DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 2, 4, 9-12, 14, 17 and 19-20 are pending in this application.
Claims 1, 4, 11 and 14 are currently amended.
	Claims 3, 5-8, 13, 15, 15 and 18 are cancelled.
No new IDS has been submitted.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4, 9-12, 14, 17, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Mao et al. (Patent No.: US 8,176,336 B1) (hereinafter, “Mao”) in view of Bealkowski et al. (Pub. No.: US 2013/0151831 A1) (hereinafter, “Bealkowski”) in view of Hanna (Pub. No.: US 2010/0070800 A1).

As to claim 1, Mao discloses an apparatus for booting a virtual machine, comprising a processor configured to include: 
an access unit for accessing a virtual disk corresponding to a virtual machine that exists in a virtualization area and controlling input and output of data stored in the virtual disk (“The ATCB 80 may be, in the example configuration, a hypervisor operable for serving multiple users 14-N in a partitioned address space with a dedicated operating system (OS). The ATCB 80 includes a privileged area 93 in the system software stack having privileged registers accessible only to certain accesses from other processes running at a privileged, or kernel, level. In architectures that impose a so-called "layered" structure, the system software stack 93 is the next layer above the hardware, thus providing the most secure arrangement. This privileged area 93 therefore allows a trust level to be ascertained by the TPM 90 at bootstrapping time and ensured during ongoing servicing time (runtime) due to the access controls of the privileged area 93.” –e.g. see, col. 7, lines 1-11; herein a hypervisor is equivalent to an access unit which accesses partitioned address space (i.e. access virtual disk in a virtualization area)), 
an extraction unit for extracting data used for booting from the virtual disk, wherein the data used for booting includes a plurality of files used for booting the virtual machine and data about a sequence in which the plurality of files are loaded (“This includes recording a sequence of instructions executed by the TCB 70 during a boot sequence, as shown at step 301 Recording the sequence of instructions involves observing, from a trusted platform module 72 (TPM) in communication with a hardware bus 91 in the TCB 60, instructions sent over the hardware bus 91 during the boot sequence, as shown at step 302.” –e.g. see, col. 7, lines 61-67; herein boot sequence is executed (i.e. data for booting is extracted)); and 
a verification unit for extracting a trusted boot image from image storage, wherein the trusted boot image includes a plurality of files used for booting and data about a sequence in which the plurality of files are loaded, and verifying integrity of the data used for booting by comparing the plurality of files of the trusted boot image with the plurality of files of the data used for booting, and if the files of the data used for booting are identical to the files of the trusted image based on the comparison, then the integrity of the data is verfied (“The TPM 70 computes a hash value on the sequence of instructions executed during the boot sequence, as depicted at step 303. An uncorrupted boot sequence should repeatedly execute the same instruction sequence. Thus, gathering the values of the instructions by observing the bus 91 should result in the same value on each successive reboot. A deviation from this value indicates possible corruption. A hash 90 computed on the observed boot sequence is validated against a known uncorrupted hash to establish that a trusted (uncorrupted) boot sequence has been executed.” –e.g. see, col. 8, lines 1-10; herein the trusted boot sequence is equivalent to the “trusted boot image” which is compared with the observed boot sequence (i.e. compared with the data used for 
Mao may not explicitly disclose but Bealkowski discloses controlling input and output of data stored in the virtual disk using a trap generated by a trap generation unit (“the hypervisor 310 “traps” the firmware service API calls from the bare metal operating system 360. Any input/output operations that are necessary to perform the bootstrap operation for booting the bare metal operating system 360, as a consequence of the firmware services API calls from the bare metal operating system 360 which are intercepted by the hypervisor 310, are performed by the hypervisor device drivers in the hypervisor device driver stack 320.” –e.g. see, [0051], see also, [0052]), wherein the access unit accesses the virtual disk using an access privilege that has a higher level than an access privilege with which the virtual machine is allowed to access the virtual disk (Bealkowski: “..the hypervisor 102 may be responsible for both sharing of hardware resources and the enforcement of control rules based on the available hardware resources. In this example, the hypervisor 102 is a Type 1 hypervisor, and thus runs in supervisor mode or privileged mode on "bare metal".” –e.g. see, Bealkowski: [0039]);.
Therefore, it would have been obvious to one of ordinary skill in the art before the filling date of the invention was made to modify the teaching of Mao as taught by Bealkowski in order to securely monitor input output calls and to provide a secure mechanism to access virtual disk through a virtual BIOS layer.
wherein the verification unit verifies the integrity by checking whether the data about the sequence in which the files are loaded is identical to data about a loading sequence, stored in the trusted boot image, through comparison (“Initially, TPM circuit 20 receives a notification that a boot sequence for device 2 has been initiated (200). TPM circuit 20 addresses the notification by initiating a process for verifying the integrity of the boot sequence components of device 2 (202). To begin the process, TPM circuit 20 identifies the next boot component in the boot sequence that is to be loaded into operating memory 36 by device 2 (204). TPM circuit 20 then performs a cryptographic hash of the identified component to produce a corresponding TPM value (206). In order to determine whether the boot component is corrupt, infection detection circuit 22 compares the computed TPM value with a set of trusted TPM values 26 (208).” –e.g. see, Hanna: [0068], see also, Fig. 5A, 5B, [0069], [0070]),
a boot image restoration unit for determining whether the data used for booting has been forged based on a result of verifying the integrity, and restoring the data used for booting using the trusted boot image stored in the image storage when it is determined that the data used for booting has been forged (“If, however, the TPM value is not found within the set of trusted TPM values 26, the boot component is corrupt and is replaced using a corresponding trusted boot component from a trusted repository (212). TPM circuit 20 obtains the trusted boot component from a trusted repository which, in the example of FIG. 5B, is either a dedicated memory or storage medium for device 2, such as trusted boot component storage 40, or a network device that configured to provide trusted boot components, such as trusted boot 
Therefore, it would have been obvious to one of ordinary skill in the art before the filling date of the invention was made to modify the teaching of Mao and Bealkowski as taught by Hanna in order to decrease the likelihood that the entire operating system of the device as well as other non-infected boot components will require reinstallation. 
The combination of Mao, Bealkowski and Hanna further disclose a memory for storing information associated with the access unit, the extraction unit, the verification unit, and the boot image restoration unit (Mao: Fig. 3, col. 2, lines 16-30; Hanna: Fig. 2), and 
a hardware processor for processing and executing the information associated with the access unit, the extraction unit, the verification unit, and the boot image restoration unit (Mao: Fig. 3, col. 2, lines 16-30; Hanna: Fig. 2).
Wherein at least the access unit, the trap generation unit, the extraction unit, and the verification unit form part of a hypervisor or virtualization host area (Bealkowski: [0039], Mao: Fig. 3, col. 2, lines 16-30; Hanna: Fig. 2).

