Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/09/2021 was filed after the mailing date of the Non-Final Office Action on 05/04/2021. The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
DETAILED ACTION
This Office Action is in response to an amendment application received on 08/04/2021. In the amendment, applicant has amended claims 1, 27, 40 and 42. Claims 13-26 and 28 remain cancelled. Claims 2, 4-12, 29, 31-39 and 41 remain original. Non additional claim has been cancelled and no new claim has been introduced. 
For this Office Action, claims 1-12, 27 and 29-43 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections under 35 U.S.C. § 112
	Applicant’s arguments and amendments with regards to claim rejections under 35 U.S.C. § 112(b) have been fully considered and are unpersuasive. Applicant’s amendments to independent claims still contains language which renders the claim indefinite for failing to particularly point and distinctly claim the subject matter. Therefore 112(b) rejection is maintained in this Office Action.
Claim Rejections under 35 U.S.C. § 103
Applicant’s arguments, see page # 12-20, filed 08/04/2021, with respect to the rejections of claims 1-12, 27 and 29-43 under 35 U.S.C. § 103 have been fully considered and are unpersuasive. After review Applicant’s remarks have been summarized as follows:
The combination of cited references of Baumann, Poornachandran and Ferguson do not teach or suggest processor(s) configured to “”facilitate selection of a template of an enclave, which is configured to run on a virtual machine”, as recited by independent claim 1 (See Page # 13-24). 
The combination of cited references of Baumann, Poornachandran and Ferguson do not teach or suggest “the trusted execution environment being launched from the template of the enclave, which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud device” (See Page # 15-17).
Examiner’s Response
	Regarding remark # 1, that the combination of cited references of Baumann, Poornachandran and Ferguson do not teach or suggest processor(s) configured to “”facilitate selection of a template of an enclave, which is configured to run on a virtual machine”, examiner respectfully disagrees. Third reference of Ferguson discloses ‘a cloud computing’ environment where a service provider offers [facilitate] a gallery of templates. These templates are provided by various entities such as service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Furthermore, the template(s) are located in Ferguson: [0095-0096]). 
	Regarding remark # 2, that cited references of Baumann, Poornachandran and Ferguson do not teach or suggest “the trusted execution environment being launched from the template of the enclave, which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud device”, examiner respectfully disagrees. 
	Primary reference of Baumann discloses executing application components in the secure execution environment within the protected memory area (See Baumann: FIG. 4; Steps 424-426-428). Third reference of Ferguson teaches providing [facilitating] gallery of templates from different entities such as service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Furthermore, the template(s) are located in a virtual machine and virtual machine contains Virtual Hard Drive which is construed as enclave. The templates in the Virtual Machine consists of secure and sensitive software or credentials and therefore it is protected through encryption. Ferguson further discloses executing the template(s) in Virtual machines (VMs) and ensuring that the templates have not been modified or have corrupted configurations (Ferguson: [0095-0096] & [0098]).
	Based on this, 35 U.S.C. § 103 rejection has been maintained with already cited references. 
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-12, 27, 29-39, 40-41 and 42-43 rejected under 35 U.S.C. 112(a), as failing to comply with the written description requirement. The claims contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, at the time the application was filed, had possession of the claimed invention. 
Independent claim 1, recites “facilitate selection of a template of an enclave”, however specification is silent with respect “how the facilitate” function/step is implemented. Specification discloses in paragraph [0037] “For instance, the customer may have commissioned a developer to create the template. In another example, the template may have been selected by the customer from a gallery that is provided by the cloud service”. 
However, specification is silent with respect to any algorithm or flowchart as to “how the facilitate” function/step is implemented.


The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


1-12, 27, 29-39, 40-41 and 42-43 are rejected under 35 U.S.C. 112(b), as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, regards as the invention.
Independent claims 1, 27, 40 and 42 first limitation recites “facilitate selection of a template of an enclave, which is configured to run a virtual machine, from a gallery of a cloud service”. Examiner notes that “facilitate selection” function/step does not ensure/positively recites, if ‘an act’ of selection of a template is positively occurring in this limitation. In other words “function of selecting” has not occurred in the first limitation. The word “facilitate” means is to “to make (something) easier OR to help cause (something)” which clearly means that it is assisting function in the act of selection of a template however does not actually performs the “step of selection/selecting of a template”. Therefore, without the recitation of the positive step of “selecting the template” it is unclear how the “the template of the enclave” is selected via the client device from a gallery of a cloud service in the last limitation. Related concern has been noticed in the other independent claims.
