diff --git a/build_library/catalyst_toolchains.sh b/build_library/catalyst_toolchains.sh
index 07428f7350..2ab4c46dae 100644
--- a/build_library/catalyst_toolchains.sh
+++ b/build_library/catalyst_toolchains.sh
@@ -19,17 +19,22 @@ configure_target_root() {
     CBUILD="$(portageq envvar CBUILD)" \
         CHOST="${cross_chost}" \
         ROOT="/build/${board}" \
-        SYSROOT="/usr/${cross_chost}" \
+        SYSROOT="/build/${board}" \
         _configure_sysroot "${profile}"
 }
 
 build_target_toolchain() {
     local board="$1"
     local ROOT="/build/${board}"
+    local SYSROOT="/usr/$(get_board_chost "${board}")"
+
+    mkdir -p "${ROOT}/usr"
+    cp -at "${ROOT}" "${SYSROOT}"/lib*
+    cp -at "${ROOT}"/usr "${SYSROOT}"/usr/include "${SYSROOT}"/usr/lib*
 
     # --root is required because run_merge overrides ROOT=
     PORTAGE_CONFIGROOT="$ROOT" \
-        run_merge -u --root="$ROOT" "${TOOLCHAIN_PKGS[@]}"
+        run_merge -u --root="$ROOT" --sysroot="$ROOT" "${TOOLCHAIN_PKGS[@]}"
 }
 
 configure_crossdev_overlay / /tmp/crossdev
diff --git a/build_library/toolchain_util.sh b/build_library/toolchain_util.sh
index 0ba6a4063f..a497f0aaca 100644
--- a/build_library/toolchain_util.sh
+++ b/build_library/toolchain_util.sh
@@ -256,7 +256,7 @@ _configure_sysroot() {
     $sudo eselect profile set --force "$profile"
 
     $sudo tee "${ROOT}/etc/portage/make.conf" >/dev/null <<EOF
-$(portageq envvar -v CHOST CBUILD ROOT SYSROOT \
+$(portageq envvar -v CHOST CBUILD ROOT \
     PORTDIR PORTDIR_OVERLAY DISTDIR PKGDIR)
 HOSTCC=\${CBUILD}-gcc
 PKG_CONFIG_PATH="\${SYSROOT}/usr/lib/pkgconfig/"
@@ -371,7 +371,7 @@ install_cross_libs() {
     done | $sudo tee "${package_provided}/cross-${cross_chost}" >/dev/null
 
     # OK, clear as mud? Install those dependencies now!
-    PORTAGE_CONFIGROOT="$ROOT" ROOT="$ROOT" $sudo emerge "$@" -u $cross_deps
+    PORTAGE_CONFIGROOT="$ROOT" $sudo emerge --root="$ROOT" --sysroot="$ROOT" "$@" -u $cross_deps
 }
 
 # Get the latest GCC profile for a given CHOST
diff --git a/build_library/vm_image_util.sh b/build_library/vm_image_util.sh
index eab411d7fe..b14b1bd553 100644
--- a/build_library/vm_image_util.sh
+++ b/build_library/vm_image_util.sh
@@ -464,7 +464,7 @@ install_oem_package() {
     # build anything else from source here. emerge doesn't have a way to
     # enforce this in a single command.
     info "Building ${oem_pkg}"
-    USE="${oem_use}" emerge-${BOARD} --root="${oem_tmp}" \
+    USE="${oem_use}" emerge-${BOARD} \
         --nodeps --buildpkgonly --usepkg n \
         --quiet "${oem_pkg}"
 
@@ -474,7 +474,8 @@ install_oem_package() {
     fi
 
     info "Installing ${oem_pkg} to OEM partition"
-    USE="${oem_use}" emerge-${BOARD} --root="${oem_tmp}" \
+    USE="${oem_use}" emerge-${BOARD} \
+        --root="${oem_tmp}" --sysroot="${oem_tmp}" \
         --root-deps=rdeps --usepkgonly ${getbinpkg} \
         --quiet --jobs=2 "${oem_pkg}"
     sudo rsync -a "${oem_tmp}/usr/share/oem/" "${VM_TMP_ROOT}/usr/share/oem/"
diff --git a/build_torcx_store b/build_torcx_store
index b4583f73ad..2b1562a046 100755
--- a/build_torcx_store
+++ b/build_torcx_store
@@ -79,12 +79,25 @@ function torcx_build() (
         [ -s "${tmproot}/etc/portage/bashrc" ] &&
         . "${tmproot}/etc/portage/bashrc"
 
