Upgrading firmware
This appendix describes how to load an updated image file and associated firmware onto your nShield hardware security module.
Version Security Number (VSN)
The firmware includes a Version Security Number (VSN). This number is increased whenever we improve the security of the firmware.
We supply several versions of the module firmware. You can always upgrade to firmware with an equal or higher VSN than that currently installed on your module.
You can never load firmware with a lower VSN than the currently installed firmware. |
Ensuring you use firmware with the highest available VSN allows you to benefit from security improvements and enhanced functionality. It also prevents future downgrades of the firmware that could potentially weaken security. However, you may choose to install an associated firmware that does not have the highest available VSN. For example, if you have a regulatory requirement to use FIPS-approved firmware, you should install the latest available FIPS-validated firmware, which may not have the highest VSN. Similarly, if you want to install a version with enhanced features without committing yourself to the upgrade, you can do so providing you upgrade only to firmware with a VSN equal to that currently installed on your module.
Firmware on the installation media
Your nShield Solo and Firmware installation media contains several sets of firmware for each supplied product. These can include the latest available:
-
FIPS-approved firmware with the base VSN
-
FIPS-approved firmware with a higher VSN
-
Firmware awaiting FIPS approval with the base VSN
-
Firmware awaiting FIPS approval with a higher VSN.
You should ensure you are using the latest firmware, unless you have a regulatory requirement to use firmware that has been FIPS validated. In the latter case, you should ensure that you are using the latest available FIPS validated firmware.
Recognising firmware files
The firmware and monitor files are stored in subdirectories within the firmware
directory on the installation media.
The subdirectories are named by product and then certification status, which can be latest
, fips-pending
, fips
, or cc
.
Firmware and monitor files for hardware modules have a .nff
filename suffix.
Monitor filenames have a solo-monitor
prefix and are in the Solo Monitor
subdirectory.
(Files that have a .ftv
suffix are used for checking similarly named firmware files.
They are not firmware files.)
Files for use with nShield Solo modules have solo
in the filename and are in the Solo
subdirectory.
Files for use with nShield Solo XC modules have soloxc
in the filename and are in the SoloXC
subdirectory.
Files for use with nShield Edge modules have edge
in the filename and are in the Edge
subdirectory.
The VSN of a firmware file is incorporated into its filename and is denoted by a dash and the letters "vsn" followed by the digits of the VSN.
For example, -vsn24
means the VSN is 24.
To display information about a firmware file on the installation media, enter the following command:
- Linux
-
loadrom --view /disc-name/firmware/product/status/firmware_file.nff
In this command, disc-name is the directory on which you mounted the installation media, product is the type of product, status is the certification status, and firmware_file is the file name.
- Windows
-
loadrom --view E:\firmware\product\status\firmware_file.nff
In this command, E is the drive letter of your installation media, product is the type of product, status is the certification status, and firmware_file is the file name.
Using new firmware
To use the new firmware, you must:
-
Install the latest software. See the Installation Guide for more information about software installation.
-
Install the latest firmware, as described below.
Windows-only This appendix assumes that you have installed the hardserver as a service. This is the default installation procedure. See the Installation Guide for more information about software installation. |
This chapter describes how to upgrade module firmware for nShield PCIe and USB-attached HSMs. If you have an nShield network-attached HSM, refer to the corresponding chapter in the User Guide for that nShield HSM. |
Firmware installation overview
The process of installing or updating firmware on an nShield module depends on whether you need to upgrade the module’s monitor.
The Solo XC module does not have a separate monitor program, see Upgrading firmware only. |
Each module has a monitor, which allows you to load firmware onto the module.
To check the version number of the monitor on the module:
-
Log in to the host as a user in the group
nfast
(Linux) or as an Administrator (Windows). -
Put the module in Maintenance mode and reset the module.
-
The HSM must be in pre-initialization mode. See Checking and changing the mode on an nShield Solo module for more about changing the mode.
-
-
Run the
enquiry
command-line utility and check that the module is in the pre-maintenance state.The
Version
number shown is for the monitor.
If you need to upgrade both the monitor and firmware, you must use the nfloadmon
utility; see Upgrading both the monitor and firmware.
If you need to upgrade the firmware only, you must use the loadrom
utility; see Upgrading firmware only.
If you are upgrading a module which has SEE program data or NVRAM-stored keys in its nonvolatile memory, use the nvram-backup utility to backup your data first.
|
Upgrading both the monitor and firmware
You must only use this procedure if you need to upgrade the monitor and firmware on an nShield module, for example, for Remote Administration functionality. If you only need to upgrade the firmware, (or have a Solo XC module), see Upgrading firmware only.
Follow this procedure carefully. Do not interrupt power to the module during this upgrade process. |
To upgrade the monitor and firmware on a module:
-
Log in to the host as a user in the group
nfast
(Linux) or as an Administrator (Windows). -
Run the command:
- Linux
-
nfloadmon -m<module_number> --automode /disc_name/firmware/product/monitor/status/monitor_file.nff /disc-name/firmware/product/status/firmware_file.nff
- Windows
-
nfloadmon -m<module_number> --automode E:\firmware\product\monitor\status\monitor_file.nff E:\firmware\product\status\firmware_file.nff
In this command:
-
<module_number>
is the module number (such as-m2
for module 2). -
disc_name
(Linux) is the directory on which you mounted the installation media. -
E
(Windows) is the drive letter of your installation media. -
status
is the certification status. -
monitor_file
is the monitor file name. -
product
is the type of product. -
firmware_file
is the firmware file name.
