Luna HSM Bootloader 1.1.5 Patch

This patch, which updates the bootloader on the Luna HSM to version 1.1.5, was released in April 2023. It includes important security updates.

>Download Luna HSM Bootloader 1.1.5

NOTE: If you have Luna HSM Firmware 7.8.1 or newer installed, you do not need to apply this patch; Luna HSM bootloader 1.1.5 is included with the firmware.

This patch will update the bootloader to version 1.1.5 permanently; you do not need to apply the patch again, even after Re-Imaging the Appliance to Baseline Software/Firmware Versions.

Bootloader 1.1.5 is FIPS-validated. Refer to NIST certificate #4090 for FIPS 140-2 Level 3 certification:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/4090

Valid Update Paths

You can install the Luna HSM Bootloader 1.1.5 Patch on any Luna HSM with Luna HSM Firmware 7.8.0 or older. Your appliance software version must be at Luna Appliance Software 7.8.0 or older to install the patch.

Update Procedure

Use the following procedure to install the Luna HSM Bootloader 1.1.5 Patch:

1. Transfer the secure package update file to the Luna Network HSM 7 using pscp or scp.

pscp <path>/lunasa_update_bootloader-1.1.5.spkg admin@<appliance_host/IP>:

2. Stop all client applications to the Luna Network HSM 7 appliance.

3. Using a serial or SSH connection, log in to the appliance as admin (see Logging In to LunaSH).

4. Log in as HSM SO (see Logging In as HSM Security Officer).

lunash:> hsm login

5. [Optional Step] Verify that the secure package file is present on the Luna Network HSM 7.

lunash:> package listfile

6. [Optional Step] Verify the package file, specifying the authorization code you received from Thales.

lunash:> package verify lunasa_update_bootloader-1.1.5.spkg -authcode <code_string>

7. Install the update on the Luna Network HSM 7.

lunash:> package update lunasa_update_bootloader-1.1.5.spkg -authcode <code_string>

The bootloader update package is now stored in reserve on the appliance, waiting to be installed.

8. [Optional] After the package update completes, you can check that the update is ready to install. It is reported as firmware version 7.8.1, but only the bootloader 1.1.5 update is actually included.

lunash:> hsm firmware show

Upgrade Firmware:                   7.8.1

9. Update the bootloader to version 1.1.5.

lunash:> hsm firmware upgrade

10. [Optional] Check that the bootloader version has been updated. If you are using Luna Appliance Software 7.7.0 or newer, the bootloader version is included in the information from lunash:> hsm show:

lunash:> hsm show

Bootloader:                         1.1.5

If you are using appliance software older than Luna Appliance Software 7.7.0, you can confirm that the update was successful by checking the recent system logs:

lunash:> syslog tail -logname messages -entries 1000 -search Loader

2023 Apr 10 12:35:56 10  kern info  kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.5
2023 Apr 10 12:36:00 10  kern info  kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.5
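The Valid Update Paths rule and the syslog confirmation in step 10 can be checked from an administrator workstation against saved LunaSH output. The following Python is an added example, not Thales code: the function names are hypothetical, the log format is assumed to match the two lines shown above, and the captured output is assumed to be ordered oldest-first.

```python
import re

# Matches the kernel lines shown on the page, e.g.
# "... kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.5"
LOADER_RE = re.compile(r"\[hsm\] Boot Loader (\d+) Revision K7 (\d+(?:\.\d+)+)\s*$")


def parse_version(text):
    """Turn '7.8.1' into (7, 8, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_applicable(firmware, appliance_software):
    """Valid Update Paths: firmware and appliance software both 7.8.0 or older."""
    limit = parse_version("7.8.0")
    return parse_version(firmware) <= limit and parse_version(appliance_software) <= limit


def latest_loader_revisions(log_text):
    """Return {stage: revision}, keeping the last line seen for each stage.

    Assumes the captured output is oldest-first, so a later line for the
    same stage reflects a more recent boot.
    """
    revisions = {}
    for line in log_text.splitlines():
        match = LOADER_RE.search(line)
        if match:
            revisions[int(match.group(1))] = match.group(2)
    return revisions


def update_confirmed(log_text, expected="1.1.5"):
    """True only if Boot Loader 1 and 2 both last reported `expected`."""
    revisions = latest_loader_revisions(log_text)
    return revisions.get(1) == expected and revisions.get(2) == expected


# Constructed sample: the two lines from the page preceded by a constructed
# earlier boot (revision 1.1.0 is a placeholder, not a documented version).
SAMPLE = """\
2023 Apr 03 09:10:11 10  kern info  kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.0
2023 Apr 03 09:10:15 10  kern info  kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.0
2023 Apr 10 12:35:56 10  kern info  kernel: k7pf0: [hsm] Boot Loader 1 Revision K7 1.1.5
2023 Apr 10 12:36:00 10  kern info  kernel: k7pf0: [hsm] Boot Loader 2 Revision K7 1.1.5
"""

if __name__ == "__main__":
    print(patch_applicable("7.7.1", "7.8.0"), update_confirmed(SAMPLE))
```

Because `-entries 1000` can return lines from boots that predate the update, the check uses the most recent line per loader stage and requires both stages to match.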

Advisory Notes

This section highlights important issues you should be aware of before installing the Luna HSM Bootloader 1.1.5 Patch.

Patch Overwrites the Firmware Update Version Stored on the HSM

If you previously updated the appliance software but did not update the HSM firmware to the version included with that secure package, that reserve firmware version will be overwritten by the Luna HSM Bootloader 1.1.5 Patch. Use lunash:> hsm firmware show to check whether a firmware version is available for update. You will be unable to update the firmware until after the next appliance software update.

Firmware Cannot Be Rolled Back After Installing the Patch

After installing the bootloader update package, you cannot roll back to the previous firmware version.