diff --git a/build_library/oem_sysext_util.sh b/build_library/oem_sysext_util.sh
index 21e014db48..e5e057bdcd 100755
--- a/build_library/oem_sysext_util.sh
+++ b/build_library/oem_sysext_util.sh
@@ -68,6 +68,8 @@ oem_sysext_create() {
     local sysext_work_dir="${work_dir}/sysext-${oem}"
     local prod_rw_image="${sysext_work_dir}/prod_for_sysext.bin"
     local prod_rw_rootfs="${sysext_work_dir}/prod_rw_rootfs"
+    local sysext_overlay_work="${sysext_work_dir}/overlay.work"
+    local sysext_overlay_upper="${sysext_work_dir}/overlay.upper"
 
     local cleanup_actions=()
     trap '_invoke_actions "${cleanup_actions[@]}"' EXIT
@@ -82,21 +84,29 @@ oem_sysext_create() {
     info 'Preparing work image for mounting'
     "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=base \
         tune --randomize_uuid "${prod_rw_image}" OEM
-    "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=base \
-        tune --enable2fs_rw "${prod_rw_image}" USR-A
 
     info "Mounting work image to ${prod_rw_rootfs}"
     _prepend_action cleanup_actions rmdir "${prod_rw_rootfs}"
     _prepend_action cleanup_actions "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=base \
         umount "${prod_rw_rootfs}"
     "${BUILD_LIBRARY_DIR}/disk_util" --disk_layout=base \
-        mount --writable_verity "${prod_rw_image}" "${prod_rw_rootfs}"
+        mount "${prod_rw_image}" "${prod_rw_rootfs}"
 
     local initial_files="${sysext_work_dir}/initial_files"
     info "Generating list of initial files in work image"
     _prepend_action cleanup_actions rm -f "${initial_files}"
     _generate_listing "${prod_rw_rootfs}" "${initial_files}"
 
+    # /usr partition may be too small to fit the sysext files, so mount
+    # an overlay temporarily.
+    _prepend_action cleanup_actions sudo rm -rf "${sysext_overlay_work}" "${sysext_overlay_upper}"
+    mkdir -p "${sysext_overlay_work}" "${sysext_overlay_upper}"
+
+    _prepend_action cleanup_actions sudo umount "${prod_rw_rootfs}/usr"
+    sudo mount -t overlay usr-overlay \
+        -o lowerdir="${prod_rw_rootfs}/usr",upperdir="${sysext_overlay_upper}",workdir="${sysext_overlay_work}" \
+        "${prod_rw_rootfs}/usr"
+
     info "Stuffing package database into into ${prod_rw_rootfs}"
     sudo tar -xf "${prod_pkgdb}" -C "${prod_rw_rootfs}"
 
diff --git a/ci-automation/ci-config.env b/ci-automation/ci-config.env
index 5ddc05accc..5773a4c1c6 100644
--- a/ci-automation/ci-config.env
+++ b/ci-automation/ci-config.env
@@ -28,8 +28,8 @@ CI_GIT_AUTHOR="flatcar-ci"
 CI_GIT_EMAIL="infra+ci@flatcar-linux.org"
 
 # build artifacts go here (in container)
-CONTAINER_TORCX_ROOT="/home/sdk/build/torcx"
-CONTAINER_IMAGE_ROOT="/home/sdk/build/images"
+CONTAINER_TORCX_ROOT="/home/sdk/trunk/src/build/torcx"
+CONTAINER_IMAGE_ROOT="/home/sdk/trunk/src/build/images"
 
 # Set it to "1" or "true" or "t" or "y" or "yes" to always run a full
 # nightly build. Any other value will allow build shortcuts.
diff --git a/ci-automation/image.sh b/ci-automation/image.sh
index f45b78eaac..92e9a22cd5 100644
--- a/ci-automation/image.sh
+++ b/ci-automation/image.sh
@@ -84,11 +84,17 @@ function _image_build_impl() {
             official_arg="--noofficial"
     fi
 
+    local torcx_root_tar="torcx_root.tar.zst"
     apply_local_patches
+    copy_from_buildcache "images/${arch}/${vernum}/torcx/${torcx_root_tar}" .
+
     # build image and related artifacts
     ./run_sdk_container -x ./ci-cleanup.sh -n "${image_container}" -C "${packages_image}" \
             -v "${vernum}" \
-            mkdir -p "${CONTAINER_IMAGE_ROOT}"
+            mkdir -p "${CONTAINER_IMAGE_ROOT}" "${CONTAINER_TORCX_ROOT}"
+    ./run_sdk_container -n "${image_container}" -C "${packages_image}" \
+            -v "${vernum}" \
+            tar --zstd -xf "${torcx_root_tar}" -C "${CONTAINER_TORCX_ROOT}"
     ./run_sdk_container -n "${image_container}" -C "${packages_image}" \
             -v "${vernum}" \
             ./set_official --board="${arch}-usr" "${official_arg}"
diff --git a/ci-automation/packages.sh b/ci-automation/packages.sh
index add6fc3c61..1d4faf42c8 100644
--- a/ci-automation/packages.sh
+++ b/ci-automation/packages.sh
@@ -123,6 +123,11 @@ function _packages_build_impl() {
     # generate image + push to build cache
     docker_commit_to_buildcache "${packages_container}" "${packages_image}" "${docker_vernum}"
 
+    # publish torcx output root for consumption by build_image
+    local torcx_root_tar="torcx_root.tar.zst"
+    tar --zstd -cpf "${torcx_root_tar}" -C "${torcx_tmp}/torcx" .
+    copy_to_buildcache "images/${arch}/${vernum}/torcx" "${torcx_root_tar}"
+
     # Publish torcx manifest and docker tarball to "images" cache so tests can pull it later.
     create_digests "${SIGNER}" \
         "${torcx_tmp}/torcx/${arch}-usr/latest/torcx_manifest.json" \