User HSM Installation and Setup User Guide

User HSM Installation and Setup
User Guide
For Libero SoC v11.7 SP2
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Referenced Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1 U-HSM Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Server Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Security World and HSM Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2 U-HSM Installation and Setup Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3 Initial U-HSM Server Installation and Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
U-HSM Server Software Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
HSM Hardware Module Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
U-HSM Server Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
FTP Server Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
10
10
10
14
26
4 U-HSM Reconfiguration and Post-Installation Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
HSM Module Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Import the Public Keys of the M-HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Export the Public Keys for Sending to an M-HSM/MFG-HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Create the DFK DB and Manufacturing Keys for the M-HSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Upgrade the HSM Module Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
35
35
36
36
36
5 U-HSM Server Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Install the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Copy Over the Security World . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Copy Over the U-HSM Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Install a New HSM Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Start the U-HSM Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Set Up the FTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
37
37
37
37
37
37
A Product Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Customer Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Customer Technical Support Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contacting the Customer Technical Support Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
ITAR Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
38
38
38
38
39
Revision 1
2
Introduction
This User Guide provides installation and setup instructions for the User HSM (U-HSM) Server. The
U-HSM server is configured to generate HSM jobs. The U-HSM server can generate jobs for the
following scenarios:
•
Test-execution of the job on the same U-HSM server utilizing the Manufacturer HSM Server
(M-HSM) function of U-HSM.
•
Job execution is done on the contract manufacturer side using M-HSM.
•
Job execution is done by the Secure In-house Programming Solution (sIHP).
Refer to the Secure Production Programming Solution (SPPS) User Guide for information about the
scenarios above and a description of the HSM flow.
This User Guide contains the following chapters:
Chapter 1, "U-HSM Server", describes the U-HSM server components and system requirements.
Chapter 2, "U-HSM Installation and Setup Scenarios", provides a general description of the installation
scenarios.
Chapter 3, "Initial U-HSM Server Installation and Setup", explains the installation and setup process.
Chapter 4, "U-HSM Reconfiguration and Post-Installation Actions", provides instructions for the setup
and maintenance actions that can be performed on an installed and provisioned U-HSM server.
Chapter 5, "U-HSM Server Replication", explains how to replicate an existing U-HSM server to one or
more new U-HSM servers.
For installation and setup instructions for the Contract Manufacturer HSM (M-HSM), refer to the
Manufacturer HSM Installation and Setup Guide.
Referenced Documents
This User Guide references the following documents:
•
Secure Production Programming Solution (SPPS) User Guide (Microsemi SOC)
•
Programming Job Manager User Guide (Microsemi SOC)
•
FlashPro Express User’s Guide (Microsemi SOC)
•
Libero User’s Guide (Microsemi SOC)
•
nShield Edge and Solo User Guide for Windows (Thales)
•
Manufacturer HSM Installation and Setup Guide (Microsemi SOC)
Revision 1
3
1 – U-HSM Server
The U-HSM server is used to generate programming jobs and securely send them for execution to a
contract manufacturer or Secure In-house Programming Solution (sIHP) system. Test-execution of the
HSM job can be done using the M-HSM function of the U-HSM server.
The U-HSM server is designed to serve requests from the Job Manager Tool which, once the U-HSM
server is up and running, needs to be configured to work with it. Refer to the Programming Job Manager
User Guide for more information.
Server Components
Figure 1-1 shows the components of the U-HSM server.
Figure 1-1 • U-HSM Server Components
Security World and HSM Modules
The most important component of the U-HSM server is the HSM module. The HSM module carries out
cryptographic operations involving protected security keys. All data is stored outside the module on the
disk of the host system in encrypted form. Every module is associated with the Security World (see the
nShield Edge and Solo User Guide for Windows) that combines a set of keys giving module access to
the information in the database located on the PC side. The same Security World can be replicated to
multiple HSM servers, if needed. The HSM module is controlled via standard Thales nShield software
that includes hardware drivers and low level components providing access to the services inside the
module. Custom SEE firmware (algorithms related to the protocols implemented in Microsemi devices)
and known as the SEE Machine is stored on the disk of the host PC, and is loaded into the module as
part of the power up process.
Revision 1
4
HSM Module Types
Microsemi is the official redistributor of nShield Edge (Figure 1-2) and nShield Solo HSM Modules
(Figure 1-3).
Figure 1-2 • Thales nShield Edge HSM Module
.
Figure 1-3 • nShield Solo PCIe HSM Module
The nShield Edge module is attached to USB 2.0 port of the PC and has an integrated card reader. The
nShield Solo module is PCIe-based and requires a desktop PC with a spare PCIe port. The card reader
is attached to the module via cable.
Note: For the HSM module specification, including performance characteristics, refer to the nShield Edge
and Solo User Guide for Windows.
Revision 1
5
Security World Cards
Both types of HSM modules are shipped with the nShield Security World cards (Figure 1-4) that can be
used to create an Administrator Card Set (ACS). The ACS provides access to the administrative
functions of the Security World:
•
Control access to Security World configuration
•
Authorize recovery and replacement operations
ACS cards are initialized upon creation of the Security World.
Figure 1-4 • Example of nShield Security World Card
Note: There is a special requirement regarding total and quorum numbers of ASC cards. Refer to the
nShield Edge and Solo User Guide for Windows for more information.
Activator Card and Feature Licensing (Thales)
The Activator Card (Figure 1-5) enables HSM Module product features and is generated along with the
license purchase. Installation instructions in this document show how to use this type of card.
Figure 1-5 • Example of Activator Card
Revision 1
6
This card is linked to the specific hardware module and must match the module serial number (see
Figure 1-6). The "Serial Number" field shown on the back of the card should match the Serial Number of
the module.
All features that can be enabled by this card are listed on the back of the card.
Figure 1-6 • Back of the Activator Card
Note: In addition to Activation Cards, licensing features can be enabled using a file on disk or by entering
an initialization bitstream from the keyboard. Additional licensing features can be added to the
module later via a separate PO process.
Module Warrant File (Thales)
Every nShield HSM Module comes with a warrant file generated by Thales. This file provides
cryptographic proof of module origin (explained in the key management section of the Secure Production
Programming Solution (SPPS) User Guide). The warrant file is provided via the HSM Module purchase
process.
HSM Module License File (Microsemi)
Microsemi provides a Microsemi-generated license file that binds the user-created Security World with
one or more HSM modules through their serial numbers.
System Requirements
The U-HSM server can run on Windows 7 x64 Pro or Windows 8.1 x64 operating systems. Server
software is installed on a dedicated physical machine with one nShield Edge or Solo HSM module
attached.
Note: It is possible to use a virtual machine to run HSM server. However, Microsemi has only validated
U-HSM server functionality on the nShield Edge module using a VMWare virtual machine.
Validation was performed using the Thales-suggested method of connecting the Edge module
directly to the host system and then giving the virtual machine module access via a virtual COM
interface added to the host system by the module driver. See the nShield Edge and Solo User
Guide for Windows for setup instructions.
Revision 1
7
Acquire the U-HSM Components
HSM hardware modules are purchased directly from Microsemi. Every module comes with the
components described in "Security World and HSM Modules" on page 4.
The following is a list of the U-HSM components. Figure 1-7 provides a high level flow view:
1. nShield Edge or Solo HSM Module
–
Module
–
Card Reader (Solo module only. Edge module has integrated card reader)
–
Mounting hardware for regular and compact desktop form factors (Solo module only)
–
Set of Security World cards
–
Activator Card (additional licensing features can be provided in a separate file)
2. Warrant File (created by Thales, supplied by Microsemi)
3. Licensing File (created and provided by Microsemi after a Security World UUID is issued)
4. User provides PC with supported operating systems installed (see "System Requirements" on
page 7).
Figure 1-7 • Acquiring U-HSM Parts
Revision 1
8
2 – U-HSM Installation and Setup Scenarios
This User Guide describes the following installation and setup options:
1. Initial installation
a. Install all required software components.
b. Update all required configuration files.
c. Install the HSM module.
d. Provision the U-HSM server.
