diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 41ca2cc8b3..a58ebb0886 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -35,6 +35,7 @@ jobs:
 - firecracker
 - kata-ctl
 - kernel
+ - kernel-confidential
 - kernel-sev
 - kernel-dragonball-experimental
 - kernel-tdx-experimental
diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile
index b2de80dac2..21ad3626df 100644
--- a/tools/packaging/kata-deploy/local-build/Makefile
+++ b/tools/packaging/kata-deploy/local-build/Makefile
@@ -20,6 +20,7 @@ endif
 ifeq ($(ARCH), x86_64)
 BASE_TARBALLS = serial-targets \
 firecracker-tarball \
+ kernel-confidential-tarball \
 kernel-dragonball-experimental-tarball \
 kernel-nvidia-gpu-tarball \
 kernel-nvidia-gpu-snp-tarball \
@@ -110,6 +111,9 @@ kernel-nvidia-gpu-tdx-experimental-tarball:
 kernel-tarball:
 ${MAKE} $@-build
 
+kernel-confidential-tarball:
+ ${MAKE} $@-build
+
 kernel-tdx-experimental-tarball:
 ${MAKE} $@-build
 
diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
index f02302907d..8f0c2dd634 100755
--- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
+++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh
@@ -92,6 +92,7 @@ options:
 firecracker
 kata-ctl
 kernel
+ kernel-confidential
 kernel-dragonball-experimental
 kernel-experimental
 kernel-nvidia-gpu
@@ -280,7 +281,7 @@ install_cached_kernel_tarball_component() {
 "${final_tarball_path}" \
 || return 1
 
- if [[ "${kernel_name}" != "kernel-sev" ]]; then
+ if [[ "${kernel_name}" != "kernel-sev" ]] && [[ "${kernel_name}" != "kernel-confidential" ]]; then
 return 0
 fi
 
@@ -289,13 +290,13 @@ install_cached_kernel_tarball_component() {
 "${kernel_name}" \
 "${latest_artefact}" \
 "${latest_builder_image}" \
- "kata-static-kernel-sev-modules.tar.xz" \
- "${workdir}/kata-static-kernel-sev-modules.tar.xz" \
+ "kata-static-${kernel_name}-modules.tar.xz" \
+ "${workdir}/kata-static-${kernel_name}-modules.tar.xz" \
 || return 1
 
 if [[ -n "${module_dir}" ]]; then
 mkdir -p "${module_dir}"
- tar xvf "${workdir}/kata-static-kernel-sev-modules.tar.xz" -C "${module_dir}" && return 0
+ tar xvf "${workdir}/kata-static-${kernel_name}-modules.tar.xz" -C "${module_dir}" && return 0
 fi
 
 return 1
@@ -315,6 +316,10 @@ install_kernel_helper() {
 kernel_version="$(get_from_kata_deps assets.kernel.sev.version)"
 default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
 module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-sev/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
+ elif [[ "${kernel_name}" == "kernel-confidential" ]]; then
+ kernel_version="$(get_from_kata_deps assets.kernel.confidential.version)"
+ default_patches_dir="${repo_root_dir}/tools/packaging/kernel/patches"
+ module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/kernel-confidential/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"
 fi
 
 install_cached_kernel_tarball_component ${kernel_name} ${module_dir} && return 0
@@ -332,6 +337,15 @@ install_kernel() {
 "-f"
 }
 
+install_kernel_confidential() {
+ local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"
+
+ install_kernel_helper \
+ "assets.kernel.confidential.version" \
+ "kernel" \
+ "-x confidential -u ${kernel_url}"
+}
+
 install_kernel_dragonball_experimental() {
 install_kernel_helper \
 "assets.kernel-dragonball-experimental.version" \
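Review bot: The new `elif` branch for kernel-confidential in install_kernel_helper repeats the kernel-sev branch above it line for line, with only the versions.yaml key and one path component changed, and that path component is exactly `${kernel_name}`. Computing `module_dir="${repo_root_dir}/tools/packaging/kata-deploy/local-build/build/${kernel_name}/builddir/kata-linux-${kernel_version#v}-${kernel_kata_config_version}/lib/modules/${kernel_version#v}"` once, guarded on the two names that ship a modules tarball, would leave each branch responsible only for its own `kernel_version` and keep the two paths from drifting apart; this assumes no branch outside the hunk assigns `module_dir` differently. install_kernel_helper starts and ends outside the hunk.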
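Review bot: `local kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"` in install_kernel_confidential discards the lookup's exit status, because the status the shell sees is that of the `local` builtin; a missing or misspelled `assets.kernel.confidential.url` key therefore yields an empty kernel_url and install_kernel_helper is invoked with `-x confidential -u ` and no URL behind it. Declaring and assigning separately, `local kernel_url` then `kernel_url="$(get_from_kata_deps assets.kernel.confidential.url)"`, and failing explicitly when the value is empty makes the misconfiguration visible at the point it happens rather than somewhere inside build-kernel.sh. Whether this file runs under `set -e`, which would make the split assignment fail on its own, is not visible in the hunk.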
@@ -741,6 +755,7 @@ handle_build() {
 install_initrd_sev
 install_kata_ctl
 install_kernel
+ install_kernel_confidential
 install_kernel_dragonball_experimental
 install_kernel_tdx_experimental
 install_log_parser_rs
@@ -776,6 +791,8 @@ handle_build() {
 kernel) install_kernel ;;
 
+ kernel-confidential) install_kernel_confidential ;;
+
 kernel-dragonball-experimental) install_kernel_dragonball_experimental ;;
 
 kernel-nvidia-gpu) install_kernel_nvidia_gpu ;;
 
diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh
index f1d1bb62c2..a92c8183ed 100755
--- a/tools/packaging/kernel/build-kernel.sh
+++ b/tools/packaging/kernel/build-kernel.sh
@@ -110,7 +110,7 @@ Options:
 -t : Hypervisor_target.
 -u : Kernel URL to be used to download the kernel tarball.
 -v : Kernel version to use if kernel path not provided.
- -x : Confidential guest protection type, such as sev, snp and tdx
+ -x : Confidential guest protection type, such as sev, snp, tdx, or "confidential" (for all of those).
 EOF
 exit "$exit_code"
 }
@@ -151,7 +151,7 @@ get_tee_kernel() {
 local kernel_tarball="${version}.tar.gz"
 
- # Depending on where we're getting the terball from it may have a
+ # Depending on where we're getting the tarball from it may have a
 # different name, such as linux-${version}.tar.gz or simply
 # ${version}.tar.gz. Let's try both before failing.
 curl --fail -L "${kernel_url}/linux-${kernel_tarball}" -o ${kernel_tarball} || curl --fail -OL "${kernel_url}/${kernel_tarball}"
@@ -457,7 +457,7 @@ build_kernel() {
 arch_target=$(arch_to_kernel "${arch_target}")
 pushd "${kernel_path}" >>/dev/null
 make -j $(nproc ${CI:+--ignore 1}) ARCH="${arch_target}" ${CROSS_BUILD_ARG}
- if [ "${conf_guest}" == "sev" ]; then
+ if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then
 make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install
 fi
 [ "$arch_target" != "powerpc" ] && ([ -e "arch/${arch_target}/boot/bzImage" ] || [ -e "arch/${arch_target}/boot/Image.gz" ])
@@ -603,7 +603,7 @@ main() {
 x)
 conf_guest="${OPTARG}"
 case "$conf_guest" in
- sev|snp|tdx) ;;
+ confidential|sev|snp|tdx) ;;
 *) die "Confidential guest type '$conf_guest' not supported" ;;
 esac
 ;;
diff --git a/tools/packaging/kernel/configs/fragments/common/base.conf b/tools/packaging/kernel/configs/fragments/common/base.conf
index 12d249e756..362608470f 100644
--- a/tools/packaging/kernel/configs/fragments/common/base.conf
+++ b/tools/packaging/kernel/configs/fragments/common/base.conf
@@ -4,13 +4,6 @@ CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SMP=y
 # Note, no nested VM support enabled here
 
-# Turn off embedded mode, as it disabled 'too much', and we
-# no longer pass all the tests. We should refine this, and
-# work out which of the ~66 items it enables are really needed.
-# I believe this is the actual syntax we need for a fragment to
-# disable an item...
-# CONFIG_EMBEDDED is not set
-
 # Note, no virt enabled baloon yet
 CONFIG_INPUT=y
 CONFIG_PRINTK=y
diff --git a/tools/packaging/kernel/configs/fragments/common/fs.conf b/tools/packaging/kernel/configs/fragments/common/fs.conf
index c3be9f925e..8ff5573c17 100644
--- a/tools/packaging/kernel/configs/fragments/common/fs.conf
+++ b/tools/packaging/kernel/configs/fragments/common/fs.conf
@@ -31,7 +31,6 @@ CONFIG_FSNOTIFY=y
 CONFIG_DNOTIFY=y
 CONFIG_INOTIFY_USER=y
 CONFIG_FANOTIFY=y
-CONFIG_AUTOFS4_FS=y
 CONFIG_AUTOFS_FS=y
 CONFIG_TMPFS=y
 CONFIG_DEVTMPFS=y
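Review bot: The line `if [ "${conf_guest}" == "sev" ] || [ "${conf_guest}" == "confidential" ]; then` in build_kernel is the second place in this diff that enumerates which guest types ship a modules tarball (the first is the `kernel_name` test in install_cached_kernel_tarball_component), and a chain of `[ == ]` tests will grow by one clause per new type. Using the form main() already uses for the `-x` argument, `case "${conf_guest}" in sev|confidential) make -j $(nproc ${CI:+--ignore 1}) INSTALL_MOD_STRIP=1 INSTALL_MOD_PATH=${kernel_path} modules_install ;; esac`, keeps the list in one pattern, and a one-line comment on why only these types run modules_install would save the next reader from guessing. build_kernel starts and ends outside the hunk.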
diff --git a/tools/packaging/kernel/configs/fragments/common/lsm.conf b/tools/packaging/kernel/configs/fragments/common/lsm.conf
index 6dc685fca7..fa29f43159 100644
--- a/tools/packaging/kernel/configs/fragments/common/lsm.conf
+++ b/tools/packaging/kernel/configs/fragments/common/lsm.conf
@@ -7,6 +7,5 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_DEVELOP=y
-CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=0
 CONFIG_SECURITY_SELINUX_SIDTAB_HASH_BITS=9
 CONFIG_SECURITY_SELINUX_SID2STR_CACHE_SIZE=256
diff --git a/tools/packaging/kernel/configs/fragments/common/netfilter.conf b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
index 02aeda788f..55b5d330d2 100644
--- a/tools/packaging/kernel/configs/fragments/common/netfilter.conf
+++ b/tools/packaging/kernel/configs/fragments/common/netfilter.conf
@@ -190,7 +190,6 @@ CONFIG_IP_NF_TARGET_MASQUERADE=y
 CONFIG_IP_NF_TARGET_NETMAP=y
 CONFIG_IP_NF_TARGET_REDIRECT=y
 CONFIG_IP_NF_MANGLE=y
-CONFIG_IP_NF_TARGET_CLUSTERIP=y
 CONFIG_IP_NF_TARGET_ECN=y
 CONFIG_IP_NF_TARGET_TTL=y
 CONFIG_IP_NF_RAW=y
diff --git a/tools/packaging/kernel/configs/fragments/common/network.conf b/tools/packaging/kernel/configs/fragments/common/network.conf
index 7bdc3de7a0..2270c9a14a 100644
--- a/tools/packaging/kernel/configs/fragments/common/network.conf
+++ b/tools/packaging/kernel/configs/fragments/common/network.conf
@@ -42,7 +42,6 @@ CONFIG_BRIDGE=y
 CONFIG_BRIDGE_IGMP_SNOOPING=y
 CONFIG_LLC=y
 CONFIG_NET_SCHED=y
-CONFIG_NET_SCH_CBQ=y
 CONFIG_NET_SCH_MULTIQ=y
 CONFIG_NET_SCH_FQ_CODEL=y
 CONFIG_NET_SCH_FQ=y
diff --git a/tools/packaging/kernel/configs/fragments/whitelist.conf b/tools/packaging/kernel/configs/fragments/whitelist.conf
index e6b2711511..39d34eedd3 100644
--- a/tools/packaging/kernel/configs/fragments/whitelist.conf
+++ b/tools/packaging/kernel/configs/fragments/whitelist.conf
@@ -2,10 +2,13 @@
 # without generating an error in fragment merging
 CONFIG_ARCH_RANDOM
 CONFIG_ARM64_CRYPTO
+CONFIG_AUTOFS4_FS
 CONFIG_GENERIC_MSI_IRQ_DOMAIN
+CONFIG_IP_NF_TARGET_CLUSTERIP
 CONFIG_PCI_MSI_IRQ_DOMAIN
 CONFIG_CLK_LGM_CGU
 CONFIG_MEMCG_SWAP
+CONFIG_NET_SCH_CBQ
 CONFIG_NF_NAT_IPV4
 CONFIG_NF_NAT_NEEDED
 CONFIG_NF_NAT_PROTO_DCCP
@@ -20,6 +23,7 @@ CONFIG_NF_LOG_COMMON
 CONFIG_MANDATORY_FILE_LOCKING
 CONFIG_ARM64_UAO
 CONFIG_VFIO_MDEV_DEVICE
+CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE
 CONFIG_SPECULATION_MITIGATIONS
 CONFIG_X86_SGX
 CONFIG_VIRTIO_IOMMU
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
new file mode 120000
index 0000000000..9dda7d6ead
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/sev.conf
@@ -0,0 +1 @@
+../sev/sev.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
new file mode 120000
index 0000000000..83464ffe3b
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/snp.conf
@@ -0,0 +1 @@
+../snp/snp.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
new file mode 120000
index 0000000000..f4f9ffeb3e
--- /dev/null
+++ b/tools/packaging/kernel/configs/fragments/x86_64/confidential/tdx.conf
@@ -0,0 +1 @@
+../tdx/tdx.conf
\ No newline at end of file
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index 52bd8e43af..9289ddcee3 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-120
+121
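Review bot: The whitelist gains CONFIG_AUTOFS4_FS, CONFIG_IP_NF_TARGET_CLUSTERIP and CONFIG_NET_SCH_CBQ in this hunk and CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE in the next, which are exactly the four options this commit removes from common/fs.conf, netfilter.conf, network.conf and lsm.conf, so unless a fragment outside this diff still sets them the new entries do nothing and nothing records why they are kept. A short comment on each entry, along the lines of `# dropped from common/*.conf for the 6.7 kernel; kept so fragments that still set it merge cleanly` (constructed wording, adjust to the real reason), would let the next reader decide when they can go. CHECKREQPROT_VALUE deserves an extra line because 0 was the hardened setting: whitelisting it means a fragment that still sets it on a kernel that no longer has the option is accepted silently, which is only harmless if such kernels behave as if it were 0, as I assume here but cannot confirm from the diff.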
diff --git a/tools/packaging/kernel/patches/6.7.x/no_patches.txt b/tools/packaging/kernel/patches/6.7.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/packaging/qemu/patches/8.1.x/no_patches.txt b/tools/packaging/qemu/patches/8.1.x/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/packaging/qemu/patches/tag_patches/tdx-qemu-upstream-2023.9.21-v8.1.0/no_patches.txt b/tools/packaging/qemu/patches/tag_patches/tdx-qemu-upstream-2023.9.21-v8.1.0/no_patches.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tools/packaging/scripts/configure-hypervisor.sh b/tools/packaging/scripts/configure-hypervisor.sh
index 8bdfc94de1..2f54921a14 100755
--- a/tools/packaging/scripts/configure-hypervisor.sh
+++ b/tools/packaging/scripts/configure-hypervisor.sh
@@ -331,22 +331,7 @@ generate_qemu_options() {
 # From Kata Containers 2.5.0-alpha2 all arches but powerpc have been
 # using the new implementation of virtiofs daemon, which is not part
 # of QEMU.
- # For the power, at least for now, keep building virtiofsd while
- # building QEMU.
- case "$arch" in
- aarch64)
- qemu_options+=(functionality:--disable-virtiofsd)
- ;;
- x86_64)
- qemu_options+=(functionality:--disable-virtiofsd)
- ;;
- ppc64le)
- qemu_options+=(functionality:--disable-virtiofsd)
- ;;
- s390x)
- qemu_options+=(functionality:--disable-virtiofsd)
- ;;
- esac
+ qemu_options+=(functionality:--disable-virtiofsd)
 
 qemu_options+=(functionality:--enable-virtfs)
 
diff --git a/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh b/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
index 1e0541c541..ecae287167 100755
--- a/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
+++ b/tools/packaging/static-build/qemu/build-static-qemu-experimental.sh
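Review bot: The comment kept above the new `qemu_options+=(functionality:--disable-virtiofsd)` still says that all arches *but* powerpc use the external virtiofs daemon, while the line now disables QEMU's in-tree virtiofsd unconditionally (the removed case already did so for ppc64le, so the removed "keep building virtiofsd for power" remark was stale as well). Either reword it so it matches the code, e.g. `# ... virtiofs daemon, which is not part of QEMU, so the in-tree virtiofsd is disabled on every architecture.`, or, if powerpc really does still need the in-tree daemon, the unconditional disable is the defect; which of the two holds is outside this diff. generate_qemu_options starts and ends outside the hunk.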
@@ -14,18 +14,12 @@ source "${script_dir}/../../scripts/lib.sh"
 qemu_repo="${qemu_repo:-}"
 qemu_version="${qemu_version:-}"
-qemu_suffix="${qemu_suffix:-experimental}"
-qemu_tarball_name="${qemu_tarball_name:-kata-static-qemu-experimental.tar.gz}"
+qemu_suffix="${qemu_suffix:-}"
+qemu_tarball_name="${qemu_tarball_name:-}"
 
-if [ -z "$qemu_repo" ]; then
- info "Get qemu information from runtime versions.yaml"
- qemu_url=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.url")
- [ -n "$qemu_url" ] || die "failed to get qemu url"
- qemu_repo="${qemu_url}.git"
-fi
 [ -n "$qemu_repo" ] || die "failed to get qemu repo"
-
-[ -n "$qemu_version" ] || qemu_version=$(get_from_kata_deps "assets.hypervisor.qemu-experimental.version")
 [ -n "$qemu_version" ] || die "failed to get qemu version"
+[ -n "$qemu_suffix" ] || die "failed to get qemu suffix"
+[ -n "$qemu_tarball_name" ] || die "failed to get qemu tarball name"
 
 "${script_dir}/build-base-qemu.sh" "${qemu_repo}" "${qemu_version}" "${qemu_suffix}" "${qemu_tarball_name}"
diff --git a/versions.yaml b/versions.yaml
index d6280c636c..564e42de03 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -99,11 +99,6 @@ assets:
 https://github.com/qemu/qemu/tags
 .*/v?(\d\S+)\.tar\.gz
 
- qemu-experimental:
- description: "QEMU with virtiofs support"
- url: "https://github.com/qemu/qemu"
- version: "7a800cf9496fddddf71b21a00991e0ec757a170a"
-
 qemu-tdx-experimental:
 # yamllint disable-line rule:line-length
 description: "QEMU with TDX support - based on https://github.com/intel/tdx-tools/releases/tag/2023ww15"
@@ -175,6 +170,10 @@ assets:
 description: "Linux kernel optimised for virtual machines"
 url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
 version: "v6.1.62"
+ confidential:
+ description: "Linux kernel with x86_64 TEEs (SEV, SNP, and TDX) support"
+ url: "https://cdn.kernel.org/pub/linux/kernel/v6.x/"
+ version: "v6.7"
 sev:
 description: "Linux kernel that supports SEV and SNP"
 url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/"
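Review bot: After this hunk every input of build-static-qemu-experimental.sh comes from the environment, so the message in `[ -n "$qemu_suffix" ] || die "failed to get qemu suffix"` and its three siblings is misleading: nothing is looked up any more, and a user who hits it is not told what to set. `[ -n "$qemu_suffix" ] || die "qemu_suffix must be set"`, with the same form for qemu_repo, qemu_version and qemu_tarball_name, says what to fix. Since the `get_from_kata_deps` fallbacks and the experimental defaults are gone, any caller outside this diff that relied on them now dies at these checks, so a header comment listing the four required variables would be worth adding; the file name still says "experimental" although nothing experimental-specific remains in it.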
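Review bot: The new `confidential` kernel entry records only a download URL and `version: "v6.7"`, and the tarball is presumably fetched by get_tee_kernel in build-kernel.sh, whose `curl --fail -L` download earlier in this diff performs no checksum or signature check, so the integrity of the kernel that will run inside SEV, SNP and TDX guests rests on the transport alone. The existing kernel entries carry no integrity metadata either, so this is inherited rather than introduced here, but for the TEE guest kernel it is worth at least a comment on the entry or a tracked follow-up to verify the tarball against the sha256sums.asc kernel.org publishes next to it. The description says x86_64 only, which matches the Makefile adding kernel-confidential-tarball under `ifeq ($(ARCH), x86_64)`; stating that restriction in the comment keeps the two in sync if either changes.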