diff --git a/meta-openembedded/meta-gnome/recipes-connectivity/network-manager-applet/network-manager-applet_1.22.0.bb b/meta-openembedded/meta-gnome/recipes-connectivity/network-manager-applet/network-manager-applet_1.22.0.bb
index 28d95d4..cef7c75 100644
--- a/meta-openembedded/meta-gnome/recipes-connectivity/network-manager-applet/network-manager-applet_1.22.0.bb
+++ b/meta-openembedded/meta-gnome/recipes-connectivity/network-manager-applet/network-manager-applet_1.22.0.bb
@@ -16,7 +16,7 @@
 # We currently don't build NetworkManager with libteamdctl support
 EXTRA_OEMESON += "-Dteam=false"
 
-PACKAGECONFIG ??= ""
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
 PACKAGECONFIG[modemmanager] = "-Dwwan=true, -Dwwan=false, modemmanager"
 PACKAGECONFIG[selinux] = "-Dselinux=true, -Dselinux=false, libselinux"
 
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
index 050076d..35c7989 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/mycroft/mycroft_19.8.1.bb
@@ -87,4 +87,7 @@
 # pgrep is used by stop-mycroft.sh
 RDEPENDS:${PN} += "procps"
 
+# More tools needed by scripts
+RDEPENDS:${PN} += "bash jq libnotify"
+
 SYSTEMD_SERVICE:${PN} = "mycroft-setup.service mycroft.service"
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/opus-tools/opus-tools_0.2.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/opus-tools/opus-tools_0.2.bb
new file mode 100644
index 0000000..b5e6ed9
--- /dev/null
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/opus-tools/opus-tools_0.2.bb
@@ -0,0 +1,15 @@
+SUMMARY = "Opus Audio Tools"
+HOMEPAGE = "http://www.opus-codec.org/"
+
+LICENSE = "BSD-2-Clause & GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=79f6fc2a6239fbe5f6e52f20ac76698c"
+
+SRC_URI = "http://downloads.xiph.org/releases/opus/opus-tools-${PV}.tar.gz"
+SRC_URI[md5sum] = "ff2d0536e960cabbfb8ca7c8c1759b6c"
+SRC_URI[sha256sum] = "b4e56cb00d3e509acfba9a9b627ffd8273b876b4e2408642259f6da28fa0ff86"
+
+S = "${WORKDIR}/opus-tools-${PV}"
+
+DEPENDS = "libopus libopusenc flac opusfile"
+
+inherit autotools pkgconfig
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/packagegroups/packagegroup-meta-multimedia.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/packagegroups/packagegroup-meta-multimedia.bb
index 9e0c319..5522731 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/packagegroups/packagegroup-meta-multimedia.bb
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/packagegroups/packagegroup-meta-multimedia.bb
@@ -66,6 +66,7 @@
     mycroft \
     openal-soft \
     opusfile \
+    opus-tools \
     libdvdcss \
     ${@bb.utils.contains("LICENSE_FLAGS_WHITELIST", "commercial", bb.utils.contains("DISTRO_FEATURES", "x11", "vlc", "", d), "", d)} \
     ${@bb.utils.contains("LICENSE_FLAGS_WHITELIST", "commercial", "sox streamripper", "", d)} \
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
index 7268c94..b848b82 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/sample-content/bigbuckbunny-1080p.bb
@@ -3,7 +3,7 @@
 # http://www.bigbuckbunny.org/index.php/about/
 LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/CC-BY-3.0;md5=dfa02b5755629022e267f10b9c0a2ab7"
 
-SRC_URI = "http://themazzone.com/big_buck_bunny_1080p_surround.avi"
+SRC_URI = "https://www.mediaspip.net/IMG/avi/big_buck_bunny_1080p_surround.avi"
 SRC_URI[md5sum] = "223991c8b33564eb77988a4c13c1c76a"
 SRC_URI[sha256sum] = "69fe2cfe7154a6e752688e3a0d7d6b07b1605bbaf75b56f6470dc7b4c20c06ea"
 
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
deleted file mode 100644
index b623dbf..0000000
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Upstream-Status: Backport
-
-Backport patch to fix CVE-2015-6749 from:
-
-https://trac.xiph.org/ticket/2212
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-From 04815d3e1bfae3a6cdfb2c25358a5a72b61299f7 Mon Sep 17 00:00:00 2001
-From: Mark Harris <mark.hsj@gmail.com>
-Date: Sun, 30 Aug 2015 05:54:46 -0700
-Subject: [PATCH] oggenc: Fix large alloca on bad AIFF input
-
-Fixes #2212
----
- oggenc/audio.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/oggenc/audio.c b/oggenc/audio.c
-index 477da8c..4921fb9 100644
---- a/oggenc/audio.c
-+++ b/oggenc/audio.c
-@@ -245,8 +245,8 @@ static int aiff_permute_matrix[6][6] =
- int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
- {
-     int aifc; /* AIFC or AIFF? */
--    unsigned int len;
--    unsigned char *buffer;
-+    unsigned int len, readlen;
-+    unsigned char buffer[22];
-     unsigned char buf2[8];
-     aiff_fmt format;
-     aifffile *aiff = malloc(sizeof(aifffile));
-@@ -269,9 +269,9 @@ int aiff_open(FILE *in, oe_enc_opt *opt, unsigned char *buf, int buflen)
-         return 0; /* Weird common chunk */
-     }
- 
--    buffer = alloca(len);
--
--    if(fread(buffer,1,len,in) < len)
-+    readlen = len < sizeof(buffer) ? len : sizeof(buffer);
-+    if(fread(buffer,1,readlen,in) < readlen ||
-+       (len > readlen && !seek_forward(in, len-readlen)))
-     {
-         fprintf(stderr, _("Warning: Unexpected EOF in reading AIFF header\n"));
-         return 0;
--- 
-2.5.0
-
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0004-Fix-format-error-blocking-compilation-with-hardening.patch b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0004-Fix-format-error-blocking-compilation-with-hardening.patch
deleted file mode 100644
index 111e98a..0000000
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/0004-Fix-format-error-blocking-compilation-with-hardening.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Petter Reinholdtsen <pere@hungry.com>
-Date: Wed, 22 Oct 2014 13:25:21 +0200
-Subject: Fix format error blocking compilation with hardening
-
-Last-Update: 2014-10-22
-Forwarded: no
-
-Enabling hardening refuses to compile code with sprintf() calls
-with no formatting string. Adjust the code to work with hardening.
----
- ogg123/status.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ogg123/status.c b/ogg123/status.c
-index 92b8ff1..ccec389 100644
---- a/ogg123/status.c
-+++ b/ogg123/status.c
-@@ -148,7 +148,7 @@ int print_statistics_line (stat_format_t stats[])
- 
-     switch (stats->type) {
-     case stat_noarg:
--      len += sprintf(str+len, stats->formatstr);
-+      len += sprintf(str+len, "%s", stats->formatstr);
-       break;
-     case stat_intarg:
-       len += sprintf(str+len, stats->formatstr, stats->arg.intarg);
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/gettext.patch b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/gettext.patch
index b61ce7c..dd03fa9 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/gettext.patch
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools/gettext.patch
@@ -2,23 +2,10 @@
 
 Upstream-Status: Pending
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -2,8 +2,8 @@
- 
- AUTOMAKE_OPTIONS = foreign dist-zip
- 
--SUBDIRS = po intl include share debian win32 @OPT_SUBDIRS@
--DIST_SUBDIRS = po intl include share debian win32 ogg123 oggenc oggdec ogginfo \
-+SUBDIRS = po include share debian win32 @OPT_SUBDIRS@
-+DIST_SUBDIRS = po include share debian win32 ogg123 oggenc oggdec ogginfo \
- 	vcut vorbiscomment m4
- 
- EXTRA_DIST = config.rpath README AUTHORS COPYING CHANGES vorbis-tools.spec config.h mkinstalldirs
+Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
 --- a/configure.ac
 +++ b/configure.ac
-@@ -31,7 +31,7 @@ CFLAGS="$cflags_save"
+@@ -34,7 +34,7 @@
  AC_PROG_LIBTOOL
  
  ALL_LINGUAS="be cs da en_GB eo es fr hr hu nl pl ro ru sk sv uk vi"
@@ -27,7 +14,7 @@
  
  dnl --------------------------------------------------
  dnl System checks
-@@ -383,7 +383,6 @@ AC_OUTPUT([
+@@ -397,7 +397,6 @@
  Makefile
  m4/Makefile
  po/Makefile.in
@@ -35,3 +22,16 @@
  include/Makefile
  share/Makefile
  win32/Makefile
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -2,8 +2,8 @@
+ 
+ AUTOMAKE_OPTIONS = foreign dist-zip
+ 
+-SUBDIRS = po intl include share win32 @OPT_SUBDIRS@
+-DIST_SUBDIRS = po intl include share win32 ogg123 oggenc oggdec ogginfo \
++SUBDIRS = po include share win32 @OPT_SUBDIRS@
++DIST_SUBDIRS = po include share win32 ogg123 oggenc oggdec ogginfo \
+ 	vcut vorbiscomment m4
+ 
+ EXTRA_DIST = config.rpath README AUTHORS COPYING CHANGES
diff --git a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
similarity index 72%
rename from meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
rename to meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
index 89e6652..f399bfa 100644
--- a/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.0.bb
+++ b/meta-openembedded/meta-multimedia/recipes-multimedia/vorbis-tools/vorbis-tools_1.4.2.bb
@@ -11,13 +11,11 @@
 DEPENDS = "libogg libvorbis"
 
 SRC_URI = "http://downloads.xiph.org/releases/vorbis/${BP}.tar.gz \
-           file://0001-oggenc-Fix-large-alloca-on-bad-AIFF-input.patch \
-           file://0004-Fix-format-error-blocking-compilation-with-hardening.patch \
            file://gettext.patch \
           "
 
-SRC_URI[md5sum] = "567e0fb8d321b2cd7124f8208b8b90e6"
-SRC_URI[sha256sum] = "a389395baa43f8e5a796c99daf62397e435a7e73531c9f44d9084055a05d22bc"
+SRC_URI[md5sum] = "998fca293bd4e4bdc2b96fb70f952f4e"
+SRC_URI[sha256sum] = "db7774ec2bf2c939b139452183669be84fda5774d6400fc57fde37f77624f0b0"
 
 inherit autotools pkgconfig gettext
 
diff --git a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.32.4.bb b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.32.4.bb
index 0ef525d..167d810 100644
--- a/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.32.4.bb
+++ b/meta-openembedded/meta-networking/recipes-connectivity/networkmanager/networkmanager_1.32.4.bb
@@ -59,6 +59,7 @@
     ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', bb.utils.contains('DISTRO_FEATURES', 'x11', 'consolekit', '', d), d)} \
     ${@bb.utils.contains('DISTRO_FEATURES', 'bluetooth', 'bluez5', '', d)} \
     ${@bb.utils.filter('DISTRO_FEATURES', 'wifi polkit', d)} \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux audit', '', d)} \
 "
 
 inherit ${@bb.utils.contains('PACKAGECONFIG', 'nmcli', 'bash-completion', '', d)}
@@ -83,6 +84,8 @@
 PACKAGECONFIG[cloud-setup] = "--with-nm-cloud-setup=yes,--with-nm-cloud-setup=no"
 PACKAGECONFIG[nmcli] = "--with-nmcli=yes,--with-nmcli=no,readline"
 PACKAGECONFIG[ovs] = "--enable-ovs,--disable-ovs,jansson"
+PACKAGECONFIG[audit] = "--with-libaudit,--without-libaudit,audit"
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
 
 PACKAGES =+ " \
   ${PN}-nmcli ${PN}-nmcli-doc \
diff --git a/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb b/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
index d5e9e2c..cf2b156 100644
--- a/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
+++ b/meta-openembedded/meta-networking/recipes-daemons/lldpd/lldpd_1.0.8.bb
@@ -61,4 +61,4 @@
 
 FILES:${PN}-zsh-completion += "${datadir}/zsh/"
 # FIXME: zsh is broken in meta-oe so this cannot be enabled for now
-#RDEPENDS_${PN}-zsh-completion += "zsh"
+#RDEPENDS:${PN}-zsh-completion += "zsh"
diff --git a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
index 54aa3ce..a8d3e91 100644
--- a/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
+++ b/meta-openembedded/meta-networking/recipes-support/cifs/cifs-utils_6.13.bb
@@ -26,7 +26,7 @@
     # want installed to /usr/sbin rather than /sbin to be DISTRO_FEATURES usrmerge compliant
     # must override ROOTSBINDIR (default '/sbin'),
     # setting --exec-prefix or --prefix in EXTRA_OECONF does not work
-    if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','fakse',d)}; then
+    if ${@bb.utils.contains('DISTRO_FEATURES','usrmerge','true','false',d)}; then
         export ROOTSBINDIR=${sbindir}
     fi
 }
diff --git a/meta-openembedded/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb b/meta-openembedded/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
index 6ce52d7..263de81 100644
--- a/meta-openembedded/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
+++ b/meta-openembedded/meta-networking/recipes-support/curlpp/curlpp_0.8.1.bb
@@ -16,3 +16,10 @@
 inherit cmake pkgconfig binconfig
 
 BBCLASSEXTEND = "native nativesdk"
+
+do_install:append() {
+    sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \
+        -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \
+        -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \
+        -i ${D}${libdir}/pkgconfig/*.pc
+}
diff --git a/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch b/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
new file mode 100644
index 0000000..8fdd62d
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
@@ -0,0 +1,116 @@
+From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001
+From: Luca Deri <deri@ntop.org>
+Date: Sat, 15 May 2021 19:53:46 +0200
+Subject: [PATCH] Added further checks
+
+Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3]
+CVE: CVE-2021-36082
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ src/lib/protocols/netbios.c |  2 +-
+ src/lib/protocols/tls.c     | 32 +++++++++++++++++---------------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
+index 1f3850cb..0d3b705f 100644
+--- a/src/lib/protocols/netbios.c
++++ b/src/lib/protocols/netbios.c
+@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
+   int ret = 0, len, idx = inlen;
+   char *b;
+ 
+-  len = (*in++)/2;
++  len = (*in++)/2, inlen--;
+   b  = out;
+   *out = 0;
+ 
+diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
+index 5b572cae..c115ac08 100644
+--- a/src/lib/protocols/tls.c
++++ b/src/lib/protocols/tls.c
+@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ 	i += 4 + extension_len, offset += 4 + extension_len;
+       }
+ 
+-      ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++      ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+-      for(i=0; i<ja3.num_cipher; i++) {
+-	rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
++      for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
++	rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+ 
+ 	if(rc <= 0) break; else ja3_str_len += rc;
+       }
+ 
+-      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+-      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
++      if(JA3_STR_LEN > ja3_str_len) {
++          rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
++          if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
++      }
+ 
+       /* ********** */
+ 
+-      for(i=0; i<ja3.num_tls_extension; i++) {
+-	int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
++      for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) {
++	int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ 
+ 	if(rc <= 0) break; else ja3_str_len += rc;
+       }
+@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ 	      int rc;
+ 
+ 	    compute_ja3c:
+-	      ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++	      ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+ 	      for(i=0; i<ja3.num_cipher; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.cipher[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      /* ********** */
+ 
+ 	      for(i=0; i<ja3.num_tls_extension; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      /* ********** */
+ 
+ 	      for(i=0; i<ja3.num_elliptic_curve; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+ 
+-	      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++	      rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ 	      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+ 	      for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
+-		rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++		rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ 			      (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
+ 		if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ 	      }
+-- 
+2.17.1
+
diff --git a/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb b/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
index cfc60a7..89450f5 100644
--- a/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
+++ b/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
@@ -11,6 +11,7 @@
 SRCREV = "64929a75e0a7a60d864bd25a9fd97fdf9ac892a2"
 SRC_URI = "git://github.com/ntop/nDPI.git;branch=3.4-stable \
            file://0001-autogen.sh-not-generate-configure.patch \
+           file://CVE-2021-36082.patch \
 "
 
 S = "${WORKDIR}/git"
diff --git a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass
index af38793..65d980f 100644
--- a/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass
+++ b/meta-openembedded/meta-oe/classes/image_types_sparse.bbclass
@@ -1,16 +1,16 @@
 inherit image_types
 
 CONVERSIONTYPES += "sparse"
-CONVERSION_CMD:sparse() {
-    in="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
-    out="${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.sparse"
-    case "${type}" in
-        ext*)
-            ext2simg "$in" "$out"
-            ;;
-        *)
-            img2simg "$in" "$out"
-            ;;
-    esac
-}
+CONVERSION_CMD:sparse = " \
+    case "${type}" in \
+        ext*) \
+            ext2simg "${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}" \
+                     "${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.sparse" \
+            ;; \
+        *) \
+            img2simg "${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}" \
+                     "${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.sparse" \
+            ;; \
+    esac \
+"
 CONVERSION_DEPENDS_sparse = "android-tools-native"
diff --git a/meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.15.bb b/meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.16.bb
similarity index 94%
rename from meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.15.bb
rename to meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.16.bb
index bb75387..6bace61 100644
--- a/meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.15.bb
+++ b/meta-openembedded/meta-oe/recipes-connectivity/iwd/iwd_1.16.bb
@@ -8,7 +8,7 @@
 SRC_URI = "https://www.kernel.org/pub/linux/network/wireless/${BP}.tar.xz \
            file://0001-build-Use-abs_top_srcdir-instead-of-abs_srcdir-for-e.patch \
           "
-SRC_URI[sha256sum] = "a7ab8e80592da5cb1a8b651b6d41e87e4507a3f07e04246e05bca89c547af659"
+SRC_URI[sha256sum] = "af548398aea2089a3a5103e5586561f24791090a17d4b2e50785e2faab5ed03a"
 
 inherit autotools manpages pkgconfig python3native systemd
 
diff --git a/meta-openembedded/meta-oe/recipes-core/meta/distro-feed-configs.bb b/meta-openembedded/meta-oe/recipes-core/meta/distro-feed-configs.bb
index cffeeb6..a87de45 100644
--- a/meta-openembedded/meta-oe/recipes-core/meta/distro-feed-configs.bb
+++ b/meta-openembedded/meta-oe/recipes-core/meta/distro-feed-configs.bb
@@ -28,6 +28,6 @@
 #    confs = [ ( "${sysconfdir}/opkg/%s-feed.conf" % feed ) for feed in archs ]
 #    return " ".join( confs )
 #
-#CONFFILES_${PN} += '${@distro_feed_configs(d)}'
+#CONFFILES:${PN} += '${@distro_feed_configs(d)}'
 
 CONFFILES:${PN} += '${@ " ".join( [ ( "${sysconfdir}/opkg/%s-feed.conf" % feed ) for feed in "all ${PACKAGE_EXTRA_ARCHS} ${MACHINE_ARCH}".split() ] ) }'
diff --git a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
index 47ee309..d46447d 100644
--- a/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
+++ b/meta-openembedded/meta-oe/recipes-core/packagegroups/packagegroup-meta-oe.bb
@@ -525,6 +525,7 @@
     ttf-gentium \
     ttf-hunky-sans \
     ttf-hunky-serif \
+    ttf-ipa \
     ttf-lohit \
     ttf-inconsolata \
     ttf-liberation-sans-narrow \
@@ -668,7 +669,6 @@
     live555-examples \
     live555-mediaserver \
     libmikmod \
-    opus-tools \
     libmodplug \
     sound-theme-freedesktop \
     yavta \
diff --git a/meta-openembedded/meta-oe/recipes-devtools/geany/geany-plugins_1.37.bb b/meta-openembedded/meta-oe/recipes-devtools/geany/geany-plugins_1.37.bb
index 10e51fa..9a70537 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/geany/geany-plugins_1.37.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/geany/geany-plugins_1.37.bb
@@ -66,7 +66,7 @@
 EXTRA_OECONF += "--disable-debugger"
 #PLUGINS += "${PN}-debugger"
 #LIC_FILES_CHKSUM += "file://debugger/COPYING;md5=4325afd396febcb659c36b49533135d4"
-#FILES_${PN}-debugger = "${libdir}/geany/debugger.so ${datadir}/${PN}/debugger"
+#FILES:${PN}-debugger = "${libdir}/geany/debugger.so ${datadir}/${PN}/debugger"
 
 PLUGINS += "${PN}-defineformat"
 LIC_FILES_CHKSUM += "file://defineformat/COPYING;md5=751419260aa954499f7abaabaa882bbe"
@@ -76,8 +76,8 @@
 EXTRA_OECONF += "--disable-devhelp"
 #PLUGINS += "${PN}-devhelp"
 #LIC_FILES_CHKSUM += "file://devhelp/COPYING;md5=d32239bcb673463ab874e80d47fae504"
-#LICENSE_${PN}-devhelp = "GPLv3"
-#FILES_${PN}-devhelp = "${libdir}/geany/devhelp.so"
+#LICENSE:${PN}-devhelp = "GPLv3"
+#FILES:${PN}-devhelp = "${libdir}/geany/devhelp.so"
 
 PLUGINS += "${PN}-geanyctags"
 LIC_FILES_CHKSUM += "file://geanyctags/COPYING;md5=c107cf754550e65755c42985a5d4e9c9"
@@ -100,7 +100,7 @@
 EXTRA_OECONF += "--disable-geanylua"
 #PLUGINS += "${PN}-geanylua"
 #LIC_FILES_CHKSUM += "file://geanylua/COPYING;md5=4325afd396febcb659c36b49533135d4"
-#FILES_${PN}-geanylua = "${libdir}/geany/geanylua.so ${libdir}/${PN}/geanylua/*.so"
+#FILES:${PN}-geanylua = "${libdir}/geany/geanylua.so ${libdir}/${PN}/geanylua/*.so"
 
 PLUGINS += "${PN}-geanymacro"
 LIC_FILES_CHKSUM += "file://geanymacro/COPYING;md5=c107cf754550e65755c42985a5d4e9c9"
@@ -125,7 +125,7 @@
 
 #PLUGINS += "${PN}-geanypy"
 #LIC_FILES_CHKSUM += "file://geanypy/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-#FILES_${PN}-geanypy = "${libdir}/geany/geanypy.so"
+#FILES:${PN}-geanypy = "${libdir}/geany/geanypy.so"
 
 PLUGINS += "${PN}-geanyvc"
 LIC_FILES_CHKSUM += "file://geanyvc/COPYING;md5=c107cf754550e65755c42985a5d4e9c9"
@@ -160,13 +160,13 @@
 EXTRA_OECONF += "--disable-peg-markdown"
 #PLUGINS += "${PN}-markdown"
 #LIC_FILES_CHKSUM += "file://markdown/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-#FILES_${PN}-markdown = "${libdir}/geany/markdown.so"
+#FILES:${PN}-markdown = "${libdir}/geany/markdown.so"
 
 # | checking whether the GTK version in use is compatible with plugin multiterm... no
 EXTRA_OECONF += "--disable-multiterm"
 #PLUGINS += "${PN}-multiterm"
 #LIC_FILES_CHKSUM += "file://multiterm/COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
-#FILES_${PN}-multiterm = "${libdir}/geany/multiterm.so"
+#FILES:${PN}-multiterm = "${libdir}/geany/multiterm.so"
 
 PLUGINS += "${PN}-overview"
 LIC_FILES_CHKSUM += "file://overview/overview/overviewplugin.c;beginline=4;endline=20;md5=1aa33522916cdeb46cccac0c629da0d0"
@@ -226,8 +226,8 @@
 EXTRA_OECONF += " --disable-webhelper"
 #PLUGINS += "${PN}-webhelper"
 #LIC_FILES_CHKSUM += "file://webhelper/COPYING;md5=d32239bcb673463ab874e80d47fae504"
-#LICENSE_${PN}-webhelper = "GPLv3"
-#FILES_${PN}-webhelper = "${libdir}/geany/webhelper.so"
+#LICENSE:${PN}-webhelper = "GPLv3"
+#FILES:${PN}-webhelper = "${libdir}/geany/webhelper.so"
 
 PLUGINS += "${PN}-workbench"
 LIC_FILES_CHKSUM += "file://workbench/COPYING;md5=c107cf754550e65755c42985a5d4e9c9"
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/0001-Makefile.in-make-sure-doc-generated-before-install.patch b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/0001-Makefile.in-make-sure-doc-generated-before-install.patch
new file mode 100644
index 0000000..0a1fe6d
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/0001-Makefile.in-make-sure-doc-generated-before-install.patch
@@ -0,0 +1,42 @@
+From 1efb45330f5dbe475a092cda6982e6d7e135485a Mon Sep 17 00:00:00 2001
+From: Mingli Yu <mingli.yu@windriver.com>
+Date: Tue, 10 Aug 2021 13:02:18 +0000
+Subject: [PATCH] Makefile.in: make sure doc generated before install
+
+There is a race between the doc generation and the doc installation,
+so make the install depend on the build for doc to fix the error occurs
+sometimes as below:
+ | TOPDIR/tmp-glibc/hosttools/install: cannot stat 'doc/jemalloc.3': No such file or directory
+ | make: *** [Makefile:513: install_doc_man] Error 1
+
+Upstream-Status: Submitted [https://github.com/jemalloc/jemalloc/pull/2108]
+
+Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
+---
+ Makefile.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index 7128b007..ab94f0c8 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -501,14 +501,14 @@ install_lib: install_lib_static
+ endif
+ install_lib: install_lib_pc
+ 
+-install_doc_html:
++install_doc_html: build_doc_html
+ 	$(INSTALL) -d $(DATADIR)/doc/jemalloc$(install_suffix)
+ 	@for d in $(DOCS_HTML); do \
+ 	echo "$(INSTALL) -m 644 $$d $(DATADIR)/doc/jemalloc$(install_suffix)"; \
+ 	$(INSTALL) -m 644 $$d $(DATADIR)/doc/jemalloc$(install_suffix); \
+ done
+ 
+-install_doc_man:
++install_doc_man: build_doc_man
+ 	$(INSTALL) -d $(MANDIR)/man3
+ 	@for d in $(DOCS_MAN3); do \
+ 	echo "$(INSTALL) -m 644 $$d $(MANDIR)/man3"; \
+-- 
+2.29.2
+
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/run-ptest b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/run-ptest
new file mode 100644
index 0000000..b351f94
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/files/run-ptest
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+saved_dir=$PWD
+for dir in tests/* ; do
+	cd $dir
+	for atest in * ; do
+		if [ \( -x $atest \) -a \( -f $atest \) ] ; then
+			rm -rf tests.log
+			./$atest > tests.log 2>&1
+			sed -e '/: pass/ s/^/PASS: /g' \
+			    -e '/: skip/ s/^/SKIP: /g' \
+			    -e '/: fail/ s/^/FAIL: /g' \
+			    -e 's/: pass//g' \
+			    -e 's/: skip//g' \
+			    -e 's/: fail//g' \
+			    -e '/^--- pass:/d' tests.log
+		fi
+	done
+	cd $saved_dir
+done
+
diff --git a/meta-openembedded/meta-oe/recipes-devtools/jemalloc/jemalloc_5.2.1.bb b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/jemalloc_5.2.1.bb
index 3963766..b5d53bb 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/jemalloc/jemalloc_5.2.1.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/jemalloc/jemalloc_5.2.1.bb
@@ -13,14 +13,31 @@
 
 LIC_FILES_CHKSUM = "file://README;md5=6900e4a158982e4c4715bf16aa54fa10"
 
-SRC_URI = "git://github.com/jemalloc/jemalloc.git"
+SRC_URI = "git://github.com/jemalloc/jemalloc.git \
+           file://0001-Makefile.in-make-sure-doc-generated-before-install.patch \
+           file://run-ptest \
+"
 
 SRCREV = "ea6b3e973b477b8061e0076bb257dbd7f3faa756"
 
 S = "${WORKDIR}/git"
 
-inherit autotools
+inherit autotools ptest
 
 EXTRA_AUTORECONF += "--exclude=autoheader"
 
 EXTRA_OECONF:append:libc-musl = " --with-jemalloc-prefix=je_"
+
+do_compile_ptest() {
+	oe_runmake tests
+}
+
+do_install_ptest() {
+	install -d ${D}${PTEST_PATH}/tests
+	subdirs="test/unit test/integration test/stress "
+	for tooltest in ${subdirs}
+	do
+		cp -r ${B}/${tooltest} ${D}${PTEST_PATH}/tests
+	done
+	find ${D}${PTEST_PATH}/tests \( -name "*.d" -o -name "*.o" \) -exec rm -f {} \;
+}
diff --git a/meta-openembedded/meta-oe/recipes-devtools/ldns/ldns_1.7.1.bb b/meta-openembedded/meta-oe/recipes-devtools/ldns/ldns_1.7.1.bb
index 2a52dd6..2ce6691 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/ldns/ldns_1.7.1.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/ldns/ldns_1.7.1.bb
@@ -16,3 +16,10 @@
 
 EXTRA_OECONF = "--with-ssl=${STAGING_EXECPREFIXDIR} \
                 libtool=${TARGET_PREFIX}libtool"
+
+do_install:append() {
+    sed -e 's@[^ ]*-ffile-prefix-map=[^ "]*@@g' \
+        -e 's@[^ ]*-fdebug-prefix-map=[^ "]*@@g' \
+        -e 's@[^ ]*-fmacro-prefix-map=[^ "]*@@g' \
+        -i ${D}${libdir}/pkgconfig/*.pc
+}
diff --git a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch
new file mode 100644
index 0000000..b41bbe0
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl/CVE-2014-10402.patch
@@ -0,0 +1,56 @@
+Backport patch to fix CVE-2014-10402.
+
+CVE: CVE-2014-10402
+Upstream-Status: Backport [https://github.com/rehsack/dbi/commit/19d0fb1]
+
+Ref:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972180#12
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+
+From 19d0fb169eed475e1c053e99036b8668625cfa94 Mon Sep 17 00:00:00 2001
+From: Jens Rehsack <sno@netbsd.org>
+Date: Tue, 6 Oct 2020 10:22:17 +0200
+Subject: [PATCH] lib/DBD/File.pm: fix CVE-2014-10401
+
+Dig into the root cause of RT#99508 - which resulted in CVE-2014-10401 - and
+figure out that DBI->parse_dsn is the wrong helper to parse our attributes in
+DSN, since in DBD::dr::connect only the "dbname" remains from DSN which causes
+parse_dsn to bailout.
+
+Parsing on our own similar to parse_dsn shows the way out.
+
+Signed-off-by: Jens Rehsack <sno@netbsd.org>
+---
+ lib/DBD/File.pm | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/DBD/File.pm b/lib/DBD/File.pm
+index fb14e9a..f55076f 100644
+--- a/lib/DBD/File.pm
++++ b/lib/DBD/File.pm
+@@ -109,7 +109,11 @@ sub connect
+     # We do not (yet) care about conflicting attributes here
+     # my $dbh = DBI->connect ("dbi:CSV:f_dir=test", undef, undef, { f_dir => "text" });
+     # will test here that both test and text should exist
+-    if (my $attr_hash = (DBI->parse_dsn ($dbname))[3]) {
++    #
++    # Parsing on our own similar to parse_dsn to find attributes in 'dbname' parameter.
++    if ($dbname) {
++	my @attrs = split /;/ => $dbname;
++	my $attr_hash = { map { split /\s*=>?\s*|\s*,\s*/, $_} @attrs };
+ 	if (defined $attr_hash->{f_dir} && ! -d $attr_hash->{f_dir}) {
+ 	    my $msg = "No such directory '$attr_hash->{f_dir}";
+ 	    $drh->set_err (2, $msg);
+@@ -120,7 +124,6 @@ sub connect
+     if ($attr and defined $attr->{f_dir} && ! -d $attr->{f_dir}) {
+ 	my $msg = "No such directory '$attr->{f_dir}";
+ 	$drh->set_err (2, $msg);
+-	$attr->{RaiseError} and croak $msg;
+ 	return;
+ 	}
+ 
+-- 
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
index 311cf27..b214182 100644
--- a/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
+++ b/meta-openembedded/meta-oe/recipes-devtools/perl/libdbi-perl_1.643.bb
@@ -9,7 +9,9 @@
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=10982c7148e0a012c0fd80534522f5c5"
 
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz"
+SRC_URI = "http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-${PV}.tar.gz \
+           file://CVE-2014-10402.patch \
+           "
 SRC_URI[md5sum] = "352f80b1e23769c116082a90905d7398"
 SRC_URI[sha256sum] = "8a2b993db560a2c373c174ee976a51027dd780ec766ae17620c20393d2e836fa"
 
diff --git a/meta-openembedded/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb b/meta-openembedded/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
index f1e9948..70e1a47 100644
--- a/meta-openembedded/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
+++ b/meta-openembedded/meta-oe/recipes-graphics/dnfdragora/dnfdragora_git.bb
@@ -17,7 +17,7 @@
 inherit cmake gettext pkgconfig python3-dir python3native distutils3-base mime-xdg
 
 DEPENDS += "dnf python3 "
-#DEPENDS_class-nativesdk += "nativesdk-python3"
+#DEPENDS:class-nativesdk += "nativesdk-python3"
 
 RDEPENDS:${PN}:class-target = " python3-core libyui libyui-ncurses "
 
diff --git a/meta-openembedded/meta-oe/recipes-graphics/ttf-fonts/ttf-ipa_003.03.01.bb b/meta-openembedded/meta-oe/recipes-graphics/ttf-fonts/ttf-ipa_003.03.01.bb
new file mode 100644
index 0000000..89c48d5
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-graphics/ttf-fonts/ttf-ipa_003.03.01.bb
@@ -0,0 +1,21 @@
+require ttf.inc
+
+SUMMARY = "Ipa fonts - TTF Version"
+HOMEPAGE = "https://moji.or.jp/ipafont"
+LICENSE = "IPA"
+LICENSE_URL = "https://moji.or.jp/ipafont/license/"
+LIC_FILES_CHKSUM = "file://IPA_Font_License_Agreement_v1.0.txt;md5=6cd3351ba979cf9db1fad644e8221276 \
+"
+SRC_URI = "https://moji.or.jp/wp-content/ipafont/IPAfont/IPAfont00303.zip "
+
+SRC_URI[sha256sum] = "f755ed79a4b8e715bed2f05a189172138aedf93db0f465b4e20c344a02766fe5"
+
+S = "${WORKDIR}/IPAfont00303"
+
+PACKAGES = "ttf-ipag ttf-ipagp ttf-ipam ttf-ipamp"
+FONT_PACKAGES = "ttf-ipag ttf-ipagp ttf-ipam ttf-ipamp"
+
+FILES:ttf-ipag = "${datadir}/fonts/truetype/ipag.ttf"
+FILES:ttf-ipagp = "${datadir}/fonts/truetype/ipagp.ttf"
+FILES:ttf-ipam = "${datadir}/fonts/truetype/ipam.ttf"
+FILES:ttf-ipamp = "${datadir}/fonts/truetype/ipamp.ttf"
diff --git a/meta-openembedded/meta-oe/recipes-multimedia/opus-tools/opus-tools_0.1.8.bb b/meta-openembedded/meta-oe/recipes-multimedia/opus-tools/opus-tools_0.1.8.bb
deleted file mode 100644
index a84f2bf..0000000
--- a/meta-openembedded/meta-oe/recipes-multimedia/opus-tools/opus-tools_0.1.8.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-SUMMARY = "Opus Audio Tools"
-HOMEPAGE = "http://www.opus-codec.org/"
-
-LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://COPYING;md5=843a066da9f1facfcc6ea6f616ffecb1"
-
-SRC_URI = "http://downloads.xiph.org/releases/opus/opus-tools-${PV}.tar.gz"
-SRC_URI[md5sum] = "b424790eda9357a4df394e2d7ca19eac"
-SRC_URI[sha256sum] = "e4e188579ea1c4e4d5066460d4a7214a7eafe3539e9a4466fdc98af41ba4a2f6"
-
-S = "${WORKDIR}/opus-tools-${PV}"
-
-DEPENDS = "libopus flac"
-
-inherit autotools pkgconfig
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch b/meta-openembedded/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
new file mode 100644
index 0000000..e55093d
--- /dev/null
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
@@ -0,0 +1,132 @@
+From 759318f11352d01b45bbab62c7bf0a53fb781083 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Aug 2021 11:27:16 -0400
+Subject: [PATCH] flush uid/gid caches when user/group added/deleted/modified
+
+It was reported in issue #209 that in the enriched format that auditd
+is creating the wrong account associations. This is due to caching
+previous lookups. The fix is to monitor for account lifecycle changes
+and flush the LRUs if any are seen.
+
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/8662f61108f8b9365f96ef49ca8ca331a7880f24]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ auparse/auparse-idata.h |  3 ++-
+ auparse/interpret.c     | 12 ++++++++++++
+ src/auditd-event.c      | 27 +++++++++++++++++++++++++--
+ 3 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
+index 660901a..eaca86a 100644
+--- a/auparse/auparse-idata.h
++++ b/auparse/auparse-idata.h
+@@ -1,6 +1,6 @@
+ /*
+ * idata.h - Header file for ausearch-lookup.c
+-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
+ void _auparse_load_interpretations(const char *buf);
+ void _auparse_free_interpretations(void);
+ const char *_auparse_lookup_interpretation(const char *name);
++void _auparse_flush_caches(void);
+ 
+ #endif
+ 
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 046867b..eef377a 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
+ 	gid_cache_created = 0;
+ }
+ 
++void _auparse_flush_caches(void)
++{
++	if (uid_cache_created) {
++		destroy_lru(uid_cache);
++		uid_cache_created = 0;
++	}
++	if (gid_cache_created) {
++		destroy_lru(gid_cache);
++		gid_cache_created = 0;
++	}
++}
++
+ static const char *print_uid(const char *val, unsigned int base)
+ {
+         int uid;
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index cb29fee..3655726 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -42,6 +42,7 @@
+ #include "libaudit.h"
+ #include "private.h"
+ #include "auparse.h"
++#include "auparse-idata.h"
+ 
+ /* This is defined in auditd.c */
+ extern volatile int stop;
+@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
+ static void do_disk_full_action(void);
+ static void do_disk_error_action(const char *func, int err);
+ static void fix_disk_permissions(void);
+-static void check_excess_logs(void); 
++static void check_excess_logs(void);
+ static void rotate_logs_now(void);
+ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
+ static void shift_logs(void);
+@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 	        	snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
+ 		    "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
+ 	} else {
+-		int rc;
++		int rc, rtype;
+ 		size_t mlen, len;
+ 		char *message;
+ 		// Do raw format to get event started
+@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 
+ 		// Loop over all fields while possible to add field
+ 		rc = auparse_first_record(au);
++		rtype = auparse_get_type(au);
++		switch (rtype)
++		{	// Flush before adding to pickup new associations
++			case AUDIT_ADD_USER:
++			case AUDIT_ADD_GROUP:
++				_auparse_flush_caches();
++				break;
++			default:
++				break;
++		}
++
+ 		while (rc > 0 && len > MIN_SPACE_LEFT) {
+ 			// See what kind of field we have
+ 			size_t vlen;
+@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 			rc = auparse_next_field(au);
+ 		}
+ 
++		switch(rtype)
++		{	// Flush after modification to remove stale entries
++			case AUDIT_USER_MGMT:
++			case AUDIT_DEL_USER:
++			case AUDIT_DEL_GROUP:
++			case AUDIT_GRP_MGMT:
++				_auparse_flush_caches();
++				break;
++			default:
++				break;
++		}
+ 		free(message);
+ 	}
+         return format_buf;
+-- 
+2.17.1
+
diff --git a/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.3.bb b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.4.bb
similarity index 96%
rename from meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.3.bb
rename to meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.4.bb
index c30b971..db55049 100644
--- a/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.3.bb
+++ b/meta-openembedded/meta-oe/recipes-security/audit/audit_3.0.4.bb
@@ -9,13 +9,14 @@
 
 SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
            file://Fixed-swig-host-contamination-issue.patch \
+           file://0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch \
            file://auditd \
            file://auditd.service \
            file://audit-volatile.conf \
 "
 
 S = "${WORKDIR}/git"
-SRCREV = "17c100abcfef4cbd94a0a5be9b830c8386c3add6"
+SRCREV = "86a975cd96c3838e56be9d27262f8a36bb822634"
 
 inherit autotools python3native update-rc.d systemd
 
diff --git a/meta-openembedded/meta-oe/recipes-shells/tcsh/tcsh_6.22.04.bb b/meta-openembedded/meta-oe/recipes-shells/tcsh/tcsh_6.22.04.bb
index ac6c6db..c4da5cd 100644
--- a/meta-openembedded/meta-oe/recipes-shells/tcsh/tcsh_6.22.04.bb
+++ b/meta-openembedded/meta-oe/recipes-shells/tcsh/tcsh_6.22.04.bb
@@ -20,7 +20,7 @@
 inherit autotools
 
 do_compile:prepend() {
-    oe_runmake CC_FOR_GETHOST='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' gethost
+    oe_runmake CC_FOR_GETHOST='${BUILD_CC}' CFLAGS='${BUILD_CFLAGS}' LDFLAGS='${BUILD_LDFLAGS}' gethost
 }
 
 do_install:append () {
diff --git a/meta-openembedded/meta-oe/recipes-support/augeas/augeas.inc b/meta-openembedded/meta-oe/recipes-support/augeas/augeas.inc
index 077a2db..d83ba49 100644
--- a/meta-openembedded/meta-oe/recipes-support/augeas/augeas.inc
+++ b/meta-openembedded/meta-oe/recipes-support/augeas/augeas.inc
@@ -27,7 +27,7 @@
     rm -fr ${D}${datadir}/vim
 }
 
-PACKAGECONFIG ??= ""
-PACKAGECONFIG[libselinux] = "--with-selinux,--without-selinux,libselinux"
+PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
 
 EXTRA_AUTORECONF += "-I ${S}/gnulib/m4"
diff --git a/meta-openembedded/meta-perl/recipes-perl/libmime/libmime-types-perl_2.17.bb b/meta-openembedded/meta-perl/recipes-perl/libmime/libmime-types-perl_2.17.bb
index fd398a0..18fa46f 100644
--- a/meta-openembedded/meta-perl/recipes-perl/libmime/libmime-types-perl_2.17.bb
+++ b/meta-openembedded/meta-perl/recipes-perl/libmime/libmime-types-perl_2.17.bb
@@ -29,7 +29,7 @@
 "
 
 RDEPENDS:${PN}-ptest = "perl-module-lib perl-module-test-more"
-#RSUGGESTS_${PN}-ptest = "libmojo-base-perl"
+#RSUGGESTS:${PN}-ptest = "libmojo-base-perl"
 
 do_install () {
     cpan_do_install
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.5.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.6.1.bb
similarity index 76%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.5.1.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.6.1.bb
index 6ea4da3..c79a922 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.5.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-aiohue_2.6.1.bb
@@ -4,7 +4,7 @@
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=dab31a1d28183826937f4b152143a33f"
 
-SRC_URI[sha256sum] = "3ee8e857b07364516f8b9f0e5c52d4cd775036f3ace37c2769de1e8579f4dc07"
+SRC_URI[sha256sum] = "1374f7fc50bac46375e18ce7d511515265ce83c9180f312e60a36d63055f0104"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.4.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.6.bb
similarity index 68%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.4.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.6.bb
index 7889f0c..6bf61cf 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.4.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-apply-defaults_0.1.6.bb
@@ -5,8 +5,7 @@
 
 PYPI_PACKAGE = "apply_defaults"
 
-SRC_URI[md5sum] = "719abb133f4b46283ebd940fcdf30a78"
-SRC_URI[sha256sum] = "1ce26326a61d8773d38a9726a345c6525a91a6120d7333af79ad792dacb6246c"
+SRC_URI[sha256sum] = "3773de3491b94c0fe44310f1a85888389cdc71e1544b343bce0d2bd6991acea5"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.5.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.6.bb
similarity index 89%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.5.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.6.bb
index 5d7ef8f..1085103 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.5.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-astroid_2.6.6.bb
@@ -4,7 +4,7 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a70cf540abf41acb644ac3b621b2fad1"
 
-SRC_URI[sha256sum] = "83e494b02d75d07d4e347b27c066fd791c0c74fc96c613d1ea3de0c82c48168f"
+SRC_URI[sha256sum] = "3975a0bd5373bdce166e60c851cfcbaf21ee96de80ec518c1f4cb3e94c3fb334"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.3.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.5.bb
similarity index 77%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.3.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.5.bb
index b72ca3b..f8e2489 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.3.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-bitarray_2.2.5.bb
@@ -3,7 +3,7 @@
 LICENSE = "PSF"
 LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=8;endline=8;md5=2ad702cdcd49e8d2ac01d7e7d0810d2d"
 
-SRC_URI[sha256sum] = "b5d707d9c4aa75e684e21ff1848b234f3d2ff41d5038db89e2465e5527f90c68"
+SRC_URI[sha256sum] = "efb2dc83f0acb832a94af3687eea558d72512cf2e54a64fca56a10aacf57934c"
 
 inherit setuptools3 pypi
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.2.bb
similarity index 85%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.1.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.2.bb
index 32b24f0..e4b6797 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-configargparse_1.5.2.bb
@@ -3,7 +3,7 @@
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=da746463714cc35999ed9a42339f2943"
 
-SRC_URI[sha256sum] = "371f46577e76ec71a183b88378f36dd09f4b946f60fe60712f411b020f26b812"
+SRC_URI[sha256sum] = "c39540eb4843883d526beeed912dc80c92481b0c13c9787c91e614a624de3666"
 
 PYPI_PACKAGE = "ConfigArgParse"
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-defusedxml_0.7.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-defusedxml_0.7.1.bb
index f48c429..e5790f4 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-defusedxml_0.7.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-defusedxml_0.7.1.bb
@@ -8,3 +8,5 @@
 SRC_URI[sha256sum] = "1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"
 
 inherit pypi setuptools3
+
+BBCLASSEXTEND = "native"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.5.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.6.0.bb
similarity index 64%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.5.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.6.0.bb
index aaaee0d..8aa2255 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.5.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-distro_1.6.0.bb
@@ -5,8 +5,7 @@
 
 PYPI_PACKAGE = "distro"
 
-SRC_URI[md5sum] = "0ed68b4064709bdaaf6cce69780ddc51"
-SRC_URI[sha256sum] = "0e58756ae38fbd8fc3020d54badb8eae17c5b9dcbed388b17bb55b8a5928df92"
+SRC_URI[sha256sum] = "83f5e5a09f9c5f68f60173de572930effbcc0287bb84fdc4426cb4168c088424"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.1.bb
similarity index 73%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.1.bb
index 7a828a6..2eb82e8 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-engineio_4.2.1.bb
@@ -17,5 +17,4 @@
 	python3-asyncio \
 "
 
-SRC_URI[md5sum] = "1fa937ec2a9f6feac27e9f65824c5781"
-SRC_URI[sha256sum] = "4e97c1189c23923858f5bb6dc47cfcd915005383c3c039ff01c89f2c00d62077"
+SRC_URI[sha256sum] = "d510329b6d8ed5662547862f58bc73659ae62defa66b66d745ba021de112fa62"
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.2.bb
similarity index 78%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.1.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.2.bb
index eda1860..d318973 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-gast_0.5.2.bb
@@ -4,7 +4,7 @@
 LICENSE = "BSD-3-Clause"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=a3ad9b6802e713fc5e307e1230f1ea90"
 
-SRC_URI[sha256sum] = "b00e63584db482ffe6107b5832042bbe5c5bf856e3c7279b6e93201b3dcfcb46"
+SRC_URI[sha256sum] = "f81fcefa8b982624a31c9e4ec7761325a88a0eba60d36d1da90e47f8fe3c67f7"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.30.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.31.1.bb
similarity index 87%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.30.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.31.1.bb
index 2ded8c6..fe0aebb 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.30.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-core_1.31.1.bb
@@ -6,7 +6,7 @@
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = "0724d354d394b3d763bc10dfee05807813c5210f0bd9b8e2ddf6b6925603411c"
+SRC_URI[sha256sum] = "108cf94336aed7e614eafc53933ef02adf63b9f0fd87e8f8212acaa09eaca456"
 
 RDEPENDS:${PN} += "\
     ${PYTHON_PN}-asyncio \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.12.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.15.0.bb
similarity index 75%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.12.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.15.0.bb
index 36345e0..6172cd2 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.12.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-api-python-client_2.15.0.bb
@@ -2,9 +2,9 @@
 Moderator, and many other Google APIs."
 HOMEPAGE = "https://github.com/googleapis/google-api-python-client"
 LICENSE = "Apache-2.0"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=94023d14f6b58272fd885e4e3f2f08b3"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=86d3f3a95c324c9479bd8986968f4327"
 
-SRC_URI[sha256sum] = "a5d203241a93201a770c966f8eca39de7f88b28194f9d252065b18e83bd99c4b"
+SRC_URI[sha256sum] = "8375489232823f44c601196a960505e03ec58c95ddb6415c6b1d1d76b468f8ba"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.32.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.34.0.bb
similarity index 87%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.32.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.34.0.bb
index 72dd24d..92ad248 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.32.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-google-auth_1.34.0.bb
@@ -6,7 +6,7 @@
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = "e34e5f5de5610b202f9b40ebd9f8b27571d5c5537db9afed3a72b2db5a345039"
+SRC_URI[sha256sum] = "f1094088bae046fb06f3d1a3d7df14717e8d959e9105b79c57725bd4e17597a2"
 
 RDEPENDS:${PN} += "\
     ${PYTHON_PN}-asyncio \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.1.bb
similarity index 78%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.1.bb
index 0f0f18f..9d014ec 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-greenlet_1.1.1.bb
@@ -4,6 +4,6 @@
 LIC_FILES_CHKSUM = "file://LICENSE;md5=e95668d68e4329085c7ab3535e6a7aee \
                     file://LICENSE.PSF;md5=c106931d9429eda0492617f037b8f69a"
 
-SRC_URI[sha256sum] = "c87df8ae3f01ffb4483c796fe1b15232ce2b219f0b18126948616224d3f658ee"
+SRC_URI[sha256sum] = "c0f22774cd8294078bdf7392ac73cf00bfa1e5e0ed644bd064fdabc5f2a2f481"
 
 inherit pypi distutils3 setuptools3
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-grpcio_1.38.1.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-grpcio_1.38.1.bb
index cbc8ce9..f680347 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-grpcio_1.38.1.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-grpcio_1.38.1.bb
@@ -34,6 +34,7 @@
 BORING_SSL ?= "0"
 export GRPC_BUILD_WITH_BORING_SSL_ASM = "${BORING_SSL}"
 
+GRPC_CFLAGS ?= ""
 GRPC_CFLAGS:append:toolchain-clang = " -fvisibility=hidden -fno-wrapv -fno-exceptions"
 export GRPC_PYTHON_CFLAGS = "${GRPC_CFLAGS}"
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.3.2.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.4.0.bb
similarity index 70%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.3.2.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.4.0.bb
index 4ef80c4..afdc65b 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.3.2.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-huey_2.4.0.bb
@@ -5,7 +5,7 @@
 
 PYPI_PACKAGE = "huey"
 
-SRC_URI[sha256sum] = "7176acb113850824490da5a31f328cc48a2002a59bfb396efbab8ecbd3573910"
+SRC_URI[sha256sum] = "82981fb8f1964e8c9ee8f4ebcd5a2ebad561dd93ce8b454bf4f4ecfb54bd1411"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.10.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.11.0.bb
similarity index 81%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.10.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.11.0.bb
index 5698384..aacda65 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.10.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-humanize_3.11.0.bb
@@ -5,7 +5,7 @@
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENCE;md5=4ecc42519e84f6f3e23529464df7bd1d"
 
-SRC_URI[sha256sum] = "b2413730ce6684f85e0439a5b80b8f402e09f03e16ab8023d1da758c6ff41148"
+SRC_URI[sha256sum] = "4160cdc63fcd0daac27d2e1e218a31bb396fc3fe5712d153675d89432a03778f"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.25.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.26.0.bb
similarity index 88%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.25.0.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.26.0.bb
index 5e5261f..4c1d4eb 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.25.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-ipython_7.26.0.bb
@@ -6,7 +6,7 @@
 
 PYPI_PACKAGE = "ipython"
 
-SRC_URI[sha256sum] = "54bbd1fe3882457aaf28ae060a5ccdef97f212a741754e420028d4ec5c2291dc"
+SRC_URI[sha256sum] = "0cff04bb042800129348701f7bd68a430a844e8fb193979c08f6c99f28bb735e"
 
 RDEPENDS:${PN} = "\
     ${PYTHON_PN}-setuptools \
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.2.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.3.bb
similarity index 84%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.2.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.3.bb
index a459423..44a51db 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.2.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-isort_5.9.3.bb
@@ -4,7 +4,7 @@
 SECTION = "devel/python"
 LIC_FILES_CHKSUM = "file://PKG-INFO;beginline=6;endline=6;md5=8227180126797a0148f94f483f3e1489"
 
-SRC_URI[sha256sum] = "f65ce5bd4cbc6abdfbe29afc2f0245538ab358c14590912df638033f157d555e"
+SRC_URI[sha256sum] = "9c2ea1e62d871267b78307fe511c0838ba0da28698c5732d54e2790bf3ba9899"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
index e0f4870..e1ee99b 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-m2crypto_0.38.0.bb
@@ -31,14 +31,14 @@
 DISTUTILS_INSTALL_ARGS += "build_ext --openssl=${STAGING_EXECPREFIXDIR}"
 
 SWIG_FEATURES:x86 = "-D__i386__"
-SWIG_FEATURES_x32 = "-D__ILP32__"
+SWIG_FEATURES:x32 = "-D__ILP32__"
 
 SWIG_FEATURES ?= "-D__${HOST_ARCH}__ ${@['-D__ILP32__','-D__LP64__'][d.getVar('SITEINFO_BITS') != '32']}"
 
 SWIG_FEATURES:append:riscv64 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}"
 SWIG_FEATURES:append:riscv32 = " -D__SIZEOF_POINTER__=${SITEINFO_BITS}/8 -D__riscv_xlen=${SITEINFO_BITS}"
 SWIG_FEATURES:append:mipsarch = " -D_MIPS_SZPTR=${SITEINFO_BITS}"
-SWIG_FEATURES:append:powerpc64le = " -D_:powerpc64__"
+SWIG_FEATURES:append:powerpc64le = " -D__powerpc64__"
 export SWIG_FEATURES
 
 export STAGING_DIR
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.43.0.6.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.44.0.bb
similarity index 70%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.43.0.6.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.44.0.bb
index 0437a6c..72b87da 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.43.0.6.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-pycurl_7.44.0.bb
@@ -9,11 +9,10 @@
 
 LICENSE = "LGPLv2 | MIT"
 LIC_FILES_CHKSUM = "file://COPYING-LGPL;md5=4fbd65380cdd255951079008b364516c \
-                    file://COPYING-MIT;md5=60872a112595004233b769b6cbfd65b6 \
+                    file://COPYING-MIT;md5=75f131c591546fd1277ca49c9a81ab1b \
                     "
 
-SRC_URI[md5sum] = "3e121d895101022c30619e1bbf97eb97"
-SRC_URI[sha256sum] = "8301518689daefa53726b59ded6b48f33751c383cf987b0ccfbbc4ed40281325"
+SRC_URI[sha256sum] = "2ce9905626d8ceafcbadee666e2f45397e29c7618ddcdc63fc22d85e5046c6d6"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.33.2.bb b/meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.34.3.bb
similarity index 79%
rename from meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.33.2.bb
rename to meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.34.3.bb
index 242f329..a8b9aeb 100644
--- a/meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.33.2.bb
+++ b/meta-openembedded/meta-python/recipes-devtools/python/python3-zeroconf_0.34.3.bb
@@ -3,7 +3,7 @@
 LICENSE = "LGPL-2.1"
 LIC_FILES_CHKSUM = "file://COPYING;md5=3bb705b228ea4a14ea2728215b780d80"
 
-SRC_URI[sha256sum] = "5a59425d225a1f5fba0196766fccf856d4686f653037108cbc643a76c1a884fd"
+SRC_URI[sha256sum] = "145e67c182d361b350f057fb9240dedec5e79a7c61f465a01138d4a49a4b87b3"
 
 inherit pypi setuptools3
 
diff --git a/meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.7.1.bb b/meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.8.0.bb
similarity index 71%
rename from meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.7.1.bb
rename to meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.8.0.bb
index d3554c8..76f59e2 100644
--- a/meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.7.1.bb
+++ b/meta-openembedded/meta-python/recipes-extended/send2trash/python3-send2trash_1.8.0.bb
@@ -4,6 +4,6 @@
 
 inherit pypi setuptools3
 
-SRC_URI[sha256sum] = "17730aa0a33ab82ed6ca76be3bb25f0433d0014f1ccf63c979bab13a5b9db2b2"
+SRC_URI[sha256sum] = "d2c24762fd3759860a0aff155e45871447ea58d2be6bdd39b5c8f966a0c99c2d"
 
 PYPI_PACKAGE = "Send2Trash"
diff --git a/meta-raspberrypi/docs/extra-build-config.md b/meta-raspberrypi/docs/extra-build-config.md
index f52c51f..82ec3c0 100644
--- a/meta-raspberrypi/docs/extra-build-config.md
+++ b/meta-raspberrypi/docs/extra-build-config.md
@@ -99,7 +99,7 @@
 mode is defaulted to NTSC using a 4:3 aspect ratio. Check the config.txt for a
 detailed description of options and modes. The following variables are supported in
 local.conf: `HDMI_FORCE_HOTPLUG`, `HDMI_DRIVE`, `HDMI_GROUP`, `HDMI_MODE`,
-`CONFIG_HDMI_BOOST`, `SDTV_MODE`, `SDTV_ASPECT` and `DISPLAY_ROTATE`.
+`HDMI_CVT`, `CONFIG_HDMI_BOOST`, `SDTV_MODE`, `SDTV_ASPECT` and `DISPLAY_ROTATE`.
 