–
Create new Security World and Administrator Card Set (ACS).
–
Generate all required keys.
–
Exchange public encryption and public verify keys with M-HSM or sIHP server.
–
Exchange public keys with MFG-HSM.
–
Import Diversified Factory Key Database (DFK DB) (see the Secure Production Programming
Solution (SPPS) User Guide for information about DFK DB) and the MFG keys received from
Microsemi.
–
If job execution is done with the help of a contract manufacturer, prepare DFK DB and MFG
keys for use by M-HSM.
2. Replication of the existing U-HSM server (creates a copy of already provisioned U-HSM
server)
a. Install all required software components.
b. Copy Security World from the source U-HSM server.
c. Copy the U-HSM server software.
d. Copy the existing DFK DB.
e. Install and connect an HSM module to the Security World new HSM module.
3. Post-installation (maintenance) steps
a. Upgrade the HSM Module Firmware.
b. Replace the HSM module.
c. Exchange public keys with MFG-HSM.
d. Import public keys of an M-HSM.
e. Export public keys for sending to an M-HSM.
f. Prepare the DFK DB for sending to an M-HSM.
Revision 1
9
3 – Initial U-HSM Server Installation and Setup
This chapter describes how to install and set up a new U-HSM server.
Note: Text highlighted in red in this chapter indicates commands or other information to take note of.
Software Installation
This section explains the manual installation process for setting up the U-HSM server.
One of the supported operating systems must be installed with all security and stability updates applied.
1. Microsoft Visual C++ 2010 Redistributable Package (x64) available from Microsoft
2. Visual C++ Redistributable for Visual Studio 2012 (x64) available from Microsoft
3. .NET Framework 4.0 or up available from Microsoft
4. FTP Server (e.g. FileZilla)
5. Java Runtime 2 available from Oracle
6. Latest version of the nShield Security World Software (coming with the HSM modules).
–
The installation disk contains a folder with documentation in PDF format.
–
Installation of SNMP client can be ignored as the software for this implementation does not
use it.
–
The default installation directory for the Security World is C:\Program Files
(x86)\nCipher\nfast.
–
All Security World utilities referred to in this guide are located in %NFAST_HOME%\bin.
–
The Microsemi SPPS solution is tested against the specific version of the Security World.
Refer to the U-HSM server Release Notes for the compatible version number.
U-HSM Server Software Installation
1. Create the top level directory.
Note: This User Guide uses C:\Microsemi as an example
2. Unpack all files and subdirectories from the provided zip file under the U-HSM directory and copy
to C:\Microsemi.
3. Verify that the following additional subdirectories exist:
–
C:\Microsemi\DFKDB - This location will be used for storing imported DFK databases
–
C:\Microsemi\JobDB - This location will store job ticket database files
–
C:\Microsemi\JobDB\JobDBArchive - Folder for archiving completed job ticket database files
–
C:\Microsemi\Logs - For log files
HSM Hardware Module Installation
Note: This section provides the steps to connect a new HSM module to the PC. If you are replacing the
HSM module on a configured U-HSM server, start from "HSM Module Replacement" on page 35. If
you are replicating the U-HSM server, refer to "Set Up a New HSM Module" on page 35.
The U-HSM server requires the presence of a single HSM module. After the installation of nShield
software, as shown in "Software Installation" on page 10, the system should have module drivers and all
nShield utilities installed.
Revision 1
10
Connect the HSM Module to the PC
Follow the instructions in the nShield Edge and Solo User Guide for Windows to physically connect the
module to the PC.
Once the module is connected, read module status with the nfkminfo utility. The output of nfkminfo shows
information about the attached module, such as ESN (serial number), status, etc. If the module is not
detected or in the "failed" state, restart the nfast server and read the module status again:
net stop "nfast server"
net start "nfast server"
Note: If necessary, the HSM module can be erased to the factory state using the new-world command.
Example: new-world -e -m1 erases the module with the ID=1 to the factory state. This operation is
done in the pre-initialization mode.
Upgrade HSM Module Firmware
This section provides instructions for Thales firmware upgrade. This firmware physically resides inside
the HSM module and is different from the Microsemi-provided SEE machine.
Firmware Revisions
The firmware revision of the HSM module that is used in SPPS must be approved by Microsemi. The list
of the approved firmware revisions is available in the U-HSM Release Notes. Additional instructions
about firmware revisions may be published via Microsemi security advisories.
Note: Any HSM firmware revision that is not approved by Microsemi is not guaranteed to work
and is not guaranteed to satisfy security requirements of the SPPS solution. The use of
such firmware revisions is done at customer's own risk.
Thales HSM module firmware images are available in the HSM Installation media, or can be obtained
directly from Thales customer service.
Note: Installation media may include various versions of the firmware that may be FIPS certified or
awaiting FIPS certification. Your choice depends on the security policies of your organization.
Compatibility of Firmware Revisions
Warning! The firmware upgrade may be non-reversible. Read this section for important details.
Thales HSM module firmware has two versioning characteristics:
•
Firmware revision number
•
Version Security Number (VSN)
The firmware revision number identifies the individual version of the firmware, while the VSN can group
multiple revisions together and is used to restrict revision downgrade, so that intruders cannot move a
module to the firmware with known security issues. The downgrade is possible to any firmware revision
with the same VSN as the one in the module. The upgrade can be done to any revision with the same or
higher VSN number.
Information about firmware revisions and their respective VSN numbers is available on the Security
World installation media of firmware upgrade media distributed as part of Thales security advisories.
Read the HSM Module Firmware Revision Info
The current revision of the HSM firmware can be checked using the "enquiry" Security World utility.
An example of reading the firmware revision number is shown in Figure 3-1.
Revision 1
11
Module #1:
enquiry reply flags none
enquiry reply level Six
serial number
1301-C8A9-BEF7
mode
operational
version
2.55.1
speed index
544
rec. queue
19..152
level one flags
Hardware HasTokens
version string
2.55.1cam7 built on Jul 08 2015 14:24:15
checked in
000000004856847b Mon Jun 16 08:19:23 2008
level two flags
none
max. write size
8192
level three flags
KeyStorage
level four flags
OrderlyClearUnit HasRTC HasNVRAM HasNSOPermsCmd ServerHasPollCmds
FastPollSlotList HasSEE HasKLF H
asShareACL HasFeatureEnable HasFileOp HasPCIPush HasKernelInterface HasLongJobs ServerHasLongJobs
AESModuleKeys NTokenCm
ds JobFragmentation LongJobsPreferred Type2Smartcard ServerHasCreateClient HasInitialiseUnitEx
module type code
7
product name
nC1003P/nC3023P/nC3033P
device name
#1 PCI bus 6 slot 5
EnquirySix version
6
impath kx groups
DHPrime1024 DHPrime3072
feature ctrl flags
LongTerm
features enabled
GeneralSEE StandardKM
version serial
26
rec. LongJobs queue 18
SEE machine type
PowerPCSXF
supported KML types DSAp1024s160 DSAp3072s256
Figure 3-1 • Reading HSM Module Firmware Revision
Upgrade Firmware
This section provides general guidance for the firmware update. If the firmware upgrade is done due to a
Microsemi security advisory, please follow the instructions in the advisory. General description of the
upgrade process and instruction for switching HSM module into specific mode is available in the nShield
Edge and Solo User Guide for Windows.
Note: The firmware upgrade process erases all information contained in the module, except the enabled
licensing features explained in "Enable the Module Licensing Feature" on page 13.
Step 1
Switch the module mode to the "maintenance" mode.
To switch the nShield Edge module to maintenance state, use the Mode button to change mode to the
"M" (maintenance mode) and then push and hold down the "Clear" button to activate the "M" state.
The mode switching on the Solo HSM module is done by moving the three-position switch to the "M"
state and resetting the module using a paper clip. Both module controls are located on the Solo module
and are accessible outside the PC box.
For more detailed mode switching instructions, refer to the nShield Edge and Solo User Guide for
Windows.
