diff --git a/apex/sign_virt_apex.py b/apex/sign_virt_apex.py
index a975be0..b21a355 100644
--- a/apex/sign_virt_apex.py
+++ b/apex/sign_virt_apex.py
@@ -108,6 +108,7 @@
         action='store_true',
         help='This will NOT update the vbmeta related bootconfigs while signing the apex.\
             Used for testing only!!')
+    parser.add_argument('--do_not_validate_avb_version', action='store_true', help='Do not validate the avb_version when updating vbmeta bootconfig. Only use in tests!')
     args = parser.parse_args(argv)
     # preprocess --key_override into a map
     args.key_overrides = {}
@@ -328,7 +329,8 @@
             detach_bootconfigs(initrd, tmp_initrd, tmp_bc)
             bc_file = open(tmp_bc, "rt", encoding="utf-8")
             bc_data = bc_file.read()
-            validate_avb_version(bc_data)
+            if not args.do_not_validate_avb_version:
+                validate_avb_version(bc_data)
             bc_data = update_vbmeta_digest(bc_data)
             bc_data = update_vbmeta_size(bc_data)
             bc_file.close()
diff --git a/libs/bssl/src/aead.rs b/libs/bssl/src/aead.rs
index e0c9fbb..1ac2c22 100644
--- a/libs/bssl/src/aead.rs
+++ b/libs/bssl/src/aead.rs
@@ -18,8 +18,8 @@
 use bssl_avf_error::{ApiName, Result};
 use bssl_ffi::{
     EVP_AEAD_CTX_free, EVP_AEAD_CTX_new, EVP_AEAD_CTX_open, EVP_AEAD_CTX_seal,
-    EVP_AEAD_max_overhead, EVP_AEAD_nonce_length, EVP_aead_aes_256_gcm, EVP_AEAD, EVP_AEAD_CTX,
-    EVP_AEAD_DEFAULT_TAG_LENGTH,
+    EVP_AEAD_max_overhead, EVP_AEAD_nonce_length, EVP_aead_aes_256_gcm,
+    EVP_aead_aes_256_gcm_randnonce, EVP_AEAD, EVP_AEAD_CTX, EVP_AEAD_DEFAULT_TAG_LENGTH,
 };
 use core::ptr::NonNull;
 
@@ -51,6 +51,17 @@
         Self(unsafe { &*p })
     }
 
+    /// AES-256 in Galois Counter Mode with internal nonce generation.
+    /// The 12-byte nonce is appended to the tag and is generated internally.
+    pub fn aes_256_gcm_randnonce() -> Self {
+        // SAFETY: This function does not access any Rust variables and simply returns
+        // a pointer to the static variable in BoringSSL.
+        let p = unsafe { EVP_aead_aes_256_gcm_randnonce() };
+        // SAFETY: The returned pointer should always be valid and points to a static
+        // `EVP_AEAD`.
+        Self(unsafe { &*p })
+    }
+
     /// Returns the maximum number of additional bytes added by the act of sealing data.
     pub fn max_overhead(&self) -> usize {
         // SAFETY: This function only reads from self.
diff --git a/libs/bssl/tests/eckey_test.rs b/libs/bssl/tests/eckey_test.rs
index 9c7eb4f..3c0e45d 100644
--- a/libs/bssl/tests/eckey_test.rs
+++ b/libs/bssl/tests/eckey_test.rs
@@ -15,8 +15,8 @@
 use bssl_avf::{sha256, ApiName, Digester, EcKey, EcdsaError, Error, PKey, Result};
 use coset::CborSerializable;
 use spki::{
-    der::{AnyRef, Decode},
-    AlgorithmIdentifier, ObjectIdentifier, SubjectPublicKeyInfo,
+    der::{AnyRef, Decode, Encode},
+    AlgorithmIdentifier, ObjectIdentifier, SubjectPublicKeyInfoRef,
 };
 
 /// OID value for general-use NIST EC keys held in PKCS#8 and X.509; see RFC 5480 s2.1.1.
@@ -46,13 +46,14 @@
     let pkey: PKey = ec_key.try_into()?;
     let subject_public_key_info = pkey.subject_public_key_info()?;
 
-    let subject_public_key_info = SubjectPublicKeyInfo::from_der(&subject_public_key_info).unwrap();
+    let subject_public_key_info =
+        SubjectPublicKeyInfoRef::from_der(&subject_public_key_info).unwrap();
     let expected_algorithm = AlgorithmIdentifier {
         oid: X509_NIST_OID,
         parameters: Some(AnyRef::from(&ALGO_PARAM_P256_OID)),
     };
     assert_eq!(expected_algorithm, subject_public_key_info.algorithm);
-    assert!(!subject_public_key_info.subject_public_key.to_vec().is_empty());
+    assert!(!subject_public_key_info.subject_public_key.to_der().unwrap().is_empty());
     Ok(())
 }
 
diff --git a/libs/libfdt/src/lib.rs b/libs/libfdt/src/lib.rs
index aae75f7..7eb08b2 100644
--- a/libs/libfdt/src/lib.rs
+++ b/libs/libfdt/src/lib.rs
@@ -527,6 +527,32 @@
             Ok(None)
         }
     }
+
+    /// Returns the subnode of the given name. The name doesn't need to be nul-terminated.
+    pub fn subnode(&self, name: &CStr) -> Result<Option<Self>> {
+        let offset = self.subnode_offset(name.to_bytes())?;
+        Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
+    }
+
+    /// Returns the subnode of the given name bytes
+    pub fn subnode_with_name_bytes(&self, name: &[u8]) -> Result<Option<Self>> {
+        let offset = self.subnode_offset(name)?;
+        Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
+    }
+
+    fn subnode_offset(&self, name: &[u8]) -> Result<Option<c_int>> {
+        let namelen = name.len().try_into().unwrap();
+        // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
+        let ret = unsafe {
+            libfdt_bindgen::fdt_subnode_offset_namelen(
+                self.fdt.as_ptr(),
+                self.offset,
+                name.as_ptr().cast::<_>(),
+                namelen,
+            )
+        };
+        fdt_err_or_option(ret)
+    }
 }
 
 impl<'a> PartialEq for FdtNode<'a> {
@@ -751,24 +777,38 @@
         fdt_err(ret)
     }
 
-    /// Returns the subnode of the given name with len.
-    pub fn subnode_with_namelen(&'a mut self, name: &CStr, namelen: usize) -> Result<Option<Self>> {
-        let offset = self.subnode_offset(&name.to_bytes()[..namelen])?;
-        Ok(offset.map(|offset| Self { fdt: self.fdt, offset }))
+    /// Returns the first subnode of this
+    pub fn first_subnode(&'a mut self) -> Result<Option<Self>> {
+        // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+        let ret = unsafe { libfdt_bindgen::fdt_first_subnode(self.fdt.as_ptr(), self.offset) };
+
+        Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
     }
 
-    fn subnode_offset(&self, name: &[u8]) -> Result<Option<c_int>> {
-        let namelen = name.len().try_into().unwrap();
-        // SAFETY: Accesses are constrained to the DT totalsize (validated by ctor).
-        let ret = unsafe {
-            libfdt_bindgen::fdt_subnode_offset_namelen(
-                self.fdt.as_ptr(),
-                self.offset,
-                name.as_ptr().cast::<_>(),
-                namelen,
-            )
-        };
-        fdt_err_or_option(ret)
+    /// Returns the next subnode that shares the same parent with this
+    pub fn next_subnode(self) -> Result<Option<Self>> {
+        // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+        let ret = unsafe { libfdt_bindgen::fdt_next_subnode(self.fdt.as_ptr(), self.offset) };
+
+        Ok(fdt_err_or_option(ret)?.map(|offset| Self { fdt: self.fdt, offset }))
+    }
+
+    /// Deletes the current node and returns the next subnode
+    pub fn delete_and_next_subnode(mut self) -> Result<Option<Self>> {
+        // SAFETY: Accesses (read-only) are constrained to the DT totalsize.
+        let ret = unsafe { libfdt_bindgen::fdt_next_subnode(self.fdt.as_ptr(), self.offset) };
+
+        let next_offset = fdt_err_or_option(ret)?;
+
+        if Some(self.offset) == next_offset {
+            return Err(FdtError::Internal);
+        }
+
+        // SAFETY: nop_self() only touches bytes of the self and its properties and subnodes, and
+        // doesn't alter any other blob in the tree. self.fdt and next_offset would remain valid.
+        unsafe { self.nop_self()? };
+
+        Ok(next_offset.map(|offset| Self { fdt: self.fdt, offset }))
     }
 
     fn parent(&'a self) -> Result<FdtNode<'a>> {
diff --git a/libs/libfdt/tests/api_test.rs b/libs/libfdt/tests/api_test.rs
index d5d6ece..e68557f 100644
--- a/libs/libfdt/tests/api_test.rs
+++ b/libs/libfdt/tests/api_test.rs
@@ -262,14 +262,15 @@
     let subnode_name = cstr!("123456789");
 
     for len in 0..subnode_name.to_bytes().len() {
-        let mut node = fdt.node_mut(node_path).unwrap().unwrap();
-        assert!(node.subnode_with_namelen(subnode_name, len).unwrap().is_none());
+        let name = &subnode_name.to_bytes()[0..len];
+        let node = fdt.node(node_path).unwrap().unwrap();
+        assert_eq!(Ok(None), node.subnode_with_name_bytes(name));
 
         let mut node = fdt.node_mut(node_path).unwrap().unwrap();
         node.add_subnode_with_namelen(subnode_name, len).unwrap();
 
