Detailed Action

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This is in response to Application with case number 16/454,476, filed on 6/27/2019 in which claims 1-20 are presented for examination.
Status of Claims
	Claims 1-20 are pending, of which claims 1, 13 and 17 are in independent form.
Specification
The examiner notes that the Specification does not include any URL links and Trademark terms requiring capitalization.
The examiner notes that the abstract is in narrative form and is limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The examiner also notes that Abstract includes no legal phraseology.
Claim 13 directed to an integrated circuit, comprising a memory encryption engine module comprising circuitry and thus meets the requirements of 35 USC section 101. The circuitry is a hardware component.
Claim 17 directed to a microprocessor, comprising one or more cores and thus meets the requirements of 35 USC section 101. The core is a hardware component.
The examiner notes no claims invokes 35 USC § 112 6th paragraph.
Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:



Claims 2 and 3 recite(s) the limitation "the MEE logic" in the first line of each claim.  There is insufficient antecedent basis for this limitation in the claim.
Claim 15 recites the limitation, “the interconnect," in the second line of the claim.  There is insufficient antecedent basis for this limitation in the claim.
Claim 16 recites the limitation “n" in the first line of claim 16.  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 2, 3, 8, 13 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Chhabra et al. (US 2019/0044729 A1) Chhabra.
As to claim 1, Chhabra teaches a computing system, comprising:
a processor (see Fig. 2, processor 210 and para. [0031]); 
a memory (see main memory 220 in Fig. 2 and para. [0033]); and
see Fig. 2, MEE 250 and para. [0033]) comprising circuitry and logic to: 
allocate a protected isolated memory region (IMR) (see para. [0035] “…cache lines of data in pages of memory within the protected region 225 may be allocated for use in connection with secure enclaves implemented using a computing system equipped with functionality such as introduced in the example of FIG. 2.”) and [0068] “…protected memory regions may be allocated for use by secure enclaves governed using MEE hardware.”); 
encrypt the protected IMR (see para. [0033] “In one embodiment, the MEE 250 is located between the last level cache 265 and the memory controller 230 to perform encryption, decryption and authentication of the data lines moving in and out of a protected region 225 of the main memory 220.”, [0040] “…the entirety of the MEE region may be referred to as the protected or secured memory region. Read/write requests to the protected region may be routed by the memory controller 230 to the MEE 250, which encrypts (or decrypts) the data before sending (fetching) it to (from) the DRAM.” and [0057] “…an MEE may employ encryption to the MEE region.”);
set an access control policy to allow access to the IMR by a device identified by a device identifier (see para. [0034] “The MEE 250 performs counter mode encryption in which the encryption seed (or "version" value) is unique to a data line both temporally and spatially. As described before, spatial uniqueness can be achieved by using the address of the data line to be accessed, while temporal uniqueness can be achieved by using a counter that serves as the version of the data line. In one embodiment, the MEE 250 also protects the data lines in the protected region 225 of the main memory 220 using a counter tree structure (also referred to herein as "replay integrity tree", "replay tree", and "integrity tree"). The MEE may also preserve integrity of protected data (and lines of the counter tree structure) through message integrity codes, such as message authentication codes (MACS). The versions of the data lines are part of this counter tree structure. An embodiment of the counter tree structure is described, for instance, in association with FIG. 4, as set forth below.” and [0036] “A set of CPU instructions may be provided with the platform, which are supported by a hardware-based access control mechanism to provide for loading application code and data from memory”); and
upon receiving a memory access request directed to the IMR, enforce the access control policy (see para. 0056] “The MEE hardware computes the addresses of all tree nodes for a particular access on admittance of the memory request to the MEE engine.”, [0066] “when processing a request involving a line of data from a protected memory page, the MEE may perform a tree walk of an integrity tree to validate security of the data. For instance, on admitting 805 a request, the MEE hardware may compute 810 the address of the indirection directory for the physical page on which the request resides. Using the indirection directory value (a pointer to the corresponding security metadata page), the MEE may retrieve 815 metadata (e.g., the MAC and VER) for the request that is not in fixed, stolen memory. For instance, the MEE may identify the address of the security metadata page from the indirection directory and extract the MAC and VER lines for the memory access.”).
As to claim 13, limitations of claim 13 are similar to claim 1 and thus claim 13 is rejected under the same rationale as claim 1.
