Detailed Action
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claim 1, 8 and 16, rejected on the ground of nonstatutory double patenting as being unpatentable over claim of U.S. Patent No. 9817675 (application number 15421291) and Patent number 10402206  (application number 15711535) and Although the claims at issue are not identical, they are not patentably distinct from each other because these patent anticipate the limitations of the instant application claim limitation. Similarly alternative dependent claims match with the dependent claims. Hence terminal disclaimer is requested to overcome double patenting.



16481726
Patent number []
Application number (15421291)

Patent number 10402206
Application (15711535)
1. A method for attaching one or more encrypted data partitions of a data storage device during a startup of an operating system of a computing system, the computing system comprising a processor, a memory and the data storage device, the method comprising:monitoring the startup of the operating system; after execution of a windows initialization process (wininit.exe) but prior to execution of a service control manager process (services.exe), pausing the startup of the operating system, and attaching the one or more 

+
4. (Original) The method of claim 1, wherein retrieving the one or more decryption keys from the key management server comprises:gaining access to a network that communicatively couples the computing system to the key management server; converting a domain name of the key management server into an Internet protocol (IP) address of the key management server; transmitting a request from the computing system to 



7

1+4+6

8+14

1
16

1
16

13
16

16



Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 15 rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 15 recites “ he access control driver communicatively couples a file system driver of the operating system with the one or more user- mode processes”, coupling of the structure with the process does not provide clarity. Furthermore, it is confusing to know how a process couples to a structure, structure  couples to the structure, not to a process or method. Therefore, applicant needs to provide appropriate correction in the claim limitation. 


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1, 8, 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Shriver [20120151199], in view of Xing et al [02160283404]  


As to claim 1, 
Shriver [20120151199] teaches A method for a computing system, the computing system comprising a processor, a memory and a data storage device, the method comprising: loading, by a boot loader, an operating system of the computing system from a boot partition into the memory [0015: “Information handling system 100 includes one or more processors 110 coupled to processor interface bus 112. Processor interface bus 112 connects processors 110 to Northbridge 115, which is also known as the Memory Controller Hub (MCH). Northbridge 115 connects to system memory 120 and provides a means for processor(s) 110 to access the system memory” and 0019: “initial RAM disk 485 is used by the kernel until the disk encryption key is known. Initial RAM disk 485 is a RAM disk that is preloaded from a filesystem image that is provided when the kernel is booted”]; 
In this embodiment, the initial RAM disk is preloaded from a filesystem image that is provided when the system is booted”,  0029, lines 8-10 – “FIG. 5 executes from initial RAM disk 485 until the kernel can decrypt encrypted partition 340 using the disk encryption key” – these process are during pre-boot and system control manger process is .exe. file execution mode which occurs after the booting process is completed.. 0029, lines 8-10- "The boot sequence shown in FIG. 5 executes from initial RAM disk 485 until the kernel can decrypt encrypted partition 340 using the disk encryption key."  –the preloaded part is used and the further execution waits until the system gets decryption key. 0030,lines 2-14 – “the kernel requests the secret value from Trusted Platform Module (TPM) 195 and receives a response at step 515”-  and when the request is made which is an entry point when system waits for the key to unlock the encrypted portion ];  including: (i) retrieving from a network-attached key management server one or more of a decryption key corresponding to an encrypted file, a decryption key corresponding to an encrypted folder, a decryption key corresponding to an encrypted data partition, or an access control policy, the retrieval of one or more of the decryption key or the access control policy from the network-attached key management server utilizing network services other than that initialized by the service control manager FIG. 5 executes from initial RAM disk 485 until the kernel can decrypt encrypted partition 340 using the disk encryption key” – attaching is done by retrieving one or more decryption keys which is also performed here  by decryption key to decrypt the encrypted partition and  [0022, lines 24-30 -“Some of the information handling systems shown in FIG. 2 depicts separate nonvolatile data stores (server 260 utilizes nonvolatile data store 265,…). The nonvolatile data store can be a component that is external to the various information handling systems or can be internal to one of the information handling systems.” – the data can be received from external device. Service control management process is execution of .exe. file execution time after booting, hence the preboot process run before the completion of booting, and execution of ] and (ii) if the decryption key corresponding to the encrypted file is retrieved, transmitting the decryption key corresponding to the encrypted file to an access control driver of the operating system, if the decryption key corresponding to the encrypted folder is retrieved, transmitting the decryption key corresponding to the encrypted folder to the access control driver, if the decryption key corresponding to the encrypted data partition is retrieved, transmitting the decryption key corresponding to the encrypted data partition to a disk filter driver of the operating system, and if the access control policy is retrieved, transmitting the access control policy to the access control driver [0030,lines 2-14 – “the kernel requests the secret value from Trusted Platform Module (TPM) 195 and receives a response at step 515…………If the secret value is released by the TPM, then decision 520 branches to the "yes" branch whereupon, at step 525, the kernel boot process uses the secret value to unlock (decrypt) a primary copy of the disk encryption key stored in metadata 335.” – It is inherent that disk filter is resided in the kernel which uses them to access the key. Furthermore 0023, lines 9-12- "crypto process metadata 345 that includes encrypted copies of a disk encryption key, and encrypted partition 340 which includes encrypted data that is accessed by the crypto process using the disk encryption key. "]; and 
resuming the user-mode startup of the operating system with at least one of the encrypted file, the encrypted folder, the encrypted data partition or the access control policy accessible to the operating system [ 0029, lines 10-14- “When the encrypted partition is available (after the disk encryption key is found by the kernel boot process as described below), the boot process is able to jump from executing code on the initial RAM disk to executing code residing on encrypted partition340”- which resumes the execution, the encrypted partition has to be accessed to the operating system for boot up otherwise system fails ].
But do not explicitly teach user mode startup. 
However, Xing et al [02160283404] teaches user mode startup [0021: “the control routine 131, the processor component 110 provides user mode support for a kernel mode application 200 so the kernel mode application 200 may interact with the secure enclave 300” and 0024: “the processor component 110 may additionally switch to user mode operation and process the confidential information 132 in the secure enclave 300 on behalf of the kernel mode application 200”] 
It would have been obvious to person of ordinary skill in the art before the effective filing date of the claimed invention to combine teaching of Shriver and Xing et al because 