Independent claim 1 is directed to a client device, as claim recites “A client device comprising: memory; and one or more processors coupled to the memory, the one or more processors configured to perform operations comprising”. Claim further recites in first limitation “a template of an enclave which is configured to run on a virtual machine …”; recites in last limitation “which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud service”. 
the platform” which executes the operating system is not part of the claimed client device. In re Zletz, 893 F.2d 319, 13USPQ2d 1320 (Fed. Cir. 1989), MPEP 2173.02 (III)(B)) which states “Examiners should bear in mind that "[a]n essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed, as much as possible, during the administrative process”.
Independent claim 27 is directed to a method of a client device as claim recites “A method performed using at least one processor of a client device, the method comprising”. Claim further recites in first limitation “a template of an enclave which is configured to run on a virtual machine …”; recites in last limitation “which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud service”. 
However, the scope of the claim is unclear with respect to these limitations because a template of the enclave and the “the platform” which executes the operating system is not part of the claimed client device. In re Zletz, 893 F.2d 319, 13USPQ2d 1320 (Fed. Cir. 1989), MPEP 2173.02 (III)(B)) which states “Examiners should bear in mind that "[a]n essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed, as much as possible, during the administrative process”.
40 is directed to “A computer program product comprising a computer-readable device having instructions recorded thereon for enabling a processor-based system to perform steps, the steps comprising”. Claim further recites in first limitation “a template of an enclave which is configured to run on a virtual machine …”; recites in last limitation “which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud service”. 
However, the scope of the claim is unclear with respect to these limitations because a template of the enclave and the “the platform” which executes the operating system is not part of the claimed client device. In re Zletz, 893 F.2d 319, 13USPQ2d 1320 (Fed. Cir. 1989), MPEP 2173.02 (III)(B)) which states “Examiners should bear in mind that "[a]n essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed, as much as possible, during the administrative process”.
Independent claim 42 is directed to “A client device”. Claim further recites in first limitation “a template of an enclave which is configured to run on a virtual machine …”; recites in last limitation “which is configured to run on the virtual machine, wherein the template of the enclave is associated with an operating system that is configured to execute on the platform and is selected via the client device from the gallery of the cloud service”. 
However, the scope of the claim is unclear with respect to these limitations because a template of the enclave and the “the platform” which executes the operating system is not part of the claimed client device. In re Zletz, 893 F.2d 319, 13USPQ2d 1320 (Fed. Cir. 1989), MPEP Examiners should bear in mind that "[a]n essential purpose of patent examination is to fashion claims that are precise, clear, correct, and unambiguous. Only in this way can uncertainties of claim scope be removed, as much as possible, during the administrative process”.
 The dependent claims of the independent claims included in the statement of rejection but not specifically addressed in the body of the rejection, have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, dependent claims are also rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1-12, 27 and 29-43 are rejected under 35 U.S.C. 103 as being unpatentable over Baumann et al., (US20130151846A1) in view of Poornachandran et al., (US20160350534A1) and further in view of Ferguson et al., (US20150319160A1).
Regarding claim 1, Baumann discloses:
A client device (See FIG. 2; i.e. computing system 200) comprising: 
memory; and one or more processors coupled to the memory, the one or more processors configured to perform operations comprising: 
establish a chain of trust (see [0043-0044] i.e. attestation certificate) from a trusted execution environment (see [0043-0044] i.e. a request from the client system 112) to a platform (see [0043-0044] i.e. secure execution environment) based at least in part on receipt of measurements (see [0048] i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (See [0028-0029] i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
See [0090] i.e. one or more application components to be executed), which is associated with an operating system  that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
	provision the trusted execution environment with information in absence of a secure channel (See [0026] i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
	facilitate selection of a template of an enclave, which is configured to run on a virtual machine, from a gallery of a cloud service; client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	facilitate selection of a template (See [0095] i.e. offers a gallery of templates) of an enclave (i.e. Virtual Hard Drive (VHD) in the shielded Virtual Machine (VM) construed as enclave which contains templates; See [0050] & [0098]), which is configured to run on a virtual machine (i.e. see [0095] VM), from a gallery of a cloud service ([0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements and not yet provisioned with account identification, administrator passwords, software or other sensitive data; [0098] In the process of validating the template resources and creating a shielded VM, or of decrypting and re-encrypting the template VHD to create a VM VHD);
client device selecting the virtual machine template from a gallery of a cloud service ([0096] It is useful for the tenant to be able to create shielded VMs from such a template. When doing this, it is useful for the tenant to be able to verify the integrity of the template, such as verifying that the template has not be tampered with by a service provider staff member inserting malware or configurations that would allow subsequent attack on the VM).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 2, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to establish the chain of trust from the trusted execution environment to the platform by using a public key that corresponds to the platform signing key to verify that the measurements are signed with (Baumann: [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112).