Step 2
Load the new firmware using the "loadrom" command, pointing to the firmware image.
Note: When entered, the "loadrom" command starts without prompting for user confirmation.
Revision 1
12
An example of the output during firmware upgrade is shown in Figure 3-2.
C:\>loadrom -m1 C:\shared\FWUpgrade\firmware\2-55-1\ncx1z-26.nff
version 2.50.16cam18 built on Sep 23 2010 20:36:19
programming module #1
module erased
starting programming *+
firmware integrity mech. DSAhSHA256
module accepted signature
block size allowed by unit 1910, using 1910
loading chunk 0 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 1 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 2 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 3 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 4 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 5 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 6 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 7 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 8 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 9 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 10 +++++++++++++++++++++++++++++++++++ programming done
loading chunk 11 +++++++++++++++++++++++++++++++++++ programming done
programming done
Figure 3-2 • Firmware Upgrade
Step 3
Switch module mode to the "pre-init" mode.
Step 4
Initialize the module using the "initunit" command:
C:\>initunit
Initialising Unit 1 (SetNSOPerms)
Setting dummy HKNSO
Module Key Info:
HKNSO is:C8 39 AC 0D EE D9 A9 65 AC F9 12 0F F2 02 F9 79 8C 2C A4 5D
HKM[0] is:FD 2D 47 53 86 05 CF F4 27 53 1A 01 FD 8D E8 02 00 DD C7 55
Figure 3-3 • Module Initialization during firmware upgrade
Step 5
Confirm module firmware revision is upgraded as expected using the "enquiry" command.
Enable the Module Licensing Feature
This section shows how to enable specific HSM module features.
Note: To activate new license features using the fet utility, the module must be switched to the preinitialization mode.
Revision 1
13
To run custom firmware created for the SPPS system (SEE Machine), the module must have the "SEE
Activation (EU+10)" feature enabled as shown in the sample in Figure 3-4. Feature status of the module
can be checked or activated using fet (feature enabling tool).
C:\>fet
Feature Enable Tool
===================
payShield Activation
| ISO Smart Card Support
|
| Remote Operator
|
|
| Korean Algorithms
|
|
|
| SEE Activation (EU+10)
|
|
|
|
| SEE Activation (Restricted)
|
|
|
|
|
| CodeSafe SSL
|
|
|
|
|
|
| Elliptic Curve algorithms
|
|
|
|
|
|
|
| Elliptic Curve MQV
|
|
|
|
|
|
|
|
| Accelerated ECC
|
|
|
|
|
|
|
|
|
|
Mod
Electronic
No. Serial Number
1 586F-B963-9146 -- NO
0.
1.
2.
3.
4.
NO
NO
NO
YES NO
NO
NO
NO
NO
Exit Feature Enable Tool.
Read FEM certificate(s) from a smart card or cards.
Read FEM certificate from a file.
Read FEM certificate from keyboard.
Write table to file.
Enter option :
Figure 3-4 • Sample output of the Feature Activation Tool
Choose option #1 and activate the features listed on your Activator Card (see "Activator Card and
Feature Licensing (Thales)" on page 6). The feature activating tool auto-detects the card and performs
activation. New activation status is printed on the screen.
If your Activator Card did not include the "SEE Activation (EU+10)" feature, it may have been provided to
you in a separate file. The file name includes the module serial number, for example:
USProdCGT3-01253481317_SEEUE_8FD6-2609-F7A2.txt
This file can be used during activation independently from the Activator Card by selecting option #2.
Note: Erasing a module to the factory settings does not remove licensing features enabled using the fet
tool. Licensing feature reset can only be done at the factory.
U-HSM Server Provisioning
Create the Security World
Security World is created with the new-world utility documented in the nShield Edge and Solo User Guide
for Windows. The module must be moved to the pre-initialization mode.
The example shown in Figure 3-5 creates a new Security World:
-i
Creates a new Security World.
-m
Specifies ID of the physical HSM module to be added to the Security World.
-Q
Specifies the minimum number of smart cards needed from the ACS to authorize a feature
and the total number of smart cards to be used in the ACS. This example has a total of two
cards, with only one card needed to authorize a feature.
-c
Tells the utility what type of key to use for the new Security World. This example uses the
1024 bit AES key. Options should be considered based on desired security strength.
Revision 1
14
During creation of the Security World, the user is prompted to insert and initialize all ACS cards specified
by the -Q option.
C:\Microsemi\Tools>new-world -i -m 1 -Q 1/2 -c DLf1024s160mRijndael dseeall
Create Security World:
Module 1: 0 cards of 2 written
Module 1 slot 0: empty
Module 1 slot 0: unknown card
Module 1 slot 0:- no passphrase specified - overwriting card
Module 1: 1 card of 2 written
Module 1 slot 0: remove already-written card #1
Module 1 slot 0: empty
Module 1 slot 0: unknown card
Module 1 slot 0:- no passphrase specified - overwriting card
Card writing complete.
security world generated on module #1; hknso = 15d0780e37252b3a1d8bf339a9bd6d779d1991bc
Figure 3-5 • Sample output from creation of new Security World
Tip: The values of the hknso parameters can be used to uniquely identify the Security World.
Tip: If the module is not in the pre-initialization state, creation of the Security World may encounter an
error, as shown in Figure 3-6.
12:46:57 WARNING: Module #1: Module has failed
new-world: module 1 not suitable: module key type Rijndael not supported
new-world: Aborting world operation.
Figure 3-6 • Error message if module is not in pre-initialization state
The new Security World is a file that is created in the following location: %NFAST_KMDATA%\local
Note: This location also contains all other related security keys.
Once the Security World is created, the module should be moved to the operational mode.
Read the Status of the Security World
The status information related to the existing Security World and attached module(s) can be viewed
using the nfkminfo utility. Refer to the nShield Edge and Solo User Guide for Windows for more
information.
To use this and most of the commands listed in the sections below, the module must be in the operational
mode.
Figure 3-7 shows sample output of the nfkminfo utility.
This status information contains several important fields. The hknso and hkm fields allow the user to
uniquely identify the specific Security World.
Revision 1
15
Once a module is moved to the operational state, the module status read by nfkminfo should indicate
"usable" module state.
C:\Microsemi\Tools>nfkminfo
World
generation 2
state
0x1f250000 Initialised !Usable Recovery !PINRecovery !ExistingClient RTC NVRAM FTO !Alw
aysUseStrongPrimes SEEDebugForAll
n_modules
1
hknso
15d0780e37252b3a1d8bf339a9bd6d779d1991bc
hkm
e113ba16497e0576b99bd2f0150f126204426507 (type Rijndael)
hkmwk
1d572201be533ebc89f30fdd8f3fac6ca3395bf0
hkre
c59ca14ee277dca5497b2e4c5a113d238b613c0b
hkra
078ea5ba02d3300c462e9c84988e673a09896dcb
hkmc
4f18cdf70289ee823520bc252060ebf97eb61032
hkrtc
90c54dafcb5836ccec08d2cd75776cb5d53d6a6c
hknv
b8b80d9794b98588dddfedf650bfd59a7bed1765
hkdsee
6fc988762e441e44de4a5c1a6ba6b34a2fb47aa2
hkfto
3a70b6e939cc3ee779ddae9ce5fb79cb067c42c0
hkmnull
0100000000000000000000000000000000000000
ex.client
none
k-out-of-n 1/2
other quora m=1 r=1 nv=1 rtc=1 dsee=1 fto=1
createtime 2015-01-13 23:29:09
nso timeout 10 min
ciphersuite DLf1024s160mRijndael
Module #1
generation
state
flags
n_slots
esn
hkml
2
0xa InitMode
0x0 !ShareTarget
2
586F-B963-9146
ac4e6e3e02f27d7a7d0a182077546a62ec390513
Module #1 Slot
generation
phystype
slotlistflags
state
flags
shareno
shares
error
No Cardset
#0 IC 3
1
SmartCard
0x2 SupportsAuthentication
0x4 Admin
0x0
2
LTNSO LTM LTR LTNV LTRTC LTDSEE LTFTO
OK
Module #1 Slot
generation
phystype
slotlistflags
state
flags
shareno
shares
error
No Cardset
#1 IC 0
1
SoftToken
0x0
0x2 Empty
0x0
0
OK
No Pre-Loaded Objects
Figure 3-7 • Status of the Security World
Install the SEE Integ Key
The SEE Integ Key is a key used to link SEE firmware and keys used in SPPS (see the Secure
Production Programming Solution (SPPS) User Guide for details). It must be installed before any other
keys can be generated or exported.
