Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
	This office action is in response to an amendment application received on 12/03/2020. In the amendment, applicant has amended dependent claims 3, 8, 14 and 20. Claims 1-2, 4-7, 9-13 and 15-19 remain original. No claim has been cancelled and no new claim has been introduced. 
	For this office action, claims 1-20 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejection under 35 U.S.C. § 103
Applicant’s arguments, filed 12/03/2020, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon review of the explanation of the claim language as per the submitted remarks, claims are rejected under a new grounds of rejection. Consequently, examiner is sending a 2nd Non-Final Rejection because applicant did not amend the independent claims.
 	

Notice Regarding Figure 5
Applicant is hereby provided notice that their Figure 5 and its description in applicant’s specification is utter technological non-sense and would have no understanding by a person of ordinary skill in the art.  Any incorporation by Figure 5, or its associated specification description, into any claim will result in a 112a rejection for being utter non-sense.  
Figure 5 depicts a “VM” noted as 508 as some magical entity outside of “Host” 510.  As notorious within the art, a “Host” in a virtual machine environment is the hardware that hosts the virtual machine.  It’s unclear what definition applicant is attempting to afford the concept of a “Host”.  Furthermore, applicant has combined CPU 514 in a block diagram of the “Host” with software-implemented constructs such as “hypervisor”, “application(s)”, and “OS”, which would necessarily be stored in memory such as RAM, or perhaps a CPU cache.  Then there is a random box labeled “Hardware” 506 that is apparently external to both the “Host” and “VM”.  Except, as a matter of fact, the Host comprises the hardware that stores and executes the virtual machine.  Is there some hardware within the physical computer that applicant is not considering the “Host”?  If so, the spec doesn’t afford any special definition to the term “host”.  Consistent with what is known in the art, applicant’s specification describes a “host” as:  “A computer on which a hypervisor manages/runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.”   (Applicant’s specification: [0045], [0061]); “a host computer 510” (Applicant’s specification: [0068]), “…which avoids routing the interrupt through the host computer 510” (0068).  The VM is necessarily stored in a memory of the host computing device, i.e., its hardware, and i.e., the claimed “enclave”) without routing the interrupt through the hardware that is hosting the virtual machine.  Applicant admits this in reference to Figure 6, which is not utter non-sense and, rather, completely sensical.  “In the context of an enclave/micro-enclave environment as disclosed herein, e.g., with respect to Fig. 1, the enclave and nested micro-enclave are a portion of memory 28 in the system of Fig. 6”.  Applicant states in their specification that the interrupt is routed directly to the enclave and “bypassing the CPU”.  The examiner recommends the applicant adopt this language (0049).  Furthermore, for purposes of further examination, the examiner will interpret “host” in the context of claim 3 as this.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claim 3 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.

Applicant fails to have possession of the claim limitation “further comprising routing an interrupt directly to the enclave, wherein the routing avoids routing the interrupt through at least one of a corresponding host …”.  The examiner finds that Applicant fails to have possession of routing an interrupt to a virtual machine stored in a host computer without routing the interrupt through the host computer.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4, 6-7, 9-10, 12-13, 15-16 and 18-19  rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of Mummidi et al., (US20180088804A1).
Regarding claims 1, 9 and 15, Mummidi discloses:
A computer-implemented process for secure memory sharing between enclaves and virtual input/output adapters, the computer-implemented process comprising:
Enclave: Controller VM / a second virtualized computer (i.e. FIG. 2; 206)
Managed memory space: user VM / a first virtualized computer (i.e. FIG.2; 208)
Virtual I/O adapter: iSCSI adapter (i.e. FIG. 2; vDisk iSCSI Adapter 222)
i) having a virtual input/output adapter associated with the enclave (See FIG. 2 which depicts vDisk iSCSI Adapter attached to Controller VM 206; also see [0043]);

