Luna HSM Bootloader 1.1.5 Patch
This patch, which updates the bootloader on the Luna HSM to version 1.1.5, was released in April 2023. It includes important security updates.
Download Luna HSM Bootloader 1.1.5
NOTE If you have Luna HSM Firmware 7.8.1 or newer installed, you do not need to apply this patch; Luna HSM bootloader 1.1.5 is included with the firmware.
This patch will update the bootloader to version 1.1.5 permanently; you do not need to apply the patch again.
Bootloader 1.1.5 is FIPS-validated. Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090
Bootloader 1.1.5 is considered a minor change that does not affect Common Criteria validation. Assurance is maintained, as indicated in this report:
Common Criteria maintenance report for Boot Loader 1.1.5
Valid Update Paths
You can install the Luna HSM Bootloader 1.1.5 Patch on any Luna HSM with Luna HSM Firmware 7.8.0 or older.
Update Procedure
Use the following procedure to install the Luna HSM Bootloader 1.1.5 Patch:
1. Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.
pscp <path>/lunasa_update_bootloader-1.1.5.spkg admin@<appliance_host/IP>:
2. Stop all client applications to the Luna Network HSM 7 appliance.
3. Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).
4. Log in as HSM SO (see Logging In as HSM Security Officer).
lunash:> hsm login
5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM 7.
lunash:> package listfile
6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.
lunash:> package verify lunasa_update_bootloader-1.1.5.spkg -authcode <code_string>
7. Install the update on the Luna Network HSM 7.
lunash:> package update lunasa_update_bootloader-1.1.5.spkg -authcode <code_string>
The bootloader update package is now stored in reserve on the appliance, waiting to be installed.
8. [Optional] After installing the update, you can check to see that the update is ready to install. It is reported as firmware version 7.8.1, but only the bootloader 1.1.5 update is actually included.
lunash:> hsm firmware show
Upgrade Firmware: 7.8.1
9. Update the bootloader to version 1.1.5.
lunash:> hsm firmware upgrade
10. [Optional] Check that the bootloader version has been updated. If you are using Luna Appliance Software 7.7.0 or newer, the bootloader version is included in the information from lunash:> hsm show:
lunash:> hsm show
Bootloader: 1.1.5
If you are using appliance software older than Luna Appliance Software 7.7.0, you can confirm that the update was successful by checking the recent system logs:
lunash:> syslog tail -logname messages -entries 1000 -search Loader
2023 Apr 10 12:35:56 10 kern info kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.5
2023 Apr 10 12:36:00 10 kern info kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.5
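For fleets still on appliance software older than 7.7.0, the log check in step 10 can be scripted against saved syslog output. The following is an added example, not Thales code: it assumes the output of the syslog tail command was captured as text with the oldest entries first, the function names are hypothetical, and the 1.1.0 revision in the sample is a constructed value.

```python
import re

# Entry format taken from the log sample above:
#   "... kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.5"
ENTRY = re.compile(r"\[hsm\] Boot Loader (\d+) Revision K7 (\d+(?:\.\d+)+)")

def latest_revisions(log_text):
    """Map each boot loader stage to the revision in its last (newest) entry."""
    latest = {}
    for stage, rev in ENTRY.findall(log_text):
        latest[int(stage)] = rev  # later entries overwrite earlier boots
    return latest

def check_bootloader(log_text, expected="1.1.5", stages=(1, 2)):
    """Return (ok, problems); every stage must report `expected`."""
    latest = latest_revisions(log_text)
    problems = []
    for stage in stages:
        rev = latest.get(stage)
        if rev is None:
            problems.append(f"Boot Loader {stage}: no entry in captured log")
        elif rev != expected:
            problems.append(f"Boot Loader {stage}: {rev}, expected {expected}")
    return not problems, problems

# Constructed sample: a boot before the patch (1.1.0 is a made-up older
# revision) followed by the post-upgrade boot from the page's sample.
SAMPLE_OK = """\
2023 Apr 10 09:02:11 10 kern info kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.0
2023 Apr 10 09:02:15 10 kern info kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.0
2023 Apr 10 12:35:56 10 kern info kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.5
2023 Apr 10 12:36:00 10 kern info kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.5
"""
# Constructed sample: the search returned only pre-patch entries.
SAMPLE_STALE = "\n".join(SAMPLE_OK.splitlines()[:2])

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("stale", SAMPLE_STALE)):
        ok, problems = check_bootloader(text)
        print(name, "PASS" if ok else "FAIL", problems)
```

Taking the last entry per stage matters because a 1000-entry search window can still contain boots from before the upgrade; a pass requires both Boot Loader 1 and Boot Loader 2 to report 1.1.5 in their newest entries.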
Advisory Notes
This section highlights important issues you should be aware of before installing the Luna HSM Bootloader 1.1.5 Patch.
Patch Overwrites the Firmware Update Version Stored on the HSM
If you previously updated the appliance software, but did not update the HSM firmware to the version included with that secure package (use lunash:> hsm firmware show to check if there is a firmware version available for update), that reserve firmware version will be overwritten by the Luna HSM Bootloader 1.1.5 Patch. You will be unable to update the firmware until after the next appliance software update.
Firmware Cannot Be Rolled Back After Installing the Patch
After installing the bootloader update package, you cannot roll back to the previous firmware version.