--automode
enables automated mode switching for nShield PCIe HSMs, when supported in Remote Administration environments.Monitor version 2.60.1 is required to enable remote mode switching. Remote mode switching is not supported on nShield USB-attached HSMs. For example:
- Linux
-
nfloadmon -m2 /mnt/cdromname/firmware/Solo/monitor/latest/solo-2-60-1-vsn26.nff mnt/cdromname/firmware/Solo/latest/solo-13-3-1-vsn29.nff
- Windows
-
nfloadmon -m2 --automode E:\firmware\Solo\monitor\latest\solo-2-60-1-vsn26.nff E:\firmware\Solo\latest\solo-13-3-1-vsn29.nff
The firmware files are signed and encrypted; you can load only the correct version for your module.
Upgrading the nShield Solo XC to 13.3.x firmware also triggers additional reboots. These additional reboots are only triggered on the Solo XC and when upgrading to 13.3.x. They are not triggered on other nShield HSMs during firmware upgrade. On the Solo XC, the additional reboots increase the upgrade time by up to five minutes and require that you keep both the Solo XC and the host connected to the power. -
Confirm the version of the monitor and firmware.
-
Put the module into the different modes if and when prompted to do so. When supported, the mode of the nShield PCIe HSM changes automatically. Changing mode on an nShield USB-attached HSM requires the Clear switch to be pressed.
For information on changing the mode, see * The HSM must be in pre-initialization mode. See Checking and changing the mode on an nShield Solo module for more about changing the mode.
-
When the
nfloadmon
utility has completed, put the module into initialization mode (if prompted), and then initialize the module by running the command:initunit
-
Put the module in Maintenance mode and reset the module.
-
Run the
enquiry
command to verify the module is in maintenance state and has the correct monitor version.In Maintenance mode, the
enquiry
command shows the version number of the monitor. -
Put the module in Operational mode and reset the module.
-
Run the
enquiry
command to verify the module is in operational state and has the correct firmware version. -
Log in to the host as normal.
In Operational mode, the
enquiry
command shows the version number of the firmware.
Upgrading firmware only
The firmware is provided on a separate .iso and not on the Security World installation media.
For the latest nShield firmware, request a DVD or .iso download link from Entrust Support at nshield.support@entrust.com.
|
To upgrade the firmware on a module:
-
Log in to the host as a user in the group
nfast
(Linux) or as an Administrator (Windows). -
Put the module in Maintenance mode and reset the module.
-
The HSM must be in pre-initialization mode. See Checking and changing the mode on an nShield Solo module for more about changing the mode.
-
-
Run the
enquiry
command-line utility to check that the module is in the pre-maintenance state. -
Insert the firmware DVD or mount the firmware
.iso
, depending on the provided upgrade media format. -
Load the new firmware by running the command:
- Linux
-
loadrom -m<module_number> /disc_name/firmware/product/status/firmware_file.nff
- Windows
-
loadrom -m<module_number> E:\firmware\product\status\firmware_file.nff
In this command:
-
<module_number>
is the module number (such as-m2
for module 2). -
disc_name`
is the directory on which you mounted the installation media. -
E`
is the drive letter of your installation media. -
product
is the type of product. -
status
is the certification status. -
firmware_file
is the firmware file name.
For example:
- Linux
-
loadrom -m2 /mnt/cdromname/firmware/Solo/latest/solo-13-3-1-vsn29.nff
- Windows
-
loadrom -m2 E:\firmware\Solo\latest\solo-13-3-1-vsn29.nff
The firmware files are signed and encrypted; you can load only the correct version for your module.
Upgrading the nShield Solo XC to 13.3.x firmware also triggers additional reboots. These additional reboots are only triggered on the Solo XC and when upgrading to 13.3.x. They are not triggered on other nShield HSMs during firmware upgrade. On the Solo XC, the additional reboots increase the upgrade time by up to five minutes and require that you keep both the Solo XC and the host connected to the power. -
Solo XC only
Reboot the Solo XC for the firmware upgrade to take effect:
- Linux bare metal environments
-
With the module in Maintenance mode, run the following command to reboot the Solo XC.
nopclearfail -S -m<module_number>
- Linux virtual environment hosts
-
Reboot the Solo XC by rebooting the system that is hosting the Solo XC.
- Windows
-
With the module in Maintenance mode, reboot the system that is hosting the Solo XC.
Wait for the Solo XC to reboot. This takes around 10 minutes on a host machine running Linux. The module has completed rebooting when running
enquiry
no longer shows the module as Offline. -
Put the module in initialization mode and reset the module.
-
Initialize the module by running the command:
initunit
-
Put the module in Operational mode and reset the module.
-
Run the
enquiry
command to verify the module is in operational state and has the correct firmware version.In Operational mode, the
enquiry
command shows the version number of the firmware. -
Log in to the host as normal.
After firmware installation
After you have installed new firmware and initialized the HSM, you can create a new Security World with the HSM or reinitialize the HSM into an existing Security World.
If you are initializing the HSM into a new Security World, see Creating a Security World.
If you are re-initializing the HSM into an existing Security World, see Adding or restoring an HSM to the Security World.