As to claim 11, it is rejected using the similar rationale as for the rejection of claim 1.
the hypervisor 310 “traps” the firmware service API calls from the bare metal operating system 360. Any input/output operations that are necessary to perform the bootstrap operation for booting the bare metal operating system 360, as a consequence of the firmware services API calls from the bare metal operating system 360 which are intercepted by the hypervisor 310, are performed by the hypervisor device drivers in the hypervisor device driver stack 320.” –e.g. see, Bealkowski: [0051], see also, [0052]). 
As to claim 12, the combination of Mao and Bealkowski disclose wherein accessing the virtual disk is configured to: generate the trap when the virtual machine boots; and interrupt an operation of the virtual machine using the trap and access the virtual disk (Bealkowski: “the hypervisor 310 “traps” the firmware service API calls from the bare metal operating system 360. Any input/output operations that are necessary to perform the bootstrap operation for booting the bare metal operating system 360, as a consequence of the firmware services API calls from the bare metal operating system 360 which are intercepted by the hypervisor 310, are performed by the hypervisor device drivers in the hypervisor device driver stack 320.” –e.g. see, Bealkowski: [0051], see also, [0052]). 
As to claim 4, the combination of Mao and Bealkowski disclose wherein the access unit accesses the virtual disk using an access privilege that is used by any one of a hypervisor corresponding to the virtual machine and a virtualization host the hypervisor 102 is a Type 1 hypervisor, and thus runs in supervisor mode or privileged mode on "bare metal".” –e.g. see, Bealkowski: [0039]). 
As to claim 14, it is rejected using the similar rationale as for the rejection of claim 4.
As to claim 17, the combination of Mao, Bealkowski and Hanna disclose wherein verifying the integrity is configured to verify the integrity by checking whether the data about the sequence in which the files are loaded is identical to data about a loading sequence, stored in the trusted boot image, through comparison (Hanna: Fig. 5A, 5B, [0068] –[0071]).