 Example to force HDMI output to 720p in CEA mode:
 
diff --git a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
index c1c5340..583144d 100644
--- a/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
+++ b/meta-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bb
@@ -105,6 +105,9 @@
     if [ -n "${HDMI_MODE}" ]; then
         sed -i '/#hdmi_mode=/ c\hdmi_mode=${HDMI_MODE}' $CONFIG
     fi
+    if [ -n "${HDMI_CVT}" ]; then
+        echo 'hdmi_cvt=${HDMI_CVT}' >> $CONFIG
+    fi
     if [ -n "${CONFIG_HDMI_BOOST}" ]; then
         sed -i '/#config_hdmi_boost=/ c\config_hdmi_boost=${CONFIG_HDMI_BOOST}' $CONFIG
     fi
diff --git a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
index 37e2e57..4f242d3 100644
--- a/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
+++ b/meta-raspberrypi/recipes-kernel/linux-firmware-rpidistro/linux-firmware-rpidistro_git.bb
@@ -63,6 +63,7 @@
     # add compat links. Fixes errors like
     # brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.raspberrypi,4-model-b.txt failed with error -2
     ln -s brcmfmac43455-sdio.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-model-b.txt
+    ln -s brcmfmac43455-sdio.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module.txt
     ln -s brcmfmac43455-sdio.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43455-sdio.raspberrypi,3-model-b-plus.txt
     ln -s brcmfmac43430-sdio.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.raspberrypi,3-model-b.txt
     ln -s brcmfmac43430-sdio.txt ${D}${nonarch_base_libdir}/firmware/brcm/brcmfmac43430-sdio.raspberrypi,model-zero-w.txt
diff --git a/poky/MAINTAINERS.md b/poky/MAINTAINERS.md
index 2ddcde6..36a9bde 100644
--- a/poky/MAINTAINERS.md
+++ b/poky/MAINTAINERS.md
@@ -40,6 +40,7 @@
 * opkg: Alex Stewart
 * devtool: Saul Wold
 * eSDK: Saul Wold
+* overlayfs: Vyacheslav Yurkov
 
 Maintainers needed
 ------------------
diff --git a/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst b/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
index 593de61..40b245b 100644
--- a/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
+++ b/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-fetching.rst
@@ -144,6 +144,10 @@
 make any attempted network access a fatal error, which is useful for
 checking that mirrors are complete as well as other things.
 
+If :term:`BB_CHECK_SSL_CERTS` is set to ``0`` then SSL certificate checking will
+be disabled. This variable defaults to ``1`` so SSL certificates are normally
+checked.
+
 .. _bb-the-unpack:
 
 The Unpack
diff --git a/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst b/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
index 6283c26..2392ec4 100644
--- a/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
+++ b/poky/bitbake/doc/bitbake-user-manual/bitbake-user-manual-ref-variables.rst
@@ -93,6 +93,10 @@
       fetcher does not attempt to use the host listed in :term:`SRC_URI` after
       a successful fetch from the :term:`PREMIRRORS` occurs.
 
+   :term:`BB_CHECK_SSL_CERTS`
+      Specifies if SSL certificates should be checked when fetching. The default
+      value is ``1`` and certificates are not checked if the value is set to ``0``.
+
    :term:`BB_CONSOLELOG`
       Specifies the path to a log file into which BitBake's user interface
       writes output during the build.
diff --git a/poky/bitbake/lib/bb/fetch2/__init__.py b/poky/bitbake/lib/bb/fetch2/__init__.py
index ad89868..914fa5c 100644
--- a/poky/bitbake/lib/bb/fetch2/__init__.py
+++ b/poky/bitbake/lib/bb/fetch2/__init__.py
@@ -808,6 +808,29 @@
     fetcher = bb.fetch2.Fetch([url], d)
     return fetcher.localpath(url)
 
+# Need to export PATH as binary could be in metadata paths
+# rather than host provided
+# Also include some other variables.
+FETCH_EXPORT_VARS = ['HOME', 'PATH',
+                     'HTTP_PROXY', 'http_proxy',
+                     'HTTPS_PROXY', 'https_proxy',
+                     'FTP_PROXY', 'ftp_proxy',
+                     'FTPS_PROXY', 'ftps_proxy',
+                     'NO_PROXY', 'no_proxy',
+                     'ALL_PROXY', 'all_proxy',
+                     'GIT_PROXY_COMMAND',
+                     'GIT_SSH',
+                     'GIT_SSL_CAINFO',
+                     'GIT_SMART_HTTP',
+                     'SSH_AUTH_SOCK', 'SSH_AGENT_PID',
+                     'SOCKS5_USER', 'SOCKS5_PASSWD',
+                     'DBUS_SESSION_BUS_ADDRESS',
+                     'P4CONFIG',
+                     'SSL_CERT_FILE',
+                     'AWS_ACCESS_KEY_ID',
+                     'AWS_SECRET_ACCESS_KEY',
+                     'AWS_DEFAULT_REGION']
+
 def runfetchcmd(cmd, d, quiet=False, cleanup=None, log=None, workdir=None):
     """
     Run cmd returning the command output
@@ -816,28 +839,7 @@
     Optionally remove the files/directories listed in cleanup upon failure
     """
 
-    # Need to export PATH as binary could be in metadata paths
-    # rather than host provided
-    # Also include some other variables.
-    # FIXME: Should really include all export varaiables?
-    exportvars = ['HOME', 'PATH',
-                  'HTTP_PROXY', 'http_proxy',
-                  'HTTPS_PROXY', 'https_proxy',
-                  'FTP_PROXY', 'ftp_proxy',
-                  'FTPS_PROXY', 'ftps_proxy',
-                  'NO_PROXY', 'no_proxy',
-                  'ALL_PROXY', 'all_proxy',
-                  'GIT_PROXY_COMMAND',
-                  'GIT_SSH',
-                  'GIT_SSL_CAINFO',
-                  'GIT_SMART_HTTP',
-                  'SSH_AUTH_SOCK', 'SSH_AGENT_PID',
-                  'SOCKS5_USER', 'SOCKS5_PASSWD',
-                  'DBUS_SESSION_BUS_ADDRESS',
-                  'P4CONFIG',
-                  'AWS_ACCESS_KEY_ID',
-                  'AWS_SECRET_ACCESS_KEY',
-                  'AWS_DEFAULT_REGION']
+    exportvars = FETCH_EXPORT_VARS
 
     if not cleanup:
         cleanup = []
diff --git a/poky/bitbake/lib/bb/fetch2/wget.py b/poky/bitbake/lib/bb/fetch2/wget.py
index 784df70..29fcfbb 100644
--- a/poky/bitbake/lib/bb/fetch2/wget.py
+++ b/poky/bitbake/lib/bb/fetch2/wget.py
@@ -52,13 +52,19 @@
 
 
 class Wget(FetchMethod):
+    """Class to fetch urls via 'wget'"""
 
     # CDNs like CloudFlare may do a 'browser integrity test' which can fail
     # with the standard wget/urllib User-Agent, so pretend to be a modern
     # browser.
     user_agent = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"
 
-    """Class to fetch urls via 'wget'"""
+    def check_certs(self, d):
+        """
+        Should certificates be checked?
+        """
+        return (d.getVar("BB_CHECK_SSL_CERTS") or "1") != "0"
+
     def supports(self, ud, d):
         """
         Check to see if a given url can be fetched with wget.
@@ -82,7 +88,10 @@
         if not ud.localfile:
             ud.localfile = d.expand(urllib.parse.unquote(ud.host + ud.path).replace("/", "."))
 
-        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp --no-check-certificate"
+        self.basecmd = d.getVar("FETCHCMD_wget") or "/usr/bin/env wget -t 2 -T 30 --passive-ftp"
+
+        if not self.check_certs(d):
+            self.basecmd += " --no-check-certificate"
 
     def _runwget(self, ud, d, command, quiet, workdir=None):
 
@@ -282,19 +291,44 @@
                 newreq = urllib.request.HTTPRedirectHandler.redirect_request(self, req, fp, code, msg, headers, newurl)
                 newreq.get_method = req.get_method
                 return newreq
-        exported_proxies = export_proxies(d)
 
-        handlers = [FixedHTTPRedirectHandler, HTTPMethodFallback]
-        if exported_proxies:
-            handlers.append(urllib.request.ProxyHandler())
-        handlers.append(CacheHTTPHandler())
-        # Since Python 2.7.9 ssl cert validation is enabled by default
-        # see PEP-0476, this causes verification errors on some https servers
-        # so disable by default.
-        import ssl
-        if hasattr(ssl, '_create_unverified_context'):
-            handlers.append(urllib.request.HTTPSHandler(context=ssl._create_unverified_context()))
-        opener = urllib.request.build_opener(*handlers)
+        # We need to update the environment here as both the proxy and HTTPS
+        # handlers need variables set. The proxy needs http_proxy and friends to
+        # be set, and HTTPSHandler ends up calling into openssl to load the
+        # certificates. In buildtools configurations this will be looking at the
+        # wrong place for certificates by default: we set SSL_CERT_FILE to the
+        # right location in the buildtools environment script but as BitBake
+        # prunes prunes the environment this is lost. When binaries are executed
+        # runfetchcmd ensures these values are in the environment, but this is
+        # pure Python so we need to update the environment.
+        #
+        # Avoid tramping the environment too much by using bb.utils.environment
+        # to scope the changes to the build_opener request, which is when the
+        # environment lookups happen.
+        newenv = {}
+        for name in bb.fetch2.FETCH_EXPORT_VARS:
+            value = d.getVar(name)
+            if not value:
+                origenv = d.getVar("BB_ORIGENV")
+                if origenv:
+                    value = origenv.getVar(name)
+            if value:
+                newenv[name] = value
+
+        with bb.utils.environment(**newenv):
+            import ssl
+
+            if self.check_certs(d):
+                context = ssl.create_default_context()
+            else:
+                context = ssl._create_unverified_context()
+
+            handlers = [FixedHTTPRedirectHandler,
+                        HTTPMethodFallback,
+                        urllib.request.ProxyHandler(),
+                        CacheHTTPHandler(),
+                        urllib.request.HTTPSHandler(context=context)]
+            opener = urllib.request.build_opener(*handlers)
 
         try:
             uri = ud.url.split(";")[0]
diff --git a/poky/bitbake/lib/bb/tests/utils.py b/poky/bitbake/lib/bb/tests/utils.py
index a7ff33d..4d5e21b 100644
--- a/poky/bitbake/lib/bb/tests/utils.py
+++ b/poky/bitbake/lib/bb/tests/utils.py
@@ -666,3 +666,21 @@
 
         layers = [{"SRC_URI"}, {"QT_GIT", "QT_MODULE", "QT_MODULE_BRANCH_PARAM", "QT_GIT_PROTOCOL"}, {"QT_GIT_PROJECT", "QT_MODULE_BRANCH", "BPN"}, {"PN", "SPECIAL_PKGSUFFIX"}]
         self.check_referenced("${SRC_URI}", layers)
+
+
+class EnvironmentTests(unittest.TestCase):
+    def test_environment(self):
+        os.environ["A"] = "this is A"
+        self.assertIn("A", os.environ)
+        self.assertEqual(os.environ["A"], "this is A")
+        self.assertNotIn("B", os.environ)
+
+        with bb.utils.environment(B="this is B"):
+            self.assertIn("A", os.environ)
+            self.assertEqual(os.environ["A"], "this is A")
+            self.assertIn("B", os.environ)
+            self.assertEqual(os.environ["B"], "this is B")
+
+        self.assertIn("A", os.environ)
+        self.assertEqual(os.environ["A"], "this is A")
+        self.assertNotIn("B", os.environ)
diff --git a/poky/bitbake/lib/bb/utils.py b/poky/bitbake/lib/bb/utils.py
index e6e82d1..7063491 100644
--- a/poky/bitbake/lib/bb/utils.py
+++ b/poky/bitbake/lib/bb/utils.py
@@ -1681,3 +1681,19 @@
             shutil.move(src, dst)
         else:
             raise err
+
+@contextmanager
+def environment(**envvars):
+    """
+    Context manager to selectively update the environment with the specified mapping.
+    """
+    backup = dict(os.environ)
+    try:
+        os.environ.update(envvars)
+        yield
+    finally:
+        for var in envvars:
+            if var in backup:
+                os.environ[var] = backup[var]
+            else:
+                del os.environ[var]
diff --git a/poky/documentation/bsp-guide/bsp.rst b/poky/documentation/bsp-guide/bsp.rst
index 5f62376..b80354a 100644
--- a/poky/documentation/bsp-guide/bsp.rst
+++ b/poky/documentation/bsp-guide/bsp.rst
@@ -1042,7 +1042,7 @@
 #. Edit the ``init-ifupdown_1.0.bbappend`` file so that it contains the
    following::
 
-      FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+      FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 
    The append file needs to be in the ``meta-xyz/recipes-core/init-ifupdown``
    directory.
@@ -1269,9 +1269,9 @@
    include conf/machine/include/tune-cortexa8.inc
 
    IMAGE_FSTYPES += "tar.bz2 jffs2 wic wic.bmap"
-   EXTRA_IMAGECMD_jffs2 = "-lnp "
+   EXTRA_IMAGECMD:jffs2 = "-lnp "
    WKS_FILE ?= "beaglebone-yocto.wks"
-   IMAGE_INSTALL_append = " kernel-devicetree kernel-image-zimage"
+   IMAGE_INSTALL:append = " kernel-devicetree kernel-image-zimage"
    do_image_wic[depends] += "mtools-native:do_populate_sysroot dosfstools-native:do_populate_sysroot"
 
    SERIAL_CONSOLES ?= "115200;ttyS0 115200;ttyO0"
@@ -1458,29 +1458,29 @@
 
 Following is the contents of the append file::
 
-   KBRANCH_genericx86 = "v5.0/standard/base"
-   KBRANCH_genericx86-64 = "v5.0/standard/base"
-   KBRANCH_edgerouter = "v5.0/standard/edgerouter"
-   KBRANCH_beaglebone-yocto = "v5.0/standard/beaglebone"
+   KBRANCH:genericx86 = "v5.0/standard/base"
+   KBRANCH:genericx86-64 = "v5.0/standard/base"
+   KBRANCH:edgerouter = "v5.0/standard/edgerouter"
+   KBRANCH:beaglebone-yocto = "v5.0/standard/beaglebone"
 
-   KMACHINE_genericx86 ?= "common-pc"
-   KMACHINE_genericx86-64 ?= "common-pc-64"
-   KMACHINE_beaglebone-yocto ?= "beaglebone"
+   KMACHINE:genericx86 ?= "common-pc"
+   KMACHINE:genericx86-64 ?= "common-pc-64"
+   KMACHINE:beaglebone-yocto ?= "beaglebone"
 
-   SRCREV_machine_genericx86 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-   SRCREV_machine_genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-   SRCREV_machine_edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
-   SRCREV_machine_beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+   SRCREV_machine:genericx86 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+   SRCREV_machine:genericx86-64 ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+   SRCREV_machine:edgerouter ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
+   SRCREV_machine:beaglebone-yocto ?= "3df4aae6074e94e794e27fe7f17451d9353cdf3d"
 
-   COMPATIBLE_MACHINE_genericx86 = "genericx86"
-   COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
-   COMPATIBLE_MACHINE_edgerouter = "edgerouter"
-   COMPATIBLE_MACHINE_beaglebone-yocto = "beaglebone-yocto"
+   COMPATIBLE_MACHINE:genericx86 = "genericx86"
+   COMPATIBLE_MACHINE:genericx86-64 = "genericx86-64"
+   COMPATIBLE_MACHINE:edgerouter = "edgerouter"
+   COMPATIBLE_MACHINE:beaglebone-yocto = "beaglebone-yocto"
 
-   LINUX_VERSION_genericx86 = "5.0.3"
-   LINUX_VERSION_genericx86-64 = "5.0.3"
-   LINUX_VERSION_edgerouter = "5.0.3"
-   LINUX_VERSION_beaglebone-yocto = "5.0.3"
+   LINUX_VERSION:genericx86 = "5.0.3"
+   LINUX_VERSION:genericx86-64 = "5.0.3"
+   LINUX_VERSION:edgerouter = "5.0.3"
+   LINUX_VERSION:beaglebone-yocto = "5.0.3"
 
 This particular append file works for all the machines that are
 part of the ``meta-yocto-bsp`` layer. The relevant statements are
diff --git a/poky/documentation/conf.py b/poky/documentation/conf.py
index 6c6458f..8e15fdc 100644
--- a/poky/documentation/conf.py
+++ b/poky/documentation/conf.py
@@ -28,7 +28,7 @@
 
 # -- Project information -----------------------------------------------------
 project = 'The Yocto Project \xae'
-copyright = '2010-%s, The Linux Foundation' % datetime.datetime.now().year
+copyright = '2010-%s, The Linux Foundation, CC-BY-SA-2.0-UK license' % datetime.datetime.now().year
 author = 'The Linux Foundation'
 
 # -- General configuration ---------------------------------------------------
diff --git a/poky/documentation/dev-manual/common-tasks.rst b/poky/documentation/dev-manual/common-tasks.rst
index 7fa0df4..7f51674 100644
--- a/poky/documentation/dev-manual/common-tasks.rst
+++ b/poky/documentation/dev-manual/common-tasks.rst
@@ -207,37 +207,37 @@
       To make sure your changes apply only when building machine "one",
       use a machine override with the :term:`DEPENDS` statement::
 
-         DEPENDS_one = "foo"
+         DEPENDS:one = "foo"
 
-      You should follow the same strategy when using ``_append``
-      and ``_prepend`` operations::
+      You should follow the same strategy when using ``:append``
+      and ``:prepend`` operations::
 
-         DEPENDS_append_one = " foo"
-         DEPENDS_prepend_one = "foo "
+         DEPENDS:append:one = " foo"
+         DEPENDS:prepend:one = "foo "
 
       As an actual example, here's a
       snippet from the generic kernel include file ``linux-yocto.inc``,
       wherein the kernel compile and link options are adjusted in the
       case of a subset of the supported architectures::
 
-         DEPENDS_append_aarch64 = " libgcc"
-         KERNEL_CC_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
-         KERNEL_LD_append_aarch64 = " ${TOOLCHAIN_OPTIONS}"
+         DEPENDS:append:aarch64 = " libgcc"
+         KERNEL_CC:append:aarch64 = " ${TOOLCHAIN_OPTIONS}"
+         KERNEL_LD:append:aarch64 = " ${TOOLCHAIN_OPTIONS}"
 
-         DEPENDS_append_nios2 = " libgcc"
-         KERNEL_CC_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
-         KERNEL_LD_append_nios2 = " ${TOOLCHAIN_OPTIONS}"
+         DEPENDS:append:nios2 = " libgcc"
+         KERNEL_CC:append:nios2 = " ${TOOLCHAIN_OPTIONS}"
+         KERNEL_LD:append:nios2 = " ${TOOLCHAIN_OPTIONS}"
 
-         DEPENDS_append_arc = " libgcc"
-         KERNEL_CC_append_arc = " ${TOOLCHAIN_OPTIONS}"
-         KERNEL_LD_append_arc = " ${TOOLCHAIN_OPTIONS}"
+         DEPENDS:append:arc = " libgcc"
+         KERNEL_CC:append:arc = " ${TOOLCHAIN_OPTIONS}"
+         KERNEL_LD:append:arc = " ${TOOLCHAIN_OPTIONS}"
 
-         KERNEL_FEATURES_append_qemuall=" features/debug/printk.scc"
+         KERNEL_FEATURES:append:qemuall=" features/debug/printk.scc"
 
       .. note::
 
-         Avoiding "+=" and "=+" and using machine-specific ``_append``
-         and ``_prepend`` operations is recommended as well.
+         Avoiding "+=" and "=+" and using machine-specific ``:append``
+         and ``:prepend`` operations is recommended as well.
 
    -  *Place Machine-Specific Files in Machine-Specific Locations:* When
       you have a base recipe, such as ``base-files.bb``, that contains a
@@ -247,7 +247,7 @@
       at ``meta-one/recipes-core/base-files/base-files.bbappend`` could
       extend :term:`FILESPATH` using :term:`FILESEXTRAPATHS` as follows::
 
-         FILESEXTRAPATHS_prepend := "${THISDIR}/${BPN}:"
+         FILESEXTRAPATHS:prepend := "${THISDIR}/${BPN}:"
 
       The build for machine "one" will pick up your machine-specific file as
       long as you have the file in
@@ -443,8 +443,8 @@
 adds the recipes, classes and configurations contained within the
 particular layer to the source directory.
 
-Using .bbappend Files in Your Layer
------------------------------------
+Appending Other Layers Metadata With Your Layer
+-----------------------------------------------
 
 A recipe that appends Metadata to another recipe is called a BitBake
 append file. A BitBake append file uses the ``.bbappend`` file type
@@ -465,7 +465,7 @@
 When you create an append file, you must use the same root name as the
 corresponding recipe file. For example, the append file
 ``someapp_3.1.bbappend`` must apply to ``someapp_3.1.bb``. This
-means the original recipe and append file names are version
+means the original recipe and append filenames are version
 number-specific. If the corresponding recipe is renamed to update to a
 newer version, you must also rename and possibly update the
 corresponding ``.bbappend`` as well. During the build process, BitBake
@@ -474,6 +474,9 @@
 :term:`BB_DANGLINGAPPENDS_WARNONLY`
 variable for information on how to handle this error.
 
+Overlaying a File Using Your Layer
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 As an example, consider the main formfactor recipe and a corresponding
 formfactor append file both from the :term:`Source Directory`.
 Here is the main
@@ -512,7 +515,7 @@
 and is from the Raspberry Pi BSP Layer named ``meta-raspberrypi``. The
 file is in the layer at ``recipes-bsp/formfactor``::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
 By default, the build system uses the
 :term:`FILESPATH` variable to
@@ -537,7 +540,7 @@
 .. note::
 
    BitBake automatically defines the :term:`THISDIR` variable. You should
-   never set this variable yourself. Using "_prepend" as part of the
+   never set this variable yourself. Using ":prepend" as part of the
    :term:`FILESEXTRAPATHS` ensures your path will be searched prior to other
    paths in the final list.
 
@@ -545,6 +548,12 @@
    allow to add build options (e.g. ``systemd``). For these cases, your
    append file would not even use the :term:`FILESEXTRAPATHS` statement.
 
+The end result of this ``.bbappend`` file is that on a Raspberry Pi, where
+``rpi`` will exist in the list of :term:`OVERRIDES`, the file
+``meta-raspberrypi/recipes-bsp/formfactor/formfactor/rpi/machconfig`` will be
+used during :ref:`ref-tasks-fetch` and the test for a non-zero file size in
+:ref:`ref-tasks-install` will return true, and the file will be installed.
+
 Prioritizing Your Layer
 -----------------------
 
@@ -830,27 +839,27 @@
 all images, which might not be what you require.
 
 To add a package to your image using the local configuration file, use
-the :term:`IMAGE_INSTALL` variable with the ``_append`` operator::
+the :term:`IMAGE_INSTALL` variable with the ``:append`` operator::
 
-   IMAGE_INSTALL_append = " strace"
+   IMAGE_INSTALL:append = " strace"
 
 Use of the syntax is important -
 specifically, the space between the quote and the package name, which is
-``strace`` in this example. This space is required since the ``_append``
+``strace`` in this example. This space is required since the ``:append``
 operator does not add the space.
 
-Furthermore, you must use ``_append`` instead of the ``+=`` operator if
+Furthermore, you must use ``:append`` instead of the ``+=`` operator if
 you want to avoid ordering issues. The reason for this is because doing
 so unconditionally appends to the variable and avoids ordering problems
 due to the variable being set in image recipes and ``.bbclass`` files
-with operators like ``?=``. Using ``_append`` ensures the operation
+with operators like ``?=``. Using ``:append`` ensures the operation
 takes effect.
 
-As shown in its simplest use, ``IMAGE_INSTALL_append`` affects all
+As shown in its simplest use, ``IMAGE_INSTALL:append`` affects all
 images. It is possible to extend the syntax so that the variable applies
 to a specific image only. Here is an example::
 
-   IMAGE_INSTALL_append_pn-core-image-minimal = " strace"
+   IMAGE_INSTALL:append:pn-core-image-minimal = " strace"
 
 This example adds ``strace`` to the ``core-image-minimal`` image only.
 
@@ -976,17 +985,17 @@
        ${PN}-tools \
        "
 
-   RDEPENDS_${PN}-apps = "\
+   RDEPENDS:${PN}-apps = "\
        dropbear \
        portmap \
        psplash"
 
-   RDEPENDS_${PN}-tools = "\
+   RDEPENDS:${PN}-tools = "\
        oprofile \
        oprofileui-server \
        lttng-tools"
 
-   RRECOMMENDS_${PN}-tools = "\
+   RRECOMMENDS:${PN}-tools = "\
        kernel-module-oprofile"
 
 In the previous example, two package group packages are created with
@@ -1013,7 +1022,7 @@
 
 Use the following in a configuration file::
 
-   hostname_pn-base-files = "myhostname"
+   hostname:pn-base-files = "myhostname"
 
 Changing the default value of the variable "hostname" can be useful in
 certain situations. For example, suppose you need to do extensive
@@ -1028,7 +1037,7 @@
 will have no default hostname in the filesystem. Here is an example that
 unsets the variable in a configuration file::
 
-  hostname_pn-base-files = ""
+  hostname:pn-base-files = ""
 
 Having no default hostname in the filesystem is suitable for
 environments that use dynamic hostnames such as virtual machines.
@@ -1544,8 +1553,8 @@
 name can be found through the
 ``${``\ :term:`PN`\ ``}`` variable, then
 you specify the dependencies for the main package by setting
-``RDEPENDS_${PN}``. If the package were named ``${PN}-tools``, then you
-would set ``RDEPENDS_${PN}-tools``, and so forth.
+``RDEPENDS:${PN}``. If the package were named ``${PN}-tools``, then you
+would set ``RDEPENDS:${PN}-tools``, and so forth.
 
 Some runtime dependencies will be set automatically at packaging time.
 These dependencies include any shared library dependencies (i.e. if a
@@ -1796,7 +1805,7 @@
    sure the install portion of the build completes with no issues.
    However, if you wish to install additional files not already being
    installed by ``make install``, you should do this using a
-   ``do_install_append`` function using the install command as described
+   ``do_install:append`` function using the install command as described
    in the "Manual" bulleted item later in this list.
 
 -  *Other (using* ``make install``\ *)*: You need to define a ``do_install``
@@ -1865,9 +1874,9 @@
 
 If you are adding services and the service initialization script or the
 service file itself is not installed, you must provide for that
-installation in your recipe using a ``do_install_append`` function. If
+installation in your recipe using a ``do_install:append`` function. If
 your recipe already has a ``do_install`` function, update the function
-near its end rather than adding an additional ``do_install_append``
+near its end rather than adding an additional ``do_install:append``
 function.
 
 When you create the installation for your services, you need to
@@ -1938,7 +1947,7 @@
    discover problems, you can set
    :term:`PACKAGES`,
    :term:`FILES`,
-   ``do_install(_append)``, and so forth as needed.
+   ``do_install(:append)``, and so forth as needed.
 
 -  *Splitting an Application into Multiple Packages*: If you need to
    split an application into several packages, see the
@@ -2137,7 +2146,7 @@
 Post-installation scripts run immediately after installing a package on
 the target or during image creation when a package is included in an
 image. To add a post-installation script to a package, add a
-``pkg_postinst_``\ `PACKAGENAME`\ ``()`` function to the recipe file
+``pkg_postinst:``\ `PACKAGENAME`\ ``()`` function to the recipe file
 (``.bb``) and replace `PACKAGENAME` with the name of the package you want
 to attach to the ``postinst`` script. To apply the post-installation
 script to the main package for the recipe, which is usually what is
@@ -2147,7 +2156,7 @@
 
 A post-installation function has the following structure::
 
-   pkg_postinst_PACKAGENAME() {
+   pkg_postinst:PACKAGENAME() {
        # Commands to carry out
    }
 
@@ -2300,7 +2309,7 @@
 path. You can accomplish this by adding to the :term:`CFLAGS` variable. The
 following example shows this::
 
-   CFLAGS_prepend = "-I ${S}/include "
+   CFLAGS:prepend = "-I ${S}/include "
 
 In the following example, ``mtd-utils`` is a makefile-based package::
 
@@ -2330,9 +2339,9 @@
 
    PACKAGES =+ "mtd-utils-jffs2 mtd-utils-ubifs mtd-utils-misc"
 
-   FILES_mtd-utils-jffs2 = "${sbindir}/mkfs.jffs2 ${sbindir}/jffs2dump ${sbindir}/jffs2reader ${sbindir}/sumtool"
-   FILES_mtd-utils-ubifs = "${sbindir}/mkfs.ubifs ${sbindir}/ubi*"
-   FILES_mtd-utils-misc = "${sbindir}/nftl* ${sbindir}/ftl* ${sbindir}/rfd* ${sbindir}/doc* ${sbindir}/serve_image ${sbindir}/recv_image"
+   FILES:mtd-utils-jffs2 = "${sbindir}/mkfs.jffs2 ${sbindir}/jffs2dump ${sbindir}/jffs2reader ${sbindir}/sumtool"
+   FILES:mtd-utils-ubifs = "${sbindir}/mkfs.ubifs ${sbindir}/ubi*"
+   FILES:mtd-utils-misc = "${sbindir}/nftl* ${sbindir}/ftl* ${sbindir}/rfd* ${sbindir}/doc* ${sbindir}/serve_image ${sbindir}/recv_image"
 
    PARALLEL_MAKE = ""
 
@@ -2360,14 +2369,14 @@
    XORG_PN = "libXpm"
 
    PACKAGES =+ "sxpm cxpm"
-   FILES_cxpm = "${bindir}/cxpm"
-   FILES_sxpm = "${bindir}/sxpm"
+   FILES:cxpm = "${bindir}/cxpm"
+   FILES:sxpm = "${bindir}/sxpm"
 
 In the previous example, we want to ship the ``sxpm`` and ``cxpm``
 binaries in separate packages. Since ``bindir`` would be packaged into
 the main :term:`PN` package by default, we prepend the :term:`PACKAGES` variable
 so additional package names are added to the start of list. This results
-in the extra ``FILES_*`` variables then containing information that
+in the extra ``FILES:*`` variables then containing information that
 define which files and directories go into which packages. Files
 included by earlier packages are skipped by latter packages. Thus, the
 main :term:`PN` package does not include the above listed files.
@@ -2398,7 +2407,7 @@
 from the appropriate area. In particular, this class sets ``noexec`` on
 both the :ref:`ref-tasks-configure`
 and :ref:`ref-tasks-compile` tasks,
-sets ``FILES_${PN}`` to "/" so that it picks up all files, and sets up a
+sets ``FILES:${PN}`` to "/" so that it picks up all files, and sets up a
 :ref:`ref-tasks-install` task, which
 effectively copies all files from ``${S}`` to ``${D}``. The
 ``bin_package`` class works well when the files extracted into ``${S}``
@@ -2459,7 +2468,7 @@
 
 -  Ensure that you set up :term:`FILES`
    (usually
-   ``FILES_${``\ :term:`PN`\ ``}``) to
+   ``FILES:${``\ :term:`PN`\ ``}``) to
    point to the files you have installed, which of course depends on
    where you have installed them and whether those files are in
    different locations than the defaults.
@@ -2504,7 +2513,7 @@
 
       S = "${WORKDIR}/postfix-${PV}"
       CFLAGS += "-DNO_ASM"
-      SRC_URI_append = " file://fixup.patch"
+      SRC_URI:append = " file://fixup.patch"
 
 -  *Functions:* Functions provide a series of actions to be performed.
    You usually use functions to override the default implementation of a
@@ -2631,7 +2640,7 @@
 
       VAR =+ "Starts"
 
--  *Appending (_append):* Use the ``_append`` operator to append values
+-  *Appending (:append):* Use the ``:append`` operator to append values
    to existing variables. This operator does not add any additional
    space. Also, the operator is applied after all the ``+=``, and ``=+``
    operators have been applied and after all ``=`` assignments have
@@ -2641,15 +2650,15 @@
    start to ensure the appended value is not merged with the existing
    value::
 
-      SRC_URI_append = " file://fix-makefile.patch"
+      SRC_URI:append = " file://fix-makefile.patch"
 
    You can also use
-   the ``_append`` operator with overrides, which results in the actions
+   the ``:append`` operator with overrides, which results in the actions
    only being performed for the specified target or machine::
 
-      SRC_URI_append_sh4 = " file://fix-makefile.patch"
+      SRC_URI:append:sh4 = " file://fix-makefile.patch"
 
--  *Prepending (_prepend):* Use the ``_prepend`` operator to prepend
+-  *Prepending (:prepend):* Use the ``:prepend`` operator to prepend
    values to existing variables. This operator does not add any
    additional space. Also, the operator is applied after all the ``+=``,
    and ``=+`` operators have been applied and after all ``=``
@@ -2659,13 +2668,13 @@
    end to ensure the prepended value is not merged with the existing
    value::
 
-      CFLAGS_prepend = "-I${S}/myincludes "
+      CFLAGS:prepend = "-I${S}/myincludes "
 
    You can also use the
-   ``_prepend`` operator with overrides, which results in the actions
+   ``:prepend`` operator with overrides, which results in the actions
    only being performed for the specified target or machine::
 
-      CFLAGS_prepend_sh4 = "-I${S}/myincludes "
+      CFLAGS:prepend:sh4 = "-I${S}/myincludes "
 
 -  *Overrides:* You can use overrides to set a value conditionally,
    typically based on how the recipe is being built. For example, to set
@@ -2676,7 +2685,7 @@
    you would do the following::
 
       KBRANCH = "standard/base"
-      KBRANCH_qemuarm = "standard/arm-versatile-926ejs"
+      KBRANCH:qemuarm = "standard/arm-versatile-926ejs"
 
    Overrides are also used to separate
    alternate values of a variable in other situations. For example, when
@@ -2951,7 +2960,7 @@
          If your distro does not enable by default ptest, which Poky
          does, you need the following in your ``local.conf`` file::
 
-                 DISTRO_FEATURES_append = " ptest"
+                 DISTRO_FEATURES:append = " ptest"
 
 
 6. *Optionally Start a vncserver:* If you are running in a server
@@ -4301,7 +4310,7 @@
 your ``local.conf`` file::
 
    INHERIT += "externalsrc"
-   EXTERNALSRC_pn-myrecipe = "path-to-your-source-tree"
+   EXTERNALSRC:pn-myrecipe = "path-to-your-source-tree"
 
 This next example shows how to accomplish the same thing by setting
 :term:`EXTERNALSRC` in the recipe itself or in the recipe's append file::
@@ -4323,7 +4332,7 @@
 :term:`EXTERNALSRC_BUILD`
 to point to that directory::
 
-   EXTERNALSRC_BUILD_pn-myrecipe = "path-to-your-source-tree"
+   EXTERNALSRC_BUILD:pn-myrecipe = "path-to-your-source-tree"
 
 Replicating a Build Offline
 ---------------------------
@@ -4538,7 +4547,7 @@
    exceptions::
 
       STATICLIBCONF = "--disable-static"
-      STATICLIBCONF_sqlite3-native = ""
+      STATICLIBCONF:sqlite3-native = ""
       EXTRA_OECONF += "${STATICLIBCONF}"
 
    .. note::
@@ -4578,7 +4587,7 @@
 the built library.
 
 The :term:`PACKAGES` and
-:term:`FILES_* <FILES>` variables in the
+:term:`FILES:* <FILES>` variables in the
 ``meta/conf/bitbake.conf`` configuration file define how files installed
 by the ``do_install`` task are packaged. By default, the :term:`PACKAGES`
 variable includes ``${PN}-staticdev``, which represents all static
@@ -4597,7 +4606,7 @@
    PACKAGES_DYNAMIC = "^${PN}-locale-.*"
    FILES = ""
 
-   FILES_${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*${SOLIBS} \
+   FILES:${PN} = "${bindir}/* ${sbindir}/* ${libexecdir}/* ${libdir}/lib*${SOLIBS} \
                ${sysconfdir} ${sharedstatedir} ${localstatedir} \
                ${base_bindir}/* ${base_sbindir}/* \
                ${base_libdir}/*${SOLIBS} \
@@ -4607,24 +4616,24 @@
                ${datadir}/idl ${datadir}/omf ${datadir}/sounds \
                ${libdir}/bonobo/servers"
 
-   FILES_${PN}-bin = "${bindir}/* ${sbindir}/*"
+   FILES:${PN}-bin = "${bindir}/* ${sbindir}/*"
 
-   FILES_${PN}-doc = "${docdir} ${mandir} ${infodir} ${datadir}/gtk-doc \
+   FILES:${PN}-doc = "${docdir} ${mandir} ${infodir} ${datadir}/gtk-doc \
                ${datadir}/gnome/help"
-   SECTION_${PN}-doc = "doc"
+   SECTION:${PN}-doc = "doc"
 
    FILES_SOLIBSDEV ?= "${base_libdir}/lib*${SOLIBSDEV} ${libdir}/lib*${SOLIBSDEV}"
-   FILES_${PN}-dev = "${includedir} ${FILES_SOLIBSDEV} ${libdir}/*.la \
+   FILES:${PN}-dev = "${includedir} ${FILES_SOLIBSDEV} ${libdir}/*.la \
                    ${libdir}/*.o ${libdir}/pkgconfig ${datadir}/pkgconfig \
                    ${datadir}/aclocal ${base_libdir}/*.o \
                    ${libdir}/${BPN}/*.la ${base_libdir}/*.la"
-   SECTION_${PN}-dev = "devel"
-   ALLOW_EMPTY_${PN}-dev = "1"
-   RDEPENDS_${PN}-dev = "${PN} (= ${EXTENDPKGV})"
+   SECTION:${PN}-dev = "devel"
+   ALLOW_EMPTY:${PN}-dev = "1"
+   RDEPENDS:${PN}-dev = "${PN} (= ${EXTENDPKGV})"
 
-   FILES_${PN}-staticdev = "${libdir}/*.a ${base_libdir}/*.a ${libdir}/${BPN}/*.a"
-   SECTION_${PN}-staticdev = "devel"
-   RDEPENDS_${PN}-staticdev = "${PN}-dev (= ${EXTENDPKGV})"
+   FILES:${PN}-staticdev = "${libdir}/*.a ${base_libdir}/*.a ${libdir}/${BPN}/*.a"
+   SECTION:${PN}-staticdev = "devel"
+   RDEPENDS:${PN}-staticdev = "${PN}-dev (= ${EXTENDPKGV})"
 
 Combining Multiple Versions of Library Files into One Image
 -----------------------------------------------------------
@@ -4701,8 +4710,8 @@
    MACHINE = "qemux86-64"
    require conf/multilib.conf
    MULTILIBS = "multilib:lib32"
-   DEFAULTTUNE_virtclass-multilib-lib32 = "x86"
-   IMAGE_INSTALL_append = "lib32-glib-2.0"
+   DEFAULTTUNE:virtclass-multilib-lib32 = "x86"
+   IMAGE_INSTALL:append = "lib32-glib-2.0"
 
 This example enables an additional library named
 ``lib32`` alongside the normal target packages. When combining these
@@ -4749,7 +4758,7 @@
    :term:`Build Directory`. For
    example, consider ``lib32`` in a ``qemux86-64`` image. The possible
    architectures in the system are "all", "qemux86_64",
-   "lib32_qemux86_64", and "lib32_x86".
+   "lib32:qemux86_64", and "lib32:x86".
 
 -  The ``${MLPREFIX}`` variable is stripped from ``${PN}`` during RPM
    packaging. The naming for a normal RPM package and a Multilib RPM
@@ -4768,7 +4777,7 @@
 -  The ``${MLPREFIX}`` is not stripped from ``${PN}`` during IPK
    packaging. The naming for a normal RPM package and a Multilib IPK
    package in a ``qemux86-64`` system resolves to something like
-   ``bash_4.1-r2.x86_64.ipk`` and ``lib32-bash_4.1-rw_x86.ipk``,
+   ``bash_4.1-r2.x86_64.ipk`` and ``lib32-bash_4.1-rw:x86.ipk``,
    respectively.
 
 -  The IPK deploy folder is not modified with ``${MLPREFIX}`` because
@@ -4857,7 +4866,7 @@
 
    MACHINE = "qemux86-64"
    DEFAULTTUNE = "x86-64-x32"
-   baselib = "${@d.getVar('BASE_LIB_tune-' + (d.getVar('DEFAULTTUNE') \
+   baselib = "${@d.getVar('BASE_LIB:tune-' + (d.getVar('DEFAULTTUNE') \
        or 'INVALID')) or 'lib'}"
 
 Once you have set
@@ -6085,7 +6094,7 @@
 
    -  Add a ``psplash`` append file for a branded splash screen. For
       information on append files, see the
-      ":ref:`dev-manual/common-tasks:using .bbappend files in your layer`"
+      ":ref:`dev-manual/common-tasks:appending other layers metadata with your layer`"
       section.
 
