| 摘要 |
When software is loaded into an operating system kernel and so has access the same memory space as the operating system a problem occurs if the operating system cannot determine in advance whether the operating system will afterwards be in a suitably trusted state or not. By using a high availability cluster in which each System Processing Unit (S 1 , S 2 ) has a trusted device, it is possible to gain more trust and a more flexible approach to trust whilst maintaining the high availability properties of the cluster. Software can be loaded onto one of at least two computing platforms (S 1 ) of a computing system. Another of the platforms (S 2 ) performs integrity tests on the platform (S 1 ) carrying the new software to check whether the platform (S 1 ) is still in a trusted state. If the tests are passed, then the test results are signed and sent to the platform (S 1 ) with the new software and the new software is copied onto the other computing platform (S 2 ). If the tests are failed, then the first platform (S 1 ) can either be rebooted or returned to the state of the testing platform (S 2 ). |
