Set a device-global option.
Set device-global options that affect general behavior. Each invocation of this command sets a single option, which is represented as a TAG-LENGTH-VALUE (TLV).
Example: turn off audit logging for Sign HMAC (command 0x53) and Verify HMAC (command 0x5c), where 0 is the session ID:

yubihsm> put option 0 command-audit 53005c00

The hex argument is a sequence of 2-byte tuples, each a command number followed by its option value: 53 00 5c 00 sets both commands to OFF. A command whose audit value is OFF leaves no entry in the Log Store, so disable auditing only for commands for which no audit trail is required.
Command:
Tc = 0x4f
Lc = 3 + Lo
Vc = To

To := the TLV encoding of the selected option
Lo := the option-specific length in bytes (the LENGTH field of the TLV)
Each option is encoded as a TLV:
TAG is 1 byte
LENGTH is 2 bytes, big-endian
VALUE is Lo bytes

The options currently supported are the following:

Tags:
Force audit      | 0x01
Command audit    | 0x03
Algorithm toggle | 0x04 (>= 2.2.0)
FIPS mode        | 0x05 (>= 2.2.0)
Values:
OFF | 0x00 | Disabled
ON  | 0x01 | Enabled
FIX | 0x02 | Enabled; can only be turned off again through a factory reset
The defined options are as follows:

Force audit: with this option set, the device refuses operations as long as the Log Store is full, so no operation can go unrecorded; operation resumes once the entries have been read out with Get Log Entries and acknowledged with Set Log Index. It takes a 1-byte value (Lo = 1). Setting it to FIX makes this behaviour permanent until a factory reset, so make sure the log is collected regularly before doing so.

Command audit: toggles whether a specific command is logged. The value is a sequence of 2-byte tuples, each a command number followed by an option value (Lo = 2 × number of tuples), as in the example above.

Algorithm toggle: selectively disables individual algorithms for the whole device. This option can only be changed on a freshly reset device, i.e. one holding only the default Authentication Key. The value is 2-byte tuples of algorithm number and option value, in the same format as Command audit.

FIPS mode: only available on FIPS devices, and can only be changed on a freshly reset device, i.e. one with only the default Authentication Key present. It disables the algorithms that are not allowed by FIPS 140 and takes a 1-byte value. Setting it is required as part of putting the device in the approved mode of operation, together with deleting the default Authentication Key (see Section 3.2 of the YubiHSM FIPS Security Policy); the option alone does not place the device in the approved mode.
Response:
Tr = 0xcf
Lr = 0
Vr = Ø
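The following Python is an added example, not code from Yubico's documentation or libraries: it builds the Put Option payload from the TLV layout above (TAG, big-endian LENGTH, VALUE), wraps it in the Tc/Lc/Vc frame, validates the option-specific value shapes, parses a TLV back, and flags FIX values that only a factory reset can undo. The 0x53/0x5c command-audit tuples are the page's own example; the big-endian LENGTH matches the other length fields of the YubiHSM 2 protocol.

```python
"""Build and check YubiHSM 2 Put Option (Tc = 0x4f) payloads as TLVs.

Added example, not Yubico's code; models the TAG-LENGTH-VALUE layout of the
Put Option command and assumes LENGTH is big-endian like the rest of the
YubiHSM 2 framing.
"""
import struct

PUT_OPTION_CMD = 0x4F   # Tc
PUT_OPTION_RSP = 0xCF   # Tr, with Lr = 0

# Option tags
FORCE_AUDIT = 0x01
COMMAND_AUDIT = 0x03
ALGORITHM_TOGGLE = 0x04  # firmware >= 2.2.0
FIPS_MODE = 0x05         # firmware >= 2.2.0, FIPS devices only

# Option values
OFF, ON, FIX = 0x00, 0x01, 0x02

SINGLE_VALUE_TAGS = {FORCE_AUDIT, FIPS_MODE}    # VALUE is exactly one byte
TUPLE_TAGS = {COMMAND_AUDIT, ALGORITHM_TOGGLE}  # VALUE is (number, value) pairs


def _check_value(v: int) -> None:
    if v not in (OFF, ON, FIX):
        raise ValueError(f"option value must be 0x00, 0x01 or 0x02, got {v:#04x}")


def encode_option(tag: int, value: bytes) -> bytes:
    """Build To: 1-byte TAG, 2-byte big-endian LENGTH, then LENGTH bytes of VALUE."""
    if tag in SINGLE_VALUE_TAGS:
        if len(value) != 1:
            raise ValueError("force-audit and fips-mode take exactly one value byte")
        _check_value(value[0])
    elif tag in TUPLE_TAGS:
        if not value or len(value) % 2:
            raise ValueError("command-audit and algorithm-toggle take 2-byte tuples")
        for v in value[1::2]:          # every second byte is an option value
            _check_value(v)
    else:
        raise ValueError(f"unknown option tag {tag:#04x}")
    return struct.pack(">BH", tag, len(value)) + value


def put_option_frame(tag: int, value: bytes) -> bytes:
    """Full command: Tc = 0x4f, Lc = 3 + Lo (2 bytes, big-endian), Vc = To."""
    to = encode_option(tag, value)
    return struct.pack(">BH", PUT_OPTION_CMD, len(to)) + to


def command_audit(settings: dict) -> bytes:
    """(command number, value) tuples; .hex() of the result is the shell argument."""
    return b"".join(bytes((cmd, val)) for cmd, val in settings.items())


def decode_option(to: bytes) -> tuple:
    """Parse one TLV back, rejecting truncated or over-long input."""
    if len(to) < 3:
        raise ValueError("TLV shorter than TAG + LENGTH")
    tag, length = struct.unpack(">BH", to[:3])
    if len(to) != 3 + length:
        raise ValueError(f"LENGTH says {length} value bytes, got {len(to) - 3}")
    return tag, to[3:]


def is_irreversible(tag: int, value: bytes) -> bool:
    """True if any value is FIX, i.e. only a factory reset can undo the setting."""
    values = value if tag in SINGLE_VALUE_TAGS else value[1::2]
    return FIX in values


def is_success_response(frame: bytes) -> bool:
    """The success response is Tr = 0xcf, Lr = 0 and an empty Vr."""
    return frame == struct.pack(">BH", PUT_OPTION_RSP, 0)


if __name__ == "__main__":
    # The page's example: audit OFF for Sign HMAC (0x53) and Verify HMAC (0x5c).
    tuples = command_audit({0x53: OFF, 0x5C: OFF})
    print("shell argument:", tuples.hex())                     # 53005c00
    print("To:", encode_option(COMMAND_AUDIT, tuples).hex())   # 03000453005c00
    print("frame:", put_option_frame(COMMAND_AUDIT, tuples).hex())
    fix = bytes([FIX])
    print("force-audit FIX frame:", put_option_frame(FORCE_AUDIT, fix).hex(),
          "irreversible:", is_irreversible(FORCE_AUDIT, fix))
```

Running it prints 4f000703000453005c00 for the page's example: Lc is 7 because the TLV is 3 header bytes plus the 4-byte value, and the shell's hex argument 53005c00 is exactly the VALUE field. The is_irreversible check is worth running before sending any frame that carries FIX, since the only way back from it is a factory reset that also destroys every object on the device.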