diff -Nru opencryptoki-3.13.0+dfsg/debian/changelog opencryptoki-3.13.0+dfsg/debian/changelog --- opencryptoki-3.13.0+dfsg/debian/changelog 2021-03-02 14:09:59.000000000 +0100 +++ opencryptoki-3.13.0+dfsg/debian/changelog 2022-05-18 10:38:07.000000000 +0200 @@ -1,3 +1,16 @@ +opencryptoki (3.13.0+dfsg-0ubuntu5.2) focal; urgency=medium + + * d/p/b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch + and d/p/6759faed-EP11-Fix-host-library-version-query.patch to + fix unavailability of Dilithium support in OpenCryptoki >= 3.13 + with upgraded EP11 host library + Thanks to Ingo Franzki (LP: #1973296) + * Refreshed patches: + d/p/patch 03-dlopen-soname.patch and + d/p/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch + + -- Frank Heimes Wed, 18 May 2022 10:38:07 +0200 + opencryptoki (3.13.0+dfsg-0ubuntu5.1) focal; urgency=medium * debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch diff -Nru opencryptoki-3.13.0+dfsg/debian/patches/03-dlopen-soname.patch opencryptoki-3.13.0+dfsg/debian/patches/03-dlopen-soname.patch --- opencryptoki-3.13.0+dfsg/debian/patches/03-dlopen-soname.patch 2019-10-22 14:49:49.000000000 +0200 +++ opencryptoki-3.13.0+dfsg/debian/patches/03-dlopen-soname.patch 2022-05-18 10:11:53.000000000 +0200 @@ -2,11 +2,9 @@ Description: Opening libopencryptoki correctly with soname major (Closes: #463593). -Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcscca/pkcscca.c -=================================================================== ---- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcscca/pkcscca.c -+++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcscca/pkcscca.c -@@ -1357,7 +1357,7 @@ CK_FUNCTION_LIST *p11_init(void) +--- a/usr/sbin/pkcscca/pkcscca.c ++++ b/usr/sbin/pkcscca/pkcscca.c +@@ -1423,7 +1423,7 @@ CK_RV rv; CK_RV (*pfoo) (); char *loc1_lib = "/usr/lib/pkcs11/PKCS11_API.so64"; 
@@ -15,11 +13,9 @@ CK_FUNCTION_LIST *funcs = NULL; -Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c -=================================================================== ---- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsconf/pkcsconf.c -+++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsconf/pkcsconf.c -@@ -1047,7 +1047,7 @@ CK_RV init(void) +--- a/usr/sbin/pkcsconf/pkcsconf.c ++++ b/usr/sbin/pkcsconf/pkcsconf.c +@@ -1095,7 +1095,7 @@ * error */ /* The host machine should have the right library in the * LD_LIBRARY_PATH */ @@ -28,11 +24,9 @@ if (!dllPtr) { printf("Error loading PKCS#11 library\n"); printf("dlopen error: %s\n", dlerror()); -Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -=================================================================== ---- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -+++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c -@@ -298,7 +298,7 @@ static int do_GetFunctionList(void) +--- a/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c ++++ b/usr/sbin/pkcsep11_migrate/pkcsep11_migrate.c +@@ -384,7 +384,7 @@ CK_RV (*func_list) () = NULL; void *d; char *evar; 
@@ -41,11 +35,9 @@ evar = getenv("PKCSLIB"); if (evar == NULL) { -Index: opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_session/pkcsep11_session.c -=================================================================== ---- opencryptoki-3.11.0+dfsg.orig/usr/sbin/pkcsep11_session/pkcsep11_session.c -+++ opencryptoki-3.11.0+dfsg/usr/sbin/pkcsep11_session/pkcsep11_session.c -@@ -214,7 +214,7 @@ static int do_GetFunctionList(void) +--- a/usr/sbin/pkcsep11_session/pkcsep11_session.c ++++ b/usr/sbin/pkcsep11_session/pkcsep11_session.c +@@ -229,7 +229,7 @@ CK_RV (*func_list)() = NULL; void *d; char *evar; diff -Nru opencryptoki-3.13.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch opencryptoki-3.13.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch --- opencryptoki-3.13.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch 1970-01-01 01:00:00.000000000 +0100 +++ opencryptoki-3.13.0+dfsg/debian/patches/6759faed-EP11-Fix-host-library-version-query.patch 2022-05-18 10:26:39.000000000 +0200 
@@ -0,0 +1,60 @@
+Description: EP11: Fix host library version query
+ Look at release and modification level, not just the modification level.
+ Release and modification level are encoded into the one byte minor
+ field of a CK_VERSION. The high order 4 bits are the release number, the
+ low order 4 bits the modification level.
+ This allows host library version checks for release and modification levels.
+Author: Ingo Franzki
+Origin: backport, 6759faed4c7a2e154ca2f2c56a5b51aec68227fc
+Bug-IBM: Bugzilla 198153
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1973296
+Forwarded: not-needed
+Applied-Upstream: 3.18
+Reviewed-by: Frank Heimes
+Last-Update: 2022-05-18
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -8559,8 +8559,19 @@
+ rc);
+ return rc;
+ }
++ TRACE_DEVEL("%s host_version=0x08%x\n", __func__, host_version);
+ lib_version->major = (host_version & 0x00FF0000) >> 16;
+- lib_version->minor = host_version & 0x000000FF;
++ /* Minor is 4 bits release number and 4 bits modification level */
++ lib_version->minor = (host_version & 0x00000F00) >> 4 |
++ (host_version & 0x0000000F);
++ if ((host_version & 0x0000F000) != 0) {
++ lib_version->minor |= 0xF0;
++ TRACE_DEVEL("%s relelase > 15, treating as 15\n", __func__);
++ }
++ if ((host_version & 0x000000F0) != 0) {
++ lib_version->minor |= 0x0F;
++ TRACE_DEVEL("%s modification level > 15, treating as 15\n", __func__);
++ }
+ /*
+ * EP11 host library < v2.0 returns an invalid version (i.e. 0x100). This
+ * can safely be treated as version 1.0
+@@ -8584,9 +8595,10 @@
+ if (rc != CKR_OK)
+ return rc;
+
+- TRACE_INFO("%s Host library version: %d.%d\n", __func__,
++ TRACE_INFO("%s Host library version: %d.%d.%d\n", __func__,
+ ep11_data->ep11_lib_version.major,
+- ep11_data->ep11_lib_version.minor);
++ (ep11_data->ep11_lib_version.minor & 0xF0) >> 4,
++ (ep11_data->ep11_lib_version.minor & 0x0F));
+
+ memset(&qv, 0, sizeof(qv));
+ qv.ep11_data = ep11_data;
+@@ -8671,6 +8683,7 @@
+ if (ep11_data->card_versions != NULL)
+ pInfo->hardwareVersion = ep11_data->card_versions->firmware_version;
+ pInfo->firmwareVersion = ep11_data->ep11_lib_version;
++ pInfo->firmwareVersion.minor >>= 4; /* report release, skip mod-level */
+ memcpy(pInfo->serialNumber, ep11_data->serialNumber,
+ sizeof(pInfo->serialNumber));
+ }
diff -Nru opencryptoki-3.13.0+dfsg/debian/patches/b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch opencryptoki-3.13.0+dfsg/debian/patches/b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch
--- opencryptoki-3.13.0+dfsg/debian/patches/b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch 1970-01-01 01:00:00.000000000 +0100
+++ opencryptoki-3.13.0+dfsg/debian/patches/b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch 2022-05-18 10:10:28.000000000 +0200
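Review bot: The trace call added in the first ep11_specific.c hunk has its format specifier transposed: `"%s host_version=0x08%x\n"` prints a literal `0x08` followed by the unpadded hex value, so a host version of 0x00030001 (constructed example) would be logged as `0x0830001`. It should read `TRACE_DEVEL("%s host_version=0x%08x\n", __func__, host_version);`, and the saturation message a few lines further down spells "relelase" for "release". This raw value is what an operator would consult when a version-gated feature is unexpectedly unavailable, so a misleading trace makes that diagnosis harder. `lib_version->minor` now packs release and modification level into one byte, so any other comparison against `ep11_lib_version.minor` in the file (none is visible in these hunks) should be checked against the new encoding; the enclosing functions start and end outside the hunks.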
@@ -0,0 +1,61 @@
+Description: EP11: Dilithium: Specify OID of key strength at key generation
+ Newer EP11 firmware versions require that the OID of the desired
+ Dilithium key strength is specified with attribute CKA_IBM_PQC_PARAMS
+ at key generation. Older firmware versions ignore this attribute.
+Author: Ingo Franzki
+Origin: backport, b40982e19e27b22ef724c7431a1a475f1858e199
+Bug-IBM: Bugzilla 198153
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1973296
+Forwarded: not-needed
+Applied-Upstream: 3.18
+Reviewed-by: Frank Heimes
+Last-Update: 2022-05-18
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/usr/lib/ep11_stdll/ep11_specific.c
++++ b/usr/lib/ep11_stdll/ep11_specific.c
+@@ -534,6 +534,8 @@
+ #define CKM_IBM_SM3 CKM_VENDOR_DEFINED + 0x0005000e
+ #define CKM_IBM_CPACF_WRAP CKM_VENDOR_DEFINED + 0x00060001
+
++#define CKA_IBM_PQC_PARAMS CKA_VENDOR_DEFINED + 0x0001000e
++
+ static CK_RV cleanse_attribute(TEMPLATE *template,
+ CK_ATTRIBUTE_TYPE attr_type)
+ {
+@@ -4631,6 +4633,8 @@
+ CK_ULONG ep11_pin_blob_len = 0;
+ ep11_session_t *ep11_session = (ep11_session_t *) sess->private_data;
+ CK_BYTE *rho, *t1;
++ const CK_BYTE dilithium_oid[] = { 0x06, 0x0b, 0x2b, 0x06, 0x01, 0x04, 0x01,
++ 0x02, 0x82, 0x0b, 0x01, 0x06, 0x05 };
+
+ UNUSED(h);
+
+@@ -4677,6 +4681,26 @@
+ goto error;
+ }
+
++ rc = add_to_attribute_array(&new_pPublicKeyTemplate,
++ &new_ulPublicKeyAttributeCount,
++ CKA_IBM_PQC_PARAMS, (CK_BYTE *)dilithium_oid,
++ sizeof(dilithium_oid));
++ if (rc != CKR_OK) {
++ TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
++ __func__, rc);
++ goto error;
++ }
++
++ rc = add_to_attribute_array(&new_pPrivateKeyTemplate,
++ &new_ulPrivateKeyAttributeCount,
++ CKA_IBM_PQC_PARAMS,(CK_BYTE *)dilithium_oid,
++ sizeof(dilithium_oid));
++ if (rc != CKR_OK) {
++ TRACE_ERROR("%s add_to_attribute_array failed with rc=0x%lx\n",
++ __func__, rc);
++ goto error;
++ }
++
+ /* debug */
+ for (i = 0; i < new_ulPrivateKeyAttributeCount; 
i++) { + TRACE_INFO("%s gen priv attr type=0x%lx valuelen=0x%lx attrcnt=0x%lx\n", diff -Nru opencryptoki-3.13.0+dfsg/debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch opencryptoki-3.13.0+dfsg/debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch --- opencryptoki-3.13.0+dfsg/debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch 2021-03-02 14:09:59.000000000 +0100 +++ opencryptoki-3.13.0+dfsg/debian/patches/f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch 2022-05-18 10:12:36.000000000 +0200 @@ -18,11 +18,9 @@ usr/sbin/pkcscca/pkcscca.c | 14 -------------- 1 file changed, 14 deletions(-) -diff --git a/usr/sbin/pkcscca/pkcscca.c b/usr/sbin/pkcscca/pkcscca.c -index c09f16b3..aa74eeb8 100644 --- a/usr/sbin/pkcscca/pkcscca.c +++ b/usr/sbin/pkcscca/pkcscca.c -@@ -1142,7 +1142,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) +@@ -1973,7 +1973,6 @@ { CK_FUNCTION_LIST *funcs; CK_KEY_TYPE key_type = 0; @@ -30,7 +28,7 @@ CK_SESSION_HANDLE sess; CK_RV rv; struct key_count count = { 0, 0, 0, 0, 0, 0, 0 }; -@@ -1154,19 +1153,6 @@ int migrate_wrapped_keys(CK_SLOT_ID slot_id, char *userpin, int masterkey) +@@ -1985,19 +1984,6 @@ return 2; } @@ -50,6 +48,3 @@ rv = funcs->C_OpenSession(slot_id, CKF_RW_SESSION | CKF_SERIAL_SESSION, NULL_PTR, NULL_PTR, &sess); if (rv != CKR_OK) { --- -2.25.1 - diff -Nru opencryptoki-3.13.0+dfsg/debian/patches/series opencryptoki-3.13.0+dfsg/debian/patches/series --- opencryptoki-3.13.0+dfsg/debian/patches/series 2021-03-02 14:09:59.000000000 +0100 +++ opencryptoki-3.13.0+dfsg/debian/patches/series 2022-05-18 10:20:38.000000000 +0200 @@ -3,3 +3,5 @@ 04-pkcsslotd-cmdline-args.patch f1f176cbb4183bcb8a0f7b4d7f649d84a731dd43.patch +b40982e1-EP11-Dilithium-Specify-OID-of-key-strength-at-key-ge.patch +6759faed-EP11-Fix-host-library-version-query.patch
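Review bot: The `dilithium_oid` array added in the second ep11_specific.c hunk is an undocumented byte string; the bytes decode as the DER encoding of OID 1.3.6.1.4.1.2.267.1.6.5, and a comment such as `/* DER-encoded OID 1.3.6.1.4.1.2.267.1.6.5 (Dilithium key strength) */` would let a reviewer confirm which parameter set every generated key pair is pinned to. The third hunk appends `CKA_IBM_PQC_PARAMS` to both templates unconditionally, so it is worth confirming that a caller-supplied template cannot already carry that attribute. It is also worth confirming that `add_to_attribute_array` copies the value, since `dilithium_oid` is a `const` local passed through a `(CK_BYTE *)` cast. Both failure branches log identical text; naming the public or private template in each `TRACE_ERROR` would make them distinguishable. The enclosing function begins and ends outside the hunks.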