-        let mut node = fdt.node_mut(node_path).unwrap().unwrap();
-        assert!(node.subnode_with_namelen(subnode_name, len).unwrap().is_some());
+        let node = fdt.node(node_path).unwrap().unwrap();
+        assert_ne!(Ok(None), node.subnode_with_name_bytes(name));
     }
 
     let node_path = node_path.to_str().unwrap();
@@ -283,6 +284,48 @@
 }
 
 #[test]
+fn node_subnode() {
+    let data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
+    let fdt = Fdt::from_slice(&data).unwrap();
+
+    let name = cstr!("node_a");
+    let root = fdt.root().unwrap();
+    let node = root.subnode(name).unwrap();
+    assert_ne!(None, node);
+    let node = node.unwrap();
+
+    assert_eq!(Ok(name), node.name());
+}
+
+#[test]
+fn node_subnode_with_name_bytes() {
+    let data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
+    let fdt = Fdt::from_slice(&data).unwrap();
+
+    let name = b"node_aaaaa";
+    let root = fdt.root().unwrap();
+    let node = root.subnode_with_name_bytes(&name[0..6]).unwrap();
+    assert_ne!(None, node);
+    let node = node.unwrap();
+
+    assert_eq!(Ok(cstr!("node_a")), node.name());
+}
+
+#[test]
+fn node_subnode_borrow_checker() {
+    let data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
+    let fdt = Fdt::from_slice(&data).unwrap();
+
+    let name = cstr!("node_a");
+    let node = {
+        let root = fdt.root().unwrap();
+        root.subnode(name).unwrap().unwrap()
+    };
+
+    assert_eq!(Ok(name), node.name());
+}
+
+#[test]
 fn fdt_symbols() {
     let mut data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
     let fdt = Fdt::from_mut_slice(&mut data).unwrap();
@@ -328,3 +371,31 @@
         ]
     );
 }
+
+#[test]
+fn node_mut_delete_and_next_subnode() {
+    let mut data = fs::read(TEST_TREE_PHANDLE_PATH).unwrap();
+    let fdt = Fdt::from_mut_slice(&mut data).unwrap();
+
+    let mut root = fdt.root_mut().unwrap();
+    let mut subnode_iter = root.first_subnode().unwrap();
+
+    while let Some(subnode) = subnode_iter {
+        if subnode.as_node().name() == Ok(cstr!("node_z")) {
+            subnode_iter = subnode.delete_and_next_subnode().unwrap();
+        } else {
+            subnode_iter = subnode.next_subnode().unwrap();
+        }
+    }
+
+    let root = fdt.root().unwrap();
+    let expected_names = vec![
+        Ok(cstr!("node_a")),
+        Ok(cstr!("node_b")),
+        Ok(cstr!("node_c")),
+        Ok(cstr!("__symbols__")),
+    ];
+    let subnode_names: Vec<_> = root.subnodes().unwrap().map(|node| node.name()).collect();
+
+    assert_eq!(expected_names, subnode_names);
+}
diff --git a/pvmfw/src/config.rs b/pvmfw/src/config.rs
index 2fe4ec9..3f78a88 100644
--- a/pvmfw/src/config.rs
+++ b/pvmfw/src/config.rs
@@ -19,11 +19,10 @@
 use core::num::NonZeroUsize;
 use core::ops::Range;
 use core::result;
-use core::slice;
 use log::{info, warn};
 use static_assertions::const_assert_eq;
 use vmbase::util::RangeExt;
-use zerocopy::{FromBytes, FromZeroes, LayoutVerified};
+use zerocopy::{FromBytes, FromZeroes};
 
 /// Configuration data header.
 #[repr(C, packed)]
@@ -129,12 +128,14 @@
 
 impl Entry {
     const COUNT: usize = Self::_VARIANT_COUNT as usize;
+
+    const ALL_ENTRIES: [Entry; Self::COUNT] = [Self::Bcc, Self::DebugPolicy, Self::VmDtbo];
 }
 
 #[derive(Default)]
 pub struct Entries<'a> {
     pub bcc: &'a mut [u8],
-    pub debug_policy: Option<&'a mut [u8]>,
+    pub debug_policy: Option<&'a [u8]>,
     pub vm_dtbo: Option<&'a mut [u8]>,
 }
 
@@ -203,7 +204,7 @@
         }
 
         let (header, rest) =
-            LayoutVerified::<_, Header>::new_from_prefix(bytes).ok_or(Error::HeaderMisaligned)?;
+            zerocopy::Ref::<_, Header>::new_from_prefix(bytes).ok_or(Error::HeaderMisaligned)?;
         let header = header.into_ref();
 
         if header.magic != Header::MAGIC {
@@ -230,7 +231,7 @@
         };
 
         let (header_entries, body) =
-            LayoutVerified::<_, [HeaderEntry]>::new_slice_from_prefix(rest, header.entry_count()?)
+            zerocopy::Ref::<_, [HeaderEntry]>::new_slice_from_prefix(rest, header.entry_count()?)
                 .ok_or(Error::BufferTooSmall)?;
 
         // Validate that we won't get an invalid alignment in the following due to padding to u64.
@@ -240,7 +241,7 @@
         let limits = header.body_lowest_bound()?..total_size;
         let mut ranges: [Option<NonEmptyRange>; Entry::COUNT] = [None; Entry::COUNT];
         let mut last_end = 0;
-        for entry in [Entry::Bcc, Entry::DebugPolicy, Entry::VmDtbo] {
+        for entry in Entry::ALL_ENTRIES {
             let Some(header_entry) = header_entries.get(entry as usize) else { continue };
             let entry_offset = header_entry.offset.try_into().unwrap();
             let entry_size = header_entry.size.try_into().unwrap();
@@ -266,36 +267,31 @@
         Ok(Self { body, ranges })
     }
 
-    /// Get slice containing the platform BCC.
-    pub fn get_entries(&mut self) -> Entries<'_> {
-        // This assumes that the blobs are in-order w.r.t. the entries.
-        let bcc_range = self.get_entry_range(Entry::Bcc);
-        let dp_range = self.get_entry_range(Entry::DebugPolicy);
-        let vm_dtbo_range = self.get_entry_range(Entry::VmDtbo);
-        // TODO(b/291191157): Provision device assignment with this.
-        if let Some(vm_dtbo_range) = vm_dtbo_range {
-            info!("Found VM DTBO at {:?}", vm_dtbo_range);
+    /// Locate the various config entries.
+    pub fn get_entries(self) -> Entries<'a> {
+        // We require the blobs to be in the same order as the `Entry` enum (and this is checked
+        // in `new` above)
+        // So we can just work through the body range and split off the parts we are interested in.
+        let mut offset = 0;
+        let mut body = self.body;
+
+        let mut entries: [Option<&mut [u8]>; Entry::COUNT] = Default::default();
+        for (i, range) in self.ranges.iter().enumerate() {
+            if let Some(range) = range {
+                body = &mut body[range.start - offset..];
+                let (chunk, rest) = body.split_at_mut(range.len());
+                offset = range.end();
+                body = rest;
+                entries[i] = Some(chunk);
+            }
         }
+        let [bcc, debug_policy, vm_dtbo] = entries;
 
