DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Objections
1.	Claims 11, 19 are objected to because of the following informalities:  an “ioctl” operation are in abbreviation , it needed to  spell the words out.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
2.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

2.	Claim(s) 1-21 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Abgrall et al. (Pub. No. US2003/0037237)
	As per claim 1, Abgrall discloses a system comprising at least one processing unit (fig.1, i.e., 12) , wherein: the system further comprises at least one tangible non-transitory computer-readable storage medium (fig.1, i.e., 11)  comprising first processor-executable instructions and second processor-(fig.1, paragraph 55-56, i.e., The protected non-volatile memory 11 is used to store the secret master key.  The BIOS system initialization module 12 is responsible for securely transferring the secret master key from non-volatile memory 11 into SMRAM 13, a protected memory region that is only addressable from System Management Mode accessed from the normal mode of operation of the system via a System Management Interrupt (SMI).)
the first processor-executable instructions are executable by the at least one processing unit to cause the at least one processing unit to perform first operations comprising: (paragraph 11, i.e., a system initialization process that reads the master key from the non-volatile storage during a system initialization process, writes a sensitive value derived from the master key to a hidden storage location, and disables access to the non-volatile storage by any program running in the system until the next start of system initialization process.)
instantiating an interface associated with a service routine;  (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)
receiving, by the service routine, a verification message;  and (paragraph 158, i.e., verify that 
the server signed a message, since the server is the only one who knows the matching private key.  The secret master keys are unique to each device and known only to that device and the server. )
sending, in response, a confirmation message via the interface;  and (paragraph 470, i.e., it verifies the application has been authorized and save the application information in the registered application table the OSD maintains. requests an AppKey from the application registration module and store it, creates an AppContainer and send to Client device, provides a user interface (UI) to manipulate AppContainers (Create, Edit, Seal and Unseal) through a UI as further cited in paragraph 70)
(paragraph 447, i.e., the operating system driver's interface with the system kernel and interface with the security BIOS. The user-mode applications can call to get OSD security services.)
locating the interface;  (paragraph 448, i.e., the system I/O manager makes an I/O request to a 
device driver by creating an I/O Request Packet (IRP) and sending it down to the device driver.  OSD security services can be invoked by sending DEVICE_IO_CONTROL IRP.  Each handler routine for a Device_I/O_Control code provides a specific function.)
opening a handle to the interface;  (paragraph 448-449, i.e., The handler routine registers the 
application with the operating system driver and calls BIOS routines.)
sending the verification message via the handle, the verification message identifying at least an interface type or a version (paragraph 19, 148-149,  i.e., sending identifying information and at least a portion of the resealed AppContainer to the authentication server, and wherein at least part of the resealing operation takes place during an SMI on the same CPU that executes the code of the application.  All containers have a common 4-byte header that includes an opcode byte (command or message type), a format byte, and a length word (16-bit) of the following content.  The format byte indicates which of the four types of containers is present so the low-level routines know what kind of cryptographic operations needs to be performed.);  and 
receiving, via the handle, the confirmation message associated with the verification message. (paragraph 448-456, i.e., The handler routine verifies the RAS digital signature of a data block. The handler routine verifies if a container is really signed by an authorized server and calls BIOS routines.)
 

determining that the command is a valid command based at least in part on stored command data associated with the interface;  and (paragraph 182, i.e., All containers have a common 4-byte header that includes an opcode byte (command or message type), a format byte, and a length word (16-bit) of the following content.  The format byte indicates which of the four types of containers is present so the low-level routines know what kind of cryptographic operations needs to be performed.)
sending, via the interface, a response to the command;  and (paragraph 470, i.e., it verifies the application has been authorized and save the application information in the registered application table the OSD maintains.)
the second operations further comprise: sending, via the handle, the command;  and receiving, via the handle, the response to the command. (paragraph 19, i.e., sending identifying information and at least a portion of the resealed AppContainer to the authentication server, and wherein at least part of the resealing operation takes place during an SMI on the same CPU that executes the code of the application.)
 
As per claim 3, Abgrall discloses the second operations further comprising: 
determining that the interface is not available;  and subsequently, awaiting availability of the interface. (paragraph 182, i.e., A method for authenticating an identified application on an identified device, or for providing a second factor for identifying a user of the identified device to another computing machine comprising a PASS server.  The method comprises an application that a) performs an enrollment method involving communication with a device authority and an authentication server to 
 
As per claim 4, Abgrall discloses wherein: the first processor-executable instructions are associated with a first driver;  the second processor-executable instructions are associated with a second driver;  and at least one of the first driver and the second driver is a Plug and Play (PnP) driver. (fig.1, paragraph 55-56, i.e., The protected non-volatile memory 11 is used to store the secret master key.  The BIOS system initialization module 12 is responsible for securely transferring the secret master key from non-volatile memory 11 into SMRAM 13, a protected memory region that is only addressable from System Management Mode accessed from the normal mode of operation of the system via a System Management Interrupt (SMI).)
 
