Rolling Back the Luna HSM Firmware

When updating the HSM firmware, the Luna Network HSM 7 saves the previously-installed firmware version on the HSM. If required, you can roll back to this previously-installed version. Rollback allows you to try firmware without permanently committing to the new version.

Rollback does not create a new rollback target; a single rollback target is preserved when a firmware update is performed. After a rollback operation, no further rollback is possible until the next firmware update saves the pre-update version as the new rollback target.

CAUTION! Update any factory-fresh Luna Network HSM 7 to newer firmware before rolling back. The firmware rollback feature is intended to return the firmware to the previously installed version. Attempting a firmware rollback on a new appliance received directly from the Thales factory can result in RMA (return of product), as the pre-shipment firmware is a factory-test version that does not accept your credentials.

Firmware rollback is destructive, and earlier firmware versions might have older mechanisms and security vulnerabilities that a newer version does not. Back up any important materials before rolling back the firmware. This procedure zeroizes the HSM, erasing all cryptographic objects.

NOTE: Firmware rollback is not supported on HSMs that use Functionality Modules. If you have ever enabled HSM policy 50: Allow Functionality Modules, even if the policy is currently disabled, you cannot roll back the HSM firmware. See FM Deployment Constraints for details.

To roll back the Luna HSM firmware to the previous version

1. Check the previous firmware version that is available on the HSM.

lunash:> hsm firmware show

2. Back up any important cryptographic objects currently stored on the HSM (see Partition Backup and Restore).

3. At the LunaSH prompt, log in as HSM SO.

lunash:> hsm login

4. Roll back the HSM firmware.

lunash:> hsm firmware rollback

5. Re-initialize the HSM and restore your partition(s) from backup.