DETAILED ACTION
	This action is responsive to application filed on 04/14/2020. Claims 1-21 are pending and being considered. Claims 1 and 21 are independent. Thus, the claims 1-21 are rejected.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
This application is continuation of U.S. Patent Application No. 15/486,367, filed on April 13, 2017, and further claims priority to German Patent Application Serial No. DE 10 2016 106 871.3, which was filed on April 13, 2016.

Abstract
The abstract, filed on 04/14/2020, has been reviewed and accepted.

Drawings
The drawings (Figs. 1-6), filed on 04/14/2020, has been reviewed and accepted.

Specification
The disclosure, filed on 04/14/2020, is objected to because of the following informalities: paragraph numbers of the instant disclosure are not enclosed within brackets “[]”, such as the instant disclosure reads the paragraph numbers [0002], [0004], [0005] as [00021, [00041, [00051, respectively, and so on. Examiner suggests to 
Appropriate correction is required.

Claim Objections
Claim 17 is objected to because of the following informalities:
Claim 17, line 2: the claim recites “to a detect fault” which should have been “to detect a fault or to detect fault”.
Correction is required.

Claim Interpretation

The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 
The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “wherein the security module is configured to process…”, “wherein the security module is configured to compare…”, “wherein the security module is configured to verify”, “wherein the security module comprises a memory encryption unit”, “wherein the security module comprises on or more…”, “wherein the security module is configured to secure a communication…” and “wherein the security module is configured to secure the communication by means of providing…”, in claims 1 (last limitation), 2, 3, 7, 8, 18 and 19, respectively.
Because these claim limitation(s) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
In claims 1-3, 7-8, 18 and 19, examiner finds that the limitations “wherein the security module is configured to process…”, “wherein the security module is configured to compare…”, “wherein the security module is configured to verify..”, “wherein the security module comprises a memory encryption unit”, “wherein the security module comprises one or more…”, “wherein the security module is configured to secure a communication…” and “wherein the security module is configured to secure the communication by means of providing…”,  has support in specification paragraph [0070] and is disclosed as “wherein the security module includes at least one processor and at least one memory”. Therefore the claims 1-3, 7-8, 18 and 19 only invokes 35 U.S.C. 112 (f) or sixth paragraph, and are not rejected under 35 U.S.C 112(b). 


If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) 

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-21 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,637,647 B2 in view of Frank; Juergen et al. (US 2016/0070934 A1), hereinafter (Frank), and Westerinen; William J. et al. (US 2008/0148065 A1), hereinafter (Westerinen).

Instant Application 16/847,666
U.S. Patent Application 10,637,647 B2
Claim 1: A control device, comprising: an application core comprising a processor, a memory and a direct memory access controller; and 
a security module coupled to the application core via a computer bus; 


wherein the direct memory access controller is configured to: read data from the memory, 
generate, in response to reading data from the memory, a hash value from the data read from the memory, and 
provide the hash value to the security module via the computer bus; and wherein the security module is configured to process the hash value.
Claim 2: wherein the security module is configured to compare the hash value with a reference hash value.







Claim 5: wherein the security module comprises an interface to connect to the 
Claim 1: A control device, comprising: an
application core comprising a processor, a
 memory, a bridge, and a direct memory
access controller; and 
a security module coupled to the
application core via a computer bus
 coupling the bridge of the application core

wherein the direct memory access
controller is configured to read data 
from the memory, 
generate a hash value for the data and


provide the hash value to the security
module via the computer bus; and


wherein the security module is
configured to compare the hash value,
obtained from the direct memory access
controller, with a reference hash value and
to provide a report of the comparison to the
application core via the computer bus;
wherein the application core is further
configured to transmit the report obtained
from the security module to a peripheral 
component via the bridge, 
wherein the security module comprises an
interface to connect to the computer bus

