Luna HSM Firmware 7.0.3
Luna HSM firmware 7.0.3 was released in December 2017, and includes bug fixes and security updates for FIPS certification.
>Download Luna Network HSM Appliance Software 7.2.0 (includes Luna HSM Firmware 7.0.3 update)
Refer to NIST certificate #3205 for FIPS 140-2 Level 3 certification:
New Features and Enhancements
Luna HSM firmware 7.0.3 includes the following new features and enhancements:
Partition Security Officer
All application partitions now have a Partition Security Officer (PO) role that is completely distinct from the HSM Security Officer (HSM SO) role. In this security model, the HSM SO is responsible only for initializing the HSM, setting HSM-level security policies, and creating and deleting partitions. After creating the partitions, the HSM SO has no access to the contents of the partitions. Partitions are owned by the PO, who is responsible for initializing the partition, setting the partition-level security policies and initializing the cryptographic roles on the partition. This model permits a complete separation of roles on the HSM
See Partition Roles.
Luna Network HSM 7 provides cryptographic performance that is 10x faster than the release 5.x and 6.x Luna HSMs.
Luna Network HSM 7 provides enhanced environmental failure protection and tamper resistance.
Improved Random Number Generation
The performance of Luna Network HSM 7's AES-256 CTR DRBG random number generation is significantly increased from previous versions. The RNG is fully compliant with the latest entropy standards:
New Cryptographic Mechanism Support
Luna Network HSM 7 adds support for the following cryptographic algorithms:
>SP800-108 HMAC (RSA & ECC)
>AES-XTS - disk encryption standard
Increased Key Storage Capacity
Luna Network HSM 7 provides up to 32 MB of cryptographic object storage (depending on the model).
Secure Transport Mode Redesigned
Secure Transport Mode (STM) in Luna Network HSM 7 provides a simple, secure method for shipping an HSM to a new location and verifying its integrity upon receipt. When the HSM SO enables STM, it locks the HSM and its contents, and records the current configuration as a pair of unique strings. When the HSM is recovered from STM, the unique strings are redisplayed. If the strings match, the HSM has not been tampered or modified during transport.
Controlled Tamper Recovery
If Policy 48: Do Controlled Tamper Recovery is enabled (the default), the HSM SO must clear the tamper condition before the HSM is reset, to return the HSM to normal operation.
See Tamper Events.
Special Instructions for Installing Firmware 7.0.3 if Your Current Firmware Version is 7.1.0
Firmware 7.0.3 is FIPS-certified Luna firmware. If you are using firmware 7.0.1 or 7.0.2, you can proceed with the standard update procedure. If you previously updated to firmware 7.1.0, and you wish to use firmware 7.0.3, follow this procedure to ensure a successful update.
Luna Network HSM does not allow you to update the firmware from a higher-numbered to a lower-numbered version. Therefore, if you are currently running firmware 7.1.0, you must first perform a firmware rollback.
CAUTION! Firmware rollback is destructive; earlier firmware versions might have older mechanisms and security vulnerabilities that a new version does not. Back up any important materials before rolling back the firmware. This procedure zeroizes the HSM and all cryptographic objects are erased.
If you are using STC, or have ever enabled HSM policy 39, you may encounter a known issue LKX-3184. If this is the case, do not roll back the HSM firmware.
To install firmware 7.0.3 on an HSM running firmware 7.1.0
1.Check the previous firmware version that is available on the HSM. The firmware available for rollback must be 7.0.1 or 7.0.2.
lunash:>hsm firmware show
2.Back up any important cryptographic objects currently stored on the HSM.
3.Log in as HSM SO.
4.Perform a firmware rollback.
lunash:>hsm firmware rollback
5.Initialize the HSM and log in as HSM SO.
6.Install the Luna Network HSM Appliance Software 7.2.0 update that includes firmware 7.0.3, as described in the product documentation.
7.Update the firmware to version 7.0.3, which is now stored on the appliance.
lunash:>hsm firmware upgrade
8.Recreate your application partition
This section highlights important issues you should be aware of before deploying HSM firmware 7.0.3.
Resolved Issue LKX-3338
Thales has identified an issue with asymmetric digest-and-sign, or digest-and-verify mechanisms when the data length exceeds 64KB, for all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.
>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.
>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.
This issue is resolved in both Luna HSM Firmware 7.2.0 and Luna HSM Firmware 7.0.3.
Thales strongly recommends that you update to Luna HSM Firmware 7.2.0 or newer, or Luna HSM Firmware 7.0.3, to avoid this issue in the future.
Resolved Issues LKX-2832/LUNA-956: CKA_EXTRACTABLE Default Setting
Formerly, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys was incorrectly set to TRUE by default. This was resolved in Luna HSM Firmware 7.0.2 and newer. In Luna HSM Firmware 7.0.2 and newer, the CKA_EXTRACTABLE attribute on new, unwrapped, and derived keys is set to FALSE by default.
NOTE If you have existing code or applications that expect keys to be extractable by default, you must modify them to explicitly set the CKA_EXTRACTABLE attribute value to TRUE.
PED Firmware Upgrade Needed for Luna 6 PEDs
If you have older Luna PEDs that you intend to use with Luna HSM Firmware 7.0.1 or newer, you must upgrade to Luna PED Firmware 2.7.1 (or newer). The upgrade and accompanying documentation (007-012337-003_PED_upgrade_2-7-1-5.pdf) are available from ThalesDocs.
Deprecated and Discontinued Features
The following features are deprecated or discontinued in Luna 7. If you have been using any of these Luna 5/6 features, plan for a new configuration and workflow that does not make use of the feature:
>Host trust links (HTL)
>NTLS keys in hardware
>Small form factor (SFF) backup
>Watchdog, CPU Governor