As to claim 2, in view of claim 1, Chhabra teaches wherein the MEE logic is further to deny access to any device not identified by the device identifier (see para. [0033] and [0034] “According to one embodiment of the invention, the MEE 250 includes logic implemented in hardware circuitry and/or firmware to process multiple memory read requests in parallel to improve the access latency to the protected region 225. The MEE 250 performs counter mode encryption in which the encryption seed (or "version" value) is unique to a data line both temporally and spatially. As described before, spatial uniqueness can be achieved by using the address of the data line to be accessed, while temporal uniqueness can be achieved by using a counter that serves as the version of the data line.”).
As to claim 3, in view of claim 1, Chhabra teaches wherein the MEE logic is further to receive a plurality of device identifiers for a plurality of devices, and permit access to the IMR only to the plurality of devices (see para. [0033] and [0034] “According to one embodiment of the invention, the MEE 250 includes logic implemented in hardware circuitry and/or firmware to process multiple memory read requests in parallel to improve the access latency to the protected region 225. The MEE 250 performs counter mode encryption in which the encryption seed (or "version" value) is unique to a data line both temporally and spatially. As described before, spatial uniqueness can be achieved by using the address of the data line to be accessed, while temporal uniqueness can be achieved by using a counter that serves as the version of the data line.”)
 As to claim 8, in view of claim 1, Chhabra teaches further comprising processor microcode to implement the SET_POLICY instruction (see para. [0065]).

Claim(s) 1, 5-7, 13, 14, 16-20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hunt (US 2019/0182040 A1) Hunt.
As to claim 17, Hunt teaches a microprocessor (see Fig. 1, Processor 102 or compute complex 108 and 110in Fig. 2), comprising: 
one or more cores (see Figs. 1 or 2, cores 112, 114, 116, 118 or 120, 122, 124, and 126); and
a register file (see compute complex interface 130 in Fig. 1) including one or more memory policy registers configured to hold a memory range for an encrypted memory region (see para. [0008] “Because there must always be a mapping within a compute complex for any line in the security key identifier map which maps to an encrypted address, an incoming probe which does not match any mappings in the security key identifier map can be responded to with a cache miss without any cache access/tag check.” – The examiner considers the security key identifier map as equivalent to the instant application’s register file or memory policy registers.), and at least one authorized device identifier authorized to access the encrypted memory region (see para. [0020] “in some embodiments the cache (not shown) stores, for each storage location of a given size (e.g., a cache line), entity tag information identifying a particular program or other entity (e.g., a VM) that is authorized to access the information at the storage location.” and para. [0021] “Each compute complex (e.g., compute complexes 108, 110) includes its own KeyID mapping table that tracks the KeyIDs active in a given compute complex at a given time. For example, as illustrated in FIG. 1, compute complex 108 includes a KeyID mapping table 142 at compute complex interface 130 that tracks the KeyIDs assigned to each guest OS/virtual processor executing at compute cores 112-118.”- The examiner notes that the keyID is associated with a certain memory region protected by encryption using an encryption key corresponding to the KeyID.; see also para. [0022] It is noted that memory controller 134 translates the system-level keyID into local real encryption key(s).); and
logic to program a memory encryption engine (MEE) (e.g., memory controller 134 equipped with keys 138 and encryption module 136 as shown in Fig. 1) with a memory access policy according to the range for the encrypted memory region and the at least one authorized device identifier (see para. [0017-[0020] and claim 6 “respond, based on a determination of whether a security key identifier map of the first compute complex includes a mapping of the system-level security key identifier to a local-level security key identifier, to the memory access request”]).
As to claim 18, in view of claim 17, Hunt teaches further comprising providing a memory policy set instruction, wherein the memory policy set instruction is to receive a range of the encrypted memory region and the at least one authorized device identifier (see para. [0017]-[0020]; It is noted that upon receiving a memory access request with access type with memory address, the compute complex interface 130 checks KEYID MAP to verify there is entry mapping the KEYID into an encryption key where the encryption key is assigned to an authorized entity with the corresponding KEYID that can access the encrypted memory region.) and to program the MEE according to the range of the encrypted memory and the at least one authorized device identifier (see para. [0020] “in some embodiments the cache (not shown) stores, for each storage location of a given size (e.g., a cache line), entity tag information identifying a particular program or other entity (e.g., a VM) that is authorized to access the information at the storage location.”).
As to claim 19, in view of claim 18, Hunt teaches wherein the memory policy set instruction is to receive a plurality of device identifiers authorized to access the range (see para. [0029], e.g., use/checking of KeyID Map 142 and 144).