interface and further components of the
security module.
Claim 3: wherein the security module is configured to verify an integrity of the data based on the hash value.
Claim 2: wherein the security module is configured to verify an integrity of the data based on the comparison of the hash value with the reference hash value and further configured to report to the processor via the computer bus, a result of the verification.
Claim 4: wherein the direct memory access controller is configured to provide the hash value to the security module via a private channel.
Claim 3: wherein the direct memory access controller is configured to provide the hash value to the security module via a private channel.
Claim 6: wherein the security module comprises at least one processor and at least one memory.
Claim 4: wherein the security module comprises at least one processor and at least one memory.
Claim 7: wherein the security module comprises a memory encryption unit.
Claim 5: wherein the security module comprises a memory encryption unit.
Claim 8: wherein the security module comprises one or more cryptographic accelerators.
Claim 6: wherein the security module comprises one or more cryptographic accelerators.
Claim 9: wherein the control device is a vehicle electronic control unit.
Claim 7: wherein the control device is a vehicle electronic control unit.
Claim 10: wherein the control device is configured to control a component of a vehicle.
Claim 8: wherein the control device is configured to control a component of a vehicle.
Claim 11: wherein the data are vehicle component control data.
Claim 9: wherein the data are vehicle component control data.
Claim 12: wherein the data are data to be sent to another control device connected to the control device by a second computer bus.




Claim 13: wherein the control device comprises a bridge to connect to the second computer bus.
Claim 16: wherein the computer bus is a
first computer bus and wherein the
application core further comprises a
second computer bus, wherein the
processor, memory, direct memory 
access controller and the bridge are directly coupled to the second bus of the application core, and wherein the
application core is configured to transmit
the data to a peripheral component via the
bridge and the first computer bus in
response to the report indicating

security module.
Claim 14: wherein the second computer bus is an in-vehicle bus.
Claim 17: wherein the first computer bus is an in-vehicle bus.
Claim 15: wherein the security module is a hardware security module.
Claim 10: wherein the security module is a hardware security module.
Claim 16: wherein the security module comprises a countermeasure against a physical attack.
Claim 11: wherein the security module comprises a countermeasure against a physical attack.
Claim 17: wherein the countermeasure is an active sensor to a detect fault and glitching attacks.
Claim 12: wherein the countermeasure is an active sensor to a detect fault and glitching attacks.
Claim 18: wherein the security module is configured to secure a communication between the memory and the direct memory access controller.
Claim 13: wherein the security module is configured to secure a communication between the memory and the direct memory access controller.
Claim 19: wherein the security module is configured to secure the communication by means of providing at least one cryptographic key for encrypting data exchanged between the memory and the direct memory access controller.
Claim 14: wherein the security module is configured to secure the communication by means of providing at least one cryptographic key for encrypting data exchanged between the memory and the direct memory access controller.
Claim 20: further comprising: a chip comprising the application core and the security module.
Claim 15: further comprising: a chip comprising the application core and the security module.
Claim 21: A method for securing data, the method comprising: 
reading, by a direct memory access controller, data from a memory of an application core which comprises the memory, the direct memory access controller and a processor; 
generating, by the direct memory access controller in response to reading data from the memory, a hash value from the data read from the memory; and providing the hash value to a security module via a computer bus coupling the application core and the security module.
Claim 18: A method for securing data, the
method comprising:
reading, by a direct memory access
controller, data from a memory of an
application core which comprises the
memory, the direct memory access
controller, a bridge, and a processor;
generating, by the direct memory access
controller, 
a hash value for the data; 
		
providing the hash value to a security
module via a computer bus coupling the
bridge of the application core and the
security module; comparing, by the
security module, the hash value with a
reference hash value; providing, by the 
security module, a report of the
comparison to the application core
via the computer bus; and transmitting

application core to a peripheral component
via the bridge, wherein the security
module comprises an interface to connect 
to the computer bus and a firewall
arranged between the interface and
further components of the security
module.