Regarding claim 3, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the distributed computing system provides the cloud service; and
wherein the one or more processors are configured to perform the operations further comprising:
use cryptographic communications to exclude entities other than the client device from knowing the information and to exclude the other entities from manipulating the information, the other entities including a provider of the cloud service (Baumann: [0005] Embodiments of the present disclosure enable an application hosting service to cryptographically certify that it provides a secure execution environment that is resistant to snooping and tampering such that it includes, for example, only the user's trusted code and data. In order to service a request from a client system to establish a secure execution environment, a protected memory area is instantiated by a security-enabled processor. The hosted computing system goes through an attestation protocol to provide verifiable facts about the security-enabled processor and the software and data in the secure execution environment, such as the manufacturer and model of the security-enabled processor and the vendor or code identity of the software. Upon successful completion of the attestation protocol, a cryptographically protected communication channel is established between the client system and the secure execution environment, and one or more applications are executed within the secure execution environment).
Regarding claim 4, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising:
securely provision the trusted execution environment with the information (Baumann: [0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location). Obtaining one or more application components may include retrieving the one or more application components from the client system, such as via a cryptographically protected communication channel).	
Regarding claim 5, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising:
provision the trusted execution environment with at least one policy in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0030] Next at block 240 quotes of the isolated environment and the virtual trusted execution environment can be provided to the remote attestation service. In an embodiment, the application within the isolated environment may request measurement quotes, which it may receive from the secure enclave (which in turn obtains the measurement from the measurement enclave) and the virtual TEE).
Regarding claim 6, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 5, wherein the one or more processors are configured to perform the operations comprising: provide an update regarding the at least one policy to the trusted execution environment; and wherein the update is signed with a policy update key, which corresponds to a public key that is usable by the trusted execution environment to verify that the update is provided by the client device (Poornachandran: [0058] Still with reference to FIG. 6, TEE 640 includes a logic 645. Note that TEE 640 may be a second or third TEE implemented as an IP block of a SoC, which is a secure microcontroller or co-processor. The methods described above for TEE-TEE secure session key establishment with attestation may be applied to block 640 in conjunction with any of the other TEE environments described. In one example, logic 645 may be a secure DRM clear (SDRCLR) logic 645. Such logic may be adapted to detect a rooting of system 600 and perform one or more enforcement mechanisms with regard to secure content according to one or more security policies. As further illustrated, TEE 640 includes a secure storage 648. In various embodiments, secure storage 648 may securely store content licenses and/or keys associated with secure content).
Regarding claim 7, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising:
provision the trusted execution environment with secret information in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust, the secret information including at least one of data, software code, or one or more keys (Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service. Once MemCore and this first SGX enclave are mutually authenticated, other SGX enclaves, as needed, can be whitelisted and authenticated to MemCore via SGX local attestation and communications).
Regarding claim 8, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 7, wherein the one or more processors are configured to perform the operations comprising:
encrypt the secret information with a secret import key that is received from the trusted execution environment, the secret import key corresponding to a private key that is usable by the trusted execution environment to decrypt the secret information (Poornachandran: [0028] Next, control passes to block 220 where a secret may be sealed to this TPM state using the virtual trusted execution environment. In an embodiment, the secret, which may be a cryptographically generated secret value such as a key, credential or other signature, may be stored in an appropriate storage such as a trusted storage associated with the TEE; [0044] Next, an example remote attestation is described. Here, a backend attestation service can verify the quotes and distribute the shared secret. The target application creates an SSL session with the backend attestation/verifying server. This step may be completed earlier, if a liveliness nonce is included as part of the measurement quotes. The backend attestation server verifies the two quotes and provides a successful response to the enclave and the MemCore environment. The response also includes the shared secret K. The response is distributed to the target enclave. After verifying the response, the target enclave now also has the shared secret K).
