NON-FINAL REJECTION
DETAILED ACTION
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on April 13, 2021 has been entered.

Response to Amendment
	The Amendment filed April 13, 2021 has been entered. Claims 1, 3, and 5-11 remain pending in the application. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Status of Claims
Claims 1, 3, and 5-11 are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being unpatentable.
		
	Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3, and 5-11 are rejected under 35 U.S.C. 102(a)(1) and 35 U.S.C. 102(a)(2) as being anticipated by Hellwig et al. (US 2018/0113816).
Regarding claim 1, Hellwig et al. disclose: 
A data processing apparatus comprising: 
a memory protection setting storage ([0014] the physical memory, e.g., of a processor as a memory address space 11…The protected memory address space 11 is any region for storing data. In an embodiment, the memory address space refers to a memory as such and refers in a different embodiment to a register) storing a plurality of entries (FIG. 1 protected memory address space 11; [0016] The addresses of the memory address space 11 are associated with different address ranges 20), wherein each of the plurality of entries stores setting information for memory protection ([0033] A complete set of access permissions defined for the whole address space used, is called e.g. a protection set; FIG. 7 data register 7; [0046] Address ranges (defined at least by upper and lower boundaries) of the memory address space are mapped to access protection groups associated with different privilege levels (e.g. hypervisor, virtual machine, user0)), wherein the setting information for memory protection is set by 1) a virtual ([0037] an I/O privilege mode (Hypervisor); [0038]-[0040]) or 2) a virtual machine ([0040] A Level 1 (abbreviated as L1) controlled by the virtual machine (VM) task), wherein a sum of a number of entries storing the setting information for memory protection set by the virtual machine monitor and a number of entries storing the setting information for memory protection set by the virtual machine equates to a total number of the plurality of entries in the memory protection setting storage ([0052] address ranges with allowed interactions and mapped to access protection groups. The access protection groups are in one embodiment associated with different privilege levels like e.g. Hypervisor, Level 0 and Level 1 or Supervisor, User 1 and User 0. The access protection groups in the following are numbered, i.e. Group 0, Group 1, . . . Group x; FIG. 4 Ranges assigned to L0 and Ranges assigned to L1), and wherein the number of entries storing the setting information for memory protection set by the virtual machine monitor and the number of entries storing the setting information for memory protection set by the virtual machine are configured to dynamically change ([0046] the assignment is configurable); 
a plurality of first determination circuits provided for the entries in the memory protection setting storage, respectively, wherein each of the first determination circuits provisionally determines whether an access request is permitted based on the setting information for memory protection stored in one of the entries in the memory protection setting storage, wherein the one of the entries corresponds to an access destination address of the access request (FIG. 2 address evaluator 2; [0053] … the address evaluator 2 comprises a plurality of comparators that are configured to decide whether an address parameter refers to a address range or not; FIG. 3; [0060] The sequence starts with step 1001 by receiving an access request having address parameter and interaction parameter. In step 1002 the address parameter are compared with the address ranges of the set of address ranges. Thus, active address ranges are identified. In step 1003 the interaction parameter is compared with the kind of interaction associated with the active address ranges. The results of step 1002 and 1003, thus, indicate to which address range the access request 100 refers and whether the interaction intended by the access request 100 is allowed for these address ranges); and 
a second determination circuit that determines whether the access request is permitted based on 1) a result of provisional determination by each of the first determination circuits (FIG. 6 Valid Signals), 2) an access source information indicating the access request is an access by the virtual machine monitor (FIG. 6 Group0) or the virtual machine (FIG. 6 Group1), and 3) entry boundary information (FIG. 6 MPU Ranges) indicating the number of entries storing the setting information for memory protection set by the virtual machine monitor (FIG. 6 Group0) and the number of entries storing the setting information for memory protection set by the virtual machine (FIG. 6 Group1) in the memory protection setting storage (FIG. 6) (FIG. 2 address results combiner 3; [0060] In step 1004 the results concerning the different address ranges are combined with regard to the access protection groups to which the active address ranges are mapped. The results of address ranges belonging to the same access protection group are OR combined. In the following step 1005 the results of step 1004 are combined using an AND combination by combining the results concerning the active but different access protection groups. On the AND combination, the access grant result 101 is based indicating whether access is either granted or denied; [0083]-[0089]), 
