diff --git a/.github/actions/setup-opentitan/action.yml b/.github/actions/setup-opentitan/action.yml
deleted file mode 100644
index e0bef99ab..000000000
--- a/.github/actions/setup-opentitan/action.yml
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright (c) The mldsa-native project authors
-# Copyright (c) The mlkem-native project authors
-# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
-
-name: Setup OpenTitan
-description: Setup OpenTitan for build testing
-
-inputs:
- expo-repository:
- description: 'Expo repository to clone'
- required: false
- default: 'https://github.com/zerorisc/expo'
- expo-commit:
- description: 'Expo commit to checkout'
- required: false
- default: 'master'
-
-runs:
- using: composite
- steps:
- - name: Fetch expo repository
- shell: bash
- run: |
- # Ensure HOME is set for self-hosted runners
- echo "HOME=${HOME:-/home/runner}" >> $GITHUB_ENV
-
- git clone ${{ inputs.expo-repository }}
- cd expo
- git checkout ${{ inputs.expo-commit }}
-
- # Remember expo directory
- echo EXPO_DIR="$GITHUB_WORKSPACE/expo" >> $GITHUB_ENV
-
- - name: Install OpenTitan dependencies
- shell: bash
- run: |
- sudo apt update
- cd expo
- sed -e '/^#/d' -e '/libncursesw5/d' ./apt-requirements.txt | xargs sudo apt install -y
- # Install runtime dependencies needed by tools
- sudo apt install -y gcc g++ libtinfo5 srecord pkg-config libudev-dev libssl-dev \
- libftdi1-dev libelf-dev zlib1g-dev
- pip3 install --user -r python-requirements.txt --require-hashes
-
- - name: Cache Verilator
- id: cache-verilator
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
- with:
- path: /tools/verilator/4.210
- key: verilator-4.210-ubuntu22-${{ runner.os }}
-
- - name: Install Verilator
- if: steps.cache-verilator.outputs.cache-hit != 'true'
- shell: bash
- run: |
- # Install build-time dependencies for Verilator
- sudo apt install -y make autoconf bison flex libfl-dev gcc-11 g++-11
-
- # Build and install Verilator
- export VERILATOR_VERSION=4.210
- git clone https://github.com/verilator/verilator.git
- cd verilator
- git checkout v$VERILATOR_VERSION
- autoconf
- CC=gcc-11 CXX=g++-11 ./configure --prefix=/tools/verilator/$VERILATOR_VERSION
- CC=gcc-11 CXX=g++-11 make -j$(nproc)
- sudo CC=gcc-11 CXX=g++-11 make install
-
- - name: Add Verilator to PATH
- shell: bash
- run: |
- echo "/tools/verilator/4.210/bin" >> $GITHUB_PATH
-
- - name: Set Bazel cache directory and mirror
- shell: bash
- run: |
- echo "BAZEL_CACHE_DIR=/home/runner/bazel_cache" >> $GITHUB_ENV
- # Use GitHub mirror for Bazel binaries to avoid certificate issues with releases.bazel.build
- echo "BAZELISK_BASE_URL=https://github.com/bazelbuild/bazel/releases/download" >> $GITHUB_ENV
diff --git a/.github/actions/setup-pavona/action.yml b/.github/actions/setup-pavona/action.yml
new file mode 100644
index 000000000..8c85a887e
--- /dev/null
+++ b/.github/actions/setup-pavona/action.yml
@@ -0,0 +1,46 @@
+# Copyright (c) The mldsa-native project authors
+# Copyright (c) The mlkem-native project authors
+# SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT
+
+name: Setup Pavona
+description: Setup Pavona for build testing
+
+inputs:
+ pavona-repository:
+ description: 'Pavona repository to clone'
+ required: false
+ default: 'https://github.com/pavona/pavona'
+ pavona-commit:
+ description: 'Pavona commit to checkout'
+ required: false
+ default: 'main'
+
+runs:
+ using: composite
+ steps:
+ - name: Fetch pavona repository
+ shell: bash
+ run: |
+ # Ensure HOME is set for self-hosted runners
+ echo "HOME=${HOME:-/home/runner}" >> $GITHUB_ENV
+
+ git clone ${{ inputs.pavona-repository }}
+ cd pavona
+ git checkout ${{ inputs.pavona-commit }}
+
+ # Remember pavona directory
+ echo PAVONA_DIR="$GITHUB_WORKSPACE/pavona" >> $GITHUB_ENV
+
+ - name: Install Pavona dependencies
+ shell: bash
+ run: |
+ sudo apt update
+ cd pavona
+ sed '/^#/d' apt-requirements.txt | xargs sudo apt install -y
+
+ - name: Set Bazel cache directory and mirror
+ shell: bash
+ run: |
+ echo "BAZEL_CACHE_DIR=/home/runner/bazel_cache" >> $GITHUB_ENV
+ # Use GitHub mirror for Bazel binaries to avoid certificate issues with releases.bazel.build
+ echo "BAZELISK_BASE_URL=https://github.com/bazelbuild/bazel/releases/download" >> $GITHUB_ENV
diff --git a/.github/workflows/all.yml b/.github/workflows/all.yml
index 853736399..b9c4fe058 100644
--- a/.github/workflows/all.yml
+++ b/.github/workflows/all.yml
@@ -93,13 +93,13 @@ jobs:
 needs: [ base ]
 uses: ./.github/workflows/baremetal.yml
 secrets: inherit
- opentitan_integration:
- name: OpenTitan
+ pavona_integration:
+ name: Pavona
 permissions:
 contents: 'read'
 id-token: 'write'
 needs: [ base ]
- uses: ./.github/workflows/integration-opentitan.yml
+ uses: ./.github/workflows/integration-pavona.yml
 secrets: inherit
 isabelle:
 name: Isabelle
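Review bot: The `Fetch pavona repository` step in the new setup-pavona/action.yml expands `${{ inputs.pavona-repository }}` and `${{ inputs.pavona-commit }}` straight into the bash script text, so whatever a caller passes is parsed as shell instead of being treated as data. Passing both through `env:` and quoting the variables keeps them as plain arguments to git. Naming the clone directory explicitly also stops `cd pavona` from depending on the repository's basename. The appends to `$GITHUB_ENV` in the same step are unquoted and would be safer as `>> "$GITHUB_ENV"`.

```yaml
    - name: Fetch pavona repository
      shell: bash
      env:
        PAVONA_REPOSITORY: ${{ inputs.pavona-repository }}
        PAVONA_COMMIT: ${{ inputs.pavona-commit }}
      run: |
        # … unchanged: HOME export …
        git clone -- "$PAVONA_REPOSITORY" pavona
        cd pavona
        git checkout "$PAVONA_COMMIT"
        # … unchanged: PAVONA_DIR export …
```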
diff --git a/.github/workflows/integration-opentitan.yml b/.github/workflows/integration-pavona.yml similarity index 71% rename from .github/workflows/integration-opentitan.yml rename to .github/workflows/integration-pavona.yml index e9d4eaf22..5c6537494 100644 --- a/.github/workflows/integration-opentitan.yml +++ b/.github/workflows/integration-pavona.yml @@ -2,7 +2,7 @@ # Copyright (c) The mlkem-native project authors # SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT -name: OpenTitan +name: Pavona permissions: contents: read on: @@ -12,7 +12,7 @@ on: env: AWS_ROLE: arn:aws:iam::904233116199:role/mldsa-native-ci AWS_REGION: us-east-1 - AMI_UBUNTU_22_04_X86_64: ami-0bbdd8c17ed981ef9 + AMI_UBUNTU_X86_64: ami-05cf1e9f73fbad2e2 # Ubuntu 24.04 LTS (2026-04-24) jobs: start-ec2-runner: 
@@ -43,29 +43,29 @@ jobs: ec2-instance-type: c7i.2xlarge ec2-volume-size: 32 availability-zones-config: >- - [{"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-094d73eb42eb6bf5b","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-04a982f6584de8063","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-077637f396b264f82","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-00e89932da1332c35","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-0262f9d5f938f38bc","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-06e0645f1b6520c42","securityGroupId":"sg-0282706dbc92a1579"}, - {"imageId":"${{ env.AMI_UBUNTU_22_04_X86_64 }}","subnetId":"subnet-0c726ece1c22f45d9","securityGroupId":"sg-0282706dbc92a1579"}] + [{"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-094d73eb42eb6bf5b","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-04a982f6584de8063","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-077637f396b264f82","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-00e89932da1332c35","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-0262f9d5f938f38bc","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-06e0645f1b6520c42","securityGroupId":"sg-0282706dbc92a1579"}, + {"imageId":"${{ env.AMI_UBUNTU_X86_64 }}","subnetId":"subnet-0c726ece1c22f45d9","securityGroupId":"sg-0282706dbc92a1579"}] - opentitan_build: - name: OpenTitan ML-DSA Build Test + pavona_build: + name: Pavona ML-DSA Build 
Test needs: start-ec2-runner if: ${{ github.repository_owner == 'pq-code-package' && !github.event.pull_request.head.repo.fork }} runs-on: ${{ needs.start-ec2-runner.outputs.label }} steps: - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ./.github/actions/setup-opentitan + - uses: ./.github/actions/setup-pavona with: - expo-repository: https://github.com/zerorisc/expo - expo-commit: 53619a73e64cb96ee6e61a4b4b992f7250ab7477 # master (2026-04-21) + pavona-repository: https://github.com/pavona/pavona + pavona-commit: release/2026.05.p0 - name: Patch mldsa-native dependency run: | - cd "$EXPO_DIR" + cd "$PAVONA_DIR" # Calculate sha256 of mldsa-native at the new commit SHA256=$(curl -sL "https://github.com/$GITHUB_REPOSITORY/archive/$GITHUB_SHA.tar.gz" | sha256sum | cut -d' ' -f1) @@ -83,8 +83,8 @@ jobs: - name: Apply integration patches run: | - cd "$EXPO_DIR" - for patch in "$GITHUB_WORKSPACE"/integration/opentitan/*.patch; do + cd "$PAVONA_DIR" + for patch in "$GITHUB_WORKSPACE"/integration/pavona/*.patch; do if [ -f "$patch" ]; then echo "Applying $patch" git apply "$patch" @@ -93,7 +93,7 @@ jobs: - name: Build mldsa functest run: | - cd "$EXPO_DIR" + cd "$PAVONA_DIR" # Build only -- ML-DSA simulation is too slow for CI ./bazelisk.sh build \ --disk_cache="$BAZEL_CACHE_DIR" \ @@ -107,7 +107,7 @@ jobs: id-token: 'write' needs: - start-ec2-runner - - opentitan_build # required to wait when the main job is done + - pavona_build # required to wait when the main job is done runs-on: ubuntu-latest if: ${{ always() && needs.start-ec2-runner.result != 'skipped' }} # required to stop the runner even if errors occur steps: diff --git a/README.md b/README.md index 56a16630d..006b186b0 100644 --- a/README.md +++ b/README.md 
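Review bot: `pavona-commit: release/2026.05.p0` in the `pavona_build` job replaces a full commit SHA with a ref name, so the workflow file no longer fixes which code the job clones. The setup-pavona action feeds that checkout's `apt-requirements.txt` to `sudo apt install`, and later steps run its `./bazelisk.sh` on the EC2 runner. If the ref is a branch or a movable tag, an upstream change alters what executes here without any change in this repository. Pinning as the previous line did keeps the run reproducible and reviewable: `pavona-commit: <full-commit-sha> # release/2026.05.p0`, where the SHA is a placeholder to be taken from the upstream release.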
@@ -52,7 +52,7 @@ make test mldsa-native is used in - AWS' Cryptography library [AWS-LC](https://github.com/aws/aws-lc/) - [libOQS](https://github.com/open-quantum-safe/liboqs/) of the Open Quantum Safe project - - The [zeroRISC's fork of OpenTitan](https://github.com/zerorisc/expo) - an open source silicon Root of Trust (RoT) + - [Pavona](https://github.com/pavona/pavona) - an open source silicon Root of Trust (RoT) - [CHERIoT-PQC](https://github.com/CHERIoT-Platform/cheriot-pqc) — post-quantum cryptography support for the CHERIoT platform ## Formal Verification diff --git a/integration/opentitan/add_polyvec_lazy.patch b/integration/pavona/add_polyvec_lazy.patch similarity index 100% rename from integration/opentitan/add_polyvec_lazy.patch rename to integration/pavona/add_polyvec_lazy.patch diff --git a/integration/opentitan/reduce_alloc.patch b/integration/pavona/reduce_alloc.patch similarity index 100% rename from integration/opentitan/reduce_alloc.patch rename to integration/pavona/reduce_alloc.patch