HSM SO Creates PED-Authenticated Partition, Local to Client

An application owner/user has requested an application partition on the HSM, on which applications will run cryptographic operations. These instructions are the actions to be taken by the HSM SO. These instructions assume a PED-authenticated SafeNet Luna PCIe HSM.

These instructions assume an HSM installed locally to the host computer, where SafeNet Luna HSM Client software is installed, and where administrative access to the HSM is carried out via the LunaCM utility.

Requirements

You will need:

- A Luna PED and PED keys with labels and a locally-connected PED.

Verification

These instructions assume that the HSM is new, or has undergone factory reset and is in a zeroized state with no HSM SO or Administrator role set. This can be verified by running the LunaCM command hsm showinfo while the HSM is the selected cryptographic slot; the slot list command also reports the zeroized state in its HSM Status field. For example:

lunacm:>slot list
 
        Slot Id ->              103
        Label ->
        Serial Number ->        532018
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           L3 Device, Zeroized
 
 
        Current Slot Id: 103
 
 
Command Result : No Error
 

The output shows that the host computer contains a PED-authenticated SafeNet Luna PCIe HSM at the desired firmware version, as slot 103. The SafeNet Luna PCIe HSM admin partition is the currently-set slot, so all commands are directed to that HSM. When new partitions are created, or other SafeNet Luna HSMs are attached, you will need to select their slots using the LunaCM command slot set to direct commands to them.

lunacm:>hsm showinfo
 
        Partition Label ->
        Partition Manufacturer -> SafeNet
        Partition Model -> Luna K7
        Partition Serial Number -> 532018
        Partition Status -> L3 Device, Zeroized
        HSM Part Number -> 808-000048-002
        Token Flags ->
                CKF_RESTORE_KEY_NOT_NEEDED
                CKF_PROTECTED_AUTHENTICATION_PATH
        RPV Initialized -> No
        Slot Id -> 103
        Session State -> CKS_RW_PUBLIC_SESSION
        Role Status ->   none logged in
        Token Flags ->
 
        Partition OUID: Not Available
        Partition Storage:
                Total Storage Space:  393216
                Used Storage Space:   0
                Free Storage Space:   393216
                Object Count:         4
                Overhead:             9640
 
        *** The HSM is NOT in FIPS 140-2 approved operation mode. ***
 
        Firmware Version -> 7.0.1
        Rollback Firmware Version -> Not Available
 
        Environmental:
                Fan 1 Status                            : active
                Fan 2 Status                            : active
                Battery Voltage                         : 3.093 V
                Battery Warning Threshold Voltage       : 2.750 V
                System Temp                             : 42 deg. C
                System Temperature Warning Threshold    : 75 deg. C
 
        HSM Storage:
                Total Storage Space:  33554432
                Used Storage Space:   0
                Free Storage Space:   33554432
                Allowed Partitions:   100
                Number of Partitions: 0
 
        License Count -> 10
                1. 621000153-000 K7 base configuration
                2. 621010185-003 Key backup via cloning protocol
                3. 621000046-002 Maximum 100 partitions
                4. 621000134-002 Enable 32 megabytes of object storage
                5. 621000135-002 Enable allow decommissioning
                6. 621000021-002 Maximum performance
                7. 621000138-001 Controlled tamper recovery
                8. 621000154-001 Enable decommission on tamper with policy off
                9. 621000145-002 Enable PED authentication with M of N
                10. 621010089-002 Enable remote PED capability
 
Command Result : No Error
 

The HSM in the current slot is zeroized and ready to be configured.

Configuration

Have a blue HSM SO PED key and a red Domain PED key ready, and have a Luna PED connected to the HSM, set to Local Mode.

1. Initialize the HSM.

hsm init -label <label>

lunacm:>hsm init -label myPCIeHSM
 
        You are about to initialize the HSM.
        All contents of the HSM will be destroyed.
 
        Are you sure you wish to continue?
 
        Type 'proceed' to continue, or 'quit' to quit now ->proceed
 
        Please attend to the PED.
 

Respond to Luna PED prompts...

Command Result : No Error
 

PKCS slot numbering starts at zero. A slot zero (0) always exists, as a placeholder for partitions to be created. For consistency in operation, the HSM administrative partition must always be the highest-numbered slot on that HSM. The admin partition's slot number will depend on the number of possible partitions that can be created on your model of HSM.

2. List the slots to see that the HSM is no longer zeroized.

slot list

lunacm:>slot list
 
        Slot Id ->              103
        Label ->                myPCIeHSM
        Serial Number ->        532018
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           L3 Device
 
 
        Current Slot Id: 103
 
 
Command Result : No Error
 

3. Log in as the HSM Security Officer.

role login -name SO

lunacm:>role login -n so
 
        Please attend to the PED.
 

Respond to Luna PED prompts...

Command Result : No Error
 

4. Create an application partition. You can specify a slot to be used for the current session by specifying the -slot option. Slots will be reordered the next time you restart LunaCM. Note that the HSM administrative partition is always the highest-numbered slot.

partition create

lunacm:> partition create
 
Command Result : No Error
 

5. Verify the slot occupied by the new, empty, application partition, and check the currently active slot.

slot list

lunacm:>slot list
 
        Slot Id ->              3
        Label ->
        Serial Number ->        1238700701509
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot
 
        Slot Id ->              103
        Label ->                myPCIeHSM
        Serial Number ->        532018
        Model ->                Luna K7
        Firmware Version ->     7.0.1
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Configuration ->    Luna HSM Admin Partition (PED)
        HSM Status ->           L3 Device
 
 
        Current Slot Id: 103
 
Command Result : No Error
 

6. The HSM SO now informs the intended Partition SO:

a. The newly created, empty application partition is ready

b. How to access the partition

This concludes the HSM SO's actions for a partition. Further action in the new partition must be initiated by the Partition SO, who takes over responsibility as the chief authority of that partition. The HSM SO has no visibility into the new partition.
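
The checks in steps 2 and 5 can be scripted against saved slot list output before handing the partition over. The following is an added example, not SafeNet code: it parses text copied from the LunaCM session (the sample is abridged from the step 5 output above) and reports any deviation from the state this procedure should leave behind. The function names are hypothetical, and treating the admin partition as the expected current slot is an assumption based on the step 5 output.

```python
import re

# Sample input: abridged from the step 5 `slot list` output on this page.
SLOT_LIST = """\
        Slot Id ->              3
        Label ->
        Configuration ->        Luna User Partition With SO (PED) Signing With Cloning Mode
        Slot Description ->     User Token Slot

        Slot Id ->              103
        Label ->                myPCIeHSM
        Configuration ->        Luna HSM Admin Partition (PED) Signing With Cloning Mode
        Slot Description ->     Admin Token Slot
        HSM Status ->           L3 Device

        Current Slot Id: 103
"""

def parse_slot_list(text):
    """Return (list of per-slot field dicts, current slot id or None)."""
    slots, current = [], None
    for line in text.splitlines():
        cur = re.match(r"\s*Current Slot Id:\s*(\d+)", line)
        field = re.match(r"\s*(.+?)\s*->\s*(.*)$", line)
        if cur:
            current = int(cur.group(1))
        elif field:
            if field.group(1) == "Slot Id":
                slots.append({})  # each "Slot Id" line starts a new slot
            if slots:
                slots[-1][field.group(1)] = field.group(2).strip()
    return slots, current

def check_after_create(text):
    """List deviations from the state expected after step 5 (empty list = OK)."""
    slots, current = parse_slot_list(text)
    admin = [s for s in slots if s.get("Slot Description") == "Admin Token Slot"]
    user = [s for s in slots if s.get("Slot Description") == "User Token Slot"]
    if len(admin) != 1:
        return ["expected exactly one admin partition, found %d" % len(admin)]
    problems = []
    if "Zeroized" in admin[0].get("HSM Status", ""):
        problems.append("HSM is still zeroized: hsm init has not completed")
    if int(admin[0]["Slot Id"]) != max(int(s["Slot Id"]) for s in slots):
        problems.append("admin partition is not the highest-numbered slot")
    if current != int(admin[0]["Slot Id"]):  # assumption: SO stays on the admin slot
        problems.append("current slot is not the admin partition")
    if not user:
        problems.append("no application partition slot is listed")
    problems += ["slot %s is not PED-authenticated" % s["Slot Id"]
                 for s in admin + user if "(PED)" not in s.get("Configuration", "")]
    return problems
```

An empty result means the output matches steps 2 and 5: the HSM is initialized, the admin partition holds the highest slot number, and a PED-authenticated application partition is listed.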

Go to Initialize the Partition SO and Crypto Officer Roles on a PED-Auth Partition.