Luna HSM Firmware 7.7.1-20 Patch

This patch for Luna HSM firmware 7.7.1 was released in March 2023, and is the FIPS-validated firmware version recommended by Thales. It includes an important fix for an Out of Memory error affecting the following previously-released firmware versions:

- Luna HSM Firmware 7.7.1
- Luna HSM Firmware 7.7.0

If you are using either of these firmware versions, Thales recommends installing this firmware patch. The fix for this error is also included in Luna HSM Firmware 7.8.1 and newer.

Download Luna HSM Firmware 7.7.1-20 Patch

Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090

This release is certified under the Common Criteria standard (also requires Luna HSM Bootloader 1.1.5 Patch). The certificates are posted here:

- https://www.commoncriteriaportal.org/files/epfiles/CC-20-195307.pdf
- CC Certificate -- Thales Luna K7 HSM

Valid Update Paths

You can update the Luna HSM firmware to version 7.7.1-20 from the following previous versions:

- 7.7.0, 7.7.1

NOTE   You must have Luna Appliance Software 7.7.1 installed to apply the patch.

Update Procedure

Use the following procedure to install the Luna HSM Firmware 7.7.1-20 Patch:

1. Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.

pscp <path>/<filename>.spkg admin@<appliance_host/IP>:

2. Stop all client applications to the Luna Network HSM 7 appliance.

3. Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).

4. Log in as HSM SO (see Logging In as HSM Security Officer).

lunash:> hsm login

5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM 7.

lunash:> package listfile

6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.

lunash:> package verify <filename>.spkg -authcode <code_string>

7. Install the update on the Luna Network HSM 7.

lunash:> package update <filename>.spkg -authcode <code_string>

The latest firmware update package is now stored in reserve on the appliance, waiting to be installed.

8. [Optional] Check that the desired firmware version is ready to install. The minor version (-20) is not displayed in the output.

lunash:> hsm firmware show

Upgrade Firmware:                   7.7.1

9. Update the firmware to the version currently stored on the appliance.

lunash:> hsm firmware upgrade

Confirm that the patch is added

The output of the LunaSH command hsm show is unchanged after the patch is applied. To determine whether the Luna Network HSM 7 firmware patch 7.7.1-20 [KB0027005] was installed successfully, check supportInfo.txt as follows:

1. Generate and download the supportInfo.txt file from the HSM.

lunash:> hsm supportInfo

2. Use scp from a client to retrieve the file named supportInfo.txt.

3. Search supportInfo.txt for "FW Rev 7.7.1".

If the firmware patch 7.7.1-20 was successfully applied, a firmware log entry displays:

LOG(INFO): FW Rev 7.7.1-20

If the patch was not successfully applied on an HSM, supportInfo.txt shows a lower version, for example: FW Rev 7.7.1-19
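A scripted form of the supportInfo.txt check above, added here as an example and not part of the Thales release notes: it extracts every "FW Rev" log entry from the file, compares the highest one against the expected 7.7.1-20 revision, and returns a pass/fail status, which is convenient when checking many appliances from the client to which the files were copied with scp. The supportInfo.txt excerpts embedded in the block are constructed samples, and the function and constant names are this example's own. The check only asks whether the highest logged revision is at least 7.7.1-20; that relies on the firmware log never moving backwards, which matches the advisory note that the patch cannot be rolled back.

```python
import re
import sys

# Revision the HSM should report once the 7.7.1-20 patch has been applied.
EXPECTED_FW_REV = "7.7.1-20"

# Matches the firmware log line described in the release notes, e.g.
# "LOG(INFO): FW Rev 7.7.1-20". The "-NN" patch number is optional because
# some outputs (hsm firmware show) print only the major version.
FW_REV_RE = re.compile(r"FW Rev\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")

# Constructed sample excerpts (not real supportInfo.txt captures); only the
# lines this check cares about are included.
SAMPLE_PATCHED = """\
LOG(INFO): HSM reset
LOG(INFO): FW Rev 7.7.1-19
LOG(INFO): FW Rev 7.7.1-20
"""
SAMPLE_UNPATCHED = "LOG(INFO): FW Rev 7.7.1-19\n"


def parse_fw_rev(rev: str) -> tuple:
    """Turn '7.7.1-20' into a comparable tuple (7, 7, 1, 20).
    A revision without a '-NN' suffix is treated as patch level 0."""
    m = FW_REV_RE.search("FW Rev " + rev)
    if m is None:
        raise ValueError(f"not a firmware revision: {rev!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def fw_revisions(text: str) -> list:
    """All FW Rev tuples found in the text, in the order they appear."""
    return [
        (int(a), int(b), int(c), int(d or 0))
        for a, b, c, d in FW_REV_RE.findall(text)
    ]


def fmt_rev(rev: tuple) -> str:
    """Render a revision tuple back into the release-notes spelling."""
    base = f"{rev[0]}.{rev[1]}.{rev[2]}"
    return base + (f"-{rev[3]}" if rev[3] else "")


def patch_applied(text: str, expected: str = EXPECTED_FW_REV) -> bool:
    """True when the highest FW Rev logged is at least the expected one.
    Assumption: the log only ever moves forward (the patch cannot be rolled
    back), so the maximum entry is the running firmware revision."""
    revs = fw_revisions(text)
    return bool(revs) and max(revs) >= parse_fw_rev(expected)


def fw_status(text: str, expected: str = EXPECTED_FW_REV) -> str:
    """Human-readable verdict for one supportInfo.txt."""
    revs = fw_revisions(text)
    if not revs:
        return "UNKNOWN: no 'FW Rev' entry found in supportInfo.txt"
    latest = max(revs)
    if latest >= parse_fw_rev(expected):
        return f"PATCHED: FW Rev {fmt_rev(latest)}"
    return f"NOT PATCHED: FW Rev {fmt_rev(latest)} (expected {expected})"


if __name__ == "__main__":
    # Usage: python check_fw_rev.py supportInfo.txt   (exit code 1 if not patched)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_PATCHED  # fall back to the constructed sample
    print(fw_status(content))
    sys.exit(0 if patch_applied(content) else 1)
```

Run it once per downloaded supportInfo.txt; a non-zero exit code flags an appliance that still reports 7.7.1-19 or earlier.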

Advisory Notes

This section highlights important issues you should be aware of before deploying HSM firmware 7.7.1-20.

Firmware Cannot Be Rolled Back to Unpatched Version of Luna HSM Firmware 7.7.1

The interface currently considers only the major firmware version. After a minor firmware version update package has been installed (the package update command installs the appliance software, if any, and places any included firmware in the standby location), but before the newer-minor-version firmware itself is installed, the output of the hsm firmware show command shows:

- Current firmware as the existing current major version,
- Rollback firmware as the prior major version, and
- Upgrade firmware as N/A (since it sees no difference from the currently installed version).

After the hsm firmware upgrade command installs the newer-minor-version firmware, the output of the hsm firmware show command shows:

- Current firmware as the existing current major version, now the new one,
- Rollback firmware as the same major version, because it doesn't see a difference, and
- Upgrade firmware as N/A.

This also means that firmware rollback is not available until after your next major-firmware-version update.

Once the hsm firmware show output displays the Current and Rollback versions as the same version, you know that the minor-version update was successful.

RSA Keygen Mechanism Remapping on Luna 7.7.1 or Newer Partitions Requires Minimum Luna HSM Client 10.4.0

Partitions on Luna HSM Firmware 7.7.1 or newer that have been individually set to FIPS mode using the new partition policy 43 require Luna HSM Client 10.4.0 or newer to automatically remap older RSA mechanisms, as described in Mechanism Remap for FIPS Compliance.

Special Considerations for Luna HSM Firmware 7.7.0 and Newer

Luna HSM Firmware 7.7.0 introduces new capabilities, features, and other significant changes that affect the operation of the HSM. Due to some of these changes, you must be aware of some special considerations before updating to Luna HSM Firmware 7.7.0 or newer. For more information, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the update.

3DES Usage Counter

For Luna HSM Firmware 7.7.0 and newer, triple-DES keys have a usage counter that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms is set to 0). When the counter runs out for a key instance, that key instance can no longer be used for encrypting, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.

The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to 0, but cannot be viewed if that policy is set to 1.

The attribute is preserved during backup/restore using a Luna Backup HSM 7; restoring puts the counter back to whatever value it had before backup.

The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring sets the counter to a like-new state (no usage).

FIPS Changes in Luna HSM Firmware 7.7.0 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with FIPS SP800-131a Rev2, published in March 2019.

Mechanisms not permitted to wrap objects in FIPS mode

The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):

- CKM_AES_CBC
- CKM_AES_CBC_PAD
- CKM_AES_CTR
- CKM_AES_ECB
- CKM_DES3_CBC
- CKM_DES3_CBC_PAD
- CKM_DES3_CTR
- CKM_DES3_ECB
- CKM_RSA_PKCS

Mechanisms not permitted to sign data in FIPS mode

The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):

- CKM_AES_MAC
- CKM_AES_MAC_GENERAL
- CKM_DES3_MAC
- CKM_DES3_MAC_GENERAL
- CKM_DSA_SHA1
- CKM_ECDSA_SHA1
- CKM_SHA1_RSA_PKCS
- CKM_SHA1_RSA_PKCS_PSS
- CKM_SHA1_RSA_X9_31
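The 3DES usage counter and the FIPS-mode wrap/sign restrictions described in the two sections above, expressed as a small Python model added here as an example (it is not Thales code and not the Luna client API): it encodes the mechanism lists from this page, tracks one 3DES key instance's budget of 2^16 8-byte blocks, refuses encrypt/wrap/derive/sign once the budget is spent while still allowing decrypt/unwrap/verify, hides CKA_BYTES_REMAINING when policy 12 is set to 1, and reproduces the Luna Backup HSM 7 versus Luna Backup HSM G5 restore behaviour. Assumptions: the operation and backup-HSM names are this example's own strings, each counted operation is charged its data length rounded up to whole 8-byte blocks, and an operation that would overrun the remaining budget is refused without consuming any of it. Such a model is useful for reviewing client code paths before an upgrade, since a wrap with CKM_AES_CBC or a sign with CKM_SHA1_RSA_PKCS that worked on older firmware will fail on a FIPS-mode 7.7.x partition.

```python
from math import ceil

# Values stated in the release notes: in FIPS mode each 3DES key instance may
# encrypt at most 2^16 blocks of 8 bytes.
DES3_BLOCK_BYTES = 8
DES3_MAX_BLOCKS = 2 ** 16
DES3_INITIAL_BYTES_REMAINING = DES3_MAX_BLOCKS * DES3_BLOCK_BYTES  # 524288

# Mechanism lists from the release notes (HSM policy 12 = 0, i.e. FIPS mode).
NO_WRAP_IN_FIPS = frozenset({
    "CKM_AES_CBC", "CKM_AES_CBC_PAD", "CKM_AES_CTR", "CKM_AES_ECB",
    "CKM_DES3_CBC", "CKM_DES3_CBC_PAD", "CKM_DES3_CTR", "CKM_DES3_ECB",
    "CKM_RSA_PKCS",
})
NO_SIGN_IN_FIPS = frozenset({
    "CKM_AES_MAC", "CKM_AES_MAC_GENERAL", "CKM_DES3_MAC", "CKM_DES3_MAC_GENERAL",
    "CKM_DSA_SHA1", "CKM_ECDSA_SHA1", "CKM_SHA1_RSA_PKCS",
    "CKM_SHA1_RSA_PKCS_PSS", "CKM_SHA1_RSA_X9_31",
})

# Operation labels are this example's own (hypothetical) names, split into the
# operations the counter charges and the ones that stay usable afterwards.
COUNTED_OPS = frozenset({"encrypt", "wrap", "derive", "sign"})
UNCOUNTED_OPS = frozenset({"decrypt", "unwrap", "verify"})


class PolicyError(Exception):
    """Raised when the modelled HSM would refuse the operation."""


def mechanism_allowed(op: str, mechanism: str, fips_mode: bool) -> bool:
    """FIPS-mode restriction: listed mechanisms may not wrap (unwrap stays
    permitted) or sign (verify stays permitted); nothing is restricted
    outside FIPS mode."""
    if op not in COUNTED_OPS | UNCOUNTED_OPS:
        raise ValueError(f"unknown operation {op!r}")
    if not fips_mode:
        return True
    if op == "wrap" and mechanism in NO_WRAP_IN_FIPS:
        return False
    if op == "sign" and mechanism in NO_SIGN_IN_FIPS:
        return False
    return True


def charge_for(nbytes: int) -> int:
    """Bytes debited from the counter (assumption: rounded up to whole blocks)."""
    return ceil(nbytes / DES3_BLOCK_BYTES) * DES3_BLOCK_BYTES


class Des3KeyInstance:
    """One 3DES key instance and its usage counter (CKA_BYTES_REMAINING)."""

    def __init__(self, fips_mode: bool = True):
        self.fips_mode = fips_mode  # True when HSM policy 12 is set to 0
        self.bytes_remaining = DES3_INITIAL_BYTES_REMAINING

    def bytes_remaining_attr(self):
        """CKA_BYTES_REMAINING is readable only in FIPS mode (policy 12 = 0)."""
        return self.bytes_remaining if self.fips_mode else None

    def refusal(self, op: str, nbytes: int, mechanism: str):
        """Reason the modelled HSM would refuse the operation, or None."""
        if not mechanism_allowed(op, mechanism, self.fips_mode):
            return f"{mechanism} may not {op} in FIPS mode"
        if (self.fips_mode and op in COUNTED_OPS
                and charge_for(nbytes) > self.bytes_remaining):
            return "3DES usage counter exhausted for this key instance"
        return None

    def use(self, op: str, nbytes: int, mechanism: str) -> int:
        """Perform one operation; returns the bytes still available."""
        reason = self.refusal(op, nbytes, mechanism)
        if reason:
            raise PolicyError(reason)
        if self.fips_mode and op in COUNTED_OPS:
            self.bytes_remaining -= charge_for(nbytes)
        return self.bytes_remaining

    def backup(self, backup_hsm: str) -> dict:
        """Snapshot as a Luna Backup HSM 7 (counter preserved) or a Luna Backup
        HSM G5 (counter not carried) records it; names are this example's own."""
        if backup_hsm == "luna_backup_hsm_7":
            return {"bytes_remaining": self.bytes_remaining}
        if backup_hsm == "luna_backup_hsm_g5":
            return {"bytes_remaining": None}
        raise ValueError(f"unknown backup HSM {backup_hsm!r}")

    def restore(self, snapshot: dict) -> int:
        """Backup HSM 7 puts the counter back where it was; G5 resets it to a
        like-new state (full budget)."""
        saved = snapshot["bytes_remaining"]
        self.bytes_remaining = DES3_INITIAL_BYTES_REMAINING if saved is None else saved
        return self.bytes_remaining
```

The model deliberately keeps the two rule sets separate: mechanism_allowed answers the static question (is this mechanism permitted for this operation in FIPS mode at all) and Des3KeyInstance adds the per-key-instance state that the counter introduces, so the first check fails the same way on an AES or RSA key while the second applies only to 3DES.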