-        // SAFETY: When instantiated, ranges are validated to be in the body range without
-        // overlapping.
-        let (bcc, debug_policy, vm_dtbo) = unsafe {
-            let ptr = self.body.as_mut_ptr() as usize;
-            (
-                Self::from_raw_range_mut(ptr, bcc_range.unwrap()),
-                dp_range.map(|dp_range| Self::from_raw_range_mut(ptr, dp_range)),
-                vm_dtbo_range.map(|vm_dtbo_range| Self::from_raw_range_mut(ptr, vm_dtbo_range)),
-            )
-        };
+        // The platform BCC has always been required.
+        let bcc = bcc.unwrap();
+
+        // We have no reason to mutate so drop the `mut`.
+        let debug_policy = debug_policy.map(|x| &*x);
         Entries { bcc, debug_policy, vm_dtbo }
     }
-
-    fn get_entry_range(&self, entry: Entry) -> Option<NonEmptyRange> {
-        self.ranges[entry as usize]
-    }
-
-    unsafe fn from_raw_range_mut(ptr: usize, range: NonEmptyRange) -> &'a mut [u8] {
-        // SAFETY: The caller must ensure that the range is valid from ptr.
-        unsafe { slice::from_raw_parts_mut((ptr + range.start) as *mut u8, range.len()) }
-    }
 }
diff --git a/pvmfw/src/crypto.rs b/pvmfw/src/crypto.rs
deleted file mode 100644
index 8f31553..0000000
--- a/pvmfw/src/crypto.rs
+++ /dev/null
@@ -1,271 +0,0 @@
-// Copyright 2023, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Wrapper around BoringSSL/OpenSSL symbols.
-
-use core::convert::AsRef;
-use core::ffi::{c_char, c_int, CStr};
-use core::fmt;
-use core::mem::MaybeUninit;
-use core::num::NonZeroU32;
-use core::ptr;
-
-use bssl_ffi::CRYPTO_library_init;
-use bssl_ffi::ERR_get_error_line;
-use bssl_ffi::ERR_lib_error_string;
-use bssl_ffi::ERR_reason_error_string;
-use bssl_ffi::EVP_AEAD_CTX_aead;
-use bssl_ffi::EVP_AEAD_CTX_init;
-use bssl_ffi::EVP_AEAD_CTX_open;
-use bssl_ffi::EVP_AEAD_CTX_seal;
-use bssl_ffi::EVP_AEAD_max_overhead;
-use bssl_ffi::EVP_aead_aes_256_gcm_randnonce;
-use bssl_ffi::EVP_AEAD;
-use bssl_ffi::EVP_AEAD_CTX;
-use cstr::cstr;
-
-#[derive(Debug)]
-pub struct Error {
-    packed: NonZeroU32,
-    file: Option<&'static CStr>,
-    line: c_int,
-}
-
-impl Error {
-    fn get() -> Option<Self> {
-        let mut file = ptr::null();
-        let mut line = 0;
-        // SAFETY: The function writes to the provided pointers, which are valid because they come
-        // from references. It doesn't retain them after it returns.
-        let packed = unsafe { ERR_get_error_line(&mut file, &mut line) };
-
-        let packed = packed.try_into().ok()?;
-        // SAFETY: Any non-NULL result is expected to point to a global const C string.
-        let file = unsafe { as_static_cstr(file) };
-
-        Some(Self { packed, file, line })
-    }
-
-    fn packed_value(&self) -> u32 {
-        self.packed.get()
-    }
-
-    fn library_name(&self) -> Option<&'static CStr> {
-        // SAFETY: Call to a pure function.
-        let name = unsafe { ERR_lib_error_string(self.packed_value()) };
-        // SAFETY: Any non-NULL result is expected to point to a global const C string.
-        unsafe { as_static_cstr(name) }
-    }
-
-    fn reason(&self) -> Option<&'static CStr> {
-        // SAFETY: Call to a pure function.
-        let reason = unsafe { ERR_reason_error_string(self.packed_value()) };
-        // SAFETY: Any non-NULL result is expected to point to a global const C string.
-        unsafe { as_static_cstr(reason) }
-    }
-}
-
-impl fmt::Display for Error {
-    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
-        let packed = self.packed_value();
-        let library = self.library_name().unwrap_or(cstr!("{unknown library}")).to_str().unwrap();
-        let reason = self.reason().unwrap_or(cstr!("{unknown reason}")).to_str().unwrap();
-        let file = self.file.unwrap_or(cstr!("??")).to_str().unwrap();
-        let line = self.line;
-
-        write!(f, "{file}:{line}: {library}: {reason} ({packed:#x})")
-    }
-}
-
-#[derive(Copy, Clone)]
-pub struct ErrorIterator {}
-
-impl Iterator for ErrorIterator {
-    type Item = Error;
-
-    fn next(&mut self) -> Option<Self::Item> {
-        Self::Item::get()
-    }
-}
-
-pub type Result<T> = core::result::Result<T, ErrorIterator>;
-
-#[repr(transparent)]
-pub struct Aead(EVP_AEAD);
-
-impl Aead {
-    pub fn aes_256_gcm_randnonce() -> Option<&'static Self> {
-        // SAFETY: Returned pointer is checked below.
-        let aead = unsafe { EVP_aead_aes_256_gcm_randnonce() };
-        if aead.is_null() {
-            None
-        } else {
-            // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
-            Some(unsafe { &*(aead as *const _) })
-        }
-    }
-
-    pub fn max_overhead(&self) -> usize {
-        // SAFETY: Function should only read from self.
-        unsafe { EVP_AEAD_max_overhead(self.as_ref() as *const _) }
-    }
-}
-
-#[repr(transparent)]
-pub struct AeadCtx(EVP_AEAD_CTX);
-
-impl AeadCtx {
-    pub fn new_aes_256_gcm_randnonce(key: &[u8]) -> Result<Self> {
-        let aead = Aead::aes_256_gcm_randnonce().unwrap();
-
-        Self::new(aead, key)
-    }
-
-    fn new(aead: &'static Aead, key: &[u8]) -> Result<Self> {
-        const DEFAULT_TAG_LENGTH: usize = 0;
-        let engine = ptr::null_mut(); // Use default implementation.
-        let mut ctx = MaybeUninit::zeroed();
-        // SAFETY: Initialize the EVP_AEAD_CTX with const pointers to the AEAD and key.
-        let result = unsafe {
-            EVP_AEAD_CTX_init(
-                ctx.as_mut_ptr(),
-                aead.as_ref() as *const _,
-                key.as_ptr(),
-                key.len(),
-                DEFAULT_TAG_LENGTH,
-                engine,
-            )
-        };
-
-        if result == 1 {
-            // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
-            Ok(Self(unsafe { ctx.assume_init() }))
-        } else {
-            Err(ErrorIterator {})
-        }
-    }
-
-    pub fn aead(&self) -> Option<&'static Aead> {
-        // SAFETY: The function should only read from self.
-        let aead = unsafe { EVP_AEAD_CTX_aead(self.as_ref() as *const _) };
-        if aead.is_null() {
-            None
-        } else {
-            // SAFETY: We assume that the non-NULL value points to a valid and static EVP_AEAD.
-            Some(unsafe { &*(aead as *const _) })
-        }
-    }
-
-    pub fn open<'b>(&self, out: &'b mut [u8], data: &[u8]) -> Result<&'b mut [u8]> {
-        let nonce = ptr::null_mut();
-        let nonce_len = 0;
-        let ad = ptr::null_mut();
-        let ad_len = 0;
-        let mut out_len = MaybeUninit::uninit();
-        // SAFETY: The function should only read from self and write to out (at most the provided
-        // number of bytes) and out_len while reading from data (at most the provided number of
-        // bytes), ignoring any NULL input.
-        let result = unsafe {
-            EVP_AEAD_CTX_open(
-                self.as_ref() as *const _,
-                out.as_mut_ptr(),
-                out_len.as_mut_ptr(),
-                out.len(),
-                nonce,
-                nonce_len,
-                data.as_ptr(),
-                data.len(),
-                ad,
-                ad_len,
-            )
-        };
-
-        if result == 1 {
-            // SAFETY: Any value written to out_len could be a valid usize. The value itself is
-            // validated as being a proper slice length by panicking in the following indexing
-            // otherwise.
-            let out_len = unsafe { out_len.assume_init() };
-            Ok(&mut out[..out_len])
-        } else {
-            Err(ErrorIterator {})
-        }
-    }
-
-    pub fn seal<'b>(&self, out: &'b mut [u8], data: &[u8]) -> Result<&'b mut [u8]> {
-        let nonce = ptr::null_mut();
-        let nonce_len = 0;
-        let ad = ptr::null_mut();
-        let ad_len = 0;
-        let mut out_len = MaybeUninit::uninit();
-        // SAFETY: The function should only read from self and write to out (at most the provided
-        // number of bytes) while reading from data (at most the provided number of bytes),
-        // ignoring any NULL input.
-        let result = unsafe {
-            EVP_AEAD_CTX_seal(
-                self.as_ref() as *const _,
-                out.as_mut_ptr(),
-                out_len.as_mut_ptr(),
-                out.len(),
-                nonce,
-                nonce_len,
-                data.as_ptr(),
-                data.len(),
-                ad,
-                ad_len,
-            )
-        };
-
-        if result == 1 {
-            // SAFETY: Any value written to out_len could be a valid usize. The value itself is
-            // validated as being a proper slice length by panicking in the following indexing
-            // otherwise.
-            let out_len = unsafe { out_len.assume_init() };
-            Ok(&mut out[..out_len])
-        } else {
-            Err(ErrorIterator {})
-        }
-    }
-}
-
-/// Cast a C string pointer to a static non-mutable reference.
-///
-/// # Safety
-///
-/// The caller needs to ensure that the pointer is null or points to a valid C string and that the
-/// C lifetime of the string is compatible with a static Rust lifetime.
-unsafe fn as_static_cstr(p: *const c_char) -> Option<&'static CStr> {
-    if p.is_null() {
-        None
-    } else {
-        // Safety: Safe given the requirements of this function.
-        Some(unsafe { CStr::from_ptr(p) })
-    }
-}
-
-impl AsRef<EVP_AEAD> for Aead {
-    fn as_ref(&self) -> &EVP_AEAD {
-        &self.0
-    }
-}
-
-impl AsRef<EVP_AEAD_CTX> for AeadCtx {
-    fn as_ref(&self) -> &EVP_AEAD_CTX {
-        &self.0
-    }
-}
-
-pub fn init() {
-    // SAFETY: Configures the internal state of the library - may be called multiple times.
-    unsafe { CRYPTO_library_init() }
-}
diff --git a/pvmfw/src/device_assignment.rs b/pvmfw/src/device_assignment.rs
index 19ace5f..8d4d840 100644
--- a/pvmfw/src/device_assignment.rs
+++ b/pvmfw/src/device_assignment.rs
@@ -183,6 +183,15 @@
     }
 }
 