    -  Add any other append files to make custom changes that are
@@ -6510,11 +6519,11 @@
 a pattern of files or directories under a specified path and creates a
 package for each one it finds by appending to the
 :term:`PACKAGES` variable and
-setting the appropriate values for ``FILES_packagename``,
-``RDEPENDS_packagename``, ``DESCRIPTION_packagename``, and so forth.
+setting the appropriate values for ``FILES:packagename``,
+``RDEPENDS:packagename``, ``DESCRIPTION:packagename``, and so forth.
 Here is an example from the ``lighttpd`` recipe::
 
-   python populate_packages_prepend () {
+   python populate_packages:prepend () {
        lighttpd_libdir = d.expand('${libdir}')
        do_split_packages(d, lighttpd_libdir, '^mod_(.*).so$',
                         'lighttpd-module-%s', 'Lighttpd module for %s',
@@ -6618,7 +6627,7 @@
       instead of the default False which appends them
    match_path
       match file_regex on the whole relative path to
-      the root rather than just the file name
+      the root rather than just the filename
    aux_files_pattern_verbatim
       Extra item(s) to be added to FILES for each
       package, using the actual derived module name
@@ -7101,7 +7110,7 @@
 variables to your ``local.conf`` file, which is found in the
 :term:`Build Directory`::
 
-   DISTRO_FEATURES_append = " ptest"
+   DISTRO_FEATURES:append = " ptest"
    EXTRA_IMAGE_FEATURES += "ptest-pkgs"
 
 Once your build is complete, the ptest files are installed into the
@@ -7145,7 +7154,7 @@
    your recipe in order for the package to meet the dependencies. Here
    is an example where the package has a runtime dependency on "make"::
 
-      RDEPENDS_${PN}-ptest += "make"
+      RDEPENDS:${PN}-ptest += "make"
 
 -  *Add a function to build the test suite:* Not many packages support
    cross-compilation of their test suites. Consequently, you usually
@@ -7289,11 +7298,11 @@
        "
    S = "${WORKDIR}/npm"
    inherit npm
-   LICENSE_${PN} = "MIT"
-   LICENSE_${PN}-accepts = "MIT"
-   LICENSE_${PN}-array-flatten = "MIT"
+   LICENSE:${PN} = "MIT"
+   LICENSE:${PN}-accepts = "MIT"
+   LICENSE:${PN}-array-flatten = "MIT"
    ...
-   LICENSE_${PN}-vary = "MIT"
+   LICENSE:${PN}-vary = "MIT"
 
 Here are three key points in the previous example:
 
@@ -7389,11 +7398,11 @@
 set it for a specific package type and/or package. Note that the order
 of precedence is the same as this list:
 
--  ``PACKAGE_ADD_METADATA_<PKGTYPE>_<PN>``
+-  ``PACKAGE_ADD_METADATA_<PKGTYPE>:<PN>``
 
 -  ``PACKAGE_ADD_METADATA_<PKGTYPE>``
 
--  ``PACKAGE_ADD_METADATA_<PN>``
+-  ``PACKAGE_ADD_METADATA:<PN>``
 
 -  :term:`PACKAGE_ADD_METADATA`
 
@@ -7523,7 +7532,7 @@
 
 Set these variables in your distribution configuration file as follows::
 
-   DISTRO_FEATURES_append = " systemd"
+   DISTRO_FEATURES:append = " systemd"
    VIRTUAL-RUNTIME_init_manager = "systemd"
 
 You can also prevent the SysVinit distribution feature from
@@ -7547,7 +7556,7 @@
 
 Set these variables in your distribution configuration file as follows::
 
-   DISTRO_FEATURES_append = " systemd"
+   DISTRO_FEATURES:append = " systemd"
    VIRTUAL-RUNTIME_init_manager = "systemd"
 
 Doing so causes your main image to use the
@@ -7646,7 +7655,7 @@
 Then, you can add the following to your
 ``local.conf``::
 
-   SRCREV_pn-PN = "${AUTOREV}"
+   SRCREV:pn-PN = "${AUTOREV}"
 
 :term:`PN` is the name of the recipe for
 which you want to enable automatic source revision updating.
@@ -7664,22 +7673,22 @@
 This line pulls in the
 listed include file that contains numerous lines of exactly that form::
 
-   #SRCREV_pn-opkg-native ?= "${AUTOREV}"
-   #SRCREV_pn-opkg-sdk ?= "${AUTOREV}"
-   #SRCREV_pn-opkg ?= "${AUTOREV}"
-   #SRCREV_pn-opkg-utils-native ?= "${AUTOREV}"
-   #SRCREV_pn-opkg-utils ?= "${AUTOREV}"
-   SRCREV_pn-gconf-dbus ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-common ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-config-gtk ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-desktop ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-keyboard ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-panel-2 ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-themes-extra ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-terminal ?= "${AUTOREV}"
-   SRCREV_pn-matchbox-wm ?= "${AUTOREV}"
-   SRCREV_pn-settings-daemon ?= "${AUTOREV}"
-   SRCREV_pn-screenshot ?= "${AUTOREV}"
+   #SRCREV:pn-opkg-native ?= "${AUTOREV}"
+   #SRCREV:pn-opkg-sdk ?= "${AUTOREV}"
+   #SRCREV:pn-opkg ?= "${AUTOREV}"
+   #SRCREV:pn-opkg-utils-native ?= "${AUTOREV}"
+   #SRCREV:pn-opkg-utils ?= "${AUTOREV}"
+   SRCREV:pn-gconf-dbus ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-common ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-config-gtk ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-desktop ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-keyboard ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-panel-2 ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-themes-extra ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-terminal ?= "${AUTOREV}"
+   SRCREV:pn-matchbox-wm ?= "${AUTOREV}"
+   SRCREV:pn-settings-daemon ?= "${AUTOREV}"
+   SRCREV:pn-screenshot ?= "${AUTOREV}"
    . . .
 
 These lines allow you to
@@ -7737,9 +7746,9 @@
 (``pkg_postinst``) scripts for packages that are installed into the
 image can be run at the time when the root filesystem is created during
 the build on the host system. These scripts cannot attempt to run during
-first-boot on the target device. With the "read-only-rootfs" feature
-enabled, the build system checks during root filesystem creation to make
-sure all post-installation scripts succeed. If any of these scripts
+the first boot on the target device. With the "read-only-rootfs" feature
+enabled, the build system makes sure that all post-installation scripts
+succeed at file system creation time. If any of these scripts
 still need to be run after the root filesystem is created, the build
 immediately fails. These build-time checks ensure that the build fails
 rather than the target device fails later during its initial boot
@@ -7922,25 +7931,25 @@
 
    $ buildhistory-collect-srcrevs -a
    # i586-poky-linux
-   SRCREV_pn-glibc = "b8079dd0d360648e4e8de48656c5c38972621072"
-   SRCREV_pn-glibc-initial = "b8079dd0d360648e4e8de48656c5c38972621072"
-   SRCREV_pn-opkg-utils = "53274f087565fd45d8452c5367997ba6a682a37a"
-   SRCREV_pn-kmod = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
+   SRCREV:pn-glibc = "b8079dd0d360648e4e8de48656c5c38972621072"
+   SRCREV:pn-glibc-initial = "b8079dd0d360648e4e8de48656c5c38972621072"
+   SRCREV:pn-opkg-utils = "53274f087565fd45d8452c5367997ba6a682a37a"
+   SRCREV:pn-kmod = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
    # x86_64-linux
-   SRCREV_pn-gtk-doc-stub-native = "1dea266593edb766d6d898c79451ef193eb17cfa"
-   SRCREV_pn-dtc-native = "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf"
-   SRCREV_pn-update-rc.d-native = "eca680ddf28d024954895f59a241a622dd575c11"
-   SRCREV_glibc_pn-cross-localedef-native = "b8079dd0d360648e4e8de48656c5c38972621072"
-   SRCREV_localedef_pn-cross-localedef-native = "c833367348d39dad7ba018990bfdaffaec8e9ed3"
-   SRCREV_pn-prelink-native = "faa069deec99bf61418d0bab831c83d7c1b797ca"
-   SRCREV_pn-opkg-utils-native = "53274f087565fd45d8452c5367997ba6a682a37a"
-   SRCREV_pn-kern-tools-native = "23345b8846fe4bd167efdf1bd8a1224b2ba9a5ff"
-   SRCREV_pn-kmod-native = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
+   SRCREV:pn-gtk-doc-stub-native = "1dea266593edb766d6d898c79451ef193eb17cfa"
+   SRCREV:pn-dtc-native = "65cc4d2748a2c2e6f27f1cf39e07a5dbabd80ebf"
+   SRCREV:pn-update-rc.d-native = "eca680ddf28d024954895f59a241a622dd575c11"
+   SRCREV_glibc:pn-cross-localedef-native = "b8079dd0d360648e4e8de48656c5c38972621072"
+   SRCREV_localedef:pn-cross-localedef-native = "c833367348d39dad7ba018990bfdaffaec8e9ed3"
+   SRCREV:pn-prelink-native = "faa069deec99bf61418d0bab831c83d7c1b797ca"
+   SRCREV:pn-opkg-utils-native = "53274f087565fd45d8452c5367997ba6a682a37a"
+   SRCREV:pn-kern-tools-native = "23345b8846fe4bd167efdf1bd8a1224b2ba9a5ff"
+   SRCREV:pn-kmod-native = "fd56638aed3fe147015bfa10ed4a5f7491303cb4"
    # qemux86-poky-linux
-   SRCREV_machine_pn-linux-yocto = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
-   SRCREV_meta_pn-linux-yocto = "a227f20eff056e511d504b2e490f3774ab260d6f"
+   SRCREV_machine:pn-linux-yocto = "38cd560d5022ed2dbd1ab0dca9642e47c98a0aa1"
+   SRCREV_meta:pn-linux-yocto = "a227f20eff056e511d504b2e490f3774ab260d6f"
    # all-poky-linux
-   SRCREV_pn-update-rc.d = "eca680ddf28d024954895f59a241a622dd575c11"
+   SRCREV:pn-update-rc.d = "eca680ddf28d024954895f59a241a622dd575c11"
 
 .. note::
 
@@ -8564,11 +8573,11 @@
 
 -  The default tests for the image are defined as::
 
-      DEFAULT_TEST_SUITES_pn-image = "ping ssh df connman syslog xorg scp vnc date rpm dnf dmesg"
+      DEFAULT_TEST_SUITES:pn-image = "ping ssh df connman syslog xorg scp vnc date rpm dnf dmesg"
 
 -  Add your own test to the list of the by using the following::
 
-      TEST_SUITES_append = " mytest"
+      TEST_SUITES:append = " mytest"
 
 -  Run a specific list of tests as follows::
 
@@ -8941,7 +8950,7 @@
 -  After the variable values, all functions appear in the output. For
    shell functions, variables referenced within the function body are
    expanded. If a function has been modified using overrides or using
-   override-style operators like ``_append`` and ``_prepend``, then the
+   override-style operators like ``:append`` and ``:prepend``, then the
    final assembled function body appears in the output.
 
 Viewing Package Information with ``oe-pkgdata-util``
@@ -9715,7 +9724,7 @@
    (it already is in ``OpenEmbedded-core`` defaults and ``poky`` reference distribution).
    If not, set in your distro config file or in ``local.conf``::
 
-      DISTRO_FEATURES_append = " debuginfod"
+      DISTRO_FEATURES:append = " debuginfod"
 
    This distro feature enables the server and client library in ``elfutils``,
    and enables ``debuginfod`` support in clients (at the moment, ``gdb`` and ``binutils``).
@@ -9802,7 +9811,7 @@
    Make the following addition in either your ``local.conf`` file or in
    an image recipe::
 
-      IMAGE_INSTALL_append = " gdbserver"
+      IMAGE_INSTALL:append = " gdbserver"
 
    The change makes
    sure the ``gdbserver`` package is included.
@@ -9938,21 +9947,21 @@
 -  Ensure that GDB is on the target. You can do this by adding "gdb" to
    :term:`IMAGE_INSTALL`::
 
-      IMAGE_INSTALL_append = " gdb"
+      IMAGE_INSTALL:append = " gdb"
 
    Alternatively, you can add "tools-debug" to :term:`IMAGE_FEATURES`::
 
-      IMAGE_FEATURES_append = " tools-debug"
+      IMAGE_FEATURES:append = " tools-debug"
 
 -  Ensure that debug symbols are present. You can make sure these
    symbols are present by installing ``-dbg``::
 
-      IMAGE_INSTALL_append = "packagename-dbg"
+      IMAGE_INSTALL:append = "packagename-dbg"
 
    Alternatively, you can do the following to include
    all the debug symbols::
 
-      IMAGE_FEATURES_append = " dbg-pkgs"
+      IMAGE_FEATURES:append = " dbg-pkgs"
 
 .. note::
 
@@ -11131,6 +11140,75 @@
 The :term:`CVE_PRODUCT` variable defines the name used to match the recipe name
 against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 
+Editing recipes to fix vulnerabilities
+--------------------------------------
+
+To fix a given known vulnerability, you need to add a patch file to your recipe. Here's
+an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
+
+   SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
+              file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
+              file://fix-CVE-2020-20446.patch \
+              file://fix-CVE-2020-20453.patch \
+              file://fix-CVE-2020-22015.patch \
+              file://fix-CVE-2020-22021.patch \
+              file://fix-CVE-2020-22033-CVE-2020-22019.patch \
+              file://fix-CVE-2021-33815.patch \
+
+The :ref:`cve-check <ref-classes-cve-check>` class defines two ways of
+supplying a patch for a given CVE. The first
+way is to use a patch filename that matches the below pattern::
+
+   cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
+As shown in the example above, multiple CVE IDs can appear in a patch filename,
+but the :ref:`cve-check <ref-classes-cve-check>` class will only consider
+the last CVE ID in the filename as patched.
+
+The second way to recognize a patched CVE ID is when a line matching the
+below pattern is found in any patch file provided by the recipe::
+
+  cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+This allows a single patch file to address multiple CVE IDs at the same time.
+
+Of course, another way to fix vulnerabilities is to upgrade to a version
+of the package which is not impacted, typically a more recent one.
+The NIST database knows which versions are vulnerable and which ones
+are not.
+
+Last but not least, you can choose to ignore vulnerabilities through
+the :term:`CVE_CHECK_PN_WHITELIST` and :term:`CVE_CHECK_WHITELIST`
+variables.
+
+Implementation details
+----------------------
+
+Here's what the :ref:`cve-check <ref-classes-cve-check>` class does to
+find unpatched CVE IDs.
+
+First the code goes through each patch file provided by a recipe. If a valid CVE ID
+is found in the name of the file, the corresponding CVE is considered as patched.
+Don't forget that if multiple CVE IDs are found in the filename, only the last
+one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch
+file. The found CVE IDs are also considered as patched.
+
+Then, the code looks up all the CVE IDs in the NIST database for all the
+products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
+
+ - If the package name (:term:`PN`) is part of
+   :term:`CVE_CHECK_PN_WHITELIST`, it is considered as patched.
+
+ - If the CVE ID is part of :term:`CVE_CHECK_WHITELIST`, it is
+   considered as patched too.
+
+ - If the CVE ID is part of the patched CVE for the recipe, it is
+   already considered as patched.
+
+ - Otherwise, the code checks whether the recipe version (:term:`PV`)
+   is within the range of versions impacted by the CVE. If so, the CVE
+   is considered as unpatched.
+
 The CVE database is stored in :term:`DL_DIR` and can be inspected using
 ``sqlite3`` command as follows::
 
@@ -11274,7 +11352,7 @@
 :term:`DISTRO_FEATURES`
 statement in your ``local.conf`` file::
 
-   DISTRO_FEATURES_append = " wayland"
+   DISTRO_FEATURES:append = " wayland"
 
 .. note::
 
diff --git a/poky/documentation/kernel-dev/advanced.rst b/poky/documentation/kernel-dev/advanced.rst
index 871ec8a..2dbcca6 100644
--- a/poky/documentation/kernel-dev/advanced.rst
+++ b/poky/documentation/kernel-dev/advanced.rst
@@ -69,7 +69,7 @@
    You can use the :term:`KBRANCH` value to define an alternate branch typically
    with a machine override as shown here from the ``meta-yocto-bsp`` layer::
 
-           KBRANCH_edgerouter = "standard/edgerouter"
+           KBRANCH:edgerouter = "standard/edgerouter"
 
 
 The linux-yocto style recipes can optionally define the following
@@ -113,7 +113,7 @@
 feature called "cfg/sound.scc" just for the ``qemux86`` machine,
 specify::
 
-   KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc"
+   KERNEL_FEATURES:append:qemux86 = " cfg/sound.scc"
 
 The value of
 the entries in :term:`KERNEL_FEATURES` are dependent on their location
@@ -724,7 +724,7 @@
 ``*.scc`` in the :term:`SRC_URI` statement. You need to use the following
 form from your kernel append file::
 
-   SRC_URI_append_myplatform = " \
+   SRC_URI:append:myplatform = " \
        file://myplatform;type=kmeta;destsuffix=myplatform \
        "
 
diff --git a/poky/documentation/kernel-dev/common.rst b/poky/documentation/kernel-dev/common.rst
index a97140b..d42ca5f 100644
--- a/poky/documentation/kernel-dev/common.rst
+++ b/poky/documentation/kernel-dev/common.rst
@@ -416,16 +416,16 @@
    kernel. Thus, the name of the append file is
    ``linux-yocto_4.12.bbappend``::
 
-      FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+      FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
-      SRC_URI_append = " file://patch-file-one.patch"
-      SRC_URI_append = " file://patch-file-two.patch"
-      SRC_URI_append = " file://patch-file-three.patch"
+      SRC_URI:append = " file://patch-file-one.patch"
+      SRC_URI:append = " file://patch-file-two.patch"
+      SRC_URI:append = " file://patch-file-three.patch"
 
    The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements
    enable the OpenEmbedded build system to find patch files. For more
    information on using append files, see the
-   ":ref:`dev-manual/common-tasks:using .bbappend files in your layer`"
+   ":ref:`dev-manual/common-tasks:appending other layers metadata with your layer`"
    section in the Yocto Project Development Tasks Manual.
 
 Modifying an Existing Recipe
@@ -469,7 +469,7 @@
 :term:`FILESEXTRAPATHS`
 variable as follows::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
 The path ``${``\ :term:`THISDIR`\ ``}/${``\ :term:`PN`\ ``}``
 expands to "linux-yocto" in the current directory for this example. If
@@ -496,29 +496,29 @@
 strings in the file from the ``meta-yocto-bsp`` layer upstream.
 ::
 
-   KBRANCH_genericx86  = "standard/base"
-   KBRANCH_genericx86-64  = "standard/base"
+   KBRANCH:genericx86  = "standard/base"
+   KBRANCH:genericx86-64  = "standard/base"
 
-   KMACHINE_genericx86 ?= "common-pc"
-   KMACHINE_genericx86-64 ?= "common-pc-64"
-   KBRANCH_edgerouter = "standard/edgerouter"
-   KBRANCH_beaglebone = "standard/beaglebone"
+   KMACHINE:genericx86 ?= "common-pc"
+   KMACHINE:genericx86-64 ?= "common-pc-64"
+   KBRANCH:edgerouter = "standard/edgerouter"
+   KBRANCH:beaglebone = "standard/beaglebone"
 
-   SRCREV_machine_genericx86    ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
-   SRCREV_machine_genericx86-64 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
-   SRCREV_machine_edgerouter ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
-   SRCREV_machine_beaglebone ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
+   SRCREV_machine:genericx86    ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
+   SRCREV_machine:genericx86-64 ?= "d09f2ce584d60ecb7890550c22a80c48b83c2e19"
+   SRCREV_machine:edgerouter ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
+   SRCREV_machine:beaglebone ?= "b5c8cfda2dfe296410d51e131289fb09c69e1e7d"
 
 
-   COMPATIBLE_MACHINE_genericx86 = "genericx86"
-   COMPATIBLE_MACHINE_genericx86-64 = "genericx86-64"
-   COMPATIBLE_MACHINE_edgerouter = "edgerouter"
-   COMPATIBLE_MACHINE_beaglebone = "beaglebone"
+   COMPATIBLE_MACHINE:genericx86 = "genericx86"
+   COMPATIBLE_MACHINE:genericx86-64 = "genericx86-64"
+   COMPATIBLE_MACHINE:edgerouter = "edgerouter"
+   COMPATIBLE_MACHINE:beaglebone = "beaglebone"
 
-   LINUX_VERSION_genericx86 = "4.12.7"
-   LINUX_VERSION_genericx86-64 = "4.12.7"
-   LINUX_VERSION_edgerouter = "4.12.10"
-   LINUX_VERSION_beaglebone = "4.12.10"
+   LINUX_VERSION:genericx86 = "4.12.7"
+   LINUX_VERSION:genericx86-64 = "4.12.7"
+   LINUX_VERSION:edgerouter = "4.12.10"
+   LINUX_VERSION:beaglebone = "4.12.10"
 
 This append file
 contains statements used to support several BSPs that ship with the
@@ -640,7 +640,7 @@
 directory, and rename the copied file to "defconfig". Then, add the
 following lines to the linux-yocto ``.bbappend`` file in your layer::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
    SRC_URI += "file://defconfig"
 
 The :term:`SRC_URI` tells the build system how to search
@@ -687,7 +687,7 @@
 configuration fragment and extend the :term:`FILESPATH` variable in your
 ``.bbappend`` file::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
    SRC_URI += "file://8250.cfg"
 
 The next time you run BitBake to build the
@@ -726,7 +726,7 @@
 and provides the path to the "in-tree" ``defconfig`` file to be used for
 a Raspberry Pi 2, which is based on the Broadcom 2708/2709 chipset::
 
-   KBUILD_DEFCONFIG_raspberrypi2 ?= "bcm2709_defconfig"
+   KBUILD_DEFCONFIG:raspberrypi2 ?= "bcm2709_defconfig"
 
 Aside from modifying your kernel recipe and providing your own
 ``defconfig`` file, you need to be sure no files or statements set
@@ -988,10 +988,10 @@
 
    Add the following to the ``local.conf``::
 
-      SRC_URI_pn-linux-yocto = "git:///path-to/linux-yocto-4.12;protocol=file;name=machine;branch=standard/base; \
+      SRC_URI:pn-linux-yocto = "git:///path-to/linux-yocto-4.12;protocol=file;name=machine;branch=standard/base; \
                                 git:///path-to/yocto-kernel-cache;protocol=file;type=kmeta;name=meta;branch=yocto-4.12;destsuffix=${KMETA}"
-      SRCREV_meta_qemux86 = "${AUTOREV}"
-      SRCREV_machine_qemux86 = "${AUTOREV}"
+      SRCREV_meta:qemux86 = "${AUTOREV}"
+      SRCREV_machine:qemux86 = "${AUTOREV}"
 
    .. note::
 
@@ -1061,8 +1061,8 @@
    must be named ``linux-yocto_4.12.bbappend`` and have the following
    contents::
 
-      FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-      SRC_URI_append = "file://0001-calibrate.c-Added-some-printk-statements.patch"
+      FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
+      SRC_URI:append = "file://0001-calibrate.c-Added-some-printk-statements.patch"
 
    The :term:`FILESEXTRAPATHS` and :term:`SRC_URI` statements
    enable the OpenEmbedded build system to find the patch file.
@@ -1070,7 +1070,7 @@
    For more information on append files and patches, see the
    ":ref:`kernel-dev/common:creating the append file`" and
    ":ref:`kernel-dev/common:applying patches`" sections. You can also see the
-   ":ref:`dev-manual/common-tasks:using .bbappend files in your layer`"
+   ":ref:`dev-manual/common-tasks:appending other layers metadata with your layer`"
    section in the Yocto Project Development Tasks Manual.
 
    .. note::
@@ -1237,7 +1237,7 @@
 add the following lines to the linux-yocto ``.bbappend`` file in your
 layer::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
    SRC_URI += "file://defconfig"
 
 The :term:`SRC_URI` tells the build system how to search for the file, while the
@@ -1345,7 +1345,7 @@
 statements to the kernel's append file, those configuration options will
 be picked up and applied when the kernel is built::
 
-   FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+   FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
    SRC_URI += "file://myconfig.cfg"
 
 As mentioned earlier, you can group related configurations into multiple
@@ -1939,7 +1939,7 @@
 2. *Add the Feature File to SRC_URI:* Add the ``.scc`` file to the
    recipe's :term:`SRC_URI` statement::
 
-      SRC_URI_append = " file://test.scc"
+      SRC_URI:append = " file://test.scc"
 
    The leading space before the path is important as the path is
    appended to the existing path.
@@ -1948,7 +1948,7 @@
    :term:`KERNEL_FEATURES` statement to specify the feature as a kernel
    feature::
 
-      KERNEL_FEATURES_append = " test.scc"
+      KERNEL_FEATURES:append = " test.scc"
 
    The OpenEmbedded build
    system processes the kernel feature when it builds the kernel.
diff --git a/poky/documentation/kernel-dev/faq.rst b/poky/documentation/kernel-dev/faq.rst
index f0a7af3..5aa702a 100644
--- a/poky/documentation/kernel-dev/faq.rst
+++ b/poky/documentation/kernel-dev/faq.rst
@@ -36,9 +36,9 @@
 The kernel image (e.g. ``vmlinuz``) is provided by the
 ``kernel-image`` package. Image recipes depend on ``kernel-base``. To
 specify whether or not the kernel image is installed in the generated
-root filesystem, override ``RDEPENDS_${KERNEL_PACKAGE_NAME}-base`` to include or not
+root filesystem, override ``RDEPENDS:${KERNEL_PACKAGE_NAME}-base`` to include or not
 include "kernel-image". See the
-":ref:`dev-manual/common-tasks:using .bbappend files in your layer`"
+":ref:`dev-manual/common-tasks:appending other layers metadata with your layer`"
 section in the
 Yocto Project Development Tasks Manual for information on how to use an
 append file to override metadata.
diff --git a/poky/documentation/migration-guides/migration-1.4.rst b/poky/documentation/migration-guides/migration-1.4.rst
index 3f98091..baf3c08 100644
--- a/poky/documentation/migration-guides/migration-1.4.rst
+++ b/poky/documentation/migration-guides/migration-1.4.rst
@@ -83,7 +83,7 @@
 you can find in the :term:`Source Directory` at
 ``meta/recipes-core/init-ifupdown``. For information on how to use
 append files, see the
-":ref:`dev-manual/common-tasks:using .bbappend files in your layer`"
+":ref:`dev-manual/common-tasks:appending other layers metadata with your layer`"
 section in the Yocto Project Development Tasks Manual.
 
 .. _migration-1.4-remote-debugging:
diff --git a/poky/documentation/migration-guides/migration-1.5.rst b/poky/documentation/migration-guides/migration-1.5.rst
index e1ba4a9..11c8212 100644
--- a/poky/documentation/migration-guides/migration-1.5.rst
+++ b/poky/documentation/migration-guides/migration-1.5.rst
@@ -144,7 +144,7 @@
 
 BitBake will now shorten revisions from Git repositories from the normal
 40 characters down to 10 characters within :term:`SRCPV`
-for improved usability in path and file names. This change should be
+for improved usability in path and filenames. This change should be
 safe within contexts where these revisions are used because the chances
 of spatially close collisions is very low. Distant collisions are not a
 major issue in the way the values are used.
diff --git a/poky/documentation/migration-guides/migration-3.4.rst b/poky/documentation/migration-guides/migration-3.4.rst
index 6fa1ab2..e83e936 100644
--- a/poky/documentation/migration-guides/migration-3.4.rst
+++ b/poky/documentation/migration-guides/migration-3.4.rst
@@ -56,6 +56,13 @@
 case where some code does use them as overrides but some does not. We plan to try
 and make the tune code use overrides more consistently in the future.
 
+There are some variables which do not use override syntax which include the
+suffix to variables in ``layer.conf`` files such as :term:`BBFILE_PATTERN`,
+:term:`SRCREV`\ ``_xxx`` where ``xxx`` is a name from :term:`SRC_URI` and
+:term:`PREFERRED_VERSION`\ ``_xxx``. In particular, ``layer.conf`` suffixes
+may be the same as a :term:`DISTRO` override causing some confusion. We do
+plan to try and improve consistency as these issues are identified.
+
 To help with migration of layers there is a script in OE-Core. Once configured
 with the overrides used by a layer, this can be run as::
 
diff --git a/poky/documentation/overview-manual/concepts.rst b/poky/documentation/overview-manual/concepts.rst
index 4f8e6cb..c8b8988 100644
--- a/poky/documentation/overview-manual/concepts.rst
+++ b/poky/documentation/overview-manual/concepts.rst
@@ -1768,15 +1768,12 @@
 generators is to make some dependency and hash information available to
 the build. This information includes:
 
--  ``BB_BASEHASH_task-``\ taskname: The base hashes for each task in the
+-  ``BB_BASEHASH:task-``\ taskname: The base hashes for each task in the
    recipe.
 
 -  ``BB_BASEHASH_``\ filename\ ``:``\ taskname: The base hashes for each
    dependent task.
 
--  ``BBHASHDEPS_``\ filename\ ``:``\ taskname: The task dependencies for
-   each task.
-
 -  :term:`BB_TASKHASH`: The hash of the currently running task.
 
 Shared State
@@ -2027,7 +2024,7 @@
    .. note::
 
       By default, ``foo-dev`` also has an :term:`RDEPENDS`-style dependency on
-      ``foo``, because the default value of ``RDEPENDS_${PN}-dev`` (set in
+      ``foo``, because the default value of ``RDEPENDS:${PN}-dev`` (set in
       bitbake.conf) includes "${PN}".
 
    To ensure that the dependency chain is never broken, ``-dev`` and
diff --git a/poky/documentation/overview-manual/yp-intro.rst b/poky/documentation/overview-manual/yp-intro.rst
index d20a4ab..7aee9db 100644
--- a/poky/documentation/overview-manual/yp-intro.rst
+++ b/poky/documentation/overview-manual/yp-intro.rst
@@ -738,7 +738,7 @@
 defined by the classes it inherits from the OE-Core layer's class
 definitions in ``./meta/classes``. Within a recipe you can also define
 additional tasks as well as task prerequisites. Recipe syntax through
-BitBake also supports both ``_prepend`` and ``_append`` operators as a
+BitBake also supports both ``:prepend`` and ``:append`` operators as a
 method of extending task functionality. These operators inject code into
 the beginning or end of a task. For information on these BitBake
 operators, see the
diff --git a/poky/documentation/ref-manual/classes.rst b/poky/documentation/ref-manual/classes.rst
index 49905f2..3af0238 100644
--- a/poky/documentation/ref-manual/classes.rst
+++ b/poky/documentation/ref-manual/classes.rst
@@ -404,6 +404,22 @@
 section in the Yocto Project Overview and Concepts Manual for more
 discussion on these cross-compilation tools.
 
+.. _ref-classes-cve-check:
+
+``cve-check.bbclass``
+=====================
+
+The ``cve-check`` class looks for known CVEs (Common Vulnerabilities
+and Exposures) while building an image. This class is meant to be
+inherited globally from a configuration file::
+
+   INHERIT += "cve-check"
+
+You can also look for vulnerabilities in specific packages by passing
+``-c cve_check`` to BitBake. You will find details in the
+":ref:`dev-manual/common-tasks:checking for vulnerabilities`"
+section in the Development Tasks Manual.
+
 .. _ref-classes-debian:
 
 ``debian.bbclass``
@@ -456,8 +472,8 @@
 tarball. Following is an example::
 
    BBCLASSEXTEND = "devupstream:target"
-   SRC_URI_class-devupstream = "git://git.example.com/example"
-   SRCREV_class-devupstream = "abcd1234"
+   SRC_URI:class-devupstream = "git://git.example.com/example"
+   SRCREV:class-devupstream = "abcd1234"
 
 Adding the above statements to your recipe creates a variant that has
 :term:`DEFAULT_PREFERENCE` set to "-1".
@@ -465,8 +481,8 @@
 Any development-specific adjustments can be done by using the
 ``class-devupstream`` override. Here is an example::
 
-   DEPENDS_append_class-devupstream = " gperf-native"
-   do_configure_prepend_class-devupstream() {
+   DEPENDS:append:class-devupstream = " gperf-native"
+   do_configure:prepend:class-devupstream() {
        touch ${S}/README
    }
 
@@ -846,7 +862,7 @@
 inheriting the class, you can then disable the feature by setting the
 :term:`ICECC_DISABLED` variable to "1" as follows::
 
-   INHERIT_DISTRO_append = " icecc"
+   INHERIT_DISTRO:append = " icecc"
    ICECC_DISABLED ??= "1"
 
 This practice
@@ -974,7 +990,7 @@
 recipe, add the following to the recipe. You need to realize that the
 package name override, in this example ``${PN}``, must be used::
 
-   INSANE_SKIP_${PN} += "dev-so"
+   INSANE_SKIP:${PN} += "dev-so"
 
 Please keep in mind that the QA checks
 are meant to detect real or potential problems in the packaged
@@ -1182,7 +1198,7 @@
    its :term:`PN` value matches something already in :term:`OVERRIDES` (e.g.
    :term:`PN` happens to be the same as :term:`MACHINE` or
    :term:`DISTRO`), it can have unexpected consequences.
-   For example, assignments such as ``FILES_${PN} = "xyz"`` effectively
+   For example, assignments such as ``FILES:${PN} = "xyz"`` effectively
    turn into ``FILES = "xyz"``.
 
 -  ``rpaths:`` Checks for rpaths in the binaries that contain build
@@ -1208,7 +1224,7 @@
 
 -  ``unlisted-pkg-lics:`` Checks that all declared licenses applying
    for a package are also declared on the recipe level (i.e. any license
-   in ``LICENSE_*`` should appear in :term:`LICENSE`).
+   in ``LICENSE:*`` should appear in :term:`LICENSE`).
 
 -  ``useless-rpaths:`` Checks for dynamic library load paths (rpaths)
    in the binaries that by default on a standard system are searched by
@@ -1605,7 +1621,7 @@
       BBCLASSEXTEND = "native"
 
    Inside the
-   recipe, use ``_class-native`` and ``_class-target`` overrides to
+   recipe, use ``:class-native`` and ``:class-target`` overrides to
    specify any functionality specific to the respective native or target
    case.
 
@@ -1636,7 +1652,7 @@
        BBCLASSEXTEND = "nativesdk"
 
    Inside the
-   recipe, use ``_class-nativesdk`` and ``_class-target`` overrides to
+   recipe, use ``:class-nativesdk`` and ``:class-target`` overrides to
    specify any functionality specific to the respective SDK machine or
    target case.
 
@@ -2481,7 +2497,7 @@
 the recipe's main package, use ``${``\ :term:`PN`\ ``}``. Here
 is an example from the connman recipe::
 
-   SYSTEMD_SERVICE_${PN} = "connman.service"
+   SYSTEMD_SERVICE:${PN} = "connman.service"
 
 Services are set up to start on boot automatically
 unless you have set
diff --git a/poky/documentation/ref-manual/faq.rst b/poky/documentation/ref-manual/faq.rst
index c7322e7..d3a603d 100644
--- a/poky/documentation/ref-manual/faq.rst
+++ b/poky/documentation/ref-manual/faq.rst
@@ -301,7 +301,7 @@
 attempt before any others by adding something like the following to the
 ``local.conf`` configuration file::
 
-   PREMIRRORS_prepend = "\
+   PREMIRRORS:prepend = "\
        git://.*/.* http://www.yoctoproject.org/sources/ \n \
        ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
        http://.*/.* http://www.yoctoproject.org/sources/ \n \
@@ -341,7 +341,7 @@
 You could make the following changes to the ``local.conf`` configuration
 file as long as the :term:`PREMIRRORS` server is current::
 
-   PREMIRRORS_prepend = "\
+   PREMIRRORS:prepend = "\
        ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
        http://.*/.* http://www.yoctoproject.org/sources/ \n \
        https://.*/.* http://www.yoctoproject.org/sources/ \n"
diff --git a/poky/documentation/ref-manual/kickstart.rst b/poky/documentation/ref-manual/kickstart.rst
index fc723cc..cac9f2f 100644
--- a/poky/documentation/ref-manual/kickstart.rst
+++ b/poky/documentation/ref-manual/kickstart.rst
@@ -65,13 +65,17 @@
 Here is a list that describes other supported options you can use with
 the ``part`` and ``partition`` commands:
 
--  ``--size``: The minimum partition size in MBytes. Specify an
-   integer value such as 500. Do not append the number with "MB". You do
-   not need this option if you use ``--source``.
+-  ``--size``: The minimum partition size. Specify as an integer value
+   optionally followed by one of the units "k" / "K" for kibibyte,
+   "M" for mebibyte and "G" for gibibyte. The default unit if none is
+   given is "M". You do not need this option if you use ``--source``.
 
--  ``--fixed-size``: The exact partition size in MBytes. You cannot
-   specify with ``--size``. An error occurs when assembling the disk
-   image if the partition data is larger than ``--fixed-size``.
+-  ``--fixed-size``: The exact partition size. Specify as an integer
+   value optionally followed by one of the units "k" / "K" for kibibyte,
+   "M" for mebibyte and "G" for gibibyte. The default unit if none is
+   given is "M".  Cannot be specify together with ``--size``. An error
+   occurs when assembling the disk image if the partition data is larger
+   than ``--fixed-size``.
 
 -  ``--source``: This option is a Wic-specific option that names the
    source of the data that populates the partition. The most common
@@ -134,10 +138,13 @@
 -  ``--align (in KBytes)``: This option is a Wic-specific option that
    says to start partitions on boundaries given x KBytes.
 
--  ``--offset (in KBytes)``: This option is a Wic-specific option that
+-  ``--offset``: This option is a Wic-specific option that
    says to place a partition at exactly the specified offset. If the
    partition cannot be placed at the specified offset, the image build
-   will fail.
+   will fail. Specify as an integer value optionally followed by one of
+   the units "s" / "S" for 512 byte sector, "k" / "K" for kibibyte, "M"
+   for mebibyte and "G" for gibibyte. The default unit if none is given
+   is "k".
 
 -  ``--no-table``: This option is a Wic-specific option. Using the
    option reserves space for the partition and causes it to become
@@ -151,7 +158,10 @@
 -  ``--extra-space``: This option is a Wic-specific option that adds
    extra space after the space filled by the content of the partition.
    The final size can exceed the size specified by the ``--size``
-   option. The default value is 10 Mbytes.
+   option. The default value is 10M. Specify as an integer value
+   optionally followed by one of the units "k" / "K" for kibibyte, "M"
+   for mebibyte and "G" for gibibyte. The default unit if none is given
+   is "M".
 
 -  ``--overhead-factor``: This option is a Wic-specific option that
    multiplies the size of the partition by the option's value. You must
diff --git a/poky/documentation/ref-manual/qa-checks.rst b/poky/documentation/ref-manual/qa-checks.rst
index 0ef203c..c3e40db 100644
--- a/poky/documentation/ref-manual/qa-checks.rst
+++ b/poky/documentation/ref-manual/qa-checks.rst
@@ -223,7 +223,7 @@
    software that reads :term:`CFLAGS` when you build it,
    you could add the following to your recipe::
 
-      CFLAGS_append = " -fPIC "
+      CFLAGS:append = " -fPIC "
 
    For more information on text relocations at runtime, see
    https://www.akkadia.org/drepper/textrelocs.html.
@@ -263,7 +263,7 @@
 
    The ``/usr/share/info/dir`` should not be packaged. Add the following
    line to your :ref:`ref-tasks-install` task or to your
-   ``do_install_append`` within the recipe as follows::
+   ``do_install:append`` within the recipe as follows::
 
       rm ${D}${infodir}/dir
    
@@ -347,7 +347,7 @@
     
 .. _qa-check-dep-cmp:
 
--  ``<var>_<packagename> is invalid: <comparison> (<value>)   only comparisons <, =, >, <=, and >= are allowed [dep-cmp]``
+-  ``<var>:<packagename> is invalid: <comparison> (<value>)   only comparisons <, =, >, <=, and >= are allowed [dep-cmp]``
 
    If you are adding a versioned dependency relationship to one of the
    dependency variables (:term:`RDEPENDS`,
@@ -454,14 +454,14 @@
    ``pkg_preinst``, ``pkg_postinst``, ``pkg_prerm``, ``pkg_postrm``, and
    :term:`ALLOW_EMPTY`) should always be set specific
    to a package (i.e. they should be set with a package name override
-   such as ``RDEPENDS_${PN} = "value"`` rather than
+   such as ``RDEPENDS:${PN} = "value"`` rather than
    ``RDEPENDS = "value"``). If you receive this error, correct any
    assignments to these variables within your recipe.
 
 
-- ``recipe uses DEPENDS_${PN}, should use DEPENDS [pkgvarcheck]``
+- ``recipe uses DEPENDS:${PN}, should use DEPENDS [pkgvarcheck]``
 
-   This check looks for instances of setting ``DEPENDS_${PN}``
+   This check looks for instances of setting ``DEPENDS:${PN}``
    which is erroneous (:term:`DEPENDS` is a recipe-wide variable and thus
    it is not correct to specify it for a particular package, nor will such
    an assignment actually work.) Set :term:`DEPENDS` instead.
@@ -524,7 +524,7 @@
    following:
 
    -  Add the files to :term:`FILES` for the package you want them to appear
-      in (e.g. ``FILES_${``\ :term:`PN`\ ``}`` for the main
+      in (e.g. ``FILES:${``\ :term:`PN`\ ``}`` for the main
       package).
 
    -  Delete the files at the end of the ``do_install`` task if the
@@ -539,18 +539,18 @@
    when a recipe has been renamed. However, if that is not the case, the
    message might indicate that a private version of a library is being
    erroneously picked up as the provider for a common library. If that
-   is the case, you should add the library's ``.so`` file name to
+   is the case, you should add the library's ``.so`` filename to
    :term:`PRIVATE_LIBS` in the recipe that provides
    the private version of the library.
 
 
 .. _qa-check-unlisted-pkg-lics:
 
--  ``LICENSE_<packagename> includes licenses (<licenses>) that are not listed in LICENSE [unlisted-pkg-lics]``
+-  ``LICENSE:<packagename> includes licenses (<licenses>) that are not listed in LICENSE [unlisted-pkg-lics]``
 
    The :term:`LICENSE` of the recipe should be a superset
    of all the licenses of all packages produced by this recipe. In other
-   words, any license in ``LICENSE_*`` should also appear in
+   words, any license in ``LICENSE:*`` should also appear in
    :term:`LICENSE`.
 
 
@@ -620,7 +620,7 @@
 
 .. _qa-check-missing-update-alternatives:
 
-- ``<recipename>: recipe defines ALTERNATIVE_<packagename> but doesn't inherit update-alternatives. This might fail during do_rootfs later! [missing-update-alternatives]``
+- ``<recipename>: recipe defines ALTERNATIVE:<packagename> but doesn't inherit update-alternatives. This might fail during do_rootfs later! [missing-update-alternatives]``
 
     This check ensures that if a recipe sets the :term:`ALTERNATIVE` variable that the
     recipe also inherits :ref:`update-alternatives <ref-classes-update-alternatives>` such
diff --git a/poky/documentation/ref-manual/variables.rst b/poky/documentation/ref-manual/variables.rst
index 1150940..7aecda0 100644
--- a/poky/documentation/ref-manual/variables.rst
+++ b/poky/documentation/ref-manual/variables.rst
@@ -38,9 +38,9 @@
       Like all package-controlling variables, you must always use them in
       conjunction with a package name override, as in::
 
-         ALLOW_EMPTY_${PN} = "1"
-         ALLOW_EMPTY_${PN}-dev = "1"
-         ALLOW_EMPTY_${PN}-staticdev = "1"
+         ALLOW_EMPTY:${PN} = "1"
+         ALLOW_EMPTY:${PN}-dev = "1"
+         ALLOW_EMPTY:${PN}-staticdev = "1"
 
    :term:`ALTERNATIVE`
       Lists commands in a package that need an alternative binary naming
@@ -53,7 +53,7 @@
       provided by another package. For example, if the ``busybox`` package
       has four such commands, you identify them as follows::
 
-         ALTERNATIVE_busybox = "sh sed test bracket"
+         ALTERNATIVE:busybox = "sh sed test bracket"
 
       For more information on the alternatives system, see the
       ":ref:`update-alternatives.bbclass <ref-classes-update-alternatives>`"
@@ -297,7 +297,7 @@
       can attach it to a specific image recipe by using the recipe name
       override::
 
-         BAD_RECOMMENDATIONS_pn-target_image = "package_name"
+         BAD_RECOMMENDATIONS:pn-target_image = "package_name"
 
       It is important to realize that if you choose to not install packages
       using this variable and some other packages are dependent on them
@@ -575,7 +575,7 @@
 
          Internally, the :term:`BBCLASSEXTEND` mechanism generates recipe
          variants by rewriting variable values and applying overrides such
-         as ``_class-native``. For example, to generate a native version of
+         as ``:class-native``. For example, to generate a native version of
          a recipe, a :term:`DEPENDS` on "foo" is rewritten
          to a :term:`DEPENDS` on "foo-native".
 
@@ -1133,7 +1133,7 @@
       As an example, the following override allows you to install extra
       files, but only when building for the target::
 
-         do_install_append_class-target() {
+         do_install:append:class-target() {
              install my-extra-file ${D}${sysconfdir}
          }
 
@@ -1141,7 +1141,7 @@
       "native" when building for the build host, and to "other" when not
       building for the build host::
 
-         FOO_class-native = "native"
+         FOO:class-native = "native"
          FOO = "other"
 
       The underlying mechanism behind :term:`CLASSOVERRIDE` is simply
@@ -1246,7 +1246,7 @@
       that identifies the resulting package. Then, provide a
       space-separated list of files. Here is an example::
 
-         CONFFILES_${PN} += "${sysconfdir}/file1 \
+         CONFFILES:${PN} += "${sysconfdir}/file1 \
              ${sysconfdir}/file2 ${sysconfdir}/file3"
 
       There is a relationship between the :term:`CONFFILES` and :term:`FILES`
@@ -1471,11 +1471,22 @@
          variable only in certain contexts (e.g. when building for kernel
          and kernel module recipes).
 
+   :term:`CVE_CHECK_PN_WHITELIST`
+      The list of package names (:term:`PN`) for which
+      CVEs (Common Vulnerabilities and Exposures) are ignored.
+
+   :term:`CVE_CHECK_WHITELIST`
+      The list of CVE IDs which are ignored. Here is
+      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
+
+         # This is windows only issue.
+         CVE_CHECK_WHITELIST += "CVE-2020-15523"
+
    :term:`CVE_PRODUCT`
       In a recipe, defines the name used to match the recipe name
       against the name in the upstream `NIST CVE database <https://nvd.nist.gov/>`__.
 
-      The default is ${:term:`BPN`}. If it does not match the name in NIST CVE
+      The default is ${:term:`BPN`}. If it does not match the name in the NIST CVE
       database or matches with multiple entries in the database, the default
       value needs to be changed.
 
@@ -1535,7 +1546,7 @@
       package naming. You must use the package name as an override when you
       set this variable. Here is an example from the ``fontconfig`` recipe::
 
-         DEBIAN_NOAUTONAME_fontconfig-utils = "1"
+         DEBIAN_NOAUTONAME:fontconfig-utils = "1"
 
    :term:`DEBIANNAME`
       When the :ref:`debian <ref-classes-debian>` class is inherited,
@@ -1545,7 +1556,7 @@
       override when you set this variable. Here is an example from the
       ``dbus`` recipe::
 
-         DEBIANNAME_${PN} = "dbus-1"
+         DEBIANNAME:${PN} = "dbus-1"
 
    :term:`DEBUG_BUILD`
       Specifies to build packages with debugging information. This
@@ -2104,7 +2115,7 @@
       to fix a runtime dependency to the exact same version of another
       package in the same recipe::
 
-         RDEPENDS_${PN}-additional-module = "${PN} (= ${EXTENDPKGV})"
+         RDEPENDS:${PN}-additional-module = "${PN} (= ${EXTENDPKGV})"
 
       The dependency relationships are intended to force the package
       manager to upgrade these types of packages in lock-step.
@@ -2204,7 +2215,7 @@
       this variable, use an override for the associated image type. Here is
       an example::
 
-         EXTRA_IMAGECMD_ext3 ?= "-i 4096"
+         EXTRA_IMAGECMD:ext3 ?= "-i 4096"
 
    :term:`EXTRA_IMAGEDEPENDS`
       A list of recipes to build that do not provide packages for
@@ -2331,7 +2342,7 @@
       list of files or paths that identify the files you want included as
       part of the resulting package. Here is an example::
 
-         FILES_${PN} += "${bindir}/mydir1 ${bindir}/mydir2/myfile"
+         FILES:${PN} += "${bindir}/mydir1 ${bindir}/mydir2/myfile"
 
       .. note::
 
@@ -2347,7 +2358,7 @@
             rather than ``/usr/bin``. You can find a list of these
             variables at the top of the ``meta/conf/bitbake.conf`` file in
             the :term:`Source Directory`. You will also
-            find the default values of the various ``FILES_*`` variables in
+            find the default values of the various ``FILES:*`` variables in
             this file.
 
       If some of the files you provide with the :term:`FILES` variable are
@@ -2380,7 +2391,7 @@
       :term:`FILESEXTRAPATHS` from within a ``.bbappend`` file and that you
       prepend paths as follows::
 
-         FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+         FILESEXTRAPATHS:prepend := "${THISDIR}/${PN}:"
 
       In the above example, the build system first
       looks for files in a directory that has the same name as the
@@ -2402,7 +2413,7 @@
 
       Here is another common use::
 
-         FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+         FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
 
       In this example, the build system extends the
       :term:`FILESPATH` variable to include a directory named ``files`` that is
@@ -2410,13 +2421,13 @@
 
       This next example specifically adds three paths::
 
-         FILESEXTRAPATHS_prepend := "path_1:path_2:path_3:"
+         FILESEXTRAPATHS:prepend := "path_1:path_2:path_3:"
 
       A final example shows how you can extend the search path and include
       a :term:`MACHINE`-specific override, which is useful
       in a BSP layer::
 
-          FILESEXTRAPATHS_prepend_intel-x86-common := "${THISDIR}/${PN}:"
+          FILESEXTRAPATHS:prepend:intel-x86-common := "${THISDIR}/${PN}:"
 
       The previous statement appears in the
       ``linux-yocto-dev.bbappend`` file, which is found in the
@@ -2664,7 +2675,7 @@
 
       Here is an example from the ``dbus`` recipe::
 
-         GROUPADD_PARAM_${PN} = "-r netdev"
+         GROUPADD_PARAM:${PN} = "-r netdev"
 
       For information on the standard Linux shell command
       ``groupadd``, see https://linux.die.net/man/8/groupadd.
@@ -2977,7 +2988,7 @@
       ``btrfs``, and so forth). When setting this variable, you should use
       an override for the associated type. Here is an example::
 
-         IMAGE_CMD_jffs2 = "mkfs.jffs2 --root=${IMAGE_ROOTFS} --faketime \
+         IMAGE_CMD:jffs2 = "mkfs.jffs2 --root=${IMAGE_ROOTFS} --faketime \
              --output=${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.jffs2 \
              ${EXTRA_IMAGECMD}"
 
@@ -3033,8 +3044,8 @@
             :term:`IMAGE_FSTYPES` prior to using the "inherit image" line.
 
          -  Due to the way the OpenEmbedded build system processes this
-            variable, you cannot update its contents by using ``_append``
-            or ``_prepend``. You must use the ``+=`` operator to add one or
+            variable, you cannot update its contents by using ``:append``
+            or ``:prepend``. You must use the ``+=`` operator to add one or
             more options to the :term:`IMAGE_FSTYPES` variable.
 
