Updating the SafeNet Luna PCIe HSM Firmware
To update the firmware on a SafeNet Luna PCIe HSM, download the desired firmware version from the Thales Group Support Portal. Use LunaCM on the host workstation to apply the update. You require:
>SafeNet Luna HSM firmware update file (<filename>.fuf) and/or
>the firmware update authentication code file(s) (<filename>.txt)
CAUTION! Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.
To update the SafeNet Luna PCIe HSM firmware
1.Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.
•Windows: C:\Program Files\SafeNet\LunaClient
•Linux: /usr/safenet/lunaclient/bin
•Solaris: /opt/safenet/lunaclient/bin
NOTE On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.
2.Launch LunaCM.
3.If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.
lunacm:> slot set -slot <slot_number>
4.Log in as HSM SO.
lunacm:> role login -name so
5.Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the filepaths.
lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt
Changing the Firmware Upgrade Permissions (Linux only)
By default, the root user and any user who is part of the hsmusers group can perform a firmware update. You can use this procedure to restrict firmware update operations to root only (that is, disable firmware update for members of the hsmusers group).
To restrict firmware update operations to the root user only
1.Open the the /etc/modprobe.d/k7.conf file for editing:
sudoedit /etc/modprobe.d/k7.conf
2.Change the k7_rootonly_reset option from 0 to 1. Save the file and exit the editor.
3.Stop any processes that are using the K7 driver. Typically this means stopping the pedclient service, and the luna-snmp service, if you are using SNMP.
sudo systemctl stop pedclient_service
sudo systemctl stop luna-snmp
4.Reload the driver:
sudo systemctl reload k7