diff --git a/CMakeLists.txt b/CMakeLists.txt
index e8c640ad40..65f0e6c70e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -717,6 +717,7 @@ if(ARCH STREQUAL "ARM")
 
                 list(APPEND WOLFBOOT_DEFS
                     SECURE_PKCS11
+                    WOLFPKCS11_USER_SETTINGS
                     WOLFSSL_PKCS11_RW_TOKENS
                     WP11_HASH_PIN_COST=3)
                 list(APPEND WOLFBOOT_DEFS "CK_CALLABLE=__attribute__\\(\\(cmse_nonsecure_entry\\)\\)")
diff --git a/hal/sim.c b/hal/sim.c
index 58eb743f6f..74372e760f 100644
--- a/hal/sim.c
+++ b/hal/sim.c
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <sys/mman.h>
 #include <sys/stat.h>
+#include <sys/syscall.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
@@ -87,6 +88,18 @@ uint32_t hal_sim_get_dualbank_state(void);
 char **main_argv;
 int main_argc;
 
+static int sim_memfd_create(const char *name, unsigned int flags)
+{
+#if defined(__linux__) && defined(SYS_memfd_create)
+    return (int)syscall(SYS_memfd_create, name, flags);
+#else
+    (void)name;
+    (void)flags;
+    errno = ENOSYS;
+    return -1;
+#endif
+}
+
 #ifdef WOLFBOOT_ENABLE_WOLFHSM_CLIENT
 
 /* Client configuration/contexts */
@@ -558,7 +571,7 @@ void do_boot(const uint32_t *app_offset)
     exit(0);
 #else
     char *envp[1] = {NULL};
-    int fd = memfd_create("test_app", 0);
+    int fd = sim_memfd_create("test_app", 0);
     size_t wret;
     if (fd == -1) {
         wolfBoot_printf( "memfd error\n");
diff --git a/include/user_settings.h b/include/user_settings.h
index a513b9e93e..52cc16d487 100644
--- a/include/user_settings.h
+++ b/include/user_settings.h
@@ -367,7 +367,9 @@ extern int tolower(int c);
 #   define HAVE_PBKDF2
 #   define WOLFPKCS11_CUSTOM_STORE
 #   define WOLFBOOT_SECURE_PKCS11
-#   define WOLFPKCS11_USER_SETTINGS
+#   ifndef WOLFPKCS11_USER_SETTINGS
+#       define WOLFPKCS11_USER_SETTINGS
+#   endif
 #   define WOLFPKCS11_NO_TIME
 #ifndef WOLFSSL_AES_COUNTER
 #   define WOLFSSL_AES_COUNTER
diff --git a/lib/wolfPKCS11 b/lib/wolfPKCS11
index 52be35889a..a1c62599d2 160000
--- a/lib/wolfPKCS11
+++ b/lib/wolfPKCS11
@@ -1 +1 @@
-Subproject commit 52be35889a76ecf208ea6049c04ea8a0a3ce2ae6
+Subproject commit a1c62599d24f40cbdb3e90bf4ef00023be3b4fe9
diff --git a/lib/wolfPSA b/lib/wolfPSA
index ac6a40411a..bb36f76632 160000
--- a/lib/wolfPSA
+++ b/lib/wolfPSA
@@ -1 +1 @@
-Subproject commit ac6a40411a2d2e47bb22ddc687df148d2d2f2192
+Subproject commit bb36f766321230c516af1b50e3264ed290fe5955
diff --git a/lib/wolfTPM b/lib/wolfTPM
index 6d5df60e24..d1756f96c2 160000
--- a/lib/wolfTPM
+++ b/lib/wolfTPM
@@ -1 +1 @@
-Subproject commit 6d5df60e2416a88cdd5dbad1967169aa2a9e6f7a
+Subproject commit d1756f96c2da425b56cbfac164c7226fb8d00e52
diff --git a/lib/wolfssl b/lib/wolfssl
index 8741805e9d..63f6f0511b 160000
--- a/lib/wolfssl
+++ b/lib/wolfssl
@@ -1 +1 @@
-Subproject commit 8741805e9d1fd9c3014b5b774ad09a77ccb5b0dc
+Subproject commit 63f6f0511b76c78f4266d5bee3114506d890cfcc
diff --git a/options.mk b/options.mk
index 814e1d9987..ff8df2c4ad 100644
--- a/options.mk
+++ b/options.mk
@@ -131,6 +131,10 @@ ifeq ($(WOLFBOOT_SMALL_STACK),1)
   OBJS+=./src/xmalloc.o
 endif
 