As per claim 5, Abgrall discloses a computer-implemented method comprising: 
locating an interface;  (paragraph 448, i.e., the system I/O manager makes an I/O request to a device driver by creating an I/O Request Packet (IRP) and sending it down to the device driver.  OSD security services can be invoked by sending DEVICE_IO_CONTROL IRP.  Each handler routine for a Device_I/O_Control code provides a specific function.)
opening a handle to the interface;  (paragraph 448-449, i.e., The handler routine registers the 
application with the operating system driver and calls BIOS routines.)
sending a verification message via the handle, the verification message comprising at least an interface type or a version;  and (paragraph 19, 148-149,  i.e., sending identifying information and at least a portion of the resealed AppContainer to the authentication server, and wherein at least part of the resealing operation takes place during an SMI on the same CPU that executes the code of the application.  All containers have a common 4-byte header that includes an opcode byte (command or 
receiving, via the handle, a confirmation message associated with the verification message. (paragraph 448-456, i.e., The handler routine verifies the RAS digital signature of a data block. The handler routine verifies if a container is really signed by an authorized server and calls BIOS routines.)
 
As per claim 6, Abgrall discloses the locating comprising: determining that the interface is not available;  and subsequently, awaiting availability of the interface. (paragraph 182, i.e., A method for authenticating an identified application on an identified device, or for providing a second factor for identifying a user of the identified device to another computing machine comprising a PASS server.  The method comprises an application that a) performs an enrollment method involving communication with a device authority and an authentication server to create an AppContainer on the device, wherein the AppContainer is a data structure that is cryptographically associated with the application as further cited in paragraph 19)

As per claim 7, Abgrall discloses the awaiting comprising at least: awaiting, in a user mode, a WM DEVICECHANGE message;  or awaiting, in a kernel mode, a call to a registered notification callback. (paragraph 431-434, i.e., The operating system driver (OSD) is one of the core components of the system 10.  It is a kernel mode driver that is dynamically loaded into the system.  Its upper edge provides the security services to the security application.  Its lower edge interfaces with the security BIOS that provides the low-level security functionalities.)
 

 
As per claim 9, Abgrall discloses wherein: 
the locating is performed by an interaction thread;  (paragraph 98-99, i.e., The authentication server presents two user interfaces (AppKeys log and AppContainers) that allow the user to perform various tasks.) 
the interaction thread runs in a mode selected from the group consisting of a user mode and a kernel mode;  and (paragraph 431-434, i.e., The operating system driver (OSD) is one of the core components of the system 10.  It is a kernel mode driver that is dynamically loaded into the system.  Its upper edge provides the security services to the security application.  Its lower edge interfaces with the security BIOS that provides the low-level security functionalities.)
the locating comprises enumerating active device instances associated with a predetermined interface identifier at least partly by calling an enumeration routine associated with the mode of the interaction thread. (paragraph 98-99, i.e., The authentication server presents two user interfaces (AppKeys log and AppContainers) that allow the user to perform various tasks.)
 

 
As per claim 11, Abgrall discloses  wherein: the interface supports an ioctl operation;  and the method further comprises sending the verification message via the ioctl operation. (paragraph 448, i.e., the system I/O manager makes an I/O request to a device driver by creating an I/O Request Packet (IRP) and sending it down to the device driver.  OSD security services can be invoked by sending DEVICE_IO_CONTROL IRP.  Each handler routine for a Device_I/O_Control code provides a specific function.)

 
As per claim 12, Abgrall discloses  wherein: the sending is performed by an interaction thread running in a kernel mode; (paragraph 431-434, i.e., The operating system driver (OSD) is one of the core components of the system 10.  It is a kernel mode driver that is dynamically loaded into the system.  Its upper edge provides the security services to the security application.  Its lower edge interfaces with the security BIOS that provides the low-level security functionalities.) the interface supports a query-functions operation;  (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)the method comprises retrieving from the interface, using the query-functions operation, a reference to a routine;  and the method further comprises sending the verification message by invoking the routine. (paragraph 448-456, i.e., The handler routine verifies the RAS digital signature of a data block. The handler routine verifies if a container is really signed by an authorized server and calls BIOS routines.)
 
As per claim 13, Abgrall discloses   The computer-implemented method further comprising: opening a system-local communications interface using a predetermined name of the system-local communications interface;  (paragraph 148-149, i.e., A SignedContainer holds data that is digitally signed by a private key (from the signing Key-pair) and can be verified with the matching public key (on the clients the public key is stored in ROM/flash).  These are used to send authenticated data from the device authority server to the client machines and to authorize software modules to use the device authority client services.) and sending the verification message via the system-local communications 
 