    :term:`IMAGE_INSTALL`
@@ -3052,7 +3063,7 @@
 
       When you use this variable, it is best to use it as follows::
 
-         IMAGE_INSTALL_append = " package-name"
+         IMAGE_INSTALL:append = " package-name"
 
       Be sure to include the space
       between the quotation character and the start of the package name or
@@ -3144,7 +3155,7 @@
          IMAGE_NAME ?= "${IMAGE_BASENAME}-${MACHINE}${IMAGE_VERSION_SUFFIX}"
 
    :term:`IMAGE_NAME_SUFFIX`
-      Suffix used for the image output file name - defaults to ``".rootfs"``
+      Suffix used for the image output filename - defaults to ``".rootfs"``
       to distinguish the image file from other files created during image
       building; however if this suffix is redundant or not desired you can
       clear the value of this variable (set the value to ""). For example,
@@ -3292,7 +3303,7 @@
       Specifies a dependency from one image type on another. Here is an
       example from the :ref:`image-live <ref-classes-image-live>` class::
 
-         IMAGE_TYPEDEP_live = "ext3"
+         IMAGE_TYPEDEP:live = "ext3"
 
       In the previous example, the variable ensures that when "live" is
       listed with the :term:`IMAGE_FSTYPES` variable,
@@ -3695,7 +3706,7 @@
       recipe. The package name override must be used, which in this example
       is ``${PN}``::
 
-         INSANE_SKIP_${PN} += "dev-so"
+         INSANE_SKIP:${PN} += "dev-so"
 
       See the ":ref:`insane.bbclass <ref-classes-insane>`" section for a
       list of the valid QA checks you can specify using this variable.
@@ -3749,10 +3760,10 @@
       ``meta-yocto-bsp/recipes-kernel/linux/linux-yocto_4.12.bbappend``.
       Here are the related statements from that append file::
 
-         KBRANCH_genericx86 = "standard/base"
-         KBRANCH_genericx86-64 = "standard/base"
-         KBRANCH_edgerouter = "standard/edgerouter"
-         KBRANCH_beaglebone = "standard/beaglebone"
+         KBRANCH:genericx86 = "standard/base"
+         KBRANCH:genericx86-64 = "standard/base"
+         KBRANCH:edgerouter = "standard/edgerouter"
+         KBRANCH:beaglebone = "standard/beaglebone"
 
       The :term:`KBRANCH` statements
       identify the kernel branch to use when building for each supported
@@ -3780,11 +3791,11 @@
       Here is an example from a "raspberrypi2" :term:`KMACHINE` build that uses
       a ``defconfig`` file named "bcm2709_defconfig"::
 
-         KBUILD_DEFCONFIG_raspberrypi2 = "bcm2709_defconfig"
+         KBUILD_DEFCONFIG:raspberrypi2 = "bcm2709_defconfig"
 
       As an alternative, you can use the following within your append file::
 
-         KBUILD_DEFCONFIG_pn-linux-yocto ?= defconfig_file
+         KBUILD_DEFCONFIG:pn-linux-yocto ?= "defconfig_file"
 
       For more
       information on how to use the :term:`KBUILD_DEFCONFIG` variable, see the
@@ -3932,10 +3943,10 @@
       statements add specific configurations to targeted machine types::
 
          KERNEL_EXTRA_FEATURES ?= "features/netfilter/netfilter.scc features/taskstats/taskstats.scc"
-         KERNEL_FEATURES_append = "${KERNEL_EXTRA_FEATURES}"
-         KERNEL_FEATURES_append_qemuall = "cfg/virtio.scc"
-         KERNEL_FEATURES_append_qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc"
-         KERNEL_FEATURES_append_qemux86-64 = "cfg/sound.scc"
+         KERNEL_FEATURES:append = "${KERNEL_EXTRA_FEATURES}"
+         KERNEL_FEATURES:append:qemuall = "cfg/virtio.scc"
+         KERNEL_FEATURES:append:qemux86 = " cfg/sound.scc cfg/paravirt_kvm.scc"
+         KERNEL_FEATURES:append:qemux86-64 = "cfg/sound.scc"
 
    :term:`KERNEL_FIT_LINK_NAME`
       The link name of the kernel flattened image tree (FIT) image. This
@@ -4117,13 +4128,13 @@
       Kernel's ``meta`` branch. As an example take a look in the
       ``common/recipes-kernel/linux/linux-yocto_3.19.bbappend`` file::
 
-         LINUX_VERSION_core2-32-intel-common = "3.19.0"
-         COMPATIBLE_MACHINE_core2-32-intel-common = "${MACHINE}"
-         SRCREV_meta_core2-32-intel-common = "8897ef68b30e7426bc1d39895e71fb155d694974"
-         SRCREV_machine_core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711"
-         KMACHINE_core2-32-intel-common = "intel-core2-32"
-         KBRANCH_core2-32-intel-common = "standard/base"
-         KERNEL_FEATURES_append_core2-32-intel-common = "${KERNEL_FEATURES_INTEL_COMMON}"
+         LINUX_VERSION:core2-32-intel-common = "3.19.0"
+         COMPATIBLE_MACHINE:core2-32-intel-common = "${MACHINE}"
+         SRCREV_meta:core2-32-intel-common = "8897ef68b30e7426bc1d39895e71fb155d694974"
+         SRCREV_machine:core2-32-intel-common = "43b9eced9ba8a57add36af07736344dcc383f711"
+         KMACHINE:core2-32-intel-common = "intel-core2-32"
+         KBRANCH:core2-32-intel-common = "standard/base"
+         KERNEL_FEATURES:append:core2-32-intel-common = "${KERNEL_FEATURES_INTEL_COMMON}"
 
       The :term:`KMACHINE` statement says
       that the kernel understands the machine name as "intel-core2-32".
@@ -4303,15 +4314,15 @@
       Documentation License 1.2 could be specified as follows::
 
          LICENSE = "GFDL-1.2 & GPLv2"
-         LICENSE_${PN} = "GPLv2"
-         LICENSE_${PN}-doc = "GFDL-1.2"
+         LICENSE:${PN} = "GPLv2"
+         LICENSE:${PN}-doc = "GFDL-1.2"
 
    :term:`LICENSE_CREATE_PACKAGE`
       Setting :term:`LICENSE_CREATE_PACKAGE` to "1" causes the OpenEmbedded
       build system to create an extra package (i.e.
       ``${``\ :term:`PN`\ ``}-lic``) for each recipe and to add
       those packages to the
-      :term:`RRECOMMENDS`\ ``_${PN}``.
+      :term:`RRECOMMENDS`\ ``:${PN}``.
 
       The ``${PN}-lic`` package installs a directory in
       ``/usr/share/licenses`` named ``${PN}``, which is the recipe's base
@@ -4615,7 +4626,7 @@
       in QEMU, like in the following example from the ``connman-conf``
       recipe::
 
-         SRC_URI_append_qemuall = " file://wired.config \
+         SRC_URI:append:qemuall = " file://wired.config \
              file://wired-setup \
              "
 
@@ -4818,7 +4829,7 @@
       can attach it to a specific image recipe by using the recipe name
       override::
 
-         NO_RECOMMENDATIONS_pn-target_image = "1"
+         NO_RECOMMENDATIONS:pn-target_image = "1"
 
       It is important to realize that if you choose to not install packages
       using this variable and some other packages are dependent on them
@@ -4841,14 +4852,14 @@
 
    :term:`NOAUTOPACKAGEDEBUG`
       Disables auto package from splitting ``.debug`` files. If a recipe
-      requires ``FILES_${PN}-dbg`` to be set manually, the
+      requires ``FILES:${PN}-dbg`` to be set manually, the
       :term:`NOAUTOPACKAGEDEBUG` can be defined allowing you to define the
       content of the debug package. For example::
 
          NOAUTOPACKAGEDEBUG = "1"
-         FILES_${PN}-dev = "${includedir}/${QT_DIR_NAME}/Qt/*"
-         FILES_${PN}-dbg = "/usr/src/debug/"
-         FILES_${QT_BASE_NAME}-demos-doc = "${docdir}/${QT_DIR_NAME}/qch/qt.qch"
+         FILES:${PN}-dev = "${includedir}/${QT_DIR_NAME}/Qt/*"
+         FILES:${PN}-dbg = "/usr/src/debug/"
+         FILES:${QT_BASE_NAME}-demos-doc = "${docdir}/${QT_DIR_NAME}/qch/qt.qch"
 
    :term:`NON_MULTILIB_RECIPES`
       A list of recipes that should not be built for multilib. OE-Core's
@@ -4944,7 +4955,7 @@
       assignment will override ``FOO`` with the value "overridden" at the
       end of parsing::
 
-         FOO_an-override = "overridden"
+         FOO:an-override = "overridden"
 
       See the
       ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:conditional syntax (overrides)`"
@@ -4959,7 +4970,7 @@
       allows variables to be set for a single recipe within configuration
       (``.conf``) files. Here is an example::
 
-         FOO_pn-myrecipe = "myrecipe-specific value"
+         FOO:pn-myrecipe = "myrecipe-specific value"
 
       .. note::
 
@@ -5107,7 +5118,7 @@
       can attach it to a specific image recipe by using the recipe name
       override::
 
-         PACKAGE_EXCLUDE_pn-target_image = "package_name"
+         PACKAGE_EXCLUDE:pn-target_image = "package_name"
 
       If you choose to not install a package using this variable and some
       other package is dependent on it (i.e. listed in a recipe's
@@ -5344,18 +5355,18 @@
 
          Or, you can just append the variable::
 
-            PACKAGECONFIG_append = " f4"
+            PACKAGECONFIG:append = " f4"
 
       -  *Configuration file:* This method is identical to changing the
          block through an append file except you edit your ``local.conf``
          or ``mydistro.conf`` file. As with append files previously
          described, you can either completely override the variable::
 
-            PACKAGECONFIG_pn-recipename = "f4 f5"
+            PACKAGECONFIG:pn-recipename = "f4 f5"
 
          Or, you can just amend the variable::
 
-            PACKAGECONFIG_append_pn-recipename = " f4"
+            PACKAGECONFIG:append:pn-recipename = " f4"
 
    :term:`PACKAGECONFIG_CONFARGS`
       A space-separated list of configuration options generated from the
@@ -5390,7 +5401,7 @@
       (leftmost) package.
 
       Packages in the variable's list that are empty (i.e. where none of
-      the patterns in ``FILES_``\ pkg match any files installed by the
+      the patterns in ``FILES:``\ pkg match any files installed by the
       :ref:`ref-tasks-install` task) are not generated,
       unless generation is forced through the
       :term:`ALLOW_EMPTY` variable.
@@ -5541,7 +5552,7 @@
 
       For example, when the :ref:`debian <ref-classes-debian>` class
       renames the output package, it does so by setting
-      ``PKG_packagename``.
+      ``PKG:packagename``.
 
    :term:`PKG_CONFIG_PATH`
       The path to ``pkg-config`` files for the current build context.
@@ -5775,17 +5786,17 @@
       :term:`OVERRIDES` to set a machine-specific
       override. Here is an example::
 
-         PREFERRED_VERSION_linux-yocto_qemux86 = "5.0%"
+         PREFERRED_VERSION_linux-yocto:qemux86 = "5.0%"
 
       Although not recommended, worst case, you can also use the
       "forcevariable" override, which is the strongest override possible.
       Here is an example::
 
-         PREFERRED_VERSION_linux-yocto_forcevariable = "5.0%"
+         PREFERRED_VERSION_linux-yocto:forcevariable = "5.0%"
 
       .. note::
 
-         The ``\_forcevariable`` override is not handled specially. This override
+         The ``:forcevariable`` override is not handled specially. This override
          only works because the default value of :term:`OVERRIDES` includes "forcevariable".
 
       If a recipe with the specified version is not available, a warning
@@ -5809,7 +5820,7 @@
       the ``local.conf`` configuration file in the
       :term:`Build Directory`::
 
-         PREMIRRORS_prepend = "\
+         PREMIRRORS:prepend = "\
              git://.*/.* http://www.yoctoproject.org/sources/ \n \
              ftp://.*/.* http://www.yoctoproject.org/sources/ \n \
              http://.*/.* http://www.yoctoproject.org/sources/ \n \
@@ -5992,7 +6003,7 @@
       Like all package-controlling variables, you must always use them in
       conjunction with a package name override. Here is an example::
 
-         RCONFLICTS_${PN} = "another_conflicting_package_name"
+         RCONFLICTS:${PN} = "another_conflicting_package_name"
 
       BitBake, which the OpenEmbedded build system uses, supports
       specifying versioned dependencies. Although the syntax varies
@@ -6000,7 +6011,7 @@
       from you. Here is the general syntax to specify versions with the
       :term:`RCONFLICTS` variable::
 
-         RCONFLICTS_${PN} = "package (operator version)"
+         RCONFLICTS:${PN} = "package (operator version)"
 
       For ``operator``, you can specify the following:
 
@@ -6013,7 +6024,7 @@
       For example, the following sets up a dependency on version 1.2 or
       greater of the package ``foo``::
 
-         RCONFLICTS_${PN} = "foo (>= 1.2)"
+         RCONFLICTS:${PN} = "foo (>= 1.2)"
 
    :term:`RDEPENDS`
       Lists runtime dependencies of a package. These dependencies are other
@@ -6022,7 +6033,7 @@
       package ``foo`` needs the packages ``bar`` and ``baz`` to be
       installed::
 
-         RDEPENDS_foo = "bar baz"
+         RDEPENDS:foo = "bar baz"
 
       The most common types of package
       runtime dependencies are automatically detected and added. Therefore,
@@ -6063,7 +6074,7 @@
       on the ``perl`` package. In this case, you would use the following
       :term:`RDEPENDS` statement::
 
-         RDEPENDS_${PN}-dev += "perl"
+         RDEPENDS:${PN}-dev += "perl"
 
       In the example,
       the development package depends on the ``perl`` package. Thus, the
@@ -6072,10 +6083,10 @@
 
       .. note::
 
-         ``RDEPENDS_${PN}-dev`` includes ``${``\ :term:`PN`\ ``}``
+         ``RDEPENDS:${PN}-dev`` includes ``${``\ :term:`PN`\ ``}``
          by default. This default is set in the BitBake configuration file
          (``meta/conf/bitbake.conf``). Be careful not to accidentally remove
-         ``${PN}`` when modifying ``RDEPENDS_${PN}-dev``. Use the "+=" operator
+         ``${PN}`` when modifying ``RDEPENDS:${PN}-dev``. Use the "+=" operator
          rather than the "=" operator.
 
       The package names you use with :term:`RDEPENDS` must appear as they would
@@ -6092,7 +6103,7 @@
       from you. Here is the general syntax to specify versions with the
       :term:`RDEPENDS` variable::
 
-         RDEPENDS_${PN} = "package (operator version)"
+         RDEPENDS:${PN} = "package (operator version)"
 
       For ``operator``, you can specify the following:
 
@@ -6112,7 +6123,7 @@
       For example, the following sets up a dependency on version 1.2 or
       greater of the package ``foo``::
 
-         RDEPENDS_${PN} = "foo (>= 1.2)"
+         RDEPENDS:${PN} = "foo (>= 1.2)"
 
       For information on build-time dependencies, see the
       :term:`DEPENDS` variable. You can also see the
@@ -6247,7 +6258,7 @@
       variable in conjunction with a package name override. Here is an
       example::
 
-         RPROVIDES_${PN} = "widget-abi-2"
+         RPROVIDES:${PN} = "widget-abi-2"
 
    :term:`RRECOMMENDS`
       A list of packages that extends the usability of a package being
@@ -6278,7 +6289,7 @@
       support wireless functionality. In this case, you would use the
       following::
 
-         RRECOMMENDS_${PN}-dev += "wireless_package_name"
+         RRECOMMENDS:${PN}-dev += "wireless_package_name"
 
       In the
       example, the package name (``${PN}-dev``) must appear as it would in
@@ -6291,7 +6302,7 @@
       Here is the general syntax to specify versions with the
       :term:`RRECOMMENDS` variable::
 
-         RRECOMMENDS_${PN} = "package (operator version)"
+         RRECOMMENDS:${PN} = "package (operator version)"
 
       For ``operator``, you can specify the following:
 
@@ -6304,7 +6315,7 @@
       For example, the following sets up a recommend on version 1.2 or
       greater of the package ``foo``::
 
-         RRECOMMENDS_${PN} = "foo (>= 1.2)"
+         RRECOMMENDS:${PN} = "foo (>= 1.2)"
 
    :term:`RREPLACES`
       A list of packages replaced by a package. The package manager uses
@@ -6316,7 +6327,7 @@
       As with all package-controlling variables, you must use this variable
       in conjunction with a package name override. Here is an example::
 
-         RREPLACES_${PN} = "other_package_being_replaced"
+         RREPLACES:${PN} = "other_package_being_replaced"
 
       BitBake, which the OpenEmbedded build system uses, supports
       specifying versioned replacements. Although the syntax varies
@@ -6324,7 +6335,7 @@
       from you. Here is the general syntax to specify versions with the
       :term:`RREPLACES` variable::
 
-         RREPLACES_${PN} = "package (operator version)"
+         RREPLACES:${PN} = "package (operator version)"
 
       For ``operator``, you can specify the following:
 
@@ -6337,7 +6348,7 @@
       For example, the following sets up a replacement using version 1.2
       or greater of the package ``foo``::
 
-          RREPLACES_${PN} = "foo (>= 1.2)"
+          RREPLACES:${PN} = "foo (>= 1.2)"
 
    :term:`RSUGGESTS`
       A list of additional packages that you can suggest for installation
@@ -6348,7 +6359,7 @@
       variable in conjunction with a package name override. Here is an
       example::
 
-         RSUGGESTS_${PN} = "useful_package another_package"
+         RSUGGESTS:${PN} = "useful_package another_package"
 
    :term:`S`
       The location in the :term:`Build Directory` where
@@ -6862,7 +6873,7 @@
       defined in the ``meta/conf/bitbake.conf`` configuration file.
 
       You will see this variable referenced in the default values of
-      ``FILES_${PN}``.
+      ``FILES:${PN}``.
 
    :term:`SOLIBSDEV`
       Defines the suffix for the development symbolic link (symlink) for
@@ -6871,7 +6882,7 @@
       ``meta/conf/bitbake.conf`` configuration file.
 
       You will see this variable referenced in the default values of
-      ``FILES_${PN}-dev``.
+      ``FILES:${PN}-dev``.
 
    :term:`SOURCE_MIRROR_FETCH`
       When you are fetching files to create a mirror of sources (i.e.
@@ -7609,7 +7620,7 @@
       override to indicate the package to which the value applies. Here is
       an example from the connman recipe::
 
-         SYSTEMD_SERVICE_${PN} = "connman.service"
+         SYSTEMD_SERVICE:${PN} = "connman.service"
 
    :term:`SYSVINIT_ENABLED_GETTYS`
       When using
@@ -7947,14 +7958,14 @@
       your own tests to the list of tests by appending :term:`TEST_SUITES` as
       follows::
 
-         TEST_SUITES_append = " mytest"
+         TEST_SUITES:append = " mytest"
 
       Alternatively, you can
       provide the "auto" option to have all applicable tests run against
       the image.
       ::
 
-         TEST_SUITES_append = " auto"
+         TEST_SUITES:append = " auto"
 
       Using this option causes the
       build system to automatically run tests that are applicable to the
@@ -8215,7 +8226,7 @@
       The BitBake configuration file (``meta/conf/bitbake.conf``) defines
       :term:`TUNE_FEATURES` as follows::
 
-         TUNE_FEATURES ??= "${TUNE_FEATURES_tune-${DEFAULTTUNE}}"
+         TUNE_FEATURES ??= "${TUNE_FEATURES:tune-${DEFAULTTUNE}}"
 
       See the :term:`DEFAULTTUNE` variable for more information.
 
@@ -8241,13 +8252,13 @@
       the architecture, ABI, and tuning of output packages. The specific
       tune is defined using the "_tune" override as follows::
 
-         TUNE_PKGARCH_tune-tune = "tune"
+         TUNE_PKGARCH:tune-tune = "tune"
 
       These tune-specific package architectures are defined in the machine
       include files. Here is an example of the "core2-32" tuning as used in
       the ``meta/conf/machine/include/tune-core2.inc`` file::
 
-         TUNE_PKGARCH_tune-core2-32 = "core2-32"
+         TUNE_PKGARCH:tune-core2-32 = "core2-32"
 
    :term:`TUNEABI`
       An underlying Application Binary Interface (ABI) used by a particular
@@ -8614,7 +8625,7 @@
 
       Here is an example from the ``dbus`` recipe::
 
-         USERADD_PARAM_${PN} = "--system --home ${localstatedir}/lib/dbus \
+         USERADD_PARAM:${PN} = "--system --home ${localstatedir}/lib/dbus \
                                 --no-create-home --shell /bin/false \
                                 --user-group messagebus"
 
diff --git a/poky/documentation/releases.rst b/poky/documentation/releases.rst
index 3ace7c0..3f96464 100644
--- a/poky/documentation/releases.rst
+++ b/poky/documentation/releases.rst
@@ -35,7 +35,8 @@
 - :yocto_docs:`3.1.6 Documentation </3.1.6>`
 - :yocto_docs:`3.1.7 Documentation </3.1.7>`
 - :yocto_docs:`3.1.8 Documentation </3.1.8>`
-- :yocto_docs:`3.1.8 Documentation </3.1.9>`
+- :yocto_docs:`3.1.9 Documentation </3.1.9>`
+- :yocto_docs:`3.1.10 Documentation </3.1.10>`
 
 ==========================
  Outdated Release Manuals
diff --git a/poky/documentation/sdk-manual/appendix-customizing-standard.rst b/poky/documentation/sdk-manual/appendix-customizing-standard.rst
index 9bc70cf..c619c15 100644
--- a/poky/documentation/sdk-manual/appendix-customizing-standard.rst
+++ b/poky/documentation/sdk-manual/appendix-customizing-standard.rst
@@ -29,6 +29,6 @@
 provided by recipes with the standard SDK by adding "api-documentation"
 to the
 :term:`DISTRO_FEATURES`
-variable: DISTRO_FEATURES_append = " api-documentation" Setting this
+variable: DISTRO_FEATURES:append = " api-documentation" Setting this
 variable as shown here causes the OpenEmbedded build system to build the
 documentation and then include it in the standard SDK.
diff --git a/poky/documentation/sdk-manual/appendix-customizing.rst b/poky/documentation/sdk-manual/appendix-customizing.rst
index 44f4334..4eccc28 100644
--- a/poky/documentation/sdk-manual/appendix-customizing.rst
+++ b/poky/documentation/sdk-manual/appendix-customizing.rst
@@ -73,7 +73,7 @@
       SDK_INHERIT_BLACKLIST
       is set using the "?=" operator. Consequently, you will need to
       either define the entire list by using the "=" operator, or you
-      will need to append a value using either "_append" or the "+="
+      will need to append a value using either ":append" or the "+="
       operator. You can learn more about these operators in the
       ":ref:`bitbake:bitbake-user-manual/bitbake-user-manual-metadata:basic syntax`"
       section of the BitBake User Manual.
@@ -250,7 +250,7 @@
       recipes that depend on lists of other recipes.
 
    -  Build the "world" target and set
-      ``EXCLUDE_FROM_WORLD_pn-``\ recipename for the recipes you do not
+      ``EXCLUDE_FROM_WORLD:pn-``\ recipename for the recipes you do not
       want built. See the
       :term:`EXCLUDE_FROM_WORLD`
       variable for additional information.
@@ -334,7 +334,7 @@
 time significantly and increases the size of the SDK installer by 30-80
 Mbytes depending on how many recipes are included in your configuration.
 
-You can use ``EXCLUDE_FROM_WORLD_pn-``\ recipename for recipes you want
+You can use ``EXCLUDE_FROM_WORLD:pn-``\ recipename for recipes you want
 to exclude. However, it is assumed that you would need to be building
 the "world" target if you want to provide additional items to the SDK.
 Consequently, building for "world" should not represent undue overhead
diff --git a/poky/documentation/sdk-manual/appendix-obtain.rst b/poky/documentation/sdk-manual/appendix-obtain.rst
index fc6b8b9..841abac 100644
--- a/poky/documentation/sdk-manual/appendix-obtain.rst
+++ b/poky/documentation/sdk-manual/appendix-obtain.rst
@@ -163,7 +163,7 @@
          SDK installer. Doing so ensures that the eventual SDK
          installation process installs the appropriate library packages
          as part of the SDK. Following is an example using ``libc``
-         static development libraries: TOOLCHAIN_TARGET_TASK_append = "
+         static development libraries: TOOLCHAIN_TARGET_TASK:append = "
          libc-staticdev"
 
 7. *Run the Installer:* You can now run the SDK installer from
diff --git a/poky/documentation/sdk-manual/extensible.rst b/poky/documentation/sdk-manual/extensible.rst
index 2cdb06d..8ef44e3 100644
--- a/poky/documentation/sdk-manual/extensible.rst
+++ b/poky/documentation/sdk-manual/extensible.rst
@@ -838,7 +838,7 @@
 If you need to add runtime dependencies, you can do so by adding the
 following to your recipe::
 
-   RDEPENDS_${PN} += "dependency1 dependency2 ..."
+   RDEPENDS:${PN} += "dependency1 dependency2 ..."
 
 .. note::
 
@@ -1154,7 +1154,7 @@
 splitting. The :term:`PACKAGES` variable lists all of the packages to be
 produced, while the :term:`FILES` variable specifies which files to include
 in each package by using an override to specify the package. For
-example, ``FILES_${PN}`` specifies the files to go into the main package
+example, ``FILES:${PN}`` specifies the files to go into the main package
 (i.e. the main package has the same name as the recipe and
 ``${``\ :term:`PN`\ ``}`` evaluates to the
 recipe name). The order of the :term:`PACKAGES` value is significant. For
diff --git a/poky/documentation/sdk-manual/intro.rst b/poky/documentation/sdk-manual/intro.rst
index 2f94aaf..802d3f3 100644
--- a/poky/documentation/sdk-manual/intro.rst
+++ b/poky/documentation/sdk-manual/intro.rst
@@ -12,16 +12,6 @@
 explains how to use both the Yocto Project extensible and standard
 SDKs to develop applications and images.
 
-.. note::
-
-   Prior to the 2.0 Release of the Yocto Project, application
-   development was primarily accomplished through the use of the
-   Application Development Toolkit (ADT) and the availability of
-   stand-alone cross-development toolchains and other tools. With the
-   2.1 Release of the Yocto Project, application development has
-   transitioned to within a tool-rich extensible SDK and the more
-   traditional standard SDK.
-
 All SDKs consist of the following:
 
 -  *Cross-Development Toolchain*: This toolchain contains a compiler,
diff --git a/poky/documentation/sphinx-static/switchers.js b/poky/documentation/sphinx-static/switchers.js
index 3972b48..6243724 100644
--- a/poky/documentation/sphinx-static/switchers.js
+++ b/poky/documentation/sphinx-static/switchers.js
@@ -5,7 +5,7 @@
     'dev': 'dev (3.4)',
     '3.3.2': '3.3.2',
     '3.2.4': '3.2.4',
-    '3.1.9': '3.1.9',
+    '3.1.10': '3.1.10',
     '3.0.4': '3.0.4',
     '2.7.4': '2.7.4',
   };
diff --git a/poky/documentation/test-manual/reproducible-builds.rst b/poky/documentation/test-manual/reproducible-builds.rst
index c66c82f..68fdf54 100644
--- a/poky/documentation/test-manual/reproducible-builds.rst
+++ b/poky/documentation/test-manual/reproducible-builds.rst
@@ -70,7 +70,7 @@
 
 .. note::
 
-   Because of an open bug in GCC, using ``DISTRO_FEATURES_append = " lto"`` or
+   Because of an open bug in GCC, using ``DISTRO_FEATURES:append = " lto"`` or
    adding ``-flto`` (Link Time Optimization) to ``CFLAGS`` makes the resulting
    binary non-reproducible, in that it depends on the full absolute build path
    to ``recipe-sysroot-native``, so installing the Yocto Project in a different
diff --git a/poky/documentation/test-manual/understand-autobuilder.rst b/poky/documentation/test-manual/understand-autobuilder.rst
index c158d9c..b6809ce 100644
--- a/poky/documentation/test-manual/understand-autobuilder.rst
+++ b/poky/documentation/test-manual/understand-autobuilder.rst
@@ -27,7 +27,7 @@
          "TEMPLATE" : "arch-qemu",
          "step1" : {
                "extravars" : [
-                     "IMAGE_FSTYPES_append = ' wic wic.bmap'"
+                     "IMAGE_FSTYPES:append = ' wic wic.bmap'"
                     ]
         }
    },
diff --git a/poky/documentation/test-manual/yocto-project-compatible.rst b/poky/documentation/test-manual/yocto-project-compatible.rst
index a789746..96c12ac 100644
--- a/poky/documentation/test-manual/yocto-project-compatible.rst
+++ b/poky/documentation/test-manual/yocto-project-compatible.rst
@@ -115,6 +115,11 @@
    user changes a configuration setting to activate the layer, by selecting
    a :term:`MACHINE`, a :term:`DISTRO` or a :term:`DISTRO_FEATURES` setting.
 
+-  Layers should be documenting where they don’t support normal "core"
+   functionality such as where debug symbols are disabled or missing, where
+   development headers and on-target library usage may not work or where
+   functionality like the SDK/eSDK would not be expected to work.
+
 The project does test the compatibility status of the core project layers on
 its :doc:`Autobuilder </test-manual/understand-autobuilder>`.
 
diff --git a/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb b/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb
new file mode 100644
index 0000000..6040506
--- /dev/null
+++ b/poky/meta-selftest/recipes-test/overlayfs-user/overlayfs-user.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Overlayfs class unit test"
+DESCRIPTION = "Contains an overlayfs configuration"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+EXCLUDE_FROM_WORLD = "1"
+
+inherit ${@bb.utils.contains("DISTRO_FEATURES", "overlayfs", "overlayfs", "", d)}
+include test_recipe.inc
+
+OVERLAYFS_WRITABLE_PATHS[mnt-overlay] = "/usr/share/my-application"
+
+do_install() {
+    install -d ${D}/usr/share/my-application
+}
+
+FILES:${PN} += "/usr"
diff --git a/poky/meta-selftest/recipes-test/systemd-machine-units/systemd-machine-units_%.bbappend b/poky/meta-selftest/recipes-test/systemd-machine-units/systemd-machine-units_%.bbappend
new file mode 100644
index 0000000..2057209
--- /dev/null
+++ b/poky/meta-selftest/recipes-test/systemd-machine-units/systemd-machine-units_%.bbappend
@@ -0,0 +1,2 @@
+# This bbappend is used to alter the recipe using the test_recipe.inc file created by tests.
+include test_recipe.inc
diff --git a/poky/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb b/poky/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
index 37193f5..d11e2e5 100644
--- a/poky/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
+++ b/poky/meta-skeleton/recipes-baremetal/baremetal-examples/baremetal-helloworld_git.bb
@@ -4,7 +4,7 @@
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=39346640a23c701e4f459e05f56f4449"
 
-SRCREV = "0bf9ea216e6f76be50726a3a74e527b7bbb0ad93"
+SRCREV = "31b4e5a337018b4a00a7426b0e5ed83b81df30c7"
 PV = "0.1+git${SRCPV}"
 
 SRC_URI = "git://github.com/aehs29/baremetal-helloqemu.git;protocol=https;branch=master"
@@ -28,13 +28,14 @@
 # machine that QEMU uses on OE, e.g. -machine virt -cpu cortex-a57
 # but the examples can also be run on other architectures/machines
 # such as vexpress-a15 by overriding the setting on the machine.conf
-COMPATIBLE_MACHINE = "qemuarmv5|qemuarm|qemuarm64|qemuriscv64"
+COMPATIBLE_MACHINE = "qemuarmv5|qemuarm|qemuarm64|qemuriscv64|qemuriscv32"
 
 BAREMETAL_QEMUARCH ?= ""
 BAREMETAL_QEMUARCH:qemuarmv5 = "versatile"
 BAREMETAL_QEMUARCH:qemuarm = "arm"
 BAREMETAL_QEMUARCH:qemuarm64 = "aarch64"
 BAREMETAL_QEMUARCH:qemuriscv64 = "riscv64"
+BAREMETAL_QEMUARCH:qemuriscv32 = "riscv32"
 
 EXTRA_OEMAKE:append = " QEMUARCH=${BAREMETAL_QEMUARCH} V=1"
 
diff --git a/poky/meta/classes/baremetal-image.bbclass b/poky/meta/classes/baremetal-image.bbclass
index 9ec3f14..089c445 100644
--- a/poky/meta/classes/baremetal-image.bbclass
+++ b/poky/meta/classes/baremetal-image.bbclass
@@ -82,12 +82,15 @@
 # RISC-V tunes set the BIOS, unset, and instruct QEMU to
 # ignore the BIOS and boot from -kernel
 QB_DEFAULT_BIOS:qemuriscv64 = ""
+QB_DEFAULT_BIOS:qemuriscv32 = ""
 QB_OPT_APPEND:append:qemuriscv64 = " -bios none"
+QB_OPT_APPEND:append:qemuriscv32 = " -bios none"
 
 
 # Use the medium-any code model for the RISC-V 64 bit implementation,
 # since medlow can only access addresses below 0x80000000 and RAM
 # starts at 0x80000000 on RISC-V 64
+# Keep RISC-V 32 using -mcmodel=medlow (symbols lie between -2GB:2GB)
 CFLAGS:append:qemuriscv64 = " -mcmodel=medany"
 
 
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 6582f97..70d1988 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -94,10 +94,11 @@
     """
     Check recipe for patched and unpatched CVEs
     """
+    from oe.cve_check import get_patched_cves
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
         try:
-            patched_cves = get_patches_cves(d)
+            patched_cves = get_patched_cves(d)
         except FileNotFoundError:
             bb.fatal("Failure in searching patches")
         whitelisted, patched, unpatched = check_cves(d, patched_cves)
@@ -156,65 +157,6 @@
 ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 
-def get_patches_cves(d):
-    """
-    Get patches that solve CVEs using the "CVE: " tag.
-    """
-
-    import re
-
-    pn = d.getVar("PN")
-    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
-
-    # Matches the last "CVE-YYYY-ID" in the file name, also if written
-    # in lowercase. Possible to have multiple CVE IDs in a single
-    # file name, but only the last one will be detected from the file name.
-    # However, patch files contents addressing multiple CVE IDs are supported
-    # (cve_match regular expression)
-
-    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
-
-    patched_cves = set()
-    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
-    for url in src_patches(d):
-        patch_file = bb.fetch.decodeurl(url)[2]
-
-        if not os.path.isfile(patch_file):
-            bb.error("File Not found: %s" % patch_file)
-            raise FileNotFoundError
-
-        # Check patch file name for CVE ID
-        fname_match = cve_file_name_match.search(patch_file)
-        if fname_match:
-            cve = fname_match.group(1).upper()
-            patched_cves.add(cve)
-            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
-
-        with open(patch_file, "r", encoding="utf-8") as f:
-            try:
-                patch_text = f.read()
-            except UnicodeDecodeError:
-                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
-                        " trying with iso8859-1" %  patch_file)
-                f.close()
-                with open(patch_file, "r", encoding="iso8859-1") as f:
-                    patch_text = f.read()
-
-        # Search for one or more "CVE: " lines
-        text_match = False
-        for match in cve_match.finditer(patch_text):
-            # Get only the CVEs without the "CVE: " tag
-            cves = patch_text[match.start()+5:match.end()]
-            for cve in cves.split():
-                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
-                patched_cves.add(cve)
-                text_match = True
-
-        if not fname_match and not text_match:
-            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
-
-    return patched_cves
-
 def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
@@ -238,9 +180,6 @@
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
 
-    old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
-    if old_cve_whitelist:
-        bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
     cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
 
     import sqlite3
diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass
index be5ec60..810459d 100644
--- a/poky/meta/classes/insane.bbclass
+++ b/poky/meta/classes/insane.bbclass
@@ -835,11 +835,11 @@
         try:
             rvar = bb.utils.explode_dep_versions2(localdata.getVar(var) or "")
         except ValueError as e:
-            bb.fatal("%s_%s: %s" % (var, pkg, e))
+            bb.fatal("%s:%s: %s" % (var, pkg, e))
         for dep in rvar:
             for v in rvar[dep]:
                 if v and not v.startswith(('< ', '= ', '> ', '<= ', '>=')):
-                    error_msg = "%s_%s is invalid: %s (%s)   only comparisons <, =, >, <=, and >= are allowed" % (var, pkg, dep, v)
+                    error_msg = "%s:%s is invalid: %s (%s)   only comparisons <, =, >, <=, and >= are allowed" % (var, pkg, dep, v)
                     package_qa_handle_error("dep-cmp", error_msg, d)
 
     check_valid_deps('RDEPENDS')
@@ -888,7 +888,7 @@
     expanded_d = d.getVar('D')
 
     for var in 'FILES','pkg_preinst', 'pkg_postinst', 'pkg_prerm', 'pkg_postrm':
-        bbvar = d.getVar(var + "_" + package) or ""
+        bbvar = d.getVar(var + ":" + package) or ""
         if expanded_d in bbvar:
             if var == 'FILES':
                 package_qa_add_message(messages, "expanded-d", "FILES in %s recipe should not contain the ${D} variable as it references the local build directory not the target filesystem, best solution is to remove the ${D} reference" % package)
@@ -1325,10 +1325,10 @@
     if prog.search(pn):
         package_qa_handle_error("uppercase-pn", 'PN: %s is upper case, this can result in unexpected behavior.' % pn, d)
 
-    # Some people mistakenly use DEPENDS_${PN} instead of DEPENDS and wonder
+    # Some people mistakenly use DEPENDS:${PN} instead of DEPENDS and wonder
     # why it doesn't work.
-    if (d.getVar(d.expand('DEPENDS_${PN}'))):
-        package_qa_handle_error("pkgvarcheck", "recipe uses DEPENDS_${PN}, should use DEPENDS", d)
+    if (d.getVar(d.expand('DEPENDS:${PN}'))):
+        package_qa_handle_error("pkgvarcheck", "recipe uses DEPENDS:${PN}, should use DEPENDS", d)
 
     issues = []
     if (d.getVar('PACKAGES') or "").split():
diff --git a/poky/meta/classes/kernel-fitimage.bbclass b/poky/meta/classes/kernel-fitimage.bbclass
index a9d1002..2ef8f06 100644
--- a/poky/meta/classes/kernel-fitimage.bbclass
+++ b/poky/meta/classes/kernel-fitimage.bbclass
@@ -60,6 +60,14 @@
 # Sign individual images as well
 FIT_SIGN_INDIVIDUAL ?= "0"
 
+# Keys used to sign individually image nodes.
+# The keys to sign image nodes must be different from those used to sign
+# configuration nodes, otherwise the "required" property, from
+# UBOOT_DTB_BINARY, will be set to "conf", because "conf" prevails on "image".
+# Then the images signature checking will not be mandatory and no error will be
+# raised in case of failure.
+# UBOOT_SIGN_IMG_KEYNAME = "dev2" # keys name in keydir (eg. "dev2.crt", "dev2.key")
+
 #
 # Emit the fitImage ITS header
 #
@@ -121,7 +129,7 @@
 
 	kernel_csum="${FIT_HASH_ALG}"
 	kernel_sign_algo="${FIT_SIGN_ALG}"
-	kernel_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+	kernel_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
 
 	ENTRYPOINT="${UBOOT_ENTRYPOINT}"
 	if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then
@@ -167,7 +175,7 @@
 
 	dtb_csum="${FIT_HASH_ALG}"
 	dtb_sign_algo="${FIT_SIGN_ALG}"
-	dtb_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+	dtb_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
 
 	dtb_loadline=""
 	dtb_ext=${DTB##*.}
@@ -214,7 +222,7 @@
 
         bootscr_csum="${FIT_HASH_ALG}"
 	bootscr_sign_algo="${FIT_SIGN_ALG}"
-	bootscr_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+	bootscr_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
 
         cat << EOF >> ${1}
                 bootscr-${2} {
@@ -278,7 +286,7 @@
 
 	ramdisk_csum="${FIT_HASH_ALG}"
 	ramdisk_sign_algo="${FIT_SIGN_ALG}"
-	ramdisk_sign_keyname="${UBOOT_SIGN_KEYNAME}"
+	ramdisk_sign_keyname="${UBOOT_SIGN_IMG_KEYNAME}"
 	ramdisk_loadline=""
 	ramdisk_entryline=""
 
@@ -475,6 +483,10 @@
 	bootscr_id=""
 	rm -f ${1} arch/${ARCH}/boot/${2}
 
+	if [ ! -z "${UBOOT_SIGN_IMG_KEYNAME}" -a "${UBOOT_SIGN_KEYNAME}" = "${UBOOT_SIGN_IMG_KEYNAME}" ]; then
+		bbfatal "Keys used to sign images and configuration nodes must be different."
+	fi
+
 	fitimage_emit_fit_header ${1}
 
 	#
@@ -674,7 +686,7 @@
 
 	if [ "${UBOOT_SIGN_ENABLE}" = "1" ] && [ "${FIT_GENERATE_KEYS}" = "1" ]; then
 
-		# Generate keys only if they don't already exist
+		# Generate keys to sign configuration nodes, only if they don't already exist
 		if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key ] || \
 			[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt ]; then
 
@@ -691,6 +703,24 @@
 				-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".key \
 				-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_KEYNAME}".crt
 		fi
+
+		# Generate keys to sign image nodes, only if they don't already exist
+		if [ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key ] || \
+			[ ! -f "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt ]; then
+
+			# make directory if it does not already exist
+			mkdir -p "${UBOOT_SIGN_KEYDIR}"
+
+			echo "Generating RSA private key for signing fitImage"
+			openssl genrsa ${FIT_KEY_GENRSA_ARGS} -out \
+				"${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+			"${FIT_SIGN_NUMBITS}"
+
+			echo "Generating certificate for signing fitImage"
+			openssl req ${FIT_KEY_REQ_ARGS} "${FIT_KEY_SIGN_PKCS}" \
+				-key "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".key \
+				-out "${UBOOT_SIGN_KEYDIR}/${UBOOT_SIGN_IMG_KEYNAME}".crt
+		fi
 	fi
 }
 
diff --git a/poky/meta/classes/multilib.bbclass b/poky/meta/classes/multilib.bbclass
index c3be897..3cbda5d 100644
--- a/poky/meta/classes/multilib.bbclass
+++ b/poky/meta/classes/multilib.bbclass
@@ -35,7 +35,7 @@
         e.data.setVar('SDKTARGETSYSROOT', e.data.getVar('SDKTARGETSYSROOT'))
         override = ":virtclass-multilib-" + variant
         e.data.setVar("OVERRIDES", e.data.getVar("OVERRIDES", False) + override)
-        target_vendor = e.data.getVar("TARGET_VENDOR_" + "virtclass-multilib-" + variant, False)
+        target_vendor = e.data.getVar("TARGET_VENDOR:" + "virtclass-multilib-" + variant, False)
         if target_vendor:
             e.data.setVar("TARGET_VENDOR", target_vendor)
         return
@@ -82,7 +82,7 @@
     e.data.setVar("WHITELIST_GPL-3.0", pkgs)
 
     # DEFAULTTUNE can change TARGET_ARCH override so expand this now before update_data
-    newtune = e.data.getVar("DEFAULTTUNE_" + "virtclass-multilib-" + variant, False)
+    newtune = e.data.getVar("DEFAULTTUNE:" + "virtclass-multilib-" + variant, False)
     if newtune:
         e.data.setVar("DEFAULTTUNE", newtune)
 }
diff --git a/poky/meta/classes/overlayfs.bbclass b/poky/meta/classes/overlayfs.bbclass
new file mode 100644
index 0000000..8d9b59c
--- /dev/null
+++ b/poky/meta/classes/overlayfs.bbclass
@@ -0,0 +1,111 @@
+# Class for generation of overlayfs mount units
+#
+# It's often desired in Embedded System design to have a read-only rootfs.
+# But a lot of different applications might want to have a read-write access to
+# some parts of a filesystem. It can be especially useful when your update mechanism
+# overwrites the whole rootfs, but you want your application data to be preserved
+# between updates. This class provides a way to achieve that by means
+# of overlayfs and at the same time keeping the base rootfs read-only.
+#
+# Usage example.
+#
+# Set a mount point for a partition overlayfs is going to use as upper layer
+# in your machine configuration. Underlying file system can be anything that
+# is supported by overlayfs. This has to be done in your machine configuration.
+# QA check fails to catch file existence if you redefine this variable in your recipe!
+#
+#   OVERLAYFS_MOUNT_POINT[data] ?= "/data"
+#
+# The class assumes you have a data.mount systemd unit defined in your
+# systemd-machine-units recipe and installed to the image.
+#
+# Then you can specify writable directories on a recipe base
+#
+#   OVERLAYFS_WRITABLE_PATHS[data] = "/usr/share/my-custom-application"
+#
+# To support several mount points you can use a different variable flag. Assume we
+# want to have a writable location on the file system, but not interested where the data
+# survive a reboot. Then we could have a mnt-overlay.mount unit for a tmpfs file system:
+#
+#   OVERLAYFS_MOUNT_POINT[mnt-overlay] = "/mnt/overlay"
+#   OVERLAYFS_WRITABLE_PATHS[mnt-overlay] = "/usr/share/another-application"
+#
+# Note: the class does not support /etc directory itself, because systemd depends on it
+
+REQUIRED_DISTRO_FEATURES += "systemd overlayfs"
+
+inherit systemd features_check
+
+python do_create_overlayfs_units() {
+    CreateDirsUnitTemplate = """[Unit]
+Description=Overlayfs directories setup
+Requires={DATA_MOUNT_UNIT}
+After={DATA_MOUNT_UNIT}
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+ExecStart=mkdir -p {DATA_MOUNT_POINT}/workdir{LOWERDIR} && mkdir -p {DATA_MOUNT_POINT}/upper{LOWERDIR}
+RemainAfterExit=true
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
+"""
+    MountUnitTemplate = """[Unit]
+Description=Overlayfs mount unit
+Requires={CREATE_DIRS_SERVICE}
+After={CREATE_DIRS_SERVICE}
+
+[Mount]
+What=overlay
+Where={LOWERDIR}
+Type=overlay
+Options=lowerdir={LOWERDIR},upperdir={DATA_MOUNT_POINT}/upper{LOWERDIR},workdir={DATA_MOUNT_POINT}/workdir{LOWERDIR}
+
+[Install]
+WantedBy=multi-user.target
+"""
+
+    def prepareUnits(data, lower):
+        from oe.overlayfs import mountUnitName, helperUnitName
+
+        args = {
+            'DATA_MOUNT_POINT': data,
+            'DATA_MOUNT_UNIT': mountUnitName(data),
+            'CREATE_DIRS_SERVICE': helperUnitName(lower),
+            'LOWERDIR': lower,
+        }
+
+        with open(os.path.join(d.getVar('WORKDIR'), mountUnitName(lower)), 'w') as f:
+            f.write(MountUnitTemplate.format(**args))
+
+        with open(os.path.join(d.getVar('WORKDIR'), helperUnitName(lower)), 'w') as f:
+            f.write(CreateDirsUnitTemplate.format(**args))
+
+    overlayMountPoints = d.getVarFlags("OVERLAYFS_MOUNT_POINT")
+    for mountPoint in overlayMountPoints:
+        for lower in d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint).split():
+            prepareUnits(d.getVarFlag('OVERLAYFS_MOUNT_POINT', mountPoint), lower)
+}
+
+# we need to generate file names early during parsing stage
+python () {
+    from oe.overlayfs import strForBash, unitFileList
+
+    unitList = unitFileList(d)
+    for unit in unitList:
+        d.appendVar('SYSTEMD_SERVICE:' + d.getVar('PN'), ' ' + unit);
+        d.appendVar('FILES:' + d.getVar('PN'), ' ' + strForBash(unit))
+
+    d.setVar('OVERLAYFS_UNIT_LIST', ' '.join([strForBash(s) for s in unitList]))
+}
+
+do_install:append() {
+    install -d ${D}${systemd_system_unitdir}
+    for unit in ${OVERLAYFS_UNIT_LIST}; do
+        install -m 0444 ${WORKDIR}/${unit} ${D}${systemd_system_unitdir}
+    done
+}
+
+addtask create_overlayfs_units before do_install
diff --git a/poky/meta/classes/package.bbclass b/poky/meta/classes/package.bbclass
index a659a1e..a9138ff 100644
--- a/poky/meta/classes/package.bbclass
+++ b/poky/meta/classes/package.bbclass
@@ -1663,12 +1663,12 @@
                 val = write_if_exists(sf, pkg, var)
 
             write_if_exists(sf, pkg, 'FILERPROVIDESFLIST')
-            for dfile in (d.getVar('FILERPROVIDESFLIST_' + pkg) or "").split():
-                write_if_exists(sf, pkg, 'FILERPROVIDES_' + dfile)
+            for dfile in (d.getVar('FILERPROVIDESFLIST:' + pkg) or "").split():
+                write_if_exists(sf, pkg, 'FILERPROVIDES:' + dfile)
 
             write_if_exists(sf, pkg, 'FILERDEPENDSFLIST')
-            for dfile in (d.getVar('FILERDEPENDSFLIST_' + pkg) or "").split():
-                write_if_exists(sf, pkg, 'FILERDEPENDS_' + dfile)
+            for dfile in (d.getVar('FILERDEPENDSFLIST:' + pkg) or "").split():
+                write_if_exists(sf, pkg, 'FILERDEPENDS:' + dfile)
 
             sf.write('%s_%s: %d\n' % ('PKGSIZE', pkg, total_size))
 
@@ -1714,11 +1714,11 @@
 
 # Collect perfile run-time dependency metadata
 # Output:
-#  FILERPROVIDESFLIST_pkg - list of all files w/ deps
-#  FILERPROVIDES_filepath_pkg - per file dep
+#  FILERPROVIDESFLIST:pkg - list of all files w/ deps
+#  FILERPROVIDES:filepath:pkg - per file dep
 #
-#  FILERDEPENDSFLIST_pkg - list of all files w/ deps
-#  FILERDEPENDS_filepath_pkg - per file dep
+#  FILERDEPENDSFLIST:pkg - list of all files w/ deps
+#  FILERDEPENDS:filepath:pkg - per file dep
 
 python package_do_filedeps() {
     if d.getVar('SKIP_FILEDEPS') == '1':
@@ -1755,18 +1755,18 @@
 
         for file in sorted(provides):
             provides_files[pkg].append(file)
-            key = "FILERPROVIDES_" + file + "_" + pkg
+            key = "FILERPROVIDES:" + file + ":" + pkg
             d.appendVar(key, " " + " ".join(provides[file]))
 
         for file in sorted(requires):
             requires_files[pkg].append(file)
-            key = "FILERDEPENDS_" + file + "_" + pkg
+            key = "FILERDEPENDS:" + file + ":" + pkg
             d.appendVar(key, " " + " ".join(requires[file]))
 
     for pkg in requires_files:
-        d.setVar("FILERDEPENDSFLIST_" + pkg, " ".join(requires_files[pkg]))
+        d.setVar("FILERDEPENDSFLIST:" + pkg, " ".join(requires_files[pkg]))
     for pkg in provides_files:
-        d.setVar("FILERPROVIDESFLIST_" + pkg, " ".join(provides_files[pkg]))
+        d.setVar("FILERPROVIDESFLIST:" + pkg, " ".join(provides_files[pkg]))
 }
 
 SHLIBSDIRS = "${WORKDIR_PKGDATA}/${MLPREFIX}shlibs2"
diff --git a/poky/meta/classes/pypi.bbclass b/poky/meta/classes/pypi.bbclass
index 272c220..9405d58 100644
--- a/poky/meta/classes/pypi.bbclass
+++ b/poky/meta/classes/pypi.bbclass
@@ -8,12 +8,12 @@
 
