Upgrading firmware: PCIe and USB HSMs

This appendix describes how to load an updated image file and associated firmware onto your nShield hardware security module.

Version Security Number (VSN)

The firmware includes a Version Security Number (VSN). This number is increased whenever we improve the security of the firmware.

We supply several versions of the module firmware. You can always upgrade to firmware with an equal or higher VSN than that currently installed on your module.

You can never load firmware with a lower VSN than the currently installed firmware.

Ensuring you use firmware with the highest available VSN allows you to benefit from security improvements and enhanced functionality. It also prevents future downgrades of the firmware that could potentially weaken security. However, you may choose to install an associated firmware that does not have the highest available VSN. For example, if you have a regulatory requirement to use FIPS-approved firmware, you should install the latest available FIPS-validated firmware, which may not have the highest VSN. Similarly, if you want to install a version with enhanced features without committing yourself to the upgrade, you can do so providing you upgrade only to firmware with a VSN equal to that currently installed on your module.

Firmware on the installation media

Your nShield HSM and Firmware installation media contains several sets of firmware for each supplied product. These can include the latest available:

  • FIPS-approved firmware with the base VSN

  • FIPS-approved firmware with a higher VSN

  • Firmware awaiting FIPS approval with the base VSN

  • Firmware awaiting FIPS approval with a higher VSN.

You should ensure you are using the latest firmware, unless you have a regulatory requirement to use firmware that has been FIPS validated. In the latter case, you should ensure that you are using the latest available FIPS validated firmware.

Recognising firmware files

The firmware and monitor files are stored in subdirectories within the firmware directory on the installation media. The subdirectories are named by product and then certification status, which can be latest, fips-pending, fips, or cc.

Firmware and monitor files for hardware modules have a .nff filename suffix. Monitor filenames have a solo-monitor prefix and are in the Solo Monitor subdirectory. (Files that have a .ftv suffix are used for checking similarly named firmware files. They are not firmware files.)

Files for use with nShield Solo modules have solo in the filename and are in the Solo subdirectory. Files for use with nShield Solo XC modules have soloxc in the filename and are in the SoloXC subdirectory. Files for use with nShield Edge modules have edge in the filename and are in the Edge subdirectory.

The VSN of a firmware file is incorporated into its filename and is denoted by a dash and the letters "vsn" followed by the digits of the VSN. For example, -vsn24 means the VSN is 24.

To display information about a firmware file on the installation media, enter the following command:

Linux
loadrom --view /disc-name/firmware/product/status/firmware_file.nff

In this command, disc-name is the directory on which you mounted the installation media, product is the type of product, status is the certification status, and firmware_file is the file name.

Windows
loadrom --view E:\firmware\product\status\firmware_file.nff

In this command, E is the drive letter of your installation media, product is the type of product, status is the certification status, and firmware_file is the file name.
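
The filename conventions in this section, together with the rule that firmware with a lower VSN can never be loaded, can be checked before running loadrom or nfloadmon. The shell functions below are an added example, not part of the vendor tooling. The installed VSN is passed in by the operator (an assumption: this page does not say how to read it from the module), and the names nff_vsn and vsn_preflight are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a firmware file name before loadrom/nfloadmon.
# Assumption: the operator supplies the installed VSN; nothing here queries the module.

# Print the VSN encoded in a file name ("-vsn" followed by digits); return 2 if none.
nff_vsn() {
    name=${1##*/}                       # drop any leading directory
    case "$name" in
        *.ftv) echo "$name: .ftv files check firmware files, they are not firmware" >&2
               return 2 ;;
        *.nff) ;;
        *)     echo "$name: not a .nff file" >&2; return 2 ;;
    esac
    vsn=$(printf '%s\n' "$name" | sed -n 's/.*-vsn\([0-9][0-9]*\).*/\1/p')
    [ -n "$vsn" ] || { echo "$name: no -vsn<digits> in name" >&2; return 2; }
    printf '%s\n' "$vsn"
}

# vsn_preflight INSTALLED_VSN FILE
# Returns 0 if FILE has an equal or higher VSN, 1 if it is lower (the module
# will not load it), 2 if the arguments cannot be interpreted.
vsn_preflight() {
    installed=$1
    file=$2
    case "$installed" in
        ''|*[!0-9]*) echo "installed VSN must be a number" >&2; return 2 ;;
    esac
    candidate=$(nff_vsn "$file") || return 2
    if [ "$candidate" -lt "$installed" ]; then
        echo "REFUSE: $file has VSN $candidate, lower than installed VSN $installed" >&2
        return 1
    elif [ "$candidate" -eq "$installed" ]; then
        echo "OK: $file keeps VSN $installed"
    else
        echo "OK: $file raises VSN $installed -> $candidate; lower-VSN firmware cannot be loaded afterwards"
    fi
}

# Constructed demo: installed VSN 26 is an assumed value; the -vsn24 and .ftv
# names are made up to show the refusal paths.
for f in solo-13-3-1-vsn29.nff solo-0-0-0-vsn24.nff solo-13-3-1-vsn29.ftv; do
    vsn_preflight 26 "$f" || echo "  -> exit status $?"
done
```

A passing check only confirms the VSN rule; the module still verifies the signed and encrypted file when it is loaded.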

Using new firmware

To use the new firmware, you must:

  1. Install the latest software. See the Installation Guide for more information about software installation.

  2. Install the latest firmware, as described below.

Windows only: This appendix assumes that you have installed the hardserver as a service. This is the default installation procedure. See the Installation Guide for more information about software installation.

This chapter describes how to upgrade module firmware for nShield PCIe and USB-attached HSMs. If you have an nShield network-attached HSM, refer to the corresponding chapter in the User Guide for that nShield HSM.

Firmware installation overview

The process of installing or updating firmware on an nShield module depends on whether you need to upgrade the module’s monitor.

The Solo XC module does not have a separate monitor program; see Upgrading firmware only.

Each module has a monitor, which allows you to load firmware onto the module.

To check the version number of the monitor on the module:

  1. Log in to the host as a user in the group nfast (Linux) or as an Administrator (Windows).

  2. Put the module in Maintenance mode and reset the module.

    • The HSM must be in pre-initialization mode.

  3. Run the enquiry command-line utility and check that the module is in the pre-maintenance state.

    The Version number shown is for the monitor.

If you need to upgrade both the monitor and firmware, you must use the nfloadmon utility; see Upgrading both the monitor and firmware.

If you need to upgrade the firmware only, you must use the loadrom utility; see Upgrading firmware only.

If you are upgrading a module that has SEE program data or NVRAM-stored keys in its nonvolatile memory, use the nvram-backup utility to back up your data first.

Upgrading both the monitor and firmware

You must only use this procedure if you need to upgrade the monitor and firmware on an nShield module, for example, for Remote Administration functionality. If you only need to upgrade the firmware, or have a Solo XC module, see Upgrading firmware only.

Follow this procedure carefully. Do not interrupt power to the module during this upgrade process.

To upgrade the monitor and firmware on a module:

  1. Log in to the host as a user in the group nfast (Linux) or as an Administrator (Windows).

  2. Run the command:

    Linux
    nfloadmon -m<module_number> --automode /disc_name/firmware/product/monitor/status/monitor_file.nff /disc_name/firmware/product/status/firmware_file.nff
    Windows
    nfloadmon -m<module_number> --automode E:\firmware\product\monitor\status\monitor_file.nff E:\firmware\product\status\firmware_file.nff

    In this command:

    • <module_number> is the module number (such as -m2 for module 2).

    • disc_name (Linux) is the directory on which you mounted the installation media.

    • E (Windows) is the drive letter of your installation media.

    • status is the certification status.

    • monitor_file is the monitor file name.

    • product is the type of product.

    • firmware_file is the firmware file name.

    --automode enables automated mode switching for nShield PCIe HSMs, when supported in Remote Administration environments.

    Monitor version 2.60.1 is required to enable remote mode switching. Remote mode switching is not supported on nShield USB-attached HSMs.

    For example:

    Linux
    nfloadmon -m2 /mnt/cdromname/firmware/Solo/monitor/latest/solo-2-60-1-vsn26.nff /mnt/cdromname/firmware/Solo/latest/solo-13-3-1-vsn29.nff
    Windows
    nfloadmon -m2 --automode E:\firmware\Solo\monitor\latest\solo-2-60-1-vsn26.nff E:\firmware\Solo\latest\solo-13-3-1-vsn29.nff

    The firmware files are signed and encrypted; you can load only the correct version for your module.

    Upgrading the nShield Solo XC to 13.3.x firmware also triggers additional reboots. These additional reboots are only triggered on the Solo XC and when upgrading to 13.3.x. They are not triggered on other nShield HSMs during firmware upgrade. On the Solo XC, the additional reboots increase the upgrade time by up to five minutes and require that you keep both the Solo XC and the host connected to the power.

  3. Confirm the version of the monitor and firmware.

  4. Put the module into the different modes if and when prompted to do so. When supported, the mode of the nShield PCIe HSM changes automatically. Changing mode on an nShield USB-attached HSM requires the Clear switch to be pressed.

    For information on changing the mode, see * The HSM must be in pre-initialization mode.

  5. When the nfloadmon utility has completed, put the module into initialization mode (if prompted), and then initialize the module by running the command:

    initunit

  6. Put the module in Maintenance mode and reset the module.

  7. Run the enquiry command to verify the module is in maintenance state and has the correct monitor version.

    In Maintenance mode, the enquiry command shows the version number of the monitor.

  8. Put the module in Operational mode and reset the module.

  9. Run the enquiry command to verify the module is in operational state and has the correct firmware version.

    In Operational mode, the enquiry command shows the version number of the firmware.

  10. Log in to the host as normal.

Upgrading firmware only

PCIe HSMs

The firmware is provided on a separate .iso and not on the Security World installation media. For the latest nShield firmware, request a DVD or .iso download link from Entrust Support at nshield.support@entrust.com.

If the HSM to be upgraded is part of an audit logging Security World, you will need to finalize the audit log before starting the upgrade. See audit logging and firmware upgrade for information on how to do this.

To upgrade the firmware on a module:

  1. Log in to the host as a user in the group nfast (Linux) or as an Administrator (Windows).

  2. Put the module in Maintenance mode and reset the module.

    • The HSM must be in pre-initialization mode.

  3. Run the enquiry command-line utility to check that the module is in the pre-maintenance state.

  4. Insert the firmware DVD or mount the firmware .iso, depending on the provided upgrade media format.

  5. Load the new firmware by running the command:

    Linux
    loadrom -m<module_number> /disc_name/firmware/product/status/firmware_file.nff
    Windows
    loadrom -m<module_number> E:\firmware\product\status\firmware_file.nff

    In this command:

    • <module_number> is the module number (such as -m2 for module 2).

    • disc_name is the directory on which you mounted the installation media.

    • E is the drive letter of your installation media.

    • product is the type of product.

    • status is the certification status.

    • firmware_file is the firmware file name.

    For example:

    Linux
    loadrom -m2 /mnt/cdromname/firmware/Solo/latest/solo-13-3-1-vsn29.nff
    Windows
    loadrom -m2 E:\firmware\Solo\latest\solo-13-3-1-vsn29.nff

    The firmware files are signed and encrypted; you can load only the correct version for your module.

    Upgrading the nShield Solo XC to 13.3.x firmware also triggers additional reboots. These additional reboots are only triggered on the Solo XC and when upgrading to 13.3.x. They are not triggered on other nShield HSMs during firmware upgrade. On the Solo XC, the additional reboots increase the upgrade time by up to five minutes and require that you keep both the Solo XC and the host connected to the power.

  6. Solo XC only

    Reboot the Solo XC for the firmware upgrade to take effect:

    Linux bare metal environments

    With the module in Maintenance mode, run the following command to reboot the Solo XC.

    nopclearfail -S -m<module_number>

    Linux virtual environment hosts

    Reboot the Solo XC by rebooting the system that is hosting the Solo XC.

    Windows

    With the module in Maintenance mode, reboot the system that is hosting the Solo XC.

    Wait for the Solo XC to reboot. This takes around 10 minutes on a host machine running Linux. The module has completed rebooting when running enquiry no longer shows the module as Offline.

  7. Put the module in initialization mode and reset the module.

  8. Initialize the module by running the command:

    initunit

  9. Put the module in Operational mode and reset the module.

  10. Run the enquiry command to verify the module is in operational state and has the correct firmware version.

    In Operational mode, the enquiry command shows the version number of the firmware.

  11. Log in to the host as normal.

After firmware installation

After you have installed new firmware and initialized the HSM, you can create a new Security World with the HSM or reinitialize the HSM into an existing Security World.

If you are initializing the HSM into a new Security World, see Create a new Security World.

If you are re-initializing the HSM into an existing Security World, see Adding or restoring an HSM to the Security World.