The key is installed by simply copying its file key_seeinteg_userdata-signer located under the SEE folder
of the U -HSM server directory to the Security World data folder: %NFAST_KMDATA%\local.
Revision 1
16
Example: copy C:\Microsemi\SEE\key_seeinteg_userdata-signer %NFAST_KMDATA%\local
Proper installation of the SEE Signer Key can be confirmed using the "nfkminfo -k" command, as shown
in Figure 3-8.
C:\Program Files (x86)\nCipher\nfast\bin>nfkminfo -k
Key list - 1 key
AppName seeinteg
Ident userdata-signer
Figure 3-8 • Confirming correct installation of the SEE Signer key
Get Hash of the SEE Integ Key
The hash of the signer key is used for key identification and referencing key signer during various
operations such as creation of the HSM private/public key pairs.
The hash value of the key signer can be retrieved using nfkminfo:
nfkminfo -k seeinteg userdata-signer | find "hash"
See the example below:
hash
72ae19963f2f9a88e49babb09ffb039328c94f3a
Create NVRAM-based Storage in the HSM Module
This step uses the nvram-sw utility to create an internal flash-based storage file for ticket processing and
other tasks that must keep certain information inside the physical module (i.e., make them physically
uncloneable). The example in Figure 3-9 shows output during NVRAM creation.
To run this action:
•
The module must be in the operational mode.
•
The ACS (admin) card must be inserted into the card reader.
Enter the following command to create NRAM:
nvram-sw.exe -a -b 8096 -n udsigner -k seeinteg,userdata-signer
The -b parameter specifies memory size. The value of 8096 specifies partition size. This value is fixed in
the current version of the U-HSM server.
Note: The -k parameter must follow the exact format: comma separated values with no spaces.
C:\>nvram-sw.exe -a -b 8096 -n udsigner -k seeinteg,userdata-signer
Load Admin Card (for KNV):
Module 1 slot 0: `SEEOCS' #2
Module 1 slot 0: empty
Card reading complete.
Figure 3-9 • Creating ENVM storage inside the HSM module
Erase Already Created NVRAM
If NVRAM already exists in the module, it can be removed by entering the following command:
nvram-sw.exe -d -n udsigner
Note: Deletion of the existing NVRAM file erases all tickets (if loaded into the module).
Configure the U-HSM Server and Tools
This section provides setup instructions for the U-HSM server. It assumes that the directory structure for
the U-HSM server was created in the default location C:\Microsemi.
Revision 1
17
Update Server and Tools Configuration
The U-HSMMaster.config file contains settings for the U-HSM server. Currently, there are two separate
config files with the same name and identical content. For the default installation location, the file path is:
C:\Microsemi\Server\U-HSMMaster.config
and
C:\Microsemi\Tools\U-HSMMaster.config
Change the following settings as shown:
1. DFK database location - confirm the location matches actual path:
<add key="G4HSMAPI.DFKDBPath" value="C:\Microsemi\DFKDB" />
2. Ticket database location - confirm the location matches actual path:
<add key="G4HSMAPI.JobTicketDBPath" value="C:\Microsemi\JobDB"/>
3. Ticket archive directory:
<add key="G4HSMAPI.JTPLogArchivePath" value="C:\Microsemi\JobDB\JobDBArchive"/>
4. U-HSM UUID 32 symbols long hex string obtained from Microsemi (00..01 in this example):
<add key="My_UUID" value=" 00000000000000000000000000000001"/>
5. SEEK Secret key: g4cu-seesk-<U_HSM_UUID> (00..01 in this example):
<addkey="G4HSMAPI.CSEEKey" value="g4cu-seesk- 00000000000000000000000000000001" />
Generate the ISK key (*g4see-isk)
The ISK key is a global system key used for internal system functions such as import of
M-HSM or sIHP public keys (seepk and seespk).
Generate the ISK key as follows:
1. Open the command prompt as an administrator and change directory to C:\Microsemi\Tools.
2. Execute the following script (see the sample output in Figure 3-10).
"%nfast_home%\python\bin\python.exe" C:\Microsemi\Tools\gensymmkey.py -u userdata-signer -i
g4see-isk.
C:\Microsemi\Tools>"%nfast_home%\python\bin\python.exe" C:\Microsemi\Tools\gensymmkey.py -u
userdata-signer -i g4see-isk
===========================================================
= Generating symmetric key with ExportAsPlain enabled
=
= KeyIdent:
simple/g4see-isk
= KeyHash:
7a7895eb 081498b9 0f05d9de 257ae43d 7896dacd
=
SEE App KeyIdent: seeinteg/userdata-signer
=
SEE APP KeyHash:
57827118 b0e20b11 2ff56be0 820a6020 7154b8a7
=
= Open group perms: DuplicateHandle|ReduceACL|GetACL
= SEE App perms:
ExportAsPlain|GetAppData
===========================================================
Success!
Generated key simple/g4see-isk
Figure 3-10 • Sample output from generation of the ISK key
Generate the U-HSM Master Key (g4mcu)
This is a symmetric encryption key that protects all internal project information such as keys, tickets,
security protocol data, etc. while processing inside the U-HSM.
Generate the U-HSM Master Key as follows:
1. Open the command prompt as an administrator and change directory to C:\Microsemi\Tools.
2. Execute the following command (see the sample output in Figure 3-11).
Revision 1
18
"%nfast_home%\python\bin\python.exe" C:\Microsemi\Tools\gensymmkey.py -u userdata-signer
-i g4mcu-< CU_MASTER_HSM_UUID >
CU_MASTER_HSM_UUID is a user-selected master key UUID. This UUID must be set in the settings of
the application using this HSM server. Length: 40 hex symbols. This key must be unique within the
Security World used by this HSM.
C:\Microsemi\DFKDB>"%nfast_home%\python\bin\python.exe" C:\Microsemi\Tools\gensymmkey.py -u
userdata-signer -i g4mcu-1000000000000000000000000000000000000002
===========================================================
= Generating symmetric key with ExportAsPlain enabled
=
= KeyIdent:
simple/g4mcu-1000000000000000000000000000000000000002
= KeyHash:
8b8de231 a7dc5a7c 4ae4484d c6c0d8a9 2816432a
=
SEE App KeyIdent: seeinteg/userdata-signer
=
SEE APP KeyHash:
72ae1996 3f2f9a88 e49babb0 9ffb0393 28c94f3a
=
= Open group perms: DuplicateHandle|ReduceACL|GetACL
= SEE App perms:
ExportAsPlain|GetAppData
===========================================================
Figure 3-11 • Generating U-HSM Master Key
Set Up the SEE Machine Firmware for Loading into the HSM Module
This step configures the system to load firmware into the HSM module. The loadsee-setup command
sets up paths to the SEE Machine files. See the sample output in Figure 3-12.
loadsee-setup --setup -m1 -M C:\Microsemi\SEE\U-HSMsee-edg.sar -U C:\Microsemi\SEE\userdata.sar -p
g4cusee --force
Module #1 has an existing configuration:
Module #1:
Machine file:
C:\Microsemi\SEE\U-HSMsee-edg.sar
Encryption key:
Signing key hash:
Userdata file:
C:\Microsemi\SEE\userdata.sar
WorldID published object: g4cusee
Postload helper:
Postload args:
Erase this configuration? (yes/no): yes
Module #1 new SEE configuration saved, new configuration follows:
Module #1:
Machine file:
C:\Microsemi\SEE\U-HSMsee-edg.sar
Encryption key:
Signing key hash:
Userdata file:
C:\Microsemi\SEE\userdata.sar
WorldID published object: g4cusee
Postload helper:
Postload args:
Figure 3-12 • Setting up SEE firmware loading
Different HSM module types require different firmware images. All images are located in the SEE folder
and have the extension sar. The userdata.sar file works with any module type.
