Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/30/2020 has been entered.
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/15/2020 was filed after the mailing date of the Final Office action on 09/21/2020. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This office action is in response to a Request for Continued Examination (RCE) application received on 11/30/2020. In the RCE, applicant has amended claims 1, 3, 27, 30, 40 and 42-43. Claims 13-26 and 28 remain cancelled. Claims 2, 4-12, 29, 31-39 and 41 remain original. No additional claim has been cancelled and no new claim has been introduced.
For this office action, claims 1-12, 27 and 29-43 have been received for consideration and have been examined. 

Response to Arguments
Claim Rejections under 35 U.S.C. § 112
	Applicant’s amendments to independent claims in order to overcome the 112(b) rejection have been reviewed by the examiner and amendment appears to overcome the rejection. Therefore examiner has withdrawn this rejection. However, upon further consideration a different indefiniteness issue has been noticed by the examiner. See below office action for details.
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, filed 11/30/2020, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of new amendments to the independent claims.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claims 1-12, 27, 29-39, 40-41 and 42-43 are rejected under 35 U.S.C. 112(b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention.
Independent claims 1, 27, 40 and 42 last limitation recites “… which is selected via the client device from a gallery of a cloud service”. Examiner would like to note that there is a missing prior step of “selecting a template” before the template is selected by the client device selecting the template” it is unclear how the template is selected via the client device from a gallery of a cloud service. Related concern has been noticed in the other independent claims.
The dependent claims of the independent claims included in the statement of rejection but not specifically addressed in the body of the rejection, have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, dependent claims are also rejected based on the same rationale as applied to their parent claims above.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) because the claim limitations recites sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation is: first limitation in independent claim 42
“means for establishing a chain of trust from a trusted execution environment to a platform based at least in part on receipt of measurements of the trusted execution …”.
Because this claim limitation is not being interpreted under 35 U.S.C. 112(f), it is not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-12, 27 and 29-43 are rejected under 35 U.S.C. 103 as being unpatentable over Baumann et al., (US20130151846A1) in view of Poornachandran et al., (US20160350534A1) and further in view of Ferguson et al., (US20150319160A1).
Regarding claim 1, Baumann discloses:
A client device (i.e. computing system 200) comprising: 

establish a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched from a template (i.e. one or more application components to be executed), which is associated with an operating system  that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
	provision the trusted execution environment with information in absence of a secure channel (i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).

The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
	client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	client device selecting the virtual machine template from a gallery of a cloud service (See section “The Tenant Creating Shielded VMs Based on Templates”; [0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claims 2 and 29, the combination of Baumann, Poornachandran & Ferguson discloses:
	The client device of claim 1, wherein the one or more processors are configured to establish the chain of trust from the trusted execution environment to the platform by using a public key that corresponds to the platform signing key to verify that the measurements are signed with the platform signing key (Baumann: [0043-0044 & 0048-0049]).
Regarding claim 29, it is a method claim and recites the same concept as claim 2 and therefore rejected on same grounds.
Regarding claims 3 and 30, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the distributed computing system provides the cloud service; and
wherein the one or more processors are configured to perform the operations further comprising:
use cryptographic communications to exclude entities other than the client device from knowing the information and to exclude the other entities from manipulating the information, the other entities including a provider of the cloud service (Baumann: [0005]).
Regarding claim 30, it is a method claim and recites the same concept as claim 3 and therefore rejected on same grounds.
Regarding claims 4 and 31, the combination of Baumann, Poornachandran & Ferguson discloses:

