diff --git a/.github/workflows/portage-stable-packages-list b/.github/workflows/portage-stable-packages-list
index fadaeee206a..7e92f85d4a6 100644
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@@ -123,6 +123,7 @@ app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
 app-crypt/mit-krb5
+app-crypt/p11-kit
 app-crypt/pinentry
 app-crypt/rhash
 app-crypt/shash
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest
deleted file mode 100644
index 8b75e07bb5a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/Manifest
+++ /dev/null
@@ -1 +0,0 @@
-DIST p11-kit-0.23.22.tar.xz 830016 BLAKE2B 4e1edfd9e2441d237c07a16c003aee5ffde38f1cf545c26e435645429f2cfa4fe7ca61cdc3c3940390aa040ba991f2ee3995b14cc31bb886d5eeffa8ed5e1721 SHA512 098819e6ca4ad9cc2a0bc2e478aea67354d051a4f03e6c7d75d13d2469b6dc7654f26b15530052f6ed51acb35531c2539e0f971b31e29e6673e857c903afb080
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/README.md b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/README.md
deleted file mode 100644
index 92a30382726..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/README.md
+++ /dev/null
@@ -1,4 +0,0 @@
-We forked this package to fix the systemd user unit directory and bash
-completion directory detection in the cross-compilation scenario.
-
-These fixes could be upstreamed to gentoo.
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml
deleted file mode 100644
index ff17590b69a..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/metadata.xml
+++ /dev/null
@@ -1,15 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
-	<maintainer type="person">
-		<email>zlogene@gentoo.org</email>
-		<name>Mikle Kolyada</name>
-	</maintainer>
-	<use>
-		<flag name="asn1">Enable ASN.1 certificate support</flag>
-		<flag name="trust">Build the trust policy module</flag>
-	</use>
-	<upstream>
-		<remote-id type="github">p11-glue/p11-kit</remote-id>
-	</upstream>
-</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild
deleted file mode 100644
index b36df3db264..00000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/p11-kit/p11-kit-0.23.22.ebuild
+++ /dev/null
@@ -1,69 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-# Flatcar: inherit systemd eclass for the systemd user unit directory
-# getter, and bash-completion-r1 for bash completion directory getter.
-inherit multilib-minimal systemd bash-completion-r1
-
-DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
-HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
-SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="+asn1 debug +libffi systemd +trust"
-REQUIRED_USE="trust? ( asn1 )"
-
-RDEPEND="asn1? ( >=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}] )
-	libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
-	systemd? ( sys-apps/systemd:= )
-	trust? ( app-misc/ca-certificates )"
-DEPEND="${RDEPEND}"
-BDEPEND="virtual/pkgconfig"
-
-pkg_setup() {
-	# disable unsafe tests, bug#502088
-	export FAKED_MODE=1
-}
-
-src_prepare() {
-	if [[ ${CHOST} == *-solaris2.* && ${CHOST##*-solaris2.} -lt 11 ]] ; then
-		# Solaris 10 and before doesn't know about XPG7 (XOPEN_SOURCE=700)
-		# drop to XPG6 to make feature_tests.h happy
-		sed -i -e '/define _XOPEN_SOURCE/s/700/600/' common/compat.c || die
-		# paths.h isn't available, oddly enough also not used albeit included
-		sed -i -e '/#include <paths.h>/d' trust/test-trust.c || die
-		# we don't have SUN_LEN here
-		sed -i -e 's/SUN_LEN \(([^)]\+)\)/strlen (\1->sun_path)/' \
-			p11-kit/server.c || die
-	fi
-	default
-}
-
-multilib_src_configure() {
-	# Flatcar: Override the detection of the systemd user unit
-	# directory and bash completion directory with these
-	# environment variables.
