Updating the Luna PCIe HSM Firmware
To update the firmware on a Luna PCIe HSM, download the desired firmware version from the Thales Support Portal. Use LunaCM on the host workstation to apply the update. You require:
• Luna PCIe HSM firmware update file (<filename>.fuf) and
• the firmware update authentication code file (<filename>.txt)
CAUTION! Use an uninterruptible power supply (UPS) to power your HSM. There is a small chance that a power failure during an update could leave your HSM in an unrecoverable condition.
NOTE If you are updating the firmware to version 7.7.x or newer, objects and partitions must be re-sized to include additional object overhead associated with the new V1 partitions. This re-sizing is included in the update process and requires no additional action from you (see What are "pre-firmware 7.7.0", and V0, and V1 partitions?). This conversion can take much longer than previous firmware updates, depending on the number of objects stored on the HSM (a few minutes to several hours). Ensure that you can leave the update operation uninterrupted for this amount of time. Do not interrupt the procedure even if the operation appears to have stalled.
To update the Luna PCIe HSM firmware
1. Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.
• Windows: C:\Program Files\SafeNet\LunaClient
• Linux: /usr/safenet/lunaclient/bin
• Solaris: /opt/safenet/lunaclient/bin
NOTE On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.
2. Launch LunaCM.
3. If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.
lunacm:> slot set -slot <slot_number>
4. Log in as HSM SO.
lunacm:> role login -name so
5. Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the full filepaths.
lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt
Changing the Firmware Upgrade Permissions (Linux only)
By default, the root user and any user who is part of the hsmusers group can perform a firmware update. You can use this procedure to restrict firmware update operations to root only (that is, disable firmware update for members of the hsmusers group).
To restrict firmware update operations to the root user only
1. Open the /etc/modprobe.d/k7.conf file for editing:
sudoedit /etc/modprobe.d/k7.conf
2. Change the k7_rootonly_reset option from 0 to 1. Save the file and exit the editor.
3. Stop any processes that are using the K7 driver. Typically this means stopping the pedclient service, and the luna-snmp service, if you are using SNMP.
sudo systemctl stop pedclient_service
sudo systemctl stop luna-snmp
4. Reload the driver:
sudo systemctl reload k7
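One way to check the result of this procedure, as an added example that is not part of the Thales documentation: the script reads a modprobe.d-style file and reports which accounts may run a firmware update under the rule stated above. The `options k7 k7_rootonly_reset=<0|1>` line format, the treatment of a missing option as 0, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Thales code. Assumption: the option appears as
# k7_rootonly_reset=<0|1> on an uncommented line of the modprobe.d file.

# Print the last uncommented k7_rootonly_reset value in file $1.
# Prints 0 (the default behaviour this page describes) if it is absent.
k7_rootonly_value() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    val=$(sed -n -e 's/#.*//' \
              -e 's/.*k7_rootonly_reset=\([0-9][0-9]*\).*/\1/p' "$conf" |
          tail -n 1)
    echo "${val:-0}"
}

# Return 0 if the user may update firmware under the given setting.
# $1 = user name, $2 = space-separated group names, $3 = option value
may_update_firmware() {
    user=$1; grouplist=$2; rootonly=$3
    [ "$user" = root ] && return 0      # root is always permitted
    [ "$rootonly" = 1 ] && return 1     # root-only mode blocks everyone else
    case " $grouplist " in
        *" hsmusers "*) return 0 ;;     # default mode: hsmusers members too
    esac
    return 1
}

# Print one verdict line per account: audit_k7_update_rights FILE USER...
audit_k7_update_rights() {
    conf=$1; shift
    rootonly=$(k7_rootonly_value "$conf") || return 2
    for u in "$@"; do
        g=$(id -Gn "$u" 2>/dev/null) || { echo "$u: unknown user"; continue; }
        if may_update_firmware "$u" "$g" "$rootonly"; then
            echo "$u: firmware update allowed"
        else
            echo "$u: firmware update blocked"
        fi
    done
}

# Demo on a constructed sample file (module name "k7" is assumed).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'options k7 k7_rootonly_reset=1' >"$sample"
audit_k7_update_rights "$sample" root "$(id -un)"
rm -f "$sample"
```

The script reads the configuration file only; it does not query the loaded driver, so run it after the driver reload in step 4.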