diff --git a/Dockerfile b/Dockerfile index 4d121d3c4..62617b4a9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1154,7 +1154,7 @@ COPY --from=pkg-ca-certificates / / ARG TESTPKGS ENV PLATFORM=container ENV GOFIPS140=latest -ENV GODEBUG=fips140=only +ENV GODEBUG=fips140=only,tlsmlkem=0 ARG GO_LDFLAGS RUN --security=insecure --mount=type=cache,id=testspace,target=/tmp --mount=type=cache,target=/.cache,id=talos/.cache go test \ -ldflags "${GO_LDFLAGS}" \ diff --git a/Makefile b/Makefile index ccc2be1a1..1825f20d7 100644 --- a/Makefile +++ b/Makefile @@ -25,9 +25,9 @@ DEBUG_TOOLS_SOURCE := scratch EMBED_TARGET ?= embed TOOLS_PREFIX ?= ghcr.io/siderolabs/tools -TOOLS ?= v1.12.0-alpha.0-1-g52db66e +TOOLS ?= v1.12.0-alpha.0-3-gedafd5f PKGS_PREFIX ?= ghcr.io/siderolabs -PKGS ?= v1.12.0-alpha.0-12-gab4e975 +PKGS ?= v1.12.0-alpha.0-13-g2cfb920 GENERATE_VEX_PREFIX ?= ghcr.io/siderolabs/generate-vex GENERATE_VEX ?= latest @@ -87,7 +87,7 @@ PKG_ZLIB ?= $(PKGS_PREFIX)/zlib:$(PKGS) PKG_ZSTD ?= $(PKGS_PREFIX)/zstd:$(PKGS) # renovate: datasource=github-tags depName=golang/go -GO_VERSION ?= 1.24 +GO_VERSION ?= 1.25 # renovate: datasource=npm depName=markdownlint-cli MARKDOWNLINTCLI_VERSION ?= 0.45.0 # renovate: datasource=docker versioning=docker depName=hugomods/hugo diff --git a/go.mod b/go.mod index 41388a1a6..d0b43478d 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/siderolabs/talos -go 1.24.5 +go 1.25.0 replace ( // see e.g. https://github.com/grpc/grpc-go/issues/6696 @@ -150,7 +150,7 @@ require ( github.com/siderolabs/go-circular v0.2.3 github.com/siderolabs/go-cmd v0.1.3 github.com/siderolabs/go-copy v0.1.0 - github.com/siderolabs/go-debug v0.5.0 + github.com/siderolabs/go-debug v0.6.0 github.com/siderolabs/go-kmsg v0.1.4 github.com/siderolabs/go-kubeconfig v0.1.1 github.com/siderolabs/go-kubernetes v0.2.25 diff --git a/go.sum b/go.sum index 1f7980a7d..67bb2dba3 100644 --- a/go.sum +++ b/go.sum 
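Review bot: In the Dockerfile hunk, the new `ENV GODEBUG=fips140=only,tlsmlkem=0` line carries no comment explaining `tlsmlkem=0`, which switches off the post-quantum hybrid TLS key exchange (X25519MLKEM768) for every test run in this stage. I would add a line above it such as `# tlsmlkem=0: hybrid X25519MLKEM768 key exchange is not usable under fips140=only with this Go release; revisit on the next Go bump`, reworded to the real reason, which is only inferred here from the Go 1.25 bump in the same commit. Because this stage only runs `go test`, it is also worth confirming that binaries shipped with FIPS enforcement run with the same GODEBUG value, otherwise the tests pass in a TLS configuration the product never uses. The RUN instruction continues past the end of the hunk.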
@@ -633,8 +633,8 @@ github.com/siderolabs/go-cmd v0.1.3 h1:JrgZwqhJQeoec3QRON0LK+fv+0y7d0DyY7zsfkO6c github.com/siderolabs/go-cmd v0.1.3/go.mod h1:bg7HY4mRNu4zKebAgUevSwuYNtcvPMJfuhLRkVKHZ0k= github.com/siderolabs/go-copy v0.1.0 h1:OIWCtSg+rhOtnIZTpT31Gfpn17rv5kwJqQHG+QUEgC8= github.com/siderolabs/go-copy v0.1.0/go.mod h1:4bF2rZOZAR/ags/U4AVSpjFE5RPGdEeSkOq6yR9YOkU= -github.com/siderolabs/go-debug v0.5.0 h1:AQwFtvyFkSYTA1of4/UyDvVu8dVLoQP5sUYgmcp/u+4= -github.com/siderolabs/go-debug v0.5.0/go.mod h1:qtqaKzHrtj5ork8hhzswb3c225221aSVveehKTjBwBw= +github.com/siderolabs/go-debug v0.6.0 h1:wcftcXv3fFeUHwsj4bJpHaXRJ6JJXL+eeaY69fCtHoY= +github.com/siderolabs/go-debug v0.6.0/go.mod h1:BtkctCvlYnkvqO9LVmVyM8CkkdhMgREHihOZBL1KW5s= github.com/siderolabs/go-kmsg v0.1.4 h1:RLAa90O9bWuhA3pXPAYAdrI+kzcqTshZASRA5yso/mo= github.com/siderolabs/go-kmsg v0.1.4/go.mod h1:BLkt2N2DHT0wsFMz32lMw6vNEZL90c8ZnBjpIUoBb/M= github.com/siderolabs/go-kubeconfig v0.1.1 h1:tZlgpelj/OqrcHVUwISPN0NRgObcflpH9WtE41mtQZ0= diff --git a/go.work b/go.work index d02650b4b..a41cdafa6 100644 --- a/go.work +++ b/go.work @@ -1,4 +1,4 @@ -go 1.24.5 +go 1.25.0 use ( . diff --git a/hack/modules-amd64.txt b/hack/modules-amd64.txt index 58f73394c..a02ccd8c7 100644 --- a/hack/modules-amd64.txt +++ b/hack/modules-amd64.txt @@ -1,8 +1,11 @@ +kernel/arch/x86/lib/crc-t10dif-x86.ko +kernel/arch/x86/lib/crc64-x86.ko kernel/crypto/async_tx/async_memcpy.ko kernel/crypto/async_tx/async_pq.ko kernel/crypto/async_tx/async_raid6_recov.ko kernel/crypto/async_tx/async_tx.ko kernel/crypto/async_tx/async_xor.ko +kernel/crypto/hkdf.ko kernel/crypto/xor.ko kernel/drivers/ata/ahci.ko kernel/drivers/ata/libahci.ko 
@@ -35,6 +38,7 @@ kernel/drivers/edac/x38_edac.ko
 kernel/drivers/gpu/drm/display/drm_display_helper.ko
 kernel/drivers/gpu/drm/drm_buddy.ko
 kernel/drivers/gpu/drm/drm_exec.ko
+kernel/drivers/gpu/drm/drm_panel_backlight_quirks.ko
 kernel/drivers/gpu/drm/drm_suballoc_helper.ko
 kernel/drivers/gpu/drm/drm_ttm_helper.ko
 kernel/drivers/gpu/drm/scheduler/gpu-sched.ko
@@ -73,6 +77,7 @@ kernel/drivers/infiniband/hw/irdma/irdma.ko
 kernel/drivers/infiniband/hw/mlx4/mlx4_ib.ko
 kernel/drivers/infiniband/hw/mlx5/mlx5_ib.ko
 kernel/drivers/infiniband/sw/rxe/rdma_rxe.ko
+kernel/drivers/leds/led-class-multicolor.ko
 kernel/drivers/md/bcache/bcache.ko
 kernel/drivers/md/dm-bio-prison.ko
 kernel/drivers/md/dm-cache-smq.ko
@@ -83,6 +88,7 @@ kernel/drivers/md/dm-round-robin.ko
 kernel/drivers/md/dm-thin-pool.ko
 kernel/drivers/md/persistent-data/dm-persistent-data.ko
 kernel/drivers/md/raid456.ko
+kernel/drivers/media/cec/core/cec.ko
 kernel/drivers/message/fusion/mptbase.ko
 kernel/drivers/message/fusion/mptsas.ko
 kernel/drivers/message/fusion/mptscsih.ko
@@ -93,6 +99,7 @@ kernel/drivers/misc/hpilo.ko
 kernel/drivers/mmc/host/sdhci-acpi.ko
 kernel/drivers/mmc/host/sdhci-pci.ko
 kernel/drivers/mmc/host/sdhci-pltfm.ko
+kernel/drivers/mmc/host/sdhci-uhs2.ko
 kernel/drivers/mmc/host/sdhci-xenon-driver.ko
 kernel/drivers/mmc/host/sdhci_f_sdh30.ko
 kernel/drivers/net/ethernet/amazon/ena/ena.ko
@@ -156,7 +163,7 @@ kernel/drivers/nvme/target/nvmet-fc.ko
 kernel/drivers/nvme/target/nvmet-rdma.ko
 kernel/drivers/nvme/target/nvmet-tcp.ko
 kernel/drivers/nvme/target/nvmet.ko
-kernel/drivers/platform/x86/intel/intel_vsec.ko
+kernel/drivers/platform/x86/intel/intel-vsec.ko
 kernel/drivers/platform/x86/intel/pmc/intel_pmc_core.ko
 kernel/drivers/platform/x86/intel/pmc/intel_pmc_core_pltdrv.ko
 kernel/drivers/platform/x86/intel/pmt/pmt_class.ko
@@ -188,8 +195,7 @@ kernel/drivers/vfio/vfio_iommu_type1.ko
 kernel/drivers/virt/coco/sev-guest/sev-guest.ko
 kernel/drivers/virt/coco/tsm.ko
 kernel/drivers/virtio/virtio_balloon.ko
-kernel/drivers/virtio/virtio_input.ko
-kernel/drivers/virtio/virtio_mmio.ko
+kernel/drivers/virtio/virtio_mem.ko
 kernel/drivers/virtio/virtio_pci.ko
 kernel/drivers/virtio/virtio_pci_legacy_dev.ko
 kernel/drivers/virtio/virtio_pci_modern_dev.ko
@@ -201,7 +207,9 @@ kernel/drivers/watchdog/sp5100_tco.ko
 kernel/drivers/watchdog/watchdog.ko
 kernel/drivers/watchdog/wdat_wdt.ko
 kernel/drivers/watchdog/xen_wdt.ko
+kernel/lib/crc-t10dif.ko
 kernel/lib/crc64.ko
+kernel/lib/crc8.ko
 kernel/lib/objagg.ko
 kernel/lib/parman.ko
 kernel/lib/raid6/raid6_pq.ko
diff --git a/hack/modules-arm64.txt b/hack/modules-arm64.txt
index 1dbd07f78..15d958493 100644
--- a/hack/modules-arm64.txt
+++ b/hack/modules-arm64.txt
@@ -3,6 +3,7 @@ kernel/crypto/async_tx/async_pq.ko
 kernel/crypto/async_tx/async_raid6_recov.ko
 kernel/crypto/async_tx/async_tx.ko
 kernel/crypto/async_tx/async_xor.ko
+kernel/crypto/hkdf.ko
 kernel/crypto/xor.ko
 kernel/drivers/ata/ahci.ko
 kernel/drivers/ata/pata_amd.ko
@@ -14,6 +15,7 @@ kernel/drivers/crypto/tegra/tegra-se.ko
 kernel/drivers/gpu/drm/display/drm_dp_aux_bus.ko
 kernel/drivers/gpu/drm/drm_buddy.ko
 kernel/drivers/gpu/drm/drm_exec.ko
+kernel/drivers/gpu/drm/drm_panel_backlight_quirks.ko
 kernel/drivers/gpu/drm/drm_suballoc_helper.ko
 kernel/drivers/gpu/drm/drm_ttm_helper.ko
 kernel/drivers/gpu/drm/drm_vram_helper.ko
@@ -53,7 +55,9 @@ kernel/drivers/infiniband/hw/irdma/irdma.ko
 kernel/drivers/infiniband/hw/mlx4/mlx4_ib.ko
 kernel/drivers/infiniband/hw/mlx5/mlx5_ib.ko
 kernel/drivers/infiniband/sw/rxe/rdma_rxe.ko
+kernel/drivers/irqchip/irq-bcm2712-mip.ko
 kernel/drivers/irqchip/irq-imx-mu-msi.ko
+kernel/drivers/leds/led-class-multicolor.ko
 kernel/drivers/mailbox/bcm-flexrm-mailbox.ko
 kernel/drivers/md/bcache/bcache.ko
 kernel/drivers/md/dm-bio-prison.ko
@@ -66,7 +70,6 @@ kernel/drivers/md/dm-thin-pool.ko
 kernel/drivers/md/persistent-data/dm-persistent-data.ko
 kernel/drivers/md/raid456.ko
 kernel/drivers/misc/hpilo.ko
-kernel/drivers/mmc/host/sdhci_f_sdh30.ko
 kernel/drivers/mmc/host/sdhci-acpi.ko
 kernel/drivers/mmc/host/sdhci-brcmstb.ko
 kernel/drivers/mmc/host/sdhci-cadence.ko
@@ -78,7 +81,9 @@ kernel/drivers/mmc/host/sdhci-of-esdhc.ko
 kernel/drivers/mmc/host/sdhci-pci.ko
 kernel/drivers/mmc/host/sdhci-pltfm.ko
 kernel/drivers/mmc/host/sdhci-tegra.ko
+kernel/drivers/mmc/host/sdhci-uhs2.ko
 kernel/drivers/mmc/host/sdhci-xenon-driver.ko
+kernel/drivers/mmc/host/sdhci_f_sdh30.ko
 kernel/drivers/net/ethernet/amazon/ena/ena.ko
 kernel/drivers/net/ethernet/aquantia/atlantic/atlantic.ko
 kernel/drivers/net/ethernet/atheros/alx/alx.ko
@@ -92,7 +97,6 @@ kernel/drivers/net/ethernet/google/gve/gve.ko
 kernel/drivers/net/ethernet/hisilicon/hip04_eth.ko
 kernel/drivers/net/ethernet/hisilicon/hisi_femac.ko
 kernel/drivers/net/ethernet/hisilicon/hix5hd2_gmac.ko
-kernel/drivers/net/ethernet/hisilicon/hns_mdio.ko
 kernel/drivers/net/ethernet/hisilicon/hns/hnae.ko
 kernel/drivers/net/ethernet/hisilicon/hns/hns_dsaf.ko
 kernel/drivers/net/ethernet/hisilicon/hns/hns_enet_drv.ko
@@ -101,6 +105,7 @@ kernel/drivers/net/ethernet/hisilicon/hns3/hclge.ko
 kernel/drivers/net/ethernet/hisilicon/hns3/hclgevf.ko
 kernel/drivers/net/ethernet/hisilicon/hns3/hnae3.ko
 kernel/drivers/net/ethernet/hisilicon/hns3/hns3.ko
+kernel/drivers/net/ethernet/hisilicon/hns_mdio.ko
 kernel/drivers/net/ethernet/intel/e100.ko
 kernel/drivers/net/ethernet/intel/e1000/e1000.ko
 kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
@@ -183,22 +188,22 @@ kernel/drivers/scsi/mpt3sas/mpt3sas.ko
 kernel/drivers/scsi/qedf/qedf.ko
 kernel/drivers/scsi/qla2xxx/qla2xxx.ko
 kernel/drivers/scsi/smartpqi/smartpqi.ko
-kernel/drivers/uio/uio_pci_generic.ko
 kernel/drivers/uio/uio.ko
+kernel/drivers/uio/uio_pci_generic.ko
 kernel/drivers/usb/serial/ch341.ko
 kernel/drivers/usb/serial/cp210x.ko
 kernel/drivers/usb/serial/ftdi_sio.ko
 kernel/drivers/usb/serial/pl2303.ko
 kernel/drivers/vfio/pci/vfio-pci-core.ko
 kernel/drivers/vfio/pci/vfio-pci.ko
-kernel/drivers/vfio/vfio_iommu_type1.ko
 kernel/drivers/vfio/vfio.ko
+kernel/drivers/vfio/vfio_iommu_type1.ko
 kernel/drivers/virtio/virtio_balloon.ko
 kernel/drivers/virtio/virtio_input.ko
 kernel/drivers/virtio/virtio_mmio.ko
+kernel/drivers/virtio/virtio_pci.ko
 kernel/drivers/virtio/virtio_pci_legacy_dev.ko
 kernel/drivers/virtio/virtio_pci_modern_dev.ko
-kernel/drivers/virtio/virtio_pci.ko
 kernel/drivers/watchdog/sbsa_gwdt.ko
 kernel/lib/objagg.ko
 kernel/lib/parman.ko
diff --git a/hack/release.toml b/hack/release.toml
index d31acb6be..cc9b39476 100644
--- a/hack/release.toml
+++ b/hack/release.toml
@@ -18,7 +18,7 @@ preface = """
 [notes.updates]
 title = "Component Updates"
 description = """\
-Linux: 6.12.43
+Linux: 6.15.11
 Kubernetes: 1.34.0-rc.2
 runc: 1.3.0
 etcd: 3.6.4
diff --git a/internal/pkg/selinux/policy/policy.33 b/internal/pkg/selinux/policy/policy.33
index 4a32e637d..f7cc87f09 100644
Binary files a/internal/pkg/selinux/policy/policy.33 and b/internal/pkg/selinux/policy/policy.33 differ
diff --git a/internal/pkg/selinux/policy/selinux/immutable/classes.cil b/internal/pkg/selinux/policy/selinux/immutable/classes.cil
index 609a2a318..6fb006c62 100644
--- a/internal/pkg/selinux/policy/selinux/immutable/classes.cil
+++ b/internal/pkg/selinux/policy/selinux/immutable/classes.cil
@@ -150,6 +150,9 @@
 syslog_console
 syslog_mod
 syslog_read
+ firmware_load
+ kexec_image_load
+ kexec_initramfs_load
 ))
 (class process2 (nnp_transition nosuid_transition))
 (class fd (use))
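Review bot: In the classes.cil hunk, `firmware_load` is declared alongside the two kexec permissions, but the only rule in this commit that grants any of the three is the `init_t` kexec rule in machined.cil. If no other policy file allows `firmware_load`, a confined domain that triggers a firmware request would be denied once the kernel checks the permission, so the commit should say where it is granted or that denial is intended. A comment above the three entries, for example `; file-load checks added to this class for the 6.15 kernel`, would record why the permission list changed; the kernel version comes from the release-notes hunk and the link between the two is inferred. The permission list opens before the start of this hunk.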
diff --git a/internal/pkg/selinux/policy/selinux/services/machined.cil b/internal/pkg/selinux/policy/selinux/services/machined.cil index 6dbd61b02..959592d3d 100644 --- a/internal/pkg/selinux/policy/selinux/services/machined.cil +++ b/internal/pkg/selinux/policy/selinux/services/machined.cil @@ -79,6 +79,7 @@ ; reboot & kexec (allow init_t self (capability (sys_boot))) +(allow init_t tmpfs_t (system (kexec_image_load kexec_initramfs_load))) ; labeling FS (allow init_t any_f (fs_classes (relabelfrom relabelto))) diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index acd119e3b..ec86fe32e 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -14,7 +14,7 @@ import ( const ( // DefaultKernelVersion is the default Linux kernel version. - DefaultKernelVersion = "6.12.43-talos" + DefaultKernelVersion = "6.15.11-talos" // KernelParamConfig is the kernel parameter name for specifying the URL. // to the config. @@ -1108,7 +1108,7 @@ const ( DBusClientSocketLabel = "system_u:object_r:dbus_client_socket_t:s0" // GoVersion is the version of Go compiler this release was built with. - GoVersion = "go1.24.6" + GoVersion = "go1.25.0" // KubernetesTalosAPIServiceName is the name of the Kubernetes service to access Talos API. KubernetesTalosAPIServiceName = "talos" diff --git a/pkg/machinery/gendata/data/pkgs b/pkg/machinery/gendata/data/pkgs index ccb393c5f..4718210a8 100644 --- a/pkg/machinery/gendata/data/pkgs +++ b/pkg/machinery/gendata/data/pkgs @@ -1 +1 @@ -v1.12.0-alpha.0-12-gab4e975 \ No newline at end of file +v1.12.0-alpha.0-13-g2cfb920 \ No newline at end of file diff --git a/pkg/machinery/gendata/data/tools b/pkg/machinery/gendata/data/tools index 75ffce8cf..9df465aaa 100644 --- a/pkg/machinery/gendata/data/tools +++ b/pkg/machinery/gendata/data/tools @@ -1 +1 @@ -v1.12.0-alpha.0-1-g52db66e \ No newline at end of file +v1.12.0-alpha.0-3-gedafd5f \ No newline at end of file 
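Review bot: The new `(allow init_t tmpfs_t (system (kexec_image_load kexec_initramfs_load)))` rule in machined.cil targets `tmpfs_t`, so any file carrying that label is an acceptable kexec kernel or initramfs source for `init_t`. If the images are staged in one known place, which this hunk does not show, a dedicated type for those files would keep the grant narrow. Failing that, a comment such as `; kexec images are read from <staging location>, labelled tmpfs_t` would document why the broad type is acceptable. A matching `auditallow` on the same two permissions would make every kexec load visible in the audit log.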
diff --git a/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi b/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi
index 73fe9f6a5..99701f976 100644
Binary files a/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi and b/pkg/provision/providers/vm/internal/ipxe/data/ipxe/amd64/snp.efi differ