Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
This Examiner’s Amendment and Examiner’s Reasons for Allowance action is in response to the filing of 10/19/2021. Claims 7 and 15 have been cancelled and claims 1,9, and 17 have been amended. Therefore claims 1-6, 8-14, and 16-20 are presently pending in the application and have been considered as follows.

Response to Amendments
In light of applicant’s amendments, all previously raised rejections are hereby withdrawn.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Attorney Jason Chu (Reg. No. 63022) on November 2, 2021.
The application has been amended as follows:

IN THE CLAIMS

(Currently Amended) A computer-implemented method of performing a secure boot-up operation of executable code for operating an autonomous driving vehicle, comprising:
in response to [[a]] the secure boot-up operation, reading a first marker from a storage device of a sensor unit of the autonomous driving vehicle (ADV), the storage device including a plurality of partitions, each of the partitions storing an executable image of firmware, wherein the first marker includes a first unique identifier and a first authentication code, wherein the first unique identifier has , wherein the first authentication code includes a cyclic redundancy code;
determining whether the first marker is valid by using the first authentication code to determine if the first unique identifier has been corrupted, wherein the first marker is associated with a first of the partitions having a first executable image stored therein; 
executing the first executable image retrieved from the first partition in response to determining that the first marker is valid, wherein the first executable image, when executed, is configured to process sensor data obtained from one or more sensors mounted on the ADV utilized to perceive a driving environment surrounding the ADV during autonomous driving; and
examining a second marker to determine whether the second marker has been authenticated, wherein the second marker is examined and the second executable image is executed in response to a successful execution of the first executable image.

(Original) The method of claim 1, wherein each of the partitions includes a marker stored therein to indicate whether a respective executable image is valid for execution.

(Currently Amended) The method of claim 2, wherein each partition further includes [[an]] the authentication code stored therein to authenticate the respective executable image.

(Original) The method of claim 2, wherein each partition further includes a verifier code stored therein to verify an integrity of the respective executable image.

(Currently Amended) The method of claim 1, further comprising:
reading [[a]] the second marker from a second partition of the storage device, the second partition storing [[a]] the second executable image;

if the second marker is determined valid, executing the second executable image retrieved from the second partition.

(Original) The method of claim 5, wherein the second marker is examined and the second executable image is executed, in response to determining that the first marker is invalid, wherein the second executable image is a back-up version of the first executable image.

(Cancelled) 

(Original) The method of claim 1, further comprising:
in response to a request for updating a third executable image stored in a third partition, modifying a third marker associated with the third partition to indicate that the third executable image is invalid;
updating the third executable image in the third partition; and
restoring the third marker to indicate that the third executable image is valid again.

(Currently Amended) A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform operations, the operations comprising:
in response to a boot-up operation, reading a first marker from a storage device of a sensor unit of the autonomous driving vehicle (ADV), the storage device including a plurality of partitions, each of the partitions storing an executable image of firmware, wherein the first marker includes a first unique identifier and a first authentication code, wherein the first unique identifier has , wherein the first authentication code includes a cyclic redundancy code;
determining whether the first marker is valid by using the first authentication code to determine if the first unique identifier has been corrupted, wherein the first marker is associated with a first of the partitions having a first executable image stored therein; 
executing the first executable image retrieved from the first partition in response to determining that the first marker is valid, wherein the first executable image, when executed, is configured to process sensor data obtained from one or more sensors mounted on the ADV utilized to perceive a driving environment surrounding the ADV during autonomous driving; and
examining a second marker to determine whether the second marker has been authenticated, wherein the second marker is examined and a second executable image is executed in response to a successful execution of the first executable image.

(Original) The machine-readable medium of claim 9, wherein each of the partitions includes a marker stored therein to indicate whether a respective executable image is valid for execution.

(Currently Amended) The machine-readable medium of claim 10, wherein each partition further includes [[an]] the authentication code stored therein to authenticate the respective executable image.

(Original) The machine-readable medium of claim 10, wherein each partition further includes a verifier code stored therein to verify an integrity of the respective executable image.

(Currently Amended) The machine-readable medium of claim 9, wherein the operations further comprise:
reading [[a]] the second marker from a second partition of the storage device, the second partition storing [[a]] the second executable image;

if the second marker is determined valid, executing the second executable image retrieved from the second partition.

(Original) The machine-readable medium of claim 13, wherein the second marker is examined and the second executable image is executed, in response to determining that the first marker is invalid, wherein the second executable image is a back-up version of the first executable image.

(Cancelled) 

(Original) The machine-readable medium of claim 9, wherein the operations further comprise:
in response to a request for updating a third executable image stored in a third partition, modifying a third marker associated with the third partition to indicate that the third executable image is invalid;
updating the third executable image in the third partition; and
restoring the third marker to indicate that the third executable image is valid again.