Claim 8, 
Combination of Shriver and Xing teaches this claim according to the reasoning set forth in claim 1 supra


As to claim 15, 
Xing teaches  the access control driver communicatively couples a file system driver of the operating system with the one or more user- mode processes, and the disk filter driver communicatively couples the file system driver of the operating system with a disk driver of the operating system [0109: “kernel mode application is a full disk encryption application and the encrypted memory block includes the operating system loader, an operating system kernel, and/or an operating system boot driver”- boot drivers are associated with the operating system and 0031 : “the control routine 131 may include one or more of an operating system, device drivers and/or application-level routines……Where one or more device drivers are included, those device drivers may provide support for any of a variety of other components, whether hardware or software components of the computing device 100”- drivers are connected for the functionality] .


7, 14 and 16,   is/are rejected under 35 U.S.C. 103 as being unpatentable over Shriver [20120151199], in view of Xing et al [20160283404] , further in view of Ragyaan [20180204007]

As to claim 7,
Combination of Shriver and Xing teaches encryption of the data and decryption during boot up but do not explicitly teach receiving IP address from network. 

Howvever, Ragyaan [20180204007] teaches retrieval of the one or more decryption key corresponding to the encrypted file, the decryption key corresponding to the encrypted folder, the decryption key corresponding to the encrypted data partition, or the access control policy from the network-attached key management server comprises: determining an Internet Protocol (IP) address of a network interface of the computing system, wherein the IP address is either a static IP address that is retrieved from the operating system or is a dynamic IP address that is retrieved from a dynamic host configuration protocol (DHCP) server; initializing a transmission control protocol (TCP)/IP network stack with the IP address of the network interface; determining an IP address of the network-attached key management server, wherein the IP address of the network-attached key management server is either retrieved from a domain name system (DNS) server or is retrieved locally from the computing system; and retrieving, using the initialized TCP/IP network stack, the one or more of the decryption key corresponding to the encrypted file, the decryption key corresponding to the encrypted folder, the decryption key corresponding to the encrypted data partition or the access will activate the NIC and obtain an IP address, and using an embedded Ethernet Media Access Control (MAC) address of the PXE server”- activating is equivalent to initializing and NEC is network interface.  0024: “In an action 226, the processor(s) 122 execute the system BIOS 104 and transfer control to the PXE DHCP client 212 in the option ROM 210. In an action 228, the processor(s) 122 obtain the IP address and the PXE options file name and the next-server. In an action 230, the processor(s) 102 download the bootloader 220 to system memory 218” – when IP address is received and encryption keys are received network needs to be initialized first. and 0017: “The DHCP PXE options exchange can be reused for obtaining of the encryption key from the external key management server using Diffie Hellman key exchange. A bootloader can be downloaded from the PXE server that continues using the PXE client on the system being booted and sends further requests to the Key management server via the DHCP PXE options mechanism” and 0023: “The most commonly used options are A) the "filename" option, specified by the DHCP server 206 of the bootloader 220 file to download and B) the "next-server" option, indicating the server IP address to download the bootloader from.”  And [0034- 0037-: “Storing the remote server NIC Ethernet MAC address in the bootloader program or driver module. Using unicast Ethernet frames addressed only to the remote network server MAC address for the DHCP PXE option The decryption of encrypted boot volume or partition data including an OS kernel or OS bootloader program using the bootloader program or driver module. The execution and transfer of control by the bootloader program or driver module to the decrypted OS kernel or program”- after receiving decryption, kernel initializes and executes all the hardware/firmware/program along with network services of the decrypted Kernel] 