+        # Build binary packages using dev files in the board root.
+        emerge-${BOARD} \
+            --buildpkg \
+            --buildpkgonly \
+            --nodeps \
+            --oneshot \
+            --quiet \
+            --root-deps=rdeps \
+            "${pkg}"
+
+        # Install the binary packages in the temporary torcx image root.
         emerge-${BOARD} \
             --nodeps \
             --oneshot \
+            --quiet \
             --root="${tmproot}" \
             --root-deps=rdeps \
-            --quiet \
+            --sysroot="${tmproot}" \
+            --usepkgonly \
             "${pkg}"
 )
 
diff --git a/common.sh b/common.sh
index 90ad07bd48..bcd571f01c 100644
--- a/common.sh
+++ b/common.sh
@@ -319,7 +319,7 @@ else
 fi
 
 # Compatibility alias
-COREOS_VERSION_STRING="${COREOS_VERSION}"
+FLATCAR_VERSION_STRING="${FLATCAR_VERSION}"
 
 # Calculate what today's build version should be, used by release
 # scripts to provide a reasonable default value. The value is the number
diff --git a/kernel_menuconfig b/kernel_menuconfig
deleted file mode 100755
index 39da3e2127..0000000000
--- a/kernel_menuconfig
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/bin/bash
-
-# Copyright (c) 2015 The CoreOS Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-SCRIPT_ROOT=$(dirname "$(readlink -f "$0")")
-. "${SCRIPT_ROOT}/common.sh" || exit 1
-
-# Script must run inside the chroot
-assert_inside_chroot
-
-assert_not_root_user
-
-# Flags
-DEFINE_string board "${DEFAULT_BOARD}" \
-  "Board to use for kernel source and architecture."
-DEFINE_string overlay "coreos" \
-  "Portage repo containing the kernel ebuild."
-DEFINE_string package "sys-kernel/coreos-modules" \
-  "Portage ebuild name for the kernel."
-
-# Parse command line
-FLAGS "$@" || exit 1
-eval set -- "${FLAGS_ARGV}"
-
-# Die on any errors.
-switch_to_strict_mode
-
-if [[ -z "${FLAGS_board}" ]] ; then
-  die_notrace "--board is required."
-fi
-
-. "${BUILD_LIBRARY_DIR}/toolchain_util.sh"
-. "${BUILD_LIBRARY_DIR}/board_options.sh"
-
-KERNEL_ARCH=$(get_kernel_arch "${CHOST}")
-KERNEL_CLFAGS="-nopie -fstack-check=no"
-KERNEL_SRC="${BOARD_ROOT}/usr/src/linux"
-if [[ ! -f "${KERNEL_SRC}/Makefile" ]]; then
-  die_notrace "No kernel source found at ${KERNEL_SRC}"
-fi
-
-KERNEL_BUILD=$(mktemp -d)
-trap "rm -rf '${KERNEL_BUILD}'" EXIT
-
-# Set up a ccache friendly build tree
-mkdir -p "${KERNEL_BUILD}/build"
-ln -s "${KERNEL_SRC}"/* "${KERNEL_BUILD}"
-
-if [[ -d /usr/lib/ccache/bin ]]; then
-  export PATH="/usr/lib/ccache/bin:${PATH}"
-  export CCACHE_BASEDIR="${KERNEL_BUILD}"
-fi
-
-kmake() {
-  make -C "${KERNEL_BUILD}" \
-    ARCH="${KERNEL_ARCH}" \
-    CROSS_COMPILE="${CHOST}-" \
-    KBUILD_OUTPUT="build" \
-    KCFLAGS="${KERNEL_CFLAGS}" \
-    LDFLAGS="" \
-    "$@"
-}
-
-kmake_var() {
-  echo -e "e:\\n\\t@echo \$(${1})\\ninclude Makefile" | kmake -s -f -
-}
-
-KERNEL_MAJOR=$(kmake_var VERSION)
-KERNEL_MINOR=$(kmake_var PATCHLEVEL)
-
-OVERLAY=$(portageq get_repo_path / "${FLAGS_overlay}")
-FILESDIR="${OVERLAY}/${FLAGS_package}/files"
-DEFCONFIG_NAME="${ARCH}_defconfig-${KERNEL_MAJOR}.${KERNEL_MINOR}"
-DEFCONFIG_PATH="${FILESDIR}/${DEFCONFIG_NAME}"
-COMMONCONFIG_NAME="commonconfig-${KERNEL_MAJOR}.${KERNEL_MINOR}"
-COMMONCONFIG_PATH="${FILESDIR}/${COMMONCONFIG_NAME}"
-
-cat "${DEFCONFIG_PATH}" "${COMMONCONFIG_PATH}" > "${KERNEL_BUILD}/build/.config"
-kmake olddefconfig
-cp "${KERNEL_BUILD}/build/.config" "${KERNEL_BUILD}/build/.config.bak"
-kmake menuconfig
-kmake savedefconfig
-diff -u "${KERNEL_BUILD}/build/.config.bak" "${KERNEL_BUILD}/build/.config" || true
diff --git a/setup_board b/setup_board
index 1ca62f369f..140a14ac2d 100755
--- a/setup_board
+++ b/setup_board
@@ -305,19 +305,28 @@ if [[ ${FLAGS_regen_configs} -eq ${FLAGS_FALSE} ]]; then
       EMERGE_FLAGS+=" --usepkg"
     fi
     EMERGE_FLAGS+=" --getbinpkg"
-    EMERGE_TOOLCHAIN_FLAGS+=" --usepkgonly --getbinpkg --rebuilt-binaries n"
-  else
-    # When binary packages are disabled we need to make sure the cross
-    # sysroot includes any build dependencies for the toolchain.
-    info "Installing toolchain build dependencies"
-    install_cross_libs "${BOARD_CHOST}" ${EMERGE_FLAGS} --buildpkg=n
   fi
 
