Loading an FM Into the HSM Firmware
A signed FM must be loaded into the HSM firmware to provide new functionality. The HSM SO can load FMs using
NOTE A certificate used to sign an FM must have attribute CKA_PRIVATE set as true.
If an existing certificate has Private=F, you can use the CMU tool to export that cert, then re-import it while setting -private=T.
Or, if the partition retains the FM signing keypair, you can run cmu selfsigncertificate again to re-create the certificate, this time setting -private=T explicitly.
>Your HSM must meet the criteria described in Preparing the Luna Network HSM to Use FMs.
>HSM policy 50: Allow Functionality Modules must be enabled.
>HSM policy 51: Enable SMFS Auto Activation must be enabled, if you intend to use auto-activation (recommended). Changing this policy later will erase all partitions and installed FMs.
>Ensure that all destructive policies are set before you load FMs into the HSM firmware. Any change of a destructive policy will erase all loaded FMs.
>You require the FM signing certificate. If you have previously loaded an FM signed by the same key, the correct certificate is already present in the
NOTE If you load an FM with the same FM ID as an already-loaded FM, it is considered an update, and replaces the existing FM.
To load an FM into the HSM firmware
1.Use pscp or scp to transfer the signed FM to the appliance admin account.
pscp <signed_FM> admin@<host/IP>:
2.Use pscp or scp to transfer the signing certificate to the appliance admin account. If you have previously loaded an FM signed by the same key, it should already be in the appliance admin files.
3.Connect to the appliance via SSH or a serial connection, and log in to LunaSH as admin.
4.Log in as HSM SO.
lunash:> hsm login
5.[Optional] Confirm that the signed FM and the correct certificate are present in the admin files.
lunash:> my file list
6.Load the FM to the HSM by specifying the FM and signing certificate files.
lunash:> hsm fm load -certFile <cert_file> -fmFile <FM_file>
7.Restart the HSM. It is not necessary to reboot the appliance.
lunash:> hsm restart
NOTE If you have FMs loaded, you must restart the HSM whenever you perform any of the following operations:
>create a new partition
>make a destructive change like re-initializing or zeroizing the HSM, or changing a destructive policy.
You will be unable to use the loaded FMs with new partitions until you restart the HSM. Use
8.Log back in as HSM SO.
lunash:> hsm login
9.Activate the Secure Memory File System.
lunash:> hsm fm smfs activate
10.[Optional] Confirm that the FM was loaded and is now enabled.
lunash:> hsm fm status