Most data processing systems contain sensitive data and sensitive operations that need to be protected. The data and operations need to be protected from illegitimate modification and disclosure, and the data processing systems need to be able to reliably identify themselves to other data processing systems. An operator of a given data processing system may employ hardware security mechanisms such as security tokens and biometric sensor devices, and may also employ software security mechanisms such as various authentication and authorization schemes to protect the data processing systems.
The essence of data processing security is trust. A data processing system should accept data and operations from another system only if the other system can establish a level of trust with respect to particular data items or particular operations. Thus, the ability to protect a data processing system is limited by the manner in which trust is created within the data processing system.
To address the issues of protecting data processing systems, a consortium of companies has formed the Trusted Computing Group (TCG) to develop and to promulgate open standards and specifications for trusted computing. According to TCG specifications, trust within a given data processing system or trust between a data processing system and another entity is based on a hardware or software component within the data processing system that has been termed the Trusted Platform Module (TPM).
A TPM enables an entity to determine the state of the software environment in the TPM and to seal data to a particular software environment in the TPM. The entity deduces whether the state of the computing environment in the TPM is acceptable before performing a transaction with the TPM. To enable this, the TPM provides to the entity, integrity metrics (also known as integrity measurements) that reflect the integrity of the software state of the TPM. The integrity measurements require a root of trust within the computing platform. In order for a system to be a TPM, the integrity measurements must be taken from the Core Root of Trust for Measurements and must extend through the Initial Program Load (IPL) process up to the point at which the operating system is initialized.
A single hardware TPM is designed to provide support for a single, non-partitionable computer system. Thus, existing systems utilize a single hardware TPM to provide trust for an entire single system. A problem arises when a single hardware TPM providing trust for an entire system fails to perform properly. When the single hardware TPM malfunctions, services can be severally damaged or impacted in the system until the malfunctioning hardware TPM is serviced or replaced. In some instances, no trust services can be provided in the system. An additional problem arises regarding the provision of trust support for multiple computer systems when configured to operate together, for example, as a highly available cluster. TCG specifications support only the manual migration of cryptographic keys from one platform to another on a case-by-case basis. Highly available clusters have special needs for robust distributed processing, coordination, replication, failover, and the like not specified in TCG specifications.
It would be advantageous to have a system, method, and computing node which overcomes the disadvantages of the prior art. The present invention provides such a system, method, and computing node.