wherein, for the access information indicating that the access request is the access by the virtual machine monitor (FIG. 6 Group0, Access Valid Signals from Groups), the second determination circuit permits the access request (FIG. 6 Access Valid 101), when any provisional ([0083] The Valid Signals are OR combined by the indicated address results combiner 3 if the respective address ranges are associated with the same access protection group. For example, if two address ranges are associated with Group0, then the Valid signals of the two address ranges are OR combined), and 
wherein, for the access information indicating that the access request is an access by the virtual machine (FIG. 6 Group1, Access Valid Signals from Groups), the second determination circuit is configured to permit the access request (FIG. 6 Access Valid 101), when any provisional determination result indicates that the access destination address of the access request corresponds to the entry for memory protection set by the virtual machine ([0083] The Valid Signals are OR combined by the indicated address results combiner 3 if the respective address ranges are associated with the same access protection group. For example, if two address ranges are associated with Group0, then the Valid signals of the two address ranges are OR combined), and when any provisional determination result indicates that the access destination address of the access request corresponds to the entry for memory protection set by the virtual machine monitor ([0088] The valid signals from the different groups--i.e. the results of the OR combinations--are combined with an AND combination. The combination refers to valid signals which deal with address ranges affected by the access request 100. Hence, if the access request 100 aims at an address that is associated with two different access protection groups, than the Valid signals of these two groups are AND combined. The result of the AND combination gives information about whether access of the access request is valid or not. This information is output via the output 101).
Regarding claim 3, Hellwig et al. further disclose: 
The data processing apparatus according to claim 1, wherein the memory protection setting storage further stores attribute information which is information about an attribute of the access request in association with the corresponding entry, and 
wherein each of the first determination circuits provisionally determines whether the access request is permitted based on determining that the access destination address of the access request corresponds to the entry and that an attribute of the access request matches the attribute information ([0022]-[0027]; FIG. 6).
Regarding claim 5, Hellwig et al. further disclose: 
The data processing apparatus according to claim 1, further comprising a memory protection setting writing control circuit that controls writing to the memory protection setting storage based on an address specifying a writing target of the memory protection setting storage, the entry boundary information, and write source information indicating that the writing is performed by the virtual machine monitor ([0037]-[0040]; FIG. 6).
Regarding claim 6, Hellwig et al. further disclose: 
The data processing apparatus according to claim 1, further comprising: 
an entry boundary information storage storing the entry boundary information (FIG. 6); and 
an entry boundary information writing control circuit which controls writing to the entry boundary information storage based on an address specifying a writing target of the entry boundary information storage and write source information indicating whether or not the writing is performed by the virtual machine monitor ([0037]-[0040]; FIG. 6).
Regarding claim 7, Hellwig et al. further disclose: 
([0032]; FIG. 6).
Regarding claim 8, Hellwig et al. further disclose: 
The data processing apparatus according to claim 1, further comprising a sequencer which saves information stored in the memory protection setting storage to a memory and restores the information saved in the memory to the memory protection setting storage (FIG. 1 protected memory address space 11; [0014] The protected memory address space 11 is any region for storing data).
Regarding claim 9, Hellwig et al. further disclose:
The data processing apparatus according to claim 1, wherein each of the entries in the memory protection setting storage indicates an address section in which an access request is permitted ([0037]-[0040]).
Regarding claim 10, Hellwig et al. further disclose: 
The data processing apparatus according to claim 1, wherein each of the entries in the memory protection setting storage indicates an address section in which an access request is prohibited ([0037]-[0040]).