Module Type
Firmware File
nShield Edge
U-HSMsee-edg.sar
nShield Solo
U-HSMsee-ppc.sar
Revision 1
19
The next step is to confirm that the SEE Machine firmware has loaded successfully. Use the
GetLoadingSEEName.bat script in the Utils folder, as shown in Figure 3-13. The SEE Machine firmware
is loaded when the -MemAllocUser variable reads a non-zero value.
Note: Actual loading of the SEE firmware after setting it up with the loadsee-setup command may take a
few minutes for the slower Edge module. During that period, -MemAllocUser remains 0.
C:\Microsemi\Tools>C:\Microsemi\Utils\GetLoadingSEEName.bat
WorldID = 'g4cmsee'
-MemAllocUser
933888
If MemAllocUser is 0, SEE is not loaded
Figure 3-13 • Confirming loading of the SEE firmware
If the module cannot load firmware, check the correctness of the parameters specified during the
loadsee-setup step and repeat the attempt, making sure the proper module type is selected.
Generate the SEE Private/Public Encryption and Signing Keys
The SEE Key pairs are created to provide secured exchange of information between U-, M- , and MFGHSM servers. One pair of keys is used for encryption and decryption and the other pair is used for
creating and verifying digital signatures.
Obtain the Customer UUID from Microsemi
Customer UUID (U_UUID) is a 32-symbol hex string identifier that is assigned by Microsemi via the
Microsemi Portal (see the Secure Production Programming Solution (SPPS) User Guide for details).
Example of the Customer UUID: "00000000000000000000000000000001"
Note: UUID must have all lower case characters.
Private/Public SEE keys must use the Customer UUID assigned by Microsemi.
Once the UUID value is available, update the tag in both U-HSMMaster.config files, under the server and
tools directories, as explained in "Update Server and Tools Configuration" on page 18.
Generate the U-HSM Private Keys
1. Open the command prompt as an administrator and change directory to C:\Microsemi\Tools.
2. Create the SEE Key for encryption using the U-HSMGenImp utility:
U-HSMGenImp -p g4cusee -g -c <key_signer_hash> -n g4cu-seesk-<U_HSM_UUID>
U_HSM_UUID: Microsemi-assigned customer UUID.
The "-c" flag must be used as shown in this example. It corresponds to the userdata-signer key installed
during the installation of the SEE Integ key (see "Install the SEE Integ Key" on page 16.
See the sample in Figure 3-14.
C:\Microsemi\Tools>U-HSMGenImp -p g4cusee -g -c 72ae19963f2f9a88e49babb09ffb039328c94f3a -n g4cuseesk-00000000000000000000000000000001
Starting to generate SEE RSA key...
SEE RSA key: g4cu-seesk-00000000000000000000000000000001...generated
Figure 3-14 • Creating SEE Key for encryption and decryption
The created key is stored in the Security World directory as follows (with the highlighted part
corresponding to the customer UUID):
key_simple_g4cu-seesk-00000000000000000000000000000001
Once the key is generated, it needs to be set up in both U-HSMMaster.config files, in the Server and
Tools directories, as described in "Update Server and Tools Configuration" on page 18.
3. Create the SEE Key for signing using the U-HSMGenImp utility:
U-HSMGenImp -p g4cusee -g -c <key_signer_hash> -n g4cu-seessk-<U_HSM_UUID> -S
Revision 1
20
All of the parameters are same as in step 2 with the exception of name (i.e., seessk vs seesk) and a flag.
The "-S" flag corresponds to generating the key for the signing operation instead of for encryption.
See the sample in Figure 3-15.
C:\Microsemi\Tools>U-HSMGenImp -p g4cusee -g -c 72ae19963f2f9a88e49babb09ffb039328c94f3a -n g4cuseessk-00000000000000000000000000000001 -S
Starting to generate SEE RSA key...
SEE RSA key: g4cu-seessk-00000000000000000000000000000001...generated
Figure 3-15 • Creating SEE Key for signing and verify
The created key is stored in the Security World directory as follows (with the highlighted part
corresponding to the customer UUID):
key_simple_g4cu-seessk-00000000000000000000000000000001
Export the U-HSM Public Keys
This step exports the public component of the U-HSM SEE keys for importing it into other HSM machines
for secure information exchange. One public key is used by HSM servers to encrypt data that is to be
sent back to this U-HSM server and the other public key is used to verify the signature of data sent out
from this U-HSM server.
Set Up the Warrant File
Before starting the key export, make sure to copy the HSM module warrant file from Thales into the Tools
directory. This file contains a cryptogram that identifies the origin of the HSM module. The file name
follows the format "warrant-[ESN].txt", where ESN is the module serial number that can be printed using
the nfkminfo utility. The following is an example of the warrant file copied into the Tools directory:
C:\Microsemi\Tools\warrant-586F-B963-9146.txt
Export Public Key for Encryption
Enter the following command to export:
ExportSeeKey.bat g4cu-seesk-<U_UUID>
This file is placed in the current directory (Tools, in this case). See the sample output in Figure 3-16.
C:\Microsemi\Tools> ExportSeeKey.bat g4cu-seesk-00000000000000000000000000000001
Package data for key 'simple/g4cu-seesk-00000000000000000000000000000001' written to file 'pkgg4cu-seepk-00000000000000000000000000000001-5a4a52b3'
Figure 3-16 • Export of the SEE public key for encryption
Export Public Key for Verifying Signature
Enter the following command to export:
ExportSeeKey.bat g4cu-seessk-<U_UUID>
This file is placed in the current directory (Tools, in this case). See the sample output in Figure 3-17.
C:\Microsemi\Tools> ExportSeeKey.bat g4cu-seessk-00000000000000000000000000000001
Package data for key 'simple/g4cu-seessk-00000000000000000000000000000001' written to file 'pkgg4cu-seespk-00000000000000000000000000000001-0754c1eb'
Figure 3-17 • Export of the SEE public key for verifying signature
Once exported, these files should be imported into the following HSMs, depending on your particular
flow:
•
This U-HSM server, to enable M-HSM function if M-HSM function is used
•
M-HSM(s) that are to execute jobs generated by this U-HSM server, if used
•
Microsemi Manufacturing (MFG) HSM - required. See "Key Exchange with Microsemi" on page
22.
•
Microsemi IHP, if used
Revision 1
21
Install the HSM Module License File
The license file is issued by Microsemi and binds the UUID used by Security World and one or more
HSM modules.
Once available, this file must be put in the Server and Tools directories of the current installation.
Open the Server Port
To make the U-HSM server accessible to the clients running outside the host operating system, the
firewall rules must be changed to open 8000.
Start Up the U-HSM Server
The U-HSM server executable is located in the Server directory, and the full path for the default
installation location is:
C:\Microsemi\Server\U-HSMServer.exe
The server must be started in "As Admin" mode. The session can be terminated by pressing the "Enter"
key. Sample output is shown in Figure 3-18.
C:\Microsemi\Server>U-HSMServer.exe
The service Running
Press <ENTER> to exit.
Figure 3-18 • Starting U-HSM Server
Tip: During the session, the server produces log output to the file located here:
C:\ProgramData\G4KMSServer\G4KMSHSMAPI.log
Key Exchange with Microsemi
Before the U-HSM server can receive data from the Microsemi HSM, both HSMs need to exchange the
public keys.
The Microsemi HSM needs to import the U-HSM public encryption key so that it can securely send
encrypted data to the U-HSM. See "Export the U-HSM Public Keys" on page 21, which explains how to
export this public encryption key.
The U-HSM needs to import the Microsemi HSM public verify key so that it can authenticate the digitally
signed files it receives from Microsemi. See "Import the Microsemi HSM Public Verify Key" on page 22,
which explains how to import the Microsemi HSM public key.
