1. Field
The present disclosure relates generally to verifying the integrity of devices, such as maintenance devices, connected to data processing systems on aircraft. Still more particularly, the present disclosure relates to verifying the integrity of such devices based on the configuration of the software on the devices, and where the configuration is not known by the data processing systems on the aircraft.
2. Background
Modern aircraft are extremely complex. For example, an aircraft may have many types of electronic systems on-board. These systems are often in the form of line-replaceable units (LRUs). A line-replaceable unit is an item that can be removed and replaced from an aircraft. A line-replaceable unit is designed to be easily replaceable.
A line-replaceable unit may take on various forms. A line-replaceable unit on an aircraft may be, for example, without limitation, a flight management system, an autopilot, an in-flight entertainment system, a communications system, a navigation system, a flight controller, a flight recorder, a collision avoidance system, a system to support maintenance functions, or a system to support crew processes. The various line-replaceable units on an aircraft may be parts of an aircraft network data processing system.
Line-replaceable units may use software or programming to provide the logic or control for various operations and functions. Typically, all software on an aircraft is treated as a separate part, or is combined with a hardware part and is unchangeable without changing the hardware part number. Aircraft software that is treated as an aircraft part may be referred to as a loadable software aircraft part or a software aircraft part. Software aircraft parts are parts of an aircraft's configuration.
Aircraft operators are entities that operate aircraft. Aircraft operators also may be responsible for the maintenance and repair of aircraft. Examples of aircraft operators include airlines and military units. When an aircraft operator receives an aircraft, software aircraft parts may be already installed in the line-replaceable units on the aircraft.
An aircraft operator may also receive copies of loaded software aircraft parts in case the parts need to be reinstalled or reloaded into the line-replaceable units on the aircraft. Reloading of software aircraft parts may be required, for example, if a line-replaceable unit in which the software is used is replaced or repaired. Further, the aircraft operator also may receive updates to the software aircraft parts from time to time. These updates may include additional features not present in the currently-installed software aircraft parts and may be considered upgrades to one or more line-replaceable units. Specified procedures may be followed during loading of a software aircraft part on an aircraft so that the current configuration of the aircraft, including all of the software aircraft parts loaded on the aircraft, is known.
An aircraft operator or other aircraft maintenance entity may perform maintenance operations on an aircraft. Some maintenance operations may be performed by connecting a maintenance device to the aircraft network data processing system. For example, the maintenance device may be a portable computing device, such as a laptop computer.
The maintenance device may include software stored on the device that is used to perform various maintenance operations on the aircraft. The maintenance device also may include other software stored on the device. It is desired that only maintenance devices from approved maintenance entities, including only approved software from trusted software suppliers, be allowed to access the aircraft network data processing system. For example, unapproved software on a maintenance device may include software that is corrupted, software that is infected with a virus, or other unapproved software. Unapproved software may affect the operation of the aircraft network data processing system in undesired ways if a maintenance device containing such software is allowed to access the aircraft network data processing system.
Systems and methods for providing network access control to ground-based computer networks are known. One solution that enables network operators to determine whether to grant access to a requested network infrastructure is defined by the architecture and standards for Trusted Network Connect (TNC) developed by the Trusted Computing Group (TCG). One aspect of the Trusted Network Connect solution for network access control is the use of a Trusted Platform Module (TPM). The Trusted Platform Module is a hardware security component that is currently included in many laptop and desktop computers. In the Trusted Network Connect architecture, the Trusted Platform Module is primarily used for remote attestation. During the boot sequence of a device to be connected to a network, the software and firmware components of the device are measured. Additional measurements may be made after the device is booted. The measurements may be made using a number of hash functions. The measurements are stored securely in the Trusted Platform Module. During a Trusted Network Connect handshake, these measurements are sent to a Trusted Network Connect server, where they are compared against the values for proper configurations. If the values do not match, the device may be infected and may be refused access to the network or quarantined.
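The measure-extend-compare sequence described above, as an added illustration that is not part of this disclosure: a verifier-side simulation of measured boot against one TPM-style platform configuration register (PCR), with the access decision a Trusted Network Connect server would reach (allow, deny, or quarantine). It assumes a single SHA-256 register and plain hashing in place of a TPM's signed quote; the component images and the reference configuration name are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample "software components" standing in for a maintenance laptop's
# firmware, OS loader and maintenance application (placeholder bytes, not real images).
APPROVED_COMPONENTS = [
    b"firmware-image:placeholder-v1",
    b"os-loader:placeholder-v3",
    b"maintenance-tool:placeholder-v2",
]

PCR_LEN = 32  # one SHA-256-sized register, all zeros at power-on
PCR_INIT = bytes(PCR_LEN)


def measure(component: bytes) -> bytes:
    """Hash a component image; this is the 'measurement' taken during boot."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement).
    The result depends on every prior measurement and its order and cannot be
    reset by software, which is what makes the final value a usable summary."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Simulate a device booting: measure each component in sequence, extend it into
    the PCR and append it to an event log. Returns (final PCR, list of hex measurements)."""
    pcr = PCR_INIT
    log = []
    for image in components:
        m = measure(image)
        log.append(m.hex())
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """Recompute the PCR the verifier expects if the event log is complete and untampered."""
    pcr = PCR_INIT
    for entry in log:
        pcr = extend(pcr, bytes.fromhex(entry))
    return pcr


def build_reference_values(approved_configs):
    """Server side: derive the expected PCR of each approved configuration from its images."""
    return {name: measured_boot(images)[0] for name, images in approved_configs.items()}


def evaluate_attestation(pcr, log, reference_values):
    """Verifier decision mirroring the handshake outcome described in the text:
    quarantine when the event log does not even reproduce the reported PCR,
    allow when the PCR matches an approved configuration, deny otherwise."""
    if not hmac.compare_digest(replay_log(log), pcr):
        return "quarantine", "event log does not reproduce reported PCR"
    for name, ref in reference_values.items():
        if hmac.compare_digest(ref, pcr):
            return "allow", name
    return "deny", "no approved configuration matches reported PCR"


# Reference database held by the verifier (constructed, one approved configuration).
REFERENCE = build_reference_values({"maintenance-laptop-baseline": APPROVED_COMPONENTS})


def demo():
    """Run three cases: approved device, one modified component, truncated event log."""
    results = {}
    pcr, log = measured_boot(APPROVED_COMPONENTS)
    results["approved"] = evaluate_attestation(pcr, log, REFERENCE)

    modified = APPROVED_COMPONENTS[:-1] + [b"maintenance-tool:placeholder-v2-modified"]
    pcr, log = measured_boot(modified)
    results["modified_component"] = evaluate_attestation(pcr, log, REFERENCE)

    pcr, log = measured_boot(APPROVED_COMPONENTS)
    results["truncated_log"] = evaluate_attestation(pcr, log[:-1], REFERENCE)
    return results


if __name__ == "__main__":
    for case, (decision, reason) in demo().items():
        print(f"{case}: {decision} ({reason})")
```

The two-step check matters in practice: replaying the log against the register catches a log that has been edited or cut short, while the comparison against reference values catches a component whose measurement is simply unknown to the verifier. A real deployment also needs the PCR to arrive in a quote signed by a key held in the TPM, which this simulation omits.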
Current systems and methods for network access control to entirely ground-based computer networks may not be applied effectively to mobile systems, such as aircraft. The particular environment in which network data processing systems on aircraft are operated and maintained makes it difficult or impossible to use such current network access control systems and methods for verifying the integrity of maintenance devices or other devices connected to an aircraft network data processing system. This is due partly to the fact that aircraft are often disconnected from back office networks and partly to the conventions for aircraft configuration control that are followed in aircraft maintenance operations.
Accordingly, it would be advantageous to have a method and apparatus that takes into account one or more of the issues discussed above, as well as possibly other issues.