Regarding claim 9, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 7, wherein the one or more processors are configured to perform the operations comprising: 
Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service. Once MemCore and this first SGX enclave are mutually authenticated, other SGX enclaves, as needed, can be whitelisted and authenticated to MemCore via SGX local attestation and communications); 
determine whether to provision the trusted execution environment with the secret information based at least in part on whether the client device receives confirmation from the trusted execution environment that the trusted execution environment has received the at least one policy from the client device (Baumann: [0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location). Obtaining one or more application components may include retrieving the one or more application components from the client system, such as via a cryptographically protected communication channel).
Regarding claim 10, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 9, wherein the confirmation includes the at least one policy (Poornachandran: [0058] Still with reference to FIG. 6, TEE 640 includes a logic 645. Note that TEE 640 may be a second or third TEE implemented as an IP block of a SoC, which is a secure microcontroller or co-processor. The methods described above for TEE-TEE secure session key establishment with attestation may be applied to block 640 in conjunction with any of the other TEE environments described. In one example, logic 645 may be a secure DRM clear (SDRCLR) logic 645. Such logic may be adapted to detect a rooting of system 600 and perform one or more enforcement mechanisms with regard to secure content according to one or more security policies. As further illustrated, TEE 640 includes a secure storage 648. In various embodiments, secure storage 648 may securely store content licenses and/or keys associated with secure content).
Regarding claim 11, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations comprising: 
request auditing information from the trusted execution environment, the auditing information indicating a detected state of the trusted execution environment (Baumann: [0032] The hosted computing system is also configured, in various embodiments, to certify to the client system that the security-enabled processor is physically secure, for example in one embodiment the hosted computing system is configured to transmit an auditor certificate, signed by an auditing entity's private key, declaring that the security-enabled processor has not been physically tampered with during a specific time period. Personnel from the auditing entity may periodically or continually monitor the hosted computing service to determine that the security-enabled processors are physically intact. The auditor certificate therefore provides the client system with additional degrees of confidence in the secure execution environment);
determine whether to provision the trusted execution environment with additional information based at least in part on whether the detected state and a reference state are same (Poornachandran:[0030] Next at block 240 quotes of the isolated environment and the virtual trusted execution environment can be provided to the remote attestation service. In an embodiment, the application within the isolated environment may request measurement quotes, which it may receive from the secure enclave (which in turn obtains the measurement from the measurement enclave) and the virtual TEE. Note that in different implementations, certain measurement information from these two different measurements may be concatenated in some manner to provide an overall measurement quote to the remote attestation service. In an embodiment, a simple combining of the two measurement quotes may be performed); and 
provision the trusted execution environment with the additional information in absence of the secure channel between the client device and the trusted execution environment to further customize the trusted execution environment with the additional information based at least in part on the detected state and the reference state being the same (Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service).
Regarding claim 12, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 1, wherein the one or more processors are configured to perform the operations further comprising: encrypt a public portion of a policy update key that is associated with the client device with a public portion of a provisioning encryption key, the policy update key having a private portion that is usable by the client device to sign an update regarding at least one policy that is to be provided to the trusted execution environment, the provisioning encryption key having a private portion that is associated with a plurality of trusted execution environments and that is usable by the trusted execution environment to decrypt the public portion of the policy update key, the plurality of trusted execution environments including the trusted execution environment (Poornachandran: [0044] an example remote attestation is described. Here, a backend attestation service can verify the quotes and distribute the shared secret. The target application creates an SSL session with the backend attestation/verifying server. This step may be completed earlier, if a liveliness nonce is included as part of the measurement quotes. The backend attestation server verifies the two quotes and provides a successful response to the enclave and the MemCore environment. The response also includes the shared secret K. The response is distributed to the target enclave. After verifying the response, the target enclave now also has the shared secret K. The enclave may encrypt the shared secret K using an enclave-specific encryption key and store it in a location that can be accessed in future communications. The response is also distributed to the MemCore driver, which now has confirmation that the SGX-to-MemCore binding protocol is complete; [0046] Next at block 440, communication may be performed with a trusted platform module and a remote attestation service to provision an attestation identity key (AIK). Thereafter, at block 450, a virtual TEE driver and a target application may be installed within the isolated environment. As one such example, the target application may be an authentication application provided by a remote attestation service to enable secure user authentications to the computing system).