All the limitations of independent claims 1 and 21 are taught by the patent application except for the underlined limitation(s) such as “generate, in response to reading data from the memory, a hash value from the data read from the memory,” and “wherein the security module is configured to process the hash value”, which are taught by Frank and Westerinen, respectively. Such as,
Frank teaches to generate, in response to reading data from the memory, a hash value from the data read from the memory (see Frank, Fig. 2b and Para. [0023], wherein a HASH engine 32, within memory controller 10, is used to calculate the HASH value CH representative for the data in the non-volatile flash memory 17),
Westerinen teaches the limitation wherein the security module is configured to process the hash value (Westerinen, Fig. 4 and Para. [0029], discloses a block diagram view of a security module (SM) 400. In which a smart chip 412 may be part of the SM 400 and may be connected to the multi-function chip 402 via an interface 414, such as an ISO 7816 interface, known in the art. The smart chip 412 may include a 
Furthermore, all the limitations of dependent claims 2-11 and 13-20 are taught by the patent application except for the limitation “wherein the data are data to be sent to another control device connected to the control device by a second computer bus.” of dependent claim 12, which is further disclosed in Frank (Para. [0019, 0023 and 0027]). See rejection below.

Claim Rejections - 35 U.S.C. 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or non-obviousness.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious 

Claims 1- 4, 6-12, 15- 16 and 18- 21 are rejected under 35 U.S.C. 103 as being unpatentable over Westerinen; William J. et al. (US 2008/0148065 A1), hereinafter (Westerinen), in view of Frank; Juergen et al. (US 2016/0070934 A1), hereinafter (Frank).

As per claim 1, Westerinen teaches a control device, comprising: an application core comprising a processor, a memory and a direct memory access controller (Westerinen, Para. [0003], discloses a computer or electronic device adapted for metered use uses a security module to provide storage for the system BIOS, and see also Fig. 3, illustrates a processor 302, memory/graphic interface 304 and an I/O interface 310 which may include a direct memory access (DMA) controller 312 of an application as disclosed in Para. [0026]); and 
a security module coupled to the application core via a computer bus (Westerinen, Fig. 3 and Para. [0026], discloses that a security module (SM) 320 is shown coupled to the I/O controller 310 via a first interface 322. The SM 320 may also have a direct connection to the DMA controller 312 via a second interface 324, as shown in fig. 3, (where the interface can be a system bus i.e., , ISA bus, MCA bus, EISA bus, VESA bus, SPI bus, etc., as disclosed in Para. [0016]). In other embodiments, the SM 320 may be coupled directly to the processor 302, but access to the memory 306 or DMA controller without processor intervention, while not essential, may increase the security of the application, or see also Para. [0029], discloses a multifunction circuit 402 ); 
wherein the direct memory access controller is configured to: read data from the memory (Westerinen, Para. [0004], discloses that the security module may use its access to the DMA controller to write a pattern into the restricted memory and later read back the pattern to ensure that the memory is not in use by other, unauthorized programs (In other words, DMA can read and write data from the memory)), 
wherein the security module is configured to process the hash value (Westerinen, Fig. 4 and Para. [0029], discloses a block diagram view of a security module (SM) 400. In which a smart chip 412 may be part of the SM 400 and may be connected to the multi-function chip 402 via an interface 414, such as an ISO 7816 interface, known in the art. The smart chip 412 may include a cryptographic engine 416 for performing cryptographic functions as well as secure storage for cryptographic keys 418 and intermediate results, such as hash values and digital signatures 420).
However Westerinen fails to explicitly disclose but Frank from the same field of technology teaches generate, in response to reading data from the memory, a hash value for the data read from the memory, and provide the hash value to the security module via the computer bus (Frank, Fig. 2b and Para. [0023], discloses that a HASH engine 32, within memory controller 10, is used to calculate the HASH ); and 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation to generate, in response to reading data from the memory, a hash value for the data read from the memory, and provide the hash value to the security module via the computer bus, as taught by Frank, in order to provide a secure functioning of the electronic system, among other electronic units, by controlling, verifying and protecting the data of the memory unit from unauthorized access or manipulation; Frank, Para. [0001-0003].

