Traditionally, secure computing platforms may exist under a single level of security, causing an entire platform (e.g., aircraft, ground vehicle, or other) to become designated at the highest security level. This is problematic for both missions and operations for several reasons. For example, a military aircraft supporting radios for both military datalink (e.g., LINK 16) and civil communications may have systems designed purely for civil communications. However, since the civil communications systems are installed on the military aircraft, the civil systems are classified at the same level of security as the onboard military sensitive systems.
Also, an exemplary aircraft configured with an upgraded sensor that either 1) is defined at a different level of security than the remaining onboard systems or 2) is required to change security levels based on mission profile may be required to remain at the highest level of security classification of the upgraded sensor. Further, an aircraft designated at top secret security level may require all personnel servicing the aircraft to have a top secret security clearance.
Isolation of the levels of security may be one requirement of a certification entity. For example, an onboard sensor may be classified as a top secret component of hardware, whereas a fuel system monitor may remain unclassified. Each of these systems must remain isolated from the other in order to be certified for simultaneous use. However, both systems use similar processing resources to accomplish their individual tasks. Traditionally, Multiple Independent Levels of Security requires dedicated equipment, wiring, and growth provisions to maintain physical security separation.
A data guard (e.g., Data Diode) may be employed to enable data to traverse security levels by restricting unintentional data migration from one security level to another. These data guards may be limited by bandwidth and require additional processing resources to function properly.
Traditionally, in order to move processing capability from a first security level to a second security level, an operator may have been required to physically move the processing resource (blade) and associated software from a first location in a processing unit to a second location or to a physically separate processing unit. This cumbersome physical movement of processing resources requires increased labor and time to accomplish the mission and is often logistically infeasible.
A more accepted approach is to move software to reserve processing elements in the newly designated security level and rewire the platform to reassign associated payloads. This fixed association of processing power to security level requires redundant elements to be installed on the platform and also increases the weight and cost associated with growth provisions for processing elements that are unused during certain operations. Also, in order for equipment to be certified for use on a platform with physical separation of security levels, two (or more) sets of wires may be installed on the platform from the processing board to a remote station to physically connect with the operational hardware (e.g., a wing pylon mounted operational sensor). The additional wiring increases the weight of the platform and causes additional maintenance when one or more of the wires must be replaced.
Recent architecture for implementing Multiple Levels of Security (MLS) has taken the approach of segregating security levels to separate cores inside a single multi-core central processing unit (CPU). This approach may be referred to as MLS on a single device. It reduces the redundancy of entire individual systems devoted to a single task and security level. While there are applications, such as the above-mentioned data guards, that may sometimes function within the MLS architecture on a single device, this MLS approach carries certification risk, requires an expensive Operating System (OS), and often locks the certification to a specific non-reconfigurable implementation. Even minor changes to the software or hardware may potentially impact a previous certification and may also incur significant expense to recertify.
With differing mission requirements, a platform may be required to use a specific (e.g., top secret) sensor during one mission and a differently classed (e.g., secret) sensor during a second mission. With operating systems and processing resources permanently tasked to a specific sensor, processing power may be inefficiently deployed.
Cluster computing has traditionally been accomplished by interconnecting processing resources (elements) over Ethernet, and peripherals have been dedicated to a processing resource by a Peripheral Component Interconnect (PCI) bus. However, the PCI framework may limit bandwidth where it may be most needed: for immediate processing power available for a current task.
Therefore, a need remains for a system architecture and apparatus offering reconfigurable multiple single levels of security (MSL) within a single platform, assigning a user-defined security level to both a processing resource and its attached payload on device power-up. A desirable system may offer immediate processing resources available to a variety of security classifications of the mission and task without changing certification, changing aircraft wiring, or revising hardware, and without the potential excess resources of a static implementation.