Regarding claim 27, Baumann discloses:
A method performed using at least one processor of a client device, the method comprising:
establishing a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched from a template (i.e. one or more application components to be executed), which is associated with an operating system that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provisioning the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
	provisioning the trusted execution environment with information in absence of a secure channel (i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
facilitate selection of a template of an enclave, which is configured to run on a virtual machine, from a gallery of a cloud service; client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
See [0095] i.e. offers a gallery of templates) of an enclave, which is configured to run on a virtual machine (i.e. see [0095] VM), from a gallery of a cloud service ([0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements and not yet provisioned with account identification, administrator passwords, software or other sensitive data);
client device selecting the virtual machine template from a gallery of a cloud service ([0096] It is useful for the tenant to be able to create shielded VMs from such a template. When doing this, it is useful for the tenant to be able to verify the integrity of the template, such as verifying that the template has not be tampered with by a service provider staff member inserting malware or configurations that would allow subsequent attack on the VM).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 29, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, wherein the one or more processors are configured to establish the chain of trust from the trusted execution environment to the platform by using a public key (Baumann: [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 … The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112).
Regarding claim 30, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, wherein the distributed computing system provides the cloud service; and
wherein the one or more processors are configured to perform the operations further comprising:
use cryptographic communications to exclude entities other than the client device from knowing the information and to exclude the other entities from manipulating the information, (Baumann: [0005] Embodiments of the present disclosure enable an application hosting service to cryptographically certify that it provides a secure execution environment that is resistant to snooping and tampering such that it includes, for example, only the user's trusted code and data. In order to service a request from a client system to establish a secure execution environment, a protected memory area is instantiated by a security-enabled processor. The hosted computing system goes through an attestation protocol to provide verifiable facts about the security-enabled processor and the software and data in the secure execution environment, such as the manufacturer and model of the security-enabled processor and the vendor or code identity of the software. Upon successful completion of the attestation protocol, a cryptographically protected communication channel is established between the client system and the secure execution environment, and one or more applications are executed within the secure execution environment).
Regarding claim 31, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, wherein provisioning the trusted execution environment comprises:
securely provision the trusted execution environment with the information (Baumann: [0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location). Obtaining one or more application components may include retrieving the one or more application components from the client system, such as via a cryptographically protected communication channel).
Regarding claim 32, the combination of Baumann, Poornachandran & Ferguson discloses:
	The method of claim 27, wherein provisioning the trusted execution environment comprises:
provisioning the trusted execution environment with at least one policy in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0030] Next at block 240 quotes of the isolated environment and the virtual trusted execution environment can be provided to the remote attestation service. In an embodiment, the application within the isolated environment may request measurement quotes, which it may receive from the secure enclave (which in turn obtains the measurement from the measurement enclave) and the virtual TEE).
Regarding claim 33, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 32, further comprising: providing an update regarding the at least one policy to the trusted execution environment; and wherein the update is signed with a policy update key, which corresponds to a public key that is usable by the trusted execution environment to verify that the update is provided by the client device (Poornachandran: [0058] Still with reference to FIG. 6, TEE 640 includes a logic 645. Note that TEE 640 may be a second or third TEE implemented as an IP block of a SoC, which is a secure microcontroller or co-processor. The methods described above for TEE-TEE secure session key establishment with attestation may be applied to block 640 in conjunction with any of the other TEE environments described. In one example, logic 645 may be a secure DRM clear (SDRCLR) logic 645. Such logic may be adapted to detect a rooting of system 600 and perform one or more enforcement mechanisms with regard to secure content according to one or more security policies. As further illustrated, TEE 640 includes a secure storage 648. In various embodiments, secure storage 648 may securely store content licenses and/or keys associated with secure content).
Regarding claim 34, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, wherein provisioning the trusted execution environment comprises: 
provisioning the trusted execution environment with secret information in absence of the secure channel between the client device and the trusted execution environment based at least in part on the chain of trust, the secret information including at least one of data, software code, or one or more keys (Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service. Once MemCore and this first SGX enclave are mutually authenticated, other SGX enclaves, as needed, can be whitelisted and authenticated to MemCore via SGX local attestation and communications).
Regarding claim 35, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 34, further comprising: encrypting the secret information with a secret import key that is received from the trusted execution environment, the secret import key corresponding to a private key that is usable by the trusted execution environment to decrypt the secret information (Poornachandran: [0028] Next, control passes to block 220 where a secret may be sealed to this TPM state using the virtual trusted execution environment. In an embodiment, the secret, which may be a cryptographically generated secret value such as a key, credential or other signature, may be stored in an appropriate storage such as a trusted storage associated with the TEE; [0044] Next, an example remote attestation is described. Here, a backend attestation service can verify the quotes and distribute the shared secret. The target application creates an SSL session with the backend attestation/verifying server. This step may be completed earlier, if a liveliness nonce is included as part of the measurement quotes. The backend attestation server verifies the two quotes and provides a successful response to the enclave and the MemCore environment. The response also includes the shared secret K. The response is distributed to the target enclave. After verifying the response, the target enclave now also has the shared secret K).
