Tamper Events

SafeNet Luna HSMs detect hardware anomalies (such as card over-temperature) and physical events (such as card removal or chassis intrusion), and register them as tamper events. A tamper event is considered a security breach, and effectively locks the HSM.

If your HSM provides the capability Enable Decommission on Tamper (available as a factory option only), you can enable Policy 40: Decommission on Tamper to decommission the HSM in the event of a tamper. See HSM Capabilities and Policies and Comparing Zeroize, Decommission, and Factory Reset for more information.

Unless Policy 40: Decommission on Tamper is enabled, the contents of the HSM are not affected by the tamper event. The HSM, however, remains locked until it is reset (some low-severity events do not require a reset).

If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation (see HSM Capabilities and Policies). While the HSM is in the tamper state, only the subset of LunaSH commands required to view or clear the tamper condition is available.

When a tamper event occurs, the HSM halts. For PED-authenticated HSMs, the cached PED key data that allows activation is zeroized, and activation is disabled. All commands, except those required to view the HSM status and clear the tamper, are disabled. When an HSM is in the tamper state, only the HSM SO is able to log in to the HSM.

There are several conditions that can result in a tamper. The tamper state is indicated by the HSM Tamper State field in the output of the LunaSH hsm show command. If tamper events have been detected and not cleared, the tamper state will be Tamper(s) detected. Use the hsm tamper show command to view detailed information for the tamper, including whether the tamper event requires an HSM reset, in addition to a tamper clear.

Tamper event: Chassis intrusion
Response: Halt the HSM. Deactivate activated partitions. Decommission the HSM if Policy 40: Decommission on Tamper is enabled.
Note: Chassis Open resets the HSM hardware, including the PCIe logic. This prevents the HSM from reporting any status, including the Chassis Open condition. The only thing detected in this case is k7pf0: ALM0015: PCIe Link Failure.

Tamper event: Card removal
Response: Halt the HSM. Deactivate activated partitions. Decommission the HSM if Policy 40: Decommission on Tamper is enabled.

Tamper event: Over/under temperature
Response: Halt the HSM. Deactivate activated partitions. Decommission the HSM if Policy 40: Decommission on Tamper is enabled. Warnings are logged for mild over/under temperature events; warnings are self-clearing if the condition is resolved.

Tamper event: Over/under voltage
Response: Halt the HSM. Deactivate activated partitions. Decommission the HSM if Policy 40: Decommission on Tamper is enabled. Warnings are logged for mild over/under voltage events; warnings are self-clearing if the condition is resolved.

Tamper event: Battery removal/depletion
Response: Halt the HSM. Deactivate activated partitions. Decommission the HSM. Warnings are logged for low battery conditions.
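The checks below are an added example (not from the Luna guide or Thales tooling) for a monitoring host that captures LunaSH output over SSH: they read the HSM Tamper State field from hsm show, the reset-required indication from hsm tamper show, flag the ALM0015 PCIe Link Failure line that is the only symptom of a Chassis Open reset, and list the LunaSH commands the HSM SO must issue next. The line layouts of the sample outputs are constructed assumptions; only the field name, state value and alarm text come from the page.

```python
import re

# Constructed sample of the relevant 'hsm show' lines (layout assumed).
HSM_SHOW_TAMPERED = """\
HSM Label:                     myLunaHSM
HSM Tamper State:              Tamper(s) detected
"""

# Constructed sample of 'hsm tamper show' output; the guide says the command
# reports whether a reset is required, the exact wording here is assumed.
TAMPER_SHOW_RESET = """\
Last tamper event:   Chassis intrusion
HSM reset required:  Yes
"""

# Constructed appliance log; the alarm text is the one the guide names.
APPLIANCE_LOG = [
    "Jan  1 00:00:00 luna kernel: k7pf0: ALM0015: PCIe Link Failure",
    "Jan  1 00:00:01 luna sshd: session opened",
]

FIELD_RE = re.compile(r"^\s*HSM Tamper State:\s*(.+?)\s*$", re.MULTILINE)


def tamper_state(hsm_show_output: str) -> str:
    """Return the HSM Tamper State value, or '' if the field is absent."""
    m = FIELD_RE.search(hsm_show_output)
    return m.group(1) if m else ""


def tamper_detected(hsm_show_output: str) -> bool:
    """True when 'hsm show' reports uncleared tamper events."""
    return tamper_state(hsm_show_output).startswith("Tamper(s) detected")


def reset_required(tamper_show_output: str) -> bool:
    return bool(re.search(r"reset required:\s*yes", tamper_show_output, re.I))


def chassis_open_suspected(log_lines) -> bool:
    """Chassis Open resets the card, so only the PCIe link alarm is visible;
    treat that alarm as a possible tamper that needs physical investigation."""
    return any("ALM0015" in l and "PCIe Link Failure" in l for l in log_lines)


def recovery_commands(policy48_enabled: bool, tamper_show_output: str) -> list:
    """LunaSH commands for the HSM SO, in the order the guide gives them."""
    cmds = ["hsm tamper clear"] if policy48_enabled else []
    if reset_required(tamper_show_output):
        cmds.append("sysconf appliance reboot")
    cmds.append("hsm tamper show")  # verify all tampers are cleared
    return cmds
```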

Recovering from a Tamper

How you recover from a tamper depends on how the following HSM policies are set. See HSM Capabilities and Policies for more information:

Policy 40: Decommission on Tamper. If enabled, the HSM is decommissioned in the event of a tamper. If the HSM is decommissioned on tamper, you must re-initialize the HSM SO, clear the tamper, re-create your partitions, restore the partition contents from backup, and re-initialize the partition roles (Partition SO, Crypto Officer, Crypto User, and Audit, as relevant).

Policy 48: Do Controlled Tamper Recovery. If enabled, the tamper that halted the HSM must be cleared by the HSM SO (by issuing the hsm tamper clear command) before the HSM can be reset to resume normal operations.

Activation and auto-activation are disabled on tamper

If you are using activation or auto-activation on your PED-authenticated partitions, it is disabled when a tamper is detected, or if any uncleared tamper conditions are detected on reboot. See Activation and Auto-Activation on PED-Authenticated Partitions and Partition Capabilities and Policies for more information.

To recover from a tamper

1. If the HSM was decommissioned as a result of the tamper, you must reinitialize the HSM, as described in HSM Initialization in the Configuration Guide.

2. Log in to the HSM as the HSM SO.

3. Use the hsm tamper show command to display the last tamper event.

Note:  The hsm tamper show command only shows the last tamper event, even if several tampers have occurred. To view a complete list of the tamper events that have occurred on the HSM, use the LunaSH hsm supportinfo command.

4. Resolve the issue(s) that caused the tamper event.

5. If Policy 48: Do Controlled Tamper Recovery is enabled, clear the tamper condition. Otherwise, go to the next step:

lunash:> hsm tamper clear

6. If the tamper message indicates that a reset is required, use the LunaSH sysconf appliance reboot command to reboot the HSM:

lunash:> sysconf appliance reboot

7. Verify that all tampers have been cleared:

lunash:> hsm tamper show

8. If the HSM was decommissioned as a result of the tamper, you must re-create your partitions, re-initialize the partition roles (Partition SO, Crypto Officer, Crypto User, and Audit, as relevant), and restore the partition contents from backup. See the following sections in the Configuration Guide:

a. To re-create your partitions, see Create Application Partitions.

b. To re-initialize the partition roles, see Configure Application Partitions.

c. To restore the partition contents from backup, see Backup and Restore HSMs and Partitions.

9. If Policy 22: Allow Activation and/or Policy 23: Allow AutoActivation are enabled on your PED-authenticated partitions, the CO and CU (if enabled) must log in to reactivate those roles:

lunacm:> role login -name <role>