Luna Cloud HSM Firmware Version 3.0

New Features and Enhancements

In order to comply with the latest FIPS 140-3 certification requirements please review the following changes and ensure you make the necessary adjustments that apply to your environment.

**WARNING** FW 3.0 includes breaking changes as a result of the latest FIPS 140-3 certification requirements. Please ensure that your application is updated to avoid the use of these mechanisms when operating in the FIPS approved mode.

Firmware Versions

Firmware upgrades are planned for the following dates. Please consult the changelog for exact roll out dates.

Environment	Version	Estimated Release to Production
NA FIPS	3.0	H2 2026
NA non-FIPS	3.0	H2 2025
EU FIPS	3.0	H2 2026
EU non-FIPS	3.0	H2 2025

NOTE When the Luna Cloud HSM service is upgraded to FW 3.0, Hybrid HA operations with a Luna Network HSM will require Luna Client UC10.8.0 or higher. Using a client version prior to 10.8.0 will result in CKR_FUNCTION_NOT_SUPPORTED returned when attempting to login to a Hybrid HA group.

Luna HSM firmware 3.0 includes the following new features and enhancements:

Blocked Pre-Hash Verify Operations

All pre-hashed verify operations will be blocked due to the identification of a new requirement in the latest FIPS 140-3 certification.

The list of affected commands and mechanisms is as follows:

Blocked Commands:
LUNA_VERIFY
LUNA_VERIFY_END
LUNA_VERIFY_INIT
LUNA_VERIFY_SINGLEPART

For the following mechanisms:
CKM_DSA
CKM_ECDSA
CKM_RSA_X9_31
CKM_RSA_PKCS
CKM_RSA_PKCS_PSS

Security enhancing crypto changes

To comply with the latest FIPS 140-3 certification requirements, RSA-based key transport schemes that use only PKCS#1-v1.5 padding are disallowed, notably the mechanism CKM_RSA_PKCS for encrypt/decrypt/wrap/unwrap. Other mechanisms might now prohibit forward operations (new encryption or signing or wrapping,) while continuing to permit others (decrypt/unwrap) to support legacy situations. Refer to the Mechanism pages in the SDK Reference Guide section of this documentation for specific indications.

Block use of non-SP800-186 Compliant Curves

Signature creation for Curve448 and Curve25519 (ECDH) are blocked.

Deprecation of CPv1 Cloning

CPv1 has been removed from FIPS firmware support as it is no longer compliant with the latest certification requirements. As this only affects FIPS mode, all affected users should use CPv4 or transition service to non-FIPS mode.

Updated encryption

Cloning encryption is now ECC-based (formerly RSA) and separates session-key negotiation from the use of session keys for migrating/transfering keys and objects within the security perimeter of the cryptographic module with the following advantages:

> Consolidate HSM resources with secure and transparent exchanges of cryptographic material among mixed authentication modes:

• multifactor quorum-authentication

• password-authenticated partitions

> Transfer keys to an entirely new domain, providing full interoperability between on-premises Luna PCIe HSM 7 partitions and Luna Cloud HSM services.

ECC Curves

The user can now update the ECC curves without disabling the policy on FW upgrades if the module is configured in ‘FIPS mode’.

Error Logging

Log recording KAT failures can be found in:

Windows operating systems print Application Error Logs and Curl Logs to the Windows Event Viewer.
Linux operating systems print Application Error Logs and Curl Logs to /var/log/messages.

Environmental Failure Prevention (EFP) or Environment Failure Testing (EFT) Mandated at Level 3

EFP/EFT is now mandated at Level 3 for the latest requirements of FIPS 140-3 certification. The Bootloader will be halted should the temperature or voltage step outside the limits defined by us. This change will separately list and report the version of the firmware running on the sensor micro-controller alongside ensuring it had its own integrity mechanisms, KAT and periodic self-test.

FIPS 140-3 Changes in Luna Cloud HSM Firmware 3.0 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with NIST's planned withdrawal of FIPS SP800-67 Rev2 on January 1, 2024 and in order to maintain the latest FIPS 140-3 certification requirements.

Mechanisms not permitted to encrypt objects in FIPS mode

The following mechanisms are not permitted to encrypt objects in FIPS mode:

>CKM_DES_CFB8

>CKM_DES_CFB64

>CKM_DES_OFB64

>CKM_DES3_CBC

>CKM_DES3_CBC_PAD

>CKM_DES3_CTR

>CKM_DES3_ECB

The following encryption mechanisms are no longer available in FIPS mode:

>CKM_DES3_CBC_ENCRYPT_DATA

>CKM_DES3_ECB_ENCRYPT_DATA

DES3 encryption is blocked in ECIES mechanisms.

HMAC mechanisms are blocked from using a DES3 key for signing.

>CKM_SHA3_224_HMAC

>CKM_SHA3_224_HMAC_GENERAL

>CKM_SHA3_256_HMAC

>CKM_SHA3_256_HMAC_GENERAL

>CKM_SHA3_384_HMAC

>CKM_SHA3_384_HMAC_GENERAL

>CKM_SHA3_512_HMAC

>CKM_SHA3_512_HMAC_GENERAL

Mechanisms not permitted to sign objects in FIPS mode

The following mechanisms are not permitted to sign objects in FIPS mode:

>CKM_DES3_CMAC

>CKM_DES3_CMAC_GENERAL

CKM_RSA_PKCS not permitted to decrypt/unwrap objects in FIPS mode

CKM_RSA_PKCS is now restricted from performing decrypt/unwrap operations in FIPS mode.

Known Issues

Error Messages

The following error messages are appearing when "partition showinfo" is run in lunacm:
0x82 (CKR_OBJECT_HANDLE_INVALID)
SMK OUIDs are not available
These errors are appearing in FW 3.0 however it does not affect the performance of the release. This has not appeared in previous FW releases.

lunacm:>par si        Partition Label -> test_acvp_partition_fips

Partition Manufacturer ->

Partition Model -> Cryptovisor7

Partition Serial Number -> 1386841530803

Partition Status -> L3 Device

HSM Certificates ->     *** Test Certs ***

HSM Part Number -> Not Available

HSM Serial Number -> 595644

Token Flags ->

CKF_RNG

CKF_LOGIN_REQUIRED

CKF_USER_PIN_INITIALIZED

CKF_RESTORE_KEY_NOT_NEEDED

CKF_TOKEN_INITIALIZED

RPV Initialized -> Not Available

Slot Id -> 6

Session State -> CKS_RW_USER_FUNCTIONS

Role Status ->   Crypto Officer logged in

Partition SMK OUIDs are not available (CKR_OBJECT_HANDLE_INVALID)                    Extended Token Flags ->

TOKEN_KCV_CREATED

Partition OUID: Not Available

Partition Storage:

Total Storage Space:  159744

Used Storage Space:   0

Free Storage Space:   159744

Object Count:         0

Overhead:             16008

*** The HSM is in FIPS approved operation mode. ***

FM HW Status -> FM Not Supported

Firmware Version -> 7.8.1

CV Firmware Version ->  3.0.0

Rollback Firmware Version -> 7.3.0

Command Result : 0x82 (CKR_OBJECT_HANDLE_INVALID)



	SUPPORT	LEGAL
Luna Cloud HSM Documentation © Copyright 2001-2025, Thales Group Last Updated: 2025-03-27 18:14:01 GMT-04:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Document Information