Regarding claim 36, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 34, wherein provisioning the trusted execution environment comprises: 
Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service. Once MemCore and this first SGX enclave are mutually authenticated, other SGX enclaves, as needed, can be whitelisted and authenticated to MemCore via SGX local attestation and communications); 
determine whether to provision the trusted execution environment with the secret information based at least in part on whether the client device receives confirmation from the trusted execution environment that the trusted execution environment has received the at least one policy from the client device (Baumann: [0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location). Obtaining one or more application components may include retrieving the one or more application components from the client system, such as via a cryptographically protected communication channel).
Regarding claim 37, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 36, wherein the confirmation includes the at least one policy (Poornachandran: [0058] Still with reference to FIG. 6, TEE 640 includes a logic 645. Note that TEE 640 may be a second or third TEE implemented as an IP block of a SoC, which is a secure microcontroller or co-processor. The methods described above for TEE-TEE secure session key establishment with attestation may be applied to block 640 in conjunction with any of the other TEE environments described. In one example, logic 645 may be a secure DRM clear (SDRCLR) logic 645. Such logic may be adapted to detect a rooting of system 600 and perform one or more enforcement mechanisms with regard to secure content according to one or more security policies. As further illustrated, TEE 640 includes a secure storage 648. In various embodiments, secure storage 648 may securely store content licenses and/or keys associated with secure content). 
Regarding claim 38, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, further comprising: 
requesting auditing information from the trusted execution environment, the auditing information indicating a detected state of the trusted execution environment (Baumann: [0032] The hosted computing system is also configured, in various embodiments, to certify to the client system that the security-enabled processor is physically secure, for example in one embodiment the hosted computing system is configured to transmit an auditor certificate, signed by an auditing entity's private key, declaring that the security-enabled processor has not been physically tampered with during a specific time period. Personnel from the auditing entity may periodically or continually monitor the hosted computing service to determine that the security-enabled processors are physically intact. The auditor certificate therefore provides the client system with additional degrees of confidence in the secure execution environment);
determine whether to provision the trusted execution environment with additional information based at least in part on whether the detected state and a reference state are same (Poornachandran:[0030] Next at block 240 quotes of the isolated environment and the virtual trusted execution environment can be provided to the remote attestation service. In an embodiment, the application within the isolated environment may request measurement quotes, which it may receive from the secure enclave (which in turn obtains the measurement from the measurement enclave) and the virtual TEE. Note that in different implementations, certain measurement information from these two different measurements may be concatenated in some manner to provide an overall measurement quote to the remote attestation service. In an embodiment, a simple combining of the two measurement quotes may be performed); and 
provision the trusted execution environment with the additional information in absence of the secure channel between the client device and the trusted execution environment to further customize the trusted execution environment with the additional information based at least in part on the detected state and the reference state being the same (Poornachandran: [0026] SGX and TPMs provide certain locality assurances, software measurement, quoting and sealed storage capabilities. A quote providing verifiable evidence about the launched MemCore VMM may originate from the TPM; and a quote about the SGX enclave may originate from its respective quoting mechanism. MemCore isolations of the SGX components prevent man-in-the-middle attacks and are used with the SGX and TPM quote properties to ensure locality on the platform. The TPM quote for MemCore and the SGX quote may be bundled and sent to a remote verifying service. If verified, MemCore and SGX are then mutually authenticated to one another and they establish a shared secret K which can be used on subsequent boots without requiring network access or the verifying service).