+fn is_overlayable_node(dtbo_path: &CStr) -> bool {
+    dtbo_path
+        .to_bytes()
+        .split(|char| *char == b'/')
+        .filter(|&component| !component.is_empty())
+        .nth(1)
+        .map_or(false, |name| name == b"__overlay__")
+}
+
 impl AsRef<Fdt> for VmDtbo {
     fn as_ref(&self) -> &Fdt {
         &self.0
@@ -417,6 +426,9 @@
             let symbol_prop_value = symbol_prop.value()?;
             let dtbo_node_path = CStr::from_bytes_with_nul(symbol_prop_value)
                 .or(Err(DeviceAssignmentError::InvalidSymbols))?;
+            if !is_overlayable_node(dtbo_node_path) {
+                continue;
+            }
             let assigned_device =
                 AssignedDeviceInfo::parse(fdt, vm_dtbo, dtbo_node_path, &pviommus, hypervisor)?;
             if let Some(assigned_device) = assigned_device {
@@ -428,7 +440,15 @@
         if assigned_devices.is_empty() {
             return Ok(None);
         }
+
+        // Clean up any nodes that wouldn't be overlaid but may contain reference to filtered nodes.
+        // Otherwise, `fdt_apply_overlay()` would fail because of missing phandle reference.
         filtered_dtbo_paths.push(CString::new("/__symbols__").unwrap());
+        // TODO(b/277993056): Also filter other unused nodes/props in __local_fixups__
+        filtered_dtbo_paths.push(CString::new("/__local_fixups__/host").unwrap());
+
+        // Note: Any node without __overlay__ will be ignored by fdt_apply_overlay,
+        // so doesn't need to be filtered.
 
         Ok(Some(Self { pviommus: unique_pviommus, assigned_devices, filtered_dtbo_paths }))
     }
@@ -449,22 +469,6 @@
             node.nop()?;
         }
 
-        // Filters pvmfw-specific properties in assigned device node.
-        const FILTERED_VM_DTBO_PROP: [&CStr; 3] = [
-            cstr!("android,pvmfw,phy-reg"),
-            cstr!("android,pvmfw,phy-iommu"),
-            cstr!("android,pvmfw,phy-sid"),
-        ];
-        for assigned_device in &self.assigned_devices {
-            let mut node = vm_dtbo.node_mut(&assigned_device.dtbo_node_path).unwrap().unwrap();
-            for prop in FILTERED_VM_DTBO_PROP {
-                match node.nop_property(prop) {
-                    Err(FdtError::NotFound) => Ok(()), // allows not exists
-                    other => other,
-                }?;
-            }
-        }
-
         Ok(())
     }
 
@@ -649,8 +653,8 @@
         let device_info = DeviceAssignmentInfo::parse(fdt, vm_dtbo, &hypervisor).unwrap().unwrap();
 
         let expected = [AssignedDeviceInfo {
-            node_path: CString::new("/backlight").unwrap(),
-            dtbo_node_path: cstr!("/fragment@backlight/__overlay__/backlight").into(),
+            node_path: CString::new("/bus0/backlight").unwrap(),
+            dtbo_node_path: cstr!("/fragment@backlight/__overlay__/bus0/backlight").into(),
             reg: vec![[0x9, 0xFF].into()],
             interrupts: into_fdt_prop(vec![0x0, 0xF, 0x4]),
             iommus: vec![],
@@ -721,7 +725,8 @@
         let led = vm_dtbo.node(cstr!("/fragment@led/__overlay__/led")).unwrap();
         assert_eq!(led, None);
 
-        let backlight = vm_dtbo.node(cstr!("/fragment@backlight/__overlay__/backlight")).unwrap();
+        let backlight =
+            vm_dtbo.node(cstr!("/fragment@backlight/__overlay__/bus0/backlight")).unwrap();
         assert_eq!(backlight, None);
 
         let symbols_node = vm_dtbo.symbols().unwrap();
@@ -750,6 +755,10 @@
         }
         device_info.patch(platform_dt).unwrap();
 
+        let rng_node = platform_dt.node(cstr!("/bus0/backlight")).unwrap().unwrap();
+        let phandle = rng_node.getprop_u32(cstr!("phandle")).unwrap();
+        assert_ne!(None, phandle);
+
         // Note: Intentionally not using AssignedDeviceNode for matching all props.
         type FdtResult<T> = libfdt::Result<T>;
         let expected: Vec<(FdtResult<&CStr>, FdtResult<Vec<u8>>)> = vec![
@@ -757,10 +766,10 @@
             (Ok(cstr!("compatible")), Ok(Vec::from(*b"android,backlight\0"))),
             (Ok(cstr!("interrupts")), Ok(into_fdt_prop(vec![0x0, 0xF, 0x4]))),
             (Ok(cstr!("iommus")), Ok(Vec::new())),
+            (Ok(cstr!("phandle")), Ok(into_fdt_prop(vec![phandle.unwrap()]))),
             (Ok(cstr!("reg")), Ok(into_fdt_prop(vec![0x0, 0x9, 0x0, 0xFF]))),
         ];
 
-        let rng_node = platform_dt.node(cstr!("/backlight")).unwrap().unwrap();
         let mut properties: Vec<_> = rng_node
             .properties()
             .unwrap()
diff --git a/pvmfw/src/entry.rs b/pvmfw/src/entry.rs
index f4078a3..2475f32 100644
--- a/pvmfw/src/entry.rs
+++ b/pvmfw/src/entry.rs
@@ -15,9 +15,9 @@
 //! Low-level entry and exit points of pvmfw.
 
 use crate::config;
-use crate::crypto;
 use crate::fdt;
 use crate::memory;
+use bssl_ffi::CRYPTO_library_init;
 use core::arch::asm;
 use core::mem::{drop, size_of};
 use core::num::NonZeroUsize;
@@ -196,7 +196,12 @@
     // - only access non-pvmfw memory once (and while) it has been mapped
 
     log::set_max_level(LevelFilter::Info);
-    crypto::init();
+    // TODO(https://crbug.com/boringssl/35): Remove this init when BoringSSL can handle this
+    // internally.
+    // SAFETY: Configures the internal state of the library - may be called multiple times.
+    unsafe {
+        CRYPTO_library_init();
+    }
 
     let page_table = memory::init_page_table().map_err(|e| {
         error!("Failed to set up the dynamic page tables: {e}");
@@ -207,7 +212,7 @@
     // then remapped by `init_page_table()`.
     let appended_data = unsafe { get_appended_data_slice() };
 