(Currently Amended) A data processing system, comprising:
a processor; and
a memory coupled to the processor to store instructions, which when executed by the processor, cause the processor to perform operations, the operations including:
in response to a boot-up operation, reading a first marker from a storage device of a sensor unit of the autonomous driving vehicle (ADV), the storage device including a plurality of partitions, each of the partitions storing an executable image of firmware, wherein the first marker includes a first unique identifier and a first authentication code, wherein the first unique identifier has  , wherein the first authentication code includes a cyclic redundancy code,
determining whether the first marker is valid by using the first authentication code to determine if the first unique identifier has been corrupted, wherein the first marker is associated with a first of the partitions having a first executable image stored therein, 
executing the first executable image retrieved from the first partition in response to determining that the first marker is valid, wherein the first executable image, when executed, is configured to process sensor data obtained from one or more sensors mounted on the ADV utilized to perceive a driving environment surrounding the ADV during autonomous driving, and
examining a second marker to determine whether the second marker has been authenticated, wherein the second marker is examined and a second executable image is executed in response to a successful execution of the first executable image.

(Original) The system of claim 17, wherein each of the partitions includes a marker stored therein to indicate whether a respective executable image is valid for execution.

(Currently Amended) The system of claim 18, wherein each partition further includes [[an]] the authentication code stored therein to authenticate the respective executable image.

(Original) The system of claim 18, wherein each partition further includes a verifier code stored therein to verify an integrity of the respective executable image.


Allowable Subject Matter
Claims 1-6, 8-14, and 16-20 are allowed over the prior art of record.  The following is an examiner's statement of reasons for allowance:

Prior art of record teaches the following:
Fava et al. (US 2019/0229913 A1) teaches the authenticity and/or integrity of data is determined based on cryptographic measurements. In some cases, the data is executable code of a computer program stored in system memory. In other cases, the data is firmware stored in a storage device or a boot device. In yet other cases, the data is executable code that is part of an update being received by an application controller. For example, the update may be a secure over-the-air (SOTA) update of software stored in firmware (e.g., on a storage device or a boot device).  
Floyd et al. (US 10,826,706 B1) teaches a computer system for verifying vehicle software configuration may be provided. The computer system may include a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to: (1) transmit, to a vehicle computing system, an authentication request including a hash algorithm specification; (2) receive, from the vehicle computing system, a current configuration hash value and a vehicle identifier; (3) retrieve a trusted data block from a memory based upon the vehicle identifier, the trusted data block including a stored configuration hash value and a smart contract code segment; (4) execute the smart contract code segment, the smart contract code segment including a failsafe code segment; and/or (5) transmit the authentication response to the vehicle computing system, and cause the vehicle computing system to execute the failsafe code segment.
Hu et al. (US 2009/0193211 A1) teaches a technique for authenticating software in a computer system is provided that can be used to prevent unauthorized users from accessing or using certain features or resources of the computer system. In accordance with the technique, a relatively small hash table is authenticated at system boot up and then used during run-time to authenticate selected portions of a software image. The technique advantageously permits software to be authenticated in a manner that does not impose significant delays upon the boot-up time associated with the computer system. The technique is applicable to both general-purpose and special-purpose computer systems, including embedded systems.
Floyd et al. (US 10,666,767 B1) teaches a computer system for verifying vehicle software configuration may be provided. The computer system may include a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to: (1) retrieve a trusted data block from a memory, the trusted data block including a stored configuration hash value, a smart contract code segment, and a failsafe code segment; (2) generate a current configuration hash value based on at least one software module by executing the smart contract code segment; (3) determine that the current configuration hash value is invalid based on the stored configuration hash value by executing the smart contract code segment; and/or (4) execute the failsafe code segment, in response to determining that the current configuration hash value is invalid. 
However, none of the prior art of record teach by themselves or in any combination nor would have anticipated nor render obvious by combination the claimed invention of the present invention at or before the time it was filed.  The prior art of record is silent on the execution of  a second executable image when the second marker from memory has been authenticated after the first executable image has been executed, indicating that the second executable image is dependent of the first executable image, as it is claimed in the emphasized limitations as follows; " in response to the secure boot-up operation, reading a first marker from a storage device of a sensor unit of the autonomous driving vehicle (ADV), the storage device including a plurality of partitions, each of the partitions storing an executable image of firmware, wherein the first marker includes a first unique identifier and a first authentication code, wherein the first unique identifier has a first unique pattern associated with a corresponding partition, wherein the first authentication code includes a cyclic redundancy code; determining whether the first marker is valid by using the first authentication code to determine if the first unique identifier has been corrupted, wherein the first marker is associated with a first of the partitions having a first executable image stored therein; and executing the first executable image retrieved from the first partition in response to determining that the first marker is valid, wherein the first executable image, when executed, is configured to process sensor data obtained from one or more sensors mounted on the ADV utilized to perceive a driving environment surrounding the ADV during autonomous driving; and examining a second marker to determine whether the second marker has been authenticated, wherein the second marker is examined and the second executable image is executed in response to a successful execution of the first executable image.", in combination with all other claim limitations, as it has been recited in independent claims 1, 9 and 17.  
All other dependent claims are allowable as they depend on an allowable independent claim.
	Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance”.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.  See form PTO-892 Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LIZBETH TORRES-DIAZ whose telephone number is (571)272-1787.  The examiner can normally be reached on 9:00a-4:30p.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr, can be reached on (571)272-3739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/LIZBETH TORRES-DIAZ/Examiner, Art Unit 2495                                                                                                                                                                                                        
/6 November 2021/
/ltd/