Regarding claim 11, Hellwig et al. disclose: 
A memory protection method comprising: 
storing, in a memory protection setting storage ([0014] the physical memory, e.g., of a processor as a memory address space 11…The protected memory address space 11 is any region for storing data. In an embodiment, the memory address space refers to a memory as such and refers in a different embodiment to a register), a plurality of entries, wherein each of the plurality ([0033] A complete set of access permissions defined for the whole address space used, is called e.g. a protection set; FIG. 7 data register 7; [0046] Address ranges (defined at least by upper and lower boundaries) of the memory address space are mapped to access protection groups associated with different privilege levels (e.g. hypervisor, virtual machine, user0)), wherein the setting information for memory protection is set by 1) a virtual machine monitor ([0037] an I/O privilege mode (Hypervisor); [0038]-[0040]) or 2) a virtual machine ([0040] A Level 1 (abbreviated as L1) controlled by the virtual machine (VM) task), wherein a sum of a number of entries storing the setting information for memory protection set by the virtual machine monitor and a number of entries storing the setting information for memory protection set by the virtual machine equates to a total number of the plurality of entries in the memory protection setting storage ([0052] address ranges with allowed interactions and mapped to access protection groups. The access protection groups are in one embodiment associated with different privilege levels like e.g. Hypervisor, Level 0 and Level 1 or Supervisor, User 1 and User 0. The access protection groups in the following are numbered, i.e. Group 0, Group 1, . . . Group x; FIG. 4 Ranges assigned to L0 and Ranges assigned to L1), and wherein the number of entries storing the setting information for memory protection set by the virtual machine monitor and the number of entries storing the setting information for memory protection set by the virtual machine are configured to dynamically change ([0046] the assignment is configurable); 
provisionally determining whether an access request is permitted based on the setting information for memory protection stored in one of the entries in the memory protection setting storage, wherein the one of the entries corresponds to an access destination address of the access request (FIG. 2 address evaluator 2; [0053] … the address evaluator 2 comprises a plurality of comparators that are configured to decide whether an address parameter refers to a address range or not; FIG. 3; [0060] The sequence starts with step 1001 by receiving an access request having address parameter and interaction parameter. In step 1002 the address parameter are compared with the address ranges of the set of address ranges. Thus, active address ranges are identified. In step 1003 the interaction parameter is compared with the kind of interaction associated with the active address ranges. The results of step 1002 and 1003, thus, indicate to which address range the access request 100 refers and whether the interaction intended by the access request 100 is allowed for these address ranges);; and 
determining whether the access request is permitted based on 1)_a result of the provisional determination (FIG. 6 Valid Signals), 2) an access source information indicating the access request is an access by the virtual machine monitor (FIG. 6 Group0) or the virtual machine (FIG. 6 Group1), and 3) entry boundary information (FIG. 6 MPU Ranges) indicating the number of entries storing the setting information for memory protection set by the virtual machine monitor and the number of entries storing the setting information for memory protection set by the virtual machine in the memory protection setting storage (FIG. 6) (FIG. 2 address results combiner 3; [0060] In step 1004 the results concerning the different address ranges are combined with regard to the access protection groups to which the active address ranges are mapped. The results of address ranges belonging to the same access protection group are OR combined. In the following step 1005 the results of step 1004 are combined using an AND combination by combining the results concerning the active but different access protection groups. On the AND combination, the access grant result 101 is based indicating whether access is either granted or denied; [0083]-[0089]), 
(FIG. 6 Group0, Access Valid Signals from Groups), the access request is permitted (FIG. 6 Access Valid 101), when any provisional determination result indicates that the access destination address of the access request corresponds to the entry for memory protection set by the virtual machine monitor ([0083] The Valid Signals are OR combined by the indicated address results combiner 3 if the respective address ranges are associated with the same access protection group. For example, if two address ranges are associated with Group0, then the Valid signals of the two address ranges are OR combined), and 
wherein, for the access information indicating that the access request is an access by the virtual machine (FIG. 6 Group1, Access Valid Signals from Groups), the access request is permitted (FIG. 6 Access Valid 101), when any provisional determination result indicates that the access destination address of the access request corresponds to the entry for memory protection set by the virtual machine ([0083] The Valid Signals are OR combined by the indicated address results combiner 3 if the respective address ranges are associated with the same access protection group. For example, if two address ranges are associated with Group0, then the Valid signals of the two address ranges are OR combined), and when any provisional determination result indicates that the access destination address of the access request corresponds to the entry for memory protection set by the virtual machine monitor ([0088] The valid signals from the different groups--i.e. the results of the OR combinations--are combined with an AND combination. The combination refers to valid signals which deal with address ranges affected by the access request 100. Hence, if the access request 100 aims at an address that is associated with two different access protection groups, than the Valid signals of these two groups are AND combined. The result of the AND combination gives information about whether access of the access request is valid or not. This information is output via the output 101).

Response to Arguments
Applicant's arguments filed April 13, 2021 have been fully considered but they are not persuasive. 
Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
Applicant's arguments do not comply with 37 CFR 1.111(c) because they do not clearly point out the patentable novelty which he or she thinks the claims present in view of the state of the art disclosed by the references cited or the objections made. Further, they do not show how the amendments avoid such references or objections.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRACY A WARREN whose telephone number is (571)270-7288.  The examiner can normally be reached on M-Th 7:30am-5pm, Alternate F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRACY A WARREN/Primary Examiner, Art Unit 2137