+# GCC 13 overestimates some wolfTPM wrapper stack usage; keep TPM
+# limits above 10 KB to avoid false -Wstack-usage failures.
+STACK_USAGE_WOLFTPM=10680
+
 
 ECC_OBJS= \
     $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/ecc.o
@@ -192,7 +196,7 @@ ifeq ($(SIGN),ECC256)
        STACK_USAGE=4096
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=7616
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=5264
@@ -216,7 +220,7 @@ ifeq ($(SIGN),ECC384)
        STACK_USAGE=5880
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=6680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=11248
@@ -240,7 +244,7 @@ ifeq ($(SIGN),ECC521)
        STACK_USAGE=4096
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=6680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=11256
@@ -261,7 +265,7 @@ ifeq ($(SIGN),ED25519)
   WOLFCRYPT_OBJS+=$(ED25519_OBJS)
   CFLAGS+=-D"WOLFBOOT_SIGN_ED25519"
   ifeq ($(WOLFTPM),1)
-    STACK_USAGE=6680
+    STACK_USAGE=$(STACK_USAGE_WOLFTPM)
   else
     STACK_USAGE?=5000
   endif
@@ -275,7 +279,7 @@ ifeq ($(SIGN),ED448)
   SIGN_OPTIONS+=--ed448
   WOLFCRYPT_OBJS+= $(ED448_OBJS)
   ifeq ($(WOLFTPM),1)
-    STACK_USAGE=6680
+    STACK_USAGE=$(STACK_USAGE_WOLFTPM)
   else
     ifeq ($(WOLFBOOT_SMALL_STACK),1)
       STACK_USAGE?=1024
@@ -313,7 +317,7 @@ ifneq ($(findstring RSA2048,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=9096
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=35952
@@ -346,7 +350,7 @@ ifneq ($(findstring RSA3072,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=9096
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=52592
@@ -383,7 +387,7 @@ ifneq ($(findstring RSA4096,$(SIGN)),)
     endif
   else
     ifeq ($(WOLFTPM),1)
-      STACK_USAGE=10680
+      STACK_USAGE=$(STACK_USAGE_WOLFTPM)
     else
       ifneq ($(SPMATH),1)
         STACK_USAGE=69232
@@ -791,6 +795,7 @@ endif
 
 ifeq ($(WOLFCRYPT_TZ_PKCS11),1)
   CFLAGS+=-DSECURE_PKCS11
+  CFLAGS+=-DWOLFPKCS11_USER_SETTINGS
   CFLAGS+=-DWOLFSSL_PKCS11_RW_TOKENS
   CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))"
   CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11)
@@ -899,7 +904,6 @@ ifeq ($(WOLFTPM),1)
   CFLAGS+=-I$(WOLFBOOT_LIB_WOLFTPM)
   CFLAGS+=-D"WOLFBOOT_TPM"
   CFLAGS+=-D"WOLFTPM_SMALL_STACK"
-  CFLAGS+=-D"WOLFTPM_AUTODETECT"
   ifneq ($(SPI_FLASH),1)
     # don't use spi if we're using simulator
     ifeq ($(TARGET),sim)
@@ -910,7 +914,7 @@ ifeq ($(WOLFTPM),1)
       OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/src/tpm2_swtpm.o
     else
       # Use memory-mapped WOLFTPM on x86-64
-       ifeq ($(ARCH),x86_64)
+        ifeq ($(ARCH),x86_64)
           CFLAGS+=-DWOLFTPM_MMIO -DWOLFTPM_EXAMPLE_HAL -DWOLFTPM_INCLUDE_IO_FILE
           OBJS+=$(WOLFBOOT_LIB_WOLFTPM)/hal/tpm_io_mmio.o
         # By default, on other architectures, provide SPI driver
diff --git a/test-app/CMakeLists.txt b/test-app/CMakeLists.txt
index a24104365b..228e84d6a0 100644
--- a/test-app/CMakeLists.txt
+++ b/test-app/CMakeLists.txt
@@ -205,7 +205,7 @@ if(BUILD_TEST_APPS)
     endif()
 
     if(WOLFCRYPT_TZ_PKCS11)
-        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11)
+        list(APPEND TEST_APP_COMPILE_DEFINITIONS WOLFBOOT_PKCS11_APP SECURE_PKCS11 WOLFPKCS11_USER_SETTINGS)
         set(WOLFSSL_PKCS11_SOURCES
             wcs/pkcs11_stub.c
             wcs/pkcs11_test_ecc.c
diff --git a/tools/scripts/sim-sunnyday-update.sh b/tools/scripts/sim-sunnyday-update.sh
index 53036d01b4..40a96d9da0 100755
--- a/tools/scripts/sim-sunnyday-update.sh
+++ b/tools/scripts/sim-sunnyday-update.sh
@@ -14,5 +14,3 @@ fi
 