Refer to the Microsemi portal for all operations listed in this step.
Import the Microsemi HSM Public Verify Key
Once the customer receives the Microsemi HSM public verify key, they need to import it into the U-HSM.
Use the U-HSMGenImp utility for this type of import:
U-HSMGenImp -p g4cusee -i -n g4mf-seespk -a pkg-g4mf-seespk-<hex> -k g4see- isk
pkg-g4mf-seespk-<hex>: This is the file on the disk with the key to be imported for verifying signature.
Example: pkg-g4mf-seespk-121187e7
The resulting files are created in the Security World key folder. Information about these keys can be
viewed using the "nfkminfo -k" command.
Example of resulting key file: key_simple_g4mf-seespk
Revision 1
22
Sample output is shown in Figure 3-19.
C:\Microsemi\Tools>U-HSMGenImp -p g4cusee -i -n g4mf-seespk -a pkg-g4mf-seespk-121187e7 -k g4seeisk
RedeemTicket successful
Starting to import SEE public key...
Vimport successful
SEE public key, g4mf-seespk, imported successfully
Figure 3-19 • Starting U-HSM Server
Obtain the DFK Database from Microsemi
For each customer, Microsemi generates a database of the diversified factory keys (DFK DB) for all
devices they use. Those keys are stored in encrypted form. The key exchange step as mentioned in "Key
Exchange with Microsemi" on page 22 must be completed before the DFK database can be obtained.
Request the DFK Database
Send the DFK DB request to Microsemi. Refer to the Microsemi portal for information about how this can
be done.
The file with the DFK DB has the extension DFK DB. This database needs to be imported (merged into
the U-HSM server).
DFK DB file name example: DFKUPD- 00000000000000000000000000000001-20150115.DFKDB
Import (Merge) the DFKDB into the U-HSM Server
The import is done using U-HSMDFKDBMerger utility in the Tools folder. The "-f" flag must be used for
the first import. This creates a new database file.
For subsequent DFKDB imports, the "-f" flag should not be used. If a re-import of the DFK DB is
necessary, use the "-ForceMerged" flag.
The import must be executed in the DFKDB location specified in the configuration file (see "Update
Server and Tools Configuration" on page 18 for details).
Import the DFKDB as follows:
1. Go to the DFKDB directory as specified in the configuration file. For the default installation path:
cd C:\Microsemi\DFKDB.
2. For the first time import, this directory should be empty, because U-HSM DFK DB has not yet
been created.
3. Copy the DFK DB file received from Microsemi to C:\Microsemi\DFKDB.
Example of the file DFK DB file name:
DFKUPD- 00000000000000000000000000000001-20150115.DFKDB
4. Execute the merge as shown on the example below, specifying your DFK DB file name.
–
For the first time merge, use the "-f" flag.
–
To force a merge again for the same file, use the "-ForceMerged" flag.
C:\Microsemi\Tools\U-HSMDFKDBMerger.exe -f DFKUPD- 0000000000000000000000000000000120150115.DFKDB
5. Confirm that the first time merge was successful. The DFKDB directory will show that a new file
has been created. The file name follows the example below (the highlighted field is the same as
your customer UUID):
DFK- 00000000000000000000000000000001.DFKDB
Revision 1
23
See the sample output in Figure 3-20.
C:\Microsemi\DFKDB>C:\Microsemi\Tools\U-HSMDFKDBMerger -f DFKUPD- 0000000000000000000000000000000120150115.DFKDB
G4DFKDBMerger Starting
DFKUpdate (DFKUPD-00000000000000000000000000000001-20150115.DFKDB) is merged into DFK00000000000000000000000000000001.DFKDB successfully
Figure 3-20 • First time import of the DFK Database into U-HSM
Import Manufacturing Keys from the DFK DB
This step imports device-type specific keys that are used for bitstream generation and other tasks. These
keys are part of the DFK DB. The U-HSMImportMFKeys utility is used for the key import in the following
format:
U-HSMImportMFKeys <import_key_file>
import_key_file: file with the DFK DB
Example: DFKUPD- 00000000000000000000000000000001 -20150115.DFKDB
C:\Microsemi\DFKDB>C:\Microsemi\Tools\U-HSMImportMFKey DFKUPD-0000000000000000000000000000000120150115.DFKDB
Imported MF 2 keys successfully
Figure 3-21 • Import for the MFG Keys
Import the U-HSM Server’s Public Keys to Enable the M-HSM
Function
The U-HSM server needs to import its public keys to execute its jobs or send jobs for execution to
another U-HSM server running the same Security World.
Use the U-HSMGenImp utility for this type of import:
U-HSMGenImp -p g4cusee -i -n g4cu-seepk-<U _UUID> -a pkg-g4cu-seepk--<U_UUID> -k g4seeisk
U-HSMGenImp -p g4cusee -i -n g4cu-seespk-<U _UUID> -a pkg-g4cu-seespk-<U_UUID> -k g4seeisk
U_UUID: 32 symbols long UUID of this U-HSM server
Example: "00000000000000000000000000000001"
This U_ UUID is used by the client application (JobManager) to refer to this key. Therefore, it needs to be
set up in the application settings.
pkg-g4cu-seepk-<U_UUID>: This is the prefix of the file on the disk with the key to be imported for
encryption.
Example: pkg-g4cu-seepk-00000000000000000000000000000001-8eb9680a
pkg-g4cu-seespk-<U_UUID>: This is prefix of the file on the disk with the key to be imported for verifying
signature.
Example: pkg-g4cu-seespk-00000000000000000000000000000001-0754c1eb
The resulting files are created in the Security World key folder.
Example of resulting key files: key_simple_g4cu-seepk-00000000000000000000000000000001 and
key_simple_g4cu-seespk-00000000000000000000000000000001
Information about these keys can be viewed using the "nfkminfo -k" command.
Revision 1
24
Sample output is shown in Figure 3-22.
C:\Microsemi\Tools> U-HSMGenImp -p g4cusee -i -n g4cu-seepk-00000000000000000000000000000001-a pkgg4cu-seepk-00000000000000000000000000000001-8eb9680a -k g4see-isk
RedeemTicket successful
Starting to import SEE public key...
Vimport successful
SEE public key, g4cu-seepk-00000000000000000000000000000001, imported successfully
C:\Microsemi\Tools> U-HSMGenImp -p g4cusee -i -n g4cu-seespk00000000000000000000000000000001-a pkg-g4cu-seespk-00000000000000000000000000000001-0754c1eb -k
g4see-isk
RedeemTicket successful
Starting to import SEE public key... Vimport successful
SEE public key, g4cu-seespk-00000000000000000000000000000001, imported successfully
Figure 3-22 • Importing U-HSM Public Keys
Import the M-HSM Public Keys
The U-HSM server needs public keys for every M-HSM, including the IHP that executes jobs from this UHSM server, to send information to it in a secured way and to verify the authenticity of the data.
Use the U-HSMGenImp utility for this type of import:
U-HSMGenImp -p g4cusee -i -n g4cm-seepk-<M_ UUID> -a pkg-g4cm-seepk-<M_UUID> -k g4seeisk
U-HSMGenImp -p g4cusee -i -n g4cm-seespk-<M_UUID> -a pkg-g4cm-seespk-<M_UUID> -k
g4see-isk
M_UUID: 40 hex characters long UUID for the imported M-HSM public key.
Example: "0000000000000000000000000000000000000002'"
The M_UUID is used by the client application (JobManager) to refer to this key. Therefore, it needs to be
set up in the application settings.
pkg-g4cm-seepk-<M_UUID>: This is the prefix of the file on the disk with the key to be imported for
encryption.
Example: pkg-g4cm-seepk- 0000000000000000000000000000000000000002-2db19054
pkg-g4cm-seespk-<M_UUID>: This is prefix of the file on the disk with the key to be imported for verifying
signature.
