Home > |
---|
When you perform a firmware update operation, a newer firmware version is installed in the HSM, and the firmware that was previously active is retained in case you wish to roll back to that previous version. This allows you to try out a new version, without being committed to it. At any time there can be no more than one active firmware and one potential rollback firmware.
From the factory, normally only the active firmware is installed, and there is no rollback option until you have updated firmware at least once.
If the HSM contains a rollback firmware version (call it 'B') and a currently active firmware version (call it 'C'), and you then perform a firmware update operation to raise the current version to a newer version (call it 'D'), then the 'C' firmware assumes the rollback status and the 'B' version is now gone from the HSM. If you do perform rollback, then 'C' becomes the current version, and there is no rollback option from there.
CAUTION: The rollback operation is destructive to application partitions and contents, so perform backups, as necessary, before rolling back.
After rollback, the no-longer-valid client/partition assignment configuration files remain, and must be cleared before you create any new partitions. HSM initialization clears those files and is a required operation following firmware rollback.
For SafeNet PCIe HSM and SafeNet USB HSM, you can have newer firmware in the host file system, ready to install.
1.Ensure that the host computer and, if applicable, any attached USB HSM or Backup HSM, are connected to an uninterruptible power supply.
2.Launch LunaCM.
3.Use slot list command to see the slot number for the desired HSM.
4.Use slot set command to select the slot corresponding to the HSM that is to have its firmware rolled back.
5.Use the hsm showinfo command to see the current firmware version and the rollback firmware version:
lunacm:> hsm showinfo lunacm:> hsm showinfo Partition Label -> myusbhsm Partition Manufacturer -> Safenet, Inc. Partition Model -> G5 Base Partition Serial Number -> 150022 Partition Status -> OK Token Flags -> CKF_RESTORE_KEY_NOT_NEEDED CKF_PROTECTED_AUTHENTICATION_PATH CKF_TOKEN_INITIALIZED RPV Initialized -> Yes Slot Id -> 1 Tunnel Slot Id -> 2 Session State -> CKS_RW_PUBLIC_SESSION Role Status -> none logged in Token Flags -> TOKEN_KCV_CREATED Partition OUID: 0000000000000000064a0200 Partition Storage: Total Storage Space: 262144 Used Storage Space: 0 Free Storage Space: 262144 Object Count: 0 Overhead: 9280 *** The HSM is NOT in FIPS 140-2 approved operation mode. *** Firmware Version -> 6.27.0 Rollback Firmware Version -> 6.10.9 HSM Storage: Total Storage Space: 2097152 Used Storage Space: 174288 Free Storage Space: 1922864 Allowed Partitions: 1 Number of Partitions: 1 License Count -> 9 1. 621000026-000 K6 base configuration 1. 620127-000 Elliptic curve cryptography 1. 620114-001 Key backup via cloning protocol 1. 620109-000 PIN entry device (PED) enabled 1. 621010358-001 Enable a split of the master tamper key to be s tored externally 1. 621010089-001 Enable remote PED capability 1. 621000021-001 Performance level 15 1. 621000079-001 Enable Small Form Factor Backup 1. 621000099-001 Enable per-partition Security Officer Command Result : No Error
6.Login if you have not already done so, and run the hsm rollbackfw command.
lunacm:> hsm login Please attend to the PED. Command Result : No Error lunacm:> hsm rollbackFW You are about to rollback the firmware. The HSM will be reset. Are you sure you wish to continue? Type 'proceed' to continue, or 'quit' to quit now -> proceed Rolling back firmware. This may take several minutes. Firmware rollback passed. Resetting HSM Command Result : No Error
7. Following rollback, initialize the HSM with command hsm init :
.