-	local -x systemduserunitdir=$(systemd_get_userunitdir)
-	local -x bashcompdir=$(get_bashcompdir)
-	ECONF_SOURCE="${S}" econf \
-		$(use_enable trust trust-module) \
-		$(use_with trust trust-paths ${EPREFIX}/etc/ssl/certs/ca-certificates.crt) \
-		$(use_enable debug) \
-		$(use_with libffi) \
-		$(use_with asn1 libtasn1) \
-		$(multilib_native_use_with systemd)
-
-	if multilib_is_native_abi; then
-		# re-use provided documentation
-		ln -s "${S}"/doc/manual/html doc/manual/html || die
-	fi
-}
-
-multilib_src_install_all() {
-	einstalldocs
-	find "${D}" -name '*.la' -delete || die
-}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/Manifest b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/Manifest
new file mode 100644
index 00000000000..851345f5f63
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/Manifest
@@ -0,0 +1,2 @@
+DIST p11-kit-0.25.3.tar.xz 991528 BLAKE2B 5c695c1ef95edf4bbbab001aa634076c433df0bc89cb8104deaec2ce00c6908640e467755b49c6900e5d7d5d81e1a3871f4978a212c6f6ae088386ac0b95289a SHA512 ad2d393bf122526cbba18dc9d5a13f2c1cad7d70125ec90ffd02059dfa5ef30ac59dfc0bb9bc6380c8f317e207c9e87e895f1945634f56ddf910c2958868fb4c
+DIST p11-kit-0.25.5.tar.xz 1002056 BLAKE2B 96d6a9c2807586abafae4da4df89f566672733963997d6a83e00aaf83a7a0c0e2995638f505e98fb87a90c60bde28814f1e8b7d5071bf0af96bb0467105a1ddc SHA512 177ec6ff5eb891901078306dce2bf3f5c1a0e5c2a8c493bdf5a08ae1ff1240fdf6952961e973c373f80ac3d1d5a9927e07f4da49e4ff92269d992e744889fc94
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/files/p11-kit-0.25.3-pointer.patch b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/files/p11-kit-0.25.3-pointer.patch
new file mode 100644
index 00000000000..9b316ee2fad
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/files/p11-kit-0.25.3-pointer.patch
@@ -0,0 +1,109 @@
+https://bugs.gentoo.org/918982
+https://github.com/p11-glue/p11-kit/commit/d49c92c8420db6ee4c88515bdb014f68f4d471d9
+
+From d49c92c8420db6ee4c88515bdb014f68f4d471d9 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Sat, 2 Dec 2023 09:24:01 +0900
+Subject: [PATCH] import-object: Avoid integer truncation on 32-bit platforms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The build fails when compiling for 32-bit platforms with
+-Werror=incompatible-pointer-types:
+
+  CFLAGS="-m32 -march=i686 -Werror=incompatible-pointer-types -Werror=implicit -Werror=int-conversion" setarch i686 -- meson setup _build
+  setarch i686 -- meson compile -C _build -v
+  ...
+
+  ../p11-kit/import-object.c: In function ‘add_attrs_pubkey_rsa’:
+  ../p11-kit/import-object.c:223:62: error: passing argument 3 of ‘p11_asn1_read’ from incompatible pointer type [-Werror=incompatible-pointer-types]
+    223 |         attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
+        |                                                              ^~~~~~~~~~~~~~~~~~~~~~~~
+        |                                                              |
+        |                                                              long unsigned int *
+
+Reported by Sam James in:
+https://github.com/p11-glue/p11-kit/issues/608
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ p11-kit/import-object.c | 30 +++++++++++++++++++++++++++---
+ 1 file changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/p11-kit/import-object.c b/p11-kit/import-object.c
+index feee0765..fb47b964 100644
+--- a/p11-kit/import-object.c
++++ b/p11-kit/import-object.c
+@@ -55,6 +55,7 @@
+ #endif
+ 
+ #include <assert.h>
++#include <limits.h>
+ #include <stdbool.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -201,6 +202,7 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
+ 	CK_ATTRIBUTE attr_encrypt = { CKA_ENCRYPT, &tval, sizeof (tval) };
+ 	CK_ATTRIBUTE attr_modulus = { CKA_MODULUS, };
+ 	CK_ATTRIBUTE attr_exponent = { CKA_PUBLIC_EXPONENT, };
++	size_t len = 0;
+ 
+ 	pubkey = p11_asn1_read (info, "subjectPublicKey", &pubkey_len);
+ 	if (pubkey == NULL) {
+@@ -220,17 +222,31 @@ add_attrs_pubkey_rsa (CK_ATTRIBUTE *attrs,
+ 		goto cleanup;
+ 	}
+ 
+-	attr_modulus.pValue = p11_asn1_read (asn, "modulus", &attr_modulus.ulValueLen);
++	attr_modulus.pValue = p11_asn1_read (asn, "modulus", &len);
+ 	if (attr_modulus.pValue == NULL) {
+ 		p11_message (_("failed to obtain modulus"));
+ 		goto cleanup;
+ 	}
++#if ULONG_MAX < SIZE_MAX
++	if (len > ULONG_MAX) {
++		p11_message (_("failed to obtain modulus"));
++		goto cleanup;
++	}
++#endif
++	attr_modulus.ulValueLen = len;
+ 
+-	attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &attr_exponent.ulValueLen);
++	attr_exponent.pValue = p11_asn1_read (asn, "publicExponent", &len);
+ 	if (attr_exponent.pValue == NULL) {
+ 		p11_message (_("failed to obtain exponent"));
+ 		goto cleanup;
+ 	}
++#if ULONG_MAX < SIZE_MAX
++	if (len > ULONG_MAX) {
++		p11_message (_("failed to obtain exponent"));
++		goto cleanup;
++	}
++#endif
++	attr_exponent.ulValueLen = len;
+ 
+ 	result = p11_attrs_build (attrs, &attr_key_type, &attr_encrypt, &attr_modulus, &attr_exponent, NULL);
+ 	if (result == NULL) {
+@@ -260,12 +276,20 @@ add_attrs_pubkey_ec (CK_ATTRIBUTE *attrs,
+ 	CK_ATTRIBUTE attr_key_type = { CKA_KEY_TYPE, &key_type, sizeof (key_type) };
+ 	CK_ATTRIBUTE attr_ec_params = { CKA_EC_PARAMS, };
+ 	CK_ATTRIBUTE attr_ec_point = { CKA_EC_POINT, };
++	size_t len = 0;
+ 
+-	attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &attr_ec_params.ulValueLen);
++	attr_ec_params.pValue = p11_asn1_read (info, "algorithm.parameters", &len);
+ 	if (attr_ec_params.pValue == NULL) {
+ 		p11_message (_("failed to obtain EC parameters"));
+ 		goto cleanup;
+ 	}
++#if ULONG_MAX < SIZE_MAX
++	if (len > ULONG_MAX) {
++		p11_message (_("failed to obtain EC parameters"));
++		goto cleanup;
++	}
++#endif
++	attr_ec_params.ulValueLen = len;
+ 
+ 	/* subjectPublicKey is read as BIT STRING value which contains
+ 	 * EC point data. We need to DER encode this data as OCTET STRING.
