HSM Tamper Behavior
Tampering with the Appliance
Hardware tamper events are detectable events that imply intrusion into the appliance interior.
One such event is removal of the lid (top cover). The lid is secured by anti-tamper screws, so any event that lifts that lid is likely to be a serious intrusion.
Another event that is considered tampering is opening of the bay containing the ventilation fans.
You can use the thumbscrew to access the mesh air filter in front of the fans, without disturbing the system. However, if you open the fan-retaining panel behind that, which requires a Torx #8 screwdriver, then the system registers a tamper.
Therefore, cleaning of the filter is encouraged, especially if you work in a dusty environment, but fan module removal and replacement are discouraged unless you have good reason to suspect that a fan module is faulty. See Fan Maintenance.
Decommission
The red "Decommission" button recessed behind the back panel is not a tamper switch. Its purpose is different. See HSM Emergency Decommission Button for a description.
What Happens When You Tamper - Including Opening the Fan Bay
First, the HSM disconnects and disallows any communication.
Second, the system turns on the "HSM Offline" alarm to alert system admins. This will happen within 30 seconds.
Third, if the system is unable to communicate with the HSM consecutively for 5 minutes, it restarts itself to ensure that all sensitive cached information is erased from the running system. If the system is still unable to communicate with the HSM after a restart, services are prevented from starting up and the status API reflects this problem. In addition, the GUI displays an error indicating a problem communicating with the HSM.
A tampered system does not recover by itself and requires the system admin to intervene. Recovering requires console access (for example SSH) and access to the HSM PED and the corresponding HSM tokens.
To clear a tamper flag on HSM
Make sure an HSM admin slot is selected.
Run the
/usr/safenet/lunaclient/bin/lunacm
tool in the console as the system admin (ksadmin).Check the available slots.
lunacm:> slot list
Look for a slot with description "Admin Token Slot".
Select the active slot.
lunacm:> slot set -slot <number>
Verify that the system is unable to communicate with the HSM using this command:
lunacm:> hsm tampershow
Response:
Driver command failed: Input/output error Failed to display tampers error=5. Command Result : No Error
An HSM restart is required before any operations can be performed against the HSM using this command:
lunacm:> hsm restart
Note
If the PED is connected to the system, it is required at this time to reconnect it by physically unplugging and reconnecting the USB cable; otherwise it will not be able to communicate with the HSM.
Make sure an HSM admin slot is selected. Refer to step 1 for details.
After the HSM has restarted, view the tamper event using this command:
lunacm:> hsm tampershow
You can now clear the tamper flag using these commands:
lunacm:> role login -name so lunacm:> hsm tamperclear
At this point the HSM should be operational again.
Note
During tampering all cached HSM tokens are cleared. Therefore, any CipherTrust Manager attempt to log in to the HSM will trigger PED authenticate. Re-authentication using the black PED key is required to get the appliance running again.