The pcscd service now includes the --disable-polkit option, enabling users to disable the PolicyKit authorization framework. With this enhancement you can accessing PKCS #11 devices in limited environments, such as the initial RAM disk, and you can automate the unlocking of LUKS-encrypted volumes at boot time using a PKCS #11 device.

The pkcs11-tool -L and pkcs11-tool -O commands now include the uri: field in their output, providing URI information that can be used when configuring the pkcs11 Clevis pin for automated unlocking of LUKS-encrypted drives with PKCS #11 devices.

The crypto-policies now uses the openssl -CBC CipherString directive, disabling CBC cipher suites in OpenSSL if none are enabled in crypto-policies.

The nettle library package has been updated to version 3.10.1.

This update includes several key enhancements and changes:

• Performance improvements for certain cryptographic operations.
• The addition of DRBG-CTR-AES256, a new deterministic random-bit generator.
• The introduction of RSA-OAEP, an RSA encryption/decryption method that uses a new OAEP padding scheme.
• The inclusion of SHAKE-128, an arbitrary-length hash function from the SHA-3 family.
• A streaming API for SHAKE-128 and SHAKE-256.
• The removal of the MD5 assembly, which might result in a slight performance impact.

For more information, see the upstream information on https://git.lysator.liu.se/nettle/nettle/-/blob/master/NEWS?ref_type=heads.

The rsyslog packages have been updated to version 8.2412.0.

This update provides various fixes and enhancements, such as the ability to bind a ruleset to the imjournal module, which reduces the load on the main message queue and minimizes resource usage.

OpenSCAP has been updated to version 1.3.11.

This updates includes a new script, oscap-im, used in Containerfiles to build hardened bootable container images to run as Image Mode OS.

The update includes several maintenance and bug fixes, including:

• Fixing Python 3.13 compatibility
• Fixing RPM database path in RPM probes
• Ensuring xlink namespace exists, enabling OpenSCAP scans with DISA content using tailoring files
• Stopping the printing of useless component reference information in "oscap info"

For more information, see the upstream release notes on https://github.com/OpenSCAP/openscap/releases/tag/1.3.11.

The clevis packages have been updated to version 21.

This update adds support for PKCS #11 devices and providing various enhancements and bug fixes, including the clevis-pin-pkcs11 subpackage for unlocking LUKS-encrypted volumes using PKCS #11 devices, two checks to the clevis-udisks2 subpackage, and a fix that prevents the "Address in use" errors.

The new keylime-policy tool integrates all management tasks of Keylime runtime policies and measured boot policies, improving the performance of generating policies.

SELinux now assigns the hfi1_device_t type to the /dev/hfi1_0 device, enabling proper access control.

The SELinux policy has been strengthened with the addition of new rules that restrict the following systemd services:

• iio-sensor-proxy
• power-profiles-daemon
• switcheroo-control
• samba-bgqd

These services now operate under a confined SELinux context, rather than being labeled as unconfined_service_t, which was non-compliant with the CIS Server Level 2 benchmark rule "Ensure No Daemons are Unconfined by SELinux." By running in SELinux enforcing mode, these services contribute to a more secure and compliant system.

The SCAP Security Guide has been updated to version 0.1.76.

Keylime components have enhanced their revocation notification webhooks to use a more secure configuration for HTTPS connections. Before, the revocation notifier used only the system-installed CA certificates. Now, you can configure the CA certificate used for HTTPS connections by adding it to the trusted_server_ca configuration option or to the system trust store.

The ignoreduplicates option is now available in the logrotate package. This option ignores any duplicate file paths in the logrotate configuration and is disabled by default.