Setup

FM developers should ensure that their development environment is configured correctly and that all required files and library locations are set. This section is provided as a guideline for setting up the development environment so that required files can be accessed during the FM compile and link routines.

Environment Variables

The build scripts use the following environment variables:

FMSDK: Specifies the installed location of the Luna FM SDK package if it is not installed in the default location.

Software Installation

Refer to the installation guide for hardware and software installation instructions. See SafeNet Luna HSM Client Software Installation.

Install all device drivers and Luna Client software.

If the server is to be used for FM creation, install the following:

>eldk-5.6.fm package

>Luna FM SDK package

All servers also need to install:

>Luna FM Tools package

Requirements

The Luna FM SDK package provides the tools and sources that allow a developer to create and sign an FM and to load that FM into a compliant HSM.

Creating an FM:

A Linux operating system is required to perform the FM build.

For a list of supported platforms see the Customer Release Notes at the Gemalto Support Portal.

Signing an FM:

To sign an FM you can use mkfm. This tool requires a PKCS#11 implementation capable of a 2048-bit CKM_SHA512_RSA_PKCS signature operation. Any Luna HSM would be suitable for this purpose, but a smart card or other type of HSM would also suffice.
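A preflight check for the signing requirement above, as an added example that is not part of the Luna FM SDK or its documentation. It assumes the mechanism listing comes from OpenSC's pkcs11-tool (--list-mechanisms), which prints CKM_SHA512_RSA_PKCS as SHA512-RSA-PKCS; the function name, exit codes and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Luna SDK code): check a PKCS#11 mechanism listing for the
# 2048-bit CKM_SHA512_RSA_PKCS signing capability that mkfm requires.
# Assumed input format: OpenSC "pkcs11-tool --module <lib> --list-mechanisms",
# which names the mechanism SHA512-RSA-PKCS.
# Reads the listing on stdin. Exit status:
#   0 suitable            1 mechanism not offered
#   2 offered, no "sign"  3 2048 bits not confirmed within the keySize range
fm_signing_check() {
    awk -v want="SHA512-RSA-PKCS" -v bits=2048 '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop the listing indent
            n = split(line, f, /, /)          # fields are separated by ", "
            if (f[1] != want) next
            found = 1
            for (i = 2; i <= n; i++) {
                if (f[i] == "sign") can_sign = 1
                if (f[i] ~ /^keySize=/) {
                    r = f[i]
                    gsub(/[^0-9,]/, "", r)    # "keySize={256,8192}" -> "256,8192"
                    split(r, k, ",")
                    if (k[1] + 0 <= bits && bits <= k[2] + 0) size_ok = 1
                }
            }
        }
        END {
            if (!found)    exit 1
            if (!can_sign) exit 2
            if (!size_ok)  exit 3
        }'
}

# Constructed sample listings, not captured from a real token.
SAMPLE_SUITABLE='Supported mechanisms:
  RSA-PKCS, keySize={256,8192}, hw, encrypt, decrypt, sign, verify
  SHA512-RSA-PKCS, keySize={256,8192}, hw, sign, verify'
SAMPLE_SMALL_KEYS='Supported mechanisms:
  SHA512-RSA-PKCS, keySize={512,1024}, sign, verify'
SAMPLE_VERIFY_ONLY='Supported mechanisms:
  SHA512-RSA-PKCS, keySize={1024,4096}, verify'

for s in "$SAMPLE_SUITABLE" "$SAMPLE_SMALL_KEYS" "$SAMPLE_VERIFY_ONLY"; do
    rc=0
    printf '%s\n' "$s" | fm_signing_check || rc=$?
    echo "fm_signing_check exit status: $rc"
done
```

Against a real token, pipe the tool's listing into the function: pkcs11-tool --module <library> --list-mechanisms | fm_signing_check. A listing that omits keySize for the mechanism is reported as status 3, since the 2048-bit requirement cannot be confirmed from it.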

Compliant HSM:

You can use the Luna FM SDK package to develop FMs for the SafeNet HSMs that were introduced in release 7.4. A SafeNet Luna Network HSM or PCIe HSM with the capability to host FMs is required.

Before any FM can be loaded, the HSM must have the FM capability configured. The ctfm utility will report if the HSM is not configured for FMs.

HSM Recovery:

If an HSM becomes unresponsive due to a malformed or buggy FM being loaded, then the HSM needs to be restored by erasing the FM.

For Luna PCIe HSMs, see fmrecover.