Upgrading firmware

This appendix describes how to load an updated image file and associated firmware onto your nShield hardware security module.

Version Security Number (VSN)

All nShield firmware includes a Version Security Number (VSN). This number is increased whenever we improve the security of the firmware.

We supply several versions of the module firmware. You can always upgrade to firmware with an equal or higher VSN than that currently installed on your module.

You can never load firmware with a lower VSN than the currently installed firmware.

Ensuring you use firmware with the highest available VSN allows you to benefit from security improvements and enhanced functionality. It also prevents future downgrades of the firmware that could potentially weaken security. However, you may choose to install an associated firmware that does not have the highest available VSN. For example, if you have a regulatory requirement to use FIPS-approved firmware, you should install the latest available FIPS-validated firmware, which may not have the highest VSN. Similarly, if you want to install a version with enhanced features without committing yourself to the upgrade, you can do so providing you upgrade only to firmware with a VSN equal to that currently installed on your module.

Firmware on the installation media

Your Connect and Firmware installation media contains several sets of firmware for each supplied product. These can include the latest available:

  • FIPS-approved firmware with the base VSN

  • FIPS-approved firmware with a higher VSN

  • Firmware awaiting FIPS approval with the base VSN

  • Firmware awaiting FIPS approval with a higher VSN.

You should ensure you are using the latest firmware, unless you have a regulatory requirement to use firmware that has been FIPS validated. In the latter case, you should ensure that you are using the latest available FIPS validated firmware.

Recognising firmware files

The firmware and monitor files are stored in subdirectories within the firmware directory on the installation media. The subdirectories are named by version number.

Firmware and monitor files for hardware modules have a .nff filename suffix. Monitor filenames have an ldb prefix. (Files that have a .ftv suffix are used for checking similarly named firmware files. They are not firmware files.)

Files for use with nShield Solo modules have ncx3p in the filename. Files for use with nShield SoloXC modules have ncx5e in the filename. Files for use with nShield Edge modules have ncx1z in the filename.

The VSN of a firmware file is incorporated into its filename and is denoted by a dash followed by the digits of the VSN. For example, -24 means the VSN is 24.

To display information about a firmware file on the installation media, enter the following command:

loadrom --view /disc-name/firmware/firmware_ver/firmware_file.nff

In this command, disc-name is the directory on which you mounted the installation media, firmware_ver is the firmware version number, and firmware_file is the file name.

Using new firmware

To use the new firmware, you must:

  1. Install the latest software. See the Installation Guide for more information about software installation.

  2. Install the latest firmware, as described below.

This chapter describes how to upgrade module firmware for nShield Solo modules only. If you have another type of module (for example, an nShield Connect module), refer to the corresponding chapter in the User Guide.

Firmware installation overview

The process of installing or updating firmware on an nShield module depends on whether you need to upgrade the module’s monitor.

The Solo XC module does not have a separate monitor program, see Upgrading firmware only.

Each module has a monitor, which allows you to load firmware onto the module, refer to the Release Notes for monitor firmware versions.

To check the version number of the monitor on the module:

  1. Log in to the host as root or as a user in the group nfast.

  2. Put the module in Maintenance mode and reset the module.

    See Checking and changing the mode on an nShield Solo module for more about changing the mode.

  3. Run the enquiry command-line utility and check that the module is in the pre-maintenance state.

    The Version number shown is for the monitor.

If you need to upgrade both the monitor and firmware, you must use the nfloadmon utility; see Upgrading both the monitor and firmware.

If you need to upgrade the firmware only, you must use the loadrom utility; see Upgrading firmware only.

If you are upgrading a module which has SEE program data or NVRAM-stored keys in its nonvolatile memory, use the nvram‑backup utility to backup your data first.

Upgrading both the monitor and firmware

You must only use this procedure if you need to upgrade the monitor and firmware on an nShield module, for example, for Remote Administration functionality. If you only need to upgrade the firmware, (or have a Solo XC module), see Upgrading firmware only.

Follow this procedure carefully. Do not interrupt power to the module during this upgrade process.

