AC1) Subpolicy PQ is available. AC2) Applying PQ on top of base policies (LEGACY, DEFAULT, FUTURE) does not produce any warnings. AC3) Applying PQ on top of base policies prepend the following to opensslcnf, nss and rpm-sequoia generated policy (only, other generated policies are not changed): prepend the following to group: MLKEM768-X25519, P256-MLKEM768, P384-MLKEM1024 and MLKEM1024-X448 prepend the following to sign: MLDSA44, MLDSA65 and MLDSA87

.RHEL 9.7 `crypto-policies` supports post-quantum cryptography With this update of the system-wide cryptographic policies, you can enable support for post-quantum cryptography (PQC) through the new PQ subpolicy. The most notable changes in RHEL 9.7 `crypto-policies` include: * After you apply the PQ subpolicy, for example, by using the `update-crypto-policies --set DEFAULT:PQ` command, hybrid Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) and pure Module-Lattice-Based Digital Signature Standard (ML-DSA) post-quantum cryptographic algorithms are enabled in LEGACY, DEFAULT, FUTURE, and FIPS cryptographic policies with the highest priorities. * The PQC algorithms are enabled for the Sequoia PGP tool in all policies with the PQ subpolicy. * The new OpenSSL group selection syntax prioritizes post-quantum groups over classical ones if you enable the PQ subpolicy. You can revert this behavior only by disabling all PQ groups. * The ML-DSA-44, ML-DSA-65, and ML-DSA-87 PQC algorithms are enabled for NSS TLS connections in all cryptographic policies with the PQ subpolicy. * The PQ subpolicy also enables the `mlkem768x25519`, `secp256r1mlkem768`, and `secp384r1mlkem1024` hybrid ML-KEM groups for NSS TLS negotiations.