It would have been obvious to person of ordinary skill in the art before the effective filing date of the claimed invention to combine teaching of Shriver and Xing and Ragyaan because all are directed toward securely booting. Furthermore, Ragyaan teaches by receiving the encryption and decryption keys from networks such that if data is lost in the local device, the system can boot by being able to receive its data from network to smoothly run the system.


As to claim 14, 
Combination of Shriver and Xing teaches encryption of the data and decryption during boot up but do not explicitly teach receiving IP address from network. 
However Ragyaan [20180204007] teaches retrieval of the one or more decryption key corresponding to the encrypted file, the decryption key corresponding to the encrypted folder, the decryption key corresponding to the encrypted data partition, or the access control policy from the network-attached key management server comprises: determining an Internet Protocol (IP) address of a network interface of the computing network-attached key management server, wherein the IP address of the network-attached key management server is either retrieved from a domain name system (DNS) server or is retrieved locally from the computing system; and retrieving, using the initialized TCP/IP network stack, the one or more of the decryption key corresponding to the encrypted file, the decryption key corresponding to the encrypted folder, the decryption key corresponding to the encrypted data partition or the access control policy from the network-attached key management server using the IP address of the network- attached key management server [0028: 3-6-“the bootloader (e.g., MBR stage 1 bootloader 110 and stage 2 bootloader 112) and the bootloader driver module 502 are not encrypted, but the rest of the boot volume data is encrypted” and 0020: “This bootloader driver module will activate the NIC and obtain an IP address, and using an embedded Ethernet Media Access Control (MAC) address of the PXE server”- activating is equivalent to initializing and NEC is network interface.  0024: “In an action 226, the processor(s) 122 execute the system BIOS 104 and transfer control to the PXE DHCP client 212 in the option ROM 210. In an action 228, the processor(s) 122 obtain the IP address and the PXE options file name and the next-server. In an action 230, the processor(s) 102 download the bootloader 220 to system memory 218” – when IP address is received and encryption keys are received network needs to be initialized first. and 0017: “The DHCP PXE options exchange can be reused for obtaining of the encryption key from the external key management server using Diffie Hellman key exchange. A bootloader can be downloaded from the PXE server that continues using the PXE client on the system being booted and sends further requests to the Key management server via the DHCP PXE options mechanism” and 0023: “The most commonly used options are A) the "filename" option, specified by the DHCP server 206 of the bootloader 220 file to download and B) the "next-server" option, indicating the server IP address to download the bootloader from.”  And [0034- 0037-: “Storing the remote server NIC Ethernet MAC address in the bootloader program or driver module. Using unicast Ethernet frames addressed only to the remote network server MAC address for the DHCP PXE option negotiation. The decryption of encrypted boot volume or partition data including an OS kernel or OS bootloader program using the bootloader program or driver module. The execution and transfer of control by the bootloader program or driver module to the decrypted OS kernel or program”- after receiving decryption, kernel initializes and executes all the hardware/firmware/program along with network services of the decrypted Kernel] 

It would have been obvious to person of ordinary skill in the art before the effective filing date of the claimed invention to combine teaching of Shriver and Xing and Ragyaan because all are directed toward securely booting. Furthermore, Ragyaan teaches by receiving the encryption and decryption keys from networks such that if data is lost in the local device, the system can boot by being able to receive its data from network to smoothly run the system.

