Loading an FM Into the HSM Firmware
A signed FM must be loaded into the HSM firmware to provide new functionality. The HSM SO can load FMs using
NOTE A certificate used to sign an FM must have attribute CKA_PRIVATE set as true.
If an existing certificate has Private=F, you can use the CMU tool to export that cert, then re-import it while setting -private=T.
Or, if the partition retains the FM signing keypair, you can run cmu selfsigncertificate again to re-create the certificate, this time setting -private=T explicitly.
Prerequisites
>Your HSM must meet the criteria described in Preparing the Luna PCIe HSM to Use FMs.
>HSM policy 50: Allow Functionality Modules must be enabled.
>HSM policy 51: Enable SMFS Auto Activation must be enabled, if you intend to use auto-activation (recommended). Changing this policy later will erase all partitions and installed FMs.
>Ensure that all destructive policies are set before you load FMs into the HSM firmware. Any change of a destructive policy will erase all loaded FMs.
>The FM must be signed as described in Building and Signing an FM, using the Luna HSM Client 7.4 or higher. FMs built using the Luna 7.0.4 Tech Preview release are not compatible with this Luna version.
>You require the FM signing certificate. If you have previously loaded an FM signed by the same key, the correct certificate is already present in the
NOTE If you load an FM with the same FM ID as an already-loaded FM, it is considered an update, and replaces the existing FM.
To load an FM into the HSM firmware
1.Use ctfm on the Luna PCIe HSM host workstation to load the FM, specifying filepaths for the FM and the signing certificate. If you have previously loaded an FM signed by the same private key, the certificate is already stored on the HSM Admin partition, and you only need to specify the certificate label. If you have more than one Luna PCIe HSM installed, specify the Admin partition slot number for the desired HSM. You are prompted for the HSM SO credential.
ctfm i -f <filepath/fm_filename>.fm {-c <filepath/cert_filename>.cert | -l <stored_cert_label>} [-s <slot_number>]
2.Reset the HSM.
lunareset <dev_path>
lunacm:> hsm restart
NOTE If you have FMs loaded, you must restart the HSM whenever you perform any of the following operations:
>create a new partition (even if it has the same slot number as a recently-deleted partition),
>make a destructive change like re-initializing or zeroizing the HSM, or changing a destructive policy.
You will be unable to use the loaded FMs with new partitions until you restart the HSM. Use
3.Activate the Secure Memory File System (SMFS). You are prompted for the HSM SO credential.
ctfm a
4.[Optional] Confirm the FM status.
ctfm q