 PYPI_PACKAGE ?= "${@pypi_package(d)}"
 PYPI_PACKAGE_EXT ?= "tar.gz"
+PYPI_ARCHIVE_NAME ?= "${PYPI_PACKAGE}-${PV}.${PYPI_PACKAGE_EXT}"
 
 def pypi_src_uri(d):
     package = d.getVar('PYPI_PACKAGE')
-    package_ext = d.getVar('PYPI_PACKAGE_EXT')
-    pv = d.getVar('PV')
-    return 'https://files.pythonhosted.org/packages/source/%s/%s/%s-%s.%s' % (package[0], package, package, pv, package_ext)
+    archive_name = d.getVar('PYPI_ARCHIVE_NAME')
+    return 'https://files.pythonhosted.org/packages/source/%s/%s/%s' % (package[0], package, archive_name)
 
 PYPI_SRC_URI ?= "${@pypi_src_uri(d)}"
 
diff --git a/poky/meta/classes/rootfs-postcommands.bbclass b/poky/meta/classes/rootfs-postcommands.bbclass
index fbfa63f..c5746eb 100644
--- a/poky/meta/classes/rootfs-postcommands.bbclass
+++ b/poky/meta/classes/rootfs-postcommands.bbclass
@@ -39,6 +39,8 @@
 
 ROOTFS_POSTPROCESS_COMMAND += 'empty_var_volatile;'
 
+ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("DISTRO_FEATURES", "overlayfs", "overlayfs_qa_check;", "", d)}'
+
 inherit image-artifact-names
 
 # Sort the user and group entries in /etc by ID in order to make the content
@@ -373,3 +375,26 @@
 		fi
 	fi
 }
+
+python overlayfs_qa_check() {
+    from oe.overlayfs import mountUnitName
+
+    # this is a dumb check for unit existence, not its validity
+    overlayMountPoints = d.getVarFlags("OVERLAYFS_MOUNT_POINT")
+    imagepath = d.getVar("IMAGE_ROOTFS")
+    searchpaths = [oe.path.join(imagepath, d.getVar("sysconfdir"), "systemd", "system"),
+                   oe.path.join(imagepath, d.getVar("systemd_system_unitdir"))]
+
+    allUnitExist = True;
+    for mountPoint in overlayMountPoints:
+        path = d.getVarFlag('OVERLAYFS_MOUNT_POINT', mountPoint)
+        unit = mountUnitName(path)
+
+        if not any(os.path.isfile(oe.path.join(dirpath, unit))
+                   for dirpath in searchpaths):
+            bb.warn('Unit name %s not found in systemd unit directories' % unit)
+            allUnitExist = False;
+
+    if not allUnitExist:
+        bb.fatal('Not all mount units are installed by the BSP')
+}
diff --git a/poky/meta/classes/sstate.bbclass b/poky/meta/classes/sstate.bbclass
index 554e401..2175ace 100644
--- a/poky/meta/classes/sstate.bbclass
+++ b/poky/meta/classes/sstate.bbclass
@@ -705,6 +705,7 @@
             pass
         except OSError as e:
             # Handle read-only file systems gracefully
+            import errno
             if e.errno != errno.EROFS:
                 raise e
 
@@ -1152,6 +1153,7 @@
                 pass
             except OSError as e:
                 # Handle read-only file systems gracefully
+                import errno
                 if e.errno != errno.EROFS:
                     raise e
 
diff --git a/poky/meta/classes/terminal.bbclass b/poky/meta/classes/terminal.bbclass
index 6059ae9..a564ee7 100644
--- a/poky/meta/classes/terminal.bbclass
+++ b/poky/meta/classes/terminal.bbclass
@@ -26,6 +26,9 @@
     bb.utils.mkdirhier(os.path.dirname(runfile))
 
     with open(runfile, 'w') as script:
+        # Override the shell shell_trap_code specifies.
+        # If our shell is bash, we might well face silent death.
+        script.write("#!/bin/bash\n")
         script.write(bb.build.shell_trap_code())
         bb.data.emit_func(cmd_func, script, envdata)
         script.write(cmd_func)
@@ -37,7 +40,7 @@
 def oe_terminal(command, title, d):
     import oe.data
     import oe.terminal
-
+    
     envdata = bb.data.init()
 
     for v in os.environ:
diff --git a/poky/meta/conf/bitbake.conf b/poky/meta/conf/bitbake.conf
index 1d5f5b7..f6fb2aa 100644
--- a/poky/meta/conf/bitbake.conf
+++ b/poky/meta/conf/bitbake.conf
@@ -236,8 +236,8 @@
 # The following two are commented out because they result in a recursive
 # definition of the variable in some corner cases.  These are left in
 # to illustrate the intended behavior.
-#SUMMARY_${PN} ?= "${SUMMARY}"
-#DESCRIPTION_${PN} ?= "${DESCRIPTION}"
+#SUMMARY:${PN} ?= "${SUMMARY}"
+#DESCRIPTION:${PN} ?= "${DESCRIPTION}"
 
 SUMMARY:${PN}-src ?= "${SUMMARY} - Source files"
 DESCRIPTION:${PN}-src ?= "${DESCRIPTION}  \
@@ -597,7 +597,7 @@
 ASNEEDED ?= "-Wl,--as-needed"
 
 export LDFLAGS = "${TARGET_LDFLAGS}"
-TARGET_LDFLAGS = "-Wl,-O1 ${TARGET_LINK_HASH_STYLE} ${ASNEEDED}"
+TARGET_LDFLAGS = "-Wl,-O1 ${TARGET_LINK_HASH_STYLE} ${ASNEEDED} ${DEBUG_PREFIX_MAP}"
 # mips does not support GNU hash style therefore we override
 LINKER_HASH_STYLE:mipsarch:libc-musl = "sysv"
 
diff --git a/poky/meta/conf/distro/include/tcmode-default.inc b/poky/meta/conf/distro/include/tcmode-default.inc
index 7afe28a..47f23f5 100644
--- a/poky/meta/conf/distro/include/tcmode-default.inc
+++ b/poky/meta/conf/distro/include/tcmode-default.inc
@@ -20,7 +20,7 @@
 SDKGCCVERSION ?= "${GCCVERSION}"
 BINUVERSION ?= "2.37%"
 GDBVERSION ?= "10.%"
-GLIBCVERSION ?= "2.33"
+GLIBCVERSION ?= "2.34"
 LINUXLIBCVERSION ?= "5.13%"
 QEMUVERSION ?= "6.0%"
 GOVERSION ?= "1.16%"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv7em.inc b/poky/meta/conf/machine/include/arm/arch-armv7em.inc
new file mode 100644
index 0000000..adcab27
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/arch-armv7em.inc
@@ -0,0 +1,17 @@
+#
+# Defaults for ARMv7e-m
+#
+DEFAULTTUNE ?= "armv7em"
+
+TUNEVALID[armv7em] = "Enable instructions for ARMv7e-m"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv7em', ' -march=armv7e-m', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv7em', 'armv7em:', '', d)}"
+
+TUNECONFLICTS[armv7em] = "armv4 armv5 armv6 armv7a"
+
+require conf/machine/include/arm/arch-armv7m.inc
+
+AVAILTUNES                            += "armv7em"
+ARMPKGARCH:tune-armv7em                = "armv7em"
+TUNE_FEATURES:tune-armv7em             = "armv7em"
+PACKAGE_EXTRA_ARCHS:tune-armv7em       = "armv7em"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv7m.inc b/poky/meta/conf/machine/include/arm/arch-armv7m.inc
new file mode 100644
index 0000000..a36c265
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/arch-armv7m.inc
@@ -0,0 +1,17 @@
+#
+# Defaults for ARMv7-m
+#
+DEFAULTTUNE ?= "armv7m"
+
+TUNEVALID[armv7m] = "Enable instructions for ARMv7-m"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv7m', ' -march=armv7-m', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv7m', 'armv7m:', '', d)}"
+
+TUNECONFLICTS[armv7m] = "armv4 armv5 armv6 armv7a"
+
+require conf/machine/include/arm/arch-armv6m.inc
+
+AVAILTUNES                            += "armv7m"
+ARMPKGARCH:tune-armv7m                 = "armv7m"
+TUNE_FEATURES:tune-armv7m              = "armv7m"
+PACKAGE_EXTRA_ARCHS:tune-armv7m        = "armv7m"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv8-1m-main.inc b/poky/meta/conf/machine/include/arm/arch-armv8-1m-main.inc
new file mode 100644
index 0000000..9171b31
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/arch-armv8-1m-main.inc
@@ -0,0 +1,18 @@
+#
+#
+# Defaults for ARMv8.1-M.main
+#
+DEFAULTTUNE ?= "armv8-1m-main"
+
+TUNEVALID[armv8-1m-main] = "Enable instructions for ARMv8.1-m.main"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8-1m-main', ' -march=armv8.1-m.main', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8-1m-main', 'armv8-1m-main:', '', d)}"
+
+TUNECONFLICTS[armv8-1m-main] = "armv4 armv5 armv6 armv7a"
+
+require conf/machine/include/arm/arch-armv8m-main.inc
+
+AVAILTUNES                            += "armv8-1m-main"
+ARMPKGARCH:tune-armv8-1m-main          = "armv8-1m-main"
+TUNE_FEATURES:tune-armv8-1m-main       = "armv8-1m-main"
+PACKAGE_EXTRA_ARCHS:tune-armv8-1m-main = "armv8-1m-main"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv8m-base.inc b/poky/meta/conf/machine/include/arm/arch-armv8m-base.inc
new file mode 100644
index 0000000..d9a341c
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/arch-armv8m-base.inc
@@ -0,0 +1,17 @@
+#
+# Defaults for ARMv8-m.base
+#
+DEFAULTTUNE ?= "armv8m-base"
+
+TUNEVALID[armv8m-base] = "Enable instructions for ARMv8-m.base"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8m-base', ' -march=armv8-m.base', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8m-base', 'armv8m-base:', '', d)}"
+
+TUNECONFLICTS[armv8m-base] = "armv4 armv5 armv6 armv7a"
+
+require conf/machine/include/arm/arch-armv7m.inc
+
+AVAILTUNES                          += "armv8m-base"
+ARMPKGARCH:tune-armv8m-base          = "armv8m-base"
+TUNE_FEATURES:tune-armv8m-base       = "armv8m-base"
+PACKAGE_EXTRA_ARCHS:tune-armv8m-base = "armv8m-base"
diff --git a/poky/meta/conf/machine/include/arm/arch-armv8m-main.inc b/poky/meta/conf/machine/include/arm/arch-armv8m-main.inc
new file mode 100644
index 0000000..27f552b
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/arch-armv8m-main.inc
@@ -0,0 +1,36 @@
+#
+# Defaults for ARMv8-m.main
+#
+DEFAULTTUNE ?= "armv8m-main"
+
+require conf/machine/include/arm/arch-armv8m-base.inc
+
+TUNEVALID[armv8m-main] = "Enable instructions for ARMv8-m.main"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'armv8m-main', ' -march=armv8-m.main${MARCH_DSP}${MARCH_FPU}', '', d)}"
+MACHINEOVERRIDES =. "${@bb.utils.contains('TUNE_FEATURES', 'armv8m-main', 'armv8m-main:', '', d)}"
+
+TUNECONFLICTS[armv8m-main] = "armv4 armv5 armv6 armv7a"
+
+# FIXME - below taken from meta/conf/machine/include/arm/arch-armv5-dsp.inc and should be put into something more generic
+TUNEVALID[dsp] = "ARM DSP functionality"
+ARMPKGSFX_DSP = "${@bb.utils.contains('TUNE_FEATURES', [ 'dsp' ], 'e', '', d)}"
+MARCH_DSP = "${@bb.utils.contains('TUNE_FEATURES', [ 'dsp' ], '+dsp', '+nodsp', d)}"
+
+# FIXME - Below belongs in meta/conf/machine/include/arm/feature-arm-neon.inc
+TUNEVALID[vfpv5spd16] = "Enable Vector Floating Point Version 5, Single Precision. with 16 registers (fpv5-sp-d16) unit."
+TUNE_CCARGS_MFPU .= "${@bb.utils.contains('TUNE_FEATURES', 'vfpv5spd16', 'fpv5-sp-d16', '', d)}"
+MARCH_FPU = "${@bb.utils.contains('TUNE_FEATURES', [ 'vfpv5spd16' ], '+fp', '+nofp', d)}"
+
+AVAILTUNES                                      += "armv8m-main armv8m-mainearmv8m-main-vfpv5spd16 armv8m-maine-vfpv5spd16"
+ARMPKGARCH:tune-armv8m-main                      = "armv8m-main"
+ARMPKGARCH:tune-armv8m-maine                     = "armv8m-main"
+ARMPKGARCH:tune-armv8m-main-vfpv5spd16           = "armv8m-main"
+ARMPKGARCH:tune-armv8m-maine-vfpv5spd16          = "armv8m-main"
+TUNE_FEATURES:tune-armv8m-main                   = "armv8m-main"
+TUNE_FEATURES:tune-armv8m-maine                  = "${TUNE_FEATURES:tune-armv8m-main} dsp"
+TUNE_FEATURES:tune-armv8m-main-vfpv5spd16        = "${TUNE_FEATURES:tune-armv8m-main} vfpv5spd16"
+TUNE_FEATURES:tune-armv8m-maine-vfpv5spd16       = "${TUNE_FEATURES:tune-armv8m-main-vfpv5spd16} dsp"
+PACKAGE_EXTRA_ARCHS:tune-armv8m-main             = "armv8m-main"
+PACKAGE_EXTRA_ARCHS:tune-armv8m-maine            = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-main} armv8m-maine"
+PACKAGE_EXTRA_ARCHS:tune-armv8m-main-vfpv5spd16  = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-main} armv8m-main-fpv5-spd16"
+PACKAGE_EXTRA_ARCHS:tune-armv8m-maine-vfpv5spd16 = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-main} armv8m-maine-fpv5-spd16"
diff --git a/poky/meta/conf/machine/include/arm/armv8-1m/tune-cortexm55.inc b/poky/meta/conf/machine/include/arm/armv8-1m/tune-cortexm55.inc
new file mode 100644
index 0000000..493ad67
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/armv8-1m/tune-cortexm55.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M55
+#
+DEFAULTTUNE ?= "cortexm55"
+
+TUNEVALID[cortexm55] = "Enable Cortex-M55 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm55', ' -mcpu=cortex-m55', '', d)}"
+
+require conf/machine/include/arm/arch-armv8-1m-main.inc
+
+AVAILTUNES                            += "cortexm55"
+ARMPKGARCH:tune-cortexm55              = "cortexm55"
+TUNE_FEATURES:tune-cortexm55           = "${TUNE_FEATURES:tune-armv8-1m-main} cortexm55"
+PACKAGE_EXTRA_ARCHS:tune-cortexm55     = "${PACKAGE_EXTRA_ARCHS:tune-armv8-1m-main} cortexm55"
diff --git a/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm23.inc b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm23.inc
new file mode 100644
index 0000000..25780bc
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm23.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M23
+#
+DEFAULTTUNE ?= "cortexm23"
+
+TUNEVALID[cortexm23] = "Enable Cortex-M23 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm23', ' -mcpu=cortex-m23', '', d)}"
+
+require conf/machine/include/arm/arch-armv8m-base.inc
+
+AVAILTUNES                          += "cortexm23"
+ARMPKGARCH:tune-cortexm23            = "cortexm23"
+TUNE_FEATURES:tune-cortexm23         = "${TUNE_FEATURES:tune-armv8m-base} cortexm23"
+PACKAGE_EXTRA_ARCHS:tune-cortexm23   = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-base} cortexm23"
diff --git a/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm33.inc b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm33.inc
new file mode 100644
index 0000000..04d1fe2
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm33.inc
@@ -0,0 +1,17 @@
+#
+# Tune Settings for Cortex-M33
+#
+DEFAULTTUNE ?= "cortexm33"
+
+TUNEVALID[cortexm33] = "Enable Cortex-M33 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm33', ' -mcpu=cortex-m33', '', d)}"
+
+require conf/machine/include/arm/arch-armv8m-main.inc
+
+# GCC thnks that DSP and VFP are required, but Arm docs say it is
+# optional.  So forcing below so that compiling works, but this should
+# be fixed in GCC
+AVAILTUNES                          += "cortexm33"
+ARMPKGARCH:tune-cortexm33            = "cortexm33"
+TUNE_FEATURES:tune-cortexm33         = "${TUNE_FEATURES:tune-armv8m-maine-vfpv5spd16} cortexm33"
+PACKAGE_EXTRA_ARCHS:tune-cortexm33   = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-maine-vfpv5spd16} cortexm33e-fpv5-spd16"
diff --git a/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm35p.inc b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm35p.inc
new file mode 100644
index 0000000..60e978f
--- /dev/null
+++ b/poky/meta/conf/machine/include/arm/armv8-m/tune-cortexm35p.inc
@@ -0,0 +1,17 @@
+#
+# Tune Settings for Cortex-M35P
+#
+DEFAULTTUNE ?= "cortexm35p"
+
+TUNEVALID[cortexm35p] = "Enable Cortex-M35p specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm35p', ' -mcpu=cortex-m35p', '', d)}"
+
+require conf/machine/include/arm/arch-armv8m-main.inc
+
+# GCC thnks that DSP and VFP are required, but Arm docs say it is
+# optional.  So forcing below so that compiling works, but this should
+# be fixed in GCC
+AVAILTUNES                          += "cortexm35p"
+ARMPKGARCH:tune-cortexm35p           = "cortexm35p"
+TUNE_FEATURES:tune-cortexm35p        = "${TUNE_FEATURES:tune-armv8m-maine-vfpv5spd16} cortexm35p"
+PACKAGE_EXTRA_ARCHS:tune-cortexm35p  = "${PACKAGE_EXTRA_ARCHS:tune-armv8m-maine-vfpv5spd16} cortexm35pe-fpv5-spd16"
diff --git a/poky/meta/conf/machine/include/tune-cortexm1.inc b/poky/meta/conf/machine/include/tune-cortexm1.inc
new file mode 100644
index 0000000..16661f3
--- /dev/null
+++ b/poky/meta/conf/machine/include/tune-cortexm1.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M1
+#
+DEFAULTTUNE ?= "cortexm1"
+
+TUNEVALID[cortexm1] = "Enable Cortex-M1 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm1', ' -mcpu=cortex-m1', '', d)}"
+
+require conf/machine/include/arm/arch-armv6m.inc
+
+AVAILTUNES                            += "cortexm1"
+ARMPKGARCH:tune-cortexm1               = "cortexm1"
+TUNE_FEATURES:tune-cortexm1            = "${TUNE_FEATURES:tune-armv6m} cortexm1"
+PACKAGE_EXTRA_ARCHS:tune-cortexm1      = "${PACKAGE_EXTRA_ARCHS:tune-armv6m} cortexm1"
diff --git a/poky/meta/conf/machine/include/tune-cortexm3.inc b/poky/meta/conf/machine/include/tune-cortexm3.inc
new file mode 100644
index 0000000..a6cb566
--- /dev/null
+++ b/poky/meta/conf/machine/include/tune-cortexm3.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M3
+#
+DEFAULTTUNE ?= "cortexm3"
+
+TUNEVALID[cortexm3] = "Enable Cortex-M3 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm3', ' -mcpu=cortex-m3', '', d)}"
+
+require conf/machine/include/arm/arch-armv7m.inc
+
+AVAILTUNES                            += "cortexm3"
+ARMPKGARCH:tune-cortexm3               = "cortexm3"
+TUNE_FEATURES:tune-cortexm3            = "${TUNE_FEATURES:tune-armv7m} cortexm3"
+PACKAGE_EXTRA_ARCHS:tune-cortexm3      = "${PACKAGE_EXTRA_ARCHS:tune-armv7m} cortexm3"
diff --git a/poky/meta/conf/machine/include/tune-cortexm4.inc b/poky/meta/conf/machine/include/tune-cortexm4.inc
new file mode 100644
index 0000000..e86622f
--- /dev/null
+++ b/poky/meta/conf/machine/include/tune-cortexm4.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M4
+#
+DEFAULTTUNE ?= "cortexm4"
+
+TUNEVALID[cortexm4] = "Enable Cortex-M4 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm4', ' -mcpu=cortex-m4', '', d)}"
+
+require conf/machine/include/arm/arch-armv7em.inc
+
+AVAILTUNES                            += "cortexm4"
+ARMPKGARCH:tune-cortexm4               = "cortexm4"
+TUNE_FEATURES:tune-cortexm4            = "${TUNE_FEATURES:tune-armv7em} cortexm4"
+PACKAGE_EXTRA_ARCHS:tune-cortexm4      = "${PACKAGE_EXTRA_ARCHS:tune-armv7em} cortexm4"
diff --git a/poky/meta/conf/machine/include/tune-cortexm7.inc b/poky/meta/conf/machine/include/tune-cortexm7.inc
new file mode 100644
index 0000000..6434ec6
--- /dev/null
+++ b/poky/meta/conf/machine/include/tune-cortexm7.inc
@@ -0,0 +1,14 @@
+#
+# Tune Settings for Cortex-M7
+#
+DEFAULTTUNE ?= "cortexm7"
+
+TUNEVALID[cortexm7] = "Enable Cortex-M7 specific processor optimizations"
+TUNE_CCARGS .= "${@bb.utils.contains('TUNE_FEATURES', 'cortexm7', ' -mcpu=cortex-m7', '', d)}"
+
+require conf/machine/include/arm/arch-armv7em.inc
+
+AVAILTUNES                            += "cortexm7"
+ARMPKGARCH:tune-cortexm7               = "cortexm7"
+TUNE_FEATURES:tune-cortexm7            = "${TUNE_FEATURES:tune-armv7em} cortexm7"
+PACKAGE_EXTRA_ARCHS:tune-cortexm7      = "${PACKAGE_EXTRA_ARCHS:tune-armv7em} cortexm7"
diff --git a/poky/meta/conf/machine/qemuppc64.conf b/poky/meta/conf/machine/qemuppc64.conf
index 0682e75..a5270e9 100644
--- a/poky/meta/conf/machine/qemuppc64.conf
+++ b/poky/meta/conf/machine/qemuppc64.conf
@@ -18,7 +18,7 @@
 QB_OPT_APPEND = "-usb -device usb-tablet"
 
 #prelink broken on ppc64
-#USER_CLASSES_remove = "image-prelink"
-#IMAGE_PREPROCESS_COMMAND_remove = "prelink_image;"
+#USER_CLASSES:remove = "image-prelink"
+#IMAGE_PREPROCESS_COMMAND:remove = "prelink_image;"
 
 MACHINE_EXTRA_RRECOMMENDS += " kernel-modules"
diff --git a/poky/meta/files/toolchain-shar-relocate.sh b/poky/meta/files/toolchain-shar-relocate.sh
index 8ea6194..3ece04d 100644
--- a/poky/meta/files/toolchain-shar-relocate.sh
+++ b/poky/meta/files/toolchain-shar-relocate.sh
@@ -72,7 +72,7 @@
 
 # change all symlinks pointing to @SDKPATH@
 for l in $($SUDO_EXEC find $native_sysroot -type l); do
-	$SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$DEFAULT_INSTALL_DIR:$target_sdk_dir:") $l
+	$SUDO_EXEC ln -sfn $(readlink $l|$SUDO_EXEC sed -e "s:$SDK_BUILD_PATH:$target_sdk_dir:") $l
 	if [ $? -ne 0 ]; then
 		echo "Failed to setup symlinks. Relocate script failed. Abort!"
 		exit 1
diff --git a/poky/meta/lib/oe/cve_check.py b/poky/meta/lib/oe/cve_check.py
index a1d7c29..0302bee 100644
--- a/poky/meta/lib/oe/cve_check.py
+++ b/poky/meta/lib/oe/cve_check.py
@@ -63,3 +63,86 @@
     else:
         _pre = float(pre_v) if pre_v else float('-inf')
     return _release, _patch, _pre
+
+
+def get_patched_cves(d):
+    """
+    Get patches that solve CVEs using the "CVE: " tag.
+    """
+
+    import re
+    import oe.patch
+
+    pn = d.getVar("PN")
+    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+
+    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
+    patched_cves = set()
+    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
+    for url in oe.patch.src_patches(d):
+        patch_file = bb.fetch.decodeurl(url)[2]
+
+        if not os.path.isfile(patch_file):
+            bb.error("File Not found: %s" % patch_file)
+            raise FileNotFoundError
+
+        # Check patch file name for CVE ID
+        fname_match = cve_file_name_match.search(patch_file)
+        if fname_match:
+            cve = fname_match.group(1).upper()
+            patched_cves.add(cve)
+            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
+        with open(patch_file, "r", encoding="utf-8") as f:
+            try:
+                patch_text = f.read()
+            except UnicodeDecodeError:
+                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+                        " trying with iso8859-1" %  patch_file)
+                f.close()
+                with open(patch_file, "r", encoding="iso8859-1") as f:
+                    patch_text = f.read()
+
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
+            # Get only the CVEs without the "CVE: " tag
+            cves = patch_text[match.start()+5:match.end()]
+            for cve in cves.split():
+                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+                patched_cves.add(cve)
+                text_match = True
+
+        if not fname_match and not text_match:
+            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+
+    return patched_cves
+
+
+def get_cpe_ids(cve_product, version):
+    """
+    Get list of CPE identifiers for the given product and version
+    """
+
+    version = version.split("+git")[0]
+
+    cpe_ids = []
+    for product in cve_product.split():
+        # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+        # use wildcard for vendor.
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+        else:
+            vendor = "*"
+
+        cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
+        cpe_ids.append(cpe_id)
+
+    return cpe_ids
diff --git a/poky/meta/lib/oe/overlayfs.py b/poky/meta/lib/oe/overlayfs.py
new file mode 100644
index 0000000..21ef710
--- /dev/null
+++ b/poky/meta/lib/oe/overlayfs.py
@@ -0,0 +1,43 @@
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# This file contains common functions for overlayfs and its QA check
+
+# this function is based on https://github.com/systemd/systemd/blob/main/src/basic/unit-name.c
+def escapeSystemdUnitName(path):
+    escapeMap = {
+        '/': '-',
+        '-': "\\x2d",
+        '\\': "\\x5d"
+    }
+    return "".join([escapeMap.get(c, c) for c in path.strip('/')])
+
+def strForBash(s):
+    return s.replace('\\', '\\\\')
+
+def mountUnitName(unit):
+    return escapeSystemdUnitName(unit) + '.mount'
+
+def helperUnitName(unit):
+    return escapeSystemdUnitName(unit) + '-create-upper-dir.service'
+
+def unitFileList(d):
+    fileList = []
+    overlayMountPoints = d.getVarFlags("OVERLAYFS_MOUNT_POINT")
+
+    if not overlayMountPoints:
+        bb.fatal("A recipe uses overlayfs class but there is no OVERLAYFS_MOUNT_POINT set in your MACHINE configuration")
+
+    # check that we have required mount points set first
+    requiredMountPoints = d.getVarFlags('OVERLAYFS_WRITABLE_PATHS')
+    for mountPoint in requiredMountPoints:
+        if mountPoint not in overlayMountPoints:
+            bb.fatal("Missing required mount point for OVERLAYFS_MOUNT_POINT[%s] in your MACHINE configuration" % mountPoint)
+
+    for mountPoint in overlayMountPoints:
+        for path in d.getVarFlag('OVERLAYFS_WRITABLE_PATHS', mountPoint).split():
+            fileList.append(mountUnitName(path))
+            fileList.append(helperUnitName(path))
+
+    return fileList
+
diff --git a/poky/meta/lib/oe/packagedata.py b/poky/meta/lib/oe/packagedata.py
index 22261d2..0b17897 100644
--- a/poky/meta/lib/oe/packagedata.py
+++ b/poky/meta/lib/oe/packagedata.py
@@ -45,14 +45,14 @@
     return read_pkgdatafile(fn)
 
 #
-# Collapse FOO_pkg variables into FOO
+# Collapse FOO:pkg variables into FOO
 #
 def read_subpkgdata_dict(pkg, d):
     ret = {}
     subd = read_pkgdatafile(get_subpkgedata_fn(pkg, d))
     for var in subd:
-        newvar = var.replace("_" + pkg, "")
-        if newvar == var and var + "_" + pkg in subd:
+        newvar = var.replace(":" + pkg, "")
+        if newvar == var and var + ":" + pkg in subd:
             continue
         ret[newvar] = subd[var]
     return ret
diff --git a/poky/meta/lib/oeqa/runtime/cases/date.py b/poky/meta/lib/oeqa/runtime/cases/date.py
index e143229..bd65374 100644
--- a/poky/meta/lib/oeqa/runtime/cases/date.py
+++ b/poky/meta/lib/oeqa/runtime/cases/date.py
@@ -28,14 +28,13 @@
         self.assertEqual(status, 0, msg=msg)
         oldDate = output
 
-        sampleDate = '"2016-08-09 10:00:00"'
-        (status, output) = self.target.run("date -s %s" % sampleDate)
+        sampleTimestamp = 1488800000
+        (status, output) = self.target.run("date -s @%d" % sampleTimestamp)
         self.assertEqual(status, 0, msg='Date set failed, output: %s' % output)
 
-        (status, output) = self.target.run("date -R")
-        p = re.match('Tue, 09 Aug 2016 10:00:.. \+0000', output)
+        (status, output) = self.target.run('date +"%s"')
         msg = 'The date was not set correctly, output: %s' % output
-        self.assertTrue(p, msg=msg)
+        self.assertTrue(int(output) - sampleTimestamp < 300, msg=msg)
 
         (status, output) = self.target.run('date -s "%s"' % oldDate)
         msg = 'Failed to reset date, output: %s' % output
diff --git a/poky/meta/lib/oeqa/sdk/buildtools-cases/README b/poky/meta/lib/oeqa/sdk/buildtools-cases/README
new file mode 100644
index 0000000..d4f20fa
--- /dev/null
+++ b/poky/meta/lib/oeqa/sdk/buildtools-cases/README
@@ -0,0 +1,2 @@
+These test cases are used by buildtools-tarball, and are not used by the testsdk
+class.
diff --git a/poky/meta/lib/oeqa/sdk/buildtools-cases/build.py b/poky/meta/lib/oeqa/sdk/buildtools-cases/build.py
new file mode 100644
index 0000000..5a17ab9
--- /dev/null
+++ b/poky/meta/lib/oeqa/sdk/buildtools-cases/build.py
@@ -0,0 +1,23 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import os, tempfile
+from oeqa.sdk.case import OESDKTestCase
+from oeqa.utils.subprocesstweak import errors_have_output
+errors_have_output()
+
+class BuildTests(OESDKTestCase):
+    """
+    Verify that bitbake can build virtual/libc inside the buildtools.
+    """
+    def test_libc(self):
+        with tempfile.TemporaryDirectory(prefix='bitbake-build-', dir=self.tc.sdk_dir) as testdir:
+            corebase = self.td['COREBASE']
+
+            self._run('. %s/oe-init-build-env %s' % (corebase, testdir))
+            with open(os.path.join(testdir, 'conf', 'local.conf'), 'ta') as conf:
+                conf.write('\n')
+                conf.write('DL_DIR = "%s"\n' % self.td['DL_DIR'])
+
+            self._run('. %s/oe-init-build-env %s && bitbake virtual/libc' % (corebase, testdir))
diff --git a/poky/meta/lib/oeqa/sdk/buildtools-cases/sanity.py b/poky/meta/lib/oeqa/sdk/buildtools-cases/sanity.py
new file mode 100644
index 0000000..64baaa8
--- /dev/null
+++ b/poky/meta/lib/oeqa/sdk/buildtools-cases/sanity.py
@@ -0,0 +1,22 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+import shutil
+import os.path
+from oeqa.sdk.case import OESDKTestCase
+
+class SanityTests(OESDKTestCase):
+    def test_tools(self):
+        """
+        Test that wget and tar come from the buildtools, not the host. This
+        verifies that the buildtools have installed correctly. We can't check
+        for gcc as that is only installed by buildtools-extended.
+        """
+        for command in ("tar", "wget"):
+            # Canonicalise the SDK root
+            sdk_base = os.path.realpath(self.tc.sdk_dir)
+            # Canonicalise the location of this command
+            tool_path = os.path.realpath(self._run("command -v %s" % command).strip())
+            # Assert that the tool was found inside the SDK root
+            self.assertEquals(os.path.commonprefix((sdk_base, tool_path)), sdk_base)
diff --git a/poky/meta/lib/oeqa/selftest/cases/fitimage.py b/poky/meta/lib/oeqa/selftest/cases/fitimage.py
index 815ee48..184c877 100644
--- a/poky/meta/lib/oeqa/selftest/cases/fitimage.py
+++ b/poky/meta/lib/oeqa/selftest/cases/fitimage.py
@@ -114,7 +114,8 @@
 UBOOT_SIGN_ENABLE = "1"
 FIT_GENERATE_KEYS = "1"
 UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
 FIT_SIGN_INDIVIDUAL = "1"
 UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart comment'"
 """
@@ -173,11 +174,11 @@
 
         reqsigvalues_image = {
             'algo': '"sha256,rsa2048"',
-            'key-name-hint': '"oe-selftest"',
+            'key-name-hint': '"img-oe-selftest"',
         }
         reqsigvalues_config = {
             'algo': '"sha256,rsa2048"',
-            'key-name-hint': '"oe-selftest"',
+            'key-name-hint': '"cfg-oe-selftest"',
             'sign-images': '"kernel", "fdt"',
         }
 
@@ -215,7 +216,10 @@
         self.assertIn('conf-am335x-boneblack.dtb', signed_sections)
         for signed_section, values in signed_sections.items():
             value = values.get('Sign algo', None)
-            self.assertEqual(value, 'sha256,rsa2048:oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
+            if signed_section.startswith("conf"):
+                self.assertEqual(value, 'sha256,rsa2048:cfg-oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
+            else:
+                self.assertEqual(value, 'sha256,rsa2048:img-oe-selftest', 'Signature algorithm for %s not expected value' % signed_section)
             value = values.get('Sign value', None)
             self.assertEqual(len(value), 512, 'Signature value for section %s not expected length' % signed_section)
 
@@ -266,7 +270,8 @@
 UBOOT_SIGN_ENABLE = "1"
 FIT_GENERATE_KEYS = "1"
 UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
 FIT_SIGN_INDIVIDUAL = "1"
 """
         self.write_config(config)
@@ -348,7 +353,8 @@
 UBOOT_SIGN_ENABLE = "1"
 FIT_GENERATE_KEYS = "1"
 UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
 FIT_SIGN_INDIVIDUAL = "1"
 UBOOT_MKIMAGE_SIGN_ARGS = "-c 'a smart U-Boot comment'"
 """
@@ -592,7 +598,8 @@
 UBOOT_SIGN_ENABLE = "1"
 FIT_GENERATE_KEYS = "1"
 UBOOT_SIGN_KEYDIR = "${TOPDIR}/signing-keys"
-UBOOT_SIGN_KEYNAME = "kernel-oe-selftest"
+UBOOT_SIGN_IMG_KEYNAME = "img-oe-selftest"
+UBOOT_SIGN_KEYNAME = "cfg-oe-selftest"
 FIT_SIGN_INDIVIDUAL = "1"
 """
         self.write_config(config)
diff --git a/poky/meta/lib/oeqa/selftest/cases/overlayfs.py b/poky/meta/lib/oeqa/selftest/cases/overlayfs.py
new file mode 100644
index 0000000..0184d52
--- /dev/null
+++ b/poky/meta/lib/oeqa/selftest/cases/overlayfs.py
@@ -0,0 +1,171 @@
+#
+# SPDX-License-Identifier: MIT
+#
+
+from oeqa.selftest.case import OESelftestTestCase
+from oeqa.utils.commands import runCmd, bitbake, get_bb_var, runqemu
+
+class OverlayFSTests(OESelftestTestCase):
+    """Overlayfs class usage tests"""
+
+    def getline(self, res, line):
+        for l in res.output.split('\n'):
+            if line in l:
+                return l
+
+    def add_overlay_conf_to_machine(self):
+        machine_inc = """
+OVERLAYFS_MOUNT_POINT[mnt-overlay] = "/mnt/overlay"
+"""
+        self.set_machine_config(machine_inc)
+
+    def test_distro_features_missing(self):
+        """
+        Summary:   Check that required DISTRO_FEATURES are set
+        Expected:  Fail when either systemd or overlayfs are not in DISTRO_FEATURES
+        Author:    Vyacheslav Yurkov <uvv.mail@gmail.com>
+        """
+
+        config = """
+IMAGE_INSTALL:append = " overlayfs-user"
+"""
+        overlayfs_recipe_append = """
+inherit overlayfs
+"""
+        self.write_config(config)
+        self.add_overlay_conf_to_machine()
+        self.write_recipeinc('overlayfs-user', overlayfs_recipe_append)
+
+        res = bitbake('core-image-minimal', ignore_status=True)
+        line = self.getline(res, "overlayfs-user was skipped: missing required distro features")
+        self.assertTrue("overlayfs" in res.output, msg=res.output)
+        self.assertTrue("systemd" in res.output, msg=res.output)
+        self.assertTrue("ERROR: Required build target 'core-image-minimal' has no buildable providers." in res.output, msg=res.output)
+
+    def test_not_all_units_installed(self):
+        """
+        Summary:   Test QA check that we have required mount units in the image
+        Expected:  Fail because mount unit for overlay partition is not installed
+        Author:    Vyacheslav Yurkov <uvv.mail@gmail.com>
+        """
+
+        config = """
+IMAGE_INSTALL:append = " overlayfs-user"
+DISTRO_FEATURES += "systemd overlayfs"
+"""
+
+        self.write_config(config)
+        self.add_overlay_conf_to_machine()
+
+        res = bitbake('core-image-minimal', ignore_status=True)
+        line = self.getline(res, "Unit name mnt-overlay.mount not found in systemd unit directories")
+        self.assertTrue(line and line.startswith("WARNING:"), msg=res.output)
+        line = self.getline(res, "Not all mount units are installed by the BSP")
+        self.assertTrue(line and line.startswith("ERROR:"), msg=res.output)
+
+    def test_mount_unit_not_set(self):
+        """
+        Summary:   Test whether mount unit was set properly
+        Expected:  Fail because mount unit was not set
+        Author:    Vyacheslav Yurkov <uvv.mail@gmail.com>
+        """
+
+        config = """
+IMAGE_INSTALL:append = " overlayfs-user"
+DISTRO_FEATURES += "systemd overlayfs"
+"""
+
+        self.write_config(config)
+
+        res = bitbake('core-image-minimal', ignore_status=True)
+        line = self.getline(res, "A recipe uses overlayfs class but there is no OVERLAYFS_MOUNT_POINT set in your MACHINE configuration")
+        self.assertTrue(line and line.startswith("Parsing recipes...ERROR:"), msg=res.output)
+
+    def test_wrong_mount_unit_set(self):
+        """
+        Summary:   Test whether mount unit was set properly
+        Expected:  Fail because not the correct flag used for mount unit
+        Author:    Vyacheslav Yurkov <uvv.mail@gmail.com>
+        """
+
+        config = """
+IMAGE_INSTALL:append = " overlayfs-user"
+DISTRO_FEATURES += "systemd overlayfs"
+"""
+
+        wrong_machine_config = """
+OVERLAYFS_MOUNT_POINT[usr-share-overlay] = "/usr/share/overlay"
+"""
+
+        self.write_config(config)
+        self.set_machine_config(wrong_machine_config)
+
+        res = bitbake('core-image-minimal', ignore_status=True)
+        line = self.getline(res, "Missing required mount point for OVERLAYFS_MOUNT_POINT[mnt-overlay] in your MACHINE configuration")
+        self.assertTrue(line and line.startswith("Parsing recipes...ERROR:"), msg=res.output)
+
+    def test_correct_image(self):
+        """
+        Summary:   Check that we can create an image when all parameters are
+                   set correctly
+        Expected:  Image is created successfully
+        Author:    Vyacheslav Yurkov <uvv.mail@gmail.com>
+        """
+
+        config = """
+IMAGE_INSTALL:append = " overlayfs-user systemd-machine-units"
+DISTRO_FEATURES += "systemd overlayfs"
+
+# Use systemd as init manager
+VIRTUAL-RUNTIME_init_manager = "systemd"
+
+# enable overlayfs in the kernel
+KERNEL_EXTRA_FEATURES:append = " features/overlayfs/overlayfs.scc"
+"""
+
+        systemd_machine_unit_append = """
+SYSTEMD_SERVICE:${PN} += " \
+    mnt-overlay.mount \
+"
+
+do_install:append() {
+    install -d ${D}${systemd_system_unitdir}
+    cat <<EOT > ${D}${systemd_system_unitdir}/mnt-overlay.mount
+[Unit]
+Description=Tmpfs directory
+DefaultDependencies=no
+
+[Mount]
+What=tmpfs
+Where=/mnt/overlay
+Type=tmpfs
+Options=mode=1777,strictatime,nosuid,nodev
+
+[Install]
+WantedBy=multi-user.target
+EOT
+}
+
+"""
+
+        self.write_config(config)
+        self.add_overlay_conf_to_machine()
+        self.write_recipeinc('systemd-machine-units', systemd_machine_unit_append)
+
+        bitbake('core-image-minimal')
+
+        def getline_qemu(out, line):
+            for l in out.split('\n'):
+                if line in l:
+                    return l
+
+        with runqemu('core-image-minimal') as qemu:
+            # Check that we have /mnt/overlay fs mounted as tmpfs and
+            # /usr/share/my-application as an overlay (see overlayfs-user recipe)
+            status, output = qemu.run_serial("/bin/mount -t tmpfs,overlay")
+
+            line = getline_qemu(output, "on /mnt/overlay")
+            self.assertTrue(line and line.startswith("tmpfs"), msg=output)
+
+            line = getline_qemu(output, "upperdir=/mnt/overlay/upper/usr/share/my-application")
+            self.assertTrue(line and line.startswith("overlay"), msg=output)
diff --git a/poky/meta/recipes-bsp/u-boot/u-boot.inc b/poky/meta/recipes-bsp/u-boot/u-boot.inc
index 4340b17..971fdbb 100644
--- a/poky/meta/recipes-bsp/u-boot/u-boot.inc
+++ b/poky/meta/recipes-bsp/u-boot/u-boot.inc
@@ -210,7 +210,7 @@
     fi
 }
 
-PACKAGE_BEFORE_PN += "${PN}-env"
+PACKAGE_BEFORE_PN += "${PN}-env ${PN}-extlinux"
 
 RPROVIDES:${PN}-env += "u-boot-default-env"
 ALLOW_EMPTY:${PN}-env = "1"
@@ -219,6 +219,9 @@
     ${sysconfdir}/fw_env.config \
 "
 
+FILES:${PN}-extlinux = "${UBOOT_EXTLINUX_INSTALL_DIR}/${UBOOT_EXTLINUX_CONF_NAME}"
+RDEPENDS:${PN} += "${@bb.utils.contains('UBOOT_EXTLINUX', '1', '${PN}-extlinux', '', d)}"
+
 FILES:${PN} = "/boot ${datadir}"
 RDEPENDS:${PN} += "${PN}-env"
 
diff --git a/poky/meta/recipes-core/dbus/dbus-glib_0.112.bb b/poky/meta/recipes-core/dbus/dbus-glib_0.112.bb
index a03b2ad..99b0a20 100644
--- a/poky/meta/recipes-core/dbus/dbus-glib_0.112.bb
+++ b/poky/meta/recipes-core/dbus/dbus-glib_0.112.bb
@@ -20,7 +20,7 @@
 inherit autotools pkgconfig gettext bash-completion gtk-doc
 
 #default disable regression tests, some unit test code in non testing code
-#PACKAGECONFIG_pn-${PN} = "tests" enable regression tests local.conf
+#PACKAGECONFIG:pn-${PN} = "tests" enable regression tests local.conf
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[tests] = "--enable-tests,,,"
 
diff --git a/poky/meta/recipes-core/dbus/dbus.inc b/poky/meta/recipes-core/dbus/dbus.inc
index b237476..adc138b 100644
--- a/poky/meta/recipes-core/dbus/dbus.inc
+++ b/poky/meta/recipes-core/dbus/dbus.inc
@@ -8,6 +8,7 @@
            file://tmpdir.patch \
            file://dbus-1.init \
            file://clear-guid_from_server-if-send_negotiate_unix_f.patch \
+           file://stop_using_selinux_set_mapping.patch \
 "
 
 SRC_URI[md5sum] = "dfe8a71f412e0b53be26ed4fbfdc91c4"
@@ -15,12 +16,10 @@
 
 EXTRA_OECONF = "--disable-xml-docs \
                 --disable-doxygen-docs \
-                --disable-libaudit \
                 --enable-largefile \
                 --with-system-socket=/run/dbus/system_bus_socket \
                 "
 EXTRA_OECONF:append:class-target = " SYSTEMCTL=${base_bindir}/systemctl"
-EXTRA_OECONF:append:class-native = " --disable-selinux"
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'systemd x11', d)} \
                    user-session \
@@ -32,3 +31,5 @@
 PACKAGECONFIG[x11] = "--with-x --enable-x11-autolaunch,--without-x --disable-x11-autolaunch, virtual/libx11 libsm"
 PACKAGECONFIG[user-session] = "--enable-user-session --with-systemduserunitdir=${systemd_user_unitdir},--disable-user-session"
 PACKAGECONFIG[verbose-mode] = "--enable-verbose-mode,,,"
+PACKAGECONFIG[audit] = "--enable-libaudit,--disable-libaudit,audit"
+PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
diff --git a/poky/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch b/poky/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
new file mode 100644
index 0000000..7035098
--- /dev/null
+++ b/poky/meta/recipes-core/dbus/dbus/stop_using_selinux_set_mapping.patch
@@ -0,0 +1,148 @@
+From 6072f8b24153d844a3033108a17bcd0c1a967816 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Sat, 3 Mar 2018 11:15:23 +0100
+Subject: [PATCH] Stop using selinux_set_mapping() function
+
+Currently, if the "dbus" security class or the associated AV doesn't
+exist, dbus-daemon fails to initialize and exits immediately. Also the
+security classes or access vector cannot be reordered in the policy.
+This can be a problem for people developing their own policy or trying
+to access a machine where, for some reasons, there is not policy defined
+at all.
+
+The code here copy the behaviour of the selinux_check_access() function.
+We cannot use this function here as it doesn't allow us to define the
+AVC entry reference.
+
+See the discussion at https://marc.info/?l=selinux&m=152163374332372&w=2
+
+Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/198
+---
+ bus/selinux.c | 75 ++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 42 insertions(+), 33 deletions(-)
+
+
+Upstream-Status: Backport
+Signed-off-by: Nisha.Parrakat <Nisha.Parrakat@kpit.com>
+diff --git a/bus/selinux.c b/bus/selinux.c
+
+--- a/bus/selinux.c	2021-08-11 14:45:59.048513026 +0000
++++ b/bus/selinux.c	2021-08-11 14:57:47.144846966 +0000
+@@ -311,24 +311,6 @@
+ #endif
+ }
+ 
+-/*
+- * Private Flask definitions; the order of these constants must
+- * exactly match that of the structure array below!
+- */
+-/* security dbus class constants */
+-#define SECCLASS_DBUS       1
+-
+-/* dbus's per access vector constants */
+-#define DBUS__ACQUIRE_SVC   1
+-#define DBUS__SEND_MSG      2
+-
+-#ifdef HAVE_SELINUX
+-static struct security_class_mapping dbus_map[] = {
+-  { "dbus", { "acquire_svc", "send_msg", NULL } },
+-  { NULL }
+-};
+-#endif /* HAVE_SELINUX */
+-
+ /**
+  * Establish dynamic object class and permission mapping and
+  * initialize the user space access vector cache (AVC) for D-Bus and set up
+@@ -350,13 +332,6 @@
+ 
+   _dbus_verbose ("SELinux is enabled in this kernel.\n");
+ 
+-  if (selinux_set_mapping (dbus_map) < 0)
+-    {
+-      _dbus_warn ("Failed to set up security class mapping (selinux_set_mapping():%s).",
+-                   strerror (errno));
+-      return FALSE; 
+-    }
+-
+   avc_entry_ref_init (&aeref);
+   if (avc_init ("avc", &mem_cb, &log_cb, &thread_cb, &lock_cb) < 0)
+     {
+@@ -421,19 +396,53 @@
+ static dbus_bool_t
+ bus_selinux_check (BusSELinuxID        *sender_sid,
+                    BusSELinuxID        *override_sid,
+-                   security_class_t     target_class,
+-                   access_vector_t      requested,
++                   const char          *target_class,
++                   const char          *requested,
+ 		   DBusString          *auxdata)
+ {
++  int saved_errno;
++  security_class_t security_class;
++  access_vector_t requested_access;
++
+   if (!selinux_enabled)
+     return TRUE;
+ 
++  security_class = string_to_security_class (target_class);
++  if (security_class == 0)
++    {
++      saved_errno = errno;
++      log_callback (SELINUX_ERROR, "Unknown class %s", target_class);
++      if (security_deny_unknown () == 0)
++        {
++          return TRUE;
++	}
++
++      _dbus_verbose ("Unknown class %s\n", target_class);
++      errno = saved_errno;
++      return FALSE;
++    }
++
++  requested_access = string_to_av_perm (security_class, requested);
++  if (requested_access == 0)
++    {
++      saved_errno = errno;
++      log_callback (SELINUX_ERROR, "Unknown permission %s for class %s", requested, target_class);
++      if (security_deny_unknown () == 0)
++        {
++          return TRUE;
++	}
++
++      _dbus_verbose ("Unknown permission %s for class %s\n", requested, target_class);
++      errno = saved_errno;
++      return FALSE;
++    }
++
+   /* Make the security check.  AVC checks enforcing mode here as well. */
+   if (avc_has_perm (SELINUX_SID_FROM_BUS (sender_sid),
+                     override_sid ?
+                     SELINUX_SID_FROM_BUS (override_sid) :
+                     bus_sid,
+-                    target_class, requested, &aeref, auxdata) < 0)
++                    security_class, requested_access, &aeref, auxdata) < 0)
+     {
+     switch (errno)
+       {
+@@ -500,8 +509,8 @@
+   
+   ret = bus_selinux_check (connection_sid,
+ 			   service_sid,
+-			   SECCLASS_DBUS,
+-			   DBUS__ACQUIRE_SVC,
++			   "dbus",
++			   "acquire_svc",
+ 			   &auxdata);
+ 
+   _dbus_string_free (&auxdata);
+@@ -629,8 +638,8 @@
+ 
+   ret = bus_selinux_check (sender_sid, 
+ 			   recipient_sid,
+-			   SECCLASS_DBUS, 
+-			   DBUS__SEND_MSG,
++			   "dbus", 
++			   "send_msg",
+ 			   &auxdata);
+ 
+   _dbus_string_free (&auxdata);
diff --git a/poky/meta/recipes-core/ell/ell_0.41.bb b/poky/meta/recipes-core/ell/ell_0.42.bb
similarity index 90%
rename from poky/meta/recipes-core/ell/ell_0.41.bb
rename to poky/meta/recipes-core/ell/ell_0.42.bb
index f6da957..7d021c5 100644
--- a/poky/meta/recipes-core/ell/ell_0.41.bb
+++ b/poky/meta/recipes-core/ell/ell_0.42.bb
@@ -17,7 +17,7 @@
 SRC_URI = "https://mirrors.edge.kernel.org/pub/linux/libs/${BPN}/${BPN}-${PV}.tar.xz \
            file://0001-pem.c-do-not-use-rawmemchr.patch \
            "
-SRC_URI[sha256sum] = "4e8dba6c53cf152dbd0fd1dc3d4c7b04abf79e20a948895f85943e586870505c"
+SRC_URI[sha256sum] = "8b926eebb053f545a03349c0e3d02be586f5aa041f5660b6ced85b55fc531bb7"
 
 do_configure:prepend () {
     mkdir -p ${S}/build-aux
diff --git a/poky/meta/recipes-core/gettext/gettext_0.21.bb b/poky/meta/recipes-core/gettext/gettext_0.21.bb
index 4247b48..5ada709 100644
--- a/poky/meta/recipes-core/gettext/gettext_0.21.bb
+++ b/poky/meta/recipes-core/gettext/gettext_0.21.bb
@@ -171,6 +171,7 @@
         find ${D}${PTEST_PATH}/ -name "*.o" -exec rm {} \;
         chmod 0755 ${D}${PTEST_PATH}/tests/lang-vala ${D}${PTEST_PATH}/tests/plural-1 ${D}${PTEST_PATH}/tests/xgettext-tcl-4 \
                    ${D}${PTEST_PATH}/tests/xgettext-vala-1  ${D}${PTEST_PATH}/tests/xgettext-po-2
+        sed -i -e 's|${DEBUG_PREFIX_MAP}||g' ${D}${PTEST_PATH}/tests/init-env
     fi
 }
 
diff --git a/poky/meta/recipes-core/glib-2.0/glib.inc b/poky/meta/recipes-core/glib-2.0/glib.inc
index 4859d28..7528337 100644
--- a/poky/meta/recipes-core/glib-2.0/glib.inc
+++ b/poky/meta/recipes-core/glib-2.0/glib.inc
@@ -45,8 +45,9 @@
 # libelf is auto-detected without a configuration option
 PACKAGECONFIG[libelf] = ",,elfutils"
 PACKAGECONFIG[tests] = "-Dinstalled_tests=true,-Dinstalled_tests=false,dbus"
+PACKAGECONFIG[selinux] = "-Dselinux=enabled,-Dselinux=disabled,libselinux"
 