As per claim 2, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the security module is configured to compare the hash value with a reference hash value (Frank, Para. [0023], discloses that after receiving the calculated HASH value CH from the non-volatile flash memory 17 or the HASH engine 32 of the memory controller 10 and retrieving the pre-stored HASH value PH from the secure memory unit 20, the HSM 37 compares the calculated HASH value CH with the pre-stored HASH value PH).


As per claim 3, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the security module is configured to verify an integrity of the data based on the hash value (Frank, Para. [0021 and 0028], discloses that the HSM may usually include one or more processors dedicated for carrying out secure cryptographic operations with which data is protected against tampering and bus probing, such as by comparing the calculated hash value CV with the pre-stored value PV to verify the authenticity of data stored in a memory unit).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation the security module is configured to verify an integrity of the data based on the hash value, as taught by Frank, in order to provide a secure electronic system in which the calculated value is compared with the pre-stored value to verify the authenticity of the data stored in the memory unit; Frank, Abstract.

4, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen in Para. [0003 and 0026], discloses that the security module may communicate to a direct memory access (DMA) controller through a second communication port, allowing the security module to access memory without processor intervention, which may increase the security of the application but fails to teaches that the direct memory access controller is configured to provide the hash value to the security module via a private channel wherein Frank further teaches the direct memory access controller is configured to provide the hash value to the security module via a private channel (Frank, Fig. 2b and Para. [0023], discloses that the calculated HASH value CH is offered as a read-only value to the HSM 37. The read-only value of the calculated HASH value CH may be made available to the HSM 37 via a register interface (i.e., via a private channel) implemented in an integrated part of the memory controller 10 indicated in FIG. 2b with a dashed line embedding the non-volatile flash memory 17 with the HASH engine 32. The HSM 37 may communicate within the memory controller by means of the same crossbar switch XBAR or the suitable type of system bus).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation wherein the direct memory access controller is configured to provide the hash value to the security module via a private channel, as taught by Frank, in order to provide a secure functioning of the electronic system, among other electronic units, by controlling, verifying and protecting the data of the memory unit from unauthorized access or manipulation; Frank, Para. [0001-0003].

As per claim 6, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen further teaches the security module comprises at least one processor and at least one memory (Westerinen, Para. [0003], discloses that the security module may also contain a processor, secure storage, and cryptographic functions).

As per claim 7, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen further teaches the security module comprises a memory encryption unit (Westerinen, Fig. 4 and Para. [0029], discloses that a smart chip 412 may be part of the SM 400 and may be connected to the multi-function chip 402 via an interface 414, such as an ISO 7816 interface, known in the art. The smart chip 412 may include a cryptographic engine 416 for performing cryptographic functions (i.e., encryption and decryption) as well as secure storage for cryptographic keys 418 and intermediate results, such as hash values and digital signatures 420).

As per claim 8, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank teaches the security module comprises one or more cryptographic accelerators (Frank, Para. [0021], discloses that the HSM may usually include one or more processors (i.e., accelerators) dedicated for carrying out secure cryptographic operations with which data is protected against tampering and bus probing).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation wherein the security module comprises 

As per claim 9, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the control device is a vehicle electronic control unit (Frank, Para. [0019], discloses a larger system controlling a network of devices interacting with each other. For example the MCUs and transceivers controlling the electrical features in a vehicle such as switching on/off indoor or outdoor lights, lifting-up/sliding down electrical windows, etc.).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation wherein the control device is a vehicle electronic control unit, as taught by Frank, in order to provide a secure functioning of the vehicle safety system i.e., the safety system may be a vehicle’s electronic breaking system; Frank, Para. [0027].

As per claim 10, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the control device is configured to control a component of a vehicle (Frank, Para. [0019], discloses to control electrical features of a vehicle such as indoor or outdoor lights, electrical windows, etc.).