ii) creating (i.e. instantiate) a managed memory space (See FIG. 2; [0032] The hypervisor 204 is configured to support/instantiate one or more virtual machines, such as user VM 208 and controller VM 206);
iii) having a key by a memory encryption engine (i.e. DEK 224) for the virtual input/output adapter for use by only the virtual input/output adapter (See FIG. 2; [0038] As illustrated in FIG. 2, in some embodiments, the DEK 224 is stored within a vDisk iSCSI adapter 222);
iv) in response to a request to obtain data, exchanging the key with the managed memory space (See FIG. 2; discloses an exchange of Key encryption key (KEK) and Decryption key (DEK) for communication between the controller VM and User VM; see [0036] for details; also see FIG. 4 a; [0052] Referring to FIG. 4a , at 402 a, a first virtualized computer, such as a user VM, may initiate an IPsec session with a second virtualized computer, such as a controller VM. At 404, the first virtualized computer sends a network communication (such as an iSCSI request) including an authentication key, e.g., a KEK via the IPsec session);
v) in response to receiving the key, decrypting data of only the managed memory space associated with the virtual input/output adapter to obtain the data (FIG. 4 a; [0053] At 410, the second virtualized computer may authenticate the KEK, for example, by trying to decrypt the second key, the DEK, using the KEK; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation); and
vi) sending the data to the virtual input/output adapter (FIG. 4 a; [0053] At 414 a, if the KEK is valid, then the KEK may be used to decrypt the DEK. The DEK may be used to encrypt/decrypt the network communication; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation).
Because Bunch’s managed memory spaces are implemented as VMs (as opposed to isolated memory spaces comprising only data), and the VMs are the entity issuing the write/read requests,
Bunch does not disclose:
creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of 
However, Mummidi discloses:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter ([0014] For example, if peripheral device 120 is connected to host 110 via peripheral component interconnect express (PCIe), then a virtual interface may be created by utilizing single root input/output virtualization (SR-IOV) to create a virtual function that mirrors the interface that would be exposed by a controller for non-volatile storage devices 130);
wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter ([0032] the control interface 410 for the peripheral device performs 412 the partitioning and formatting of the storage partition according to the configuration request 402 and then attaches or binds the storage partition to a virtual interface that has been launched/created/instantiated for the new storage partition (e.g., virtual interface 432 bound 440 to storage partition 422));
wherein a key is generated ([0034] encryption configuration request 406 may provide a key for one virtual interface, such as virtual interface 434);
wherein the request to obtain data from the enclave is by the virtual input/output adapter (Fig. 6; step 676, [0041] provides for the adapter requesting to read data from the storage device);
wherein the data of the managed memory space is within memory (Fig 6; [0041] The I/O submission entry may indicate the request to read encrypted read data 642 from storage partition 660 in non-volatile storage device 650. The controller may then write 680 data 642 from storage partition 660 to a location in data buffer 635);
wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter (Fig 6, step 680; [0041] provides data is sent from storage partition 660 to virtual I/O adapter).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch reference and create encrypted virtual I/O adapter along with the creation of virtual machine instance, as disclosed by Mummidi.
The motivation to create encrypted virtual I/O adapter along with the creation of virtual machine instance is to provide encryption on per-virtual interface basis for each virtual machine instance. 
Regarding claim 9, it is a non-transitory storage medium readable claim and recites the same concept as claim 1 and therefore rejected on same grounds. 
Regarding claim 15, it is a system claim and recites the same concept as claim 1 and therefore rejected on same grounds. 
Regarding claims 2, 10 and 16, the combination of Bunch and Mummidi discloses:
	The computer-implemented process of claim 1, wherein the computer-implemented process is performed concurrently for a plurality of non-sharable micro-enclaves and a corresponding plurality of virtual input/output adapters (Mummidi: See FIG. 4; [0031-0032]).
10, it is a non-transitory storage medium readable claim and recites the same concept as claim 2 and therefore rejected on same grounds. 
Regarding claim 16, it is a system claim and recites the same concept as claim 2 and therefore rejected on same grounds. 
Regarding claim 4, the combination of Bunch and Mummidi discloses:
The computer-implemented process of claim 1, wherein sending the data comprises using direct memory access (Mummidi: See [0037]).
Regarding claim 6, the combination of Bunch and Mummidi discloses:
The computer-implemented process of claim 1, wherein sending the data comprises using single-root input/output virtualization (Mummidi: See [0014] & [0032]).
Regarding claims 7, 13 and 19, the combination of Bunch and Mummidi discloses:
The computer-implemented process of claim 1, further comprising attaching the virtual input/output adapter to the enclave at a time when creating the virtual input/output adapter (Mummidi: See [0032]).
Regarding claim 13, it is a non-transitory storage medium readable claim and recites the same concept as claim 7 and therefore rejected on same grounds. 
Regarding claim 19, it is a system claim and recites the same concept as claim 7 and therefore rejected on same grounds. 
Regarding claims 12 and 18, the combination of Bunch and Mummidi discloses:
Mummidi: See [0014] & [0032]).
Regarding claim 18, it is a system claim and recites the same concept as claim 12 and therefore rejected on same grounds.