-EXTRA_OEMESON = "-Ddtrace=false -Dfam=false -Dsystemtap=false -Dselinux=disabled"
+EXTRA_OEMESON = "-Ddtrace=false -Dfam=false -Dsystemtap=false"
 
 do_configure:prepend() {
 	sed -i -e '1s,#!.*,#!${USRBINPATH}/env python3,' ${S}/gio/gdbus-2.0/codegen/gdbus-codegen.in
diff --git a/poky/meta/recipes-core/glibc/cross-localedef-native_2.33.bb b/poky/meta/recipes-core/glibc/cross-localedef-native_2.34.bb
similarity index 73%
rename from poky/meta/recipes-core/glibc/cross-localedef-native_2.33.bb
rename to poky/meta/recipes-core/glibc/cross-localedef-native_2.34.bb
index ec59c6b..6100f3d 100644
--- a/poky/meta/recipes-core/glibc/cross-localedef-native_2.33.bb
+++ b/poky/meta/recipes-core/glibc/cross-localedef-native_2.34.bb
@@ -25,14 +25,13 @@
            file://0001-localedef-Add-hardlink-resolver-from-util-linux.patch \
            file://0002-localedef-fix-ups-hardlink-to-make-it-compile.patch \
            \
-           file://0016-timezone-re-written-tzselect-as-posix-sh.patch \
-           file://0017-Remove-bash-dependency-for-nscd-init-script.patch \
-           file://0018-eglibc-Cross-building-and-testing-instructions.patch \
-           file://0019-eglibc-Help-bootstrap-cross-toolchain.patch \
-           file://0020-eglibc-Resolve-__fpscr_values-on-SH4.patch \
-           file://0021-eglibc-Forward-port-cross-locale-generation-support.patch \
-           file://0022-Define-DUMMY_LOCALE_T-if-not-defined.patch \
-           file://0023-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch \
+           file://0017-timezone-re-written-tzselect-as-posix-sh.patch \
+           file://0018-Remove-bash-dependency-for-nscd-init-script.patch \
+           file://0019-eglibc-Cross-building-and-testing-instructions.patch \
+           file://0020-eglibc-Help-bootstrap-cross-toolchain.patch \
+           file://0021-eglibc-Resolve-__fpscr_values-on-SH4.patch \
+           file://0022-eglibc-Forward-port-cross-locale-generation-support.patch \
+           file://0024-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch \
 "
 # Makes for a rather long rev (22 characters), but...
 #
diff --git a/poky/meta/recipes-core/glibc/glibc-common.inc b/poky/meta/recipes-core/glibc/glibc-common.inc
index 782b260..f695cd6 100644
--- a/poky/meta/recipes-core/glibc/glibc-common.inc
+++ b/poky/meta/recipes-core/glibc/glibc-common.inc
@@ -22,4 +22,4 @@
 #
 COMPATIBLE_HOST:libc-musl:class-target = "null"
 
-PV = "2.33"
+PV = "2.34"
diff --git a/poky/meta/recipes-core/glibc/glibc-locale_2.33.bb b/poky/meta/recipes-core/glibc/glibc-locale_2.34.bb
similarity index 100%
rename from poky/meta/recipes-core/glibc/glibc-locale_2.33.bb
rename to poky/meta/recipes-core/glibc/glibc-locale_2.34.bb
diff --git a/poky/meta/recipes-core/glibc/glibc-mtrace_2.33.bb b/poky/meta/recipes-core/glibc/glibc-mtrace_2.34.bb
similarity index 100%
rename from poky/meta/recipes-core/glibc/glibc-mtrace_2.33.bb
rename to poky/meta/recipes-core/glibc/glibc-mtrace_2.34.bb
diff --git a/poky/meta/recipes-core/glibc/glibc-package.inc b/poky/meta/recipes-core/glibc/glibc-package.inc
index 4bf5038..3026aec 100644
--- a/poky/meta/recipes-core/glibc/glibc-package.inc
+++ b/poky/meta/recipes-core/glibc/glibc-package.inc
@@ -1,6 +1,6 @@
 INHIBIT_SYSROOT_STRIP = "1"
 
-PACKAGES = "${PN}-dbg catchsegv sln nscd ldconfig ldd tzcode glibc-thread-db ${PN}-pic libcidn libmemusage libnss-db libsegfault ${PN}-pcprofile libsotruss ${PN} ${PN}-utils glibc-extra-nss ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-src"
+PACKAGES = "${PN}-dbg catchsegv sln nscd ldconfig ldd tzcode glibc-thread-db ${PN}-pic libcidn libmemusage malloc-debug libnss-db libsegfault ${PN}-pcprofile libsotruss ${PN} ${PN}-utils glibc-extra-nss ${PN}-dev ${PN}-staticdev ${PN}-doc ${PN}-src"
 
 # The ld.so in this glibc supports the GNU_HASH
 RPROVIDES:${PN} = "eglibc rtld(GNU_HASH)"
@@ -30,6 +30,7 @@
 FILES:libsegfault = "${base_libdir}/libSegFault*"
 FILES:libcidn = "${base_libdir}/libcidn-*.so ${base_libdir}/libcidn.so.*"
 FILES:libmemusage = "${base_libdir}/libmemusage.so"
+FILES:malloc-debug = "${base_libdir}/libc_malloc_debug.so.0"
 FILES:libnss-db = "${base_libdir}/libnss_db.so.* ${base_libdir}/libnss_db-*.so ${localstatedir}/db/Makefile ${localstatedir}/db/makedbs.sh"
 RDEPENDS:libnss-db = "${PN}-utils"
 FILES:glibc-extra-nss = "${base_libdir}/libnss_*-*.so ${base_libdir}/libnss_*.so.*"
@@ -118,6 +119,8 @@
 		ln -s ${@oe.path.relative('${root_prefix}/lib', '${base_libdir}')}/${ARCH_DYNAMIC_LOADER} \
 				${D}${root_prefix}/lib/${ARCH_DYNAMIC_LOADER}
 	fi
+        lnr ${D}${base_libdir}/libpthread.so.0 ${D}${libdir}/libpthread.so
+        lnr ${D}${base_libdir}/librt.so.1 ${D}${libdir}/librt.so
 }
 
 def get_libc_fpu_setting(bb, d):
diff --git a/poky/meta/recipes-core/glibc/glibc-scripts_2.33.bb b/poky/meta/recipes-core/glibc/glibc-scripts_2.34.bb
similarity index 100%
rename from poky/meta/recipes-core/glibc/glibc-scripts_2.33.bb
rename to poky/meta/recipes-core/glibc/glibc-scripts_2.34.bb
diff --git a/poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb b/poky/meta/recipes-core/glibc/glibc-testsuite_2.34.bb
similarity index 100%
rename from poky/meta/recipes-core/glibc/glibc-testsuite_2.33.bb
rename to poky/meta/recipes-core/glibc/glibc-testsuite_2.34.bb
diff --git a/poky/meta/recipes-core/glibc/glibc-version.inc b/poky/meta/recipes-core/glibc/glibc-version.inc
index 376ead6..281df7e 100644
--- a/poky/meta/recipes-core/glibc/glibc-version.inc
+++ b/poky/meta/recipes-core/glibc/glibc-version.inc
@@ -1,7 +1,7 @@
-SRCBRANCH ?= "release/2.33/master"
-PV = "2.33"
-SRCREV_glibc ?= "3f5080aedd164c1f92a53552dd3e0b82ac6d2bd3"
-SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28"
+SRCBRANCH ?= "release/2.34/master"
+PV = "2.34"
+SRCREV_glibc ?= "ae37d06c7d127817ba43850f0f898b793d42aea7"
+SRCREV_localedef ?= "95c0221703ad970a52445e9eaf91c4aff35eebef"
 
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
 
diff --git a/poky/meta/recipes-core/glibc/glibc.inc b/poky/meta/recipes-core/glibc/glibc.inc
index 04e6db9..80a3e0b 100644
--- a/poky/meta/recipes-core/glibc/glibc.inc
+++ b/poky/meta/recipes-core/glibc/glibc.inc
@@ -42,7 +42,7 @@
 EXTRA_OEMAKE += "SHELL=/bin/bash"
 
 do_configure:prepend() {
-	sed -e "s#@BASH@#/bin/sh#" -i ${S}/elf/ldd.bash.in
+	sed -e "s#/bin/bash#/bin/sh#" -i ${S}/elf/ldd.bash.in
 }
 
 # Enable backtrace from abort()
diff --git a/poky/meta/recipes-core/glibc/glibc/0001-localedef-Add-hardlink-resolver-from-util-linux.patch b/poky/meta/recipes-core/glibc/glibc/0001-localedef-Add-hardlink-resolver-from-util-linux.patch
index f96da83..3ff485b 100644
--- a/poky/meta/recipes-core/glibc/glibc/0001-localedef-Add-hardlink-resolver-from-util-linux.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0001-localedef-Add-hardlink-resolver-from-util-linux.patch
@@ -1,4 +1,4 @@
-From d1f1671034a222417f9a829dcaa4f0c3d4f8954d Mon Sep 17 00:00:00 2001
+From d34ba0833cd811f8869a6262044af55f9e7b59d8 Mon Sep 17 00:00:00 2001
 From: Jason Wessel <jason.wessel@windriver.com>
 Date: Sat, 7 Dec 2019 09:59:22 -0800
 Subject: [PATCH] localedef: Add hardlink resolver from util-linux
diff --git a/poky/meta/recipes-core/glibc/glibc/0002-localedef-fix-ups-hardlink-to-make-it-compile.patch b/poky/meta/recipes-core/glibc/glibc/0002-localedef-fix-ups-hardlink-to-make-it-compile.patch
index 3dc4582..2445aa5 100644
--- a/poky/meta/recipes-core/glibc/glibc/0002-localedef-fix-ups-hardlink-to-make-it-compile.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0002-localedef-fix-ups-hardlink-to-make-it-compile.patch
@@ -1,4 +1,4 @@
-From 14d256e2db009f8bac9a265e8393d7ed25050df9 Mon Sep 17 00:00:00 2001
+From d7bb36a9a27e5e4c3be6378493b41286513750e9 Mon Sep 17 00:00:00 2001
 From: Jason Wessel <jason.wessel@windriver.com>
 Date: Sat, 7 Dec 2019 10:01:37 -0800
 Subject: [PATCH] localedef: fix-ups hardlink to make it compile
diff --git a/poky/meta/recipes-core/glibc/glibc/0003-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch b/poky/meta/recipes-core/glibc/glibc/0003-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch
index c4718a1..210cc10 100644
--- a/poky/meta/recipes-core/glibc/glibc/0003-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0003-nativesdk-glibc-Look-for-host-system-ld.so.cache-as-.patch
@@ -1,4 +1,4 @@
-From 32a4b8ae046fe4bb1b19f61378d079d44deaede7 Mon Sep 17 00:00:00 2001
+From 776a53db6afba8a7ff4412aba88b0679227877f9 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 01:48:24 +0000
 Subject: [PATCH] nativesdk-glibc: Look for host system ld.so.cache as well
@@ -30,10 +30,10 @@
  1 file changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/elf/dl-load.c b/elf/dl-load.c
-index 9e2089cfaa..ad01674027 100644
+index a08df001af..d09daf9e41 100644
 --- a/elf/dl-load.c
 +++ b/elf/dl-load.c
-@@ -2175,6 +2175,14 @@ _dl_map_object (struct link_map *loader, const char *name,
+@@ -2196,6 +2196,14 @@ _dl_map_object (struct link_map *loader, const char *name,
              }
          }
  
@@ -48,7 +48,7 @@
  #ifdef USE_LDCONFIG
        if (fd == -1
  	  && (__glibc_likely ((mode & __RTLD_SECURE) == 0)
-@@ -2233,14 +2241,6 @@ _dl_map_object (struct link_map *loader, const char *name,
+@@ -2254,14 +2262,6 @@ _dl_map_object (struct link_map *loader, const char *name,
  	}
  #endif
  
diff --git a/poky/meta/recipes-core/glibc/glibc/0004-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch b/poky/meta/recipes-core/glibc/glibc/0004-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch
index a8e625d..010b816 100644
--- a/poky/meta/recipes-core/glibc/glibc/0004-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0004-nativesdk-glibc-Fix-buffer-overrun-with-a-relocated-.patch
@@ -1,4 +1,4 @@
-From aa8393bff257e4badfd208b88473ead175c69362 Mon Sep 17 00:00:00 2001
+From df18bae1eeee55ecb9db36d13fe67c58355682eb Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 01:50:00 +0000
 Subject: [PATCH] nativesdk-glibc: Fix buffer overrun with a relocated SDK
@@ -21,10 +21,10 @@
  1 file changed, 12 insertions(+)
 
 diff --git a/elf/dl-load.c b/elf/dl-load.c
-index ad01674027..f455207e79 100644
+index d09daf9e41..2c6270e2a7 100644
 --- a/elf/dl-load.c
 +++ b/elf/dl-load.c
-@@ -1871,7 +1871,19 @@ open_path (const char *name, size_t namelen, int mode,
+@@ -1892,7 +1892,19 @@ open_path (const char *name, size_t namelen, int mode,
         given on the command line when rtld is run directly.  */
      return -1;
  
diff --git a/poky/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch b/poky/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch
index 197caae..bf9f3e3 100644
--- a/poky/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch
@@ -1,4 +1,4 @@
-From 3ea08e491a8494ff03e598b5e0fc2d8131e75da9 Mon Sep 17 00:00:00 2001
+From 6af8ce8eceed86addbc188f773a2d36d83ee4042 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 01:51:38 +0000
 Subject: [PATCH] nativesdk-glibc: Raise the size of arrays containing dl paths
@@ -26,10 +26,10 @@
  8 files changed, 16 insertions(+), 10 deletions(-)
 
 diff --git a/elf/dl-cache.c b/elf/dl-cache.c
-index 32f3bef5ea..71f3a82dc0 100644
+index 2b8da8650d..3d9787bda4 100644
 --- a/elf/dl-cache.c
 +++ b/elf/dl-cache.c
-@@ -359,6 +359,10 @@ search_cache (const char *string_table, uint32_t string_table_size,
+@@ -355,6 +355,10 @@ search_cache (const char *string_table, uint32_t string_table_size,
    return best;
  }
  
@@ -41,7 +41,7 @@
  _dl_cache_libcmp (const char *p1, const char *p2)
  {
 diff --git a/elf/dl-load.c b/elf/dl-load.c
-index f455207e79..a144e24fcf 100644
+index 2c6270e2a7..23018d2f7e 100644
 --- a/elf/dl-load.c
 +++ b/elf/dl-load.c
 @@ -115,8 +115,8 @@ enum { ncapstr = 1, max_capstrlen = 0 };
@@ -56,7 +56,7 @@
    SYSTEM_DIRS_LEN
  };
 diff --git a/elf/dl-usage.c b/elf/dl-usage.c
-index 6e26818bd7..f09e8b93e5 100644
+index 5ad3a72559..88f26d3692 100644
 --- a/elf/dl-usage.c
 +++ b/elf/dl-usage.c
 @@ -25,6 +25,8 @@
@@ -77,7 +77,7 @@
    --library-path PATH   use given PATH instead of content of the environment\n\
                          variable LD_LIBRARY_PATH\n\
    --glibc-hwcaps-prepend LIST\n\
-@@ -266,7 +268,7 @@ setting environment variables (which would be inherited by subprocesses).\n\
+@@ -267,7 +269,7 @@ setting environment variables (which would be inherited by subprocesses).\n\
  \n\
  This program interpreter self-identifies as: " RTLD "\n\
  ",
@@ -98,10 +98,10 @@
 +const char __invoke_dynamic_linker__[4096] __attribute__ ((section (".interp")))
    = RUNTIME_LINKER;
 diff --git a/elf/ldconfig.c b/elf/ldconfig.c
-index 28ed637a29..5d38a60c5d 100644
+index 1037e8d0cf..ffdac84952 100644
 --- a/elf/ldconfig.c
 +++ b/elf/ldconfig.c
-@@ -176,6 +176,9 @@ static struct argp argp =
+@@ -177,6 +177,9 @@ static struct argp argp =
    options, parse_opt, NULL, doc, NULL, more_help, NULL
  };
  
@@ -112,7 +112,7 @@
     a platform.  */
  static int
 diff --git a/elf/rtld.c b/elf/rtld.c
-index 596b6ac3d9..1ccd33f668 100644
+index fbbd60b446..fce9940f80 100644
 --- a/elf/rtld.c
 +++ b/elf/rtld.c
 @@ -185,6 +185,7 @@ dso_name_valid_for_suid (const char *p)
@@ -124,11 +124,11 @@
  static void
  audit_list_init (struct audit_list *list)
 diff --git a/iconv/gconv_conf.c b/iconv/gconv_conf.c
-index 682f949834..7eed87bc9d 100644
+index 62bee28769..67b60dc88c 100644
 --- a/iconv/gconv_conf.c
 +++ b/iconv/gconv_conf.c
 @@ -36,7 +36,7 @@
- 
+ #include <gconv_parseconfdir.h>
  
  /* This is the default path where we look for module lists.  */
 -static const char default_gconv_path[] = GCONV_PATH;
diff --git a/poky/meta/recipes-core/glibc/glibc/0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch b/poky/meta/recipes-core/glibc/glibc/0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch
index 172ade8..3a37f7a 100644
--- a/poky/meta/recipes-core/glibc/glibc/0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch
@@ -1,4 +1,4 @@
-From 19e3e45eb1838ee80af13c3d27fcff446773211e Mon Sep 17 00:00:00 2001
+From b30f380cd88ae181a4a6a3a4784206ffe3ccd19b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Thu, 31 Dec 2015 14:35:35 -0800
 Subject: [PATCH] nativesdk-glibc: Allow 64 bit atomics for x86
diff --git a/poky/meta/recipes-core/glibc/glibc/0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch b/poky/meta/recipes-core/glibc/glibc/0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch
index 1469756..d763178 100644
--- a/poky/meta/recipes-core/glibc/glibc/0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch
@@ -1,4 +1,4 @@
-From 732d4f4954fe60718870048d0583a20a7a8a8540 Mon Sep 17 00:00:00 2001
+From 24bffe9c2645cd6542e29cb57786dc703cced07b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 3 Aug 2018 09:55:12 -0700
 Subject: [PATCH] nativesdk-glibc: Make relocatable install for locales
@@ -41,7 +41,7 @@
    else
      /* We really have to load some data.  First see whether the name is
 diff --git a/locale/loadarchive.c b/locale/loadarchive.c
-index 4177fc8972..40247b1e68 100644
+index 512769eaec..436619091b 100644
 --- a/locale/loadarchive.c
 +++ b/locale/loadarchive.c
 @@ -42,7 +42,7 @@
@@ -67,7 +67,7 @@
  /* Load the locale data for CATEGORY from the file specified by *NAME.
     If *NAME is "", use environment variables as specified by POSIX, and
 diff --git a/locale/programs/locale.c b/locale/programs/locale.c
-index 575b208e82..5ec630c3a4 100644
+index ca0a95be99..6b98895203 100644
 --- a/locale/programs/locale.c
 +++ b/locale/programs/locale.c
 @@ -632,6 +632,7 @@ nameentcmp (const void *a, const void *b)
diff --git a/poky/meta/recipes-core/glibc/glibc/0008-nativesdk-glibc-Fall-back-to-faccessat-on-faccess2-r.patch b/poky/meta/recipes-core/glibc/glibc/0008-nativesdk-glibc-Fall-back-to-faccessat-on-faccess2-r.patch
new file mode 100644
index 0000000..f4fc1d6
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/0008-nativesdk-glibc-Fall-back-to-faccessat-on-faccess2-r.patch
@@ -0,0 +1,32 @@
+From 2761400989bcbf11e10bc85f90c3a2ba1305c4ae Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 6 Mar 2021 14:48:56 -0800
+Subject: [PATCH] nativesdk-glibc: Fall back to faccessat on faccess2 returns
+ EPERM
+
+Fedora-specific workaround for systemd-nspawn
+
+Upstream-Status: Inappropriate [Distro Specific]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ sysdeps/unix/sysv/linux/faccessat.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c
+index 13160d3249..ee3ddc9b79 100644
+--- a/sysdeps/unix/sysv/linux/faccessat.c
++++ b/sysdeps/unix/sysv/linux/faccessat.c
+@@ -30,7 +30,11 @@ __faccessat (int fd, const char *file, int mode, int flag)
+ #if __ASSUME_FACCESSAT2
+   return ret;
+ #else
+-  if (ret == 0 || errno != ENOSYS)
++  /* Fedora-specific workaround:
++     As a workround for a broken systemd-nspawn that returns
++     EPERM when a syscall is not allowed instead of ENOSYS
++     we must check for EPERM here and fall back to faccessat.  */
++  if (ret == 0 || !(errno == ENOSYS || errno == EPERM))
+     return ret;
+ 
+   if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))
diff --git a/poky/meta/recipes-core/glibc/glibc/0008-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch b/poky/meta/recipes-core/glibc/glibc/0009-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch
similarity index 99%
rename from poky/meta/recipes-core/glibc/glibc/0008-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch
rename to poky/meta/recipes-core/glibc/glibc/0009-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch
index 2162bf3..01de227 100644
--- a/poky/meta/recipes-core/glibc/glibc/0008-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0009-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch
@@ -1,4 +1,4 @@
-From 3d58330390a7d4f4ed32f4a9c25628af3e0dd5c1 Mon Sep 17 00:00:00 2001
+From 74923ca4b1ae0ed5a2478e7d265b37534f6815d7 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:01:50 +0000
 Subject: [PATCH] fsl e500/e5500/e6500/603e fsqrt implementation
diff --git a/poky/meta/recipes-core/glibc/glibc/0009-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch b/poky/meta/recipes-core/glibc/glibc/0010-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch
similarity index 99%
rename from poky/meta/recipes-core/glibc/glibc/0009-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch
rename to poky/meta/recipes-core/glibc/glibc/0010-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch
index 0c8bf94..5c1130c 100644
--- a/poky/meta/recipes-core/glibc/glibc/0009-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0010-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch
@@ -1,4 +1,4 @@
-From 3b5fe5b1a7390cde0f07351415e3891f62d1f7e0 Mon Sep 17 00:00:00 2001
+From 5da3da7f2d276c2a6ae1b04419b28e96953803ec Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:15:07 +0000
 Subject: [PATCH] ppc/sqrt: Fix undefined reference to `__sqrt_finite'
diff --git a/poky/meta/recipes-core/glibc/glibc/0010-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch b/poky/meta/recipes-core/glibc/glibc/0011-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
similarity index 99%
rename from poky/meta/recipes-core/glibc/glibc/0010-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
rename to poky/meta/recipes-core/glibc/glibc/0011-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
index cadaa0b..b72e790 100644
--- a/poky/meta/recipes-core/glibc/glibc/0010-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0011-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
@@ -1,4 +1,4 @@
-From 6b6e1dcd707017598ea3bdc2d91a761943b62218 Mon Sep 17 00:00:00 2001
+From 77f1c90d67a2f8852184fb8fd95cb0ed63065dc7 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:16:38 +0000
 Subject: [PATCH] __ieee754_sqrt{,f} are now inline functions and call out
diff --git a/poky/meta/recipes-core/glibc/glibc/0011-Quote-from-bug-1443-which-explains-what-the-patch-do.patch b/poky/meta/recipes-core/glibc/glibc/0012-Quote-from-bug-1443-which-explains-what-the-patch-do.patch
similarity index 97%
rename from poky/meta/recipes-core/glibc/glibc/0011-Quote-from-bug-1443-which-explains-what-the-patch-do.patch
rename to poky/meta/recipes-core/glibc/glibc/0012-Quote-from-bug-1443-which-explains-what-the-patch-do.patch
index e4c78b5..07d4411 100644
--- a/poky/meta/recipes-core/glibc/glibc/0011-Quote-from-bug-1443-which-explains-what-the-patch-do.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0012-Quote-from-bug-1443-which-explains-what-the-patch-do.patch
@@ -1,4 +1,4 @@
-From 297bac9429260f8df495b81d3fae8ae4c6913f5f Mon Sep 17 00:00:00 2001
+From add514edf4299d1bf540d85d0aa0bd5fe0d46b78 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:20:09 +0000
 Subject: [PATCH] Quote from bug 1443 which explains what the patch does :
diff --git a/poky/meta/recipes-core/glibc/glibc/0012-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch b/poky/meta/recipes-core/glibc/glibc/0013-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch
similarity index 94%
rename from poky/meta/recipes-core/glibc/glibc/0012-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch
rename to poky/meta/recipes-core/glibc/glibc/0013-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch
index c5e8e64..c2766ef 100644
--- a/poky/meta/recipes-core/glibc/glibc/0012-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0013-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch
@@ -1,4 +1,4 @@
-From f389babf3c920e68b7d7391556a78ebf62a21ebe Mon Sep 17 00:00:00 2001
+From c5047b8f7d1a17324cfa02b99f07a70ebcec2cf2 Mon Sep 17 00:00:00 2001
 From: Ting Liu <b28495@freescale.com>
 Date: Wed, 19 Dec 2012 04:39:57 -0600
 Subject: [PATCH] eglibc: run libm-err-tab.pl with specific dirs in ${S}
diff --git a/poky/meta/recipes-core/glibc/glibc/0013-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch b/poky/meta/recipes-core/glibc/glibc/0014-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
similarity index 96%
rename from poky/meta/recipes-core/glibc/glibc/0013-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
rename to poky/meta/recipes-core/glibc/glibc/0014-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
index 7f362ca..088b810 100644
--- a/poky/meta/recipes-core/glibc/glibc/0013-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0014-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch
@@ -1,4 +1,4 @@
-From 4b0d41a315e66f688fef7b0c2e2b6ce9fa16ec93 Mon Sep 17 00:00:00 2001
+From 133870f12ba36686dd8df1311fac32a4c5b28579 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:24:46 +0000
 Subject: [PATCH] __ieee754_sqrt{,f} are now inline functions and call out
diff --git a/poky/meta/recipes-core/glibc/glibc/0014-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch b/poky/meta/recipes-core/glibc/glibc/0015-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch
similarity index 94%
rename from poky/meta/recipes-core/glibc/glibc/0014-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch
rename to poky/meta/recipes-core/glibc/glibc/0015-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch
index 4da0e00..e8332a5 100644
--- a/poky/meta/recipes-core/glibc/glibc/0014-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0015-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch
@@ -1,4 +1,4 @@
-From c062a462fee53a30a85d693c8288b5bd8fe4ec6e Mon Sep 17 00:00:00 2001
+From b4613f814ba7ba5db95d18116172f81a83ac8f5b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:27:10 +0000
 Subject: [PATCH] sysdeps/gnu/configure.ac: handle correctly
diff --git a/poky/meta/recipes-core/glibc/glibc/0016-timezone-re-written-tzselect-as-posix-sh.patch b/poky/meta/recipes-core/glibc/glibc/0016-timezone-re-written-tzselect-as-posix-sh.patch
deleted file mode 100644
index 79bd704..0000000
--- a/poky/meta/recipes-core/glibc/glibc/0016-timezone-re-written-tzselect-as-posix-sh.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 3feb4213628f1485000ffe1d3fd26e37a7b14336 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 18 Mar 2015 00:33:03 +0000
-Subject: [PATCH] timezone: re-written tzselect as posix sh
-
-To avoid the bash dependency.
-
-Upstream-Status: Pending
-
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- timezone/Makefile     | 2 +-
- timezone/tzselect.ksh | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/timezone/Makefile b/timezone/Makefile
-index 395abfeebd..2d939edf75 100644
---- a/timezone/Makefile
-+++ b/timezone/Makefile
-@@ -123,7 +123,7 @@ $(testdata)/XT%: testdata/XT%
- 	cp $< $@
- 
- $(objpfx)tzselect: tzselect.ksh $(common-objpfx)config.make
--	sed -e 's|/bin/bash|$(BASH)|' \
-+	sed -e 's|/bin/bash|/bin/sh|' \
- 	    -e 's|TZDIR=[^}]*|TZDIR=$(zonedir)|' \
- 	    -e '/TZVERSION=/s|see_Makefile|"$(version)"|' \
- 	    -e '/PKGVERSION=/s|=.*|="$(PKGVERSION)"|' \
-diff --git a/timezone/tzselect.ksh b/timezone/tzselect.ksh
-index 18fce27e24..70745f9d36 100755
---- a/timezone/tzselect.ksh
-+++ b/timezone/tzselect.ksh
-@@ -34,7 +34,7 @@ REPORT_BUGS_TO=tz@iana.org
- 
- # Specify default values for environment variables if they are unset.
- : ${AWK=awk}
--: ${TZDIR=`pwd`}
-+: ${TZDIR=$(pwd)}
- 
- # Output one argument as-is to standard output.
- # Safer than 'echo', which can mishandle '\' or leading '-'.
diff --git a/poky/meta/recipes-core/glibc/glibc/0015-yes-within-the-path-sets-wrong-config-variables.patch b/poky/meta/recipes-core/glibc/glibc/0016-yes-within-the-path-sets-wrong-config-variables.patch
similarity index 98%
rename from poky/meta/recipes-core/glibc/glibc/0015-yes-within-the-path-sets-wrong-config-variables.patch
rename to poky/meta/recipes-core/glibc/glibc/0016-yes-within-the-path-sets-wrong-config-variables.patch
index 15e83f8..f7e7f1c 100644
--- a/poky/meta/recipes-core/glibc/glibc/0015-yes-within-the-path-sets-wrong-config-variables.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0016-yes-within-the-path-sets-wrong-config-variables.patch
@@ -1,4 +1,4 @@
-From 0bd39d8907953f18e01742f42b24647ac7689d0a Mon Sep 17 00:00:00 2001
+From 7be3e82b66394a7b242e56c6fc609e858b8e2436 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:31:06 +0000
 Subject: [PATCH] 'yes' within the path sets wrong config variables
@@ -29,7 +29,7 @@
  12 files changed, 28 insertions(+), 28 deletions(-)
 
 diff --git a/sysdeps/aarch64/configure b/sysdeps/aarch64/configure
-index 83c3a23e44..a68c946277 100644
+index 4c1fac49f3..597314f476 100644
 --- a/sysdeps/aarch64/configure
 +++ b/sysdeps/aarch64/configure
 @@ -157,12 +157,12 @@ else
@@ -48,7 +48,7 @@
  else
    libc_cv_aarch64_be=no
 diff --git a/sysdeps/aarch64/configure.ac b/sysdeps/aarch64/configure.ac
-index 66f755078a..a32b265bbe 100644
+index 3347c13fa1..4af163c0b6 100644
 --- a/sysdeps/aarch64/configure.ac
 +++ b/sysdeps/aarch64/configure.ac
 @@ -17,8 +17,8 @@ AC_DEFINE(SUPPORT_STATIC_PIE)
diff --git a/poky/meta/recipes-core/glibc/glibc/0017-timezone-re-written-tzselect-as-posix-sh.patch b/poky/meta/recipes-core/glibc/glibc/0017-timezone-re-written-tzselect-as-posix-sh.patch
new file mode 100644
index 0000000..100d085
--- /dev/null
+++ b/poky/meta/recipes-core/glibc/glibc/0017-timezone-re-written-tzselect-as-posix-sh.patch
@@ -0,0 +1,34 @@
+From 2731fa0c7463cd160361a8ac92f3bd7f984d953d Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 18 Mar 2015 00:33:03 +0000
+Subject: [PATCH] timezone: re-written tzselect as posix sh
+
+To avoid the bash dependency.
+
+Upstream-Status: Pending
+
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ timezone/tzselect.ksh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/timezone/tzselect.ksh b/timezone/tzselect.ksh
+index 18fce27e24..7705df83d7 100755
+--- a/timezone/tzselect.ksh
++++ b/timezone/tzselect.ksh
+@@ -1,4 +1,4 @@
+-#!/bin/bash
++#!/bin/sh
+ # Ask the user about the time zone, and output the resulting TZ value to stdout.
+ # Interact with the user via stderr and stdin.
+ 
+@@ -34,7 +34,7 @@ REPORT_BUGS_TO=tz@iana.org
+ 
+ # Specify default values for environment variables if they are unset.
+ : ${AWK=awk}
+-: ${TZDIR=`pwd`}
++: ${TZDIR=$(pwd)}
+ 
+ # Output one argument as-is to standard output.
+ # Safer than 'echo', which can mishandle '\' or leading '-'.
diff --git a/poky/meta/recipes-core/glibc/glibc/0017-Remove-bash-dependency-for-nscd-init-script.patch b/poky/meta/recipes-core/glibc/glibc/0018-Remove-bash-dependency-for-nscd-init-script.patch
similarity index 96%
rename from poky/meta/recipes-core/glibc/glibc/0017-Remove-bash-dependency-for-nscd-init-script.patch
rename to poky/meta/recipes-core/glibc/glibc/0018-Remove-bash-dependency-for-nscd-init-script.patch
index c32d70b..23296da 100644
--- a/poky/meta/recipes-core/glibc/glibc/0017-Remove-bash-dependency-for-nscd-init-script.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0018-Remove-bash-dependency-for-nscd-init-script.patch
@@ -1,4 +1,4 @@
-From f6119b98a9caa80642d69a97edc98f57ecef5c3c Mon Sep 17 00:00:00 2001
+From 412d33bbfe42a10a9b1f62afcc73fe121a0363b0 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Thu, 31 Dec 2015 14:33:02 -0800
 Subject: [PATCH] Remove bash dependency for nscd init script
diff --git a/poky/meta/recipes-core/glibc/glibc/0018-eglibc-Cross-building-and-testing-instructions.patch b/poky/meta/recipes-core/glibc/glibc/0019-eglibc-Cross-building-and-testing-instructions.patch
similarity index 99%
rename from poky/meta/recipes-core/glibc/glibc/0018-eglibc-Cross-building-and-testing-instructions.patch
rename to poky/meta/recipes-core/glibc/glibc/0019-eglibc-Cross-building-and-testing-instructions.patch
index 826e5af..8fb9182 100644
--- a/poky/meta/recipes-core/glibc/glibc/0018-eglibc-Cross-building-and-testing-instructions.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0019-eglibc-Cross-building-and-testing-instructions.patch
@@ -1,4 +1,4 @@
-From 060ba13b5ac5e90517d540f009ebdcdcf62f9685 Mon Sep 17 00:00:00 2001
+From db9674ffc6583a508da1a3cb044c3ccf3febaea1 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:42:58 +0000
 Subject: [PATCH] eglibc: Cross building and testing instructions
diff --git a/poky/meta/recipes-core/glibc/glibc/0019-eglibc-Help-bootstrap-cross-toolchain.patch b/poky/meta/recipes-core/glibc/glibc/0020-eglibc-Help-bootstrap-cross-toolchain.patch
similarity index 93%
rename from poky/meta/recipes-core/glibc/glibc/0019-eglibc-Help-bootstrap-cross-toolchain.patch
rename to poky/meta/recipes-core/glibc/glibc/0020-eglibc-Help-bootstrap-cross-toolchain.patch
index afac2e0..9b76cfd 100644
--- a/poky/meta/recipes-core/glibc/glibc/0019-eglibc-Help-bootstrap-cross-toolchain.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0020-eglibc-Help-bootstrap-cross-toolchain.patch
@@ -1,4 +1,4 @@
-From f13c2f525e9bc82ce13e4cf486f7fe0831fc3fac Mon Sep 17 00:00:00 2001
+From 7856684f76c100155cad11b5b236fb31234b6e28 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:49:28 +0000
 Subject: [PATCH] eglibc: Help bootstrap cross toolchain
@@ -29,7 +29,7 @@
  create mode 100644 include/stubs-bootstrap.h
 
 diff --git a/Makefile b/Makefile
-index 50f99ca611..31eed15f02 100644
+index f98d5a9e67..c36d04da0f 100644
 --- a/Makefile
 +++ b/Makefile
 @@ -79,9 +79,18 @@ subdir-dirs = include
@@ -52,7 +52,7 @@
  ifeq (yes,$(build-shared))
  headers += gnu/lib-names.h
  endif
-@@ -416,6 +425,16 @@ others: $(common-objpfx)testrun.sh $(common-objpfx)debugglibc.sh
+@@ -415,6 +424,16 @@ others: $(common-objpfx)testrun.sh $(common-objpfx)debugglibc.sh
  
  subdir-stubs := $(foreach dir,$(subdirs),$(common-objpfx)$(dir)/stubs)
  
@@ -69,7 +69,7 @@
  ifndef abi-variants
  installed-stubs = $(inst_includedir)/gnu/stubs.h
  else
-@@ -442,6 +461,7 @@ $(inst_includedir)/gnu/stubs.h: $(+force)
+@@ -441,6 +460,7 @@ $(inst_includedir)/gnu/stubs.h: $(+force)
  
  install-others-nosubdir: $(installed-stubs)
  endif
diff --git a/poky/meta/recipes-core/glibc/glibc/0020-eglibc-Resolve-__fpscr_values-on-SH4.patch b/poky/meta/recipes-core/glibc/glibc/0021-eglibc-Resolve-__fpscr_values-on-SH4.patch
similarity index 93%
rename from poky/meta/recipes-core/glibc/glibc/0020-eglibc-Resolve-__fpscr_values-on-SH4.patch
rename to poky/meta/recipes-core/glibc/glibc/0021-eglibc-Resolve-__fpscr_values-on-SH4.patch
index 9a610c6..74c8c10 100644
--- a/poky/meta/recipes-core/glibc/glibc/0020-eglibc-Resolve-__fpscr_values-on-SH4.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0021-eglibc-Resolve-__fpscr_values-on-SH4.patch
@@ -1,4 +1,4 @@
-From 330c4e50e28e29c31fb8d6ab39cdbb2af4d3def7 Mon Sep 17 00:00:00 2001
+From 111ab95a85314d1e70fb159a14250354cc69d899 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:55:53 +0000
 Subject: [PATCH] eglibc: Resolve __fpscr_values on SH4
@@ -21,10 +21,10 @@
  2 files changed, 12 insertions(+)
 
 diff --git a/sysdeps/unix/sysv/linux/sh/Versions b/sysdeps/unix/sysv/linux/sh/Versions
-index e0938c4165..ca1d7da339 100644
+index 9c734ff755..974e33b4b1 100644
 --- a/sysdeps/unix/sysv/linux/sh/Versions
 +++ b/sysdeps/unix/sysv/linux/sh/Versions
-@@ -2,6 +2,7 @@ libc {
+@@ -3,6 +3,7 @@ libc {
    GLIBC_2.2 {
      # functions used in other libraries
      __xstat64; __fxstat64; __lxstat64;
diff --git a/poky/meta/recipes-core/glibc/glibc/0022-Define-DUMMY_LOCALE_T-if-not-defined.patch b/poky/meta/recipes-core/glibc/glibc/0022-Define-DUMMY_LOCALE_T-if-not-defined.patch
deleted file mode 100644
index 33d912d..0000000
--- a/poky/meta/recipes-core/glibc/glibc/0022-Define-DUMMY_LOCALE_T-if-not-defined.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From c8df3cf4556d8d78a98675865395ce42f3b67109 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Wed, 20 Apr 2016 21:11:00 -0700
-Subject: [PATCH] Define DUMMY_LOCALE_T if not defined
-
-This is a hack to fix building the locale bits on an older
-CentOs 5.X machine
-
-Upstream-Status: Inappropriate [other]
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- locale/programs/config.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/locale/programs/config.h b/locale/programs/config.h
-index 2edcf3696c..5350101e38 100644
---- a/locale/programs/config.h
-+++ b/locale/programs/config.h
-@@ -19,6 +19,9 @@
- #ifndef _LD_CONFIG_H
- #define _LD_CONFIG_H	1
- 
-+#ifndef DUMMY_LOCALE_T
-+#define DUMMY_LOCALE_T
-+#endif
- /* Use the internal textdomain used for libc messages.  */
- #define PACKAGE _libc_intl_domainname
- #ifndef VERSION
diff --git a/poky/meta/recipes-core/glibc/glibc/0021-eglibc-Forward-port-cross-locale-generation-support.patch b/poky/meta/recipes-core/glibc/glibc/0022-eglibc-Forward-port-cross-locale-generation-support.patch
similarity index 98%
rename from poky/meta/recipes-core/glibc/glibc/0021-eglibc-Forward-port-cross-locale-generation-support.patch
rename to poky/meta/recipes-core/glibc/glibc/0022-eglibc-Forward-port-cross-locale-generation-support.patch
index 0b2f020..a9ff8e9 100644
--- a/poky/meta/recipes-core/glibc/glibc/0021-eglibc-Forward-port-cross-locale-generation-support.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0022-eglibc-Forward-port-cross-locale-generation-support.patch
@@ -1,4 +1,4 @@
-From 557ed640b26bd208ce8d4a6fd725b124893668d7 Mon Sep 17 00:00:00 2001
+From 4e5de801a39d66b8bd93d09f5912dcbe5db4ef04 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 01:33:49 +0000
 Subject: [PATCH] eglibc: Forward port cross locale generation support
@@ -148,7 +148,7 @@
    return NULL;
  }
 diff --git a/locale/programs/ld-collate.c b/locale/programs/ld-collate.c
-index 0af21e05e2..4980b0c52f 100644
+index b6406b775d..bfa4adba9c 100644
 --- a/locale/programs/ld-collate.c
 +++ b/locale/programs/ld-collate.c
 @@ -349,7 +349,7 @@ new_element (struct locale_collate_t *collate, const char *mbs, size_t mbslen,
@@ -160,7 +160,7 @@
        uint32_t zero = 0;
        /* Handle <U0000> as a single character.  */
        if (nwcs == 0)
-@@ -1772,8 +1772,7 @@ symbol `%s' has the same encoding as"), (*eptr)->name);
+@@ -1775,8 +1775,7 @@ symbol `%s' has the same encoding as"), (*eptr)->name);
  
  	      if ((*eptr)->nwcs == runp->nwcs)
  		{
@@ -170,7 +170,7 @@
  
  		  if (c == 0)
  		    {
-@@ -2000,9 +1999,9 @@ add_to_tablewc (uint32_t ch, struct element_t *runp)
+@@ -2003,9 +2002,9 @@ add_to_tablewc (uint32_t ch, struct element_t *runp)
  	     one consecutive entry.  */
  	  if (runp->wcnext != NULL
  	      && runp->nwcs == runp->wcnext->nwcs
@@ -183,7 +183,7 @@
  	      && (runp->wcs[runp->nwcs - 1]
  		  == runp->wcnext->wcs[runp->nwcs - 1] + 1))
  	    {
-@@ -2026,9 +2025,9 @@ add_to_tablewc (uint32_t ch, struct element_t *runp)
+@@ -2029,9 +2028,9 @@ add_to_tablewc (uint32_t ch, struct element_t *runp)
  		runp = runp->wcnext;
  	      while (runp->wcnext != NULL
  		     && runp->nwcs == runp->wcnext->nwcs
diff --git a/poky/meta/recipes-core/glibc/glibc/0023-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch b/poky/meta/recipes-core/glibc/glibc/0024-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch
similarity index 96%
rename from poky/meta/recipes-core/glibc/glibc/0023-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch
rename to poky/meta/recipes-core/glibc/glibc/0024-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch
index a5a7a0c..50c2e14 100644
--- a/poky/meta/recipes-core/glibc/glibc/0023-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0024-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch
@@ -1,4 +1,4 @@
-From 2ec233ce078b74030de9195096058cd502fdc395 Mon Sep 17 00:00:00 2001
+From 13bc0e53cc91e102472d532f28b3d44c30d291fc Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 3 Aug 2018 09:42:06 -0700
 Subject: [PATCH] localedef --add-to-archive uses a hard-coded locale path
@@ -18,7 +18,7 @@
  1 file changed, 25 insertions(+), 10 deletions(-)
 
 diff --git a/locale/programs/locarchive.c b/locale/programs/locarchive.c
-index 6bb189ae37..0711c5c44e 100644
+index f38e835c52..8d8f8699b2 100644
 --- a/locale/programs/locarchive.c
 +++ b/locale/programs/locarchive.c
 @@ -340,12 +340,24 @@ enlarge_archive (struct locarhandle *ah, const struct locarhead *head)
diff --git a/poky/meta/recipes-core/glibc/glibc/0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch b/poky/meta/recipes-core/glibc/glibc/0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch
similarity index 95%
rename from poky/meta/recipes-core/glibc/glibc/0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch
rename to poky/meta/recipes-core/glibc/glibc/0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch
index d2691e1..fb0a609 100644
--- a/poky/meta/recipes-core/glibc/glibc/0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch
@@ -1,4 +1,4 @@
-From f8289aa320b00f6db43213979cceab2325a7a611 Mon Sep 17 00:00:00 2001
+From 50b605dece16606dd9d1c737e579c13725eab11d Mon Sep 17 00:00:00 2001
 From: Mark Hatle <mark.hatle@windriver.com>
 Date: Thu, 18 Aug 2016 14:07:58 -0500
 Subject: [PATCH] elf/dl-deps.c: Make _dl_build_local_scope breadth first
diff --git a/poky/meta/recipes-core/glibc/glibc/0025-intl-Emit-no-lines-in-bison-generated-files.patch b/poky/meta/recipes-core/glibc/glibc/0026-intl-Emit-no-lines-in-bison-generated-files.patch
similarity index 94%
rename from poky/meta/recipes-core/glibc/glibc/0025-intl-Emit-no-lines-in-bison-generated-files.patch
rename to poky/meta/recipes-core/glibc/glibc/0026-intl-Emit-no-lines-in-bison-generated-files.patch
index 32f8fd2..998db39 100644
--- a/poky/meta/recipes-core/glibc/glibc/0025-intl-Emit-no-lines-in-bison-generated-files.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0026-intl-Emit-no-lines-in-bison-generated-files.patch
@@ -1,4 +1,4 @@
-From 3156464f9a95bf1dafd2e22d19d7bf89c520acc1 Mon Sep 17 00:00:00 2001
+From 99ab34278a6ebec134267412b4f619f43e278dea Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 3 Aug 2018 09:44:00 -0700
 Subject: [PATCH] intl: Emit no lines in bison generated files
diff --git a/poky/meta/recipes-core/glibc/glibc/0027-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch b/poky/meta/recipes-core/glibc/glibc/0027-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch
index 782d931..2bfa2aa 100644
--- a/poky/meta/recipes-core/glibc/glibc/0027-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0027-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch
@@ -1,4 +1,4 @@
-From 881f5b8134afd9a30049b93fc79dda7a44947a5f Mon Sep 17 00:00:00 2001
+From 3190ada9ecaec915794886a608221655c120f90c Mon Sep 17 00:00:00 2001
 From: Martin Jansa <martin.jansa@gmail.com>
 Date: Mon, 17 Dec 2018 21:36:18 +0000
 Subject: [PATCH] locale: prevent maybe-uninitialized errors with -Os [BZ
diff --git a/poky/meta/recipes-core/glibc/glibc/0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch b/poky/meta/recipes-core/glibc/glibc/0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch
index d273cab..8042caa 100644
--- a/poky/meta/recipes-core/glibc/glibc/0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch
@@ -1,4 +1,4 @@
-From b4e0a034b12b313dcb82d22341bef6a66b3e9ef9 Mon Sep 17 00:00:00 2001
+From 5d201a75918a0e181ee6206f701901fdb91baf81 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Wed, 18 Mar 2015 00:11:22 +0000
 Subject: [PATCH] readlib: Add OECORE_KNOWN_INTERPRETER_NAMES to known names
diff --git a/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch b/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
index 11a77cd..8e01169 100644
--- a/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
@@ -1,4 +1,4 @@
-From 2ae3ff3ae28abb1d0d100b4722da7ff188de9a30 Mon Sep 17 00:00:00 2001
+From baba3c6021340a9070b734f931a15cea4cfe6c31 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 15 May 2020 17:05:45 -0700
 Subject: [PATCH] wordsize.h: Unify the header between arm and aarch64
@@ -50,7 +50,7 @@
  /* Determine the wordsize from the preprocessor defines.
  
