diff --git a/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md b/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md
new file mode 100644
index 00000000000..64d37e1302e
--- /dev/null
+++ b/changelog/security/2023-08-01-linux-firmware-20230625_p20230724.md
@@ -0,0 +1 @@
+- linux-firmware ([CVE-2023-20593](https://nvd.nist.gov/vuln/detail/CVE-2023-20593))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
index 64dce521c71..1b49142ee60 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/make.defaults
@@ -62,10 +62,12 @@ USE="${USE} bindist"
 #
 # netperf - license for net-analyzer/netperf
 # no-source-code - license for sys-kernel/coreos-firmware
+# linux-fw-redistributable - license for sys-kernel/coreos-firmware
 # freedist - license for sys-kernel/coreos-kernel
 # BSD-2-Clause-Patent - license for sys-firmware/edk2-aarch64
 # intel-ucode - license for sys-firmware/intel-microcode
-ACCEPT_LICENSE="${ACCEPT_LICENSE} netperf no-source-code freedist BSD-2-Clause-Patent intel-ucode"
+ACCEPT_LICENSE="${ACCEPT_LICENSE} netperf no-source-code
+ linux-fw-redistributable freedist BSD-2-Clause-Patent intel-ucode"
 
 # Favor our own mirrors over Gentoo's
 GENTOO_MIRRORS="
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
index ff46bac4dae..fa71770299b 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
@@ -1 +1 @@
-DIST linux-firmware-20230625.tar.xz 280854212 BLAKE2B 8ad8ce864e2a7b7d542569f5171ae0a7d9b05a1d55a04c507dbfb1939a60507ac8275eef24a165814aca8fdf93e6dbf3f7fbeaf25a8f46f022ca47b7b512401d SHA512 0e48aa7f63495485426d37491c7cb61843165625bd47f912c5d83628c6de871759f1a78be3af3d651f7c396bd87dff07e21ba7afc47896c1c143106d5f16d351
+DIST linux-firmware-20230625_p20230724.tar.gz 441906566 BLAKE2B 5bed31d9ad78440bb12feeacb1ba27a07ad30b0eb8c7bfd03a4e7a7590012af1f9535a49fbf031abf79dd05ca90be79566f06db6f955910edfdca61281831c67 SHA512 daaf07422eb6f3e1b50f8a5dba5bfff747fe6750c0210ab798745f61d774eef7642ab45b9b404c668cf017d6b7fcf89c34bce9e6c77053b1b81f1a3498c5be18
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625_p20230724.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20230625_p20230724.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
index 49f3564d48a..a14b76a9a3d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
@@ -1,64 +1,100 @@ -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -# Tell linux-info where to find the kernel source/build +# Flatcar: Tell linux-info where to find the kernel source/build KERNEL_DIR="${SYSROOT%/}/usr/src/linux" KBUILD_OUTPUT="${SYSROOT%/}/var/cache/portage/sys-kernel/coreos-kernel" inherit linux-info savedconfig # In case this is a real snapshot, fill in commit below. # For normal, tagged releases, leave blank -MY_COMMIT= +MY_COMMIT="59fbffa9ec8e4b0b31d2d13e715cf6580ad0e99c" +# Flatcar: use linux-firmware instead of ${PN}, coreos-firmware to avoid naming conflicts. if [[ ${PV} == 99999999* ]]; then inherit git-r3 EGIT_REPO_URI="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" else if [[ -n "${MY_COMMIT}" ]]; then SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/${MY_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz" + S="${WORKDIR}/${MY_COMMIT}" else SRC_URI="https://mirrors.edge.kernel.org/pub/linux/kernel/firmware/linux-firmware-${PV}.tar.xz -> linux-firmware-${PV}.tar.xz" fi - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~mips ppc ppc64 s390 sparc x86" + KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" fi DESCRIPTION="Linux firmware files" HOMEPAGE="https://git.kernel.org/?p=linux/kernel/git/firmware/linux-firmware.git" LICENSE="GPL-2 GPL-2+ GPL-3 BSD MIT || ( MPL-1.1 GPL-2 ) - BSD-2 BSD BSD-4 ISC MIT no-source-code" + redistributable? ( linux-fw-redistributable BSD-2 BSD BSD-4 ISC MIT ) + unknown-license? ( all-rights-reserved )" SLOT="0" -IUSE="savedconfig" +IUSE="compress-xz compress-zstd initramfs +redistributable savedconfig unknown-license" +REQUIRED_USE="initramfs? ( redistributable ) + ?? 
( compress-xz compress-zstd )" -CDEPEND=">=sys-kernel/coreos-modules-4.6.3-r1:=" -DEPEND="${CDEPEND} - sys-kernel/coreos-sources" +RESTRICT="binchecks strip test + unknown-license? ( bindist )" + +BDEPEND="initramfs? ( app-arch/cpio ) + compress-xz? ( app-arch/xz-utils ) + compress-zstd? ( app-arch/zstd )" + +# Flatcar: depend on Kernel source and modules +DEPEND=">=sys-kernel/coreos-modules-6.1:= + sys-kernel/coreos-sources" #add anything else that collides to this RDEPEND="!savedconfig? ( - !sys-firmware/alsa-firmware[alsa_cards_ca0132] - !sys-firmware/alsa-firmware[alsa_cards_korg1212] - !sys-firmware/alsa-firmware[alsa_cards_maestro3] - !sys-firmware/alsa-firmware[alsa_cards_sb16] - !sys-firmware/alsa-firmware[alsa_cards_ymfpci] - !net-dialup/ueagle-atm - !net-dialup/ueagle4-atm - !sys-block/qla-fc-firmware - !sys-firmware/iwl1000-ucode - !sys-firmware/iwl6005-ucode - !sys-firmware/iwl6030-ucode - !sys-firmware/iwl6050-ucode - !sys-firmware/iwl3160-ucode - !sys-firmware/iwl7260-ucode - !sys-firmware/iwl3160-7260-bt-ucode + redistributable? ( + !sys-firmware/alsa-firmware[alsa_cards_ca0132] + !sys-block/qla-fc-firmware + !sys-firmware/iwl1000-ucode + !sys-firmware/iwl6005-ucode + !sys-firmware/iwl6030-ucode + !sys-firmware/iwl3160-ucode + !sys-firmware/iwl7260-ucode + !sys-firmware/iwl3160-7260-bt-ucode + !sys-firmware/raspberrypi-wifi-ucode + ) + unknown-license? 
( + !sys-firmware/alsa-firmware[alsa_cards_korg1212] + !sys-firmware/alsa-firmware[alsa_cards_maestro3] + !sys-firmware/alsa-firmware[alsa_cards_sb16] + !sys-firmware/alsa-firmware[alsa_cards_ymfpci] + ) )" -RESTRICT="binchecks strip" +QA_PREBUILT="*" -# source name is linux-firmware, not coreos-firmware +# Flatcar: source name is linux-firmware, not coreos-firmware S="${WORKDIR}/linux-firmware-${PV}" +pkg_setup() { + if use compress-xz || use compress-zstd ; then + local CONFIG_CHECK + + if kernel_is -ge 5 19; then + use compress-xz && CONFIG_CHECK="~FW_LOADER_COMPRESS_XZ" + use compress-zstd && CONFIG_CHECK="~FW_LOADER_COMPRESS_ZSTD" + else + use compress-xz && CONFIG_CHECK="~FW_LOADER_COMPRESS" + if use compress-zstd; then + eerror "Kernels <5.19 do not support ZSTD-compressed firmware files" + fi + fi + linux-info_pkg_setup + fi +} + +pkg_pretend() { + use initramfs && mount-boot_pkg_pretend +} + +# Flatcar: create symlinks for cxgb and ice firmwares CXGB_VERSION="1.27.3.0" ICE_DDP_VERSION="1.3.30.0" @@ -67,7 +103,14 @@ src_unpack() { git-r3_src_unpack else default - # Upstream linux-firmware tarball does not contain + # rename directory from git snapshot tarball + # Flatcar: move a correct directory ${MY_COMMIT}, as defined + # above in ${S}. + if [[ ${#MY_COMMIT} -gt 8 ]]; then + mv ${MY_COMMIT}/ linux-firmware-${PV} || die + fi + + # Flatcar: Upstream linux-firmware tarball does not contain # symlinks for cxgb4 firmware files, but "modinfo # cxgb4.ko" shows it requires t?fw.bin files. These # normally are installed by the copy-firmware.sh 
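Review bot: pkg_pretend calls `mount-boot_pkg_pretend`, and the pkg_preinst/pkg_postinst/pkg_prerm/pkg_postrm hunk at the end of the file calls the matching hooks, yet the unchanged `inherit linux-info savedconfig` line never pulls in mount-boot, so with USE=initramfs every one of those phases invokes a function that does not exist. Either make it `inherit linux-info mount-boot savedconfig` or drop `initramfs` from IUSE together with its REQUIRED_USE and BDEPEND entries; since the Flatcar src_install is described later as a simplified variant of Gentoo's, the flag appears to have nothing to drive here and removing it looks like the cleaner fix. The `S="${WORKDIR}/${MY_COMMIT}"` assigned in the snapshot branch is dead code, because the unconditional `S="${WORKDIR}/linux-firmware-${PV}"` further down wins and src_unpack renames the extracted directory to match it; delete the dead assignment or replace it with a comment saying the snapshot directory is moved into place in src_unpack. The cgit snapshot SRC_URI is an unchanged line, but it is worth a comment that generated snapshot tarballs are not guaranteed byte-stable, so the Manifest hashes pin a download that may need regenerating if the server's archive output changes.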
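Review bot: `mv ${MY_COMMIT}/ linux-firmware-${PV} || die` in src_unpack leaves both paths unquoted and tests `${#MY_COMMIT} -gt 8` where the rest of the file asks `-n "${MY_COMMIT}"`; `if [[ -n "${MY_COMMIT}" ]]; then mv "${MY_COMMIT}/" "linux-firmware-${PV}" || die; fi` keeps the two checks consistent. The comment above it says the directory is "as defined above in ${S}", but S is set unconditionally to `${WORKDIR}/linux-firmware-${PV}` before this phase runs, so the comment should say the cgit snapshot extracts to ${MY_COMMIT} and is renamed to match S. src_unpack continues past the end of the hunk.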
@@ -82,27 +125,17 @@ src_unpack() { ln -sfn t5fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t5fw.bin ln -sfn t6fw-${CXGB_VERSION}.bin linux-firmware-${PV}/cxgb4/t6fw.bin - # Upstream linux-firmware tarball does not contain + # Flatcar: Upstream linux-firmware tarball does not contain # a correct symlink to intel/ice/ddp/ice-1.3.28.0.pkg, # but "modinfo ice.ko" shows it requires ice.pkg. # So we need to create the symlink to avoid failures at the # firmware scanning stage. ln -sfn ice-${ICE_DDP_VERSION}.pkg linux-firmware-${PV}/intel/ice/ddp/ice.pkg - - # The xhci-pci.ko kernel module started requiring a - # renesas_usb_fw.mem firmware file, but this file is - # nowhere to be found in the tarball. So we just fake - # the existence of the firmware, so the firmware - # scanning stage won't fail. Obviously, this means - # that if someone is going to use this specific - # renesas controller that requires the firmware, it - # won't work. Hopefully that file appears at some - # point in the tarball. - touch "linux-firmware-${PV}/renesas_usb_fw.mem" fi } src_prepare() { + # Flatcar: generate a list of firmware local kernel_mods="${SYSROOT%/}/lib/modules/${KV_FULL}" # Fail if any firmware is missing. 
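Review bot: The comment this hunk re-labels still points at `intel/ice/ddp/ice-1.3.28.0.pkg` while the `ln -sfn` below it uses ICE_DDP_VERSION, which the context earlier in the file sets to 1.3.30.0; writing it as `# a correct symlink to intel/ice/ddp/ice-${ICE_DDP_VERSION}.pkg,` stops it going stale on the next bump. Removing the `touch "linux-firmware-${PV}/renesas_usb_fw.mem"` workaround is only safe if the new snapshot ships that file or the missing-firmware check in src_prepare (outside this hunk) no longer requires it; a short comment at the removal site naming which of the two holds would save the next bump from rediscovering it. src_unpack starts before this hunk.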
@@ -173,11 +206,156 @@ src_prepare() { # remove empty directories, bug #396073 find -type d -empty -delete || die fi + + # whitelist of misc files + local misc_files=( + copy-firmware.sh + WHENCE + README + ) + + # whitelist of images with a free software license + local free_software=( + # keyspan_pda (GPL-2+) + keyspan_pda/keyspan_pda.fw + keyspan_pda/xircom_pgs.fw + # dsp56k (GPL-2+) + dsp56k/bootstrap.bin + # ath9k_htc (BSD GPL-2+ MIT) + ath9k_htc/htc_7010-1.4.0.fw + ath9k_htc/htc_9271-1.4.0.fw + # pcnet_cs, 3c589_cs, 3c574_cs, serial_cs (dual GPL-2/MPL-1.1) + cis/LA-PCM.cis + cis/PCMLM28.cis + cis/DP83903.cis + cis/NE2K.cis + cis/tamarack.cis + cis/PE-200.cis + cis/PE520.cis + cis/3CXEM556.cis + cis/3CCFEM556.cis + cis/MT5634ZLX.cis + cis/RS-COM-2P.cis + cis/COMpad2.cis + cis/COMpad4.cis + # serial_cs (GPL-3) + cis/SW_555_SER.cis + cis/SW_7xx_SER.cis + cis/SW_8xx_SER.cis + # dvb-ttpci (GPL-2+) + av7110/bootcode.bin + # usbdux, usbduxfast, usbduxsigma (GPL-2+) + usbdux_firmware.bin + usbduxfast_firmware.bin + usbduxsigma_firmware.bin + # brcmfmac (GPL-2+) + brcm/brcmfmac4330-sdio.Prowise-PT301.txt + brcm/brcmfmac43340-sdio.meegopad-t08.txt + brcm/brcmfmac43362-sdio.cubietech,cubietruck.txt + brcm/brcmfmac43362-sdio.lemaker,bananapro.txt + brcm/brcmfmac43430a0-sdio.jumper-ezpad-mini3.txt + "brcm/brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" + brcm/brcmfmac43430-sdio.AP6212.txt + brcm/brcmfmac43430-sdio.Hampoo-D2D3_Vi8A1.txt + brcm/brcmfmac43430-sdio.MUR1DX.txt + brcm/brcmfmac43430-sdio.raspberrypi,3-model-b.txt + brcm/brcmfmac43455-sdio.raspberrypi,3-model-b-plus.txt + brcm/brcmfmac4356-pcie.gpd-win-pocket.txt + # isci (GPL-2) + isci/isci_firmware.bin + # carl9170 (GPL-2+) + carl9170-1.fw + # atusb (GPL-2+) + atusb/atusb-0.2.dfu + atusb/atusb-0.3.dfu + atusb/rzusb-0.3.bin + # mlxsw_spectrum (dual BSD/GPL-2) + mellanox/mlxsw_spectrum-13.1420.122.mfa2 + mellanox/mlxsw_spectrum-13.1530.152.mfa2 + mellanox/mlxsw_spectrum-13.1620.192.mfa2 + 
mellanox/mlxsw_spectrum-13.1702.6.mfa2 + mellanox/mlxsw_spectrum-13.1703.4.mfa2 + mellanox/mlxsw_spectrum-13.1910.622.mfa2 + mellanox/mlxsw_spectrum-13.2000.1122.mfa2 + ) + + # blacklist of images with unknown license + # Flatcar: remove Alteon AceNIC drivers from unknown_license to install + # the firmware files: acenic/tg?.bin. + local unknown_license=( + korg/k1212.dsp + ess/maestro3_assp_kernel.fw + ess/maestro3_assp_minisrc.fw + yamaha/ds1_ctrl.fw + yamaha/ds1_dsp.fw + yamaha/ds1e_ctrl.fw + ttusb-budget/dspbootcode.bin + emi62/bitstream.fw + emi62/loader.fw + emi62/midi.fw + emi62/spdif.fw + ti_3410.fw + ti_5052.fw + mts_mt9234mu.fw + mts_mt9234zba.fw + whiteheat.fw + whiteheat_loader.fw + cpia2/stv0672_vp4.bin + vicam/firmware.fw + edgeport/boot.fw + edgeport/boot2.fw + edgeport/down.fw + edgeport/down2.fw + edgeport/down3.bin + sb16/mulaw_main.csp + sb16/alaw_main.csp + sb16/ima_adpcm_init.csp + sb16/ima_adpcm_playback.csp + sb16/ima_adpcm_capture.csp + sun/cassini.bin + adaptec/starfire_rx.bin + adaptec/starfire_tx.bin + yam/1200.bin + yam/9600.bin + ositech/Xilinx7OD.bin + qlogic/isp1000.bin + myricom/lanai.bin + yamaha/yss225_registers.bin + lgs8g75.fw + ) + + if use !unknown-license; then + einfo "Removing files with unknown license ..." + # Flatcar: do not die even if no such license file is there. + rm -v "${unknown_license[@]}" + fi + + if use !redistributable; then + # remove files _not_ in the free_software or unknown_license lists + # everything else is confirmed (or assumed) to be redistributable + # based on upstream acceptance policy + einfo "Removing non-redistributable files ..." + local OLDIFS="${IFS}" + local IFS=$'\n' + set -o pipefail + find ! 
-type d -printf "%P\n" \ + | grep -Fvx -e "${misc_files[*]}" -e "${free_software[*]}" -e "${unknown_license[*]}" \ + | xargs -d '\n' --no-run-if-empty rm -v + + [[ ${?} -ne 0 ]] && die "Failed to remove non-redistributable files" + + IFS="${OLDIFS}" + fi + + restore_config ${PN}.conf } src_install() { - # Flatcar: Don't save the firmware config to /etc/portage/savedconfig/ - # if use !savedconfig; then + # Flatcar: take a simplified approach instead of cumbersome installation + # like done in Gentoo. + # + # Don't save the firmware config to /etc/portage/savedconfig/ + # if we use !savedconfig; then # save_config ${PN}.conf # fi rm ${PN}.conf || die @@ -189,9 +367,41 @@ pkg_preinst() { if use savedconfig; then ewarn "USE=savedconfig is active. You must handle file collisions manually." fi + + # Fix 'symlink is blocked by a directory' Bug #871315 + if has_version "<${CATEGORY}/${PN}-20220913-r2" ; then + rm -rf "${EROOT}"/lib/firmware/qcom/LENOVO/21BX + fi + + # Make sure /boot is available if needed. + use initramfs && mount-boot_pkg_preinst } pkg_postinst() { elog "If you are only interested in particular firmware files, edit the saved" elog "configfile and remove those that you do not want." + + local ver + for ver in ${REPLACING_VERSIONS}; do + if ver_test ${ver} -lt 20190514; then + elog + elog 'Starting with version 20190514, installation of many firmware' + elog 'files is controlled by USE flags. Please review your USE flag' + elog 'and package.license settings if you are missing some files.' + break + fi + done + + # Don't forget to umount /boot if it was previously mounted by us. + use initramfs && mount-boot_pkg_postinst +} + +pkg_prerm() { + # Make sure /boot is mounted so that we can remove /boot/amd-uc.img! + use initramfs && mount-boot_pkg_prerm +} + +pkg_postrm() { + # Don't forget to umount /boot if it was previously mounted by us. + use initramfs && mount-boot_pkg_postrm }
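Review bot: `rm -v "${unknown_license[@]}"` drops the `|| die` so that absent entries do not abort, but that also swallows every other failure and still prints one error per missing file; `rm -fv "${unknown_license[@]}" || die` states the intent exactly, because `-f` ignores nonexistent paths while permission or I/O errors still stop the build. `set -o pipefail` enabled before the find pipeline is never turned back off, so it remains in force for the rest of src_prepare including `restore_config`; running the pipeline in a subshell or adding `set +o pipefail` after the status check keeps the effect local. The Flatcar comment that drops the Alteon AceNIC images from unknown_license should also record the license basis for shipping acenic/tg?.bin with USE=unknown-license off, since with `bindist` enabled in the profile that is a redistribution decision rather than a packaging detail. src_prepare starts before this hunk.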