As per claim 14, Abgrall discloses    At least one tangible non-transitory computer-readable storage medium comprising processor-executable instructions of a provider module, the processor-executable instructions executable by at least one processing unit to cause the at least one processing unit to perform operations comprising: (fig.1, paragraph 55-56, i.e., The protected non-volatile memory 11 is used to store the secret master key.  The BIOS system initialization module 12 is responsible for securely transferring the secret master key from non-volatile memory 11 into SMRAM 13, a protected memory region that is only addressable from System Management Mode accessed from the normal mode of operation of the system via a System Management Interrupt (SMI).)
instantiating an interface associated with the provider module; (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)
 receiving, by a service routine of the provider module, a verification message associated with the interface; (paragraph 158, i.e., verify that the server signed a message, since the server is the only one who knows the matching private key.  The secret master keys are unique to each device and known only to that device and the server. )
 sending, in response, a confirmation message via the interface;  (paragraph 470, i.e., it verifies the application has been authorized and save the application information in the registered application table the OSD maintains.)
subsequently, receiving, by the service routine, a command associated with the interface;  (paragraph 158, i.e., verify that the server signed a message, since the server is the only one who knows 
(on the clients the public key is stored in ROM/flash).  These are used to send authenticated data from the device authority server to the client machines and to authorize software modules to use the device authority client services.)
 sending, via the interface, a response to the command. and (paragraph 148-149, i.e., A SignedContainer holds data that is digitally signed by a private key (from the signing Key-pair) and can be verified with the matching public key (on the clients the public key is stored in ROM/flash).  These are used to send authenticated data from the device authority server to the client machines and to authorize software modules to use the device authority client services.)
 
As per claim 15,  Abgrall discloses the operations comprising: in response to loading of the provider module, binding the service routine to a driver object;  and instantiating the interface after binding the service routine, the interface associated with the driver object. (paragraph 148-149, i.e., A SignedContainer holds data that is digitally signed by a private key (from the signing Key-pair) and can be verified with the matching public key (on the clients the public key is stored in ROM/flash).  These are used to send authenticated data from the device authority server to the client machines and to authorize software modules to use the device authority client services.)
 
As per claim 16,  Abgrall discloses the operations comprising, before sending the confirmation message, extracting from the verification message at least one of an interface type or a version;  and determining that the at least one of the interface type or the version is supported by the interface based 
 
As per claim 17,  Abgrall discloses the operations further comprising: 
locating a handler for the command based at least in part on the stored command data;  (paragraph 448, i.e., the system I/O manager makes an I/O request to a device driver by creating an I/O Request Packet (IRP) and sending it down to the device driver.  OSD security services can be invoked by sending DEVICE_IO_CONTROL IRP.  Each handler routine for a Device_I/O_Control code provides a specific function.)
determining that the command is a valid command in response to the locating of the handler;  (paragraph 182, i.e., All containers have a common 4-byte header that includes an opcode byte (command or message type), a format byte, and a length word (16-bit) of the following content.  The format byte indicates which of the four types of containers is present so the low-level routines know what kind of cryptographic operations needs to be performed.)
invoking the handler; (paragraph 157, i.e., some of the BIOS code runs during POST to set up information in the System Managed Memory (SMM) that is used by routines invoked via System Management Interrupts (SMI).  The SMI routines perform RSA operations using public keys from the flash ROM, which are therefore very hard to tamper with.  The SMI routines also hide and manage the secret master key) 

determining the response comprising the response data. (paragraph 448-456, i.e., The handler routine verifies the RAS digital signature of a data block. The handler routine verifies if a container is really signed by an authorized server and calls BIOS routines.)
 
As per claim 18,  Abgrall discloses the operations further comprising instantiating the interface at least partly by passing a predetermined interface identifier of the interface to an operating-system (OS) routine. (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)
 
As per claim 19,  Abgrall discloses the operations comprising: instantiating the interface supporting an ioctl operation; (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)and 
at least: sending the confirmation message via the ioctl operation;  or(paragraph 148-149, i.e., A SignedContainer holds data that is digitally signed by a private key (from the signing Key-pair) and can be verified with the matching public key (on the clients the public key is stored in ROM/flash).  These are used to send authenticated data from the device authority server to the client machines and to authorize software modules to use the device authority client services.)

 
As per claim 20,  Abgrall discloses the operations comprising: instantiating the interface supporting a query-functions operation associated with the service routine;  (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)and in response to invocation by a caller of the query-functions operation, providing to the caller a reference to the service routine. )
 
As per claim 21,  Abgrall discloses the operations comprising instantiating the interface comprising a system-local communications interface associated with a predetermined name. (paragraph 465, i.e., on the low edge interface of the operating system driver,  the operating system driver calls the security BIOS interface routines to get security services provided by the low level BIOS.)and in response to invocation by a caller of the query-functions operation, providing to the caller a reference to the service routine. )

Conclusion
4.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to KIM T HUYNH whose telephone number is (571)272-3635  or via e-mail addressed to [kim.huynh3@uspto.gov].  The examiner can normally be reached on M-F 7.00AM- 4:00PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tim Vo  can be reached at (571)272-3642 or via e-mail addressed to [tim.vo@uspto.gov].
The fax phone numbers for the organization where this application or proceeding is assigned are (571)273-8300  for regular communications and After Final communications. Any inquiry of a general 
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/K. T. H./
Examiner, Art Unit 2185

 
/TIM T VO/Supervisory Patent Examiner, Art Unit 2185