Error codes
If a Hardware Security Module (HSM) encounters an unrecoverable error, it enters the error state. In the error state, the module does not respond to commands and does not write data to the bus.
In some cases you can reset a unit in an error state by powering down the unit and then reapplying power, or with hsmadmin reset
.
Not all errors can be reset in this way.
Errors are a rare occurrence.
If any module goes into the error state, except as a result of you issuing the nopclearfail --fail
command, contact Entrust Support, and give full details of your set up and the error code.
Contact Entrust Support even if you successfully recover from the error by taking the recommended action. For troubleshooting information, see the relevant Installation Guide for your module.
Error codes shown on the LED
The nShield HSM is fitted with a tri-color LED on the back panel. This LED shows information about the status of the HSM, see the Installation Guide.
If an error occurs, the LED flashes with a pattern corresponding to one of the error codes listed below. The LED will flash red unless marked as 'Blue LED' in the table below.
Reading LED codes
All the LED error codes are a 3 digit code. The first digit is given by the number of dots, the second digit by the number of dashes, and the third digit by a subsequent number of dots. There is then a longer gap and the error code repeats. The Morse code equivalent is shown in the table below.
The following guidelines are useful when reading LED code messages from the module:
-
The duration of a dash (
-
) is 3 times the duration of a dot (.
). -
The gap between components of a letter has the same duration as a dot.
-
The gap between letters has the same duration as a dash.
-
The duration of the gap between the code repeating is 7 times the duration of a dot.
Code | Morse code | Dots and dashes | Meaning |
---|---|---|---|
1-1-1 |
E T E |
. - . |
Battery voltage out of spec |
1-2-1 |
E M E |
. - - . |
Crypto SerDes core voltage out of spec |
1-2-2 |
E M I |
. - - . . |
Main processor SerDes core voltage out of spec |
1-2-3 |
E M S |
. - - . . . |
Main processor core voltage out of spec |
1-2-4 |
E M H |
. - - . . . . |
Main processor SerDes core IO voltage out of spec |
1-2-5 |
E M 5 |
. - - . . . . . |
Crypto SerDes IO voltage out of spec |
1-3-1 |
E O E |
. - - - . |
Main processor IFC IO voltage out of spec |
1-3-2 |
E O I |
. - - - . . |
DDR access voltage out of spec |
1-3-3 |
E O S |
. - - - . . . |
DDR IO voltage out of spec |
1-3-4 |
E O H |
. - - - . . . . |
V12 voltage out of spec |
1-3-5 |
E O 5 |
. - - - . . . . . |
Security processor voltage out of spec |
1-5-1 |
E 0 E |
. - - - - - . |
Security processor temperature out of spec |
1-5-2 |
E 0 I |
. - - - - - . . |
Main processor temperature out of spec |
1-5-3 |
E 0 S |
. - - - - - . . . |
Crypto temperature out of spec |
1-5-4 |
E 0 H |
. - - - - - . . . . |
Security processor app blank |
1-5-5 |
E 0 5 |
. - - - - - . . . . . |
Security processor app invalid |
2-1-1 |
I T E |
. . - . |
Security processor secure state corrupted |
2-1-2 |
I T I |
. . - . . |
No bootloader heartbeat |
2-1-3 |
I T S |
. . - . . . |
Board-ID PROM failed |
2-1-5 |
I T 5 |
. . - . . . . . |
Firmware signature auth failure (Blue LED) |
2-2-2 |
I M I |
. . - - . . |
Crypto known-answer tests failed |
2-2-3 |
I M S |
. . – . . . |
RNG driver failed |
2-2-4 |
I M H |
. . - - . . . . |
FIPS DRBG failed |
2-2-5 |
I M 5 |
. . - - . . . . . |
OpenSSL failed |
2-3-1 |
I O E |
. . - - - . |
OpenSSH failed |
2-3-2 |
I O I |
. . - - - . . |
Library signature verification failed |
2-3-3 |
I O S |
. . - - - . . . |
FPGA initialisation failed |
2-3-4 |
I O H |
. . - - - . . . . |
Init script failed |
Error codes available remotely
The error codes listed in this chapter are reported by the enquiry
utility in the hardware status field
of the Module
and are included in the hardserver log.
Runtime library errors
The runtime library error codes could be caused by firmware bugs or by faulty hardware. If any of these errors occur, reset the module.
Code | Meaning |
---|---|
O L C |
SIGABRT: assertion failure and/or |
O L D |
Interrupt occurred when disabled. |
O L E |
SIGSEGV: access violation. |
O L J |
SIGFPE: unsupported arithmetic exception (such as division by 0). |
O L K |
SIGOSERROR: runtime library internal error. |
O L L |
SIGUNKNOWN: invalid signal raised. |
Codes OLD
and OLE
are more likely to indicate a hardware problem than a firmware problem.
Hardware driver errors
In general, the hardware driver error codes described in the following table indicate that some form of automatic hardware detection has failed. As well as indicating simple hardware failure, one of these error codes could indicate that there is a bug in the firmware or that the wrong firmware has been loaded.
If any of these errors is indicated, contact Entrust support.
Code | Meaning |
---|---|
H L |
M48T37 NVRAM (or battery) failed |
H C V |
CPLD wrong version for PCI policing firmware. |
H C X |
No crypto offload hardware detected. |
H P P |
PCI Interface Policing failure. |
H V |
Environment sensors failed (for example, temperature sensor) |
H D |
Failure reading unique serial number. |
H R |
Random number generator failed. |
H R F O |
FIPS continuous RNG failed. |
H R A O |
Periodic RNG test failed. |
H R S |
RNG startup failed. |
H R T |
RNG selftest failed. |
H R T P |
Periodic (scheduled daily) RNG selftest failed. |
H R M |
RNG data matched. |
H R Z |
Impossible RNG Failure (match after PRNG) |
H S S |
Security processor internal semaphore error |
H O |
Token interface initialization failed. |
H E |
EEPROM failed on initialization. |
H C |
Processing thread initialization failed. |
H C P |
Card poll thread initialization failed. |
H F |
Starting up crypto offload. |
H C V |
CPLD version number incorrect. |
H J V |
IPC-watcher failed |
H J U |
IPC-EPD failed |
H J R |
Module reset notification failed. |
K R |
RSA selftest failed. |
H H D |
Unique serial number detection failed. |
H H P |
PCI bus hardware detection failed. |
H H R |
RTC hardware detection failed or random number generator detection failed. |
H S C |
Error writing correct SOS message. |
Operational mode errors
The following runtime library error codes could be caused either by bugs in the firmware or by faulty hardware.
Code | Meaning | Action |
---|---|---|
T |
Temperature of the module has exceeded the maximum allowable. |
Restart your host computer, and improve module cooling. |
D |
Fail command received. |
Reset module by turning it off and then on again. |
G G G |
Failure when performing |
Contact Entrust Support. |
I J A |
Audit logging: failed to send audit log message. |
Contact Entrust Support. |
I J B |
Audit logging: no module memory (therefore failed to send audit log message). |
Contact Entrust Support. |
I J C |
Audit logging: key problem or FIPS incompatibility (therefore failed to sign audit log message). |
Contact Entrust Support. |
I J D |
Audit logging: NVRAM problem (therefore failed to configure or send audit log message). |
Contact Entrust Support. |
SOS IJA can occur for any type of log message (i.e. a log message, signature block or certifier block). |
For the cooling requirements for your module, see the Installation Guide. |