DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Amendment
Applicant’s amendment filed 20 December 2021 amends claims 17, 18, 21, 22, 24, 26, and 30-33. Claim 34 has been added. Applicant’s amendment has been fully considered and entered.
Response to Arguments
Applicant argues, “Independent claim 17 is amended to recite ‘load and run a secure program into a secure memory, wherein the secure program comprises an image of a secure operating system, the image of the secure operating system is divided into at least one system image resident segment and at least one system image dynamic loading segment based on whether code segments or data segments of the image of the secure operating system correspond to required functions of non-required functions when the secure operating system runs, and the at least one system image resident segment resides in the secure memory when the processor runs the secure operating system.’ These features are not disclosed in Hashimoto.” This argument has been fully considered and is persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground of rejection is made in view of Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 17-19, 26-29 are rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429. Referring to claim 17, Hashimoto discloses a memory management system wherein a boot image is divided into partial boot images ([0085] & [0161]: Examiner notes that the claimed content of the secure program, i.e., system image resident segment and system image dynamic loading segment, are not functionally utilized in the claims outside of being divided. Therefore, the names of the secure program content are not given patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of divide the at least one system image dynamic loading segment into a plurality of pages, wherein each of the plurality of pages comprises content of the corresponding system image dynamic loading segment. Signatures are generated for each partial boot image.
Hashimoto does not disclose that the boot image is divided into partial boot images based on data/code from the boot image being prioritized in some manner. Kudo discloses that a boot image is divided into parts based on a priority level of the data in the boot image ([0043]: assigns a priority level to each of the parts into which the boot image was divided…set the priority level of a part, based on information about the contents of the part…the type of function…the type of data…), which meets the limitation of the image of the secure operating system is divided into at least one system image resident segment and at least one system image dynamic loading segment based on whether code segments or data segments of the image of the secure operating system corresponding to required functions or non-required functions when the secure operating system runs. Examiner notes that the limitations that specify “required” and “non-required” functions represent non-functional descriptive material that is not given patentable weight because the limitations do not define structure nor do the limitations require positive steps to be performed. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the boot images of Hashimoto to have been divided using the priority level model of Kudo in order to provide faster boot image verification while preserving security as suggested by Kudo ([0009]-[0011] & [0043]).
Referring to claim 18, Hashimoto discloses that a cipher based MAC is calculated for each page ([0252]-[0253]), which meets the limitation of wherein performing security processing on each of the plurality of pages comprises performing encryption, and generating a message authentication code (MAC). The CMAC calculation utilizes a key Ek that is generated based on a secret key k ([0250] & [0252]: Ek generated from secret key k will have the ability to be different) for pages at addresses ([0253]) that correspond with a translatable virtual address ([0218]), which meets the limitation of wherein a respective encryption key for each of the plurality of pages is associated with a respective virtual address of a respective page of the plurality of pages, and encryption keys for different pages of the plurality of pages are different. 
Referring to claim 19, Hashimoto discloses that the CMAC calculation can be performed on a plurality of pages beginning at an address ([0253]-[0254]: CMAC calculation includes encryption), which meets the limitation of encrypting a plurality of MACs for the plurality of pages as a whole.
Referring to claim 26, Hashimoto discloses a memory management system wherein a boot image is divided into partial boot images ([0085] & [0161]: Examiner notes that the claimed content of the secure program, i.e., application program resident segment and application program dynamic loading segment, are not functionally utilized in the claims outside of being divided. Therefore, the names of the secure program content are not given patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of divide the application program dynamic loading segment into a second plurality of pages, wherein each of the second plurality of pages comprises content of the application program dynamic loading segment. Signatures are generated for each partial boot image ([0088]), which meets the limitation of perform the security processing on each of the second plurality of pages to obtain a second plurality of security-processed pages. Signature information is included in the headers of the boot image ([0457]) such that the boot images, along with the signature information in the header, are stored in an external memory ([0483] & [0493]), which meets the limitation of migrate each of the second plurality of security-processed pages to an external storage.