Regarding claim 39, the combination of Baumann, Poornachandran & Ferguson discloses:
The method of claim 27, further comprising: 
encrypting a public portion of a policy update key that is associated with the client device with a public portion of a provisioning encryption key, the policy update key having a private portion that is usable by the client device to sign an update regarding at least one policy that is to be provided to the trusted execution environment, the provisioning encryption key having a private portion that is associated with a plurality of trusted execution environments and that is usable by the trusted execution environment to decrypt the public portion of the policy update key, the plurality of trusted execution environments including the trusted execution environment (Poornachandran: [0044] an example remote attestation is described. Here, a backend attestation service can verify the quotes and distribute the shared secret. The target application creates an SSL session with the backend attestation/verifying server. This step may be completed earlier, if a liveliness nonce is included as part of the measurement quotes. The backend attestation server verifies the two quotes and provides a successful response to the enclave and the MemCore environment. The response also includes the shared secret K. The response is distributed to the target enclave. After verifying the response, the target enclave now also has the shared secret K. The enclave may encrypt the shared secret K using an enclave-specific encryption key and store it in a location that can be accessed in future communications. The response is also distributed to the MemCore driver, which now has confirmation that the SGX-to-MemCore binding protocol is complete; [0046] Next at block 440, communication may be performed with a trusted platform module and a remote attestation service to provision an attestation identity key (AIK). Thereafter, at block 450, a virtual TEE driver and a target application may be installed within the isolated environment. As one such example, the target application may be an authentication application provided by a remote attestation service to enable secure user authentications to the computing system). 
Regarding claim 40, Baumann discloses:
A computer program product comprising a computer-readable device having instructions recorded thereon for enabling a processor-based system to perform steps, the steps comprising:
establish a chain of trust (see [0043-0044] i.e. attestation certificate) from a trusted execution environment (see [0043-0044] i.e. a request from the client system 112) to a platform (see [0043-0044] i.e. secure execution environment) based at least in part on receipt of measurements (see [0048] i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (See [0028-0029] i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched from a template (See [0090] i.e. one or more application components to be executed), which is associated with an operating system  that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:
provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment; and client device selecting the virtual machine template from a gallery of a cloud service.
However, Poornachandran discloses:
	provision the trusted execution environment with information in absence of a secure channel (See [0026] i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:

However, Ferguson discloses:
	facilitate selection of a template (See [0095] i.e. offers a gallery of templates) of an enclave, which is configured to run on a virtual machine (i.e. see [0095] VM), from a gallery of a cloud service ([0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements and not yet provisioned with account identification, administrator passwords, software or other sensitive data);
client device selecting the virtual machine template from a gallery of a cloud service ([0096] It is useful for the tenant to be able to create shielded VMs from such a template. When doing this, it is useful for the tenant to be able to verify the integrity of the template, such as verifying that the template has not be tampered with by a service provider staff member inserting malware or configurations that would allow subsequent attack on the VM).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 

Regarding claim 41, the combination of Baumann, Poornachandran & Ferguson discloses:
The computer program product of claim 40, wherein the steps comprise: provision the trusted execution environment with at least one policy in absence of the secure channel between the processor-based system and the trusted execution environment based at least in part on the chain of trust (Poornachandran: [0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
Regarding claim 42, Baumann discloses:
A client device comprising:
means for establishing a chain of trust (i.e. attestation certificate) from a trusted execution environment (i.e. a request from the client system 112) to a platform (i.e. secure execution environment) based at least in part on receipt of measurements (i.e. an identifier for the loader module) of the trusted execution environment, which are signed with a platform signing key (i.e. a public key/private key of the security-enabled processor of the secure execution environment) of the platform, from the platform (See FIGS. 1 & 4; [0028] The identifier may include a digest, such as a hash, of the activation state of the protected memory area. The identifier may include a public key that the security-enabled processor used to decrypt the contents placed into the protected memory area in the activation state. The identifier may be some other identifier that identifies the activation state; [0029] The signed attestation certificate is transmitted to the client system and therefore enables the client system to verify, using a known public key of the security-enabled processor that corresponds to the private key of the security-enabled processor; [0043] The set-up module 110 receives a request from the client system 112, via network 114, to establish a secure execution environment on the application hosting service 102 …  The request is accompanied by an indication of a loader module 116 and one or more parameters 118. The indication of the loader module 116 may be an identifier for the loader module 116; [0044] The set-up module 110 causes, in response to receipt of the request, the security-enabled processor 106 to instantiate a protected memory area 120, which is a hardware-protected memory area, within memory 104; [0048] An instance of the loader module 116 executes on the security-enabled processor and causes the processor to create an attestation certificate 124 signed by a security-enabled processor (SEP) private key 126 … so long as the security-enabled processor 106 is physically intact, an entity receiving the attestation certificate 124 can have a high degree of confidence that the signed attestation certificate 124 is signed by the security-enabled processor 106; [0049] The attestation certificate 124 may include, among other things, the identifier 122. The loader module 116 then transmits the attestation certificate to the client system 112), 
