Security

The following features, enhancements, and changes related to security are introduced in this Oracle Linux 9 release.

NSS Updated to 3.112

With Oracle Linux 9.7, the NSS cryptographic toolkit packages are updated to upstream version 3.112 with many improvements and fixes.

See https://firefox-source-docs.mozilla.org/security/nss/releases/index.html for more information.

Notably:

  • This update adds support for the Module-Lattice-Based Digital Signature Algorithm (ML-DSA), a post-quantum cryptography (PQC) standard.
  • You can take advantage of hybrid SSL support with the MLKEM1024 key encapsulation mechanism.

crypto-policies Include Post-Quantum Cryptography

Oracle Linux 9.7 introduces a PQ subpolicy in crypto-policies that enables post-quantum cryptography. Notable changes include:

  • DEFAULT, FUTURE, and FIPS policies now prioritize hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and pure Module-Lattice-Based Digital Signature Standard (ML-DSA) post-quantum cryptographic algorithms for maximum security.
  • ML-DSA-44, ML-DSA-65, and ML-DSA-87 PQC algorithms are enabled for NSS TLS connections in all cryptographic policies with the PQ subpolicy.
  • The PQ subpolicy also enables the mlkem768x25519, secp256r1mlkem768, and secp384r1mlkem1024 hybrid ML-KEM groups for NSS TLS negotiations.
  • PQC algorithms are enabled for the Sequoia PGP tool in all policies with the PQ subpolicy.
  • New OpenSSL group selection syntax prioritizes post-quantum groups if you enable the PQ subpolicy.

You can apply the PQ subpolicy, for example, by running update-crypto-policies --set DEFAULT:PQ.

You can apply the FIPS PQ subpolicy if the system is in FIPS mode, by running update-crypto-policies --set FIPS:PQ.
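An added example (not from the Oracle release notes) that picks the right subpolicy string for the host, applies it, and then checks that the generated OpenSSL back-end file now lists an ML-KEM group. The back-end path /etc/crypto-policies/back-ends/opensslcnf.config, the "Groups = ..." line in it, and the "is enabled" wording from fips-mode-setup --check are assumptions about the system.

```shell
#!/bin/sh
# Apply the PQ subpolicy and confirm hybrid ML-KEM groups reached OpenSSL.
# Assumed path of the crypto-policies OpenSSL back-end file.
OPENSSL_BACKEND=${OPENSSL_BACKEND:-/etc/crypto-policies/back-ends/opensslcnf.config}

# choose_policy BASE FIPS_FLAG: print the policy string to apply.
# A host in FIPS mode must stay on the FIPS policy, so it gets FIPS:PQ;
# any other host gets BASE:PQ (for example DEFAULT:PQ or FUTURE:PQ).
choose_policy() {
    base=$1; fips=$2
    if [ "$fips" -eq 1 ]; then
        echo "FIPS:PQ"
    else
        echo "${base}:PQ"
    fi
}

# pq_groups_enabled FILE: succeed when the "Groups = ..." line in FILE
# names at least one ML-KEM group (hybrid such as X25519MLKEM768 or pure).
pq_groups_enabled() {
    grep -iE '^[[:space:]]*Groups[[:space:]]*=' "$1" | grep -qi 'MLKEM'
}

# apply_pq_subpolicy [BASE]: detect FIPS mode, set the policy, verify.
apply_pq_subpolicy() {
    if fips-mode-setup --check 2>/dev/null | grep -q 'is enabled'; then
        fips=1
    else
        fips=0
    fi
    policy=$(choose_policy "${1:-DEFAULT}" "$fips")
    sudo update-crypto-policies --set "$policy" || return 1
    update-crypto-policies --show
    if pq_groups_enabled "$OPENSSL_BACKEND"; then
        echo "ML-KEM groups present in $OPENSSL_BACKEND"
    else
        echo "WARNING: no ML-KEM group found in $OPENSSL_BACKEND" >&2
        return 1
    fi
}
```

Run apply_pq_subpolicy (or apply_pq_subpolicy FUTURE) on the target host; a reboot or service restart is still needed for already-running daemons to pick up the new policy.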

OpenSSL Updated to 3.5

With Oracle Linux 9.7, OpenSSL is updated to version 3.5. You can now improve security for TLS connections and cryptographic operations in Oracle Linux environments, preparing systems for a quantum-safe future.

The following notable changes are available in this update:

  • Includes ML-KEM, ML-DSA, SLH-DSA post-quantum algorithms.
  • Hybrid ML-KEM algorithms are added to the default TLS group list.
  • QUIC transport protocol is available.
  • SHAKE-128 and SHAKE-256 implementations no longer have a default digest length.
  • Clients can send multiple key shares in TLS 1.3 connections.

OpenSSL SSLKEYLOGFILE Environment Variable For Debugging

With Oracle Linux 9.7, use the SSLKEYLOGFILE environment variable to instruct OpenSSL to log TLS connection secrets to a file.

Caution:

Only enable this feature in test or debug environments. Logging key material can introduce security risks.
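An added example (not from the release notes) of the check a defender would run after a debugging session: it reads the environment of every running process and reports any that still carry SSLKEYLOGFILE, since such a process keeps writing TLS secrets to disk. Reading another user's /proc/PID/environ requires root; the environ content used in the test is constructed.

```shell
#!/bin/sh
# Report processes whose environment sets SSLKEYLOGFILE.

# environ_has_keylog FILE: FILE holds a NUL-separated environment block as
# found in /proc/PID/environ. Succeeds and prints the log path when
# SSLKEYLOGFILE is set; fails silently when it is absent.
environ_has_keylog() {
    tr '\0' '\n' < "$1" | sed -n 's/^SSLKEYLOGFILE=//p' | grep ''
}

# scan_processes: walk /proc and print one line per affected process.
# Returns 0 when nothing was found (clean host), 1 otherwise, so it can
# be used as a check in a hardening or monitoring script.
scan_processes() {
    found=0
    for e in /proc/[0-9]*/environ; do
        pid=${e#/proc/}; pid=${pid%/environ}
        path=$(environ_has_keylog "$e" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf 'PID %s (%s) logs TLS secrets to %s\n' "$pid" "$comm" "$path"
        found=1
    done
    return $found
}
```

Run scan_processes as root; a non-zero exit means a process on the host is still logging TLS session keys and should be restarted with the variable unset.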

Hybrid ML-KEM Cryptography Works in FIPS Mode

Oracle Linux 9.7 adds FIPS mode support for hybrid Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM), so OpenSSL uses both classical and post-quantum algorithms for key exchanges.

crypto-policies Support Ed25519 in NSS

crypto-policies in Oracle Linux 9.7 now enable Ed25519 in DEFAULT, LEGACY, and FUTURE policies for NSS, so you can use this efficient elliptic curve algorithm.

rpm-sequoia Package for Quantum-Resistant RPM Signatures

With Oracle Linux 9.7, you can use the rpm-sequoia package to verify RPM packages with post-quantum cryptographic algorithms such as ML-DSA for enhanced security.

RPM signatures with PQ certificates can be verified using the extra pqrpm package. You can use the DNF multisig plugin once you have run the pqrpm rpmkeys setup utility. Only RPMs signed with both a regular signature and the additional PQ signature pass validation.

SCAP Security Guide Updated to 0.1.78

Oracle Linux 9.7 updates the SCAP Security Guide to version 0.1.78 and delivers updated profiles for PCI-DSS, HIPAA, and other standards.

Notable updates include:

  • DISA STIG updated to V2R5 for Oracle Linux 8, and DISA STIG updated to V1R2 for Oracle Linux 9.
  • The auditd_freq rule correctly honors the XCCDF variable.
  • Added support for systemd drop-in files for coredump rules.
  • Updated a regular expression to match .so files in rules relating to library dirs.
  • Updated accounts_passwords_pam_faillock related rules to support only newer Oracle Linux versions.
  • Improved detection of the retry option in password complexity.

SELinux Assigns diagnostic_device_t type to /dev/diag

Oracle Linux 9.7 now includes the diagnostic_device_t type for /dev/diag in the SELinux policy. This type lets you control access to the device for diagnostics.

This change increases security by restricting /dev/diag to appropriate SELinux contexts in Oracle Linux systems.

SELinux Policy Adds Rules for qgs Daemon

Oracle Linux 9.7 introduces a new qgs_t type and access rules for the qgs daemon in the SELinux policy, which lets the daemon operate securely in TDX confidential VM environments.

With these rules, SELinux can control access for qgs in Oracle Linux, strengthening security for confidential computing deployments.

Three Services Removed from SELinux Permissive Mode

In Oracle Linux 9.7, the SELinux domains for powerprofiles_t, samba_bgqd_t, and switcheroo_control_t now run in enforcing mode and no longer operate in permissive mode.

This update provides full SELinux enforcement for these services, which previously ran in permissive mode as a temporary measure.

tuned-ppd Confined in SELinux Policy

The tuned-ppd SELinux policy is updated to confine the tuned-ppd service. The service previously ran with the unconfined_service_t SELinux label. With this update, the service is no longer unconfined and runs successfully in SELinux enforcing mode.

fips-provider-next Package Added

The fips-provider-next package is offered as a technology preview of the next version of the FIPS provider. This package might be submitted to the National Institute of Standards and Technology (NIST) for future validation. The openssl-fips-provider remains the validated FIPS provider.

To switch to the fips-provider-next, run the following command:

sudo dnf swap openssl-fips-provider fips-provider-next --allowerasing --disablerepo=ol9_baseos_latest

Keylime Updated to Version 7.12.1

Oracle Linux 9.7 updates Keylime to version 7.12.1.

See https://github.com/keylime/keylime/releases/tag/v7.12.1 for more information.

openCryptoki Updated to Version 3.25.0

Version 3.25.0 of the openCryptoki packages is now available.

See https://github.com/opencryptoki/opencryptoki/releases/tag/v3.25.0 for more information.