As to claim 9, the combination of Mao, Bealkowski and Hanna disclose wherein the image storage updates the trusted boot image using update information that includes a list of boot components updated in the virtual machine (Hanna: Fig. 5A, 5B, [0068] –[0071]). 
As to claim 19, it is rejected using the similar rationale as for the rejection of claim 9.

As to claim 20, it is rejected using the similar rationale as for the rejection of claim 10.

Response to Arguments
Applicant's arguments filed 01/08/2021 have been fully considered but they are not persuasive. 

Applicant argues in page 9 of the remark regarding independent claims that: “In contrast, amended claim 1 recites that the access unit that forms part of the hypervisor 
area has a privilege higher than the virtual disk area, which is separate than the hypervisor. The Mao reference, in contrast, teaches away from this privilege hierarchy by teaching that the hypervisor has the same privilege or access rights as the virtualization disk area. In further contrast, amended claim 1 recites that the access unit, trap generation unit, extraction unit and verification unit form part of the hypervisor. However, as noted above, Mao9 Application No.: 15/069,094 Docket No.: HY7-106RCE2specifically teaches providing the extraction unit and the verification unit in the TCB 70, which is separate than or from the hypervisor (ATCB 80).”
the hypervisor 310 “traps” the firmware service API calls from the bare metal operating system 360. Any input/output operations that are necessary to perform the bootstrap operation for booting the bare metal operating system 360, as a consequence of the firmware services API calls from the bare metal operating system 360 which are intercepted by the hypervisor 310, are performed by the hypervisor device drivers in the hypervisor device driver stack 320.” –e.g. see, [0051], see also, [0052]). Thus, Bealkowski can be combined with Mao to run a hypervisor on top of Mao’s invention to control input and output unit and verifying booting image at run time. Furthermore, Hanna discloses a separate TPM circuit which performs a trusted boot verification (e.g. see, Hanna: [0068]). 


	Applicant argues on page 10 of the remark that: “Mao does not teach providing a completely separate trusted boot image with a value that is then compared to subsequent booting sequence hashes. The Bealkowski reference suffers from similar deficiencies.”
	Examiner respectfully disagrees with the Applicant’s argument and would like to point out that Examiner has cited Hanna which teaches separate trusted boot image that is used to compare the boot components and sequence as part of TPM circuit 20 TPM circuit 20 receives a notification that a boot sequence for device 2 has been initiated (200). TPM circuit 20 addresses the notification by initiating a process for verifying the integrity of the boot sequence components of device 2 (202). To begin the process, TPM circuit 20 identifies the next boot component in the boot sequence that is to be loaded into operating memory 36 by device 2 (204). TPM circuit 20 then performs a cryptographic hash of the identified component to produce a corresponding TPM value (206). In order to determine whether the boot component is corrupt, infection detection circuit 22 compares the computed TPM value with a set of trusted TPM values 26 (208).” –e.g. see, [0068]). 


	Applicant argues on page 11 of the remark that: “In contrast, amended claim 1 recites that the trusted boot image includes a plurality of files used for booting and data about a sequence in which the plurality of files are loaded, and the verification unit verifies the integrity by checking whether the data about the sequence in which the plurality of files are loaded is identical to data about a loading sequence of the files, stored in the trusted boot image. Claim 1 recites that the sequence in the image is compared with the booting sequence being performed. Hanna, on the other hand, simply takes each boot component, hashes the single boot component, and then analyzes the single component to determine if an infection exists. Hanna does not employ the entire boot image to determine if an infection exists.”
TPM circuit 20 then performs a cryptographic hash of the identified component to produce a corresponding TPM value (206). In order to determine whether the boot component is corrupt, infection detection circuit 22 compares the computed TPM value with a set of trusted TPM values 26 (208).” –e.g. see, [0068]). Thus, reads on Applicant’s claimed invention. Furthermore, primary art, Mao teaches validating observed boot sequence against a known uncorrupted hash (Mao: col. 8, lines 1-10).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256.  The examiner can normally be reached on Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495           

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495