Luna HSM Firmware 7.7.2
Luna HSM Firmware 7.7.2 was released in December 2021. It includes bug fixes and updated FIPS 140-3 compliance requirements.
>Download Luna HSM Firmware 7.7.2 for Network HSM
New Features and Enhancements
Luna HSM firmware 7.7.2 includes the following new features and enhancements:
ECIES Hardware Acceleration using Curve25519
Luna HSM firmware 7.7.2 adds enhanced performance for ECIES using Curve25519.
ECIES AES-CTR ICB Derivation
Luna HSM firmware 7.7.2 adds the derivation of the Initial Counter block (ICB) for ECIES AES-CTR encryption scheme to support the 5G 3GPP TS 33.501 standard, for processing of Subscription Concealed Identifier (SUCI) de-concealment requests. See CKM_ECIES.
This feature also requires minimum Luna HSM Client 10.3.0, or Luna HSM Client 10.4.0 for JCPROV.
Key Wrapping/Unwrapping with AES GCM
Luna HSM firmware 7.7.2 supports wrap/unwrap operations using the CKM_AES_GCM mechanism.
Validate Integrity of Functionality Modules
The FMSW_GetImage API call returns a pointer to a Functionality Module image and a pointer to the size of the image, to assist the verification of FMs in compliance with industry and national standards. See FMSW_GetImage API to validate an FM.
Valid Update Paths
You can update the Luna HSM firmware to version 7.7.2 from the following previous versions:
>7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1
This section highlights important issues you should be aware of before deploying HSM firmware 7.7.2.
Minimum Password Length is Increased to 8 Characters
Luna HSM Firmware 7.7.2 and newer enforces minimum 8-character passwords and challenge secrets, to comply with FIPS 140-3 requirements. The previous limit was 7 characters. If you were using a 7-character password prior to upgrading the firmware, that password continues to work. Future password changes will use the new 8-character minimum.
If you have an existing HA group whose member partitions use a 7-character password/challenge secret, you must change all members to use a minimum 8-character password before adding a new member that uses Luna HSM Firmware 7.7.2 or newer.
RSA Keygen Mechanism Remapping on Luna 7.7.1 or Newer Partitions Requires Minimum Luna HSM Client 10.4.0
Luna HSM Firmware 7.7.1 or newer partitions that have been individually set to FIPS mode using the new partition policy 43 require Luna HSM Client 10.4.0 or newer to automatically remap older RSA mechanisms as described in Mechanism Remap for FIPS Compliance.
Special Considerations for Luna HSM Firmware 7.7.0 and Newer
Luna HSM Firmware 7.7.0 introduces new capabilities, features, and other significant changes that affect the operation of the HSM. Due to some of these changes, you must be aware of some special considerations before updating to Luna HSM Firmware 7.7.0 or newer. For more information, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the update.
FIPS Restrictions in Luna HSM Firmware 7.7.0 and Newer
New restrictions have been added to some mechanisms when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS Algorithms set to OFF), to comply with FIPS SP800-131a Rev2 published in March 2019.
The following mechanisms are not permitted to wrap objects in FIPS mode (unwrap operations are permitted):
The following mechanisms are not permitted to sign data in FIPS mode (verify operations are permitted):
Luna Network HSM Appliance Software 7.7.1 Required for Firmware 7.7.2 Update
The SPKG file containing the Luna HSM firmware 7.7.2 update requires minimum Luna Network HSM Appliance Software 7.7.1. Update your appliance software before installing the firmware package.