Recovering the HSM After FM Failure
In the event that an FM bug causes problems on the HSM, such as halting the HSM or other functionality issues, the HSM SO can take steps to recover the HSM. If you have important FM key objects stored in the Secure Memory File System (SMFS), you may be able to regain access to them. If you encounter issues with FM functionality, try the following before you proceed with recovery operations:
1.Debug your FM code. Build and sign the FM (Building and Signing an FM), and attempt to load it onto the HSM (Loading an FM Into the HSM Firmware). Loading an updated FM with the same FM ID will erase the old version and replace it.
2.If this does not fix the problem, or you are unable to load the patched FM, delete the old FM first (Deleting an FM From the HSM Firmware).
3.If this does not work, continue to the recovery procedure below.
Prerequisites
>Try the methods above before continuing. If you are running multiple FMs, it may be simpler to delete and replace the one that is causing the issue.
To recover the HSM after FM failure
1.Erase all FMs currently loaded on the HSM. This will leave the SMFS intact and preserve any key material you may have stored there. You must specify the SafeNet Luna PCIe HSM device node:
fmrecover --fm <K7_node>
You may now attempt to load a patched version of your FM that addresses the cause of the issue. If this does not resolve the problem, continue to step 2.
2.Erase the SMFS.
CAUTION! This will erase any cryptographic objects you have stored in the SMFS. If this is important key material, erasing the SMFS is a last resort to restore HSM functions.
fmrecover --smfs <K7_node>
3.Load your patched FM and restart the SMFS (see Loading an FM Into the HSM Firmware).