Referring to claim 27, Hashimoto discloses a memory management system wherein a boot image is divided into partial boot images ([0085] & [0161]: Examiner notes that the claimed content of the secure program, i.e., secure application program, is not functionally utilized in the claims outside of being divided. Therefore, the names of the secure program content are not given patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of divide the secure application program into a third plurality of pages, wherein each of the third plurality of pages comprises content of the secure application program. Signatures are generated for each partial boot image ([0088]), which meets the limitation of perform the security processing on each of the third plurality of pages to obtain a third plurality of security-processed pages. Signature information is included in the headers of the boot image ([0457]) such that the boot images, along with the signature information in the header, are stored in an external memory ([0483] & [0493]), which meets the limitation of migrate each of the third plurality of security-processed pages to the external storage.
Referring to claim 28, Hashimoto discloses that the device is implemented using a semiconductor chip ([0121] & [0237]) that includes a processor (Figure 2, 502) and external storage (Figure 2, 7), which meets the limitation of the device is comprised in a semiconductor chip, and the semiconductor chip further comprises a central processing unit coupled to the device and the external storage. 
Referring to claim 29, Hashimoto discloses an information processing device implemented using a semiconductor chip ([0121] & [0237] & Figure 2, 500), which meets the limitation of wherein the device is comprised in a terminal device. The information processing device is connected to an external memory (Figure 2, 7) using an external bus ([0106]), which meets the limitation of the terminal device further comprises the external storage, wherein the device and the external storage are disposed in different semiconductor chips.
Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, and further in view of Buer, U.S. Publication No. 2016/0026783. Referring to claim 20, Hashimoto discloses that the CMAC calculation utilizes a key Ek that is generated based on a secret key k ([0250] & [0252]). Hashimoto, as modified in view of Kudo, does not disclose that the keys utilized for the CMAC calculation are stored in a one-time programmable chip. Buer discloses the utilization of one-time programmable memory devices to store secret keys that are utilized to generate MACs ([0042]: key would read on the claimed count value. Examiner notes that the claimed count value is not functionally utilized and therefore the name of the value does not receive patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of a one-time programmable chip, wherein a respective MAC for each of the plurality of pages is associated with a count value of the OTP chip. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the keys of Hashimoto to have been stored in a one-time programmable memory device in order to protect against or detect the occurrence of a replay attack as suggested by Buer ([0039]).
Claim 22 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, and further in view of B, U.S. Publication No. 2017/0160981. Referring to claim 22, Hashimoto, as modified in view of Kudo, does not disclose how the pages are stored with respect to page frames. B discloses that pages can be compressed such that multiple pages can be stored in a single frame and pages can be decompressed such that only a single page can be stored in a single frame ([0021]: when decompressed the number of pages stored in the frame would be 1, which would be less than the total number of pages in a plurality of pages), which meets the limitation of configure at least one page frame in the secure memory, wherein each of the at least one page frame stores at least one page of the plurality of pages, and a quantity of pages comprised in the at least one page frame is less than a quantity of pages comprised in the plurality of pages. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the pages of Hashimoto to have been stored in page frames in the manner described in B in order to provide increased effectiveness with respect to the processor’s use of system storage as suggested by B ([0021]).
Claim 23 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, in view of B, U.S. Publication No. 2017/0160981, and further in view of Hildesheim, U.S. Publication No. 2018/0060250. Referring to claim 23, Hashimoto, as modified in view of Kudo and B, does not specify allowing read and write access to page frames when the processor is in privileged mode. Hildesheim discloses access permission flags to allow read/write access to memory frames when under the supervisor mode ([0107]), which meets the limitation of configure the at least one page frame to allow read and write when the processor is in a privileged mode. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the page frames of the modified Hashimoto to have specified read/write access when the processor is in a privileged mode in order to ensure that applications that do not require access to the specific frames are not granted access to those frames as suggested by Hildesheim ([0021]).
Claims 24, 25 are rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, in view of B, U.S. Publication No. 2017/0160981, and further in view of Takemori, U.S. Publication No. 2019/0222423. Referring to claims 24, 25, Hashimoto discloses the ability to verify the CMAC values for the pages ([0252]-[0262]) as the pages of the boot image are read into the memory management device in order to execute the operating system ([0085]-[0092]), which meets the limitation of when running the secure operating system, load at least one security-processed page to the secure memory, and perform security verification on the at least one page, wherein the performing security verification on the at least one page [is an inverse operation of performing security processing on each of the plurality of pages].