 -   Copyright (C) 2016-2021 Free Software Foundation, Inc.
-+   Copyright (C) 2016-2021 Free Software Foundation, Inc.
++   Copyright (C) 2016-2020 Free Software Foundation, Inc.
     This file is part of the GNU C Library.
  
     The GNU C Library is free software; you can redistribute it and/or
diff --git a/poky/meta/recipes-core/glibc/glibc/0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch b/poky/meta/recipes-core/glibc/glibc/0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch
index 5ef1ac2..22df820 100644
--- a/poky/meta/recipes-core/glibc/glibc/0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch
+++ b/poky/meta/recipes-core/glibc/glibc/0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch
@@ -1,4 +1,4 @@
-From 5cc14938f05ae1354c8062f017a21f39d5fc9729 Mon Sep 17 00:00:00 2001
+From 60aa53f547911163b42a1c436d695a15c87f34ee Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 7 Aug 2020 14:31:16 -0700
 Subject: [PATCH] powerpc: Do not ask compiler for finding arch
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch
deleted file mode 100644
index fd73b23..0000000
--- a/poky/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
-From: Andreas Schwab <schwab@linux-m68k.org>
-Date: Thu, 27 May 2021 12:49:47 +0200
-Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
-
-Make a deep copy of the pthread attribute object to remove a potential
-use-after-free issue.
-
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
-CVE: CVE-2021-33574
-Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
----
-diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
-index cc575a0cdd8..6f46d29d1dc 100644
---- a/sysdeps/unix/sysv/linux/mq_notify.c
-+++ b/sysdeps/unix/sysv/linux/mq_notify.c
-@@ -133,8 +133,11 @@ helper_thread (void *arg)
- 	    (void) __pthread_barrier_wait (&notify_barrier);
- 	}
-       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
--	/* The only state we keep is the copy of the thread attributes.  */
--	free (data.attr);
-+	{
-+	  /* The only state we keep is the copy of the thread attributes.  */
-+	  pthread_attr_destroy (data.attr);
-+	  free (data.attr);
-+	}
-     }
-   return NULL;
- }
-@@ -255,8 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
-       if (data.attr == NULL)
- 	return -1;
- 
--      memcpy (data.attr, notification->sigev_notify_attributes,
--	      sizeof (pthread_attr_t));
-+      int ret = __pthread_attr_copy (data.attr,
-+				     notification->sigev_notify_attributes);
-+      if (ret != 0)
-+	{
-+	  free (data.attr);
-+	  __set_errno (ret);
-+	  return -1;
-+	}
-     }
- 
-   /* Construct the new request.  */
-@@ -269,8 +278,11 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
-   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
- 
-   /* If it failed, free the allocated memory.  */
--  if (__glibc_unlikely (retval != 0))
--    free (data.attr);
-+  if (retval != 0 && data.attr != NULL)
-+    {
-+      pthread_attr_destroy (data.attr);
-+      free (data.attr);
-+    }
- 
-   return retval;
- }
diff --git a/poky/meta/recipes-core/glibc/glibc/faccessat2-perm.patch b/poky/meta/recipes-core/glibc/glibc/faccessat2-perm.patch
deleted file mode 100644
index 2ee7110..0000000
--- a/poky/meta/recipes-core/glibc/glibc/faccessat2-perm.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Older seccomp-based filters used in container frameworks will block faccessat2
-calls as it's a relatively new syscall.  This isn't a big problem with
-glibc <2.33 but 2.33 will call faccessat2 itself, get EPERM, and thenn be confused
-about what to do as EPERM isn't an expected error code.
-
-This manifests itself as mysterious errors, for example a kernel failing to link.
-
-The root cause of bad seccomp filters is mostly fixed (systemd 247, Docker 20.10.0)
-but we can't expect everyone to upgrade, so add a workaound (originally from 
-Red Hat) to handle EPERM like ENOSYS and fallback to faccessat().
-
-Upstream-Status: Inappropriate
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-diff --git a/sysdeps/unix/sysv/linux/faccessat.c b/sysdeps/unix/sysv/linux/faccessat.c
-index 56cb6dcc8b4d58d3..5de75032bbc93a2c 100644
---- a/sysdeps/unix/sysv/linux/faccessat.c
-+++ b/sysdeps/unix/sysv/linux/faccessat.c
-@@ -34,7 +34,11 @@ faccessat (int fd, const char *file, int mode, int flag)
- #if __ASSUME_FACCESSAT2
-   return ret;
- #else
--  if (ret == 0 || errno != ENOSYS)
-+  /* Fedora-specific workaround:
-+     As a workround for a broken systemd-nspawn that returns
-+     EPERM when a syscall is not allowed instead of ENOSYS
-+     we must check for EPERM here and fall back to faccessat.  */
-+  if (ret == 0 || !(errno == ENOSYS || errno == EPERM))
-     return ret;
- 
-   if (flag & ~(AT_SYMLINK_NOFOLLOW | AT_EACCESS))
diff --git a/poky/meta/recipes-core/glibc/glibc/mte-backports.patch b/poky/meta/recipes-core/glibc/glibc/mte-backports.patch
deleted file mode 100644
index d9604fd..0000000
--- a/poky/meta/recipes-core/glibc/glibc/mte-backports.patch
+++ /dev/null
@@ -1,1238 +0,0 @@
-Backport a number of patches from master to improve Arm MTE support.
-
-Upstream-Status: Backport [will be in 2.34]
-Signed-off-by: Ross Burton <ross.burton@arm.com>
-
-From 2643466c2928a93de7b80a61f6a8f61a653862e1 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Thu, 11 Mar 2021 14:09:56 +0000
-Subject: [PATCH 01/11] malloc: Fix a potential realloc issue with memory
- tagging
-
-At an _int_free call site in realloc the wrong size was used for tag
-clearing: the chunk header of the next chunk was also cleared which
-in practice may work, but logically wrong.
-
-The tag clearing is moved before the memcpy to save a tag computation,
-this avoids a chunk2mem.  Another chunk2mem is removed because newmem
-does not have to be recomputed. Whitespaces got fixed too.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/malloc.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 8f8f12c276..51cec67e55 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -4851,14 +4851,14 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
-             }
-           else
-             {
--	      void *oldmem = chunk2mem (oldp);
-+	      void *oldmem = chunk2rawmem (oldp);
-+	      size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
-+	      (void) TAG_REGION (oldmem, sz);
- 	      newmem = TAG_NEW_USABLE (newmem);
--	      memcpy (newmem, oldmem,
--		      CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ);
--	      (void) TAG_REGION (chunk2rawmem (oldp), oldsize);
--              _int_free (av, oldp, 1);
--              check_inuse_chunk (av, newp);
--              return chunk2mem (newp);
-+	      memcpy (newmem, oldmem, sz);
-+	      _int_free (av, oldp, 1);
-+	      check_inuse_chunk (av, newp);
-+	      return newmem;
-             }
-         }
-     }
--- 
-2.25.1
-
-
-From 32f3132be063e4b16a5cdb058980af354126e2f4 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Thu, 28 Jan 2021 17:34:36 +0000
-Subject: [PATCH 02/11] malloc: Move MTAG_MMAP_FLAGS definition
-
-This is only used internally in malloc.c, the extern declaration
-was wrong, __mtag_mmap_flags has internal linkage.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- include/malloc.h | 7 -------
- malloc/malloc.c  | 2 ++
- 2 files changed, 2 insertions(+), 7 deletions(-)
-
-diff --git a/include/malloc.h b/include/malloc.h
-index 7ae08d53d3..b77761f74d 100644
---- a/include/malloc.h
-+++ b/include/malloc.h
-@@ -16,11 +16,4 @@ typedef struct malloc_state *mstate;
- 
- # endif /* !_ISOMAC */
- 
--#ifdef USE_MTAG
--extern int __mtag_mmap_flags;
--#define MTAG_MMAP_FLAGS __mtag_mmap_flags
--#else
--#define MTAG_MMAP_FLAGS 0
--#endif
--
- #endif
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 51cec67e55..61c25d0f93 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -463,11 +463,13 @@ static void *(*__tag_region)(void *, size_t) = __default_tag_region;
- static void *(*__tag_new_usable)(void *) = __default_tag_nop;
- static void *(*__tag_at)(void *) = __default_tag_nop;
- 
-+# define MTAG_MMAP_FLAGS __mtag_mmap_flags
- # define TAG_NEW_MEMSET(ptr, val, size) __tag_new_memset (ptr, val, size)
- # define TAG_REGION(ptr, size) __tag_region (ptr, size)
- # define TAG_NEW_USABLE(ptr) __tag_new_usable (ptr)
- # define TAG_AT(ptr) __tag_at (ptr)
- #else
-+# define MTAG_MMAP_FLAGS 0
- # define TAG_NEW_MEMSET(ptr, val, size) memset (ptr, val, size)
- # define TAG_REGION(ptr, size) (ptr)
- # define TAG_NEW_USABLE(ptr) (ptr)
--- 
-2.25.1
-
-
-From 4b13f77fb97f9618a7868ab767d05e0c2d7c6f6f Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Thu, 4 Feb 2021 11:38:23 +0000
-Subject: [PATCH 03/11] malloc: Simplify __mtag_tag_new_usable
-
-The chunk cannot be a dumped one here.  The only non-obvious cases
-are free and realloc which may be called on a dumped area chunk,
-but in both cases it can be verified that tagging is already
-avoided for dumped area chunks.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/arena.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/malloc/arena.c b/malloc/arena.c
-index bf17be27d4..0777dc70c6 100644
---- a/malloc/arena.c
-+++ b/malloc/arena.c
-@@ -298,11 +298,6 @@ __mtag_tag_new_usable (void *ptr)
-   if (ptr)
-     {
-       mchunkptr cp = mem2chunk(ptr);
--      /* This likely will never happen, but we can't handle retagging
--	 chunks from the dumped main arena.  So just return the
--	 existing pointer.  */
--      if (DUMPED_MAIN_ARENA_CHUNK (cp))
--	return ptr;
-       ptr = __libc_mtag_tag_region (__libc_mtag_new_tag (ptr),
- 				    CHUNK_AVAILABLE_SIZE (cp) - CHUNK_HDR_SZ);
-     }
--- 
-2.25.1
-
-
-From 4f05837ba6934c5b8bbc6738f8883890493f50b6 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Thu, 4 Feb 2021 11:52:14 +0000
-Subject: [PATCH 04/11] malloc: Avoid taggig mmaped memory on free
-
-Either the memory belongs to the dumped area, in which case we don't
-want to tag (the dumped area has the same tag as malloc internal data
-so tagging is unnecessary, but chunks there may not have the right
-alignment for the tag granule), or the memory will be unmapped
-immediately (and thus tagging is not useful).
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/malloc.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 61c25d0f93..ecb87350b0 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -3284,9 +3284,6 @@ __libc_free (void *mem)
- 
-   p = mem2chunk (mem);
- 
--  /* Mark the chunk as belonging to the library again.  */
--  (void)TAG_REGION (chunk2rawmem (p), CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
--
-   if (chunk_is_mmapped (p))                       /* release mmapped memory. */
-     {
-       /* See if the dynamic brk/mmap threshold needs adjusting.
-@@ -3307,6 +3304,10 @@ __libc_free (void *mem)
-     {
-       MAYBE_INIT_TCACHE ();
- 
-+      /* Mark the chunk as belonging to the library again.  */
-+      (void)TAG_REGION (chunk2rawmem (p),
-+			CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
-+
-       ar_ptr = arena_for_chunk (p);
-       _int_free (ar_ptr, p, 0);
-     }
--- 
-2.25.1
-
-
-From 673fad3798846101b77a89595cfa17f334a1c898 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Tue, 16 Feb 2021 14:12:25 +0000
-Subject: [PATCH 05/11] malloc: Refactor TAG_ macros to avoid indirection
-
-This does not change behaviour, just removes one layer of indirection
-in the internal memory tagging logic.
-
-Use tag_ and mtag_ prefixes instead of __tag_ and __mtag_ since these
-are all symbols with internal linkage, private to malloc.c, so there
-is no user namespace pollution issue.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/arena.c  | 16 +++++-----
- malloc/hooks.c  | 10 +++---
- malloc/malloc.c | 81 +++++++++++++++++++++++--------------------------
- 3 files changed, 51 insertions(+), 56 deletions(-)
-
-diff --git a/malloc/arena.c b/malloc/arena.c
-index 0777dc70c6..d0778fea92 100644
---- a/malloc/arena.c
-+++ b/malloc/arena.c
-@@ -332,12 +332,12 @@ ptmalloc_init (void)
-       if (__MTAG_SBRK_UNTAGGED)
- 	__morecore = __failing_morecore;
- 
--      __mtag_mmap_flags = __MTAG_MMAP_FLAGS;
--      __tag_new_memset = __mtag_tag_new_memset;
--      __tag_region = __libc_mtag_tag_region;
--      __tag_new_usable = __mtag_tag_new_usable;
--      __tag_at = __libc_mtag_address_get_tag;
--      __mtag_granule_mask = ~(size_t)(__MTAG_GRANULE_SIZE - 1);
-+      mtag_mmap_flags = __MTAG_MMAP_FLAGS;
-+      tag_new_memset = __mtag_tag_new_memset;
-+      tag_region = __libc_mtag_tag_region;
-+      tag_new_usable = __mtag_tag_new_usable;
-+      tag_at = __libc_mtag_address_get_tag;
-+      mtag_granule_mask = ~(size_t)(__MTAG_GRANULE_SIZE - 1);
-     }
- #endif
- 
-@@ -557,7 +557,7 @@ new_heap (size_t size, size_t top_pad)
-             }
-         }
-     }
--  if (__mprotect (p2, size, MTAG_MMAP_FLAGS | PROT_READ | PROT_WRITE) != 0)
-+  if (__mprotect (p2, size, mtag_mmap_flags | PROT_READ | PROT_WRITE) != 0)
-     {
-       __munmap (p2, HEAP_MAX_SIZE);
-       return 0;
-@@ -587,7 +587,7 @@ grow_heap (heap_info *h, long diff)
-     {
-       if (__mprotect ((char *) h + h->mprotect_size,
-                       (unsigned long) new_size - h->mprotect_size,
--                      MTAG_MMAP_FLAGS | PROT_READ | PROT_WRITE) != 0)
-+                      mtag_mmap_flags | PROT_READ | PROT_WRITE) != 0)
-         return -2;
- 
-       h->mprotect_size = new_size;
-diff --git a/malloc/hooks.c b/malloc/hooks.c
-index efec05f0a8..d8e304c31c 100644
---- a/malloc/hooks.c
-+++ b/malloc/hooks.c
-@@ -68,7 +68,7 @@ __malloc_check_init (void)
-    tags, so fetch the tag at each location before dereferencing
-    it.  */
- #define SAFE_CHAR_OFFSET(p,offset) \
--  ((unsigned char *) TAG_AT (((unsigned char *) p) + offset))
-+  ((unsigned char *) tag_at (((unsigned char *) p) + offset))
- 
- /* A simple, standard set of debugging hooks.  Overhead is `only' one
-    byte per chunk; still this will catch most cases of double frees or
-@@ -249,7 +249,7 @@ malloc_check (size_t sz, const void *caller)
-   top_check ();
-   victim = _int_malloc (&main_arena, nb);
-   __libc_lock_unlock (main_arena.mutex);
--  return mem2mem_check (TAG_NEW_USABLE (victim), sz);
-+  return mem2mem_check (tag_new_usable (victim), sz);
- }
- 
- static void
-@@ -280,7 +280,7 @@ free_check (void *mem, const void *caller)
-   else
-     {
-       /* Mark the chunk as belonging to the library again.  */
--      (void)TAG_REGION (chunk2rawmem (p), CHUNK_AVAILABLE_SIZE (p)
-+      (void)tag_region (chunk2rawmem (p), CHUNK_AVAILABLE_SIZE (p)
-                                          - CHUNK_HDR_SZ);
-       _int_free (&main_arena, p, 1);
-       __libc_lock_unlock (main_arena.mutex);
-@@ -375,7 +375,7 @@ invert:
- 
-   __libc_lock_unlock (main_arena.mutex);
- 
--  return mem2mem_check (TAG_NEW_USABLE (newmem), bytes);
-+  return mem2mem_check (tag_new_usable (newmem), bytes);
- }
- 
- static void *
-@@ -417,7 +417,7 @@ memalign_check (size_t alignment, size_t bytes, const void *caller)
-   top_check ();
-   mem = _int_memalign (&main_arena, alignment, bytes + 1);
-   __libc_lock_unlock (main_arena.mutex);
--  return mem2mem_check (TAG_NEW_USABLE (mem), bytes);
-+  return mem2mem_check (tag_new_usable (mem), bytes);
- }
- 
- #if SHLIB_COMPAT (libc, GLIBC_2_0, GLIBC_2_25)
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index ecb87350b0..62d00f54cc 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -413,26 +413,26 @@ void *(*__morecore)(ptrdiff_t) = __default_morecore;
-    operations can continue to be used.  Support macros are used to do
-    this:
- 
--   void *TAG_NEW_MEMSET (void *ptr, int, val, size_t size)
-+   void *tag_new_memset (void *ptr, int, val, size_t size)
- 
-    Has the same interface as memset(), but additionally allocates a
-    new tag, colors the memory with that tag and returns a pointer that
-    is correctly colored for that location.  The non-tagging version
-    will simply call memset.
- 
--   void *TAG_REGION (void *ptr, size_t size)
-+   void *tag_region (void *ptr, size_t size)
- 
-    Color the region of memory pointed to by PTR and size SIZE with
-    the color of PTR.  Returns the original pointer.
- 
--   void *TAG_NEW_USABLE (void *ptr)
-+   void *tag_new_usable (void *ptr)
- 
-    Allocate a new random color and use it to color the user region of
-    a chunk; this may include data from the subsequent chunk's header
-    if tagging is sufficiently fine grained.  Returns PTR suitably
-    recolored for accessing the memory there.
- 
--   void *TAG_AT (void *ptr)
-+   void *tag_at (void *ptr)
- 
-    Read the current color of the memory at the address pointed to by
-    PTR (ignoring it's current color) and return PTR recolored to that
-@@ -455,25 +455,20 @@ __default_tag_nop (void *ptr)
-   return ptr;
- }
- 
--static int __mtag_mmap_flags = 0;
--static size_t __mtag_granule_mask = ~(size_t)0;
-+static int mtag_mmap_flags = 0;
-+static size_t mtag_granule_mask = ~(size_t)0;
- 
--static void *(*__tag_new_memset)(void *, int, size_t) = memset;
--static void *(*__tag_region)(void *, size_t) = __default_tag_region;
--static void *(*__tag_new_usable)(void *) = __default_tag_nop;
--static void *(*__tag_at)(void *) = __default_tag_nop;
-+static void *(*tag_new_memset)(void *, int, size_t) = memset;
-+static void *(*tag_region)(void *, size_t) = __default_tag_region;
-+static void *(*tag_new_usable)(void *) = __default_tag_nop;
-+static void *(*tag_at)(void *) = __default_tag_nop;
- 
--# define MTAG_MMAP_FLAGS __mtag_mmap_flags
--# define TAG_NEW_MEMSET(ptr, val, size) __tag_new_memset (ptr, val, size)
--# define TAG_REGION(ptr, size) __tag_region (ptr, size)
--# define TAG_NEW_USABLE(ptr) __tag_new_usable (ptr)
--# define TAG_AT(ptr) __tag_at (ptr)
- #else
--# define MTAG_MMAP_FLAGS 0
--# define TAG_NEW_MEMSET(ptr, val, size) memset (ptr, val, size)
--# define TAG_REGION(ptr, size) (ptr)
--# define TAG_NEW_USABLE(ptr) (ptr)
--# define TAG_AT(ptr) (ptr)
-+# define mtag_mmap_flags 0
-+# define tag_new_memset(ptr, val, size) memset (ptr, val, size)
-+# define tag_region(ptr, size) (ptr)
-+# define tag_new_usable(ptr) (ptr)
-+# define tag_at(ptr) (ptr)
- #endif
- 
- #include <string.h>
-@@ -1305,8 +1300,8 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- /* Convert between user mem pointers and chunk pointers, updating any
-    memory tags on the pointer to respect the tag value at that
-    location.  */
--#define chunk2mem(p) ((void*)TAG_AT (((char*)(p) + CHUNK_HDR_SZ)))
--#define mem2chunk(mem) ((mchunkptr)TAG_AT (((char*)(mem) - CHUNK_HDR_SZ)))
-+#define chunk2mem(p) ((void *)tag_at (((char*)(p) + CHUNK_HDR_SZ)))
-+#define mem2chunk(mem) ((mchunkptr)tag_at (((char*)(mem) - CHUNK_HDR_SZ)))
- 
- /* The smallest possible chunk */
- #define MIN_CHUNK_SIZE        (offsetof(struct malloc_chunk, fd_nextsize))
-@@ -1337,7 +1332,7 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- #ifdef USE_MTAG
- #define CHUNK_AVAILABLE_SIZE(p) \
-   ((chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))	\
--   & __mtag_granule_mask)
-+   & mtag_granule_mask)
- #else
- #define CHUNK_AVAILABLE_SIZE(p) \
-   (chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))
-@@ -1361,7 +1356,7 @@ checked_request2size (size_t req, size_t *sz) __nonnull (1)
-      number.  Ideally, this would be part of request2size(), but that
-      must be a macro that produces a compile time constant if passed
-      a constant literal.  */
--  req = (req + ~__mtag_granule_mask) & __mtag_granule_mask;
-+  req = (req + ~mtag_granule_mask) & mtag_granule_mask;
- #endif
- 
-   *sz = request2size (req);
-@@ -2467,7 +2462,7 @@ sysmalloc (INTERNAL_SIZE_T nb, mstate av)
-       if ((unsigned long) (size) > (unsigned long) (nb))
-         {
-           mm = (char *) (MMAP (0, size,
--			       MTAG_MMAP_FLAGS | PROT_READ | PROT_WRITE, 0));
-+			       mtag_mmap_flags | PROT_READ | PROT_WRITE, 0));
- 
-           if (mm != MAP_FAILED)
-             {
-@@ -2665,7 +2660,7 @@ sysmalloc (INTERNAL_SIZE_T nb, mstate av)
-           if ((unsigned long) (size) > (unsigned long) (nb))
-             {
-               char *mbrk = (char *) (MMAP (0, size,
--					   MTAG_MMAP_FLAGS | PROT_READ | PROT_WRITE,
-+					   mtag_mmap_flags | PROT_READ | PROT_WRITE,
- 					   0));
- 
-               if (mbrk != MAP_FAILED)
-@@ -3221,14 +3216,14 @@ __libc_malloc (size_t bytes)
-       && tcache->counts[tc_idx] > 0)
-     {
-       victim = tcache_get (tc_idx);
--      return TAG_NEW_USABLE (victim);
-+      return tag_new_usable (victim);
-     }
-   DIAG_POP_NEEDS_COMMENT;
- #endif
- 
-   if (SINGLE_THREAD_P)
-     {
--      victim = TAG_NEW_USABLE (_int_malloc (&main_arena, bytes));
-+      victim = tag_new_usable (_int_malloc (&main_arena, bytes));
-       assert (!victim || chunk_is_mmapped (mem2chunk (victim)) ||
- 	      &main_arena == arena_for_chunk (mem2chunk (victim)));
-       return victim;
-@@ -3249,7 +3244,7 @@ __libc_malloc (size_t bytes)
-   if (ar_ptr != NULL)
-     __libc_lock_unlock (ar_ptr->mutex);
- 
--  victim = TAG_NEW_USABLE (victim);
-+  victim = tag_new_usable (victim);
- 
-   assert (!victim || chunk_is_mmapped (mem2chunk (victim)) ||
-           ar_ptr == arena_for_chunk (mem2chunk (victim)));
-@@ -3305,7 +3300,7 @@ __libc_free (void *mem)
-       MAYBE_INIT_TCACHE ();
- 
-       /* Mark the chunk as belonging to the library again.  */
--      (void)TAG_REGION (chunk2rawmem (p),
-+      (void)tag_region (chunk2rawmem (p),
- 			CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
- 
-       ar_ptr = arena_for_chunk (p);
-@@ -3408,7 +3403,7 @@ __libc_realloc (void *oldmem, size_t bytes)
- 	     reused.  There's a performance hit for both us and the
- 	     caller for doing this, so we might want to
- 	     reconsider.  */
--	  return TAG_NEW_USABLE (newmem);
-+	  return tag_new_usable (newmem);
- 	}
- #endif
-       /* Note the extra SIZE_SZ overhead. */
-@@ -3451,7 +3446,7 @@ __libc_realloc (void *oldmem, size_t bytes)
-         {
- 	  size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
- 	  memcpy (newp, oldmem, sz);
--	  (void) TAG_REGION (chunk2rawmem (oldp), sz);
-+	  (void) tag_region (chunk2rawmem (oldp), sz);
-           _int_free (ar_ptr, oldp, 0);
-         }
-     }
-@@ -3509,7 +3504,7 @@ _mid_memalign (size_t alignment, size_t bytes, void *address)
-       p = _int_memalign (&main_arena, alignment, bytes);
-       assert (!p || chunk_is_mmapped (mem2chunk (p)) ||
- 	      &main_arena == arena_for_chunk (mem2chunk (p)));
--      return TAG_NEW_USABLE (p);
-+      return tag_new_usable (p);
-     }
- 
-   arena_get (ar_ptr, bytes + alignment + MINSIZE);
-@@ -3527,7 +3522,7 @@ _mid_memalign (size_t alignment, size_t bytes, void *address)
- 
-   assert (!p || chunk_is_mmapped (mem2chunk (p)) ||
-           ar_ptr == arena_for_chunk (mem2chunk (p)));
--  return TAG_NEW_USABLE (p);
-+  return tag_new_usable (p);
- }
- /* For ISO C11.  */
- weak_alias (__libc_memalign, aligned_alloc)
-@@ -3544,7 +3539,7 @@ __libc_valloc (size_t bytes)
-   void *address = RETURN_ADDRESS (0);
-   size_t pagesize = GLRO (dl_pagesize);
-   p = _mid_memalign (pagesize, bytes, address);
--  return TAG_NEW_USABLE (p);
-+  return tag_new_usable (p);
- }
- 
- void *
-@@ -3569,7 +3564,7 @@ __libc_pvalloc (size_t bytes)
-   rounded_bytes = rounded_bytes & -(pagesize - 1);
- 
-   p = _mid_memalign (pagesize, rounded_bytes, address);
--  return TAG_NEW_USABLE (p);
-+  return tag_new_usable (p);
- }
- 
- void *
-@@ -3666,7 +3661,7 @@ __libc_calloc (size_t n, size_t elem_size)
-      regardless of MORECORE_CLEARS, so we zero the whole block while
-      doing so.  */
- #ifdef USE_MTAG
--  return TAG_NEW_MEMSET (mem, 0, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
-+  return tag_new_memset (mem, 0, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
- #else
-   INTERNAL_SIZE_T csz = chunksize (p);
- 
-@@ -4821,7 +4816,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
-           av->top = chunk_at_offset (oldp, nb);
-           set_head (av->top, (newsize - nb) | PREV_INUSE);
-           check_inuse_chunk (av, oldp);
--          return TAG_NEW_USABLE (chunk2rawmem (oldp));
-+          return tag_new_usable (chunk2rawmem (oldp));
-         }
- 
-       /* Try to expand forward into next chunk;  split off remainder below */
-@@ -4856,8 +4851,8 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
-             {
- 	      void *oldmem = chunk2rawmem (oldp);
- 	      size_t sz = CHUNK_AVAILABLE_SIZE (oldp) - CHUNK_HDR_SZ;
--	      (void) TAG_REGION (oldmem, sz);
--	      newmem = TAG_NEW_USABLE (newmem);
-+	      (void) tag_region (oldmem, sz);
-+	      newmem = tag_new_usable (newmem);
- 	      memcpy (newmem, oldmem, sz);
- 	      _int_free (av, oldp, 1);
- 	      check_inuse_chunk (av, newp);
-@@ -4881,7 +4876,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
-     {
-       remainder = chunk_at_offset (newp, nb);
-       /* Clear any user-space tags before writing the header.  */
--      remainder = TAG_REGION (remainder, remainder_size);
-+      remainder = tag_region (remainder, remainder_size);
-       set_head_size (newp, nb | (av != &main_arena ? NON_MAIN_ARENA : 0));
-       set_head (remainder, remainder_size | PREV_INUSE |
-                 (av != &main_arena ? NON_MAIN_ARENA : 0));
-@@ -4891,7 +4886,7 @@ _int_realloc(mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize,
-     }
- 
-   check_inuse_chunk (av, newp);
--  return TAG_NEW_USABLE (chunk2rawmem (newp));
-+  return tag_new_usable (chunk2rawmem (newp));
- }
- 
- /*
-@@ -5108,7 +5103,7 @@ musable (void *mem)
-       /* The usable space may be reduced if memory tagging is needed,
- 	 since we cannot share the user-space data with malloc's internal
- 	 data structure.  */
--      result &= __mtag_granule_mask;
-+      result &= mtag_granule_mask;
- #endif
-       return result;
-     }
--- 
-2.25.1
-
-
-From f0ea41e819f40aacedf25431bedd95da9c5db534 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Wed, 27 Jan 2021 15:45:43 +0000
-Subject: [PATCH 06/11] malloc: Use global flag instead of function pointer
- dispatch for mtag
-
-A flag check can be faster than function pointers because of how
-branch prediction and speculation works and it can also remove a layer
-of indirection when there is a mismatch between the malloc internal
-tag_* api and __libc_mtag_* target hooks.
-
-Memory tagging wrapper functions are moved to malloc.c from arena.c and
-the logic now checks mmap_enabled.  The definition of tag_new_usable is
-moved after chunk related definitions.
-
-This refactoring also allows using mtag_enabled checks instead of
-USE_MTAG ifdefs when memory tagging support only changes code logic
-when memory tagging is enabled at runtime. Note: an "if (false)" code
-block is optimized away even at -O0 by gcc.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/arena.c  | 33 +---------------------------
- malloc/malloc.c | 58 ++++++++++++++++++++++++++++++++-----------------
- 2 files changed, 39 insertions(+), 52 deletions(-)
-
-diff --git a/malloc/arena.c b/malloc/arena.c
-index d0778fea92..1e83bb66bd 100644
---- a/malloc/arena.c
-+++ b/malloc/arena.c
-@@ -287,34 +287,6 @@ extern struct dl_open_hook *_dl_open_hook;
- libc_hidden_proto (_dl_open_hook);
- #endif
- 
--#ifdef USE_MTAG
--
--/* Generate a new (random) tag value for PTR and tag the memory it
--   points to upto the end of the usable size for the chunk containing
--   it.  Return the newly tagged pointer.  */
--static void *
--__mtag_tag_new_usable (void *ptr)
--{
--  if (ptr)
--    {
--      mchunkptr cp = mem2chunk(ptr);
--      ptr = __libc_mtag_tag_region (__libc_mtag_new_tag (ptr),
--				    CHUNK_AVAILABLE_SIZE (cp) - CHUNK_HDR_SZ);
--    }
--  return ptr;
--}
--
--/* Generate a new (random) tag value for PTR, set the tags for the
--   memory to the new tag and initialize the memory contents to VAL.
--   In practice this function will only be called with VAL=0, but we
--   keep this parameter to maintain the same prototype as memset.  */
--static void *
--__mtag_tag_new_memset (void *ptr, int val, size_t size)
--{
--  return __libc_mtag_memset_with_tag (__libc_mtag_new_tag (ptr), val, size);
--}
--#endif
--
- static void
- ptmalloc_init (void)
- {
-@@ -332,11 +304,8 @@ ptmalloc_init (void)
-       if (__MTAG_SBRK_UNTAGGED)
- 	__morecore = __failing_morecore;
- 
-+      mtag_enabled = true;
-       mtag_mmap_flags = __MTAG_MMAP_FLAGS;
--      tag_new_memset = __mtag_tag_new_memset;
--      tag_region = __libc_mtag_tag_region;
--      tag_new_usable = __mtag_tag_new_usable;
--      tag_at = __libc_mtag_address_get_tag;
-       mtag_granule_mask = ~(size_t)(__MTAG_GRANULE_SIZE - 1);
-     }
- #endif
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 62d00f54cc..253a919ec5 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -441,35 +441,41 @@ void *(*__morecore)(ptrdiff_t) = __default_morecore;
- */
- 
- #ifdef USE_MTAG
-+static bool mtag_enabled = false;
-+static int mtag_mmap_flags = 0;
-+static size_t mtag_granule_mask = ~(size_t)0;
-+#else
-+# define mtag_enabled false
-+# define mtag_mmap_flags 0
-+#endif
- 
--/* Default implementaions when memory tagging is supported, but disabled.  */
--static void *
--__default_tag_region (void *ptr, size_t size)
-+static __always_inline void *
-+tag_region (void *ptr, size_t size)
- {
-+  if (__glibc_unlikely (mtag_enabled))
-+    return __libc_mtag_tag_region (ptr, size);
-   return ptr;
- }
- 
--static void *
--__default_tag_nop (void *ptr)
-+static __always_inline void *
-+tag_new_memset (void *ptr, int val, size_t size)
- {
--  return ptr;
-+  if (__glibc_unlikely (mtag_enabled))
-+    return __libc_mtag_memset_with_tag (__libc_mtag_new_tag (ptr), val, size);
-+  return memset (ptr, val, size);
- }
- 
--static int mtag_mmap_flags = 0;
--static size_t mtag_granule_mask = ~(size_t)0;
--
--static void *(*tag_new_memset)(void *, int, size_t) = memset;
--static void *(*tag_region)(void *, size_t) = __default_tag_region;
--static void *(*tag_new_usable)(void *) = __default_tag_nop;
--static void *(*tag_at)(void *) = __default_tag_nop;
-+/* Defined later.  */
-+static void *
-+tag_new_usable (void *ptr);
- 
--#else
--# define mtag_mmap_flags 0
--# define tag_new_memset(ptr, val, size) memset (ptr, val, size)
--# define tag_region(ptr, size) (ptr)
--# define tag_new_usable(ptr) (ptr)
--# define tag_at(ptr) (ptr)
--#endif
-+static __always_inline void *
-+tag_at (void *ptr)
-+{
-+  if (__glibc_unlikely (mtag_enabled))
-+    return __libc_mtag_address_get_tag (ptr);
-+  return ptr;
-+}
- 
- #include <string.h>
- 
-@@ -1460,6 +1466,18 @@ checked_request2size (size_t req, size_t *sz) __nonnull (1)
- #pragma GCC poison mchunk_size
- #pragma GCC poison mchunk_prev_size
- 
-+static __always_inline void *
-+tag_new_usable (void *ptr)
-+{
-+  if (__glibc_unlikely (mtag_enabled) && ptr)
-+    {
-+      mchunkptr cp = mem2chunk(ptr);
-+      ptr = __libc_mtag_tag_region (__libc_mtag_new_tag (ptr),
-+				    CHUNK_AVAILABLE_SIZE (cp) - CHUNK_HDR_SZ);
-+    }
-+  return ptr;
-+}
-+
- /*
-    -------------------- Internal data structures --------------------
- 
--- 
-2.25.1
-
-
-From 8597244d5c3edbd672b285eea5f6dea833256f9d Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Wed, 17 Feb 2021 10:39:37 +0000
-Subject: [PATCH 07/11] malloc: Ensure the generic mtag hooks are not used
-
-Use inline functions instead of macros, because macros can cause unused
-variable warnings and type conversion issues.  We assume these functions
-may appear in the code but only in dead code paths (hidden by a runtime
-check), so it's important that they can compile with correct types, but
-if they are actually used that should be an error.
-
-Currently the hooks are only used when USE_MTAG is true which only
-happens on aarch64 and then the aarch64 specific code is used not this
-generic header.  However followup refactoring will allow the hooks to
-be used with !USE_MTAG.
-
-Note: the const qualifier in the comment was wrong: changing tags is a
-write operation.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- sysdeps/generic/libc-mtag.h | 41 ++++++++++++++++++++++++++++---------
- 1 file changed, 31 insertions(+), 10 deletions(-)
-
-diff --git a/sysdeps/generic/libc-mtag.h b/sysdeps/generic/libc-mtag.h
-index 1a866cdc0c..e8fc236b6c 100644
---- a/sysdeps/generic/libc-mtag.h
-+++ b/sysdeps/generic/libc-mtag.h
-@@ -31,22 +31,43 @@
- /* Extra flags to pass to mmap() to request a tagged region of memory.  */
- #define __MTAG_MMAP_FLAGS 0
- 
-+/* Memory tagging target hooks are only called when memory tagging is
-+   enabled at runtime.  The generic definitions here must not be used.  */
-+void __libc_mtag_link_error (void);
-+
- /* Set the tags for a region of memory, which must have size and alignment
--   that are multiples of __MTAG_GRANULE_SIZE.  Size cannot be zero.
--   void *__libc_mtag_tag_region (const void *, size_t)  */
--#define __libc_mtag_tag_region(p, s) (p)
-+   that are multiples of __MTAG_GRANULE_SIZE.  Size cannot be zero.  */
-+static inline void *
-+__libc_mtag_tag_region (void *p, size_t n)
-+{
-+  __libc_mtag_link_error ();
-+  return p;
-+}
- 
- /* Optimized equivalent to __libc_mtag_tag_region followed by memset.  */
--#define __libc_mtag_memset_with_tag memset
-+static inline void *
-+__libc_mtag_memset_with_tag (void *p, int c, size_t n)
-+{
-+  __libc_mtag_link_error ();
-+  return memset (p, c, n);
-+}
- 
- /* Convert address P to a pointer that is tagged correctly for that
--   location.
--   void *__libc_mtag_address_get_tag (void*)  */
--#define __libc_mtag_address_get_tag(p) (p)
-+   location.  */
-+static inline void *
-+__libc_mtag_address_get_tag (void *p)
-+{
-+  __libc_mtag_link_error ();
-+  return p;
-+}
- 
- /* Assign a new (random) tag to a pointer P (does not adjust the tag on
--   the memory addressed).
--   void *__libc_mtag_new_tag (void*)  */
--#define __libc_mtag_new_tag(p) (p)
-+   the memory addressed).  */
-+static inline void *
-+__libc_mtag_new_tag (void *p)
-+{
-+  __libc_mtag_link_error ();
-+  return p;
-+}
- 
- #endif /* _GENERIC_LIBC_MTAG_H */
--- 
-2.25.1
-
-
-From 3d9e16280ad881d038aedba0b6fcbd9e78b29072 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Fri, 29 Jan 2021 17:07:28 +0000
-Subject: [PATCH 08/11] malloc: Only support zeroing and not arbitrary memset
- with mtag
-
-The memset api is suboptimal and does not provide much benefit. Memory
-tagging only needs a zeroing memset (and only for memory that's sized
-and aligned to multiples of the tag granule), so change the internal
-api and the target hooks accordingly.  This is to simplify the
-implementation of the target hook.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/malloc.c                                | 17 ++++++++---------
- sysdeps/aarch64/Makefile                       |  2 +-
- ...g_memset_tag.S => __mtag_tag_zero_region.S} | 18 +++++++-----------
- sysdeps/aarch64/libc-mtag.h                    |  4 ++--
- sysdeps/generic/libc-mtag.h                    |  6 +++---
- 5 files changed, 21 insertions(+), 26 deletions(-)
- rename sysdeps/aarch64/{__mtag_memset_tag.S => __mtag_tag_zero_region.S} (82%)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 253a919ec5..01cf6e9325 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -413,12 +413,11 @@ void *(*__morecore)(ptrdiff_t) = __default_morecore;
-    operations can continue to be used.  Support macros are used to do
-    this:
- 
--   void *tag_new_memset (void *ptr, int, val, size_t size)
-+   void *tag_new_zero_region (void *ptr, size_t size)
- 
--   Has the same interface as memset(), but additionally allocates a
--   new tag, colors the memory with that tag and returns a pointer that
--   is correctly colored for that location.  The non-tagging version
--   will simply call memset.
-+   Allocates a new tag, colors the memory with that tag, zeros the
-+   memory and returns a pointer that is correctly colored for that
-+   location.  The non-tagging version will simply call memset with 0.
- 
-    void *tag_region (void *ptr, size_t size)
- 
-@@ -458,11 +457,11 @@ tag_region (void *ptr, size_t size)
- }
- 
- static __always_inline void *
--tag_new_memset (void *ptr, int val, size_t size)
-+tag_new_zero_region (void *ptr, size_t size)
- {
-   if (__glibc_unlikely (mtag_enabled))
--    return __libc_mtag_memset_with_tag (__libc_mtag_new_tag (ptr), val, size);
--  return memset (ptr, val, size);
-+    return __libc_mtag_tag_zero_region (__libc_mtag_new_tag (ptr), size);
-+  return memset (ptr, 0, size);
- }
- 
- /* Defined later.  */
-@@ -3679,7 +3678,7 @@ __libc_calloc (size_t n, size_t elem_size)
-      regardless of MORECORE_CLEARS, so we zero the whole block while
-      doing so.  */
- #ifdef USE_MTAG
--  return tag_new_memset (mem, 0, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
-+  return tag_new_zero_region (mem, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
- #else
-   INTERNAL_SIZE_T csz = chunksize (p);
- 
-diff --git a/sysdeps/aarch64/Makefile b/sysdeps/aarch64/Makefile
-index d3ab37a40a..259070cfad 100644
---- a/sysdeps/aarch64/Makefile
-+++ b/sysdeps/aarch64/Makefile
-@@ -41,7 +41,7 @@ endif
- ifeq ($(subdir),misc)
- sysdep_headers += sys/ifunc.h
- sysdep_routines += __mtag_address_get_tag \
--		   __mtag_memset_tag \
-+		   __mtag_tag_zero_region \
- 		   __mtag_new_tag \
- 		   __mtag_tag_region
- 
-diff --git a/sysdeps/aarch64/__mtag_memset_tag.S b/sysdeps/aarch64/__mtag_tag_zero_region.S
-similarity index 82%
-rename from sysdeps/aarch64/__mtag_memset_tag.S
-rename to sysdeps/aarch64/__mtag_tag_zero_region.S
-index 3c202888a4..74d398bba5 100644
---- a/sysdeps/aarch64/__mtag_memset_tag.S
-+++ b/sysdeps/aarch64/__mtag_tag_zero_region.S
-@@ -20,9 +20,6 @@
- 
- #ifdef USE_MTAG
- 
--/* Use the same register names and assignments as memset.  */
--#include "memset-reg.h"
--
- 	.arch armv8.5-a
- 	.arch_extension memtag
- 
-@@ -31,16 +28,15 @@
- /* FIXME: This is a minimal implementation.  We could do much better than
-    this for large values of COUNT.  */
- 
--ENTRY(__libc_mtag_memset_with_tag)
-+#define dstin x0
-+#define count x1
-+#define dst   x2
- 
--	and	valw, valw, 255
--	orr	valw, valw, valw, lsl 8
--	orr	valw, valw, valw, lsl 16
--	orr	val, val, val, lsl 32
--	mov	dst, dstin
-+ENTRY(__libc_mtag_tag_zero_region)
- 
-+	mov	dst, dstin
- L(loop):
--	stgp	val, val, [dst], #16
-+	stzg	dst, [dst], #16
- 	subs	count, count, 16
- 	bne	L(loop)
- #if 0
-@@ -49,5 +45,5 @@ L(loop):
- 	ldg	dstin, [dstin] // Recover the tag created (might be untagged).
- #endif
- 	ret
--END (__libc_mtag_memset_with_tag)
-+END (__libc_mtag_tag_zero_region)
- #endif /* USE_MTAG */
-diff --git a/sysdeps/aarch64/libc-mtag.h b/sysdeps/aarch64/libc-mtag.h
-index 979cbb743e..f58402ccf9 100644
---- a/sysdeps/aarch64/libc-mtag.h
-+++ b/sysdeps/aarch64/libc-mtag.h
-@@ -39,8 +39,8 @@
-    void *__libc_mtag_tag_region (const void *, size_t)  */
- void *__libc_mtag_tag_region (void *, size_t);
- 
--/* Optimized equivalent to __libc_mtag_tag_region followed by memset.  */
--void *__libc_mtag_memset_with_tag (void *, int, size_t);
-+/* Optimized equivalent to __libc_mtag_tag_region followed by memset to 0.  */
-+void *__libc_mtag_tag_zero_region (void *, size_t);
- 
- /* Convert address P to a pointer that is tagged correctly for that
-    location.
-diff --git a/sysdeps/generic/libc-mtag.h b/sysdeps/generic/libc-mtag.h
-index e8fc236b6c..4743e873f1 100644
---- a/sysdeps/generic/libc-mtag.h
-+++ b/sysdeps/generic/libc-mtag.h
-@@ -44,12 +44,12 @@ __libc_mtag_tag_region (void *p, size_t n)
-   return p;
- }
- 
--/* Optimized equivalent to __libc_mtag_tag_region followed by memset.  */
-+/* Optimized equivalent to __libc_mtag_tag_region followed by memset to 0.  */
- static inline void *
--__libc_mtag_memset_with_tag (void *p, int c, size_t n)
-+__libc_mtag_tag_zero_region (void *p, size_t n)
- {
-   __libc_mtag_link_error ();
--  return memset (p, c, n);
-+  return memset (p, 0, n);
- }
- 
- /* Convert address P to a pointer that is tagged correctly for that
--- 
-2.25.1
-
-
-From 4d596cb72342ba0734dc847653431e078a70edfc Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Tue, 16 Feb 2021 17:02:44 +0000
-Subject: [PATCH 09/11] malloc: Change calloc when tagging is disabled
-
-When glibc is built with memory tagging support (USE_MTAG) but it is not
-enabled at runtime (mtag_enabled) then unconditional memset was used
-even though that can be often avoided.
-
-This is for performance when tagging is supported but not enabled.
-The extra check should have no overhead: tag_new_zero_region already
-had a runtime check which the compiler can now optimize away.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/malloc.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 01cf6e9325..0b2aff3768 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -3591,11 +3591,9 @@ __libc_calloc (size_t n, size_t elem_size)
-   mchunkptr oldtop;
-   INTERNAL_SIZE_T sz, oldtopsize;
-   void *mem;
--#ifndef USE_MTAG
-   unsigned long clearsize;
-   unsigned long nclears;
-   INTERNAL_SIZE_T *d;
--#endif
-   ptrdiff_t bytes;
- 
-   if (__glibc_unlikely (__builtin_mul_overflow (n, elem_size, &bytes)))
-@@ -3674,12 +3672,13 @@ __libc_calloc (size_t n, size_t elem_size)
-     return 0;
- 
-   mchunkptr p = mem2chunk (mem);
-+
-   /* If we are using memory tagging, then we need to set the tags
-      regardless of MORECORE_CLEARS, so we zero the whole block while
-      doing so.  */
--#ifdef USE_MTAG
--  return tag_new_zero_region (mem, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
--#else
-+  if (__glibc_unlikely (mtag_enabled))
-+    return tag_new_zero_region (mem, CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ);
-+
-   INTERNAL_SIZE_T csz = chunksize (p);
- 
-   /* Two optional cases in which clearing not necessary */
-@@ -3733,7 +3732,6 @@ __libc_calloc (size_t n, size_t elem_size)
-     }
- 
-   return mem;
--#endif
- }
- 
- /*
--- 
-2.25.1
-
-
-From 287a35fba55a0a817db7af71ee966a37b7642bf0 Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Mon, 8 Feb 2021 12:39:01 +0000
-Subject: [PATCH 10/11] malloc: Use branches instead of mtag_granule_mask
-
-The branches may be better optimized since mtag_enabled is widely used.
-
-Granule size larger than a chunk header is not supported since then we
-cannot have both the chunk header and user area granule aligned.  To
-fix that for targets with large granule, the chunk layout has to change.
-
-So code that attempted to handle the granule mask generally was changed.
-This simplified CHUNK_AVAILABLE_SIZE and the logic in malloc_usable_size.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/arena.c  |  1 -
- malloc/malloc.c | 34 ++++++++++++++--------------------
- 2 files changed, 14 insertions(+), 21 deletions(-)
-
-diff --git a/malloc/arena.c b/malloc/arena.c
-index 1e83bb66bd..9fbbb38a15 100644
---- a/malloc/arena.c
-+++ b/malloc/arena.c
-@@ -306,7 +306,6 @@ ptmalloc_init (void)
- 
-       mtag_enabled = true;
-       mtag_mmap_flags = __MTAG_MMAP_FLAGS;
--      mtag_granule_mask = ~(size_t)(__MTAG_GRANULE_SIZE - 1);
-     }
- #endif
- 
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 0b2aff3768..849bd8e2c9 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -442,7 +442,6 @@ void *(*__morecore)(ptrdiff_t) = __default_morecore;
- #ifdef USE_MTAG
- static bool mtag_enabled = false;
- static int mtag_mmap_flags = 0;
--static size_t mtag_granule_mask = ~(size_t)0;
- #else
- # define mtag_enabled false
- # define mtag_mmap_flags 0
-@@ -1333,15 +1332,16 @@ nextchunk-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-    ((req) + SIZE_SZ + MALLOC_ALIGN_MASK) & ~MALLOC_ALIGN_MASK)
- 
- /* Available size of chunk.  This is the size of the real usable data
--   in the chunk, plus the chunk header.  */
--#ifdef USE_MTAG
--#define CHUNK_AVAILABLE_SIZE(p) \
--  ((chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))	\
--   & mtag_granule_mask)
--#else
--#define CHUNK_AVAILABLE_SIZE(p) \
--  (chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))
--#endif
-+   in the chunk, plus the chunk header.  Note: If memory tagging is
-+   enabled the layout changes to accomodate the granule size, this is
-+   wasteful for small allocations so not done by default.  The logic
-+   does not work if chunk headers are not granule aligned.  */
-+_Static_assert (__MTAG_GRANULE_SIZE <= CHUNK_HDR_SZ,
-+		"memory tagging is not supported with large granule.");
-+#define CHUNK_AVAILABLE_SIZE(p)                                       \
-+  (__MTAG_GRANULE_SIZE > SIZE_SZ && __glibc_unlikely (mtag_enabled) ? \
-+    chunksize (p) :                                                   \
-+    chunksize (p) + (chunk_is_mmapped (p) ? 0 : SIZE_SZ))
- 
- /* Check if REQ overflows when padded and aligned and if the resulting value
-    is less than PTRDIFF_T.  Returns TRUE and the requested size or MINSIZE in
-@@ -1353,7 +1353,6 @@ checked_request2size (size_t req, size_t *sz) __nonnull (1)
-   if (__glibc_unlikely (req > PTRDIFF_MAX))
-     return false;
- 
--#ifdef USE_MTAG
-   /* When using tagged memory, we cannot share the end of the user
-      block with the header for the next chunk, so ensure that we
-      allocate blocks that are rounded up to the granule size.  Take
-@@ -1361,8 +1360,9 @@ checked_request2size (size_t req, size_t *sz) __nonnull (1)
-      number.  Ideally, this would be part of request2size(), but that
-      must be a macro that produces a compile time constant if passed
-      a constant literal.  */
--  req = (req + ~mtag_granule_mask) & mtag_granule_mask;
--#endif
-+  if (__glibc_unlikely (mtag_enabled))
-+    req = (req + (__MTAG_GRANULE_SIZE - 1)) &
-+	  ~(size_t)(__MTAG_GRANULE_SIZE - 1);
- 
-   *sz = request2size (req);
-   return true;
-@@ -5112,14 +5112,8 @@ musable (void *mem)
- 	    result = chunksize (p) - CHUNK_HDR_SZ;
- 	}
-       else if (inuse (p))
--	result = chunksize (p) - SIZE_SZ;
-+	result = CHUNK_AVAILABLE_SIZE (p) - CHUNK_HDR_SZ;
- 
--#ifdef USE_MTAG
--      /* The usable space may be reduced if memory tagging is needed,
--	 since we cannot share the user-space data with malloc's internal
--	 data structure.  */
--      result &= mtag_granule_mask;
--#endif
-       return result;
-     }
-   return 0;
--- 
-2.25.1
-
-
-From 66de173bf919e601e408dc78772c6841ad6388ab Mon Sep 17 00:00:00 2001
-From: Szabolcs Nagy <szabolcs.nagy@arm.com>
-Date: Wed, 17 Feb 2021 10:15:18 +0000
-Subject: [PATCH 11/11] malloc: Use mtag_enabled instead of USE_MTAG
-
-Use the runtime check where possible: it should not cause slow down in
-the !USE_MTAG case since then mtag_enabled is constant false, but it
-allows compiling the tagging logic so it's less likely to break or
-diverge when developers only test the !USE_MTAG case.
-
-Reviewed-by: DJ Delorie <dj@redhat.com>
----
- malloc/hooks.c  | 10 ++++------
- malloc/malloc.c | 10 ++++------
- 2 files changed, 8 insertions(+), 12 deletions(-)
-
-diff --git a/malloc/hooks.c b/malloc/hooks.c
-index d8e304c31c..9474e199c3 100644
---- a/malloc/hooks.c
-+++ b/malloc/hooks.c
-@@ -262,11 +262,10 @@ free_check (void *mem, const void *caller)
- 
-   int err = errno;
- 
--#ifdef USE_MTAG
-   /* Quickly check that the freed pointer matches the tag for the memory.
-      This gives a useful double-free detection.  */
--  *(volatile char *)mem;
--#endif
-+  if (__glibc_unlikely (mtag_enabled))
-+    *(volatile char *)mem;
- 
-   __libc_lock_lock (main_arena.mutex);
-   p = mem2chunk_check (mem, NULL);
-@@ -310,11 +309,10 @@ realloc_check (void *oldmem, size_t bytes, const void *caller)
-       return NULL;
-     }
- 
--#ifdef USE_MTAG
-   /* Quickly check that the freed pointer matches the tag for the memory.
-      This gives a useful double-free detection.  */
--  *(volatile char *)oldmem;
--#endif
-+  if (__glibc_unlikely (mtag_enabled))
-+    *(volatile char *)oldmem;
- 
-   __libc_lock_lock (main_arena.mutex);
-   const mchunkptr oldp = mem2chunk_check (oldmem, &magic_p);
-diff --git a/malloc/malloc.c b/malloc/malloc.c
-index 849bd8e2c9..36583120ce 100644
---- a/malloc/malloc.c
-+++ b/malloc/malloc.c
-@@ -3286,11 +3286,10 @@ __libc_free (void *mem)
-   if (mem == 0)                              /* free(0) has no effect */
-     return;
- 
--#ifdef USE_MTAG
-   /* Quickly check that the freed pointer matches the tag for the memory.
-      This gives a useful double-free detection.  */
--  *(volatile char *)mem;
--#endif
-+  if (__glibc_unlikely (mtag_enabled))
-+    *(volatile char *)mem;
- 
-   int err = errno;
- 
-@@ -3352,11 +3351,10 @@ __libc_realloc (void *oldmem, size_t bytes)
-   if (oldmem == 0)
-     return __libc_malloc (bytes);
- 
--#ifdef USE_MTAG
-   /* Perform a quick check to ensure that the pointer's tag matches the
-      memory's tag.  */
--  *(volatile char*) oldmem;
--#endif
-+  if (__glibc_unlikely (mtag_enabled))
-+    *(volatile char*) oldmem;
- 
-   /* chunk corresponding to oldmem */
-   const mchunkptr oldp = mem2chunk (oldmem);
--- 
-2.25.1
-
diff --git a/poky/meta/recipes-core/glibc/glibc_2.33.bb b/poky/meta/recipes-core/glibc/glibc_2.34.bb
similarity index 77%
rename from poky/meta/recipes-core/glibc/glibc_2.33.bb
rename to poky/meta/recipes-core/glibc/glibc_2.34.bb
index 67eb3f0..66494c5 100644
--- a/poky/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/poky/meta/recipes-core/glibc/glibc_2.34.bb
@@ -25,7 +25,7 @@
            file://0005-nativesdk-glibc-Raise-the-size-of-arrays-containing-.patch \
            file://0006-nativesdk-glibc-Allow-64-bit-atomics-for-x86.patch \
            file://0007-nativesdk-glibc-Make-relocatable-install-for-locales.patch \
-           file://faccessat2-perm.patch \
+           file://0008-nativesdk-glibc-Fall-back-to-faccessat-on-faccess2-r.patch \
 "
 
 SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
@@ -34,30 +34,27 @@
            file://makedbs.sh \
            \
            ${NATIVESDKFIXES} \
-           file://0008-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch \
-           file://0009-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch \
-           file://0010-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch \
-           file://0011-Quote-from-bug-1443-which-explains-what-the-patch-do.patch \
-           file://0012-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch \
-           file://0013-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch \
-           file://0014-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch \
-           file://0015-yes-within-the-path-sets-wrong-config-variables.patch \
-           file://0016-timezone-re-written-tzselect-as-posix-sh.patch \
-           file://0017-Remove-bash-dependency-for-nscd-init-script.patch \
-           file://0018-eglibc-Cross-building-and-testing-instructions.patch \
-           file://0019-eglibc-Help-bootstrap-cross-toolchain.patch \
-           file://0020-eglibc-Resolve-__fpscr_values-on-SH4.patch \
-           file://0021-eglibc-Forward-port-cross-locale-generation-support.patch \
-           file://0022-Define-DUMMY_LOCALE_T-if-not-defined.patch \
-           file://0023-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch \
-           file://0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch \
-           file://0025-intl-Emit-no-lines-in-bison-generated-files.patch \
+           file://0009-fsl-e500-e5500-e6500-603e-fsqrt-implementation.patch \
+           file://0010-ppc-sqrt-Fix-undefined-reference-to-__sqrt_finite.patch \
+           file://0011-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch \
+           file://0012-Quote-from-bug-1443-which-explains-what-the-patch-do.patch \
+           file://0013-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch \
+           file://0014-__ieee754_sqrt-f-are-now-inline-functions-and-call-o.patch \
+           file://0015-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch \
+           file://0016-yes-within-the-path-sets-wrong-config-variables.patch \
+           file://0017-timezone-re-written-tzselect-as-posix-sh.patch \
+           file://0018-Remove-bash-dependency-for-nscd-init-script.patch \
+           file://0019-eglibc-Cross-building-and-testing-instructions.patch \
+           file://0020-eglibc-Help-bootstrap-cross-toolchain.patch \
+           file://0021-eglibc-Resolve-__fpscr_values-on-SH4.patch \
+           file://0022-eglibc-Forward-port-cross-locale-generation-support.patch \
+           file://0024-localedef-add-to-archive-uses-a-hard-coded-locale-pa.patch \
+           file://0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch \
+           file://0026-intl-Emit-no-lines-in-bison-generated-files.patch \
            file://0027-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
            file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
            file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
            file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
-           file://mte-backports.patch \
-           file://CVE-2021-33574.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
@@ -81,7 +78,6 @@
                 --enable-tunables \
                 --enable-bind-now \
                 --enable-stack-protector=strong \
-                --enable-stackguard-randomization \
                 --disable-crypt \
                 --with-default-link \
                 ${@bb.utils.contains_any('SELECTED_OPTIMIZATION', '-O0 -Og', '--disable-werror', '', d)} \
diff --git a/poky/meta/recipes-core/meta/buildtools-tarball.bb b/poky/meta/recipes-core/meta/buildtools-tarball.bb
index 9775430..6e96cf6 100644
--- a/poky/meta/recipes-core/meta/buildtools-tarball.bb
+++ b/poky/meta/recipes-core/meta/buildtools-tarball.bb
@@ -99,3 +99,16 @@
 
 # The recipe doesn't need any default deps
 INHIBIT_DEFAULT_DEPS = "1"
+
+python do_testsdk() {
+    import oeqa.sdk.testsdk
+    testsdk = oeqa.sdk.testsdk.TestSDK()
+
+    cases_path = os.path.join(os.path.abspath(os.path.dirname(oeqa.sdk.testsdk.__file__)), "buildtools-cases")
+    testsdk.context_executor_class.default_cases = cases_path
+
+    testsdk.run(d)
+}
+addtask testsdk
+do_testsdk[nostamp] = "1"
+do_testsdk[depends] += "xz-native:do_populate_sysroot"
diff --git a/poky/meta/recipes-core/systemd/systemd_249.1.bb b/poky/meta/recipes-core/systemd/systemd_249.1.bb
index 5d47202..a6759c7 100644
--- a/poky/meta/recipes-core/systemd/systemd_249.1.bb
+++ b/poky/meta/recipes-core/systemd/systemd_249.1.bb
@@ -93,7 +93,7 @@
     userdb \
     utmp \
     vconsole \
-    xz \
+    zstd \
 "
 
 PACKAGECONFIG:remove:libc-musl = " \
@@ -199,6 +199,7 @@
 PACKAGECONFIG[xkbcommon] = "-Dxkbcommon=true,-Dxkbcommon=false,libxkbcommon"
 PACKAGECONFIG[xz] = "-Dxz=true,-Dxz=false,xz"
 PACKAGECONFIG[zlib] = "-Dzlib=true,-Dzlib=false,zlib"
+PACKAGECONFIG[zstd] = "-Dzstd=true,-Dzstd=false,zstd"
 
 # Helper variables to clarify locations.  This mirrors the logic in systemd's
 # build system.
diff --git a/poky/meta/recipes-core/util-linux/util-linux.inc b/poky/meta/recipes-core/util-linux/util-linux.inc
index a76fb9e..0f17c73 100644
--- a/poky/meta/recipes-core/util-linux/util-linux.inc
+++ b/poky/meta/recipes-core/util-linux/util-linux.inc
@@ -35,6 +35,7 @@
            file://run-ptest \
            file://display_testname_for_subtest.patch \
            file://avoid_parallel_tests.patch \
+           file://CVE-2021-37600.patch \
            "
 
 SRC_URI[sha256sum] = "8e4bd42053b726cf86eb4d13a73bc1d9225a2c2e1a2e0d2a891f1020f83e6b76"
diff --git a/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
new file mode 100644
index 0000000..2b306c4
--- /dev/null
+++ b/poky/meta/recipes-core/util-linux/util-linux/CVE-2021-37600.patch
@@ -0,0 +1,33 @@
+From 1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c Mon Sep 17 00:00:00 2001
+From: Karel Zak <kzak@redhat.com>
+Date: Tue, 27 Jul 2021 11:58:31 +0200
+Subject: [PATCH] sys-utils/ipcutils: be careful when call calloc() for uint64
+ nmembs
+
+Fix: https://github.com/karelzak/util-linux/issues/1395
+Signed-off-by: Karel Zak <kzak@redhat.com>
+
+CVE: CVE-2021-37600
+Upstream-Status: Backport [1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c]
+
+Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
+---
+ sys-utils/ipcutils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sys-utils/ipcutils.c b/sys-utils/ipcutils.c
+index e784c4dcb..18868cfd3 100644
+--- a/sys-utils/ipcutils.c
++++ b/sys-utils/ipcutils.c
+@@ -218,7 +218,7 @@ static void get_sem_elements(struct sem_data *p)
+ {
+ 	size_t i;
+ 
+-	if (!p || !p->sem_nsems || p->sem_perm.id < 0)
++	if (!p || !p->sem_nsems || p->sem_nsems > SIZE_MAX || p->sem_perm.id < 0)
+ 		return;
+ 
+ 	p->elements = xcalloc(p->sem_nsems, sizeof(struct sem_elem));
+-- 
+2.25.1
+
diff --git a/poky/meta/recipes-core/util-linux/util-linux_2.37.1.bb b/poky/meta/recipes-core/util-linux/util-linux_2.37.1.bb
index b67c3dc..9351595 100644
--- a/poky/meta/recipes-core/util-linux/util-linux_2.37.1.bb
+++ b/poky/meta/recipes-core/util-linux/util-linux_2.37.1.bb
@@ -1,7 +1,7 @@
 require util-linux.inc
 
 #gtk-doc is not enabled as it requires xmlto which requires util-linux
-inherit autotools gettext pkgconfig systemd update-alternatives python3-dir bash-completion ptest
+inherit autotools gettext manpages pkgconfig systemd update-alternatives python3-dir bash-completion ptest
 DEPENDS = "libcap-ng ncurses virtual/crypt zlib util-linux-libuuid"
 
 PACKAGES =+ "${PN}-swaponoff"
@@ -92,6 +92,9 @@
 #
 PACKAGECONFIG ?= "pcre2"
 PACKAGECONFIG:class-target ?= "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'chfn-chsh pam', '', d)}"
+# inherit manpages requires this to be present, however util-linux does not have
+# configuration options, and installs manpages always
+PACKAGECONFIG[manpages] = ""
 PACKAGECONFIG[pam] = "--enable-su --enable-runuser,--disable-su --disable-runuser, libpam,"
 # Respect the systemd feature for uuidd
 PACKAGECONFIG[systemd] = "--with-systemd --with-systemdsystemunitdir=${systemd_system_unitdir}, --without-systemd --without-systemdsystemunitdir,systemd"
@@ -263,6 +266,32 @@
 ALTERNATIVE_LINK_NAME[uuidgen] = "${bindir}/uuidgen"
 ALTERNATIVE_LINK_NAME[wall] = "${bindir}/wall"
 
+ALTERNATIVE:${PN}-doc = "\
+blkid.8 eject.1 findfs.8 fsck.8 kill.1 last.1 lastb.1 libblkid.3 logger.1 mesg.1 \
+mountpoint.1 nologin.8 rfkill.8 sulogin.8 utmpdump.1 uuid.3 wall.1\
+"
+ALTERNATIVE:${PN}-doc += "${@bb.utils.contains('PACKAGECONFIG', 'pam', 'su.1', '', d)}"
+
+ALTERNATIVE_LINK_NAME[blkid.8] = "${mandir}/man8/blkid.8"
+ALTERNATIVE_LINK_NAME[eject.1] = "${mandir}/man1/eject.1"
+ALTERNATIVE_LINK_NAME[findfs.8] = "${mandir}/man8/findfs.8"
+ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
+ALTERNATIVE_LINK_NAME[kill.1] = "${mandir}/man1/kill.1"
+ALTERNATIVE_LINK_NAME[last.1] = "${mandir}/man1/last.1"
+ALTERNATIVE_LINK_NAME[lastb.1] = "${mandir}/man1/lastb.1"
+ALTERNATIVE_LINK_NAME[libblkid.3] = "${mandir}/man3/libblkid.3"
+ALTERNATIVE_LINK_NAME[logger.1] = "${mandir}/man1/logger.1"
+ALTERNATIVE_LINK_NAME[mesg.1] = "${mandir}/man1/mesg.1"
+ALTERNATIVE_LINK_NAME[mountpoint.1] = "${mandir}/man1/mountpoint.1"
+ALTERNATIVE_LINK_NAME[nologin.8] = "${mandir}/man8/nologin.8"
+ALTERNATIVE_LINK_NAME[rfkill.8] = "${mandir}/man8/rfkill.8"
+ALTERNATIVE_LINK_NAME[setpriv.1] = "${mandir}/man1/setpriv.1"
+ALTERNATIVE_LINK_NAME[su.1] = "${mandir}/man1/su.1"
+ALTERNATIVE_LINK_NAME[sulogin.8] = "${mandir}/man8/sulogin.8"
+ALTERNATIVE_LINK_NAME[utmpdump.1] = "${mandir}/man1/utmpdump.1"
+ALTERNATIVE_LINK_NAME[uuid.3] = "${mandir}/man3/uuid.3"
+ALTERNATIVE_LINK_NAME[wall.1] = "${mandir}/man1/wall.1"
+
 BBCLASSEXTEND = "native nativesdk"
 
 PTEST_BINDIR = "1"
diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
new file mode 100644
index 0000000..caeb560
--- /dev/null
+++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs/big-inodes-for-small-fs.patch
@@ -0,0 +1,22 @@
+Ensure "small" file systems also have the default inode size (256 bytes) so that
+can store 64-bit timestamps and work past 2038.
+
+The "small" type is any size >3MB and <512MB, which covers a lot of relatively
+small filesystems built by OE, especially when they're sized to fit the contents
+and expand to the storage on boot.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/misc/mke2fs.conf.in b/misc/mke2fs.conf.in
+index 01e35cf8..29f41dc0 100644
+--- a/misc/mke2fs.conf.in
++++ b/misc/mke2fs.conf.in
+@@ -16,7 +16,6 @@
+ 	}
+ 	small = {
+ 		blocksize = 1024
+-		inode_size = 128
+ 		inode_ratio = 4096
+ 	}
+ 	floppy = {
diff --git a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.2.bb b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.2.bb
index d68d131..8cc046c 100644
--- a/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.2.bb
+++ b/poky/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.46.2.bb
@@ -10,6 +10,7 @@
 
 SRC_URI:append:class-native = " file://e2fsprogs-fix-missing-check-for-permission-denied.patch \
                                 file://quiet-debugfs.patch \
+                                file://big-inodes-for-small-fs.patch \
 "
 
 
diff --git a/poky/meta/recipes-devtools/elfutils/elfutils_0.185.bb b/poky/meta/recipes-devtools/elfutils/elfutils_0.185.bb
index 5031ab9..7a88c52 100644
--- a/poky/meta/recipes-devtools/elfutils/elfutils_0.185.bb
+++ b/poky/meta/recipes-devtools/elfutils/elfutils_0.185.bb
@@ -127,7 +127,7 @@
 FILES:libdebuginfod = "${libdir}/libdebuginfod-${PV}.so ${libdir}/libdebuginfod.so.*"
 # Some packages have the version preceeding the .so instead properly
 # versioned .so.<version>, so we need to reorder and repackage.
-#FILES_${PN} += "${libdir}/*-${PV}.so ${base_libdir}/*-${PV}.so"
+#FILES:${PN} += "${libdir}/*-${PV}.so ${base_libdir}/*-${PV}.so"
 #FILES_SOLIBSDEV = "${libdir}/libasm.so ${libdir}/libdw.so ${libdir}/libelf.so"
 
 # The package contains symlinks that trip up insane
diff --git a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
index c1cbceb..6748d74 100644
--- a/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
+++ b/poky/meta/recipes-devtools/libtool/libtool-2.4.6.inc
@@ -23,6 +23,7 @@
            file://0001-libtool-Check-for-static-libs-for-internal-compiler-.patch \
            file://0001-Makefile.am-make-sure-autoheader-run-before-autoconf.patch \
            file://0001-Makefile.am-make-sure-autoheader-run-before-automake.patch \
+           file://lto-prefix.patch \
           "
 
 SRC_URI[md5sum] = "addf44b646ddb4e3919805aa88fa7c5e"
diff --git a/poky/meta/recipes-devtools/libtool/libtool/lto-prefix.patch b/poky/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
new file mode 100644
index 0000000..2bd010b
--- /dev/null
+++ b/poky/meta/recipes-devtools/libtool/libtool/lto-prefix.patch
@@ -0,0 +1,22 @@
+If lto is enabled, we need the prefix-map variables to be passed to the linker.
+Add these to the list of options libtool passes through.
+
+Upstream-Status: Pending
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Index: libtool-2.4.6/build-aux/ltmain.in
+===================================================================
+--- libtool-2.4.6.orig/build-aux/ltmain.in
++++ libtool-2.4.6/build-aux/ltmain.in
+@@ -5424,9 +5424,10 @@ func_mode_link ()
+       # --sysroot=*          for sysroot support
+       # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+       # -stdlib=*            select c++ std lib with clang
++      # -f*-prefix-map*      needed for lto linking
+       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+       -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
+-      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
++      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*|-f*-prefix-map*)
+         func_quote_for_eval "$arg"
+ 	arg=$func_quote_for_eval_result
+         func_append compile_command " $arg"
diff --git a/poky/meta/recipes-devtools/perl/perl_5.34.0.bb b/poky/meta/recipes-devtools/perl/perl_5.34.0.bb
index cc01321..ab19a8d 100644
--- a/poky/meta/recipes-devtools/perl/perl_5.34.0.bb
+++ b/poky/meta/recipes-devtools/perl/perl_5.34.0.bb
@@ -361,7 +361,7 @@
     awk '{if ($3 != "\x22"$1"\x22"){ print $0}}'| \
     grep -v -e "\-vms\-" -e module-5 -e "^$" -e "\\$" -e your -e tk -e autoperl -e html -e http -e parse-cpan -e perl-ostype -e ndbm-file -e module-mac -e fcgi -e lwp -e dbd -e dbix | \
     sort -u | \
-    sed 's/^/RDEPENDS_/;s/perl-module-/${PN}-module-/g;s/module-\(module-\)/\1/g;s/\(module-load\)-conditional/\1/g;s/encode-configlocal/&-pm/;' | \
+    sed 's/^/RDEPENDS:/;s/perl-module-/${PN}-module-/g;s/module-\(module-\)/\1/g;s/\(module-load\)-conditional/\1/g;s/encode-configlocal/&-pm/;' | \
     egrep -wv '=>|module-a|module-apache.?|module-apr|module-authen-sasl|module-b-asmdata|module-convert-ebcdic|module-devel-size|module-digest-perl-md5|module-dumpvalue|module-extutils-constant-aaargh56hash|module-extutils-xssymset|module-file-bsdglob|module-for|module-it|module-io-socket-inet6|module-io-socket-ssl|module-io-string|module-ipc-system-simple|module-lexical|module-local-lib|metadata|module-modperl-util|module-pluggable-object|module-test-builder-io-scalar|module-test2|module-text-unidecode|module-unicore|module-win32|objects\sload|syscall.ph|systeminfo.ph|%s' | \
     egrep -wv '=>|module-algorithm-diff|module-carp|module-c<extutils-mm-unix>|module-l<extutils-mm-unix>|module-encode-hanextra|module-extutils-makemaker-version-regex|module-file-spec|module-io-compress-lzma|module-io-uncompress-unxz|module-locale-maketext-lexicon|module-log-agent|module-meta-notation|module-net-localcfg|module-net-ping-external|module-b-deparse|module-scalar-util|module-some-module|module-symbol|module-uri|module-win32api-file' > ${WORKDIR}/perl-rdepends.generated
     cat ${WORKDIR}/perl-rdepends.inc ${WORKDIR}/perl-rdepends.generated > ${THISDIR}/files/perl-rdepends.txt
diff --git a/poky/meta/recipes-devtools/python/python3-scons-native_4.1.0.bb b/poky/meta/recipes-devtools/python/python3-scons-native_4.2.0.bb
similarity index 100%
rename from poky/meta/recipes-devtools/python/python3-scons-native_4.1.0.bb
rename to poky/meta/recipes-devtools/python/python3-scons-native_4.2.0.bb
diff --git a/poky/meta/recipes-devtools/python/python3-scons/0001-Fix-man-page-installation.patch b/poky/meta/recipes-devtools/python/python3-scons/0001-Fix-man-page-installation.patch
index ff212b8..6dffe64 100644
--- a/poky/meta/recipes-devtools/python/python3-scons/0001-Fix-man-page-installation.patch
+++ b/poky/meta/recipes-devtools/python/python3-scons/0001-Fix-man-page-installation.patch
@@ -1,4 +1,4 @@
-From 82be2b7b9758a2f62ee11931da674cd541076041 Mon Sep 17 00:00:00 2001
+From 8b482e618047e94833545dce3a26924ef4f075db Mon Sep 17 00:00:00 2001
 From: Tim Orling <ticotimo@gmail.com>
 Date: Sat, 22 May 2021 11:20:46 -0700
 Subject: [PATCH] Fix man page installation
@@ -9,10 +9,10 @@
 Upstream-Status: Inappropriate [oe specific]
 
 Signed-off-by: Tim Orling <ticotimo@gmail.com>
+
 ---
  MANIFEST.in | 2 +-
- setup.cfg   | 6 +++---
- 2 files changed, 4 insertions(+), 4 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/MANIFEST.in b/MANIFEST.in
 index 04ec000..937f6f3 100644
@@ -27,20 +27,3 @@
  
  
  
-diff --git a/setup.cfg b/setup.cfg
-index 37e5204..677c00a 100644
---- a/setup.cfg
-+++ b/setup.cfg
-@@ -56,9 +56,9 @@ console_scripts =
- scons.tool.docbook = *.*
- 
- [options.data_files]
--. = build/doc/man/scons.1
--	build/doc/man/scons-time.1
--	build/doc/man/sconsign.1
-+. = scons.1
-+	scons-time.1
-+	sconsign.1
- 
- [sdist]
- dist-dir = build/dist
diff --git a/poky/meta/recipes-devtools/python/python3-scons_4.1.0.bb b/poky/meta/recipes-devtools/python/python3-scons_4.2.0.bb
similarity index 77%
rename from poky/meta/recipes-devtools/python/python3-scons_4.1.0.bb
rename to poky/meta/recipes-devtools/python/python3-scons_4.2.0.bb
index 5a5b550..23527a2 100644
--- a/poky/meta/recipes-devtools/python/python3-scons_4.1.0.bb
+++ b/poky/meta/recipes-devtools/python/python3-scons_4.2.0.bb
@@ -2,10 +2,10 @@
 HOMEPAGE = "https://github.com/SCons/scons"
 SECTION = "devel/python"
 LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=b94c6e2be9670c62b38f7118c12866d2"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d903b0b8027f461402bac9b5169b36f7"
 
 SRC_URI += " file://0001-Fix-man-page-installation.patch"
-SRC_URI[sha256sum] = "accb8035be2c9cfbab06471286eaeff86a10037a8064cf4ef4c3df04ea5a7387"
+SRC_URI[sha256sum] = "691893b63f38ad14295f5104661d55cb738ec6514421c6261323351c25432b0a"
 
 PYPI_PACKAGE = "SCons"
 
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index 4de8a90..0bbc4b1 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -110,7 +110,7 @@
 
 B = "${WORKDIR}/build"
 
-#EXTRA_OECONF_append = " --python=${HOSTTOOLS_DIR}/python3"
+#EXTRA_OECONF:append = " --python=${HOSTTOOLS_DIR}/python3"
 
 do_configure:prepend:class-native() {
 	# Append build host pkg-config paths for native target since the host may provide sdl
diff --git a/poky/meta/recipes-devtools/ruby/ruby/0002-template-Makefile.in-filter-out-f-prefix-map.patch b/poky/meta/recipes-devtools/ruby/ruby/0002-template-Makefile.in-filter-out-f-prefix-map.patch
new file mode 100644
index 0000000..9387506
--- /dev/null
+++ b/poky/meta/recipes-devtools/ruby/ruby/0002-template-Makefile.in-filter-out-f-prefix-map.patch
@@ -0,0 +1,42 @@
+Subject: [PATCH] template/Makefile.in: filter out -f*prefix-map
+
+If we add DEBUG_PREFIX_MAP into LDFLAGS, ruby and ruby-dbg are no longer
+reproducible.  Fix this.
+
+Upstream-Status: Inapproppriate [oe-core specific]
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+---
+--- a/tool/mjit_archflag.sh
++++ b/tool/mjit_archflag.sh
+@@ -7,6 +7,20 @@ quote() {
+     echo
+ }
+ 
++quote_filtered() {
++    printf "#${indent}define $1"
++    while shift && [ "$#" -gt 0 ]; do
++	case "$1" in
++	    -ffile-prefix-map=*|-fdebug-prefix-map=*|-fmacro-prefix-map=*)
++		;;
++	    *)
++		printf ' "%s"'$sep "$1"
++		;;
++	esac
++    done
++    echo
++}
++
+ archs=""
+ arch_flag=""
+ 
+--- a/template/Makefile.in
++++ b/template/Makefile.in
+@@ -666,7 +666,7 @@ mjit_config.h:
+ 	quote "MJIT_OPTFLAGS   " $(MJIT_OPTFLAGS); \
+ 	quote "MJIT_DEBUGFLAGS " $(MJIT_DEBUGFLAGS); \
+ 	quote "MJIT_LDSHARED   " ; \
+-	quote "MJIT_DLDFLAGS    MJIT_ARCHFLAG" $(MJIT_DLDFLAGS); \
++	quote_filtered "MJIT_DLDFLAGS    MJIT_ARCHFLAG" $(MJIT_DLDFLAGS); \
+ 	quote "MJIT_LIBS       " $(LIBRUBYARG_SHARED); \
+ 	quote 'PRELOADENV       "@PRELOADENV@"'; \
+ 	indent=$${archs:+'  '}; \
diff --git a/poky/meta/recipes-devtools/ruby/ruby_3.0.2.bb b/poky/meta/recipes-devtools/ruby/ruby_3.0.2.bb
index a082735..38e594a 100644
--- a/poky/meta/recipes-devtools/ruby/ruby_3.0.2.bb
+++ b/poky/meta/recipes-devtools/ruby/ruby_3.0.2.bb
@@ -6,6 +6,7 @@
            file://remove_has_include_macros.patch \
            file://run-ptest \
            file://0001-template-Makefile.in-do-not-write-host-cross-cc-item.patch \
+           file://0002-template-Makefile.in-filter-out-f-prefix-map.patch \
            "
 
 SRC_URI[sha256sum] = "5085dee0ad9f06996a8acec7ebea4a8735e6fac22f22e2d98c3f2bc3bef7e6f1"
@@ -55,6 +56,10 @@
            -e 's:${RECIPE_SYSROOT}::g' \
            -e 's:${BASE_WORKDIR}/${MULTIMACH_TARGET_SYS}::g' \
         ${D}$rbconfig_rb
+
+    sed -i -e 's|${DEBUG_PREFIX_MAP}||g' \
+        ${D}${libdir}/pkgconfig/*.pc
+
 }
 
 do_install_ptest () {
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64 b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
index b4fc8af..440e8be 100644
--- a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
+++ b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-aarch64
@@ -236,3 +236,5 @@
 memcheck/tests/writev1
 memcheck/tests/xml1
 memcheck/tests/linux/stack_changes
+gdbserver_tests/hginfo
+memcheck/tests/linux/timerfd-syscall
diff --git a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all
index c3fc639..cb8d10b 100644
--- a/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all
+++ b/poky/meta/recipes-devtools/valgrind/valgrind/remove-for-all
@@ -1 +1,8 @@
 none/tests/amd64/fb_test_amd64
+gdbserver_tests/hginfo
+memcheck/tests/supp_unknown
+helgrind/tests/tls_threads
+drd/tests/bar_bad_xml
+drd/tests/pth_barrier_thr_cr
+drd/tests/thread_name_xml
+massif/tests/deep-D
diff --git a/poky/meta/recipes-extended/parted/files/0002-libparted_fs_resize-link-against-libuuid-explicitly-.patch b/poky/meta/recipes-extended/parted/files/0002-libparted_fs_resize-link-against-libuuid-explicitly-.patch
deleted file mode 100644
index bd2b5c5..0000000
--- a/poky/meta/recipes-extended/parted/files/0002-libparted_fs_resize-link-against-libuuid-explicitly-.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 5c99d7e4c2b5e7a957dc922aff03debfebbd6154 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Andreas=20M=C3=BCller?= <schnitzeltony@googlemail.com>
-Date: Fri, 3 Mar 2017 21:49:15 +0100
-Subject: [PATCH] libparted_fs_resize: link against libuuid explicitly to
- unbreak gold linking on test
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-| ../libparted/fs/.libs/libparted-fs-resize.so: error: undefined reference to 'uuid_generate'
-
-Upstream-Status: Pending
-
-Signed-off-by: Andreas Müller <schnitzeltony@googlemail.com>
----
- libparted/fs/Makefile.am | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/libparted/fs/Makefile.am b/libparted/fs/Makefile.am
-index d3cc8bc..c301b0b 100644
---- a/libparted/fs/Makefile.am
-+++ b/libparted/fs/Makefile.am
-@@ -113,6 +113,8 @@ libparted_fs_resize_la_SOURCES = \
-   r/hfs/reloc_plus.c		\
-   r/hfs/reloc_plus.h
- 
-+libparted_fs_resize_la_LIBADD   = $(UUID_LIBS)
-+
- AM_CPPFLAGS = \
-   -I$(top_srcdir)/libparted/labels	\
-   $(partedincludedir)			\
--- 
-2.9.3
-
diff --git a/poky/meta/recipes-extended/parted/files/check-vfat.patch b/poky/meta/recipes-extended/parted/files/check-vfat.patch
index c64130a..fad5029 100644
--- a/poky/meta/recipes-extended/parted/files/check-vfat.patch
+++ b/poky/meta/recipes-extended/parted/files/check-vfat.patch
@@ -1,7 +1,7 @@
 Add checks for both mkfs.vfat and the vfat file system in the kernel before
 running tests.
 
-Upstream-Status: Pending
+Upstream-Status: Submitted [https://alioth-lists.debian.net/pipermail/parted-devel/2021-August/005653.html]
 Signed-off-by: Ross Burton <ross.burton@arm.com>
 
 diff --git a/tests/t-lib-helpers.sh b/tests/t-lib-helpers.sh
diff --git a/poky/meta/recipes-extended/parted/parted_3.4.bb b/poky/meta/recipes-extended/parted/parted_3.4.bb
index 8924bdb..ffab627 100644
--- a/poky/meta/recipes-extended/parted/parted_3.4.bb
+++ b/poky/meta/recipes-extended/parted/parted_3.4.bb
@@ -8,7 +8,6 @@
 
 SRC_URI = "${GNU_MIRROR}/parted/parted-${PV}.tar.xz \
            file://fix-doc-mandir.patch \
-           file://0002-libparted_fs_resize-link-against-libuuid-explicitly-.patch \
            file://run-ptest \
            file://check-vfat.patch \
            "
diff --git a/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb b/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.31.bb
similarity index 71%
rename from poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
rename to poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.31.bb
index cdc43b5..1848ef6 100644
--- a/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.27.bb
+++ b/poky/meta/recipes-extended/perl/libconvert-asn1-perl_0.31.bb
@@ -1,14 +1,14 @@
 SUMMARY = "Convert::ASN1 - Perl ASN.1 Encode/Decode library"
 SECTION = "libs"
-HOMEPAGE = "https://metacpan.org/source/GBARR/Convert-ASN1-0.27"
+HOMEPAGE = "http://search.cpan.org/dist/Convert-ASN1/"
 DESCRIPTION = "Convert::ASN1 is a perl library for encoding/decoding data using ASN.1 definitions."
 LICENSE = "Artistic-1.0 | GPL-1.0+"
 LIC_FILES_CHKSUM = "file://README.md;beginline=91;endline=97;md5=ceff7fd286eb6d8e8e0d3d23e096a63f"
 
-SRC_URI = "http://search.cpan.org/CPAN/authors/id/G/GB/GBARR/Convert-ASN1-${PV}.tar.gz"
+SRC_URI = "https://cpan.metacpan.org/authors/id/T/TI/TIMLEGGE/Convert-ASN1-${PV}.tar.gz"
 
-SRC_URI[md5sum] = "68723e96be0b258a9e20480276e8a62c"
-SRC_URI[sha256sum] = "74a4a78ae0c5e973100ac0a8f203a110f76fb047b79dae4fc1fd7d6814d3d58a"
+SRC_URI[md5sum] = "1e12b263a5042804bb1c59ddce899876"
+SRC_URI[sha256sum] = "6fe4c1ba744c3a8212bf2c9b2703d93530acc153435cf2f93633540b439fbbeb"
 
 S = "${WORKDIR}/Convert-ASN1-${PV}"
 
diff --git a/poky/meta/recipes-extended/shadow/shadow.inc b/poky/meta/recipes-extended/shadow/shadow.inc
index 2834509..97ffae9 100644
--- a/poky/meta/recipes-extended/shadow/shadow.inc
+++ b/poky/meta/recipes-extended/shadow/shadow.inc
@@ -46,9 +46,7 @@
 
 export CONFIG_SHELL="/bin/sh"
 
-EXTRA_OECONF += "--without-audit \
-                 --without-libcrack \
-                 --without-selinux \
+EXTRA_OECONF += "--without-libcrack \
                  --with-group-name-max-length=24 \
                  --enable-subordinate-ids=yes \
                  --without-sssd \
@@ -81,6 +79,8 @@
 PACKAGECONFIG[pam] = "--with-libpam,--without-libpam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[attr] = "--with-attr,--without-attr,attr"
 PACKAGECONFIG[acl] = "--with-acl,--without-acl,acl"
+PACKAGECONFIG[audit] = "--with-audit,--without-audit,audit"
+PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux libsemanage"
 
 RDEPENDS:${PN} = "shadow-securetty \
                   base-passwd \
diff --git a/poky/meta/recipes-extended/tar/tar_1.34.bb b/poky/meta/recipes-extended/tar/tar_1.34.bb
index c096a8c..98755a1 100644
--- a/poky/meta/recipes-extended/tar/tar_1.34.bb
+++ b/poky/meta/recipes-extended/tar/tar_1.34.bb
@@ -61,3 +61,6 @@
 NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}"
 
 BBCLASSEXTEND = "native nativesdk"
+
+# These are both specific to the NPM package node-tar
+CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804"
diff --git a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.0.bb b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.0.bb
index 3b8130a..9d0a338 100644
--- a/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.0.bb
+++ b/poky/meta/recipes-graphics/jpeg/libjpeg-turbo_2.1.0.bb
@@ -46,6 +46,7 @@
 # Provide a workaround if Altivec unit is not present in PPC
 EXTRA_OECMAKE:append:class-target:powerpc = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "", "-DWITH_SIMD=False", d)}"
 EXTRA_OECMAKE:append:class-target:powerpc64 = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "", "-DWITH_SIMD=False", d)}"
+EXTRA_OECMAKE:append:class-target:powerpc64le = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "", "-DWITH_SIMD=False", d)}"
 
 DEBUG_OPTIMIZATION:append:armv4 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}"
 DEBUG_OPTIMIZATION:append:armv5 = " ${@bb.utils.contains('TUNE_CCARGS', '-mthumb', '-fomit-frame-pointer', '', d)}"
diff --git a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb
index 00dd680..ab9595c 100644
--- a/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb
+++ b/poky/meta/recipes-graphics/xorg-lib/pixman_0.40.0.bb
@@ -34,4 +34,8 @@
 # disable iwmmxt due to compile fails on most arm platforms.
 EXTRA_OEMESON += "-Diwmmxt=disabled"
 
+EXTRA_OEMESON:append:class-target:powerpc = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "-Dvmx=enabled", "-Dvmx=disabled", d)}"
+EXTRA_OEMESON:append:class-target:powerpc64 = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "-Dvmx=enabled", "-Dvmx=disabled", d)}"
+EXTRA_OEMESON:append:class-target:powerpc64le = " ${@bb.utils.contains("TUNE_FEATURES", "altivec", "-Dvmx=enabled", "-Dvmx=disabled", d)}"
+
 BBCLASSEXTEND = "native nativesdk"
diff --git a/poky/meta/recipes-kernel/kmod/kmod_git.bb b/poky/meta/recipes-kernel/kmod/kmod_git.bb
index 853561a..eb5d176 100644
--- a/poky/meta/recipes-kernel/kmod/kmod_git.bb
+++ b/poky/meta/recipes-kernel/kmod/kmod_git.bb
@@ -24,13 +24,13 @@
                 lnr ${D}${base_bindir}/kmod ${D}${base_sbindir}/${tool}
         done
         # configuration directories
-        install -dm755 ${D}${base_libdir}/depmod.d
-        install -dm755 ${D}${base_libdir}/modprobe.d
+        install -dm755 ${D}${nonarch_base_libdir}/depmod.d
+        install -dm755 ${D}${nonarch_base_libdir}/modprobe.d
         install -dm755 ${D}${sysconfdir}/depmod.d
         install -dm755 ${D}${sysconfdir}/modprobe.d
 
         # install depmod.d file for search/ dir
-        install -Dm644 "${WORKDIR}/depmod-search.conf" "${D}${base_libdir}/depmod.d/search.conf"
+        install -Dm644 "${WORKDIR}/depmod-search.conf" "${D}${nonarch_base_libdir}/depmod.d/search.conf"
 }
 
 do_compile:prepend() {
@@ -57,6 +57,6 @@
 PACKAGES =+ "libkmod"
 
 FILES:libkmod = "${base_libdir}/libkmod*${SOLIBS} ${libdir}/libkmod*${SOLIBS}"
-FILES:${PN} += "${base_libdir}/depmod.d ${base_libdir}/modprobe.d"
+FILES:${PN} += "${nonarch_base_libdir}/depmod.d ${nonarch_base_libdir}/modprobe.d"
 
 BBCLASSEXTEND = "nativesdk"
diff --git a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
index fe46cb5..d91a556 100644
--- a/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
+++ b/poky/meta/recipes-kernel/linux-firmware/linux-firmware_20210511.bb
@@ -303,8 +303,11 @@
              ${PN}-qat ${PN}-qat-license \
              ${PN}-qcom-license \
              ${PN}-qcom-venus-1.8 ${PN}-qcom-venus-4.2 ${PN}-qcom-venus-5.2 ${PN}-qcom-venus-5.4 \
-             ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 ${PN}-qcom-adreno-a630 \
+             ${PN}-qcom-vpu-1.0 ${PN}-qcom-vpu-2.0 \
+             ${PN}-qcom-adreno-a3xx ${PN}-qcom-adreno-a530 \
+             ${PN}-qcom-adreno-a630 ${PN}-qcom-adreno-a650 ${PN}-qcom-adreno-a660 \
              ${PN}-qcom-sdm845-audio ${PN}-qcom-sdm845-compute ${PN}-qcom-sdm845-modem \
+             ${PN}-qcom-sm8250-audio ${PN}-qcom-sm8250-compute \
              ${PN}-amlogic-vdec-license ${PN}-amlogic-vdec \
              ${PN}-lt9611uxc ${PN}-lontium-license \
              ${PN}-whence-license \
@@ -952,22 +955,34 @@
 FILES:${PN}-qcom-venus-4.2 = "${nonarch_base_libdir}/firmware/qcom/venus-4.2/*"
 FILES:${PN}-qcom-venus-5.2 = "${nonarch_base_libdir}/firmware/qcom/venus-5.2/*"
 FILES:${PN}-qcom-venus-5.4 = "${nonarch_base_libdir}/firmware/qcom/venus-5.4/*"
+FILES:${PN}-qcom-vpu-1.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-1.0/*"
+FILES:${PN}-qcom-vpu-2.0 = "${nonarch_base_libdir}/firmware/qcom/vpu-2.0/*"
 FILES:${PN}-qcom-adreno-a3xx = "${nonarch_base_libdir}/firmware/qcom/a300_*.fw ${nonarch_base_libdir}/firmware/a300_*.fw"
 FILES:${PN}-qcom-adreno-a530 = "${nonarch_base_libdir}/firmware/qcom/a530*.*"
 FILES:${PN}-qcom-adreno-a630 = "${nonarch_base_libdir}/firmware/qcom/a630*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/a630*.*"
+FILES:${PN}-qcom-adreno-a650 = "${nonarch_base_libdir}/firmware/qcom/a650*.* ${nonarch_base_libdir}/firmware/qcom/sm8250/a650*.*"
+FILES:${PN}-qcom-adreno-a660 = "${nonarch_base_libdir}/firmware/qcom/a660*.*"
 FILES:${PN}-qcom-sdm845-audio = "${nonarch_base_libdir}/firmware/qcom/sdm845/adsp*.*"
 FILES:${PN}-qcom-sdm845-compute = "${nonarch_base_libdir}/firmware/qcom/sdm845/cdsp*.*"
 FILES:${PN}-qcom-sdm845-modem = "${nonarch_base_libdir}/firmware/qcom/sdm845/mba.mbn ${nonarch_base_libdir}/firmware/qcom/sdm845/modem*.* ${nonarch_base_libdir}/firmware/qcom/sdm845/wlanmdsp.mbn"
+FILES:${PN}-qcom-sm8250-audio = "${nonarch_base_libdir}/firmware/qcom/sm8250/adsp*.*"
+FILES:${PN}-qcom-sm8250-compute = "${nonarch_base_libdir}/firmware/qcom/sm8250/cdsp*.*"
 RDEPENDS:${PN}-qcom-venus-1.8 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-venus-4.2 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-venus-5.2 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-venus-5.4 = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-vpu-1.0 = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-vpu-2.0 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-adreno-a3xx = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-adreno-a530 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-adreno-a630 = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-adreno-a650 = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-adreno-a660 = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-sdm845-audio = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-sdm845-compute = "${PN}-qcom-license"
 RDEPENDS:${PN}-qcom-sdm845-modem = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-sm8250-audio = "${PN}-qcom-license"
+RDEPENDS:${PN}-qcom-sm8250-compute = "${PN}-qcom-license"
 
 FILES:${PN}-liquidio = "${nonarch_base_libdir}/firmware/liquidio"
 
diff --git a/poky/meta/recipes-support/curl/curl_7.78.0.bb b/poky/meta/recipes-support/curl/curl_7.78.0.bb
index 2e2be66..dece0ba 100644
--- a/poky/meta/recipes-support/curl/curl_7.78.0.bb
+++ b/poky/meta/recipes-support/curl/curl_7.78.0.bb
@@ -73,6 +73,7 @@
 	    -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
 	    -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \
 	    -e 's|${DEBUG_PREFIX_MAP}||g' \
+	    -e 's|${@" ".join(d.getVar("DEBUG_PREFIX_MAP").split())}||g' \
 	    ${D}${bindir}/curl-config
 }
 
diff --git a/poky/scripts/contrib/convert-overrides.py b/poky/scripts/contrib/convert-overrides.py
index e4a310d..4d41a4c 100755
--- a/poky/scripts/contrib/convert-overrides.py
+++ b/poky/scripts/contrib/convert-overrides.py
@@ -69,15 +69,15 @@
 
 vars_re = {}
 for exp in vars:
-    vars_re[exp] = (re.compile('((^|[\'"\s\-\+])[A-Za-z0-9_\-:${}\.]+)_' + exp), r"\1:" + exp)
+    vars_re[exp] = (re.compile('((^|[#\'"\s\-\+])[A-Za-z0-9_\-:${}\.]+)_' + exp), r"\1:" + exp)
 
 shortvars_re = {}
 for exp in shortvars:
-    shortvars_re[exp] = (re.compile('((^|[\'"\s\-\+])[A-Za-z0-9_\-:${}\.]+)_' + exp + '([\(\'"\s:])'), r"\1:" + exp + r"\3")
+    shortvars_re[exp] = (re.compile('((^|[#\'"\s\-\+])[A-Za-z0-9_\-:${}\.]+)_' + exp + '([\(\'"\s:])'), r"\1:" + exp + r"\3")
 
 package_re = {}
 for exp in packagevars:
-    package_re[exp] = (re.compile('(^|[\'"\s\-\+]+)' + exp + '_' + '([$a-z"\'\s%\[<{\\\*].)'), r"\1" + exp + r":\2")
+    package_re[exp] = (re.compile('(^|[#\'"\s\-\+]+)' + exp + '_' + '([$a-z"\'\s%\[<{\\\*].)'), r"\1" + exp + r":\2")
 
 # Other substitutions to make
 subs = {
diff --git a/poky/scripts/lib/wic/canned-wks/common.wks.inc b/poky/scripts/lib/wic/canned-wks/common.wks.inc
index 4fd29fa..89880b4 100644
--- a/poky/scripts/lib/wic/canned-wks/common.wks.inc
+++ b/poky/scripts/lib/wic/canned-wks/common.wks.inc
@@ -1,3 +1,3 @@
 # This file is included into 3 canned wks files from this directory
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --use-uuid --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024
+part / --source rootfs --use-uuid --fstype=ext4 --label platform --align 1024
diff --git a/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks b/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
index cf16c0c..8d7d8de 100644
--- a/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
+++ b/poky/scripts/lib/wic/canned-wks/directdisk-gpt.wks
@@ -4,7 +4,7 @@
 
 
 part /boot --source bootimg-pcbios --ondisk sda --label boot --active --align 1024
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default" --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
 
 bootloader  --ptable gpt --timeout=0  --append="rootwait rootfstype=ext4 video=vesafb vga=0x318 console=tty0 console=ttyS0,115200n8"
 
diff --git a/poky/scripts/lib/wic/canned-wks/mkefidisk.wks b/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
index d1878e2..9f534fe 100644
--- a/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
+++ b/poky/scripts/lib/wic/canned-wks/mkefidisk.wks
@@ -4,7 +4,7 @@
 
 part /boot --source bootimg-efi --sourceparams="loader=grub-efi" --ondisk sda --label msdos --active --align 1024
 
-part / --source rootfs --ondisk sda --fstype=ext4 --mkfs-extraopts "-T default"  --label platform --align 1024 --use-uuid
+part / --source rootfs --ondisk sda --fstype=ext4 --label platform --align 1024 --use-uuid
 
 part swap --ondisk sda --size 44 --label swap1 --fstype=swap