Upgrading firmware
This appendix describes how to load an updated image file and associated firmware onto your nShield hardware security module.
Version Security Number (VSN)
The firmware includes a Version Security Number (VSN). This number is increased whenever we improve the security of the firmware.
We supply several versions of the module firmware. You can always upgrade to firmware with a VSN equal to or higher than that currently installed on your module.
You can never load firmware with a lower VSN than the currently installed firmware. The module enforces this check itself.
Ensuring you use firmware with the highest available VSN allows you to benefit from security improvements and enhanced functionality. It also prevents future downgrades of the firmware that could potentially weaken security. However, you may choose to install an associated firmware that does not have the highest available VSN. For example, if you have a regulatory requirement to use FIPS-approved firmware, you should install the latest available FIPS-validated firmware, which may not have the highest VSN. Note that once you have loaded firmware with a higher VSN than the latest FIPS-validated firmware, you can no longer load that FIPS-validated firmware on the module. Similarly, if you want to install a version with enhanced features without committing yourself to the higher VSN, you can do so providing you upgrade only to firmware with a VSN equal to that currently installed on your module.
Firmware on the installation media
Your nShield Solo and Firmware installation media contains several sets of firmware for each supplied product. These can include the latest available:
- FIPS-approved firmware with the base VSN
- FIPS-approved firmware with a higher VSN
- Firmware awaiting FIPS approval with the base VSN
- Firmware awaiting FIPS approval with a higher VSN.
You should ensure you are using the latest firmware, unless you have a regulatory requirement to use firmware that has been FIPS validated. In the latter case, you should ensure that you are using the latest available FIPS validated firmware.
Recognising firmware files
The firmware and monitor files are stored in subdirectories within the firmware directory on the installation media. The subdirectories are named by product and then certification status, which can be latest, fips-pending, fips, or cc.
Firmware and monitor files for hardware modules have a .nff filename suffix. Monitor filenames have a solo-monitor prefix and are in the Solo Monitor subdirectory. (Files that have a .ftv suffix are used for checking similarly named firmware files. They are not firmware files.)
Files for use with nShield Solo modules have solo in the filename and are in the Solo subdirectory.
Files for use with nShield Solo XC modules have soloxc in the filename and are in the SoloXC subdirectory.
Files for use with nShield Edge modules have edge in the filename and are in the Edge subdirectory.
The VSN of a firmware file is incorporated into its filename and is denoted by a dash and the letters "vsn" followed by the digits of the VSN. For example, -vsn24 means the VSN is 24.
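The VSN rule above and the filename conventions in this section together determine which image on the media a given module will accept. The following script, added here as an illustration and not part of the nShield software, applies both: it classifies each path by product, monitor/firmware, certification directory and VSN, discards .ftv check files, and then selects the image a module with a given installed VSN may load under either the "latest firmware" or the "FIPS-validated only" policy. The directory listing in SAMPLE_MEDIA is constructed to match the layout described here; its version numbers and VSNs are made up and do not correspond to real releases.

```python
"""Choose which nShield firmware file may be loaded, following the VSN rule and the
filename conventions described on this page.

Added example, not Entrust code. The paths in SAMPLE_MEDIA are constructed to
illustrate the layout (firmware/<Product>/<status>/<name>-vsn<N>.nff); the version
numbers and VSNs in them are made up and are not real releases.
"""
import re
from pathlib import Path
from typing import Iterable, NamedTuple, Optional

# "-vsn" followed by digits, immediately before the .nff suffix.
NFF_RE = re.compile(r"-vsn(\d+)\.nff$", re.IGNORECASE)
# Checked in this order because "soloxc" also contains the substring "solo".
PRODUCT_TOKENS = ("soloxc", "solo", "edge")


class FirmwareFile(NamedTuple):
    path: str
    product: str       # solo | soloxc | edge
    is_monitor: bool   # solo-monitor-* images are loaded with nfloadmon, not loadrom
    status: str        # latest | fips-pending | fips | cc (taken from the parent directory)
    vsn: int


def parse_firmware_path(path: str) -> Optional[FirmwareFile]:
    """Classify one path. Returns None for anything that is not a .nff firmware or
    monitor image, including the .ftv files that accompany firmware for checking."""
    p = Path(path)
    m = NFF_RE.search(p.name)
    if m is None:
        return None
    name = p.name.lower()
    product = next((t for t in PRODUCT_TOKENS if t in name), None)
    if product is None:
        return None
    return FirmwareFile(path=str(p), product=product,
                        is_monitor=name.startswith("solo-monitor"),
                        status=p.parent.name.lower(), vsn=int(m.group(1)))


def loadable(candidate: FirmwareFile, installed_vsn: int) -> bool:
    """The module enforces this rule: an image with a lower VSN than the one
    installed is rejected, so filter it out before attempting a load."""
    return candidate.vsn >= installed_vsn


def choose_firmware(paths: Iterable[str], product: str, installed_vsn: int,
                    fips_only: bool = False, allow_vsn_increase: bool = True
                    ) -> Optional[FirmwareFile]:
    """Pick the firmware (not monitor) image to load for one product.

    fips_only          -- regulatory requirement: only files from the 'fips' directory.
    allow_vsn_increase -- False means "new features without committing to a higher
                          VSN": only files whose VSN equals the installed one.
    Among permitted files the highest VSN wins; at equal VSN the page's advice to
    use the latest firmware is applied, then 'fips' is preferred so the result is
    deterministic.
    """
    best = None
    for path in paths:
        f = parse_firmware_path(path)
        if f is None or f.is_monitor or f.product != product:
            continue
        if not loadable(f, installed_vsn):
            continue  # the module would refuse it anyway
        if not allow_vsn_increase and f.vsn != installed_vsn:
            continue
        if fips_only and f.status != "fips":
            continue
        key = (f.vsn, f.status == "latest", f.status == "fips")
        if best is None or key > best[0]:
            best = (key, f)
    return None if best is None else best[1]


SAMPLE_MEDIA = [  # constructed listing of an installation DVD, not a real one
    "firmware/Solo/fips/solo-12-50-2-vsn24.nff",
    "firmware/Solo/fips/solo-12-50-2-vsn24.ftv",             # check file, not firmware
    "firmware/Solo/fips/solo-12-60-10-vsn26.nff",
    "firmware/Solo/fips-pending/solo-12-70-1-vsn26.nff",
    "firmware/Solo/latest/solo-12-80-4-vsn29.nff",
    "firmware/Solo Monitor/latest/solo-monitor-2-60-1-vsn26.nff",
    "firmware/SoloXC/latest/soloxc-12-80-4-vsn37.nff",
    "firmware/Edge/fips/edge-12-50-2-vsn24.nff",
]

if __name__ == "__main__":
    for fips in (False, True):
        f = choose_firmware(SAMPLE_MEDIA, "solo", installed_vsn=24, fips_only=fips)
        print(f"fips_only={fips}: {f.path if f else 'no permitted file'}")
    # A module already running VSN 29 can never go back to the VSN 26 FIPS image.
    f = choose_firmware(SAMPLE_MEDIA, "solo", installed_vsn=29, fips_only=True)
    print(f"installed VSN 29, FIPS only: {f.path if f else 'no permitted file'}")
```

The last case in the script is the caveat from the VSN section made concrete: a Solo at VSN 24 under the FIPS-only policy gets the VSN 26 FIPS image, but once the VSN 29 "latest" image has been loaded no FIPS-validated image on this media is acceptable any more. The script only selects a path; the actual load is still done with loadrom or nfloadmon as described in the rest of this appendix.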
To display information about a firmware file on the installation media, enter the following command:
Using new firmware
To use the new firmware, you must:
- Install the latest software. See the Installation Guide for more information about software installation.
- Install the latest firmware, as described below.
This appendix describes how to upgrade module firmware for nShield PCIe and USB-attached HSMs. If you have an nShield network-attached HSM, refer to the corresponding chapter in the User Guide for that nShield HSM.
Firmware installation overview
The process of installing or updating firmware on an nShield module depends on whether you need to upgrade the module's monitor.
The Solo XC module does not have a separate monitor program; see Upgrading firmware only.
Each module has a monitor, which allows you to load firmware onto the module.
To check the version number of the monitor on the module:
If you need to upgrade both the monitor and firmware, you must use the nfloadmon utility; see Upgrading both the monitor and firmware.
If you need to upgrade the firmware only, you must use the loadrom utility; see Upgrading firmware only.
If you are upgrading a module which has SEE program data or NVRAM-stored keys in its nonvolatile memory, use the nvram-backup utility to back up your data first. Loading new firmware reinitializes the module, so data that has not been backed up cannot be recovered afterwards.
Upgrading both the monitor and firmware
You must only use this procedure if you need to upgrade the monitor and firmware on an nShield module, for example, for Remote Administration functionality. If you only need to upgrade the firmware, (or have a Solo XC module), see Upgrading firmware only.
Follow this procedure carefully. Do not interrupt power to the module during this upgrade process.
To upgrade the monitor and firmware on a module:
Upgrading firmware only
The firmware is provided on a separate .iso and not on the Security World installation media.
For the latest nShield firmware, request a DVD or .iso download link from Entrust Support at nshield.support@entrust.com.
To upgrade the firmware on a module:
After firmware installation
After you have installed new firmware and initialized the HSM, you can create a new Security World with the HSM or reinitialize the HSM into an existing Security World.
If you are initializing the HSM into a new Security World, see Creating a Security World.
If you are re-initializing the HSM into an existing Security World, see Adding or restoring an HSM to the Security World.