the measurements indicating attributes of the trusted execution environment, which is hosted by a distributed computing system coupled to the client device ([0047] The identifier may be, in various embodiments, a digest—such as a hash—of the contents of the protected memory area 120 in the activation state. The identifier may be a public key corresponding to a private key that was used to sign the software stored in the protected memory area 120; [0088] At 422, the loader module and/or the application hosting service transmits one or more trust certificates, such as TA certificate 132 and intermediate certificates 134 that collectively vouch for the identity of the security-enabled processor and/or indicate that the security-enabled processor is secure); and 
customize the trusted execution environment with the information based at least in part on the chain of trust in response to the trusted execution environment being launched from a template (i.e. one or more application components to be executed), which is associated with an operating system that is configured to execute on the platform ([0089] At 424, the loader module receives an authorization message from the client system; [0090] At 426, the loader module obtains one or more application components to be executed in the secure execution environment. Obtaining one or more application components may include retrieving the one or more application components from a persistent storage of the application hosting service, from a remote location (such as via a URI identified in the parameters of the initial activation state or the authorization message, or in some other location); [0091] The one or more application components are selected by the client system, either by transmitting a URI, URL, other identifier, or an application binary, application package, or file-system image. Transmission of the URI, URL, other identifier, application binary, application package, file-system image, and so forth may be done via the request received at 402; [0092] the one or more application components may have been obtained and loaded into the protected memory area as part of the initial activation state. At 428, the loader module causes the security-enabled application to execute the obtained one or more application components within the protected memory area).
Baumann fails to disclose:

However, Poornachandran discloses:
	means for provisioning the trusted execution environment with information in absence of a secure channel (i.e. without requiring network access) between the client device and the trusted execution environment ([0026] provision the trusted execution environment with information in absence of a secure channel between the client device and the trusted execution environment).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the reference of Baumann and include a system capability quoting mechanism for a trusted platform, as disclosed by Poornachandran.
The motivation to include quoting mechanism is to verify Trusted platform through local assurances and software measurements such as secret keys without requiring remote network access verification services. 
The combination of Baumann and Poornachandran does not disclose:
facilitate selection of a template of an enclave, which is configured to run on a virtual machine, from a gallery of a cloud service; client device selecting the virtual machine template from a gallery of a cloud service.
However, Ferguson discloses:
	facilitate selection of a template (See [0095] i.e. offers a gallery of templates) of an enclave, which is configured to run on a virtual machine (i.e. see [0095] VM), from a gallery of a [0095] In cloud computing it is common that the service provider offers a gallery of templates provided by the service provider, independent software vendors (ISVs), systems integrators or other third-party providers. Such a template is a complete or partial definition of a VM that is not yet tailored to the tenant's requirements and not yet provisioned with account identification, administrator passwords, software or other sensitive data);
client device selecting the virtual machine template from a gallery of a cloud service ([0096] It is useful for the tenant to be able to create shielded VMs from such a template. When doing this, it is useful for the tenant to be able to verify the integrity of the template, such as verifying that the template has not be tampered with by a service provider staff member inserting malware or configurations that would allow subsequent attack on the VM).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Baumann and Poornachandran references and select virtual machine template from service provider gallery, as disclosed by Ferguson. 
	The motivation to select virtual machine template from service provider gallery is to be able to verify the integrity of the template, such that the virtual machine template has not been compromised with malware.
Regarding claim 43, the combination of Baumann, Poornachandran & Ferguson discloses:
The client device of claim 42, wherein the distributed computing system provides the cloud service; and wherein the client device further comprises: means for using cryptographic communications to exclude entities other than the client device from knowing the information and to exclude the other entities from manipulating the information, the other entities (Baumann: [0005] Embodiments of the present disclosure enable an application hosting service to cryptographically certify that it provides a secure execution environment that is resistant to snooping and tampering such that it includes, for example, only the user's trusted code and data. In order to service a request from a client system to establish a secure execution environment, a protected memory area is instantiated by a security-enabled processor. The hosted computing system goes through an attestation protocol to provide verifiable facts about the security-enabled processor and the software and data in the secure execution environment, such as the manufacturer and model of the security-enabled processor and the vendor or code identity of the software. Upon successful completion of the attestation protocol, a cryptographically protected communication channel is established between the client system and the secure execution environment, and one or more applications are executed within the secure execution environment).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/S.M.A./Patent Examiner, Art Unit 2432                                                                                                                                                                                                        
/Jeffrey Nickerson/                                                                                             Supervisory Patent Examiner, Art Unit 2432