Luna HSM firmware 7.9.0 was released in July 2025. It includes bug fixes and improvements.
>Download Luna HSM Firmware 7.9.0 for Luna Network HSM 7
NOTE This package requires Luna Appliance Software 7.9.0 or newer.
New Features and Enhancements
Luna HSM firmware 7.9.0 includes the following new features and enhancements:
ML-KEM and ML-DSA Mechanisms for Post Quantum Cryptography
This release includes support for post-quantum algorithms ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) and ML-DSA (Module-Lattice based Digital Signature Algorithm). Refer to:
>New PKCS extension descriptions:
>ML-DSA Programming Guide for Luna HSM
>New cryptographic mechanisms:
This feature also requires Luna HSM Client 10.9.0 or newer.
ML-KEM Cloning Ciphers
The following post-quantum cipher suites are now included for cloning between application partitions:
>ECDH-P521-ML-KEM1024-SHA2-512
>ECDH-BP512-ML-KEM1024-SHA2-512
>ECDH-P521-ML-KEM1024-SHA3-512
>ECDH-BP512-ML-KEM1024-SHA3-512
Refer to Enabling and Disabling CPv4 Cipher Suites for instructions on customizing cipher suites.
This feature also requires Luna HSM Client 10.9.0 or newer.
Valid Update Paths
You can update the Luna HSM firmware to version 7.9.0 from the following previous versions:
>7.0.1, 7.0.2, 7.0.3, 7.1.0, 7.2.0, 7.3.0, 7.3.3, 7.4.0, 7.4.1
Advisory Notes
This section highlights important issues you should be aware of before deploying HSM firmware 7.9.0.
FIPS Changes in Luna HSM Firmware 7.9.0 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
RSA Key Pair Generation Mechanisms for FIPS 186-3 Allow 6144- and 8192-Bit Keys
Using the following mechanisms, you can now generate 6144-bit and 8192-bit RSA keypairs in FIPS approved configuration:
>CKM_RSA_FIPS_186_3_AUX_PRIME_KEY_PAIR_GEN
>CKM_RSA_FIPS_186_3_PRIME_KEY_PAIR_GEN
New Partition Policy Allows Signature Verification with ECDSA and RSA
A new partition policy 45: Allow ECDSA/RSA Prehash SigVer enables a prehash operation that allows mechanisms that do not have a hash function to perform verification. With this policy enabled, the following mechanisms are now permitted to perform verification in FIPS approved configuration:
ML-DSA and ML-KEM Keys Not Wrappable
In this release, wrapping ML-DSA and ML-KEM keys off the HSM is not supported.
FIPS Changes in Luna HSM Firmware 7.8.9 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
Mechanisms that are now available in FIPS 140 approved configuration
The following mechanisms are now available for use in FIPS 140 approved configuration (formerly FIPS mode):
Mechanisms no longer available in FIPS 140 approved configuration
The following mechanism is now restricted from use in FIPS 140 approved configuration (formerly FIPS mode):
>CKM_EC_MONTGOMERY_KEY_PAIR_GEN
Mechanisms now check for approved EC curves in FIPS 140 approved configuration
The following mechanisms now verify that the specified EC curve is FIPS-approved, and reject operations that specify non-approved curves:
>CKM_EC_KEY_PAIR_GEN_W_EXTRA_BITS
Allowed Elliptic Curves
The Sign, Verify and Derive columns list the permitted operations for each curve.

Curve Name | Mechanisms | Curve Field Type | Security Strength | Sign | Verify | Derive
---|---|---|---|---|---|---
B-233 | ECDSA, EC key establishment | Binary field GF(2^m) | 112 bits | X | X | X
B-283 | ECDSA, EC key establishment | Binary field GF(2^m) | 128 bits | X | X | X
B-409 | ECDSA, EC key establishment | Binary field GF(2^m) | 192 bits | X | X | X
B-571 | ECDSA, EC key establishment | Binary field GF(2^m) | 256 bits | X | X | X
K-233 | ECDSA, EC key establishment | Binary field GF(2^m) | 112 bits | X | X | X
K-283 | ECDSA, EC key establishment | Binary field GF(2^m) | 128 bits | X | X | X
K-409 | ECDSA, EC key establishment | Binary field GF(2^m) | 192 bits | X | X | X
K-571 | ECDSA, EC key establishment | Binary field GF(2^m) | 256 bits | X | X | X
P-224 | ECDSA, EC key establishment | Prime field GF(p) | 112 bits | X | X | X
P-256 | ECDSA, EC key establishment | Prime field GF(p) | 128 bits | X | X | X
P-384 | ECDSA, EC key establishment | Prime field GF(p) | 192 bits | X | X | X
P-521 | ECDSA, EC key establishment | Prime field GF(p) | 256 bits | X | X | X
Edwards448 | EdDSA | Prime field GF(p) | 224 bits | X | X | X
Edwards25519 | EdDSA | Prime field GF(p) | 128 bits | X | X | X
Brainpool P-512r1 | ECDSA, EC key establishment | Prime field GF(p) | 256 bits | X | X | X
Brainpool P-512t1 | ECDSA, EC key establishment | Prime field GF(p) | 256 bits | X | X | X
Brainpool P-384r1 | ECDSA, EC key establishment | Prime field GF(p) | 192 bits | X | X | X
Brainpool P-384t1 | ECDSA, EC key establishment | Prime field GF(p) | 192 bits | X | X | X
Brainpool P-320r1 | ECDSA, EC key establishment | Prime field GF(p) | 160 bits | X | X | X
Brainpool P-320t1 | ECDSA, EC key establishment | Prime field GF(p) | 160 bits | X | X | X
secp256k1 | Blockchain | Prime field GF(p) | 128 bits | X | X | X
Brainpool P-256r1 | ECDSA, EC key establishment | Prime field GF(p) | 128 bits | X | X | X
Brainpool P-256t1 | ECDSA, EC key establishment | Prime field GF(p) | 128 bits | X | X | X
Brainpool P-224r1 | ECDSA, EC key establishment | Prime field GF(p) | 112 bits | X | X | X
Brainpool P-224t1 | ECDSA, EC key establishment | Prime field GF(p) | 112 bits | X | X | X
The above table applies to Luna PCIe HSM 7, Luna Network HSM 7, and Luna USB HSM 7 firmware 7.8.9 and newer, and 7.7.3 and newer, respectively.
FIPS Changes in Luna HSM Firmware 7.8.7 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
Mechanisms no longer available in FIPS mode
The following mechanisms are now restricted from use in FIPS mode:
Mechanisms not permitted to sign objects in FIPS mode
The following mechanisms are not permitted to sign objects in FIPS mode:
Do Not Update Directly From Luna HSM Firmware 7.7.2
Luna HSM Firmware 7.7.2 must not be updated directly to Luna HSM Firmware 7.8.4 or newer, or unexpected problems may occur. If you are updating from Luna HSM Firmware 7.7.2, you must first install
>Luna HSM Firmware 7.8.2 (included with Luna Appliance Software 7.8.3)
Performance Issue With REST API and CCC Requires Patch
With Luna HSM Firmware 7.8.4 and newer, administering partitions through REST API calls can significantly reduce the performance of cryptographic operations over time. This issue can also affect customers using Crypto Command Center (CCC), which uses the REST API. It requires a patch to the Luna REST API. Install the correct patch for your appliance software version:
>Luna Network HSM 7.8.5-20 Appliance REST API Patch
>Luna Network HSM 7.8.4-350 Appliance REST API Patch
Luna HSM Firmware 7.8.4 or Newer Requires Luna HSM Client 10.3.0 or Newer
Changes in Luna HSM Firmware 7.8.4 and newer require an update to Luna HSM Client 10.3.0 or newer.
One-Step NTLS Connections Require Update to Luna HSM Client 10.7.0 Components
Luna HSM Firmware 7.9.0 and newer includes changes that require an update to the pscp and plink utilities. If you plan to use the One-Step NTLS Connection Procedure to establish client connections to your appliance, either update the client software to Luna HSM Client 10.7.0 or newer, or replace the pscp and plink utilities in your older client installation with the versions included with Luna HSM Client 10.7.0 or newer.
STC Connections Require Update to Luna HSM Client 10.7.0 or Newer
Luna HSM Firmware 7.9.0 and newer includes changes that require an update to the client software for some functions. If you are using Secure Trusted Channel connections to access your partitions, update your client software to Luna HSM Client 10.7.0 or newer before updating to Luna HSM Firmware 7.9.0 or newer.
FIPS Changes in Luna HSM Firmware 7.8.4 and Newer
New restrictions have been added to some mechanisms when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
Mechanisms not permitted to encrypt objects in FIPS mode
The following mechanisms are not permitted to encrypt objects in FIPS mode:
Mechanisms no longer available in FIPS approved configuration
The following encryption mechanisms are no longer available in FIPS approved configuration:
DES3 encryption not permitted using ECIES mechanisms
DES3 encryption is now blocked using the following ECIES mechanisms:
HMAC mechanisms not permitted to sign using DES3 keys
The following HMAC mechanisms are blocked from using a DES3 key for signing:
Mechanisms not permitted to sign objects
The following mechanisms are not permitted to sign objects:
CKM_RSA_PKCS not permitted to decrypt/unwrap objects
To comply with FIPS 140-3 requirements, RSA-based key transport schemes that use only PKCS#1-v1.5 padding are disallowed. Therefore, CKM_RSA_PKCS is now restricted from performing decrypt/unwrap operations.
NOTE When the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to
3DES usage counter has been removed
The 3DES usage counter attribute (CKA_BYTES_REMAINING) has been removed in Luna HSM Firmware 7.8.4 and newer, to comply with FIPS 140-3 requirements. This attribute is now ignored on any keys where it is already set.
FIPS Changes in Luna HSM Firmware 7.8.0 and Newer
The following mechanism is now restricted from use when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
FIPS Changes in Luna HSM Firmware 7.7.2 and Newer
The following mechanisms have new operation restrictions when the HSM or partition is in FIPS approved configuration (HSM policy 12: Allow non-FIPS algorithms or partition policy 43: Allow non-FIPS algorithms set to 0):
>CKM_RSA_PKCS: cannot encrypt | cannot legacy decrypt | cannot legacy unwrap
>CKM_RSA_PKCS_OAEP: cannot legacy decrypt | cannot legacy unwrap
NOTE This page lists FIPS-related changes made since the last FIPS-validated firmware release. For a comprehensive list of changes across all released versions of the Luna HSM firmware, see Changes to Mechanisms and Operations in FIPS 140 Approved Configuration by Firmware Version. Refer to this section if you are updating from a firmware version that is older than the last FIPS-validated version.
Minimum Password Length is Increased to 8 Characters
Luna HSM Firmware 7.7.2 and newer enforces minimum 8-character passwords and challenge secrets, to comply with FIPS requirements. The previous limit was 7 characters. If you were using a 7-character password prior to upgrading the firmware, that password continues to work. Future password changes will use the new 8-character minimum.
If you have an existing HA group whose member partitions use a 7-character password/challenge secret, you must change all members to use a minimum 8-character password before adding a new member that uses Luna HSM Firmware 7.7.2 or newer.
Partition policy to control the use of DigestKey is added
Partition capability/policy 9: Allow DigestKey is added with Luna HSM Firmware 7.8.0; it controls whether final keys can be derived outside the HSM. The policy defaults to OFF, which is the more secure option. Previously, DigestKey was always allowed; the new policy lets those who do not need the option turn it off, while those who do need it can turn it on.
NOTE Partition Policy 9 is destructive when switched OFF-to-ON, so have any partition contents backed up before you update HSM firmware. After update from any firmware prior to version 7.8.0, if you require this ability, you can switch the policy ON and then restore your material to the partition and resume using your application.
RSA Keygen Mechanism Remapping on Luna 7.7.1 or Newer Partitions Requires Minimum Luna HSM Client 10.4.0
Luna HSM Firmware 7.7.1 or newer partitions that have been individually set to FIPS mode using the new partition policy 43 require Luna HSM Client 10.4.0 or newer to automatically remap older RSA mechanisms as described in RSA Mechanism Remap for FIPS Compliance.
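The update-path and client-version requirements in the advisory notes above (the 7.7.2 interim step, the client minimums for firmware 7.8.4+, STC, one-step NTLS and the policy-43 RSA remap, the 10.9.0 client requirement for ML-KEM/ML-DSA under New Features, the REST API patch, the 8-character secret minimum and the policy 9 backup warning) are easy to miss when several appliances are scheduled at once. The following pre-flight checker is an added example, not Thales code: the `Inventory` fields, the finding texts and the `uses_*` flags are this example's own assumptions, while the version thresholds are taken from the notes on this page.

```python
"""Pre-update readiness checks for moving a Luna HSM to firmware 7.9.0.

Added example, not Thales code: it turns the advisory notes on this page into
checks that can be run over an inventory of appliances before scheduling the
update. The Inventory fields, finding texts and use_* flags are assumptions of
this example; the version thresholds come from the notes.
"""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.8.4' -> (7, 8, 4); tuple comparison is lexicographic, so 7.10 > 7.9."""
    return tuple(int(p) for p in text.strip().split("."))


@dataclass
class Inventory:
    """What we know about one appliance and its clients (assumed fields)."""
    firmware: str                          # current HSM firmware, e.g. "7.7.2"
    appliance_sw: str                      # Luna Appliance Software version
    client: str                            # oldest Luna HSM Client version in use
    uses_stc: bool = False                 # Secure Trusted Channel connections
    uses_one_step_ntls: bool = False       # One-Step NTLS Connection Procedure
    uses_rest_api_or_ccc: bool = False     # REST API administration / CCC
    uses_pq_mechanisms: bool = False       # ML-KEM/ML-DSA or ML-KEM cloning ciphers
    partition_policy_43_fips: bool = False # partitions set to FIPS via policy 43
    shortest_secret_len: int = 8           # shortest password/challenge secret in HA groups


TARGET = parse_version("7.9.0")


def readiness_findings(inv: Inventory) -> List[str]:
    """Return BLOCK/WARN/INFO findings; an empty list means nothing to do first."""
    fw = parse_version(inv.firmware)
    client = parse_version(inv.client)
    findings: List[str] = []

    if parse_version(inv.appliance_sw) < TARGET:
        findings.append("BLOCK: firmware 7.9.0 requires Luna Appliance Software 7.9.0 or newer")
    if fw == (7, 7, 2):
        findings.append("BLOCK: firmware 7.7.2 must install 7.8.2 first, never 7.8.4 or newer directly")
    if client < (10, 3, 0):
        findings.append("BLOCK: firmware 7.8.4 or newer requires Luna HSM Client 10.3.0 or newer")
    if inv.uses_stc and client < (10, 7, 0):
        findings.append("BLOCK: STC connections need Luna HSM Client 10.7.0 or newer before the update")
    if inv.uses_one_step_ntls and client < (10, 7, 0):
        findings.append("WARN: one-step NTLS needs pscp/plink from Luna HSM Client 10.7.0 or newer")
    if inv.uses_pq_mechanisms and client < (10, 9, 0):
        findings.append("BLOCK: ML-KEM/ML-DSA and ML-KEM cloning ciphers need Luna HSM Client 10.9.0 or newer")
    if inv.partition_policy_43_fips and client < (10, 4, 0):
        findings.append("WARN: RSA keygen remap on policy-43 FIPS partitions needs Luna HSM Client 10.4.0 or newer")
    if inv.uses_rest_api_or_ccc:
        findings.append("WARN: install the REST API patch for your appliance software (REST/CCC slows crypto on 7.8.4+)")
    if inv.shortest_secret_len < 8:
        findings.append("WARN: move all HA members to 8+ character secrets before adding a 7.7.2+ member")
    if fw < (7, 8, 0):
        findings.append("WARN: back up partitions first; policy 9 (Allow DigestKey) arrives OFF and is destructive when switched ON")
    if fw < (7, 8, 4):
        findings.append("INFO: the 3DES usage counter (CKA_BYTES_REMAINING) is removed in 7.8.4+ and ignored on existing keys")
    return findings


def is_ready(inv: Inventory) -> bool:
    """True when no BLOCK finding applies to this appliance."""
    return not any(f.startswith("BLOCK") for f in readiness_findings(inv))


if __name__ == "__main__":
    # Constructed inventory entry, not a real appliance.
    sample = Inventory(firmware="7.7.2", appliance_sw="7.8.3", client="10.2.0",
                       uses_stc=True, shortest_secret_len=7)
    for finding in readiness_findings(sample):
        print(finding)
```

Run it over each appliance before opening a change window; anything tagged BLOCK has to be resolved in the order the notes give (client first, then the 7.8.2 interim firmware for 7.7.2 hosts, then 7.9.0).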
Special Considerations for Luna HSM Firmware 7.7.0 and Newer
Luna HSM Firmware 7.7.0 introduces new capabilities, features, and other significant changes that affect the operation of the HSM. Due to some of these changes, you must be aware of some special considerations before updating to Luna HSM Firmware 7.7.0 or newer. For more information, refer to Special Considerations for Luna HSM Firmware 7.7.0 and Newer before proceeding with the update.
3DES Usage Counter
For Luna HSM Firmware 7.7.0 and newer (up to but not including 7.8.4, where the counter is removed; see 3DES usage counter has been removed above), triple-DES keys have a usage counter that limits each key instance to encrypting at most 2^16 8-byte blocks of data when the HSM is in FIPS mode (HSM policy 12: Allow non-FIPS algorithms is set to 0). When the counter for a key instance runs out, that key instance can no longer be used for encrypting, wrapping, deriving, or signing, but can still be used to decrypt, unwrap, and verify pre-existing objects.
The CKA_BYTES_REMAINING attribute is available when HSM policy 12: Allow non-FIPS algorithms is set to 0, but cannot be viewed if that policy is set to 1.
The attribute is preserved during backup/restore using a Luna Backup HSM 7; restoring puts the counter back to whatever value it had before backup.
The attribute is not preserved through backup/restore using a Luna Backup HSM G5; restoring sets the counter to like-new state (no usage).
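The counter rules in this section, together with the 7.8.4 removal described under "3DES usage counter has been removed" above, are modelled below so an application owner can predict when a 3DES key instance will stop encrypting and what a restore does to it. This is an added example, not Luna firmware code: the class and method names, the treatment of a partial final block as a full block, and the all-or-nothing rejection of a request larger than the remaining budget are this example's assumptions; the 2^16-block limit, the policy 12 visibility rule, the Backup HSM 7 versus G5 restore behaviour and the 7.8.4 removal come from the notes.

```python
"""Model of the Luna 3DES usage counter (CKA_BYTES_REMAINING).

Added example, not Luna firmware code. Assumptions of this example: a partial
final block costs a whole block, and a request larger than the remaining
budget is rejected outright rather than partially served.
"""
from typing import Optional, Tuple

BLOCK_SIZE = 8
MAX_BLOCKS = 2 ** 16                   # per key instance in FIPS mode (from the notes)
MAX_BYTES = MAX_BLOCKS * BLOCK_SIZE    # 524288 bytes

CONSUMING_OPS = {"encrypt", "wrap", "derive", "sign"}
ALWAYS_ALLOWED_OPS = {"decrypt", "unwrap", "verify"}


class UsageExhausted(Exception):
    """A consuming operation was attempted on a key whose counter ran out."""


def _v(text: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in text.split("."))


class TripleDesKey:
    def __init__(self, firmware: str, hsm_policy_12_allow_non_fips: int):
        # The counter exists from 7.7.0 up to 7.8.3 and is enforced only in FIPS mode.
        self.counter_present = _v("7.7.0") <= _v(firmware) < _v("7.8.4")
        self.fips_mode = hsm_policy_12_allow_non_fips == 0
        self._bytes_remaining = MAX_BYTES

    @property
    def bytes_remaining(self) -> Optional[int]:
        """CKA_BYTES_REMAINING as an application sees it; None when absent or hidden."""
        if not self.counter_present or not self.fips_mode:
            return None   # removed in 7.8.4+, or not viewable when policy 12 = 1
        return self._bytes_remaining

    def use(self, op: str, nbytes: int) -> None:
        """Apply one operation of nbytes to the key, consuming the counter if it applies."""
        if op in ALWAYS_ALLOWED_OPS:
            return                                  # decrypt/unwrap/verify never consume
        if op not in CONSUMING_OPS:
            raise ValueError(f"unknown operation {op!r}")
        if not (self.counter_present and self.fips_mode):
            return                                  # nothing to enforce
        blocks = -(-nbytes // BLOCK_SIZE)           # ceil: partial block costs a block (assumption)
        cost = blocks * BLOCK_SIZE
        if cost > self._bytes_remaining:
            raise UsageExhausted(f"{op}: needs {cost} bytes, {self._bytes_remaining} remaining")
        self._bytes_remaining -= cost

    def messages_left(self, msg_len: int) -> int:
        """Capacity planning: messages of msg_len bytes this instance can still encrypt (-1 = unbounded)."""
        if msg_len <= 0:
            raise ValueError("msg_len must be positive")
        if self.bytes_remaining is None:
            return -1
        per_msg = -(-msg_len // BLOCK_SIZE) * BLOCK_SIZE
        return self._bytes_remaining // per_msg

    def backup(self) -> int:
        """Value carried in the backup; what restore does with it depends on the backup HSM."""
        return self._bytes_remaining

    def restore(self, saved: int, backup_model: str) -> None:
        if backup_model == "Luna Backup HSM 7":
            self._bytes_remaining = saved          # counter preserved
        elif backup_model == "Luna Backup HSM G5":
            self._bytes_remaining = MAX_BYTES      # counter reset to like-new
        else:
            raise ValueError(f"unknown backup model {backup_model!r}")
```

The practical consequence for a FIPS-mode deployment on 7.7.0 to 7.8.3 firmware is that a 3DES key used for bulk encryption is a consumable: plan rotation from `messages_left`, and remember that a G5 restore silently refills the budget while a Backup HSM 7 restore does not.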