Claims 3, 8, 11, 14, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of Mummidi et al., (US20180088804A1) and further in view of NPL Document “NPL_Doc_IBM-PowerSystems-Virtual-IO-Server” dated 2007, 2009 (https://www.ibm.com/support/knowledgecenter/POWER6/iphb1/iphb1.pdf?view=kc).
Regarding claim 3, 11 and 17, the combination of Bunch and Mummidi fails to disclose:
The computer-implemented process of claim 1, further comprising routing an interrupt directly to the one virtual I/O server (enclave), wherein the routing avoids routing the interrupt through at least one of a corresponding host (i.e. one virtual I/O server) and a corresponding hypervisor.
However, NPL Doc discloses:
	further comprising routing an interrupt directly to the one virtual I/O server (enclave), wherein the routing avoids routing the interrupt through at least one of a corresponding host (i.e. one virtual I/O server) and a corresponding hypervisor (See Page # 91-92 “Migrating the Virtual I/O Server” section ).

	The motivation to route Input/output interrupts without affecting the running host system is to prevent disruption in normal operation of the host system. 
Regarding claim 11, it is a non-transitory storage medium readable claim and recites the same concept as claim 3 and therefore rejected on same grounds. 
Regarding claim 17, it is a system claim and recites the same concept as claim 3 and therefore rejected on same grounds. 
Regarding claim 8, 14 and 20, the combination of Bunch and Mummidi discloses:
The computer-implemented process of claim 1, further comprising providing a system comprising a memory, the memory comprising the enclave (Mummidi: See [0016]).
The combination of Bunch and Mummidi fails to disclose:
attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system.
However, NPL Doc discloses:
See Page # 144; “Installing or replacing a PCI adapter with the system power on in Virtual I/O Server”; Also see Page # 145; “Installing a PCI adapter” & “Replacing a PCI Adapter”).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Bunch and Mummidi references and include hot plug operation for installing or replacing a PCI adapters, as disclosed by NPL Document.
	The motivation to include hot plug operation for installing or replacing a PCI adapters is to activate the PCI adapters without having to reboot the system.
	Regarding claim 14, it is a non-transitory storage medium readable claim and recites the same concept as claim 8 and therefore rejected on same grounds. 
Regarding claim 20, it is a system claim and recites the same concept as claim 8 and therefore rejected on same grounds.

Claim 5 rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of Mummidi et al., (US20180088804A1) and further in view of Axnix et al., (US9432183B1).
Regarding claim 5, the combination of Mummidi and Bunch fails to disclose:

However, Axnix discloses:
	wherein sending the data comprises using remote direct memory access (See FIGS. 1-3; Col. 3; Line # 32-49).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Mummidi and Bunch references and exchange data on the network through remote direct access memory (RDMA) technology, as disclosed by Axnix.
	The motivation to exchange data on the network through remote direct access memory (RDMA) technology is improve network throughput and performance by freeing up system resources. 

Conclusion                                                                                                                                                                                            Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018.  The examiner can normally be reached on 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Jeffrey Nickerson/
Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./
Patent Examiner, Art Unit 2432