-    let mut appended = AppendedPayload::new(appended_data).ok_or_else(|| {
+    let appended = AppendedPayload::new(appended_data).ok_or_else(|| {
         error!("No valid configuration found");
         RebootReason::InvalidConfig
     })?;
@@ -438,7 +443,7 @@
         }
     }
 
-    fn get_entries(&mut self) -> config::Entries<'_> {
+    fn get_entries(self) -> config::Entries<'a> {
         match self {
             Self::Config(cfg) => cfg.get_entries(),
             Self::LegacyBcc(bcc) => config::Entries { bcc, ..Default::default() },
diff --git a/pvmfw/src/fdt.rs b/pvmfw/src/fdt.rs
index 2cd1061..2a6819b 100644
--- a/pvmfw/src/fdt.rs
+++ b/pvmfw/src/fdt.rs
@@ -200,19 +200,27 @@
     Ok(())
 }
 
-fn read_vendor_public_key_from(fdt: &Fdt) -> libfdt::Result<Option<Vec<u8>>> {
+fn read_vendor_hashtree_descriptor_root_digest_from(fdt: &Fdt) -> libfdt::Result<Option<Vec<u8>>> {
     if let Some(avf_node) = fdt.node(cstr!("/avf"))? {
-        if let Some(vendor_public_key) = avf_node.getprop(cstr!("vendor_public_key"))? {
-            return Ok(Some(vendor_public_key.to_vec()));
+        if let Some(vendor_hashtree_descriptor_root_digest) =
+            avf_node.getprop(cstr!("vendor_hashtree_descriptor_root_digest"))?
+        {
+            return Ok(Some(vendor_hashtree_descriptor_root_digest.to_vec()));
         }
     }
     Ok(None)
 }
 
-fn patch_vendor_public_key(fdt: &mut Fdt, vendor_public_key: &[u8]) -> libfdt::Result<()> {
+fn patch_vendor_hashtree_descriptor_root_digest(
+    fdt: &mut Fdt,
+    vendor_hashtree_descriptor_root_digest: &[u8],
+) -> libfdt::Result<()> {
     let mut root_node = fdt.root_mut()?;
     let mut avf_node = root_node.add_subnode(cstr!("/avf"))?;
-    avf_node.setprop(cstr!("vendor_public_key"), vendor_public_key)?;
+    avf_node.setprop(
+        cstr!("vendor_hashtree_descriptor_root_digest"),
+        vendor_hashtree_descriptor_root_digest,
+    )?;
     Ok(())
 }
 
@@ -608,7 +616,7 @@
     serial_info: SerialInfo,
     pub swiotlb_info: SwiotlbInfo,
     device_assignment: Option<DeviceAssignmentInfo>,
-    vendor_public_key: Option<Vec<u8>>,
+    vendor_hashtree_descriptor_root_digest: Option<Vec<u8>>,
 }
 
 impl DeviceTreeInfo {
@@ -738,15 +746,17 @@
 
     // TODO(b/285854379) : A temporary solution lives. This is for enabling
     // microdroid vendor partition for non-protected VM as well. When passing
-    // DT path containing vendor_public_key via fstab, init stage will check
-    // if vendor_public_key exists in the init stage, regardless the protection.
-    // Adding this temporary solution will prevent fatal in init stage for
-    // protected VM. However, this data is not trustable without validating
-    // with vendor public key value comes from ABL.
-    let vendor_public_key = read_vendor_public_key_from(fdt).map_err(|e| {
-        error!("Failed to read vendor_public_key from DT: {e}");
-        RebootReason::InvalidFdt
-    })?;
+    // DT path containing vendor_hashtree_descriptor_root_digest via fstab, init
+    // stage will check if vendor_hashtree_descriptor_root_digest exists in the
+    // init stage, regardless the protection. Adding this temporary solution
+    // will prevent fatal in init stage for protected VM. However, this data is
+    // not trustable without validating root digest of vendor hashtree
+    // descriptor comes from ABL.
+    let vendor_hashtree_descriptor_root_digest =
+        read_vendor_hashtree_descriptor_root_digest_from(fdt).map_err(|e| {
+            error!("Failed to read vendor_hashtree_descriptor_root_digest from DT: {e}");
+            RebootReason::InvalidFdt
+        })?;
 
     Ok(DeviceTreeInfo {
         kernel_range,
@@ -758,7 +768,7 @@
         serial_info,
         swiotlb_info,
         device_assignment,
-        vendor_public_key,
+        vendor_hashtree_descriptor_root_digest,
     })
 }
 
@@ -811,9 +821,12 @@
             RebootReason::InvalidFdt
         })?;
     }
-    if let Some(vendor_public_key) = &info.vendor_public_key {
-        patch_vendor_public_key(fdt, vendor_public_key).map_err(|e| {
-            error!("Failed to patch vendor_public_key to DT: {e}");
+    if let Some(vendor_hashtree_descriptor_root_digest) =
+        &info.vendor_hashtree_descriptor_root_digest
+    {
+        patch_vendor_hashtree_descriptor_root_digest(fdt, vendor_hashtree_descriptor_root_digest)
+            .map_err(|e| {
+            error!("Failed to patch vendor_hashtree_descriptor_root_digest to DT: {e}");
             RebootReason::InvalidFdt
         })?;
     }
@@ -827,7 +840,7 @@
     bcc: &[u8],
     new_instance: bool,
     strict_boot: bool,
-    debug_policy: Option<&mut [u8]>,
+    debug_policy: Option<&[u8]>,
     debuggable: bool,
     kaslr_seed: u64,
 ) -> libfdt::Result<()> {
diff --git a/pvmfw/src/instance.rs b/pvmfw/src/instance.rs
index a998bfb..e98f663 100644
--- a/pvmfw/src/instance.rs
+++ b/pvmfw/src/instance.rs
@@ -14,13 +14,11 @@
 
 //! Support for reading and writing to the instance.img.
 
-use crate::crypto;
-use crate::crypto::AeadCtx;
 use crate::dice::PartialInputs;
 use crate::gpt;
 use crate::gpt::Partition;
 use crate::gpt::Partitions;
-use bssl_avf::{self, hkdf, Digester};
+use bssl_avf::{self, hkdf, Aead, AeadContext, Digester};
 use core::fmt;
 use core::mem::size_of;
 use diced_open_dice::DiceMode;
@@ -40,12 +38,8 @@
 pub enum Error {
     /// Unexpected I/O error while accessing the underlying disk.
     FailedIo(gpt::Error),
-    /// Failed to decrypt the entry.
-    FailedOpen(crypto::ErrorIterator),
     /// Failed to generate a random salt to be stored.
     FailedSaltGeneration(rand::Error),
-    /// Failed to encrypt the entry.
-    FailedSeal(crypto::ErrorIterator),
     /// Impossible to create a new instance.img entry.
     InstanceImageFull,
     /// Badly formatted instance.img header block.
@@ -72,21 +66,7 @@
     fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
         match self {
             Self::FailedIo(e) => write!(f, "Failed I/O to disk: {e}"),
-            Self::FailedOpen(e_iter) => {
-                writeln!(f, "Failed to open the instance.img partition:")?;
-                for e in *e_iter {
-                    writeln!(f, "\t{e}")?;
-                }
-                Ok(())
-            }
             Self::FailedSaltGeneration(e) => write!(f, "Failed to generate salt: {e}"),
-            Self::FailedSeal(e_iter) => {
-                writeln!(f, "Failed to seal the instance.img partition:")?;
-                for e in *e_iter {
-                    writeln!(f, "\t{e}")?;
-                }
-                Ok(())
-            }
             Self::InstanceImageFull => write!(f, "Failed to obtain a free instance.img partition"),
             Self::InvalidInstanceImageHeader => write!(f, "instance.img header is invalid"),
             Self::MissingInstanceImage => write!(f, "Failed to find the instance.img partition"),
@@ -124,6 +104,13 @@
     trace!("Found pvmfw instance.img entry: {entry:?}");
 
     let key = hkdf::<32>(secret, /* salt= */ &[], b"vm-instance", Digester::sha512())?;
+    let tag_len = None;
+    let aead_ctx = AeadContext::new(Aead::aes_256_gcm_randnonce(), key.as_slice(), tag_len)?;
+    let ad = &[];
+    // The nonce is generated internally for `aes_256_gcm_randnonce`, so no additional
+    // nonce is required.
+    let nonce = &[];
+
     let mut blk = [0; BLK_SIZE];
     match entry {
         PvmfwEntry::Existing { header_index, payload_size } => {
@@ -136,9 +123,7 @@
 
             let payload = &blk[..payload_size];
             let mut entry = [0; size_of::<EntryBody>()];
-            let aead =
-                AeadCtx::new_aes_256_gcm_randnonce(key.as_slice()).map_err(Error::FailedOpen)?;
-            let decrypted = aead.open(&mut entry, payload).map_err(Error::FailedOpen)?;
+            let decrypted = aead_ctx.open(payload, nonce, ad, &mut entry)?;
 
             let body = EntryBody::read_from(decrypted).unwrap();
             if dice_inputs.rkp_vm_marker {
@@ -166,12 +151,10 @@
             let salt = rand::random_array().map_err(Error::FailedSaltGeneration)?;
             let body = EntryBody::new(dice_inputs, &salt);
 
