Loading an FM Into the HSM Firmware

A signed FM must be loaded into the HSM firmware to provide new functionality. The HSM SO can load FMs using the ctfm tool provided with the SafeNet Luna HSM Client software and the following procedure.

Prerequisites

>Your HSM must meet the criteria described in Preparing the SafeNet Luna PCIe HSM to Use FMs.

>HSM policy 50: Allow Functionality Modules must be enabled.

>HSM policy 51: Enable SMFS Auto Activation must be enabled, if you intend to use auto-activation (recommended). Changing this policy later will erase all partitions and installed FMs.

>Ensure that all destructive policies are set before you load FMs into the HSM firmware. Any change of a destructive policy will erase all loaded FMs.

>The FM must be signed as described in Building and Signing an FM, using the Luna HSM Client 7.4 or higher. FMs built using the Luna 7.0.4 Tech Preview release are not compatible with this Luna version.

>You require the FM signing certificate. If you have previously loaded an FM signed by the same key, the correct certificate is already present in the HSM Admin partition.

NOTE   If you load an FM with the same FM ID as an already-loaded FM, it is considered an update, and replaces the existing FM.

To load an FM into the HSM firmware

1.Use ctfm on the SafeNet Luna PCIe HSM host workstation to load the FM, specifying filepaths for the FM and the signing certificate. If you have previously loaded an FM signed by the same private key, the certificate is already stored on the HSM Admin partition, and you only need to specify the certificate label. If you have more than one SafeNet Luna PCIe HSM installed, specify the Admin partition slot number for the desired HSM. You are prompted for the HSM SO credential.

ctfm i -f <filepath/fm_filename>.fm {-c <filepath/cert_filename>.cert | -l <stored_cert_label>} [-s <slot_number>]

2.Reset the HSM.

lunareset <dev_path>

lunacm:> hsm restart

NOTE   If you have FMs loaded, you must restart the HSM whenever you perform any of the following operations:

>create a new partition (even if it has the same slot number as a recently-deleted partition),

>make a destructive change like re-initializing or zeroizing the HSM, or changing a destructive policy.

You will be unable to use the loaded FMs with new partitions until you restart the HSM. Use lunacm:> hsm restart or the lunareset utility.

3.Activate the Secure Memory File System (SMFS). You are prompted for the HSM SO credential.

ctfm a

4.[Optional] Confirm the FM status.

ctfm q


Customer Support Portal

SafeNet Luna PCIe HSM 7.4 Product Documentation  13 December 2019  Copyright 2001-2019 Thales. All rights reserved.