Advisory Notes

This section highlights important issues you should be aware of before deploying this release.

Encryption and Decryption Limitation

When a PKCS #11 encryption or decryption function is called with an output buffer that is not large enough, it returns CKR_BUFFER_TOO_SMALL but does not return the expected size. Developers should use the output length prediction technique defined in PKCS #11 to obtain the required size before making the actual encryption/decryption call.

The following functions are affected:

>Encryption Functions

>Decryption Functions
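The length prediction sequence from PKCS #11 (call once with a NULL output pointer to obtain the size, allocate, then call again), shown as an added example that is not Thales code. So that it runs without an HSM, it uses minimal stand-ins for the cryptoki.h types and a constructed `mock_C_Encrypt` that mimics the limitation above by leaving the length untouched on CKR_BUFFER_TOO_SMALL; `encrypt_predicted` and `encrypt_guess` are hypothetical helper names.

```c
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for cryptoki.h (return code values as defined by PKCS #11). */
typedef unsigned long CK_ULONG, CK_RV, CK_SESSION_HANDLE;
typedef unsigned char CK_BYTE;
#define CKR_OK               0x00000000UL
#define CKR_HOST_MEMORY      0x00000002UL
#define CKR_BUFFER_TOO_SMALL 0x00000150UL

/* Constructed stand-in for C_Encrypt: 16-byte blocks, always padded.
 * As in the advisory, a too-small buffer does NOT get the needed length back. */
static CK_RV mock_C_Encrypt(CK_SESSION_HANDLE h, CK_BYTE *in, CK_ULONG inLen,
                            CK_BYTE *out, CK_ULONG *outLen)
{
    CK_ULONG need = (inLen / 16 + 1) * 16;
    (void)h;
    if (out == NULL) { *outLen = need; return CKR_OK; }  /* length prediction */
    if (*outLen < need) return CKR_BUFFER_TOO_SMALL;     /* *outLen untouched */
    memset(out, 0, need);
    memcpy(out, in, inLen);                              /* placeholder output */
    *outLen = need;
    return CKR_OK;
}

/* Predict, allocate, then encrypt. The caller frees *out. */
CK_RV encrypt_predicted(CK_SESSION_HANDLE h, CK_BYTE *in, CK_ULONG inLen,
                        CK_BYTE **out, CK_ULONG *outLen)
{
    CK_RV rv;
    *out = NULL;
    *outLen = 0;
    rv = mock_C_Encrypt(h, in, inLen, NULL, outLen);     /* 1st call: size only */
    if (rv != CKR_OK) return rv;
    *out = malloc(*outLen);
    if (*out == NULL) return CKR_HOST_MEMORY;
    rv = mock_C_Encrypt(h, in, inLen, *out, outLen);     /* 2nd call: real work */
    if (rv != CKR_OK) { free(*out); *out = NULL; }
    return rv;
}

/* Pattern to avoid here: guess a size and expect the error to report the right one. */
CK_RV encrypt_guess(CK_SESSION_HANDLE h, CK_BYTE *in, CK_ULONG inLen,
                    CK_BYTE *buf, CK_ULONG *bufLen)
{
    return mock_C_Encrypt(h, in, inLen, buf, bufLen);
}
```

Against a real library the same two calls go to C_Encrypt after C_EncryptInit; under PKCS #11 a successful NULL-buffer call does not end the active operation.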

Expired Firmware Upgrade Certificate

The CKA_START_DATE and CKA_END_DATE attributes of the Firmware Upgrade Certificate object (FwUpgradeCert), which verifies firmware upgrades to the HSM, indicate that this certificate has expired. However, this certificate is valid for the lifetime of ProtectToolkit and the firmware upgrade utilities released with ProtectToolkit 5.9.1 work appropriately. FwUpgradeCert is managed internally at Thales and upcoming versions/platforms will include a new certificate.

Support Ended For Some Authentication Features

Firmware 5.06.00 ended support for the following features:

>Auth challenge response (CT_Gen_AUTH_Response and CT_GetAuthChallenge)

>Temporary PINs (CT_GetTmpPin)

Support Ended For Legacy Serial Smart Card Readers

Firmware 5.06.00 ended support for the following legacy serial smart card readers:

>OMNI 3111

>GCR410

>PE122

>DUMB

FMs Compiled With FMSDK 5.7 and Newer Not Compatible With Older Firmware

FMs compiled using FMSDK/CProv 5.7 or newer are not compatible with HSM firmware 5.03.xx or older. The FM will fail to load, producing an error (Could not verify Functionality Module, logs record 0x0100 incompatible library version).

If an FM is intended to run on a ProtectServer HSM with firmware 5.04.xx or newer, use FMSDK 5.7 or above to build the FM. If the FM is intended for use with firmware 5.03.xx or older, use FMSDK 5.6 or the version that corresponds with the firmware release.

Uninstall Previous PTK Client Software on Windows 10 Systems

If you previously installed the ProtectServer PCIe Access Provider software on a host workstation running Windows 10, uninstall any previous client software and the driver. You must also manually delete all LunaK4-related files in the C:\Windows directory before installing PTK 5.9.1.

Firmware 5.01.xx and Newer Not Compatible with Older Client Software

Firmware newer than version 5.01.xx is not compatible with client software older than release 5.4. If you are using firmware older than 5.01.xx, upgrade your PTK client software to 5.9.1 before you upgrade the HSM firmware.

NOTE: Please refer to Technical Note KB0016370 for more information on this issue.

FMs Compiled With FMSDK 5.4 and Newer Not Compatible With Older Firmware

FMs compiled using FMSDK 5.4 or newer will not load correctly on an HSM with firmware 5.00.xx. If an HSM with a newer FM and firmware 5.01.xx is downgraded to firmware 5.00.xx, the FM will be deleted. To avoid this, use FMSDK 5.3 to compile FMs intended for use with firmware 5.00.xx.

HA/WLD Limitations

While ProtectToolkit is designed to be backwards-compatible with older ProtectServer HSMs, capabilities vary between firmware versions, and these differences may cause issues. Newer firmware uses more cryptographic mechanisms, so calls to C_GetMechanismList will return different data lengths than with older firmware. Should an HA/WLD handover occur between obtaining the required length of a buffer and reading data into it, a “buffer too small” error may occur. To avoid this, query each HSM in the cluster to establish the correct size for the mechanism list buffer. Calls to the C_GetMechanismList function should be handled on a slot-by-slot basis.
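One way to size the mechanism list buffer across a cluster, as an added example that is not ProtectToolkit code. It assumes a constructed two-slot cluster (mechanism counts 3 and 5) behind a stand-in `mock_C_GetMechanismList`, with minimal stand-ins for the cryptoki.h types; `cluster_mech_capacity` and `read_slot_mechs` are hypothetical helper names.

```c
#include <stddef.h>

/* Minimal stand-ins for cryptoki.h (return code values as defined by PKCS #11). */
typedef unsigned long CK_ULONG, CK_RV, CK_SLOT_ID, CK_MECHANISM_TYPE;
#define CKR_OK               0x00000000UL
#define CKR_SLOT_ID_INVALID  0x00000003UL
#define CKR_BUFFER_TOO_SMALL 0x00000150UL

/* Constructed cluster: slot 0 = older firmware (3 mechanisms), slot 1 = newer (5). */
static const CK_ULONG mech_count[] = { 3, 5 };
#define N_SLOTS (sizeof mech_count / sizeof mech_count[0])

/* Constructed stand-in for C_GetMechanismList (NULL list = report count only). */
static CK_RV mock_C_GetMechanismList(CK_SLOT_ID slot, CK_MECHANISM_TYPE *list,
                                     CK_ULONG *count)
{
    CK_ULONG i;
    if (slot >= N_SLOTS) return CKR_SLOT_ID_INVALID;
    if (list == NULL) { *count = mech_count[slot]; return CKR_OK; }
    if (*count < mech_count[slot]) {
        *count = mech_count[slot];
        return CKR_BUFFER_TOO_SMALL;
    }
    for (i = 0; i < mech_count[slot]; i++) list[i] = 0x1000UL + i; /* dummy types */
    *count = mech_count[slot];
    return CKR_OK;
}

/* Ask every slot for its count and keep the largest: the safe buffer capacity. */
CK_RV cluster_mech_capacity(const CK_SLOT_ID *slots, CK_ULONG n, CK_ULONG *cap)
{
    CK_ULONG i, c;
    CK_RV rv;
    *cap = 0;
    for (i = 0; i < n; i++) {
        rv = mock_C_GetMechanismList(slots[i], NULL, &c);
        if (rv != CKR_OK) return rv;
        if (c > *cap) *cap = c;
    }
    return CKR_OK;
}

/* Read one slot's list into a buffer of `cap` entries; *count gets the real size. */
CK_RV read_slot_mechs(CK_SLOT_ID slot, CK_MECHANISM_TYPE *buf, CK_ULONG cap,
                      CK_ULONG *count)
{
    *count = cap;   /* tell the library how many entries the buffer holds */
    return mock_C_GetMechanismList(slot, buf, count);
}
```

A buffer sized from slot 0 alone (3 entries) fails with CKR_BUFFER_TOO_SMALL when the read lands on slot 1, which is the handover case described above.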

GCC Tree-Vectorize Error

In some cases, a bug in the GCC 4.6.x optimizer (the version used for ProtectToolkit 5.x FMs) will cause a compilation failure with the following error:

Internal compiler error: in vect_transform_stmt, at tree-vect-stmts.c:4887

To avoid this bug, add -fno-tree-vectorize to the gcc command line. This can be done by including the following line in your FM makefiles, or at the end of opt/safenet/fm-toolchain/fmgcc-ppc440e-1.0.0/fmconfig.mk:

CFLAGS += -fno-tree-vectorize

Run ctconf -t on First Install of HSM

The first time you install a ProtectServer HSM, execute the command ctconf -t to synchronize the card clock with the machine clock before running any other command. You should also initialize the user token, as there are some performance tests that are skipped if the user token is not initialized.

Use Tamper to Recover From an Unresponsive State

If the ProtectServer HSM enters a non-useful or non-responsive state that does not resolve itself after a system reboot, try “tampering” the card. For the ProtectServer PCIe HSM, remove the card from the computer for a few minutes and then re-insert it. For the ProtectServer Network HSM, use the tamper key located on the rear of the appliance. If the HSM does not return to normal operation, contact Thales Group Customer Support (see Support Contacts).

Loading an FM Causes Halt and Reset

When you load an FM, the HSM is automatically halted and reset. The halt/reset is reported as an error in the event logs and in /var/log/messages. This error can be safely ignored.