-            let aead =
-                AeadCtx::new_aes_256_gcm_randnonce(key.as_slice()).map_err(Error::FailedSeal)?;
             // We currently only support single-blk entries.
             let plaintext = body.as_bytes();
-            assert!(plaintext.len() + aead.aead().unwrap().max_overhead() < blk.len());
-            let encrypted = aead.seal(&mut blk, plaintext).map_err(Error::FailedSeal)?;
+            assert!(plaintext.len() + aead_ctx.aead().max_overhead() < blk.len());
+            let encrypted = aead_ctx.seal(plaintext, nonce, ad, &mut blk)?;
             let payload_size = encrypted.len();
             let payload_index = header_index + 1;
             instance_img.write_block(payload_index, &blk).map_err(Error::FailedIo)?;
diff --git a/pvmfw/src/main.rs b/pvmfw/src/main.rs
index 1d55a84..f80bae1 100644
--- a/pvmfw/src/main.rs
+++ b/pvmfw/src/main.rs
@@ -22,7 +22,6 @@
 mod bcc;
 mod bootargs;
 mod config;
-mod crypto;
 mod device_assignment;
 mod dice;
 mod entry;
@@ -63,7 +62,7 @@
     signed_kernel: &[u8],
     ramdisk: Option<&[u8]>,
     current_bcc_handover: &[u8],
-    mut debug_policy: Option<&mut [u8]>,
+    mut debug_policy: Option<&[u8]>,
 ) -> Result<Range<usize>, RebootReason> {
     info!("pVM firmware");
     debug!("FDT: {:?}", fdt.as_ptr());
diff --git a/pvmfw/testdata/test_pvmfw_devices_vm_dtbo.dts b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo.dts
index 691d15a..91693f7 100644
--- a/pvmfw/testdata/test_pvmfw_devices_vm_dtbo.dts
+++ b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo.dts
@@ -1,61 +1,118 @@
 /dts-v1/;
-/plugin/;
 
 / {
-	fragment@rng {
-		target-path = "/";
-		__overlay__ {
-			rng {
-				compatible = "android,rng";
-				android,rng,ignore-gctrl-reset;
-				android,pvmfw,phy-reg = <0x0 0x12F00000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x12E40000>;
-				android,pvmfw,phy-sid = <3>;
-			};
-		};
-	};
-
-	fragment@sensor {
-		target-path = "/";
-		__overlay__ {
-			light {
-				compatible = "android,light";
-				version = <0x1 0x2>;
-				android,pvmfw,phy-reg = <0x0 0xF00000 0x1000>, <0x0 0xF10000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x40000>, <0x0 0x50000>;
-				android,pvmfw,phy-sid = <4>, <5>;
-			};
-		};
-	};
-
-	fragment@led {
-		target-path = "/";
-		__overlay__ {
-			led {
-				compatible = "android,led";
-				prop = <0x555>;
-				android,pvmfw,phy-reg = <0x0 0x12000000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x12E40000>;
-				android,pvmfw,phy-sid = <3>;
-			};
-		};
-	};
-
-	fragment@backlight {
-		target-path = "/";
-		__overlay__ {
-			backlight {
-				compatible = "android,backlight";
-				android,backlight,ignore-gctrl-reset;
-				android,pvmfw,phy-reg = <0x0 0x300 0x100>;
-			};
-		};
-	};
-
-	__symbols__ {
-		rng = "/fragment@rng/__overlay__/rng";
-		sensor = "/fragment@sensor/__overlay__/light";
-		led = "/fragment@led/__overlay__/led";
-		backlight = "/fragment@backlight/__overlay__/backlight";
-	};
+    host {
+        #address-cells = <0x2>;
+        #size-cells = <0x1>;
+        rng {
+            reg = <0x0 0x12f00000 0x1000>;
+            iommus = <0x1 0x3>;
+            android,pvmfw,target = <0x2>;
+        };
+        light {
+            reg = <0x0 0x00f00000 0x1000>, <0x0 0x00f10000 0x1000>;
+            iommus = <0x3 0x4>, <0x4 0x5>;
+            android,pvmfw,target = <0x5>;
+        };
+        led {
+            reg = <0x0 0x12000000 0x1000>;
+            iommus = <0x1 0x3>;
+            android,pvmfw,target = <0x6>;
+        };
+        bus0 {
+            #address-cells = <0x1>;
+            #size-cells = <0x1>;
+            backlight {
+                reg = <0x300 0x100>;
+                android,pvmfw,target = <0x7>;
+            };
+        };
+        iommu0 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x12e40000>;
+            phandle = <0x1>;
+        };
+        iommu1 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x40000>;
+            phandle = <0x3>;
+        };
+        iommu2 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x50000>;
+            phandle = <0x4>;
+        };
+    };
+    fragment@rng {
+        target-path = "/";
+        __overlay__ {
+            rng {
+                compatible = "android,rng";
+                android,rng,ignore-gctrl-reset;
+                phandle = <0x2>;
+            };
+        };
+    };
+    fragment@sensor {
+        target-path = "/";
+        __overlay__ {
+            light {
+                compatible = "android,light";
+                version = <0x1 0x2>;
+                phandle = <0x5>;
+            };
+        };
+    };
+    fragment@led {
+        target-path = "/";
+        __overlay__ {
+            led {
+                compatible = "android,led";
+                prop = <0x555>;
+                phandle = <0x6>;
+            };
+        };
+    };
+    fragment@backlight {
+        target-path = "/";
+        __overlay__ {
+            bus0 {
+                backlight {
+                    compatible = "android,backlight";
+                    android,backlight,ignore-gctrl-reset;
+                    phandle = <0x7>;
+                };
+            };
+        };
+    };
+    __symbols__ {
+        iommu0 = "/host/iommu0";
+        iommu1 = "/host/iommu1";
+        iommu2 = "/host/iommu2";
+        rng = "/fragment@rng/__overlay__/rng";
+        light = "/fragment@sensor/__overlay__/light";
+        led = "/fragment@led/__overlay__/led";
+        backlight = "/fragment@backlight/__overlay__/bus0/backlight";
+    };
+    __local_fixups__ {
+        host {
+            rng {
+                iommus = <0x0>;
+                android,pvmfw,target = <0x0>;
+            };
+            light {
+                iommus = <0x0 0x8>;
+                android,pvmfw,target = <0x0>;
+            };
+            led {
+                iommus = <0x0>;
+                android,pvmfw,target = <0x0>;
+            };
+            bus0 {
+                backlight {
+                    android,pvmfw,target = <0x0>;
+                };
+            };
+        };
+    };
 };
diff --git a/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_without_symbols.dts b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_without_symbols.dts
index 18b9e79..2bc8081 100644
--- a/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_without_symbols.dts
+++ b/pvmfw/testdata/test_pvmfw_devices_vm_dtbo_without_symbols.dts
@@ -1,43 +1,114 @@
 /dts-v1/;
-/plugin/;
 