As per claim 11, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the data are vehicle component control data (Frank, Para. [0019], discloses the instructions for the operations of these devices may be related for example to switching on/off indoor or outdoor lights, lifting-up/sliding down electrical windows, etc. The data DATA in the first memory unit 15 may consist of said instructions for the operations of the devices in the network).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation wherein the data are vehicle component control data, as taught by Frank, in order to provide a secure functioning of the electronic system, among other electronic units, by controlling, verifying and protecting the data of the memory unit from unauthorized access or manipulation; Frank, Para. [0001-0003].

As per claim 12, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the data are data to be sent to another control device connected to the control device by a second computer bus (Frank, Para. [0019], discloses that the memory controller 10 of FIG. 1a may be part of a larger system controlling a network of devices interacting with each other and wherein the memory controller 10 gives instructions for operations and timing of operations to be performed by each of the devices in the network. In a context of automotive applications the memory controller 10 may be for example part of a MCU (Microcontroller Unit) and the devices in the network may be CAN (Control Area Network) or LIN (Local Interconnect Network) transceivers or other MCUs. These transceivers are controlling electrical features in a vehicle such as indoor or outdoor lights, electrical windows, etc. In this case the instructions for the operations of these devices may be related for example to switching on/off indoor or outdoor lights, lifting-up/sliding down electrical windows, etc. The data DATA in the first memory unit 15 may consist of said instructions for the operations of the devices in the network, and as disclosed in Para. [0027], the MCU 5 may be part of an automotive vehicle and in particular of a safety system embedded in the automotive vehicle. The safety system may include a plurality of MCU 5. The safety system may be for example a break system. The break system may receive a break command from a central node which may be another MCU 5, and as further disclosed in Para. [0023], wherein the MCU 5 may work with a slower clock or produce a large jitter on the crossbar switch XBAR or the suitable type of system bus (i.e., second computer bus)).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation to provide wherein the data are data to 

As per claim 15, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the security module is a hardware security module (Frank, Fig. 2b, illustrates a HSM 37).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation wherein the security module is a hardware security module, as taught by Frank, in order to provide a secure functioning of the electronic system, among other electronic units, by using a HSM in the second processing unit 35, security of the memory controller 10 and of the start-up of the memory controller 10 and the first memory unit 15 is further improved; Frank, Para. [0021].

As per claim 16, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen fails to explicitly disclose but Frank further teaches the security module comprises a countermeasure against a physical attack (Frank, Para. [0027], discloses that the MCU 5 may be part of an automotive vehicle and in particular of a safety system embedded in the automotive vehicle. The safety system may include a plurality of MCU 5. The safety system may be for example a break ).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation to wherein the security module comprises a countermeasure against a physical attack, as taught by Frank, in order to provide a secure functioning of the vehicle electronic system, among other electronic units, by using a HSM in the second processing unit 35, and wherein security of the memory controller 10 and of the start-up of the memory controller 10 and the first memory unit 15 is further improved. The HSM may usually include one or more processors dedicated for carrying out secure cryptographic operations with which data is protected against tampering and bus probing; Frank, Para. [0021].

As per claim 18, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen further teaches the security module is configured to secure a communication between the memory and the direct memory access controller (Westerinen, Para. [0004], discloses to enforce the restrictions on memory, the security module may use its access to the DMA controller to write a pattern into the restricted memory and later read back the pattern to ensure that the memory is not in .

As per claim 19, Westerinen as modified by Frank teaches the control device of claim 18, wherein Westerinen further teaches the security module is configured to secure the communication by means of providing at least one cryptographic key for encrypting data exchanged between the memory and the direct memory access controller (Westerinen, Para. [0004], discloses to enforce the restrictions on memory, the security module may use its access to the DMA controller to write a pattern into the restricted memory and later read back the pattern to ensure that the memory is not in use by other, unauthorized programs. Because a substantial amount of memory may be involved, a cryptographic algorithm may be used to generate the pattern or verify the original contents. The cryptographic algorithm allows use of a fast block cipher, such as the Advanced Encryption Standard (AES) algorithm, to generate patterns by address, or patterns from a known seed).

