FM Samples

There are three sample FMs provided with the Luna FM SDK package:

>Sample: skeleton

>Sample: pinenc:

>Sample: wrap-comp:

NOTE   Sample FMs are distributed with the Luna FM SDK package. They have a similar file layout.

Each of the FM samples is structured in a similar way. Each sample directory contains:

Within the FM directory are files like these:

Within the host directory are files like this:

The samples are built using gnu make and the provided Makefiles. When working on a platform that has a native gnu make, such as Linux, you can use the system make command.  (For Windows, consider nmake.)

>Production build, no debug information in binaries:
make

>Production build, with debug information in binaries and optimization turned off:
make DEBUG=1

Binary files generated by the above variants are placed in different directories. The directory names used are:

Host Binary files generated by the above variants are placed in different directories. The directory names used are:

The binaries generated from each variant can be deleted using the target ‘clean’.

make DEBUG=1 clean

Signing FM Images

The build scripts generate the unsigned FM binary image when the HSM builds are performed. The binary images are named ‘<samplename>.bin’. Since these images are not signed yet, it is not possible to load them into the HSM. To use the key management scheme (using self-signed FM certificates), follow the steps listed below:

1.Generate the key pair on the Admin token. Execute:

cmu generatekeypair -slot <adminslot> -password <userpin> -label <fmsign> -keytype <rsa> -sign <true> -verify <true> -modulusbits <2048>

This will generate a 2048 bit RSA key pair. The minimum key size for FM signing should be 2048 bits.

2.To obtain the handles of the new key objects. Execute:

cmu list -slot <adminslot> -password <userpin> -handle -class -label <fmsign>

3.To make a self signed certificate, execute:

cmu selfsigncertificate -slot <adminslot> -password <userpin> -publichandle <pubkeyhd1> -privatehandle <prikeyhd1> -label <fmcert> -cn <fmcert>

4.Now, the binary image can be signed using mkfm. In the directory where the binary image is generated, execute:

mkfm -k SLOTID=<adminslot>/<fmsign> -f<sampleN.bin> -osampleN.fm

where “<adminslot>” is the slot id where the signing key is located and <fmsign> is the label of the private signing key that was previously generated and <sampleN> is the binary image of the sample FM being signed. This will generate a signed FM binary image, named “sampleN.fm”. This command requires the user password of the HSM partition to be entered.

5. Export the self-signed certificate to a file:

/usr/safenet/lunaclient/bin/cmu export -slot <slot> -password <userpin> -label <fmcert label> -outputfile=<fmcert.cert> 

6.Exit from all cryptoki applications that are still active, and load the FM image into the HSM.

     For Luna PCIe HSM

Execute this command:

ctfm i -p <password> -k SLOTID=<adminslot>/<fmcert> -f <sampleN.fm>

where <fmcert> is the name of the certificate in Admin Token used to verify the FM binary image integrity.

The load operation can be checked by executing the command:

ctfm q

and ensuring that the FM name is correct, and the FM status is “Loaded”.

     For Luna Network HSM

Log in via Luna Shell, with hsm login and execute:

hsm fm load -certFile <filename> -fmFile <filename>

The load operation can be checked by executing the command:

hsm fm status

7.Copy the exported certificate file to the host of the HSM that is to use the FM. If the destination is a Luna Network HSM, use pscp or scp:  

scp <fmcert.cert> admin@<hostname-or-ip-of-appliance>:

8.To enable the newly signed FM you must restart the HSM.

hsm restart

PATH=C:\Program Files\SafeNet\LunaClient\

LD_LIBRARY_PATH=C:\Program Files\SafeNet\LunaClient\