 / {
-	fragment@rng {
-		target-path = "/";
-		__overlay__ {
-			rng {
-				compatible = "android,rng";
-				android,rng,ignore-gctrl-reset;
-				android,pvmfw,phy-reg = <0x0 0x12F00000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x12E40000>;
-				android,pvmfw,phy-sid = <3>;
-			};
-		};
-	};
-
-	fragment@sensor {
-		target-path = "/";
-		__overlay__ {
-			light {
-				compatible = "android,light";
-				version = <0x1 0x2>;
-				android,pvmfw,phy-reg = <0x0 0xF00000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x40000>, <0x0 0x50000>;
-				android,pvmfw,phy-sid = <4>, <5>;
-			};
-		};
-	};
-
-	fragment@led {
-		target-path = "/";
-		__overlay__ {
-			led {
-				compatible = "android,led";
-				prop;
-				android,pvmfw,phy-reg = <0x0 0x12F00000 0x1000>;
-				android,pvmfw,phy-iommu = <0x0 0x20000>, <0x0 0x30000>;
-				android,pvmfw,phy-sid = <7>, <8>;
-			};
-		};
-	};
+    host {
+        #address-cells = <0x2>;
+        #size-cells = <0x1>;
+        rng {
+            reg = <0x0 0x12f00000 0x1000>;
+            iommus = <0x1 0x3>;
+            android,pvmfw,target = <0x2>;
+        };
+        light {
+            reg = <0x0 0x00f00000 0x1000>, <0x0 0x00f10000 0x1000>;
+            iommus = <0x3 0x4>, <0x4 0x5>;
+            android,pvmfw,target = <0x5>;
+        };
+        led {
+            reg = <0x0 0x12000000 0x1000>;
+            iommus = <0x1 0x3>;
+            android,pvmfw,target = <0x6>;
+        };
+        bus0 {
+            #address-cells = <0x1>;
+            #size-cells = <0x1>;
+            backlight {
+                reg = <0x300 0x100>;
+                android,pvmfw,target = <0x7>;
+            };
+        };
+        iommu0 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x12e40000>;
+            phandle = <0x1>;
+        };
+        iommu1 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x40000>;
+            phandle = <0x3>;
+        };
+        iommu2 {
+            #iommu-cells = <0x1>;
+            android,pvmfw,token = <0x0 0x50000>;
+            phandle = <0x4>;
+        };
+    };
+    fragment@rng {
+        target-path = "/";
+        __overlay__ {
+            rng {
+                compatible = "android,rng";
+                android,rng,ignore-gctrl-reset;
+                phandle = <0x2>;
+            };
+        };
+    };
+    fragment@sensor {
+        target-path = "/";
+        __overlay__ {
+            light {
+                compatible = "android,light";
+                version = <0x1 0x2>;
+                phandle = <0x5>;
+            };
+        };
+    };
+    fragment@led {
+        target-path = "/";
+        __overlay__ {
+            led {
+                compatible = "android,led";
+                prop = <0x555>;
+                phandle = <0x6>;
+            };
+        };
+    };
+    fragment@backlight {
+        target-path = "/";
+        __overlay__ {
+            bus0 {
+                backlight {
+                    compatible = "android,backlight";
+                    android,backlight,ignore-gctrl-reset;
+                    phandle = <0x7>;
+                };
+            };
+        };
+    };
+    __symbols__ {
+        iommu0 = "/host/iommu0";
+        iommu1 = "/host/iommu1";
+        iommu2 = "/host/iommu2";
+    };
+    __local_fixups__ {
+        host {
+            rng {
+                iommus = <0x0>;
+                android,pvmfw,target = <0x0>;
+            };
+            light {
+                iommus = <0x0 0x8>;
+                android,pvmfw,target = <0x0>;
+            };
+            led {
+                iommus = <0x0>;
+                android,pvmfw,target = <0x0>;
+            };
+            bus0 {
+                backlight {
+                    android,pvmfw,target = <0x0>;
+                };
+            };
+        };
+    };
 };
diff --git a/pvmfw/testdata/test_pvmfw_devices_without_iommus.dts b/pvmfw/testdata/test_pvmfw_devices_without_iommus.dts
index 2036c9c..1a12c87 100644
--- a/pvmfw/testdata/test_pvmfw_devices_without_iommus.dts
+++ b/pvmfw/testdata/test_pvmfw_devices_without_iommus.dts
@@ -4,11 +4,16 @@
 /include/ "test_crosvm_dt_base.dtsi"
 
 / {
-    backlight@90000000 {
-        compatible = "android,backlight";
-        reg = <0x0 0x9 0x0 0xFF>;
-        interrupts = <0x0 0xF 0x4>;
-        google,eh,ignore-gctrl-reset;
-        status = "okay";
+    bus0 {
+        #address-cells = <0x2>;
+        #size-cells = <0x2>;
+
+        backlight@90000000 {
+            compatible = "android,backlight";
+            reg = <0x0 0x9 0x0 0xFF>;
+            interrupts = <0x0 0xF 0x4>;
+            google,eh,ignore-gctrl-reset;
+            status = "okay";
+        };
     };
 };
diff --git a/service_vm/requests/src/cert.rs b/service_vm/requests/src/cert.rs
index 73828a7..91281e7 100644
--- a/service_vm/requests/src/cert.rs
+++ b/service_vm/requests/src/cert.rs
@@ -18,7 +18,7 @@
 use alloc::vec;
 use alloc::vec::Vec;
 use der::{
-    asn1::{BitStringRef, ObjectIdentifier, UIntRef, Utf8StringRef},
+    asn1::{BitString, ObjectIdentifier, OctetString, Utf8StringRef},
     oid::AssociatedOid,
     Decode, Sequence,
 };
@@ -27,6 +27,7 @@
     certificate::{Certificate, TbsCertificate, Version},
     ext::Extension,
     name::Name,
+    serial_number::SerialNumber,
     time::Validity,
 };
 
@@ -111,14 +112,14 @@
 ///   signature            BIT STRING
 /// }
 /// ```
-pub(crate) fn build_certificate<'a>(
-    tbs_cert: TbsCertificate<'a>,
-    signature: &'a [u8],
-) -> der::Result<Certificate<'a>> {
+pub(crate) fn build_certificate(
+    tbs_cert: TbsCertificate,
+    signature: &[u8],
+) -> der::Result<Certificate> {
     Ok(Certificate {
-        signature_algorithm: tbs_cert.signature,
+        signature_algorithm: tbs_cert.signature.clone(),
         tbs_certificate: tbs_cert,
-        signature: BitStringRef::new(0, signature)?,
+        signature: BitString::new(0, signature)?,
     })
 }
 
@@ -141,24 +142,24 @@
 ///                        -- If present, version MUST be v3 --
 /// }
 /// ```
-pub(crate) fn build_tbs_certificate<'a>(
-    serial_number: &'a [u8],
-    issuer: Name<'a>,
-    subject: Name<'a>,
+pub(crate) fn build_tbs_certificate(
+    serial_number: &[u8],
+    issuer: Name,
+    subject: Name,
     validity: Validity,
-    subject_public_key_info: &'a [u8],
-    attestation_ext: &'a [u8],
-) -> der::Result<TbsCertificate<'a>> {
+    subject_public_key_info: &[u8],
+    attestation_ext: &[u8],
+) -> der::Result<TbsCertificate> {
     let signature = AlgorithmIdentifier { oid: ECDSA_WITH_SHA_256, parameters: None };
     let subject_public_key_info = SubjectPublicKeyInfo::from_der(subject_public_key_info)?;
     let extensions = vec![Extension {
         extn_id: AttestationExtension::OID,
         critical: false,
-        extn_value: attestation_ext,
+        extn_value: OctetString::new(attestation_ext)?,
     }];
     Ok(TbsCertificate {
         version: Version::V3,
-        serial_number: UIntRef::new(serial_number)?,
+        serial_number: SerialNumber::new(serial_number)?,
         signature,
         issuer,
         validity,
diff --git a/service_vm/requests/src/client_vm.rs b/service_vm/requests/src/client_vm.rs
index c2f39e7..5b1bf6c 100644
--- a/service_vm/requests/src/client_vm.rs
+++ b/service_vm/requests/src/client_vm.rs
@@ -103,7 +103,7 @@
         client_vm_dice_chain.all_entries_are_secure(),
         vm_components,
     )
-    .to_vec()?;
+    .to_der()?;
     let tbs_cert = cert::build_tbs_certificate(
         &serial_number,
         rkp_cert.tbs_certificate.subject,
@@ -122,9 +122,9 @@
                 RequestProcessingError::FailedToDecryptKeyBlob
             })?;
     let ec_private_key = EcKey::from_ec_private_key(private_key.as_slice())?;
-    let signature = ecdsa_sign(&ec_private_key, &tbs_cert.to_vec()?)?;
+    let signature = ecdsa_sign(&ec_private_key, &tbs_cert.to_der()?)?;
     let certificate = cert::build_certificate(tbs_cert, &signature)?;
-    Ok(certificate.to_vec()?)
+    Ok(certificate.to_der()?)
 }
 
 fn ecdsa_verify(key: &EcKey, signature: &[u8], message: &[u8]) -> bssl_avf::Result<()> {
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 43ab098..a54a22a 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -175,6 +175,12 @@
         if (!updateBootconfigs) {
             command.add("--do_not_update_bootconfigs");
         }
+        // In some cases we run a CTS binary that is built from a different branch that the /system
+        // image under test. In such cases we might end up in a situation when avb_version used in
+        // CTS binary and avb_version used to sign the com.android.virt APEX do not match.
+        // This is a weird configuration, but unfortunately it can happen, hence we pass here
+        // --do_not_validate_avb_version flag to make sure that CTS doesn't fail on it.
+        command.add("--do_not_validate_avb_version");
         keyOverrides.forEach(
                 (filename, keyFile) ->
                         command.add("--key_override " + filename + "=" + keyFile.getPath()));
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index 88e9c70..60c94fc 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -38,6 +38,7 @@
         "libclap",
         "libcommand_fds",
         "libdisk",
+        "libhex",
         "libhypervisor_props",
         "liblazy_static",
         "liblibc",
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 7b30f48..8c2099f 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -116,7 +116,7 @@
 
 const UNFORMATTED_STORAGE_MAGIC: &str = "UNFORMATTED-STORAGE";
 