As per claim 20, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen further teaches: further comprising: a chip comprising the application core and the security module (Westerinen, Para. [0023], discloses that the security module 125 may be instantiated in more than one manner. When implemented by one or more discrete components, the isolated computing environment ).

As per claim 21, Westerinen teaches a method for securing data, the method comprising: reading, by a direct memory access controller, data from a memory of an application core which comprises the memory, the direct memory access controller and a processor (Westerinen, Para. [0004], discloses that the security module may use its access to the DMA controller to write a pattern into the restricted memory and later read back the pattern to ensure that the memory is not in use by other, unauthorized programs (In other words, DMA can read and write data from the memory), or see also Para. [0024], discloses that the DMA controller 312, in conjunction with the I/O controller may allow memory to be accessed with the intervention or involvement of the processor 312); 
However Westerinen fails to explicitly disclose but Frank from the same field of technology teaches generating, by the direct memory access controller in response to reading data from the memory, a hash value from the data read form the memory; and providing the hash value to a security module via a computer bus coupling the application core and the security module (Frank, Fig. 2b and Para. [0023], discloses that a HASH engine 32, within memory controller 10, is used to calculate the HASH value CH representative for the data in the non-volatile flash ).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Frank’ into the teachings of ‘Westerinen’, with a motivation for generating, by the direct memory access controller in response to reading data from the memory, a hash value from the data read form the memory, and providing the hash value to a security module via a computer bus coupling the application core and the security module, as taught by Frank, in order to provide a secure functioning of the electronic system, among other electronic units, by controlling, verifying and protecting the data of the memory unit from unauthorized access or manipulation; Frank, Para. [0001-0003].

Claims 5 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Westerinen in view of Frank, as applied above, and further in view of Chou et al. (US 2011/0191599 A1), hereinafter (Chou).

As per claim 5, Westerinen as modified by Frank teaches the control device of claim 1, wherein Westerinen further teaches the security module comprises an interface to connect to the computer bus (Westerinen, Para. [0029], discloses one or ) 
However Westerinen as modified by Frank fails to explicitly disclose but Chou from the same field of technology teaches wherein the security module comprises an interface to connect to the computer bus and a firewall arranged between the interface and further components of the security module (Chou, Fig. 1 and Para. [0021], discloses that the HSM 20 includes a security interface 24, and/or as disclosed in Para. [0036], for HSM 20 of FIG. 3, IPC/Msg RAM module 61 (i.e., operates as an interface, as disclosed in Para. [0035]) and bus 72 reside within the hardware boundary 50, but shown residing outside of secure zone 80 (i.e., hereinafter secure boundary or firewall, as disclosed in Para. [0028]), since IPC/Msg RAM module 61 is accessible by non-secure components outside of HSM 20 boundary. That is, all accesses in and out of HSM 20 are routed via IPC/Msg RAM module 61 when in the secure mode of operation, in order to control accesses to HSM 20 by non-secure components that reside outside of HSM 20. Thus, similar to security interface 24 of FIG. 1, IPC/Msg RAM module 61 controls the ingress and egress of instructions and/or data between components within HSM 20 and components outside of HSM 20. (In other words, the dashed-line box 80 shown in Fig. 3 represents the actual secure domain boundary which secures/separates the secure components included in HSM 20 such as HSM processor 51, HSM Boot ROM 52, HSM RAM 53, HSM watchdog and timers module 57, RNG (random number generator) 58, HSM configuration module 59, PKA (Public Key Accelerator) module 56, OTP (One Time Programmed memory) 54, KEK (Key-).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Chou’ into the teachings of ‘Westerinen’ as modified by ‘Frank’, with a motivation wherein the security module comprises an interface to connect to the computer bus and a firewall arranged between the interface and further components of the security module, as taught by Chou, in order to control accesses to HSM 20 by non-secure components that reside outside of HSM 20; Chou, Para. [0036].

