Remote attestation via TNC supports the SHA-256 based TPM 2.0 BIOS/EFI measurements introduced with the Linux 5.4 kernel. This includes support for the BIOS/EFI event log and variable sized PCR banks.
The tpm plugin supports SHA-3 and CMAC with TPM 2.0.
Nonces in OCSP responses are no longer enforced (the enforcement had been added with 5.8.2); a nonce is now only validated if the response actually contains one (#3557).
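The nonce policy from the item above, as an added example that is not strongSwan's own code: the old strict rule beside the current one, which validates a nonce only when the response carries one and otherwise falls back to the response's validity window as the replay bound. The `OcspResponseView` type, the `max_age` default and the caller having already verified the responder signature are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hmac
import os


@dataclass
class OcspResponseView:
    """Hypothetical, already-parsed view of a signed OCSP response:
    the id-pkix-ocsp-nonce extension value (None if absent) and the
    thisUpdate / nextUpdate times of the SingleResponse."""
    nonce: Optional[bytes]
    this_update: datetime
    next_update: Optional[datetime]


def make_request_nonce(size: int = 16) -> bytes:
    """Fresh random nonce to place in the OCSP request."""
    return os.urandom(size)


def check_nonce_strict(request_nonce: bytes, resp: OcspResponseView) -> bool:
    """Enforced-nonce rule: a response without a nonce is rejected."""
    if resp.nonce is None:
        return False
    return hmac.compare_digest(resp.nonce, request_nonce)


def is_fresh(resp: OcspResponseView, now: datetime,
             max_age: timedelta = timedelta(days=7)) -> bool:
    """Validity-window check; max_age bounds responses without nextUpdate."""
    if now < resp.this_update:
        return False
    if resp.next_update is not None:
        return now <= resp.next_update
    return now - resp.this_update <= max_age


def accept_response(request_nonce: bytes, resp: OcspResponseView,
                    now: datetime) -> bool:
    """Current rule: nonce validated only if present; without a nonce the
    validity window is the only protection against replayed responses,
    so the freshness check is mandatory in both cases."""
    if resp.nonce is not None and not hmac.compare_digest(resp.nonce, request_nonce):
        return False
    return is_fresh(resp, now)
```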
Fixed an issue when only some fragments of a retransmitted IKEv2 message were received, which prevented processing a following fragmented message (non-fragmented messages were correctly processed, 6586f07162).
All remaining queued vici messages are now sent to subscribed clients during shutdown, which includes ike/child-updown events triggered when all established SAs are deleted (ef636316d2).
CHILD_SA IP addresses are now updated before installation of the IPsec SAs and policies to allow MOBIKE updates happening while retransmitting a CREATE_CHILD_SA request (#3164).
When looking for a route to the peer, the kernel-netlink plugin now ignores the current source address if it is deprecated. It also updates the flags associated with cached IP addresses and triggers a roam event if they change. As a result, a MOBIKE update now switches to a new address if the current one becomes deprecated (#3511).
The file and syslog loggers support logging the log level of each message after the subsystem (e.g. [IKE2] for a level 2 message of the IKE subsystem; #3509).