Firmware Rollback

When you perform a firmware update operation, a newer firmware version is installed in the HSM, and the firmware that was previously active is retained in case you wish to roll back to that previous version. This allows you to try out a new version, without being committed to it. At any time there can be no more than one active firmware and one potential rollback firmware.

From the factory, normally only the active firmware is installed, and there is no rollback option until you have updated firmware at least once.

If the HSM contains a rollback firmware version (call it 'B') and a currently active firmware version (call it 'C'), and you then perform a firmware update operation to raise the current version to a newer version (call it 'D'), then the 'C' firmware assumes the rollback status and the 'B' version is now gone from the HSM. If you do perform rollback, then 'C' becomes the current version, and there is no rollback option from there.  

CAUTION:  The rollback operation is destructive to application partitions and contents, so perform backups, as necessary, before rolling back.  

After rollback, the no-longer-valid client/partition assignment configuration files remain, and must be cleared before you create any new partitions. HSM initialization clears those files and is a required operation following firmware rollback.

In the Network HSM appliance, you can have an uploaded newer firmware version on the appliance file system, ready to install.  

To roll back HSM firmware  

1. In Luna Shell, use the command hsm firmware show to verify the HSM's current firmware version and the available rollback version:

lunash:>hsm firmware show

   Current Firmware:                   6.27.0
   Rollback Firmware:                  6.10.9
   Upgrade Firmware:                   N/A

Command Result : 0 (Success)
 

2. Run the hsm firmware rollback command:

lunash:>hsm firmware rollback

WARNING: This operation will rollback your HSM to the previous firmware version !!!

         (1) This is a destructive operation.
         (2) You will lose all your partitions.
         (3) You might lose some capabilities.
         (4) You must re-initialize the HSM.
         (5) If the PED use is remote, you must re-connect it.

Type 'proceed' to continue, or 'quit' to quit now.

> proceed
Proceeding...

Rolling back firmware.  This may take several minutes.


Command Result : 0 (Success)
 

3. Verify the rollback with the hsm show command:

lunash:>hsm show

   Appliance Details:
   ==================
   Software Version:                6.3.0

   HSM Details:
   ============
   HSM Label:                          mysa6
   Serial #:                           7000022
   Firmware:                           6.10.9   
   HSM Model:                          K6 Base
   Authentication Method:              PED keys
   HSM Admin login status:             Not Logged In
   HSM Admin login attempts left:      3 before HSM zeroization!
   RPV Initialized:                    Yes
   Audit Role Initialized:             No
   Remote Login Initialized:           No
   Manually Zeroized:                  No

   Partitions created on HSM:
   ==========================
 
.... (snip)...

Command Result : 0 (Success)
 

4. Following rollback, initialize the HSM with the command hsm init:

lunash:> hsm init -label mysa6  

CAUTION:  Are you sure you wish to re-initialize this HSM?  
All partitions and data will be erased.  
Type 'proceed' to initialize the HSM, or 'quit' to quit now.  
> proceed  

Luna PED operation required to initialize HSM - use Security Officer (blue) PED Key  
'hsm -init successful'  

Command result : 0 (Success)
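
The checks made by eye at steps 1 and 3 can be scripted for a change record. The following is an added Python example, not part of this guide or of the Luna tooling; it parses captured lunash output in the format shown above. The function names and the expected_target argument (the version approved for the rollback) are assumptions for illustration, and how the output is captured is left to the operator.

```python
import re

# Abridged from the transcripts on this page (steps 1 and 3).
FW_SHOW = """\
   Current Firmware:                   6.27.0
   Rollback Firmware:                  6.10.9
   Upgrade Firmware:                   N/A

Command Result : 0 (Success)
"""
HSM_SHOW_AFTER = """\
   HSM Label:                          mysa6
   Firmware:                           6.10.9

Command Result : 0 (Success)
"""

def parse_fields(text):
    """Map 'Name:   value' lines to a dict; reject output without a 0 result."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2)
    if fields.get("command result", "").split()[:1] != ["0"]:
        raise ValueError("output does not end in 'Command Result : 0'")
    return fields

def version(s):
    """'6.10.9' -> (6, 10, 9), so 6.9.x sorts below 6.10.x; rejects 'N/A'."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"not a firmware version: {s!r}")
    return tuple(int(p) for p in s.split("."))

def preflight(fw_show_text, expected_target):
    """Before step 2: a rollback image exists and is the approved version."""
    f = parse_fields(fw_show_text)
    current = f.get("current firmware", "")
    rollback = f.get("rollback firmware", "")
    # A rollback image is the firmware that was active before the last update,
    # so it should be older than the current one.
    if version(rollback) >= version(current):
        raise ValueError("rollback firmware is not older than current")
    if rollback != expected_target:
        raise ValueError(f"rollback is {rollback}, approved {expected_target}")
    return current, rollback

def verify(hsm_show_text, expected_target):
    """Step 3: 'hsm show' reports the rollback version as the active firmware."""
    return parse_fields(hsm_show_text).get("firmware") == expected_target
```

An HSM that has never been updated has no rollback version, so preflight raises ValueError there instead of returning a version pair.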