Loading an FM Into the HSM Firmware

A signed FM must be loaded into the HSM firmware to provide new functionality. The HSM SO can load FMs using LunaSH and the following procedure.

NOTE   A certificate used to sign an FM must have attribute CKA_PRIVATE set as true.

If an existing certificate has Private=F, you can use the CMU tool to export that cert, then re-import it while setting -private=T.

Or, if the partition retains the FM signing keypair, you can run cmu selfsigncertificate again to re-create the certificate, this time setting -private=T explicitly.


>Your HSM must meet the criteria described in Preparing the Luna Network HSM 7 to Use FMs.

>HSM policy 50: Allow Functionality Modules must be enabled.

>HSM policy 51: Enable SMFS Auto Activation must be enabled, if you intend to use auto-activation (recommended). Changing this policy later will erase all partitions and installed FMs.

>Ensure that all destructive policies are set before you load FMs into the HSM firmware. Any change of a destructive policy will erase all loaded FMs.

>The FM must be signed as described in Building and Signing an FM, using Luna HSM Client 7.4.0 or newer. FMs built using the Luna 7.0.4 Tech Preview release are not compatible with this Luna version.

>You require the FM signing certificate. If you have previously loaded an FM signed by the same key, the correct certificate is already present in the appliance admin files.

NOTE   If you load an FM with the same FM ID as an already-loaded FM, it is considered an update, and replaces the existing FM.

To load an FM into the HSM firmware

1.Use pscp or scp to transfer the signed FM to the appliance admin account.

pscp <signed_FM> admin@<host/IP>:

2.Use pscp or scp to transfer the signing certificate to the appliance admin account. If you have previously loaded an FM signed by the same key, it should already be in the appliance admin files.

3.Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin.

4.Log in as HSM SO.

lunash:> hsm login

5.[Optional] Confirm that the signed FM and the correct certificate are present in the admin files.

lunash:> my file list

6.Load the FM to the HSM by specifying the FM and signing certificate files.

lunash:> hsm fm load -certFile <cert_file> -fmFile <FM_file>

7.Restart the HSM. It is not necessary to reboot the appliance.

lunash:> hsm restart

NOTE   If you have FMs loaded, you must restart the HSM whenever you perform any of the following operations:

>create a new partition and assign it to a client (even if it has the same slot number as a recently-deleted partition),

>make a destructive change like re-initializing or zeroizing the HSM, or changing a destructive policy.

You will be unable to use the loaded FMs with new partitions until you restart the HSM. Use lunash:> hsm restart.

8.Log back in as HSM SO.

lunash:> hsm login

9.Activate the Secure Memory File System.

lunash:> hsm fm smfs activate

10.[Optional] Confirm that the FM was loaded and is now enabled.

lunash:> hsm fm status