   info "Installing baselayout"
   "${EMERGE_WRAPPER}" ${EMERGE_FLAGS} --nodeps sys-apps/baselayout
 
+  if [[ "${FLAGS_usepkg}" -ne "${FLAGS_TRUE}" ||
+        "${FLAGS_getbinpkg}" -ne "${FLAGS_TRUE}" ]]
+  then
+    # When binary packages are disabled we need to make sure the cross
+    # sysroot includes any build dependencies for the toolchain.
+    info "Installing toolchain build dependencies"
+    install_cross_libs "${BOARD_CHOST}" ${EMERGE_FLAGS} --buildpkg=n
+
+    info "Building toolchain"
+    "${EMERGE_WRAPPER}" --buildpkg --buildpkgonly \
+        --root="/usr/${BOARD_CHOST}" --sysroot="/usr/${BOARD_CHOST}" \
+	${EMERGE_TOOLCHAIN_FLAGS} "${TOOLCHAIN_PKGS[@]}"
+  fi
+
   info "Installing toolchain"
-  SYSROOT="/usr/${BOARD_CHOST}" "${EMERGE_WRAPPER}" \
+  "${EMERGE_WRAPPER}" \
+      --usepkgonly --getbinpkg --rebuilt-binaries n \
       ${EMERGE_TOOLCHAIN_FLAGS} "${TOOLCHAIN_PKGS[@]}"
 fi
 
diff --git a/signing/sign.sh b/signing/sign.sh
index 717ff31d8d..a7ed93f4d5 100755
--- a/signing/sign.sh
+++ b/signing/sign.sh
@@ -4,9 +4,11 @@ set -ex
 DATA_DIR="$(readlink -f "$1")"
 KEYS_DIR="$(readlink -f "$(dirname "$0")")"
 
+echo "===     Verifying update payload...     ==="
 gpg2 --verify "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
 gpg2 --verify "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
 gpg2 --verify "${DATA_DIR}/flatcar_production_update.zip.sig"
+echo "===   Decompressing update payload...   ==="
 bunzip2 --keep "${DATA_DIR}/flatcar_production_update.bin.bz2"
 unzip "${DATA_DIR}/flatcar_production_update.zip" -d "${DATA_DIR}"