Luna HSM Firmware 7.7.1

Luna HSM firmware 7.7.1 was released in April 2021 for Luna Network HSM only. It was included in the secure package update for Luna Network HSM appliances (see Luna Network HSM Appliance Software 7.7.1). It includes bug fixes and updated FIPS compliance requirements.

>Download Luna Network HSM Appliance Software 7.7.1 (includes firmware update to Luna HSM Firmware 7.7.1)

Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090

New Features and Enhancements

Luna HSM firmware 7.7.1 includes the following new features and enhancements:

Set FIPS Mode by Application Partition

Application partitions on HSMs using Luna HSM firmware 7.7.1 can set FIPS mode independently of other partitions on the same HSM, using the new partition policy 43: Allow Non-FIPS Algorithms. With HSM policy 12 set to ON, FIPS mode is still enforced on all partitions on the HSM.

Refer to HSM Capabilities and Policies and Partition Capabilities and Policies.

Valid Update Paths

You can update the Luna HSM firmware to version 7.7.1 from the following previous versions:

>7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1, 7.4.2, 7.7.0

Advisory Notes

This section highlights important issues you should be aware of before deploying HSM firmware 7.7.1.

Special Considerations for Luna HSM Firmware 7.7.0 and Newer

Luna HSM Firmware 7.7.0 introduces new capabilities, features, and other significant changes that affect the operation of the HSM. Due to some of these changes, you must be aware of some special considerations before updating to Luna HSM Firmware 7.7.0 or newer. For more information, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the update.

FIPS Restrictions in Luna HSM Firmware 7.7.0 and Newer

New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS Algorithms set to OFF), to comply with FIPS SP800-131a Rev2 published in March 2019.

The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):

The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):

>CKM_AES_MAC

>CKM_AES_MAC_GENERAL

>CKM_DES3_MAC

>CKM_DES3_MAC_GENERAL

>CKM_DSA_SHA1

>CKM_ECDSA_SHA1

>CKM_SHA1_RSA_PKCS

>CKM_SHA1_RSA_PKCS_PSS

>CKM_SHA1_RSA_X9_31

RSA Keygen Mechanism Remapping on Luna 7.7.1 or Newer Partitions Requires Minimum Luna HSM Client 10.4.0

Luna HSM Firmware 7.7.1 or newer partitions that have been individually set to FIPS mode using the new partition policy 43 require Luna HSM Client 10.4.0 or newer to automatically remap older RSA mechanisms as described in Mechanism Remap for FIPS Compliance.



	SUPPORT	LEGAL
Luna Network HSM Documentation © Copyright 2001-2023, Thales Group Last Updated: 2023-03-30 15:48:53 GMT-04:00	Customer Release Notes Customer Support Portal Support Contacts	End User License Agreement Third Party Software Licenses Document Information