As to claim 20, in view of claim 18, Hunt teaches wherein the memory policy set instruction is to receive a range of device identifiers authorized to access the range of encrypted memory (see para. [0020] “in some embodiments the cache (not shown) stores, for each storage location of a given size (e.g., a cache line), entity tag information identifying a particular program or other entity (e.g., a VM) that is authorized to access the information at the storage location”).
As to claim 1, limitations of claim 1 are similar to claim 17 and thus claim 1 is rejected under the same rationale as claim 17.
As to claim 5, in view of claim 1, Hunt teaches wherein the MEE is a partial scope MEE (see memory controller 134 with encryption module 136 that can take on one of the core 112…126).
As to claim 6, in view of claim 1, Hunt teaches wherein the processor comprises one or more access policy registers (see Fig. 1, KEYID MAP 142 and 144) and circuitry and logic to set the access control policy of the MEE according to the access policy registers (see para. [0020] and [0029]).
As to claim 7, in view of claim 1, Hunt teaches wherein the processor comprises logic to provide a SET_POLICY instruction, the SET_POLICY instruction to provide a software-accessible means for setting the access control policy (see para. [0021] “Accordingly, to reduce hardware overhead necessary for keeping track of KeyIDs, the processing system 100 implements security key remapping in which the KeyID mapping tables 142, 144 maps the KeyIDs used at the memory controller 134 (hereinafter referred to as "system-level KeyIDs") to a smaller, local-level KeyID (i.e., local to the compute complexes) requiring fewer bits.”).
As to claim 13, Hunt teaches an integrated circuit (see Fig. 1, processor 102 and para. [0010]), comprising:
a memory encryption engine (MEE) module comprising circuitry to encrypt all or a portion of a main memory (see encryption module 136 in Fig. 1 and para. [0016] and para. [0017] “The encryption module 136 employs the selected key to encrypt the information to be written and provides the write request, with the encrypted information, to the memory 104 for storage. In some embodiments, the encryption module 136 uses both the selected key and the physical address of the memory access request for encryption and decryption of the corresponding information thereby preventing block move attacks.”; see also para. [0019]), and to identify within the encrypted memory a range of memory as an isolated memory region (IMR) (see para. [0020]-[0023] and [0029] “The memory controller 134 attempts to locate a copy of the data targeted by that memory access request (which may be cached in a different compute complex) by issuing a cache probe to other compute complexes (i.e., compute complex 110 in FIG. 3) prior to retrieving the data from memory (e.g., memory 104 of FIG. 1). The cache probe to compute complex 110, which includes the 8-bit system-level KeyID and the address targeted by the memory access request, is received at the compute complex interface 132.”);
a memory policy set module comprising circuitry to receive an authorized device identifier (e.g., KeyID), and to associate the authorized device identifier with the IMR as a device authorized to access the IMR (see para. [0017-[0020] and claim 6 “respond, based on a determination of whether a security key identifier map of the first compute complex includes a mapping of the system-level security key identifier to a local-level security key identifier, to the memory access request”.); and
a memory policy enforcement module comprising circuitry to receive an access request directed to a memory location within the range of the IMR, including a requesting device identifier, and to allow the access request only if the requesting device identifier matches the authorized device identifier (see para. [0020] “in some embodiments the cache (not shown) stores, for each storage location of a given size (e.g., a cache line), entity tag information identifying a particular program or other entity (e.g., a VM) that is authorized to access the information at the storage location.” and [0029]
As to claim 14, in view of claim 13, Hunt teaches wherein the memory policy enforcement module further comprises circuitry to determine that the requesting device identifier does not match the authorized device identifier, and to drop the access request (see para. [0017]-[0020]; It is noted that upon receiving a memory access request with access type with memory address, the compute complex interface 130 checks KEYID MAP to verify there is entry mapping the KEYID into an encryption key where the encryption key is assigned to an authorized entity with the corresponding KEYID that can access the encrypted memory region.)
As to claim 16, in view of claim 13, Hunt teaches wherein n = 16 (see para. [0027] “In other embodiments, a system-level KeyID having more than 8-bits is used to support more than 256 unique KeyIDs for the processing system 100.”).
Allowable Subject Matter
Claims 4, 9-12, 15 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.







Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE K SONG whose telephone number is (571)270-3260. The examiner can normally be reached on M-F 9:00 am – 5:00 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867 .  The fax phone number for the organization where this application or proceeding is assigned is 571-273-7291.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/HEE K SONG/Examiner, Art Unit 2497