-/// Roughly estimated sufficient size for storing vendor public key into DTBO.
+/// Rough size for storing root digest of vendor hash descriptor into DTBO.
 const EMPTY_VENDOR_DT_OVERLAY_BUF_SIZE: usize = 10000;
 
 /// crosvm requires all partitions to be a multiple of 4KiB.
@@ -381,13 +381,17 @@
             check_gdb_allowed(config)?;
         }
 
-        let vendor_public_key = extract_vendor_public_key(config)
-            .context("Failed to extract vendor public key")
-            .or_service_specific_exception(-1)?;
-        let dtbo_vendor = if let Some(vendor_public_key) = vendor_public_key {
+        let vendor_hashtree_descriptor_root_digest =
+            extract_vendor_hashtree_descriptor_root_digest(config)
+                .context("Failed to extract root digest of vendor")
+                .or_service_specific_exception(-1)?;
+        let dtbo_vendor = if let Some(vendor_hashtree_descriptor_root_digest) =
+            vendor_hashtree_descriptor_root_digest
+        {
+            let root_digest_hex = hex::encode(vendor_hashtree_descriptor_root_digest);
             let dtbo_for_vendor_image = temporary_directory.join("dtbo_vendor");
-            create_dtbo_for_vendor_image(&vendor_public_key, &dtbo_for_vendor_image)
-                .context("Failed to write vendor_public_key")
+            create_dtbo_for_vendor_image(root_digest_hex.as_bytes(), &dtbo_for_vendor_image)
+                .context("Failed to write root digest of vendor")
                 .or_service_specific_exception(-1)?;
             let file = File::open(dtbo_for_vendor_image)
                 .context("Failed to open dtbo_vendor")
@@ -571,7 +575,9 @@
     }
 }
 
-fn extract_vendor_public_key(config: &VirtualMachineConfig) -> Result<Option<Vec<u8>>> {
+fn extract_vendor_hashtree_descriptor_root_digest(
+    config: &VirtualMachineConfig,
+) -> Result<Option<Vec<u8>>> {
     let VirtualMachineConfig::AppConfig(config) = config else {
         return Ok(None);
     };
@@ -586,15 +592,19 @@
     let size = file.metadata().context("Failed to get metadata from microdroid-vendor.img")?.len();
     let vbmeta = VbMetaImage::verify_reader_region(&file, 0, size)
         .context("Failed to get vbmeta from microdroid-vendor.img")?;
-    let vendor_public_key = vbmeta
-        .public_key()
-        .ok_or(anyhow!("No public key is extracted from microdroid-vendor.img"))?
-        .to_vec();
 
-    Ok(Some(vendor_public_key))
+    for descriptor in vbmeta.descriptors()?.iter() {
+        if let vbmeta::Descriptor::Hashtree(_) = descriptor {
+            return Ok(Some(descriptor.to_hashtree()?.root_digest().to_vec()));
+        }
+    }
+    Err(anyhow!("No root digest is extracted from microdroid-vendor.img"))
 }
 
-fn create_dtbo_for_vendor_image(vendor_public_key: &[u8], dtbo: &PathBuf) -> Result<()> {
+fn create_dtbo_for_vendor_image(
+    vendor_hashtree_descriptor_root_digest: &[u8],
+    dtbo: &PathBuf,
+) -> Result<()> {
     if dtbo.exists() {
         return Err(anyhow!("DTBO file already exists"));
     }
@@ -622,10 +632,16 @@
     let mut avf_node = overlay_node
         .add_subnode(avf_node_name.as_c_str())
         .map_err(|e| anyhow!("Failed to create avf node: {:?}", e))?;
-    let vendor_public_key_name = CString::new("vendor_public_key")?;
+    let vendor_hashtree_descriptor_root_digest_name =
+        CString::new("vendor_hashtree_descriptor_root_digest")?;
     avf_node
-        .setprop(vendor_public_key_name.as_c_str(), vendor_public_key)
-        .map_err(|e| anyhow!("Failed to set avf/vendor_public_key: {:?}", e))?;
+        .setprop(
+            vendor_hashtree_descriptor_root_digest_name.as_c_str(),
+            vendor_hashtree_descriptor_root_digest,
+        )
+        .map_err(|e| {
+            anyhow!("Failed to set avf/vendor_hashtree_descriptor_root_digest: {:?}", e)
+        })?;
 
     fdt.pack().map_err(|e| anyhow!("Failed to pack fdt: {:?}", e))?;
     let mut file = File::create(dtbo)?;
@@ -1528,13 +1544,14 @@
 
     #[test]
     fn test_create_dtbo_for_vendor_image() -> Result<()> {
-        let vendor_public_key = String::from("foo");
-        let vendor_public_key = vendor_public_key.as_bytes();
+        let vendor_hashtree_descriptor_root_digest = String::from("foo");
+        let vendor_hashtree_descriptor_root_digest =
+            vendor_hashtree_descriptor_root_digest.as_bytes();
 
         let tmp_dir = tempfile::TempDir::new()?;
         let dtbo_path = tmp_dir.path().to_path_buf().join("bar");
 
-        create_dtbo_for_vendor_image(vendor_public_key, &dtbo_path)?;
+        create_dtbo_for_vendor_image(vendor_hashtree_descriptor_root_digest, &dtbo_path)?;
 
         let data = std::fs::read(dtbo_path)?;
         let fdt = Fdt::from_slice(&data).unwrap();
@@ -1555,9 +1572,11 @@
         let Some(avf_node) = avf_node else {
             bail!("avf_node shouldn't be None.");
         };
-        let vendor_public_key_name = CString::new("vendor_public_key")?;
-        let key_from_dtbo = avf_node.getprop(vendor_public_key_name.as_c_str()).unwrap();
-        assert_eq!(key_from_dtbo, Some(vendor_public_key));
+        let vendor_hashtree_descriptor_root_digest_name =
+            CString::new("vendor_hashtree_descriptor_root_digest")?;
+        let digest_from_dtbo =
+            avf_node.getprop(vendor_hashtree_descriptor_root_digest_name.as_c_str()).unwrap();
+        assert_eq!(digest_from_dtbo, Some(vendor_hashtree_descriptor_root_digest));
 
         tmp_dir.close()?;
         Ok(())
@@ -1565,15 +1584,17 @@
 
     #[test]
     fn test_create_dtbo_for_vendor_image_throws_error_if_already_exists() -> Result<()> {
-        let vendor_public_key = String::from("foo");
-        let vendor_public_key = vendor_public_key.as_bytes();
+        let vendor_hashtree_descriptor_root_digest = String::from("foo");
+        let vendor_hashtree_descriptor_root_digest =
+            vendor_hashtree_descriptor_root_digest.as_bytes();
 
         let tmp_dir = tempfile::TempDir::new()?;
         let dtbo_path = tmp_dir.path().to_path_buf().join("bar");
 
-        create_dtbo_for_vendor_image(vendor_public_key, &dtbo_path)?;
+        create_dtbo_for_vendor_image(vendor_hashtree_descriptor_root_digest, &dtbo_path)?;
 
-        let ret_second_trial = create_dtbo_for_vendor_image(vendor_public_key, &dtbo_path);
+        let ret_second_trial =
+            create_dtbo_for_vendor_image(vendor_hashtree_descriptor_root_digest, &dtbo_path);
         assert!(ret_second_trial.is_err(), "should fail");
 
         tmp_dir.close()?;