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/metadata.xml b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/metadata.xml
new file mode 100644
index 00000000000..91df1af79aa
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/metadata.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+	<upstream>
+		<remote-id type="github">p11-glue/p11-kit</remote-id>
+	</upstream>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.3-r2.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.3-r2.ebuild
new file mode 100644
index 00000000000..f27bbaf48cf
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.3-r2.ebuild
@@ -0,0 +1,77 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+inherit bash-completion-r1 meson-multilib python-any-r1
+
+DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
+HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
+SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="+libffi gtk-doc nls systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	app-misc/ca-certificates
+	>=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}]
+	libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	${PYTHON_DEPS}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	virtual/pkgconfig
+	gtk-doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+"
+
+PATCHES=(
+	"${FILESDIR}"/p11-kit-0.25.3-pointer.patch
+)
+
+src_prepare() {
+	default
+
+	# Relies on dlopen which won't work for multilib tests (bug #913971)
+	cat <<-EOF > "${S}"/p11-kit/test-server.sh || die
+	#!/bin/sh
+	exit 77
+	EOF
+}
+
+multilib_src_configure() {
+	# Disable unsafe tests, bug#502088
+	export FAKED_MODE=1
+
+	local native_file="${T}"/meson.${CHOST}.${ABI}.ini.local
+
+	# p11-kit doesn't need this to build and castxml needs Clang. To get
+	# a deterministic non-automagic build, always disable the search for
+	# castxml.
+	cat >> ${native_file} <<-EOF || die
+	[binaries]
+	castxml='castxml-falseified'
+	EOF
+
+	local emesonargs=(
+		--native-file "${native_file}"
+		-Dbashcompdir="$(get_bashcompdir)"
+		-Dtrust_module=enabled
+		-Dtrust_paths="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+		$(meson_feature libffi)
+		$(meson_use nls)
+		$(meson_use test)
+		$(meson_native_use_bool gtk-doc gtk_doc)
+		$(meson_native_true man)
+		$(meson_native_use_feature systemd)
+	)
+
+	meson_src_configure
+}
diff --git a/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.5.ebuild b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.5.ebuild
new file mode 100644
index 00000000000..0c23a73251f
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/p11-kit/p11-kit-0.25.5.ebuild
@@ -0,0 +1,73 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..13} )
+inherit bash-completion-r1 meson-multilib python-any-r1
+
+DESCRIPTION="Provides a standard configuration setup for installing PKCS#11"
+HOMEPAGE="https://p11-glue.github.io/p11-glue/p11-kit.html"
+SRC_URI="https://github.com/p11-glue/p11-kit/releases/download/${PV}/${P}.tar.xz"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="+libffi gtk-doc nls systemd test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	app-misc/ca-certificates
+	>=dev-libs/libtasn1-3.4:=[${MULTILIB_USEDEP}]
+	libffi? ( dev-libs/libffi:=[${MULTILIB_USEDEP}] )
+	systemd? ( sys-apps/systemd:= )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+	${PYTHON_DEPS}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	virtual/pkgconfig
+	gtk-doc? ( dev-util/gtk-doc )
+	nls? ( sys-devel/gettext )
+"
+
+src_prepare() {
+	default
+
+	# Relies on dlopen which won't work for multilib tests (bug #913971)
+	cat <<-EOF > "${S}"/p11-kit/test-server.sh || die
+	#!/bin/sh
+	exit 77
+	EOF
+}
+
+multilib_src_configure() {
+	# Disable unsafe tests, bug#502088
+	export FAKED_MODE=1
+
+	local native_file="${T}"/meson.${CHOST}.${ABI}.ini.local
+
+	# p11-kit doesn't need this to build and castxml needs Clang. To get
+	# a deterministic non-automagic build, always disable the search for
+	# castxml.
+	cat >> ${native_file} <<-EOF || die
+	[binaries]
+	castxml='castxml-falseified'
+	EOF
+
+	local emesonargs=(
+		--native-file "${native_file}"
+		-Dbashcompdir="$(get_bashcompdir)"
+		-Dtrust_module=enabled
+		-Dtrust_paths="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
+		$(meson_feature libffi)
+		$(meson_use nls)
+		$(meson_use test)
+		$(meson_native_use_bool gtk-doc gtk_doc)
+		$(meson_native_true man)
+		$(meson_native_use_feature systemd)
+	)
+
+	meson_src_configure
+}