securely provision the trusted execution environment with the information (Baumann: [0089-0090]).	
Regarding claim 31, it is a method claim and recites the same concept as claim 4 and therefore rejected on same grounds.
Regarding claims 5, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising:
provision the trusted execution environment with at least one policy in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0030]).
Regarding claim 32, it is a method claim and recites the same concept as claim 5 and therefore rejected on same grounds.
Regarding claims 6 and 33, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 5, wherein the one or more processors are configured to perform the operations comprising: provide an update regarding the at least one policy to the trusted execution environment; and wherein the update is signed with a policy update key, which corresponds to a public key that is usable by the trusted execution environment to verify that the update is provided by the client device (Poornachandran: [0058]).
33, it is a method claim and recites the same concept as claim 6 and therefore rejected on same grounds.
Regarding claims 7, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising:
provision the trusted execution environment with secret information in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust, the secret information including at least one of data, software code, or one or more keys (Poornachandran: [0026]).
Regarding claim 34, it is a method claim and recites the same concept as claim 7 and therefore rejected on same grounds.
Regarding claims 8 and 35, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 7, wherein the one or more processors are configured to perform the operations comprising:
encrypt the secret information with a secret import key that is received from the trusted execution environment, the secret import key corresponding to a private key that is usable by the trusted execution environment to decrypt the secret information (Poornachandran: [0028] & [0044]).
Regarding claim 35, it is a method claim and recites the same concept as claim 8 
Regarding claims 9 and 36, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 7, wherein the one or more processors are configured to perform the operations comprising: 
provision the trusted execution environment with at least one policy in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0026]); 
determine whether to provision the trusted execution environment with the secret information based at least in part on whether the client device receives confirmation from the trusted execution environment that the trusted execution environment has received the at least one policy from the client device (Baumann: [0089-0090]).
Regarding claim 36, it is a method claim and recites the same concept as claim 9 and therefore rejected on same grounds.
Regarding claims 10 and 37, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 9, wherein the confirmation includes the at least one policy (Poornachandran: [0058]).
Regarding claim 37, it is a method claim and recites the same concept as claim 10 and therefore rejected on same grounds.
Regarding claims 11 and 38, the combination of Baumann, Poornachandran & Ferguson discloses:

request auditing information from the trusted execution environment, the auditing information indicating a detected state of the trusted execution environment (Baumann: [0032 & 0057]); 
determine whether to provision the trusted execution environment with additional information based at least in part on whether the detected state and a reference state are same (Poornachandran:[0030]); and 
provision the trusted execution environment with the additional information in absence of the secure channel between the client device and the trusted execution environment to further customize the trusted execution environment with the additional information based at least in part on the detected state and the reference state being the same (Poornachandran: [0026]).
Regarding claim 38, it is a method claim and recites the same concept as claim 11 and therefore rejected on same grounds.
Regarding claims 12 and 39, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations further comprising: encrypt a public portion of a policy update key that is associated with the client device with a public portion of a provisioning encryption key, the policy update key having a private portion that is usable by the client device to sign an update regarding at least one policy that is to be provided to the trusted execution environment, the provisioning encryption key having a private portion that is associated with a plurality of trusted Poornachandran: [0044, 0046]).
Regarding claim 39, it is a method claim and recites the same concept as claim 12 and therefore rejected on same grounds.
Regarding claim 27, Baumann discloses:
A method performed using at least one processor of a client device, the method comprising:
establishing a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched i.e. one or more application components to be executed), which is associated with an operating system that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provisioning the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
	client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	client device selecting the virtual machine template from a gallery of a cloud service (See section “The Tenant Creating Shielded VMs Based on Templates”; [0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 40, Baumann discloses:
A computer program product comprising a computer-readable device having instructions recorded thereon for enabling a processor-based system to perform steps, the steps comprising:
establish a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
i.e. one or more application components to be executed), which is associated with an operating system that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
	provision the trusted execution environment with information in absence of a secure channel (i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
	client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	client device selecting the virtual machine template from a gallery of a cloud service (See section “The Tenant Creating Shielded VMs Based on Templates”; [0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 41, the combination of Baumann, Poornachandran & Ferguson discloses:
The computer program product of claim 40, wherein the steps comprise: provision the trusted execution environment with at least one policy in absence of the secure channel between the processor-based system and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0026]).
Regarding claim 42, Baumann discloses:
A client device comprising:
means for establishing a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched from a template (i.e. one or more application components to be executed), which is associated with an operating system that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:

However, Poornachandran discloses:
	means for provisioning the trusted execution environment with information in absence of a secure channel (i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
	client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	client device selecting the virtual machine template from a gallery of a cloud service (See section “The Tenant Creating Shielded VMs Based on Templates”; [0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 43, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 42, wherein the distributed computing system provides the cloud service; and wherein the client device further comprises: means for using cryptographic communications to exclude entities other than the client device from knowing the information and to exclude the other entities from manipulating the information, the other entities including a provider of the cloud service (Baumann: [0005]).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018.  The examiner can normally be reached on 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432