As per claim 13, Westerinen as modified by Frank teaches the control device of claim 12, wherein Westerinen as modified by Frank fails to explicitly disclose but Chou from the same field of technology teaches the control device comprises a bridge to connect to the second computer bus (Chou, Fig. 1 and Para. [0020], disclsoes that aside from HSM 20, device 10 may have a variety of circuits, components and/or devices. FIG. 1 shows one example system 10 in which a number of components are shown. The shown device 10 includes a processor 11 (shown as a central processing unit or CPU), DMA (direct memory access) component 12, ROM (read-only-memory) 13, RAM (random-access-memory) 14, which are all coupled to bus 16. Other components, such as a memory controller, cache memory, bus controller and interfaces, bridges, etc. are not shown, but may be present in other embodiments which are all coupled to bus 16, as further disclosed in Fig. 3 and Para. [0033], although a single bus 41 is shown, other embodiments may use multiple or nested buses with bridge or interface units disposed between the buses).
.

Claims 14 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Westerinen in view of Frank, as applied above, and further in view of Hendrik Schweppe (Security and Privacy in Automotive On-Board Networks, Submitted on 27 May 2015), hereinafter (Hendrik).

As per claim 14, Westerinen as modified by Frank teaches the control device of claim 12, wherein Westerinen as modified by Frank fails to explicitly disclose but Hendrik further teaches the second computer bus is an in-vehicle bus (Hendrik, Page 10 & Figure 2.1 (b), discloses a CAN bus and electronic components of BMW F800 motorbike, and/or see also Hendrik, Page 79 & Figure 5.2, illustrates that the plurality of ECUs are connected through CGW using CAN bus (L) and CAN bus (H)).
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Hendrik’ into the teachings of ‘Westerinen’ as modified by ‘Frank’, with a motivation wherein the second computer bus is an in-vehicle bus, as taught by Hendrik, in order to provide a secure in-vehicle networks by using the in-vehicle buses such as the controller area 

As per claim 17, Westerinen as modified by Frank teaches the control device of claim 16, wherein Westerinen as modified by Frank fails to explicitly disclose but Hendrik further teaches the countermeasure is an active sensor to a detect fault and glitching attacks (Hendrik, Page 173- 175, discloses the intrusion detection sensors). 
Thus it would have been obvious to one ordinary skilled in the art before the effective filling date of the claimed invention to implement the teachings of ‘Hendrik’ into the teachings of ‘Westerinen’ as modified by ‘Frank’, with a motivation wherein the countermeasure is an active sensor to a detect fault and glitching attacks, as taught by Hendrik, in order to provide a security mechanisms for preventing and detecting attacks and intrusions, as well as approaches to intrusion response and containment; Hendrik, Page 20 (First Paragraph).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
1.	Chou; Paul et al. (US 20150052367 A1), the present invention relates generally to processing devices and, more particularly, to confining a security key or keys for authentication to a boundary established by hardware circuitry, in which traffic in and out of the boundary is only through a designated secure interface.

3.	Wang; Qiyan (US 9792440 B1), this invention relates to a secure boot for vehicular systems.
4.	Sharma; Aditya Pratap et al. (US 20160110297 A1), this disclosure relates to a storage module, host, and method for securing data with application information.
5.	Sahita; Ravi et al. (US 20080059811 A1), the present disclosure generally relates to the field of electronics. More particularly, an embodiment of the invention relates to techniques for provision of tamper resistant networking in a computing system.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Monday-Friday: 8:00AM – 4:00PM.
 If attempts to reach the examiner by telephone are unsuccessful, the examiner’s
supervisor, Jeffrey Pwu can be reached on 571-272-6798. The fax phone number for
the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published
applications may be obtained from either Private PAIR or Public PAIR. Status

more information about the PAIR system, see http://pair-direct.uspto.gov. Should you
have questions on access to the Private PAIR system, contact the Electronic Business
Center (EBC) at 866-217-9197 (toll-free).If you would like assistance from a USPTO
Customer Service Representative or access to the automated information system, call
800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2433	

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498