diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
index 3bddc7cf4..4917a4e8c 100644
--- a/.github/workflows/release-arm.yaml
+++ b/.github/workflows/release-arm.yaml
@@ -113,7 +113,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@master
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
@@ -229,7 +229,7 @@ jobs:
         id: buildx
         uses: docker/setup-buildx-action@master
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
@@ -303,7 +303,7 @@ jobs:
           platforms: all
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Quay Registry
         run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
       - name: Build iso  🔧
@@ -343,7 +343,7 @@ jobs:
           platforms: all
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Quay Registry
         run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
       - name: Build iso  🔧
diff --git a/.github/workflows/reusable-image-and-iso-arm-generic.yaml b/.github/workflows/reusable-image-and-iso-arm-generic.yaml
index 886ef524d..898520a9e 100644
--- a/.github/workflows/reusable-image-and-iso-arm-generic.yaml
+++ b/.github/workflows/reusable-image-and-iso-arm-generic.yaml
@@ -27,7 +27,7 @@ jobs:
       - name: Set up Docker Buildx
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Quay Registry
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         run: echo ${{ secrets.QUAY_PASSWORD }} | docker login -u ${{ secrets.QUAY_USERNAME }} --password-stdin quay.io
diff --git a/.github/workflows/reusable-upgrade-latest-test.yaml b/.github/workflows/reusable-upgrade-latest-test.yaml
index 9727a0504..166820696 100644
--- a/.github/workflows/reusable-upgrade-latest-test.yaml
+++ b/.github/workflows/reusable-upgrade-latest-test.yaml
@@ -51,7 +51,7 @@ jobs:
           # A flag to set the download target as latest release
           # The default value is 'false'
           latest: true
-          fileName: 'kairos-${{ inputs.flavor }}-v*.iso'
+          fileName: 'kairos-core-${{ inputs.flavor }}-amd64-generic-v*.iso'
           out-file-path: ""
       - name: Display structure of downloaded files
         run: ls -las .
@@ -65,7 +65,10 @@ jobs:
           sudo iptables -I INPUT -s 169.254.169.254 -j DROP
           sudo iptables -I OUTPUT -d 169.254.169.254 -j DROP
       - run: |
-          earthly +run-qemu-test --PREBUILT_ISO=$(ls kairos-${{ inputs.flavor }}*.iso) \
+          # release-downloader globing matches more than one iso. Make sure
+          # we use the right one.
+          ISO=$(ls kairos-core-${{ inputs.flavor }}-amd64-generic-v*.iso | grep -v ipxe)
+          earthly +run-qemu-test --PREBUILT_ISO=$ISO \
             --FLAVOR=${{ inputs.flavor }} \
             --CONTAINER_IMAGE=ttl.sh/kairos-${{ inputs.flavor }}-${{ github.sha }}:24h \
             --TEST_SUITE=upgrade-latest-with-cli
diff --git a/Earthfile b/Earthfile
index 1ae5e93ed..f7b343be3 100644
--- a/Earthfile
+++ b/Earthfile
@@ -13,7 +13,7 @@ ARG OS_NAME=${OS_ID}-${VARIANT}-${FLAVOR}
 # renovate: datasource=docker depName=quay.io/luet/base
 ARG LUET_VERSION=0.35.0
 # renovate: datasource=docker depName=aquasec/trivy
-ARG TRIVY_VERSION=0.45.0
+ARG TRIVY_VERSION=0.45.1
 ARG COSIGN_SKIP=".*quay.io/kairos/.*"
 # TODO: rename ISO_NAME to something like ARTIFACT_NAME because there are place where we use ISO_NAME to refer to the artifact name
 
@@ -288,6 +288,9 @@ framework:
         ELSE IF [[ "$FLAVOR" =~ -rpi$ ]]
             COPY ./images/rpi/bootargs.cfg /framework/etc/cos/bootargs.cfg
             COPY ./images/rpi/config.txt /framework/boot/config.txt
+        ELSE IF [[ "$FLAVOR" =~ ^fips-systemd* ]]
+            # Use a generic one like redhat which has selinux disabled so it can be used on all flavors??
+            COPY ./images/redhat/bootargs.cfg /framework/etc/cos/bootargs.cfg
         END
     END
 
