FM Deployment Constraints
This section describes important considerations and constraints associated with deploying your Functionality Modules (FMs). Your SafeNet Luna PCIe HSM must meet all the criteria described in Preparing the SafeNet Luna PCIe HSM to Use FMs.
Introducing FMs into your SafeNet Luna PCIe HSM deployment will change the functionality of certain HSM features. Please take the following constraints into consideration before using FMs:
>FMs and High-Availability (HA)
>FMs and Backup/Restore/Cloning
>FMs and HSM Firmware Rollback
>FM Configuration and Remote PED
>FM-Enabled HSM Cannot be Verified With CMU
>No EDDSA or EC_MONTGOMERY Private Keys with C_CreateObject
>FM Sample Applications Dependent on General Cryptoki Samples
CAUTION! Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy.
If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.
FMs and FIPS Mode
FMs change the capabilities of the HSM firmware, adding new cryptographic algorithms or other functions. Since the new functionality is not certified by NIST, no HSM with an FM installed can be considered FIPS-certified.
To be certain that your organization is meeting FIPS requirements, ensure that you are using a FIPS-certified version of the Luna HSM firmware, and that your SafeNet Luna PCIe HSM has the following HSM policy settings:
>HSM policy 12: Allow non-FIPS algorithms: 0
>HSM policy 50: Allow Functionality Modules: 0
For more information about HSM policies, see HSM Capabilities and Policies.
FMs and High-Availability (HA)
FM-specific functions must specify the exact HSM that will handle the operations. Therefore, the SafeNet Luna HSM Client's HA implementation currently cannot accommodate FM functionality. If you want your FM-specific operations to be load-balanced across multiple HSMs, you must program this functionality into your applications yourself.
HA will still work with standard Luna operations.
For HA to function, all HSMs with application partitions in the HA group must have the same algorithms and functionality available. If one member partition does not have a required algorithm available in HSM firmware, cryptographic objects using that algorithm cannot be cloned to that partition, and this will disrupt HA functions.
Therefore, all HSMs containing HA group members must have FMs enabled (as described in Preparing the SafeNet Luna PCIe HSM to Use FMs), and they must all have the same FM(s) loaded. HA login requires two FM-enabled HSMs.
For more information about HA, see High-Availability Groups.
FMs and Backup/Restore/Cloning
It is currently not possible to back up cryptographic material from an FM-enabled SafeNet Luna PCIe HSM to a SafeNet Luna Backup HSM, or to clone those objects to a partition on a non-FM-enabled Luna HSM. To back up your important keys, you must clone key material to another FM-ready or FM-enabled Luna HSM partition, either manually using lunacm:> partition clone or by setting up an HA group.
Similarly, material that has been backed-up from non-FM-enabled HSMs cannot be restored onto an FM-enabled HSM partition.
To back up keys stored in the SMFS, your application must provide all the functions to back up and restore these keys.
FMs and HSM Firmware Rollback
Enabling HSM Policy 50 permanently disables the ability to roll back the HSM firmware to a version lower than 7.4.0. Attempting to roll back the firmware once HSM policy 50 has been enabled will return the following error:
Error in execution: CKR_OPERATION_NOT_ALLOWED.
Command Result : 0x80000030 (CKR_OPERATION_NOT_ALLOWED)
FM Configuration and Remote PED
Various FM functions require HSM resets (for example, creating a partition or enabling an FM).
If you are configuring FMs while authenticating with Remote PED, the Remote PED connection is broken with each reset. LunaCM continues to show an active Remote PED connection until you restart LunaCM. You must close that apparent connection with
This might be required several times during SafeNet Luna PCIe HSM setup for FMs. To prevent this, enable HSM Policy 51: Allow SMFS Auto Activation. If SMFS is not auto-activated, then the SMFS will require further individual PED prompts during the configuration process (SMFS is deactivated upon HSM reset if SMFS auto-activation is off).
NOTE Gemalto recommends that first time configuration of FM's be done locally, to minimize the issues mentioned above.
FM-Enabled HSM Cannot be Verified With CMU
The FM-enabled SafeNet Luna PCIe HSM does not currently support confirming the HSM's authenticity using cmu verifyhsm, as described in Confirm the HSM's Authenticity, or retrieving and confirming a Public Key Confirmation from the HSM using cmu getpkc and cmu verifypkc.
Key Attributes
On an HSM with FMs enabled, keys that are derived or generated have the "always-sensitive" and the "never-extractable" attributes set to "false".
No EDDSA or EC_MONTGOMERY Private Keys with C_CreateObject
This release of the SafeNet Luna PCIe HSM firmware does not allow FMs to use C_CreateObject to create EDDSA or EC_MONTGOMERY private keys. Use C_GenerateKeyPair to create these types of key.
FM Sample Applications Dependent on General Cryptoki Samples
When you install the FM SDK, the installation script ensures that the general Luna (PKCS) SDK and samples are also installed (first). This satisfies source dependencies for the FM samples. If you later delete or remove the Luna SDK, you might break those dependencies, and the FM samples will not build. You can manually correct this by performing a manual rpm -i of the cksample package.
Space for FMs
Multiple FMs can be loaded into the FM space of the HSM, with a total memory limit of
>8 megabytes for FMs and
>4 megabytes of SMFS.
Unused FMs can be deleted, to free some memory space.