Example: pkg-g4cm-seespk- 0000000000000000000000000000000000000002- f5544785
The resulting files are created in the Security World key folder. Information about these keys can be
viewed using the "nfkminfo -k" command.
Example of resulting key files: key_simple_g4cm-seepk0000000000000000000000000000000000000002 and key_simple_g4cm-seespk0000000000000000000000000000000000000002
Revision 1
25
Sample output is shown in Figure 3-23.
C:\Microsemi\Tools>U-HSMGenImp -p g4cusee -i -n g4cm-seepk-0000000000000000000000000000000000000002
-a pkg-g4cm-seepk-0000000000000000000000000000000000000002-2db19054 -k g4see-isk
RedeemTicket successful
Starting to import SEE public key...
Vimport successful
SEE public key, g4cm-seepk-0000000000000000000000000000000000000002, imported successfully
C:\Microsemi\Tools>U-HSMGenImp -p g4cusee -i -n g4cm-seespk0000000000000000000000000000000000000002 -a pkg-g4cm-seespk0000000000000000000000000000000000000002-f5544785 -k g4see-isk
RedeemTicket successful
Starting to import SEE public key... Vimport successful
SEE public key, g4cm-seespk-0000000000000000000000000000000000000002, imported successfully
Figure 3-23 • Importing U-HSM Public Key
Prepare and Send Device Data to the M-HSM
To execute programming jobs, the user needs to send device information to the manufacturer. This
information is sent in a DFK DB file. This file is specially prepared for the manufacturer (M-HSM). The
following information is included:
•
DFK DB with the ticket keys encrypted with the M-HSM public key
•
MFG keys exported by Microsemi MFG-HSM and encrypted with the M-HSM public key
The following steps show how to prepare the DFK DB for the M-HSM. This flow assumes the user
already has the DFK DB for the U-HSM server.
Step 1
Make a copy of the DFKDB folder (default location is C:\Microsemi\DKFDB) and save it.
Step 2
Prepare the MFG keys for the U-HSM server.
Make sure the M-HSM public key has been imported into Microsemi MFG-HSM. This is done via the
Microsemi Portal.
Request that Microsemi export manufacturing keys (MFG keys) for the M-HSM.
Step 3
Prepare the DFK DB for the M-HSM. This will rewrap DFK DB ticket keys with the M-HSM public key,
making DFK values accessible to the M-HSM and it will also include the MF keys for M-HSM.
Make sure the M-HSM public key has already been imported into the U-HSM server:
U-HSMExportDeviceData.bat <MF Keys file from Microsemi>.xml <M_UUID>
<MF Keys file> is the XML file with the MFG keys for your M-HSM that is obtained in Step 1.
<M_UUID> is a 40 hex symbol M-HSM UUID.
Step 4
Send the DFK DB inside the DFKDB folder to the M-HSM.
Step 5
Remove the DFKDB folder and replace it with original folder saved in Step 1.
Restart the HSM Server
Perform the following steps to restart the server and ensure that the U-HSM server loads the new
configuration properly:
1. Stop U-HSMServer.exe.
2. Run "nopclearfail -c -m1".
3. Wait until the SEE machine is loaded, as shown in Figure 3-13.
4. Start U-HSMServer.exe.
Revision 1
26
FTP Server Setup
An FTP server is required on the U-HSM server for the M-HSM function. It provides access to the job
status and job termination functions for the administrator on FlashProExpress. The server is used to
retrieve information from the ticket database located in the directory specified by G4CUMaster.config file
(see "Update Server and Tools Configuration" on page 18 for details).
The following example shows how to set up the FTP server using FileZilla.
The FTP port is set to 21. The home directory is set to C:\Microsemi\ftp, and the ticket DB (/JobDB) is set
to C:\Microsemi\JobDB.
1. Open the FileZilla Server application.
Revision 1
27
2. Go to Menu->Edit->Settings, make sure the default port is set to 21, and close the dialog box.
Revision 1
28
3. Open user settings: Menu->Edit->Users.
4. Click Add and enter the new user name as "hsm".
5. Click OK.
Revision 1
29
6. In the Users dialog box, select the Password check box and enter your password, for example
"hsm".
Revision 1
30
7. In the "Page" tree view, select the "Shared folders" option.
8. Click Add.
9. Navigate to the C:\Microsemi\ftp folder.
10. Click OK.
Revision 1
31
11. Set permissions for this directory to Read/Write/Delete.
12. Repeat this step and add the location of the ticket database.
13. Make sure the JobDB has Read/Write/Delete permissions.
Revision 1
32
14. Right-click the JobDB entry and select "Edit aliases".
15. Set alias as "/JobDB".
16. Confirm the home directory is set to the ftp folder and alias to the JobDB, as shown below.
Revision 1
33
17. Confirm that the FTP server functions as expected. Follow the example in Figure 3-24 below.
C:\Microsemi\DFKDB>ftp sjsocprgw7p1
Connected to sjsocprgw7p1.microsemi.net.
220-FileZilla Server version 0.9.48 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
User (sjsocprgw7p1.microsemi.net:(none)): hsm
331 Password required for hsm
Password:
230 Logged on
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/"
JobDB
226 Successfully transferred "/"
ftp> cd JobDB
250 CWD successful. "/JobDB" is current directory.
ftp> ls
200 Port command successful
150 Opening data channel for directory listing of "/JobDB"
226 Successfully transferred "/JobDB"
ftp>
Figure 3-24 • Checking setup of the FTP server
18. Similarly, create the /JobDBArchive FTP location at the same level as /JobDB and pointing to
C:\Microsemi\JobDB\JobDBArchive.
Revision 1
34
4 – U-HSM Reconfiguration and Post-Installation
Actions
This chapter provides instructions for the setup and maintenance actions that can be performed on an
installed and provisioned U-HSM.
HSM Module Replacement
Note: Only one module at a time can be connected to U-HSM.
Note: If the old module is removed from the U-HSM, unfinished programming jobs will not be able to
proceed.
For jobs in progress, certain ticket information is stored inside the NVRAM of the HW module, which
makes job tickets physically uncloneable.
Remove the Old HSM Module
Physically disconnect the old module. The U-HSM Security World contains a file with the module
information. While this file can co-exist with the files for other modules added to the system, the user can
choose to remove it for security reasons. The file is located in the Security World directory:
%NFAST_KMDATA%\local directory. The file name follows the pattern "module_<module_ESN>". If
needed, the user can also remove the licensing file from the Server and Tools directories:
<U_UUID>.g4sl.
Set Up a New HSM Module
After the module is installed on the system, it must be added to the Security World and set up to load
SEE Machine firmware per module type.
Module Installation
1. Install a new HSM module (see "HSM Hardware Module Installation" on page 10)
2. Install the Microsemi-issued HSM module license (see "Install the HSM Module License File" on
page 22)
3. Install the module warrant file (see "HSM Hardware Module Installation" on page 10)
Add the HSM Module to the Security World
The following steps require the Administrative Card Set (ACS). The number of required cards and their
respective passphrases depend on the settings specified during Security World creation (see "Create the
Security World" on page 14)
1. Set module to the pre-init state
2. Add the HSM module to the security world using the new-world command:
new-world --program --no-remoteshare-cert -m 1
3. Create a new NVRAM file (see "Create NVRAM-based Storage in the HSM Module" on page 17)
4. Set module to the operational state
5. Setup HSM module to load SEE Machine firmware: follow instructions in "Set Up the SEE
Machine Firmware for Loading into the HSM Module" on page 19.
Key Exchange with Microsemi
Follow the instructions in "Key Exchange with Microsemi" on page 22.
Revision 1
35
Import the Public Keys of the M-HSM
Follow the instructions in "Import the M-HSM Public Keys" on page 25.
Export the Public Keys for Sending to an M-HSM
Follow the instructions in "Export the U-HSM Public Keys" on page 21.
Create the DFK DB and Manufacturing Keys for the M-HSM
Follow the instructions in "Prepare and Send Device Data to the M-HSM" on page 26.