To upgrade the monitor and firmware on a module:

  1. Log in to the host as root or as a user in the group nfast.

  2. Run the command:

    nfloadmon -m<module_number> --automode /disc_name/firmware/monitor_ver/monitor_file.nff /disc-name/firmware/firmware_ver/firmware_file.nff

    In this command, <module_number> is the module number (such as -m2 for module 2). --automode enables automated mode switching for nShield Solos, when supported in Remote Administration environments.

    Monitor version 2.60.1 is required to enable remote mode switching.

    disc_name is the directory on which you mounted the installation media, monitor_ver is the monitor version number, monitor_file is the monitor file name, firmware_ver is the firmware version number, and firmware_file is the firmware file name.

    For example:

    nfloadmon -m2 /mnt/cdromname/firmware/2-50-16/ldb_ncx3p-24.nff mnt/cdromname/firmware/2-50-16/ncx3p-25.nff

    The firmware files are signed and encrypted; you can load only the correct version for your module.

  3. Confirm the version of the monitor and firmware.

  4. Put the module into the different modes if and when prompted to do so. When supported, the mode of the nShield Solo changes automatically.

    For information on changing the mode, see Checking and changing the mode on an nShield Solo module .

  5. When the nfloadmon utility has completed, put the module into initialization mode (if prompted), and then initialize the module by running the command:

    initunit

  6. Put the module in Maintenance mode and reset the module.

  7. Run the enquiry command to verify the module is in maintenance state and has the correct monitor version.

    In Maintenance mode, the enquiry command shows the version number of the monitor.

  8. Put the module in Operational mode and reset the module.

  9. Run the enquiry command to verify the module is in operational state and has the correct firmware version.

  10. Log in to the host as normal.

    In Operational mode, the enquiry command shows the version number of the firmware.

Upgrading firmware only

The firmware is provided on a separate .iso and not on the Security World installation media. For the latest nShield firmware, request a DVD or .iso download link from Entrust Support at nshield.support@entrust.com.

To upgrade the firmware on a module:

  1. Log in to the host as root or as a user in the group nfast.

  2. Put the module in Maintenance mode and reset the module.

    See Checking and changing the mode on an nShield Solo module for more about changing the mode.

  3. Run the enquiry command-line utility to check that the module is in the pre-maintenance state.

  4. Insert the firmware DVD or mount the firmware .iso, depending on the provided upgrade media format.

  5. Load the new firmware by running the command:

    loadrom -m<module_number> /disc_name/firmware/firmware_ver/firmware_file.nff

    In this command, <module_number> is the module number (such as -m2 for module 2), disc_name is the directory on which you mounted the installation media, firmware_ver is the firmware version number, and firmware_file is the firmware file name.

    For example:

    loadrom -m2 /mnt/cdromname/firmware/2-50-16/ncx3p-25.nff

    The firmware files are signed and encrypted; you can load only the correct version for your module.

  6. Solo XC only

    Reboot the Solo XC for the firmware upgrade to take effect.

    • Bare metal environments: With the module in Maintenance mode, run the following command to reboot the Solo XC.

      nopclearfail -S -m<module_number>

      Wait for the Solo XC to reboot, which will take about ten minutes on a host machine running Linux.

      The module has completed rebooting when running enquiry no longer shows the module as Offline.

    • Virtual environment hosts: Reboot the Solo XC by rebooting the system that is hosting the Solo XC.

  7. Put the module in initialization mode and reset the module.

  8. Initialize the module by running the command:

    initunit

  9. Put the module in Operational mode and reset the module.

  10. Run the enquiry command to verify the module is in operational state and has the correct firmware version.

    In Operational mode, the enquiry command shows the version number of the firmware.

  11. Log in to the host as normal.

After firmware installation

After you have installed new firmware and initialized the HSM, you can create a new Security World with the HSM or reinitialize the HSM into an existing Security World.

If you are initializing the HSM into a new Security World, see Creating a Security World.

If you are re-initializing the HSM into an existing Security World, see Adding or restoring an HSM to the Security World.