Setting SafeNet Luna PCIe HSM Policies, PED-authenticated
HSM Capabilities represent the underlying factory configurations of the HSM. HSM Policies are the settings based on those configuration elements, and can be modified by the HSM Security Officer (SO). If a Capability is turned off (disabled), then it cannot be switched on with a Policy setting. Only re-manufacturing or the application of a Secure Capability Update can enable a Capability. If a Capability is enabled, then the SO may be able to alter it with a Policy change, but only to make it more restrictive. The SO cannot make a Capability less restrictive.
In most cases, Configurations and Policies are either off or on (disabled or enabled, where 0 [zero] equals off/disabled and 1 [one] equals on/enabled), but some involve a range of values.
Example Policy Change Procedure
In this example, we show the initial values of the HSM Capabilities and their corresponding Policies, then we change one Policy, and show the values again. The settings you would see for a password-authenticated HSM and a PED-authenticated HSM might differ slightly, but the general principle and the operation of policy change are the same.
1. First, for this example, display the basic HSM information.
lunacm:>hsm showinfo
Partition Label -> myPCIeHSM
Partition Manufacturer -> Gemalto
Partition Model -> Luna K7
Partition Serial Number -> 123456
Partition Status -> L3 Device
HSM Part Number -> 808-000048-002
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
RPV Initialized -> No
Slot Id -> 103
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 00000000000000001b030100
Partition Storage:
Total Storage Space: 393216
Used Storage Space: 0
Free Storage Space: 393216
Object Count: 4
Overhead: 9640
*** The HSM is NOT in FIPS 140-2 approved operation mode. ***
Firmware Version -> 7.0.1
Rollback Firmware Version -> Not Available
Environmental:
Fan 1 Status : active
Fan 2 Status : active
Battery Voltage : 3.093 V
Battery Warning Threshold Voltage : 2.750 V
System Temp : 34 deg. C
System Temperature Warning Threshold : 75 deg. C
HSM Storage:
Total Storage Space: 33554432
Used Storage Space: 0
Free Storage Space: 33554432
Allowed Partitions: 100
Number of Partitions: 0
License Count -> 8
1. 621000153-000 K7 base configuration
2. 621010185-003 Key backup via cloning protocol
3. 621000046-002 Maximum 100 partitions
4. 621000134-002 Enable 32 megabytes of object storage
5. 621000135-002 Enable allow decommissioning
6. 621000021-002 Maximum performance
7. 621000138-001 Controlled tamper recovery
8. 621000154-001 Enable decommission on tamper with policy off
9. 621000145-002 Enable PED authentication with M of N
10. 621010089-002 Enable remote PED capability
Command Result : No Error
Note the message stating that the HSM is not in FIPS 140-2 approved operation mode. This is a condition that we are about to change for the purpose of providing an example; you do not need to make this particular change unless your organization's security policy calls for it.
2. Now display the controlling policies as they currently exist on the HSM.
lunacm:>hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 1
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 1
27: HSM non-volatile storage space : 33554432
30: Enable unmasking : 1
33: Maximum number of partitions : 100
35: Enable Single Domain : 0
36: Enable Unified PED Key : 0
37: Enable MofN : 0
38: Enable small form factor backup/restore : 0
39: Enable Secure Trusted Channel : 1
40: Enable decommission on tamper : 1
42: Enable partition re-initialize : 0
43: Enable low level math acceleration : 1
45: Enable Fast-Path : 0
46: Allow Disabling Decommission : 1
47: Enable Tunnel Slot : 0
48: Enable Controlled Tamper Recovery : 1
HSM Policies
0: PIN-based authentication : 0
1: PED-based authentication : 1
6: Allow masking : 0
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 0
16: Allow network replication : 1
21: Force user PIN change after set/reset : 1
22: Allow offboard storage : 1
23: Allow partition groups : 0
25: Allow remote PED usage : 1
30: Allow unmasking : 1
33: Current maximum number of partitions : 100
35: Force Single Domain : 0
36: Allow Unified PED Key : 0
37: Allow MofN : 0
38: Allow small form factor backup/restore : 0
39: Allow Secure Trusted Channel : 0
40: Decommission on tamper : 0
42: Allow partition re-initialize : 0
43: Allow low level math acceleration : 1
45: Allow Fast-Path : 0
46: Disable Decommission : 0
47: Allow Tunnel Slot : 0
48: Do Controlled Tamper Recovery : 1
Command Result : No Error
3. For this example, to change an HSM Policy setting, you must provide the number that identifies the Policy and then the value for the desired state. First log in to the HSM as SO using Luna PED (Luna PED must be connected and ready before you log in; for a password-authenticated HSM the password is needed instead, and no PED is involved). Then type the hsm changehsmpolicy command:
lunacm:>role login -name so
Please attend to the PED.
NOTE At this time, you must respond to the prompts on the Luna PED screen.
Command Result : No Error
lunacm:>hsm changehsmpolicy -policy 12 -value 0
You are about to change a destructive HSM policy.
All partitions of the HSM will be destroyed.
Are you sure you wish to continue?
Type 'proceed' to continue, or 'quit' to quit now ->proceed
Command Result : No Error
LunaCM v7.0.0. Copyright (c) 2006-2017 SafeNet.
Available HSMs:
Slot Id -> 103
Label -> myPCIeHSM
Serial Number -> 123456
Model -> Luna K7
Firmware Version -> 7.0.1
Configuration -> Luna HSM Admin Partition (PED) Signing With Cloning Mode
Slot Description -> Admin Token Slot
HSM Configuration -> Luna HSM Admin Partition (PED)
HSM Status -> L3 Device
Current Slot Id: 103
lunacm:>hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
2: Performance level : 15
4: Enable domestic mechanisms & key sizes : 1
6: Enable masking : 0
7: Enable cloning : 1
9: Enable full (non-backup) functionality : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
16: Enable network replication : 1
17: Enable Korean Algorithms : 0
18: FIPS evaluated : 0
19: Manufacturing Token : 0
21: Enable forcing user PIN change : 1
22: Enable offboard storage : 1
23: Enable partition groups : 0
25: Enable remote PED usage : 1
27: HSM non-volatile storage space : 33554432
30: Enable unmasking : 1
33: Maximum number of partitions : 100
35: Enable Single Domain : 0
36: Enable Unified PED Key : 0
37: Enable MofN : 0
38: Enable small form factor backup/restore : 0
39: Enable Secure Trusted Channel : 1
40: Enable decommission on tamper : 1
42: Enable partition re-initialize : 0
43: Enable low level math acceleration : 1
45: Enable Fast-Path : 0
46: Allow Disabling Decommission : 1
47: Enable Tunnel Slot : 0
48: Enable Controlled Tamper Recovery : 1
HSM Policies
0: PIN-based authentication : 0
1: PED-based authentication : 1
6: Allow masking : 0
7: Allow cloning : 1
12: Allow non-FIPS algorithms : 0
15: SO can reset partition PIN : 0
16: Allow network replication : 1
21: Force user PIN change after set/reset : 1
22: Allow offboard storage : 1
23: Allow partition groups : 0
25: Allow remote PED usage : 1
30: Allow unmasking : 1
33: Current maximum number of partitions : 100
35: Force Single Domain : 0
36: Allow Unified PED Key : 0
37: Allow MofN : 0
38: Allow small form factor backup/restore : 0
39: Allow Secure Trusted Channel : 0
40: Decommission on tamper : 0
42: Allow partition re-initialize : 0
43: Allow low level math acceleration : 1
45: Allow Fast-Path : 0
46: Disable Decommission : 0
47: Allow Tunnel Slot : 0
48: Do Controlled Tamper Recovery : 1
Command Result : No Error
lunacm:>hsm showinfo
Partition Label -> myLunaHSM
Partition Manufacturer -> Gemalto
Partition Model -> Luna K7
Partition Serial Number -> 532018
Partition Status -> L3 Device
HSM Part Number -> 808-000048-002
Token Flags ->
CKF_RESTORE_KEY_NOT_NEEDED
CKF_TOKEN_INITIALIZED
RPV Initialized -> Not Supported
Slot Id -> 103
Session State -> CKS_RW_PUBLIC_SESSION
Role Status -> none logged in
Token Flags ->
TOKEN_KCV_CREATED
Partition OUID: 00000000000000001b030100
Partition Storage:
Total Storage Space: 393216
Used Storage Space: 0
Free Storage Space: 393216
Object Count: 4
Overhead: 9640
*** The HSM is in FIPS 140-2 approved operation mode. ***
Note in the above example that HSM Capability "12: Enable non-FIPS algorithms : 1" still has a value of 1 (meaning that it remains enabled), but the associated Policy "12: Allow non-FIPS algorithms : 0" now has a value of 0 (meaning that it has been disallowed by the SO). Note also that the message in the hsm showinfo output now says "*** The HSM is in FIPS 140-2 approved operation mode. ***" because the HSM is now restricted to using only FIPS-approved algorithms.
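The three steps above are typed into lunacm, but the before/after captures they produce are worth checking mechanically whenever policies are changed on a production HSM. The following Python script is an added example, not part of this page or of the SafeNet tools: it parses hsm showpolicies output (an excerpt of the captures above, embedded as a constructed sample), checks that no Policy is set above what its Capability permits (the rule stated at the top of the page; applying the same numeric comparison to ranged values such as the maximum number of partitions is an assumption), and diffs two captures to list which Policies changed, flagging Policy 12 as destructive because that is the warning lunacm prints for it on this page.

```python
"""Audit helper for lunacm `hsm showpolicies` captures (added example, not
vendor code). Parses the Capabilities and Policies tables, checks that no
Policy is set less restrictively than its Capability allows, and diffs two
captures so a policy change (or unexpected drift) can be reviewed."""
import re

# One row of either table: "<number>: <label> : <value>"
ROW_RE = re.compile(r"^\s*(\d+):\s*(.+?)\s*:\s*(\d+)\s*$")

# Policies for which lunacm warns that the change is destructive (the HSM is
# zeroized). Only policy 12 is shown on this page; the product documentation
# lists the others.
DESTRUCTIVE_POLICIES = {12}

# Excerpt of the "before" capture from the page (constructed sample; only a
# subset of rows is kept to stay short).
BEFORE = """\
lunacm:>hsm showpolicies
HSM Capabilities
0: Enable PIN-based authentication : 0
1: Enable PED-based authentication : 1
12: Enable non-FIPS algorithms : 1
15: Enable SO reset of partition PIN : 1
33: Maximum number of partitions : 100
39: Enable Secure Trusted Channel : 1
46: Allow Disabling Decommission : 1
HSM Policies
0: PIN-based authentication : 0
1: PED-based authentication : 1
12: Allow non-FIPS algorithms : 1
15: SO can reset partition PIN : 0
33: Current maximum number of partitions : 100
39: Allow Secure Trusted Channel : 0
46: Disable Decommission : 0
Command Result : No Error
"""

# "After" capture: identical except Policy 12 is now 0, as on the page.
AFTER = BEFORE.replace("12: Allow non-FIPS algorithms : 1",
                       "12: Allow non-FIPS algorithms : 0")


def parse_showpolicies(text):
    """Return (capabilities, policies): dicts of number -> (label, value)."""
    caps, pols, current = {}, {}, None
    for line in text.splitlines():
        heading = line.strip()
        if heading == "HSM Capabilities":
            current = caps
        elif heading == "HSM Policies":
            current = pols
        elif current is not None:
            m = ROW_RE.match(line)
            if m:
                current[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return caps, pols


def check_consistency(caps, pols):
    """Return a list of problems. A Policy with no matching Capability, or a
    Policy value above its Capability value (an on/off Policy of 1 under a
    Capability of 0, or a ranged value above the Capability maximum),
    contradicts the model described on the page and points to a corrupted or
    mis-transcribed capture."""
    problems = []
    for num, (label, value) in pols.items():
        if num not in caps:
            problems.append(f"policy {num} ({label}) has no capability")
        elif value > caps[num][1]:
            problems.append(f"policy {num} ({label}) = {value} exceeds "
                            f"capability {caps[num][1]}")
    return problems


def diff_policies(old, new):
    """List (number, label, old_value, new_value, destructive) for every
    Policy whose value differs between two captures."""
    changes = []
    for num in sorted(set(old) | set(new)):
        before = old.get(num, (None, None))[1]
        after = new.get(num, (None, None))[1]
        if before != after:
            label = (new.get(num) or old.get(num))[0]
            changes.append((num, label, before, after,
                            num in DESTRUCTIVE_POLICIES))
    return changes


def fips_mode_implied(pols):
    """True when Policy 12 (Allow non-FIPS algorithms) is 0; on this page that
    is the change that put the HSM into FIPS 140-2 approved mode (assumption:
    no other factors are considered here)."""
    return pols.get(12, ("", 1))[1] == 0


if __name__ == "__main__":
    caps_b, pols_b = parse_showpolicies(BEFORE)
    caps_a, pols_a = parse_showpolicies(AFTER)
    for problem in check_consistency(caps_b, pols_b) + check_consistency(caps_a, pols_a):
        print("INCONSISTENT:", problem)
    for num, label, old, new, destructive in diff_policies(pols_b, pols_a):
        flag = "  <-- destructive: HSM zeroized, re-initialize and restore" if destructive else ""
        print(f"policy {num} ({label}): {old} -> {new}{flag}")
    print("FIPS mode implied after change:", fips_mode_implied(pols_a))
```

Run it against captures saved before and after a change, or periodically against a known-good capture, so that any Policy that moved shows up as a diff line; an INCONSISTENT line means the capture itself is suspect and should be re-taken before acting on it.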
Destructive Change of HSM Policy
The above example is a change to a destructive policy. This means that if you apply this policy change, the HSM is zeroized and all contents are lost. For this reason, you are prompted to confirm that this is what you really wish to do. You must then re-initialize the HSM.
While this is not an issue when you have just initialized an HSM, it may be a very important consideration if your SafeNet Luna HSM has been in a "live" or "production" environment and contains useful or important data, keys, or certificates.
Backup any important HSM or partition contents before making any destructive policy change, and then restore from backup after the HSM is re-initialized and the partition re-created.