This command rolls back (downgrades) the HSM firmware to the previously installed version. You do not need to obtain the previously installed version - it was automatically saved to a special rollback holding area when you used the command hsm firmware upgrade.
Note: For PED-authenticated HSMs, you must disable SRK before you can update the firmware. Use the hsm srk show command to determine whether SRK is enabled on your HSM. If it is, the first line of the output of the hsm srk show command reads "External split enabled: yes". If this is the case, run the hsm srk disable command to disable SRK on the HSM. You must have the appropriate purple PED Key to disable SRK. If you attempt to update the firmware while SRK is enabled, the system responds with an error: 0x80000030 (CKR_OPERATION_NOT_ALLOWED).
Note: This command is intended primarily for SafeNet internal use (for example, for automated testing). It is recommended that you use this command only when instructed to do so by SafeNet technical support. The HSM capabilities and performance following a firmware rollback are uncertain.
CAUTION: This command is considered destructive, because an earlier firmware version can have fewer or older mechanisms and might have security vulnerabilities that a newer version does not. Therefore, the HSM requires that the SO be logged in to perform the hsm firmware rollback operation.
After rollback is complete, the command hsm show indicates that you cannot roll back from the rolled-back firmware.
If you wish to reassert the newer firmware that was in the HSM before you rolled back, use the hsm firmware upgrade command to re-upgrade to the newer firmware version. That version remains on standby in the appliance, so there is no need to re-upload it or to re-install appliance software.
hsm firmware rollback [-force]
Parameter | Shortcut | Description |
---|---|---|
-force | -f | Force the action |
The following example shows the HSM configuration before and after the firmware rollback.
```
[local_host] lunash:>hsm show

Appliance Details:
==================
Software Version: 6.1.0-1

HSM Details:
============
HSM Label: mysa6
Serial #: 7000022
Firmware: 6.27.0
HSM Model: K6 Base
Authentication Method: PED keys
HSM Admin login status: Logged In
HSM Admin login attempts left: 3 before HSM zeroization!
RPV Initialized: Yes
Audit Role Initialized: No
Remote Login Initialized: No
Manually Zeroized: No

Partitions created on HSM:
==========================
.... (snip)...

Command Result : 0 (Success)
lunash:>

[local_host] lunash:>hsm firmware rollback

WARNING: This operation will rollback your HSM to the previous firmware version !!!
(1) This is a destructive operation.
(2) You will lose all your partitions.
(3) You might lose some capabilities.
(4) You must re-initialize the HSM.
(5) If the PED use is remote, you must re-connect it.

Type 'proceed' to continue, or 'quit' to quit now.
> proceed
Proceeding...

Rolling back firmware. This may take several minutes.

Command Result : 0 (Success)

[local_host] lunash:>hsm show

Appliance Details:
==================
Software Version: 6.1.0-1

HSM Details:
============
HSM Label: mysa6
Serial #: 7000022
Firmware: 6.22.0
HSM Model: K6 Base
Authentication Method: PED keys
HSM Admin login status: Not Logged In
HSM Admin login attempts left: 3 before HSM zeroization!
RPV Initialized: Yes
Audit Role Initialized: No
Remote Login Initialized: No
Manually Zeroized: No

Partitions created on HSM:
==========================
.... (snip)...

Command Result : 0 (Success)
```
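Because a rollback can reintroduce older mechanisms and vulnerabilities, it is worth recording and checking the `hsm show` output on both sides of any firmware change. The following is an added example, not SafeNet code: it parses captured `hsm show` text, checks the two preconditions this page names (SO logged in, SRK disabled), and classifies the firmware change. The function names and the idea of capturing lunash output to text are assumptions, and the sample strings are constructed from the session above.

```python
import re

# Constructed samples: fields trimmed from the `hsm show` output shown above.
BEFORE = "HSM Label: mysa6\nSerial #: 7000022\nFirmware: 6.27.0\nHSM Admin login status: Logged In\n"
AFTER = "HSM Label: mysa6\nSerial #: 7000022\nFirmware: 6.22.0\nHSM Admin login status: Not Logged In\n"

def parse_hsm_show(text):
    """Collect the 'Key: value' lines of captured `hsm show` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:=]+?)\s*:\s*(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def fw_tuple(version):
    """'6.27.0' -> (6, 27, 0), so that 6.9.0 sorts below 6.10.0."""
    return tuple(int(part) for part in version.split("."))

def srk_enabled(srk_show_text):
    """True when the first line of `hsm srk show` output reports SRK enabled."""
    lines = [l.strip() for l in srk_show_text.splitlines() if l.strip()]
    return bool(lines) and lines[0].lower() == "external split enabled: yes"

def preflight(show_text, srk_show_text):
    """List the conditions named on this page that block the firmware operation."""
    blockers = []
    if parse_hsm_show(show_text).get("HSM Admin login status") != "Logged In":
        blockers.append("SO not logged in")
    if srk_enabled(srk_show_text):
        blockers.append("SRK enabled: run hsm srk disable")
    return blockers

def audit_change(before_text, after_text):
    """Classify the firmware change between two captures of the same HSM."""
    before, after = parse_hsm_show(before_text), parse_hsm_show(after_text)
    if before["Serial #"] != after["Serial #"]:
        raise ValueError("captures come from different HSMs")
    old, new = before["Firmware"], after["Firmware"]
    kind = "downgrade" if fw_tuple(new) < fw_tuple(old) else \
           "upgrade" if fw_tuple(new) > fw_tuple(old) else "unchanged"
    return kind, old, new

if __name__ == "__main__":
    print(preflight(BEFORE, "External split enabled: yes"))  # constructed SRK line
    print(audit_change(BEFORE, AFTER))
```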