@@ -644,6 +647,27 @@ iso:
     SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
     SAVE ARTIFACT /build/$ISO_NAME.iso.sha256 kairos.iso.sha256 AS LOCAL build/$ISO_NAME.iso.sha256
 
+
+iso-uki:
+    COPY +version/VERSION ./
+    ARG VERSION=$(cat VERSION)
+    ARG TARGETARCH
+    ARG ISO_NAME=${OS_ID}-${VARIANT}-${FLAVOR}-${TARGETARCH}-${MODEL}-${VERSION}
+    ARG OSBUILDER_IMAGE
+    FROM $OSBUILDER_IMAGE
+    WORKDIR /build
+    COPY +uki/uki.efi /build/uki.efi
+    RUN mkdir -p /build/efi
+    # TODO: Create the img size based ont eh actual efi size!
+    RUN dd if=/dev/zero of=/build/efi/efiboot.img bs=1G count=1
+    RUN mkfs.msdos -F 32 -n 'EFIBOOTISO' /build/efi/efiboot.img
+    RUN mmd -i /build/efi/efiboot.img ::EFI
+    RUN mmd -i /build/efi/efiboot.img ::EFI/BOOT
+    # TODO: TARGETARCH should change the output name to BOOTAA64.EFI in arm64!
+    RUN mcopy -i /build/efi/efiboot.img /build/uki.efi ::EFI/BOOT/BOOTX64.EFI
+    RUN xorriso -as mkisofs -V 'EFI_ISO_BOOT' -e efiboot.img -no-emul-boot -o /build/$ISO_NAME.iso /build/efi/
+    SAVE ARTIFACT /build/$ISO_NAME.iso kairos.iso AS LOCAL build/$ISO_NAME.iso
+
 # This target builds an iso using a remote docker image as rootfs instead of building the whole rootfs
 # This should be really fast as it uses an existing image. This requires a pushed image from the +image target
 # defaults to use the $IMAGE name (so ttl.sh/core-opensuse-leap:latest)
diff --git a/framework-profile.yaml b/framework-profile.yaml
index f2ee740be..470c50f41 100755
--- a/framework-profile.yaml
+++ b/framework-profile.yaml
@@ -174,9 +174,9 @@ repositories:
     priority: 2
     urls:
       - "quay.io/kairos/packages"
-    reference: 20230913100915-repository.yaml
+    reference: 20230915145241-repository.yaml
   - !!merge <<: *kairos
     arch: arm64
     urls:
       - "quay.io/kairos/packages-arm64"
-    reference: 20230913100853-repository.yaml
+    reference: 20230915154712-repository.yaml
diff --git a/tests/assets/live-overlay.tmpl b/tests/assets/live-overlay.tmpl
index 0f03e76b3..d919da2eb 100644
--- a/tests/assets/live-overlay.tmpl
+++ b/tests/assets/live-overlay.tmpl
@@ -6,6 +6,6 @@ install:
   grub_options:
     extra_cmdline: foobarzz
   bundles:
-  - rootfs_path: /usr/local/lib/extensions/kubo
+  - rootfs_path: /var/lib/extensions/kubo
     targets:
     - container://${BUNDLE_IMAGE}
diff --git a/tests/bundles_test.go b/tests/bundles_test.go
index 9f7535502..2c084c4b0 100644
--- a/tests/bundles_test.go
+++ b/tests/bundles_test.go
@@ -70,7 +70,7 @@ var _ = Describe("kairos bundles test", Label("bundles-test"), func() {
 					out, _ = vm.Sudo("cat /oem/90_custom.yaml")
 					result = result + fmt.Sprintf("90_custom.yaml:\n%s\n", out)
 
-					out, _ = vm.Sudo("cat /usr/local/lib/extensions/kubo/usr/lib/extension-release.d/extension-release.kubo")
+					out, _ = vm.Sudo("cat /var/lib/extensions/kubo/usr/lib/extension-release.d/extension-release.kubo")
 					result = result + fmt.Sprintf("extension-release.kubo:\n%s\n", out)
 
 					out, _ = vm.Sudo("systemd-sysext status")