diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index 46b8ef263..cebfa5d12 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -114,8 +114,14 @@ static bool __has_memfd_support() {
// Check if kernel support exists, otherwise fall back to ashmem.
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
+ //
+ // MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device,
+ // which did not have executable permissions. This also seals the executable
+ // permissions of the buffer (i.e. they cannot be changed by fchmod()).
+ //
+ // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
android::base::unique_fd fd(
- syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING));
+ syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL));
if (fd == -1) {
ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
return false;
@@ -289,7 +295,13 @@ int ashmem_valid(int fd)
static int memfd_create_region(const char* name, size_t size) {
// This code needs to build on old API levels, so we can't use the libc
// wrapper.
- android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING));
+ //
+ // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did
+ // not have executable permissions. This also seals the executable
+ // permissions of the buffer (i.e. they cannot be changed by fchmod()).
+ //
+ // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
+ android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL));
if (fd == -1) {
ALOGE("memfd_create(%s, %zd) failed: %s\n", name, size, strerror(errno));
diff --git a/rootdir/init.rc b/rootdir/init.rc
index e487797aa..ae6a6588b 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
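Review bot: The probe in __has_memfd_support now fails with EINVAL on any kernel whose memfd_create does not recognise MFD_NOEXEC_SEAL, and the ALOGE on the following context line then reports "no memfd support" even on kernels where memfd itself works; that downgrade to ashmem may be intended, but neither the new comment nor the log says so. Suggest appending to the added comment `// Kernels that reject MFD_NOEXEC_SEAL (EINVAL) are deliberately treated as having no memfd support and fall back to ashmem.` and making the message specific, e.g. `ALOGE("memfd_create(MFD_CLOEXEC | MFD_NOEXEC_SEAL) failed: %s, falling back to ashmem.\n", strerror(errno));`. The same consideration applies to memfd_create_region in the second hunk of this file, which uses the identical flags. If the uapi headers this file is built against can predate the flag, the raw-syscall path would also need a guarded fallback definition of MFD_NOEXEC_SEAL — I cannot verify that from the hunk. __has_memfd_support starts before this hunk and continues past it.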
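Review bot: The flag set `MFD_CLOEXEC | MFD_NOEXEC_SEAL` and its six-line justification are now duplicated between memfd_create_region and the probe in __has_memfd_support, and the probe is only meaningful while both sites use exactly the same flags. A single file-scope constant, e.g. `static constexpr unsigned int kMemfdCreateFlags = MFD_CLOEXEC | MFD_NOEXEC_SEAL;`, carrying the explanation once and used by both syscall() calls would keep them from drifting apart. The first sentence of the added comment here also lacks a verb; `// MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device, which did` would match the wording in the first hunk. memfd_create_region continues past the end of this hunk.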
@@ -1004,6 +1004,11 @@ on post-fs-data
exec_start system_aconfigd_mainline_init
start system_aconfigd_socket_service
+ # start mainline aconfigd init, after transition, the above system_aconfigd_mainline_init
+ # will be deprecated
+ exec_start mainline_aconfigd_init
+ start mainline_aconfigd_socket_service
+
# Create directories for boot animation.
mkdir /data/misc/bootanim 0755 system system
diff --git a/trusty/trusty-storage-cf.mk b/trusty/trusty-storage-cf.mk
index 3b46445da..acefd3e99 100644
--- a/trusty/trusty-storage-cf.mk
+++ b/trusty/trusty-storage-cf.mk
@@ -22,4 +22,5 @@ PRODUCT_PACKAGES += \
storageproxyd.system \
rpmb_dev.system \
+ rpmb_dev.test.system \
diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp
index ef23cc50f..2f362e8b7 100644
--- a/trusty/utils/rpmb_dev/Android.bp
+++ b/trusty/utils/rpmb_dev/Android.bp
@@ -58,3 +58,12 @@ cc_binary {
"rpmb_dev.wv.system.rc",
],
}
+
+cc_binary {
+ name: "rpmb_dev.test.system",
+ defaults: ["rpmb_dev.cc_defaults"],
+ system_ext_specific: true,
+ init_rc: [
+ "rpmb_dev.test.system.rc",
+ ],
+}
diff --git a/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc
new file mode 100644
index 000000000..2127798e1
--- /dev/null
+++ b/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc
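Review bot: The added comment in the init.rc hunk does not say what "after transition" refers to or what condition allows system_aconfigd_mainline_init to be dropped, and its grammar makes it read as one run-on clause. Suggest `# Start the mainline aconfigd init and socket service. Once the transition to mainline aconfigd is complete, system_aconfigd_mainline_init and system_aconfigd_socket_service above will be removed.` Both exec_start lines block init in post-fs-data until their one-shot exits, so running the legacy and mainline init back-to-back presumably adds their combined runtime to boot; worth a sentence in the comment if that is accepted for the transition period. The service definitions for mainline_aconfigd_init and mainline_aconfigd_socket_service are not in this diff, so I cannot confirm they exist on the new side.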
@@ -0,0 +1,56 @@
+service trusty_test_vm /apex/com.android.virt/bin/vm run \
+ /data/local/tmp/TrustyTestVM_UnitTests/trusty-test_vm-config.json
+ disabled
+ user system
+ group system
+
+service storageproxyd_test_system /system_ext/bin/storageproxyd.system \
+ -d VSOCK:${trusty.test_vm.vm_cid}:1 \
+ -r /dev/socket/rpmb_mock_test_system \
+ -p /data/secure_storage_test_system \
+ -t sock
+ disabled
+ class hal
+ user system
+ group system
+
+service rpmb_mock_init_test_system /system_ext/bin/rpmb_dev.test.system \
+ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA --init --size 2048
+ disabled
+ user system
+ group system
+ oneshot
+
+service rpmb_mock_test_system /system_ext/bin/rpmb_dev.test.system \
+ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA \
+ --sock rpmb_mock_test_system
+ disabled
+ user system
+ group system
+ socket rpmb_mock_test_system stream 660 system system
+
+# RPMB Mock
+on post-fs-data
+ # Create a persistent location for the RPMB data
+ # (work around lack of RPMb block device on CF).
+ # file contexts secure_storage_rpmb_system_file
+ # (only used on Cuttlefish as this is non secure)
+ mkdir /metadata/secure_storage_rpmb_test_system 0770 system system
+ mkdir /mnt/secure_storage_rpmb_test_system 0770 system system
+ symlink /metadata/secure_storage_rpmb_test_system \
+ /mnt/secure_storage_rpmb_test_system/persist
+ # Create a system persist directory in /metadata
+ # (work around lack of dedicated system persist partition).
+ # file contexts secure_storage_persist_system_file
+ mkdir /metadata/secure_storage_persist_test_system 0770 system system
+ mkdir /mnt/secure_storage_persist_test_system 0770 system system
+ symlink /metadata/secure_storage_persist_test_system \
+ /mnt/secure_storage_persist_test_system/persist
+ # file contexts secure_storage_system_file
+ mkdir /data/secure_storage_test_system 0770 root system
+ symlink /mnt/secure_storage_persist_test_system/persist \
+ /data/secure_storage_test_system/persist
+ chown root system /data/secure_storage_test_system/persist
+ # setprop storageproxyd_test_system.trusty_ipc_dev VSOCK:${trusty.test_vm.vm_cid}:1
+ exec_start rpmb_mock_init_test_system
+ start rpmb_mock_test_system
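Review bot: The `on post-fs-data` block at the end of this new file runs unconditionally on every image that installs rpmb_dev.test.system (trusty-storage-cf.mk adds it to PRODUCT_PACKAGES in this same commit), so the mock RPMB daemon is created and started at every boot, yet nothing in the file marks these services as test-only; a header comment such as `# Test-only mock RPMB device and Trusty test VM services for Cuttlefish. Not for production images; RPMB_DATA here is not secure.` would make the intent explicit, or the block could be gated on a property trigger. The comments `# file contexts secure_storage_rpmb_system_file`, `secure_storage_persist_system_file` and `secure_storage_system_file` name the labels of the existing non-test paths, and if file_contexts was not extended to the new `*_test_system` paths these mkdirs will not receive those labels — the sepolicy side is not in this diff, so I cannot verify it. The commented-out `# setprop storageproxyd_test_system.trusty_ipc_dev VSOCK:${trusty.test_vm.vm_cid}:1` is dead text; either remove it or replace it with a comment stating which component sets `trusty.test_vm.vm_cid`, since the `-d VSOCK:${trusty.test_vm.vm_cid}:1` argument of storageproxyd_test_system is expanded when that service starts and is malformed if the property is still unset. The trusty_test_vm service reads its VM config from /data/local/tmp, a shell-writable location, which is acceptable for a disabled test-only service but belongs in the same header comment.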