 echo Test successful.
 exit 0
-
-
diff --git a/tools/test.mk b/tools/test.mk
index 7ebf13e41f..f61941b742 100644
--- a/tools/test.mk
+++ b/tools/test.mk
@@ -1144,13 +1144,13 @@ test-all: clean
 
 
 test-size-all:
-	make test-size SIGN=NONE LIMIT=5060 NO_ARM_ASM=1
+	make test-size SIGN=NONE LIMIT=5066 NO_ARM_ASM=1
 	make keysclean
-	make test-size SIGN=ED25519 LIMIT=11778 NO_ARM_ASM=1
+	make test-size SIGN=ED25519 LIMIT=11818 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=ECC256  LIMIT=18944 NO_ARM_ASM=1
 	make clean
-	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13894 NO_ARM_ASM=1
+	make test-size SIGN=ECC256 NO_ASM=1 LIMIT=13914 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=RSA2048 LIMIT=11916 NO_ARM_ASM=1
 	make clean
@@ -1162,9 +1162,9 @@ test-size-all:
 	make keysclean
 	make test-size SIGN=ECC384 LIMIT=19888 NO_ARM_ASM=1
 	make clean
-	make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15270 NO_ARM_ASM=1
+	make test-size SIGN=ECC384 NO_ASM=1 LIMIT=15290 NO_ARM_ASM=1
 	make keysclean
-	make test-size SIGN=ED448 LIMIT=13846 NO_ARM_ASM=1
+	make test-size SIGN=ED448 LIMIT=13862 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=RSA3072 LIMIT=12056 NO_ARM_ASM=1
 	make clean
@@ -1172,12 +1172,12 @@ test-size-all:
 	make keysclean
 	make test-size SIGN=LMS LMS_LEVELS=2 LMS_HEIGHT=5 LMS_WINTERNITZ=8 \
 		WOLFBOOT_SMALL_STACK=0 IMAGE_SIGNATURE_SIZE=2644 \
-		IMAGE_HEADER_SIZE?=5288 LIMIT=7782 NO_ARM_ASM=1
+		IMAGE_HEADER_SIZE?=5288 LIMIT=7798 NO_ARM_ASM=1
 	make keysclean
 	make test-size SIGN=XMSS XMSS_PARAMS='XMSS-SHA2_10_256' \
 		IMAGE_SIGNATURE_SIZE=2500 IMAGE_HEADER_SIZE?=4096 \
-		LIMIT=8638 NO_ARM_ASM=1
+		LIMIT=8658 NO_ARM_ASM=1
 	make keysclean
 	make clean
-	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19392 \
+	make test-size SIGN=ML_DSA ML_DSA_LEVEL=2 LIMIT=19400 \
 		IMAGE_SIGNATURE_SIZE=2420 IMAGE_HEADER_SIZE?=8192
diff --git a/tools/unit-tests/Makefile b/tools/unit-tests/Makefile
index 8a889a8393..667820d9f1 100644
--- a/tools/unit-tests/Makefile
+++ b/tools/unit-tests/Makefile
@@ -87,7 +87,7 @@ unit-enc-nvm-flagshome:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS \
 	-DEXT_ENCRYPTED -DENCRYPT_WITH_CHACHA -DEXT_FLASH -DHAVE_CHACHA -DFLAGS_HOME
 unit-enc-nvm-flagshome:WOLFCRYPT_SRC+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.c
 unit-delta:CFLAGS+=-DNVM_FLASH_WRITEONCE -DMOCK_PARTITIONS -DDELTA_UPDATES -DDELTA_BLOCK_SIZE=512
-unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11
+unit-pkcs11_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPKCS11) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DSECURE_PKCS11 -DWOLFPKCS11_USER_SETTINGS
 unit-psa_store:CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA) -DMOCK_PARTITIONS -DMOCK_KEYVAULT -DWOLFCRYPT_TZ_PSA
 unit-update-flash:CFLAGS+=-DMOCK_PARTITIONS -DWOLFBOOT_NO_SIGN -DUNIT_TEST_AUTH \
 	-DWOLFBOOT_HASH_SHA256 -DPRINTF_ENABLED -DEXT_FLASH -DPART_UPDATE_EXT -DPART_SWAP_EXT