-rw-r--r--README30
-rw-r--r--TODO2
-rw-r--r--docs/HACKING.md12
-rw-r--r--meson.build1
-rw-r--r--meson_options.txt2
-rw-r--r--rules.d/50-udev-default.rules.in2
-rw-r--r--sysusers.d/basic.conf.in1
7 files changed, 37 insertions, 13 deletions
diff --git a/README b/README
index 2480f10d5d..1e55da23f6 100644
--- a/README
+++ b/README
@@ -209,21 +209,35 @@ REQUIREMENTS:
libblkid >= 2.24 (from util-linux) (optional)
libkmod >= 15 (optional)
PAM >= 1.1.2 (optional)
- libcryptsetup (optional), >= 2.3.0 required for signed Verity images support
+ libcryptsetup >= 2.0.1 (optional),
+ >= 2.3.0 is required for signed Verity images support
libaudit (optional)
libacl (optional)
- libbpf >= 0.1.0 (optional)
+ libbpf >= 0.1.0 (optional),
+ >= 1.4.0 is required for using GCC as a bpf compiler
libfdisk >= 2.32 (from util-linux) (optional)
- libselinux (optional)
+ libselinux >= 2.1.9 (optional)
+ libapparmor >= 2.13 (optional)
+ libxenctrl >= 4.9 (optional)
+ zlib (optional)
+ bzip2 (optional)
liblzma (optional)
liblz4 >= 1.3.0 / 130 (optional)
libzstd >= 1.4.0 (optional)
+ libarchive >= 3.0 (optional)
+ libxkbcommon >= 0.3.0 (optional)
+ libpcre2 (optional)
libgcrypt (optional)
- libqrencode (optional)
- libmicrohttpd (optional)
+ libqrencode >= 3 (optional)
+ libmicrohttpd >= 0.9.33 (optional)
+ libcurl >= 7.32.0 (optional)
libidn2 or libidn (optional)
- gnutls >= 3.1.4 (optional, >= 3.6.0 is required to support DNS-over-TLS with gnutls)
+ gnutls >= 3.1.4 (optional)
+ >= 3.6.0 is required to support DNS-over-TLS with gnutls
openssl >= 1.1.0 (optional, required to support DNS-over-TLS with openssl)
+ p11-kit >= 0.23.3 (optional)
+ libfido2 (optional)
+ tpm2-tss (optional)
elfutils >= 158 (optional)
polkit (optional)
tzdata >= 2014f (optional)
@@ -239,6 +253,7 @@ REQUIREMENTS:
meson >= 0.60.0
ninja
gcc >= 8.4
+ >= 13.1.0 is required to build BPF program by using GCC
awk, sed, grep, and similar tools
clang >= 10.0, llvm >= 10.0 (optional, required to build BPF programs
from source code in C)
@@ -368,7 +383,8 @@ USERS AND GROUPS:
need to be resolvable by getgrnam() at any time, even in the very early
boot stages, where no other databases and network are available:
- audio, cdrom, dialout, disk, input, kmem, kvm, lp, render, tape, tty, video
+ audio, cdrom, clock, dialout, disk, input, kmem, kvm, lp, render,
+ sgx, tape, tty, video
During runtime, the journal daemon requires the "systemd-journal" system
group to exist. New journal files will be readable by this group (but
diff --git a/TODO b/TODO
index 81d8151cae..c465353171 100644
--- a/TODO
+++ b/TODO
@@ -122,6 +122,8 @@ Deprecations and removals:
Features:
+* systemd-firstboot: optionally install am ssh key for root for offline use.
+
* add a small tool that reads user records/group records from a credential, and
then places them in the userdb drop-in dirs (either /run/ or /var/). While
doing so it processes them:
diff --git a/docs/HACKING.md b/docs/HACKING.md
index e4359e277a..d302a15f28 100644
--- a/docs/HACKING.md
+++ b/docs/HACKING.md
@@ -50,7 +50,7 @@ To build and boot an OS image with the latest systemd installed:
```sh
$ mkosi -f genkey # Generate signing keys once.
$ mkosi -f sandbox meson compile -C build mkosi # (re-)build the OS image
-$ sudo mkosi boot # Boot the image with systemd-nspawn.
+$ run0 mkosi boot # Boot the image with systemd-nspawn.
$ mkosi vm # Boot the image with qemu.
```
@@ -133,17 +133,17 @@ To upgrade the systemd packages on the host system to the newer versions built
by mkosi, run the following:
```sh
-dnf upgrade build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # Fedora/CentOS
-apt-get install build/mkosi.builddir/<distribution>~<release>~<architecture>/*.deb # Debian/Ubuntu
-pacman --upgrade --needed --noconfirm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.pkg.tar # Arch Linux
-zypper --non-interactive install --allow-unsigned-rpm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # OpenSUSE
+run0 dnf upgrade build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # Fedora/CentOS
+run0 apt-get install build/mkosi.builddir/<distribution>~<release>~<architecture>/*.deb # Debian/Ubuntu
+run0 pacman --upgrade --needed --noconfirm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.pkg.tar # Arch Linux
+run0 zypper --non-interactive install --allow-unsigned-rpm build/mkosi.builddir/<distribution>~<release>~<architecture>/*.rpm # OpenSUSE
```
To downgrade back to the old version shipped by the distribution, run the
following:
```sh
-dnf downgrade "systemd*" # Fedora/CentOS
+run0 dnf downgrade "systemd*" # Fedora/CentOS
# TODO: Other distributions
```
diff --git a/meson.build b/meson.build
index 48ba967d0e..617d6d2452 100644
--- a/meson.build
+++ b/meson.build
@@ -939,6 +939,7 @@ static_ugids = []
foreach option : ['adm-gid',
'audio-gid',
'cdrom-gid',
+ 'clock-gid',
'dialout-gid',
'disk-gid',
'input-gid',
diff --git a/meson_options.txt b/meson_options.txt
index edf8053e51..c616f23297 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -291,6 +291,8 @@ option('audio-gid', type : 'integer', value : 0,
description : 'soft-static allocation for the "audio" group')
option('cdrom-gid', type : 'integer', value : 0,
description : 'soft-static allocation for the "cdrom" group')
+option('clock-gid', type : 'integer', value : 0,
+ description : 'soft-static allocation for the "clock" group')
option('dialout-gid', type : 'integer', value : 0,
description : 'soft-static allocation for the "dialout" group')
option('disk-gid', type : 'integer', value : 0,
diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 8fa518cd8f..078a78ad1a 100644
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -10,6 +10,7 @@ SUBSYSTEM=="block", KERNEL=="md*", ENV{ID_IGNORE_DISKSEQ}="1"
SUBSYSTEM=="virtio-ports", KERNEL=="vport*", ATTR{name}=="?*", SYMLINK+="virtio-ports/$attr{name}"
+SUBSYSTEM=="rtc", GROUP="clock", MODE="0660"
# select "system RTC" or just use the first one
SUBSYSTEM=="rtc", ATTR{hctosys}=="1", SYMLINK+="rtc"
SUBSYSTEM=="rtc", KERNEL=="rtc0", SYMLINK+="rtc", OPTIONS+="link_priority=-100"
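Review bot: The added `SUBSYSTEM=="rtc", GROUP="clock", MODE="0660"` rule, and the matching `SUBSYSTEM=="ptp", GROUP="clock", MODE="0660"` rule in the next hunk, give a group read-write access to clock devices with no comment saying who is meant to be in `clock`. As far as I know, a writable descriptor on a PTP device is what the kernel checks before letting a process adjust that hardware clock, so membership is in effect a time-setting privilege. Time is an input to certificate validation, token expiry and log correlation, so the group should hold time-synchronisation service accounts rather than login users. I would add a comment above each rule, for example `# "clock" members can open these nodes read-write; intended for time-sync service accounts, not interactive users`. The README hunk already lists `clock` among the groups udev must resolve early, but nothing visible here says what the group is for.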
@@ -30,6 +31,7 @@ SUBSYSTEM=="pci|usb|platform", IMPORT{builtin}="path_id"
SUBSYSTEM=="net", IMPORT{builtin}="net_driver"
+SUBSYSTEM=="ptp", GROUP="clock", MODE="0660"
SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
diff --git a/sysusers.d/basic.conf.in b/sysusers.d/basic.conf.in
index 84bbe3854f..503a4c4dac 100644
--- a/sysusers.d/basic.conf.in
+++ b/sysusers.d/basic.conf.in
@@ -25,6 +25,7 @@ g utmp {{UTMP_GID }} - -
# Physical and virtual hardware access groups
g audio {{AUDIO_GID }} - -
g cdrom {{CDROM_GID }} - -
+g clock {{CLOCK_GID }} - -
g dialout {{DIALOUT_GID}} - -
g disk {{DISK_GID }} - -
g input {{INPUT_GID }} - -