Network HSM Appliance BIOS and BMC Firmware Update Patch

CAUTION!   Before updating to appliance 7.7.0, you must install lunasa-reboot-patch-3.spkg first. The package is bundled with the Luna Network HSM 7.7.0 update package, and prevents an intermittent appliance boot issue that could have serious consequences if it occurred during a firmware update procedure.

Patch Contents

The file contains the following:

> lunasa-bios-update-1.0.0-3.auth

> lunasa-bios-update-1.0.0-3.spkg

> README

Purpose of the lunasa-reboot-patch

The Luna Network HSM Appliance can intermittently fail to reboot. This update provides

>a new BIOS version ATLAS070 and

>a new Baseboard Management Controller (BMC) firmware 7.00

that are applied to the appliance motherboard, along with

>updates to Luna appliance services to ensure proper shutdown of those services

that are applied to the software of Luna Network HSM appliances, to fix the reboot issue.

The package is bundled with the Luna Network HSM 7.7.0 update package, and this update MUST be uploaded and installed before updating to Appliance Software 7.7.0.

Target

Luna Network HSM running Software 7.0.0 to 7.4.0.

Considerations before you start  

> For Luna versions 7.0 - 7.4 (irrespective of firmware version), you need to deploy this BIOS/BMC patch.

>For a re-imaged unit, the patch MUST be applied again.

>For Luna Network HSM appliances that are on versions PRIOR to 7.3:

If you apply the patch and THEN upgrade to a version prior to 7.3, you overwrite some of the patch updates, and must re-apply the patch.

For example:

Your Luna Network HSM is on appliance software version Luna 7.1 with the contained HSM at firmware version 7.X and you apply the patch.

If you then upgrade to appliance software Luna 7.2 and HSM firmware 7.X, this overwrites the changes made to the services - and thus the patch must be re-applied.

>Upgrading the BIOS and BMC firmware is persistent and will not change after appliance reimage or software upgrade.  

>It is safe to apply the patch again; it will not reinstall BIOS or BMC firmware.
It only cleans up some services if they have been overwritten by appliance reimage or software upgrade.

Expected Warnings

Depending on the version of the Luna appliance to which the patch is applied, some of the services being removed might already have been cleaned up. In that case, a warning message like the following can be ignored:

"28...warning: file /etc/systemd/system/lcdController-shutdown.service: remove failed: No such file or directory."

Instructions

Before starting, review the Troubleshooting section at the end of this page.

Disconnect all clients from the current appliance, before installing this package.

CAUTION!    

Back up your partitions before upgrading the appliance BIOS.

Do not interrupt the update, power off, or reboot the system while the BIOS upgrade is in progress; doing so might leave the system in an unrecoverable state, requiring return to Thales.

1. Securely copy lunasa-bios-update-1.0.0-3.spkg to the Luna Network HSM (use scp, PSCP, or similar).

2. Log in to LunaSH on the appliance as admin, and run the following commands to upgrade the BIOS:

a. lunash:>hsm login

b. lunash:>package update lunasa-bios-update-1.0.0-3.spkg -authcode <content of lunasa-bios-update-1.0.0-3.auth>

NOTE   Updating the BMC firmware and the BIOS takes about 15 minutes to complete. Do not interrupt the update or reboot the system before the update-completed messages are displayed.

During the patch process you should see progress messages that the BIOS has been upgraded to version 070:

Upgrading the BIOS from 061 to 070: started  
Upgrading the BIOS from 061 to 070: completed  

as well as messages that the BMC firmware has been upgraded to version 7.00:

Upgrading the BMC firmware from 6.01 to 7.00: started  
Upgrading the BMC firmware from 6.01 to 7.00: completed  

CAUTION!   Reboot the appliance ONLY if the BIOS and BMC Firmware updated successfully, otherwise contact Thales Customer Support for assistance.

You can search for "Upgrading the BIOS" or "Upgrading the BMC firmware" in the syslog log file before or after reboot.

lunash:>syslog tail -logname messages -entries 10000 -search "Upgrading"

c. lunash:>sysconf appliance reboot

The Luna Network HSM will use BIOS ATLAS070 after reboot.

3. Verify that the BIOS has been upgraded to version ATLAS070.

a. Find the current BIOS version for Luna Network HSM software version 7.3.0 to 7.4.0

Look in the 'messages' log files after reboot:

        
       lunash:>syslog tail -logname messages -entries 200000 -search "ATLAS"

You should see the following message:

       kern info  kernel: DMI: AIC OB111-AN/ANTLIA, BIOS ATLAS070 10/25/2017 

'ATLAS070' is the BIOS version and '05/14/2019' is the BIOS release date.

b. Alternatively, find the current BIOS version for Luna Network HSM software version 7.0.0 to 7.4.0

View the 'dmesg' log files after reboot:

    lunash:>syslog tarlogs 

Securely copy 'logs.tgz' from the Luna Network HSM (use scp, PSCP, or similar) to another machine.

Extract the 'dmesg' file from 'logs.tgz'. Search for "ATLAS" in the 'dmesg' file; you should find the following message:

               
               DMI: AIC OB111-AN/ANTLIA, BIOS ATLAS070 05/14/2019 

'ATLAS070' is the BIOS version and '05/14/2019' is the BIOS release date.

NOTE   The 'dmesg' log file is created after reboot and it always shows the current BIOS version. The 'dmesg.old' in the 'logs.tgz' is from the previous reboot. You can find the previous BIOS version in the 'dmesg.old' file.

CAUTION!   Reboot the appliance ONLY if the BIOS and BMC Firmware updated successfully, otherwise contact Thales Customer Support for assistance.
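The log checks from steps 2 and 3, as an added example that is not part of the vendor documentation: it is meant to run on the machine that received logs.tgz or the saved output of the "Upgrading" search. The function names, the sample log-line prefixes, and the lookup of 'dmesg' by base name inside the archive are assumptions; the message bodies and target versions are the ones shown on this page.

```python
import re
import tarfile

# Target versions installed by this patch, as stated on the page.
EXPECTED = {"BIOS": "070", "BMC firmware": "7.00"}
UPGRADE_RE = re.compile(
    r"Upgrading the (BIOS|BMC firmware) from (\S+) to (\S+): (started|completed)")
DMI_RE = re.compile(r"DMI: .*\bBIOS (ATLAS\d+) (\d{2}/\d{2}/\d{4})")

# Constructed sample text: prefixes are invented, message bodies follow the page.
SAMPLE_OK = """\
hsm patch: Upgrading the BIOS from 061 to 070: started
hsm patch: Upgrading the BIOS from 061 to 070: completed
hsm patch: Upgrading the BMC firmware from 6.01 to 7.00: started
hsm patch: Upgrading the BMC firmware from 6.01 to 7.00: completed
"""
SAMPLE_INTERRUPTED = SAMPLE_OK.rsplit("\n", 2)[0] + "\n"  # BMC never completes
SAMPLE_DMESG = "[    0.000000] DMI: AIC OB111-AN/ANTLIA, BIOS ATLAS070 05/14/2019\n"

def upgrade_state(messages_text):
    """Map each component to 'completed', 'incomplete' or 'not-attempted'."""
    state = {name: "not-attempted" for name in EXPECTED}
    for name, _old, new, phase in UPGRADE_RE.findall(messages_text):
        if new == EXPECTED[name]:  # ignore messages about other versions
            state[name] = "completed" if phase == "completed" else "incomplete"
    return state

def reboot_allowed(messages_text):
    """Reboot gate: both BIOS and BMC must show a 'completed' message."""
    return all(s == "completed" for s in upgrade_state(messages_text).values())

def bios_from_dmesg(dmesg_text):
    """Return (version, release_date) from the kernel DMI line, or None."""
    match = DMI_RE.search(dmesg_text)
    return match.groups() if match else None

def bios_from_tarball(tgz_path, member="dmesg"):
    """Find 'dmesg' (or 'dmesg.old') by base name in logs.tgz and parse it."""
    # Members are read in memory; nothing from the archive is written to disk.
    with tarfile.open(tgz_path, "r:gz") as tar:
        for info in tar:
            if info.isfile() and info.name.rsplit("/", 1)[-1] == member:
                text = tar.extractfile(info).read().decode("utf-8", "replace")
                return bios_from_dmesg(text)
    return None

if __name__ == "__main__":
    print(upgrade_state(SAMPLE_INTERRUPTED), reboot_allowed(SAMPLE_INTERRUPTED))
    print(bios_from_dmesg(SAMPLE_DMESG))
```

A 'not-attempted' result only means no matching message was in the text supplied; compare `bios_from_tarball(path)` with `bios_from_tarball(path, "dmesg.old")` to see the BIOS version before and after the reboot.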

Troubleshooting

If upgrading the BIOS or BMC firmware fails, do not reboot or power off the appliance. Take a picture of the screen and send it along with the log files for further instructions.

> lunash:>syslog tarlogs  

>Using SCP, PSCP or similar tools, copy logs.tgz from the Luna Network HSM appliance to another machine  

>Send the screen picture and logs.tgz to Thales support team.

You can see the patch log file at:

/var/log/reboot-patch-[Timestamp].log