As to claim 16, 
Combination of Shriver and Xing teaches this claim according to the reasoning set forth in claim 1 supra. Furthermore, Ragyaan [20180204007] teaches determining an Internet Protocol (IP) address of a network interface of the computing system, wherein the IP address is either a static IP address that is retrieved from the operating system or is a dynamic IP address that is retrieved from a dynamic host configuration protocol (DHCP) server; initializing a transmission control protocol (TCP)/IP network stack with the IP address of the network interface; determining an IP address of a key management server, wherein the IP address of the key management server is either retrieved from a domain name system (DNS) server or is retrieved locally from the computing system; and retrieving, using the initialized TCP/IP network stack, the one or more decryption keys from the key management server using the IP address of the key management server; and after retrieving the one or more decryption keys, performing an initialization of network services, wherein the initialization of network services is performed by an operating system service; and in response to data from at least one of an encrypted data partition, data folder or data file of the data storage device being requested by a user-mode process of the operating system, decrypting, using the one or more decryption keys, the data from at least one of the encrypted data partition, data folder or data file.   [[0028: 3-6-“the bootloader (e.g., MBR stage 1 bootloader 110 and stage 2 bootloader 112) and the bootloader driver module 502 are not encrypted, but the rest of the boot volume data is encrypted” and 0020: “This bootloader driver module will activate the NIC and obtain an IP address, and using an embedded Ethernet Media In an action 226, the processor(s) 122 execute the system BIOS 104 and transfer control to the PXE DHCP client 212 in the option ROM 210. In an action 228, the processor(s) 122 obtain the IP address and the PXE options file name and the next-server. In an action 230, the processor(s) 102 download the bootloader 220 to system memory 218” – when IP address is received and encryption keys are received network needs to be initialized first. and 0017: “The DHCP PXE options exchange can be reused for obtaining of the encryption key from the external key management server using Diffie Hellman key exchange. A bootloader can be downloaded from the PXE server that continues using the PXE client on the system being booted and sends further requests to the Key management server via the DHCP PXE options mechanism” and 0023: “The most commonly used options are A) the "filename" option, specified by the DHCP server 206 of the bootloader 220 file to download and B) the "next-server" option, indicating the server IP address to download the bootloader from.”  And [0034- 0037-: “Storing the remote server NIC Ethernet MAC address in the bootloader program or driver module. Using unicast Ethernet frames addressed only to the remote network server MAC address for the DHCP PXE option negotiation. The decryption of encrypted boot volume or partition data including an OS kernel or OS bootloader program using the bootloader program or driver module. The execution and transfer of control by the bootloader program or driver module to the decrypted OS kernel or program”- after receiving decryption, kernel initializes and executes all the hardware/firmware/program along with network services of the decrypted Kernel] 

It would have been obvious to person of ordinary skill in the art before the effective filing date of the claimed invention to combine teaching of Shriver and Xing and Ragyaan because all are directed toward securely booting. Furthermore, Ragyaan teaches by receiving the encryption and decryption keys from networks such that if data is lost in the local device, the system can boot by being able to receive its data from network to smoothly run the system.


As to claim 21, 
Ragyaan teaches the operating system service is a Windows dynamic host configuration protocol (DHCP) client [0017: “The DHCP PXE options exchange can be reused for obtaining of the encryption key from the external key management server using Diffie Hellman key exchange. A bootloader can be downloaded from the PXE server that continues using the PXE client on the system being booted and sends further requests to the Key management server via the DHCP PXE options mechanism” and 0023: “The most commonly used options are A) the "filename" option, specified by the DHCP server 206 of the bootloader 220 file to download and B) the "next-server" option, indicating the server IP address to download the bootloader from.”- DHCP configuration is used].



Allowable Subject Matter

Claim 2-6, 9-13, and 17-20 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. 

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to KESHAB R PANDEY whose telephone number is (571)270-0176.  The examiner can normally be reached on Monday-Friday 9:00-5:00(ET).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jaweed A Abbaszadeh can be reached on (571)270-1640.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  






/KESHAB R PANDEY/Primary Examiner, Art Unit 2187