Luna HSM Firmware 7.1.0

Luna HSM firmware 7.1.0 was released in December 2017.

>Download Luna Network HSM Appliance Software 7.1.0 (includes Luna HSM Firmware 7.1.0 update)

>Download Luna HSM Firmware 7.1.0 (firmware only)

New Features and Enhancements

Luna HSM firmware 7.1.0 includes the following new features and enhancements:

Policy Templates

The HSM or Partition SO can save a copy of their organization's preferred HSM or partition policy settings to a template. They can then use this template to configure policy settings when initializing other HSMs or partitions.

This can save time and effort when deploying multiple HSMs or partitions. It also ensures consistency across your HSMs and partitions, which helps to simplify future audit and compliance requirements.

See Setting HSM Policies Using a Template and Setting Partition Policies Using a Template.

This feature also requires Luna HSM Client 7.1.0 (for partition policies) and Luna Network HSM Appliance Software 7.1.0 (for HSM policies).

Configurable Policies for Export of Private Keys

The Partition SO can use partition policies to control whether the private keys in a given partition can be exported off the HSM. The ability to export private keys is particularly useful in use cases such as smart card and identity issuance and secure manufacturing.

This gives organizations the ability to support a wider variety of use cases with their HSM, and also provides Partition SOs with more flexibility overall.

See Configuring the Partition for Cloning or Export of Private/Secret Keys.

Curve 25519 Available in FIPS Mode

Curve 25519 is now available for use in FIPS mode.

Release 7.1.0 Advisory Notes

This section highlights important issues you should be aware of before deploying HSM firmware 7.1.0.

Resolved Issue LKX-3338

Thales has identified an issue with asymmetric digest-and-sign and digest-and-verify mechanisms when the data length exceeds 64KB. It applies to all SHAxxx_RSA_xxx, SHAxxx_DSA and SHAxxx_ECDSA mechanisms.

Please note:

>Simple (i.e. not combined with digest) RSA/ECDSA/DSA sign/verify operations are NOT affected, and work as expected for all HSM models.

>This issue only affects HSMs with standard- and enterprise-level performance (*700 and *750 models). Maximum-performance (*790) models are not affected.

This issue is resolved in both firmware 7.2.0 and 7.0.3.

Thales strongly recommends that you update to firmware 7.2.0 or later, or firmware 7.0.3, to avoid this issue in the future.

CKA_EXTRACTABLE=FALSE on New Private Keys

With Luna HSM firmware 7.1.0 or newer, private keys have their CKA_EXTRACTABLE attribute set to FALSE by default when they are created. Your applications must specify a value of 1 (TRUE) for this attribute on any private keys you wish to wrap and export in Key Export mode.

A patch for the Luna Java Provider (LunaProvider) on 32-bit and 64-bit Linux client systems is available from the Thales Customer Support Portal (DOW0002629).
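The following added example (not Thales code) shows how an application's private-key template can be checked against the CKA_EXTRACTABLE default described above before it is passed to key generation. The helper `effective_extractable` and both templates are hypothetical and constructed for illustration; the PKCS#11 types and standard attribute constants are reproduced inline only so the block compiles without the vendor headers.

```c
#include <stdio.h>
/* Minimal PKCS#11 definitions, reproduced inline so this builds without the
 * vendor's cryptoki headers; a real client includes those headers instead. */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE         1
#define CK_FALSE        0
#define CKA_TOKEN       0x00000001UL
#define CKA_PRIVATE     0x00000002UL
#define CKA_SENSITIVE   0x00000103UL
#define CKA_SIGN        0x00000108UL
#define CKA_EXTRACTABLE 0x00000162UL
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper: the CKA_EXTRACTABLE value a new private key gets from
 * this template on firmware 7.1.0 or newer, where an omitted attribute
 * defaults to FALSE. */
CK_BBOOL effective_extractable(const CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_EXTRACTABLE)
            continue;
        /* A malformed entry cannot request export; report it as FALSE. */
        if (tmpl[i].pValue == NULL || tmpl[i].ulValueLen != sizeof(CK_BBOOL))
            return CK_FALSE;
        return *(const CK_BBOOL *)tmpl[i].pValue ? CK_TRUE : CK_FALSE;
    }
    return CK_FALSE; /* attribute not supplied: firmware default applies */
}

static CK_BBOOL yes = CK_TRUE;
/* Constructed template that leaves CKA_EXTRACTABLE unset. */
CK_ATTRIBUTE unset_tmpl[] = {
    { CKA_TOKEN, &yes, sizeof yes }, { CKA_PRIVATE, &yes, sizeof yes },
    { CKA_SENSITIVE, &yes, sizeof yes }, { CKA_SIGN, &yes, sizeof yes },
};
/* Constructed template for a key that will be wrapped and exported. */
CK_ATTRIBUTE export_tmpl[] = {
    { CKA_TOKEN, &yes, sizeof yes }, { CKA_PRIVATE, &yes, sizeof yes },
    { CKA_SENSITIVE, &yes, sizeof yes }, { CKA_EXTRACTABLE, &yes, sizeof yes },
};
int main(void)
{
    printf("unset:  extractable=%d\n", effective_extractable(unset_tmpl, COUNT(unset_tmpl)));
    printf("export: extractable=%d\n", effective_extractable(export_tmpl, COUNT(export_tmpl)));
    return 0;
}
```

Running such a check over every private-key template in a code base shows which keys will be created non-extractable after the firmware update and which ones need the attribute set explicitly.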

Firmware 7.1.0 Valid Update Paths

You can update the Luna HSM firmware to version 7.1.0 from the following previous versions:

>7.0.1, 7.0.2