Upgrading firmware
This appendix describes how to load an updated image file and associated firmware onto your nShield hardware security module.
Version Security Number (VSN)
All nShield firmware includes a Version Security Number (VSN). This number is increased whenever we improve the security of the firmware.
We supply several versions of the module firmware. You can always upgrade to firmware with an equal or higher VSN than that currently installed on your module.
You can never load firmware with a lower VSN than the currently installed firmware.
Ensuring you use firmware with the highest available VSN allows you to benefit from security improvements and enhanced functionality. It also prevents future downgrades of the firmware that could potentially weaken security. However, you may choose to install an associated firmware that does not have the highest available VSN. For example, if you have a regulatory requirement to use FIPS-approved firmware, you should install the latest available FIPS-validated firmware, which may not have the highest VSN. Similarly, if you want to install a version with enhanced features without committing yourself to the upgrade, you can do so providing you upgrade only to firmware with a VSN equal to that currently installed on your module.
Firmware on the installation media
Your Connect and Firmware installation media contains several sets of firmware for each supplied product. These can include the latest available:
- FIPS-approved firmware with the base VSN
- FIPS-approved firmware with a higher VSN
- Firmware awaiting FIPS approval with the base VSN
- Firmware awaiting FIPS approval with a higher VSN.
You should ensure you are using the latest firmware, unless you have a regulatory requirement to use firmware that has been FIPS validated. In the latter case, you should ensure that you are using the latest available FIPS validated firmware.
Recognising firmware files
The firmware and monitor files are stored in subdirectories within the firmware directory on the installation media.
The subdirectories are named by version number.
Firmware and monitor files for hardware modules have a .nff filename suffix.
Monitor filenames have an ldb prefix. (Files that have a .ftv suffix are used for checking similarly named firmware files. They are not firmware files.)
Files for use with nShield Solo modules have ncx3p in the filename.
Files for use with nShield SoloXC modules have ncx5e in the filename.
Files for use with nShield Edge modules have ncx1z in the filename.
The VSN of a firmware file is incorporated into its filename and is denoted by a dash followed by the digits of the VSN.
For example, -24 means the VSN is 24.
To display information about a firmware file on the installation media, enter the following command:
loadrom --view /disc-name/firmware/firmware_ver/firmware_file.nff
In this command, disc-name is the directory on which you mounted the installation media, firmware_ver is the firmware version number, and firmware_file is the file name.
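The naming rules above, together with the rule from the Version Security Number section that a lower VSN can never be loaded, can be checked on a file name before running loadrom. The following is an added example, not an nShield utility or code from this guide: the function names are hypothetical, the installed VSN is a value you supply, and ncx5e-26.nff and ncx3p-25.ftv are constructed sample names.

```shell
#!/bin/sh
# Added example: classify firmware media files by the naming rules described
# above. Function names are hypothetical; these are not nShield tools.

# nff_kind FILE -> monitor | firmware | check (.ftv) | unknown
nff_kind() {
    case ${1##*/} in
        *.ftv)    echo check ;;     # used to check firmware files; not loadable
        ldb*.nff) echo monitor ;;   # monitor files carry the ldb prefix
        *.nff)    echo firmware ;;
        *)        echo unknown ;;
    esac
}

# nff_module FILE -> module family named in the file name
nff_module() {
    case ${1##*/} in
        *ncx3p*) echo Solo ;;
        *ncx5e*) echo SoloXC ;;
        *ncx1z*) echo Edge ;;
        *)       echo unknown ;;
    esac
}

# nff_vsn FILE -> digits after the last dash of the file name; fails if none.
# The directory part is stripped first, because version directories such as
# 2-50-16 also contain dashes.
nff_vsn() {
    stem=${1##*/}; stem=${stem%.*}
    case $stem in *-*) vsn=${stem##*-} ;; *) return 1 ;; esac
    case $vsn in ''|*[!0-9]*) return 1 ;; esac
    echo "$vsn"
}

# vsn_ok INSTALLED_VSN FILE -> succeeds only if the file's VSN is equal or higher.
# INSTALLED_VSN is supplied by the operator (assumption of this example).
vsn_ok() {
    cand=$(nff_vsn "$2") || return 2
    [ "$cand" -ge "$1" ]
}

# Sample names: the first two come from this page, the last two are constructed.
for f in ldb_ncx3p-24.nff /mnt/cdromname/firmware/2-50-16/ncx3p-25.nff \
         ncx5e-26.nff ncx3p-25.ftv; do
    printf '%s: %s %s vsn=%s\n' "$f" "$(nff_kind "$f")" "$(nff_module "$f")" \
        "$(nff_vsn "$f" || echo none)"
done
```

A file that passes these name checks should still be inspected with loadrom --view, since the name is only a label for what the signed file contains.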
Using new firmware
To use the new firmware, you must:
- Install the latest software. See the Installation Guide for more information about software installation.
- Install the latest firmware, as described below.
This chapter describes how to upgrade module firmware for nShield Solo modules only. If you have another type of module (for example, an nShield Connect module), refer to the corresponding chapter in the User Guide.
Firmware installation overview
The process of installing or updating firmware on an nShield module depends on whether you need to upgrade the module’s monitor.
The Solo XC module does not have a separate monitor program; see Upgrading firmware only.
Each module has a monitor, which allows you to load firmware onto the module. Refer to the Release Notes for monitor firmware versions.
To check the version number of the monitor on the module:
- Log in to the host as root or as a user in the group nfast.
- Put the module in Maintenance mode and reset the module. See Checking and changing the mode on an nShield Solo module for more about changing the mode.
- Run the enquiry command-line utility and check that the module is in the pre-maintenance state. The Version number shown is for the monitor.
If you need to upgrade both the monitor and firmware, you must use the nfloadmon utility; see Upgrading both the monitor and firmware.
If you need to upgrade the firmware only, you must use the loadrom utility; see Upgrading firmware only.
If you are upgrading a module which has SEE program data or NVRAM-stored keys in its nonvolatile memory, use the nvram-backup utility to back up your data first.
Upgrading both the monitor and firmware
You must only use this procedure if you need to upgrade the monitor and firmware on an nShield module, for example, for Remote Administration functionality. If you only need to upgrade the firmware (or have a Solo XC module), see Upgrading firmware only.
Follow this procedure carefully. Do not interrupt power to the module during this upgrade process.
To upgrade the monitor and firmware on a module:
- Log in to the host as root or as a user in the group nfast.
- Run the command:
  nfloadmon -m<module_number> --automode /disc_name/firmware/monitor_ver/monitor_file.nff /disc_name/firmware/firmware_ver/firmware_file.nff
  In this command, <module_number> is the module number (such as -m2 for module 2). --automode enables automated mode switching for nShield Solos, when supported in Remote Administration environments. Monitor version 2.60.1 is required to enable remote mode switching. disc_name is the directory on which you mounted the installation media, monitor_ver is the monitor version number, monitor_file is the monitor file name, firmware_ver is the firmware version number, and firmware_file is the firmware file name.
  For example:
  nfloadmon -m2 /mnt/cdromname/firmware/2-50-16/ldb_ncx3p-24.nff /mnt/cdromname/firmware/2-50-16/ncx3p-25.nff
  The firmware files are signed and encrypted; you can load only the correct version for your module.
- Confirm the version of the monitor and firmware.
- Put the module into the different modes if and when prompted to do so. When supported, the mode of the nShield Solo changes automatically. For information on changing the mode, see Checking and changing the mode on an nShield Solo module.
- When the nfloadmon utility has completed, put the module into initialization mode (if prompted), and then initialize the module by running the command:
  initunit
- Put the module in Maintenance mode and reset the module.
- Run the enquiry command to verify the module is in maintenance state and has the correct monitor version. In Maintenance mode, the enquiry command shows the version number of the monitor.
- Put the module in Operational mode and reset the module.
- Run the enquiry command to verify the module is in operational state and has the correct firmware version.
- Log in to the host as normal. In Operational mode, the enquiry command shows the version number of the firmware.
Upgrading firmware only
The firmware is provided on a separate .iso and not on the Security World installation media.
For the latest nShield firmware, request a DVD or .iso download link from Entrust Support at nshield.support@entrust.com.
To upgrade the firmware on a module:
- Log in to the host as root or as a user in the group nfast.
- Put the module in Maintenance mode and reset the module. See Checking and changing the mode on an nShield Solo module for more about changing the mode.
- Run the enquiry command-line utility to check that the module is in the pre-maintenance state.
- Insert the firmware DVD or mount the firmware .iso, depending on the provided upgrade media format.
- Load the new firmware by running the command:
  loadrom -m<module_number> /disc_name/firmware/firmware_ver/firmware_file.nff
  In this command, <module_number> is the module number (such as -m2 for module 2), disc_name is the directory on which you mounted the installation media, firmware_ver is the firmware version number, and firmware_file is the firmware file name.
  For example:
  loadrom -m2 /mnt/cdromname/firmware/2-50-16/ncx3p-25.nff
  The firmware files are signed and encrypted; you can load only the correct version for your module.
- Solo XC only: Reboot the Solo XC for the firmware upgrade to take effect.
  - Bare metal environments: With the module in Maintenance mode, run the following command to reboot the Solo XC.
    nopclearfail -S -m<module_number>
    Wait for the Solo XC to reboot, which will take about ten minutes on a host machine running Linux. The module has completed rebooting when running enquiry no longer shows the module as Offline.
  - Virtual environment hosts: Reboot the Solo XC by rebooting the system that is hosting the Solo XC.
- Put the module in initialization mode and reset the module.
- Initialize the module by running the command:
  initunit
- Put the module in Operational mode and reset the module.
- Run the enquiry command to verify the module is in operational state and has the correct firmware version. In Operational mode, the enquiry command shows the version number of the firmware.
- Log in to the host as normal.
After firmware installation
After you have installed new firmware and initialized the HSM, you can create a new Security World with the HSM or reinitialize the HSM into an existing Security World.
If you are initializing the HSM into a new Security World, see Creating a Security World.
If you are re-initializing the HSM into an existing Security World, see Adding or restoring an HSM to the Security World.