Preparing the Luna PCIe HSM to Use FMs

This section provides information on how to prepare your Luna PCIe HSM to accept Functionality Modules (FMs). FMs require a specific factory configuration, the correct firmware version, a license upgrade, and the correct policy settings, as described below:

>Step 1: Ensure You Have FM-Ready Hardware

>Step 2: Update to Luna HSM Firmware 7.4.0 or Higher

>Step 3: Purchase and Apply the FM Capability License

>Step 4: Apply HSM Policy Settings

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

Step 1: Ensure You Have FM-Ready Hardware

The FM feature requires a specific Luna PCIe HSM hardware configuration that must be created by Thales at the factory. Luna PCIe HSMs that have this configuration are "FM-ready". If your Luna PCIe HSM is not FM-ready, contact your Thales representative or Thales Customer Support for further guidance.

Determining Whether the HSM is FM-Ready

Starting with release 7.4, all Luna PCIe HSMs are FM-ready from the factory. HSMs shipped prior to 7.4 are not. To determine if your HSM is FM-ready, check the Product Part # on the PCIe card label:

If the last 3-digit section of the Product Part # is 003 or higher, your HSM is FM-ready. If 002 or lower, contact your Thales representative or Thales Customer Support for guidance on how to obtain FM-ready hardware.

Step 2: Update to Luna HSM Firmware 7.4.0 or Higher

To use FMs, you require HSM firmware version 7.4.0 or higher. You can download the latest software/firmware packages from the Thales Support Portal (see Updating the Luna Backup HSM (G5) Firmware).

When you have completed the upgrade, you can check the output from lunacm:>hsm showinfo to ensure that the HSM is FM-ready:

FM HW Status ->         FM Ready
Firmware Version -> 7.4.0

Step 3: Purchase and Apply the FM Capability License

To use FMs, contact your Thales sales representative to purchase the FM capability license. The FM license is delivered as a .cuf file that is specific to your HSM serial number. Refer to Upgrading HSM Capabilities for the procedure.

When you have activated your license on the HSM, you can use lunacm:>hsm showinfo to check that it is installed:

License Count -> 8
        1. 621000068-000 K7 Base
        2. 621010185-003 Key backup via cloning protocol
        3. 621000134-002 Enable 32 megabytes of object storage
        4. 621000135-002 Enable allow decommissioning
        5. 621000021-002 Maximum performance
        6. 621000138-001 Controlled tamper recovery
        7. 621000154-001 Enable decommission on tamper with policy off
        8. 621000074-001 Enable Functionality Modules

Step 4: Apply HSM Policy Settings

Applying the FM capability license allows you to set 4 new HSM policies that affect FMs on the Luna PCIe HSM (see HSM Capabilities and Policies). Use lunacm:>hsm showpolicies to list HSM policies.

50: Allow Functionality Modules : 0
51: Allow SMFS Auto Activation : 0
52: Restrict FM Privilege Level : 0
53: Encrypt keys passing from FM to HSM : 0

HSM Policy 50: Allow Functionality Modules

With this policy enabled, Functionality Modules may be loaded to the HSM, permitting custom cryptographic operations. Allows use of the ctfm utility and FM-related commands, and the use of Functionality Modules in general with this HSM.

The HSM SO must set HSM policy 50 to 1 (ON) to use FMs on the Luna PCIe HSM. Changing this policy (OFF-to-ON or ON-to-OFF) will zeroize the HSM and it must be re-initialized.

CAUTION!   Enabling FMs (HSM policy 50) introduces changes to Luna HSM functionality, some of which are permanent; they cannot be removed by disabling the policy. FM-enabled status is not reversible by Factory Reset.Refer to FM Deployment Constraints for details before enabling.

If you are using Crypto Command Center, ensure that your CCC version supports FM-enabled HSMs before you enable HSM policy 50. Refer to the CCC CRN for details.

NOTE   After setting HSM policy 50, you must add the following entry to the Chrystoki.conf/crystoki.ini configuration file before you can re-initialize the HSM:

[Misc]
LoginAllowedOnFMEnabledHSMs=1

HSM Policy 51: Allow SMFS Auto Activation

With this policy enabled, the Secure Memory File System (SMFS) is automatically activated on startup, providing a secure, tamper-enabled location in the HSM memory where Functionality Modules can load keys and parameters. Auto-activation for SMFS, like auto-activation for PED-authenticated partitions in general, persists through a power outage of up to 2 hours duration.If disabled, the HSM SO must manually activate the SMFS each time the HSM reboots or loses power.

Thales recommends setting HSM policy 51 to 1 (ON) to avoid having to manually re-activate the SMFS if you need to reboot the HSM. Changing this policy destroys all existing application partitions.

HSM Policy 52: Restrict FM Privilege Level

With this policy enabled, FM privilege is restricted. By default, FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).

FM privilege permits FMs to see the sensitive key attributes (including key values) of cryptographic objects on application partitions. This privilege is necessary for most FMs, so that the Crypto Officer (CO) and Crypto User (CU) roles can use partition objects with the FM. However, some FMs might not require this privilege and it can be restricted to satisfy some certification requirements (such as Common Criteria).

Unless you require CC certification, Thales does not recommend changing this policy from its default setting (OFF). Changing this policy destroys all existing application partitions.

HSM Policy 53: Encrypt Keys Passing from FM to HSM

With this policy enabled, keys created by an FM are encrypted before crossing from the FM to the Functionality Module Crypto Engine interface (FMCE). This internal encryption may be required to satisfy some certification requirements (such as Common Criteria).

Unless you require CC certification, Thales does not recommend changing this policy from its default setting (OFF). Changing this policy (OFF-to-ON or ON-to-OFF) will destroy all existing application partitions.