When software is loaded into an operating system kernel and so has access the
same memory space as the operating system a problem occurs if the operating system
cannot determine in advance whether the operating system will afterwards be in
a suitably trusted state or not. By using a high availability cluster in which
each System Processing Unit (S1, S2) has a trusted device, it is
possible to gain more trust and a more flexible approach to trust whilst maintaining
the high availability properties of the cluster. Software can be loaded onto one
of at least two computing platforms (S1) of a computing system. Another
of the platforms (S2) performs integrity tests on the platform (S1)
carrying the new software to check whether the platform (S1) is still in
a trusted state. If the tests are passed, then the test results are signed and
sent to the platform (S1) with the new software and the new software is
copied onto the other computing platform (S2). If the tests are failed,
then the first platform (S1) can either be rebooted or returned to the state
of the testing platform (S2).