Upgrade the HSM Module Firmware
This step shows how to upgrade HSM module firmware (not to be confuse with the SEE Machine
firmware). The firmware upgrade may be necessary in following cases:
•
The HSM module has a firmware revision that is not supported by the JobManger and/or
FlashProExpress version used (see U-HSM release notes for the supported revisions)
•
User wants to switch to another revision of Microsemi-supported firmware
•
Microsemi issues a security advisory
Note: If the U-HSM has any active programming jobs (via M-HSM function of the U-HSM), they will be
disabled through the firmware upgrade. Also, firmware upgrade will erase NVRAM and any
information about module association with the World. Please follow the steps below to upgrade
firmware of the HSM module and restore HSM module on the U-HSM server:
1. Read the important notes in "Upgrade HSM Module Firmware" regarding the firmware upgrade
procedure and firmware revisions compatibilities:
Note: If the firmware upgrade is initiated by a Microsemi security advisory, the instructions in the
advisory shall supersede the instructions in this guide
2. Terminate any active job(s):
If M-HSM function of the U-HSM is used, and U-HSM has any unterminated jobs, the job should
be terminated from FlashProExpress tool using complete_prog_job command TCL command
(see the FlashPro Express User’s Guide)
3. Upgrade HSM module firmware
HSM module firmware upgrade instructions are provided in "Upgrade HSM Module Firmware" on
page 11.
4. Restore module association with the Security World.
Follow the instructions in "Add the HSM Module to the Security World".
5. Start U-HSM Server
Follow the instructions in "Start Up the U-HSM Server" on page 22 and confirm successful server
start
6. If M-HSM function of the U-HSM is used, re-submit new programming jobs, if needed
Revision 1
36
5 – U-HSM Server Replication
An existing U-HSM server can be replicated to one or more new U-HSM servers. As a result, the
replicated server gets a copy of the Security World, all HSM keys, imported public keys, the DFK DB and
manufacturing keys already existing on the source system.
Note: Programming jobs cannot be replicated, but they can be transferred. The overbuild protection does
not allow cloning of any job that may exist in the source system. Job tickets reside inside the
physical HSM module, and can only be transferred to the new system along with the physical
module.
The M-HSM function of the U-HSM can be used across physically separate U-HSMs if they run the same
Security World.
The following sections provide instructions for U-HSM server replication:
Install the Software
Follow the instructions in "Software Installation" on page 10 and install all required software packages.
Copy Over the Security World
Copy the content of the Security World directory from the source to the destination machine. The location
of the security world directory is: %NFAST_KMDATA%\local.
This step copies over the entire security environment:
•
Security World data
•
Created U-HSM keys
•
Imported public keys
•
Imported MFG keys
Copy Over the U-HSM Server
1. Copy HSM server software components from the source HSM to the destination folder of the new
server (the default location is C:\Microsemi)
2. On the destination machine, delete the ticket db files (job cannot be replicated):
–
C:\Microsemi\JobDB and
–
C:\Microsemi\JobDB\JobDBArchive
Install a New HSM Module
Follow the instructions in "Set Up a New HSM Module" on page 35.
Start the U-HSM Server
Follow the instructions in "Start Up the U-HSM Server" on page 22.
Set Up the FTP Server
Follow the instructions in "FTP Server Setup" on page 27.
Revision 1
37
A – Product Support
Microsemi SoC Products Group backs its products with various support services, including Customer
Service, Customer Technical Support Center, a website, electronic mail, and worldwide sales offices.
This appendix contains information about contacting Microsemi SoC Products Group and using these
support services.
Customer Service
Contact Customer Service for non-technical product support, such as product pricing, product upgrades,
update information, order status, and authorization.
From North America, call 800.262.1060
From the rest of the world, call 650.318.4460
Fax, from anywhere in the world, 650.318.8044
Customer Technical Support Center
Microsemi SoC Products Group staffs its Customer Technical Support Center with highly skilled
engineers who can help answer your hardware, software, and design questions about Microsemi SoC
Products. The Customer Technical Support Center spends a great deal of time creating application
notes, answers to common design cycle questions, documentation of known issues, and various FAQs.
So, before you contact us, please visit our online resources. It is very likely we have already answered
your questions.
Technical Support
For Microsemi SoC Products Support, visit http://www.microsemi.com/products/fpga-soc/design-support/
fpga-soc-support.
Website
You can browse a variety of technical and non-technical information on the Microsemi SoC Products
Group home page, at www.microsemi.com/soc.
Contacting the Customer Technical Support Center
Highly skilled engineers staff the Technical Support Center. The Technical Support Center can be
contacted by email or through the Microsemi SoC Products Group website.
Email
You can communicate your technical questions to our email address and receive answers back by email,
fax, or phone. Also, if you have design problems, you can email your design files to receive assistance.
We constantly monitor the email account throughout the day. When sending your request to us, please
be sure to include your full name, company name, and your contact information for efficient processing of
your request.
The technical support email address is soc_tech@microsemi.com.
Revision 1
38
My Cases
Microsemi SoC Products Group customers may submit and track technical cases online by going to My
Cases.
Outside the U.S.
Customers needing assistance outside the US time zones can either contact technical support via email
(soc_tech@microsemi.com) or contact a local sales office.
Visit About Us for sales office listings and corporate contacts.
Sales office listings can be found at www.microsemi.com/soc/company/contact/default.aspx.
ITAR Technical Support
For technical support on RH and RT FPGAs that are regulated by International Traffic in Arms Regulations
(ITAR), contact us via soc_tech_itar@microsemi.com. Alternatively, within My Cases, select Yes in the ITAR
drop-down list. For a complete list of ITAR-regulated Microsemi FPGAs, visit the ITAR web page.
Microsemi Corporate Headquarters
One Enterprise, Aliso Viejo,
CA 92656 USA
Within the USA: +1 (800) 713-4113
Outside the USA: +1 (949) 380-6100
Sales: +1 (949) 380-6136
Fax: +1 (949) 215-4996
E-mail: sales.support@microsemi.com
©2016 Microsemi Corporation. All rights
reserved. Microsemi and the Microsemi
logo are trademarks of Microsemi
Corporation. All other trademarks and
service marks are the property of their
respective owners.
About Microsemi
Microsemi Corporation (Nasdaq: MSCC) offers a comprehensive portfolio of semiconductor
and system solutions for communications, defense & security, aerospace and industrial
markets. Products include high-performance and radiation-hardened analog mixed-signal
integrated circuits, FPGAs, SoCs and ASICs; power management products; timing and
synchronization devices and precise time solutions, setting the world's standard for time; voice
processing devices; RF solutions; discrete components; Enterprise Storage and
Communication solutions, security technologies and scalable anti-tamper products; Ethernet
solutions; Power-over-Ethernet ICs and midspans; as well as custom design capabilities and
services. Microsemi is headquartered in Aliso Viejo, Calif. and has approximately 4,800
employees globally. Learn more at www.microsemi.com.
Microsemi makes no warranty, representation, or guarantee regarding the information contained herein or
the suitability of its products and services for any particular purpose, nor does Microsemi assume any
liability whatsoever arising out of the application or use of any product or circuit. The products sold
hereunder and any other products sold by Microsemi have been subject to limited testing and should not
be used in conjunction with mission-critical equipment or applications. Any performance specifications are
believed to be reliable but are not verified, and Buyer must conduct and complete all performance and
other testing of the products, alone and together with, or installed in, any end-products. Buyer shall not rely
on any data and performance specifications or parameters provided by Microsemi. It is the Buyer's
responsibility to independently determine suitability of any products and to test and verify the same. The
information provided by Microsemi hereunder is provided "as is, where is" and with all faults, and the entire
risk associated with such information is entirely with the Buyer. Microsemi does not grant, explicitly or
implicitly, to any party any patent rights, licenses, or any other IP rights, whether with regard to such
information itself or anything described by such information. Information provided in this document is
proprietary to Microsemi, and Microsemi reserves the right to make any changes to the information in this
document or to any products and services at any time without notice.
5-02-00706-1/10.16
Download PDF
Similar pages