Luna HSM Firmware 7.7.1-20
This updated version of Luna HSM Firmware 7.7.1 was released in March 2023. It includes an important fix for an Out of Memory error affecting
If you are using
>Download Luna HSM Firmware 7.7.1-20
Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:
https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090
NOTE This firmware version also requires Luna HSM Bootloader 1.1.5 Patch.
New Features and Enhancements
Luna HSM firmware 7.7.1 was originally released for Luna Network HSM 7 only. This updated version has been made available for Luna PCIe HSM 7 and includes the following new features and enhancements:
Set FIPS Mode by Application Partition
Application partitions on HSMs using Luna HSM firmware 7.7.1 can set FIPS mode independently of other partitions on the same HSM, using the new partition policy 43: Allow non-FIPS algorithms. With HSM policy 12: Allow non-FIPS algorithms set to OFF, FIPS mode is still enforced on all partitions on the HSM.
Valid Update Paths
You can update the Luna HSM firmware to version 7.7.1-20 from the following previous versions:
>7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1, 7.7.0
NOTE If you are updating from a firmware version older than 7.7.0, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before you continue.
Update Procedure
Use the following procedure to install Luna HSM Firmware 7.7.1-20:
1. Copy the firmware file (<filename>.fuf) and the authentication code file (<filename>.txt) to the Luna HSM Client root directory.
• Windows: C:\Program Files\SafeNet\LunaClient
• Linux/AIX: /usr/safenet/lunaclient/bin
• Solaris: /opt/safenet/lunaclient/bin
NOTE On some Windows configurations, you might not have authority to copy or unzip files directly into C:\Program Files\.... If this is the case, put the files in a known location that you can reference in a LunaCM command.
2. Launch LunaCM.
3. If more than one HSM is installed, set the active slot to the Admin partition of the HSM you wish to update.
lunacm:> slot set -slot <slot_number>
4. Log in as HSM SO.
lunacm:> role login -name so
5. Apply the new firmware update by specifying the update file and the authentication code file. If the files are not located in the Luna HSM Client root directory, specify the full filepaths.
lunacm:> hsm updatefw -fuf <filename>.fuf -authcode <filename>.txt
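Before running the procedure across several HSMs, the rules on this page (valid update paths, the 7.7.0 special-considerations note, the bootloader requirement, and the client minimum from the advisory notes) can be checked per device. This is an added example, not Thales tooling; the function names, inventory layout, and sample rows are constructed for illustration.

```python
# Added example: pre-update check built from the rules stated on this page.
# Inventory layout and the sample rows below are constructed.
VALID_SOURCES = {"7.0.1", "7.0.2", "7.0.3", "7.1.0", "7.2.0",
                 "7.3.0", "7.3.3", "7.4.0", "7.4.1", "7.7.0"}
MIN_CLIENT_FOR_RSA_REMAP = (10, 4, 0)


def parse_version(text):
    """'7.4.1' or '7.7.1-20' -> (7, 4, 1); a build suffix is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) != 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    return parts


def preflight(current_fw, client_version, partition_fips=False,
              bootloader_patched=False):
    """Return (path_ok, warnings) for updating one HSM to 7.7.1-20."""
    fw = parse_version(current_fw)
    fw_text = ".".join(str(n) for n in fw)
    warnings = []
    path_ok = fw_text in VALID_SOURCES
    if not path_ok:
        warnings.append(f"{fw_text} is not a listed update path")
    if fw < (7, 7, 0):
        warnings.append("read Special Considerations for 7.7.0 and Newer")
    if not bootloader_patched:
        warnings.append("Luna HSM Bootloader 1.1.5 Patch is required")
    if partition_fips and parse_version(client_version) < MIN_CLIENT_FOR_RSA_REMAP:
        warnings.append("partition policy 43 needs Luna HSM Client 10.4.0+")
    return path_ok, warnings


# Constructed rows: (name, firmware, client, policy 43 in use, bootloader patched)
FLEET = [
    ("hsm-a", "7.4.1", "10.3.0", True, False),
    ("hsm-b", "7.7.0", "10.4.0", True, True),
    ("hsm-c", "7.7.1", "10.4.0", False, True),
]

if __name__ == "__main__":
    for name, *args in FLEET:
        ok, notes = preflight(*args)
        print(name, "OK" if ok else "BLOCKED", "; ".join(notes) or "-")
```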
Advisory Notes
This section highlights important issues you should be aware of before deploying HSM firmware 7.7.1-20.
RSA Keygen Mechanism Remapping on Luna 7.7.1 or Newer Partitions Requires Minimum Luna HSM Client 10.4.0
Luna HSM Firmware 7.7.1 or newer partitions that have been individually set to FIPS mode using the new partition policy 43 require Luna HSM Client 10.4.0 or newer to automatically remap older RSA mechanisms as described in RSA Mechanism Remap for FIPS Compliance.
Special Considerations for Luna HSM Firmware 7.7.0 and Newer
Luna HSM Firmware 7.7.0 introduces new capabilities, features, and other significant changes that affect the operation of the HSM. Due to some of these changes, you must be aware of some special considerations before updating to Luna HSM Firmware 7.7.0 or newer. For more information, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the update.
3DES Usage Counter
For Luna HSM Firmware 7.7.0 and newer, triple-DES keys have a usage counter that limits each key instance to encrypting a maximum of 2^16 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms is set to 0). When the counter runs out for a key instance, that key instance can no longer be used for encryption, wrapping, deriving, or signing, but can still be used for decrypting, unwrapping, and verifying pre-existing objects.
The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to 0, but cannot be viewed if that policy is set to 1.
The attribute is preserved during backup/restore using a Luna Backup HSM 7; restoring puts the counter back to whatever value it had before backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring sets the counter to like-new state (no usage).
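The counter rules above, modelled as an added example (not Thales code, and it never contacts an HSM): the budget works out to 2^16 × 8 = 524,288 bytes per key instance, which is small enough that rotation has to be planned. How each operation is charged, the rounding of partial blocks, and the refusal of a request larger than the remaining budget are assumptions of this model.

```python
# Added example: client-side model of the triple-DES usage counter.
# It tracks a byte budget locally and never contacts an HSM.
BLOCK_BYTES = 8
FIPS_BUDGET = (2 ** 16) * BLOCK_BYTES      # 524288 bytes per key instance
CONSUMING = {"encrypt", "wrap", "derive", "sign"}
STILL_ALLOWED = {"decrypt", "unwrap", "verify"}


class TripleDesKeyModel:
    def __init__(self):
        # Stands in for CKA_BYTES_REMAINING on a FIPS-mode key instance.
        self.bytes_remaining = FIPS_BUDGET

    def use(self, operation, nbytes):
        """Return True if the operation is permitted, charging the budget."""
        if operation in STILL_ALLOWED:
            return True                     # never blocked by the counter
        if operation not in CONSUMING:
            raise ValueError(f"unknown operation: {operation}")
        # Assumption: a partial final block is charged as a full 8-byte block.
        cost = -(-nbytes // BLOCK_BYTES) * BLOCK_BYTES
        # Assumption: a request larger than the remaining budget is refused whole.
        if self.bytes_remaining == 0 or cost > self.bytes_remaining:
            return False
        self.bytes_remaining -= cost
        return True

    def days_left(self, bytes_per_day):
        """Whole days of use left at a steady daily volume (rotation planning)."""
        return self.bytes_remaining // bytes_per_day

    def restore(self, backup_hsm, saved_remaining):
        """Apply the restore behaviour stated for each Backup HSM model."""
        if backup_hsm == "Luna Backup HSM 7":
            self.bytes_remaining = saved_remaining   # counter preserved
        elif backup_hsm == "Luna Backup HSM G5":
            self.bytes_remaining = FIPS_BUDGET       # counter reset to like-new
        else:
            raise ValueError(f"unknown backup HSM: {backup_hsm}")


if __name__ == "__main__":
    key = TripleDesKeyModel()
    print("days at 4 KiB/day:", key.days_left(4096))
    print("encrypt 524280 bytes:", key.use("encrypt", 524280))
    print("remaining:", key.bytes_remaining)
```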
FIPS Changes in Luna HSM Firmware 7.7.0 and Newer
New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms set to OFF), to comply with FIPS SP800-131a Rev2, published in March 2019.
Mechanisms not permitted to wrap objects in FIPS mode
The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):
Mechanisms not permitted to sign data in FIPS mode
The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):
NOTE This page lists FIPS-related changes made since the last FIPS-validated firmware release. For a comprehensive list of changes across all released versions of the Luna HSM firmware, see Changes to FIPS Mode Mechanisms and Operations by Firmware Version. Refer to this section if you are updating from a firmware version that is older than the last FIPS-validated version.