Hashimoto does not explain how the CMAC values are validated. Takemori discloses the verification of CMAC values by decrypting the CMAC values and verifying the decrypted data ([0075]-[0077]), which meets the limitation of wherein performing security verification on the at least one page is an inverse operation of performing security processing on each of the plurality of pages, when the security processing on each of the plurality of pages comprises encryption and message authentication (MAC) generation, performing security verification on the at least one page comprises decryption and MAC verification. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for CMAC values of Hashimoto to have been validated in the manner described in Takemori in order to enable the comparison of the codes as suggested by Takemori ([0077]).
Claims 30, 31 are rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, and further in view of Varadhan, U.S. Publication No. 2017/0230185. Referring to claim 30, Hashimoto discloses a memory management system wherein a boot image is divided into partial boot images ([0085] & [0161]: Examiner notes that the claimed content of the secure program, i.e., system image resident segment and system image dynamic loading segment, are not functionally utilized in the claims outside of being divided. Therefore, the names of the secure program content are not given patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of divide an image of a secure operating system into a system image resident segment and a system image dynamic loading segment. Signatures are generated for each partial boot image ([0088]: Examiner notes that the claims only require a single signature for the claimed system image dynamic loading segment despite the fact that the claims reference that signature as a “second” signature), which meets the limitation of generate a first signature for the at least one system image resident segment, generate a second signature for the at least one system image dynamic loading segment. The boot image is an operating system boot image that is executed by the device ([0085] & [0108] & [0158]: claim does not define the structure or functionality of the claimed secure element. Therefore, any element of the device that runs the OS, such as the processor core 505 would read on the claimed secure element), which meets the limitation of wherein the secure operating system is an operating system run by a secure element disposed in a terminal device. 
The system includes a processor (Figure 2, 501) and a secure memory ([0237]-[0238]), which meets the limitation of a processor and a secure memory configured to provide a storage space for running of the processor.
Hashimoto does not disclose that the boot image is divided into partial boot images based on data/code from the boot image being prioritized in some manner. Kudo discloses that a boot image is divided into parts based on a priority level of the data in the boot image ([0043]: assigns a priority level to each of the parts into which the boot image was divided…set the priority level of a part, based on information about the contents of the part…the type of function…the type of data…), which meets the limitation of the divide an image of the secure operating system into at least one system image resident segment and at least one system image dynamic loading segment based on whether code segments or data segments of the image of the secure operating system corresponding to required functions or non-required functions when the secure operating system runs. Examiner notes that the limitations that specify “required” and “non-required” functions represent non-functional descriptive material that is not given patentable weight because the limitations do not define structure nor do the limitations require positive steps to be performed. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the boot images of Hashimoto to have been divided using the priority level model of Kudo in order to provide faster boot image verification while preserving security as suggested by Kudo ([0009]-[0011] & [0043]).
Hashimoto, as modified in view of Kudo, does not disclose generating a second signature for the partial boot images that includes digitally signing the partial boot images again, and the first signature. Varadhan discloses software images that have been digitally signed (Figure 7, 707 & [0041]) such that a second digital signature is generated for the image that is generated using the image object and the first signature (Figure 7, 775 & [0043]: signature 775 is created from object 705 that includes the first signature 707), which meets the limitation of generate a second signature for a group comprising the at least one system image resident segment, the first signature. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the memory management system of Hashimoto to have digitally signed the partial boot images a second time in the manner described in Hashimoto in order to improve the confidence in installed software by requiring software to be validated twice prior to the installation of software as suggested by Varadhan ([0017]).
Referring to claim 31, Hashimoto discloses that the signature information is included in the headers of the boot image ([0457]) such that the boot images, along with the signature information in the header, are stored in an external memory ([0483] & [0493]), which meets the limitation of wherein the processor is further configured to control the device to send the at least one system image resident segment, the first signature, the at least one system image dynamic segment, and the [second] signature to the terminal device.
Hashimoto does not disclose generating a second signature for the partial boot images that includes digitally signing the partial boot images again, and the first signature. Varadhan discloses software images that have been digitally signed (Figure 7, 707 & [0041]) such that a second digital signature is generated for the image that is generated using the image object and the first signature (Figure 7, 775 & [0043]: signature 775 is created from object 705 that includes the first signature 707), which meets the limitation of the second signature. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the memory management system of Hashimoto to have digitally signed the partial boot images a second time in the manner described in Hashimoto in order to improve the confidence in installed software by requiring software to be validated twice prior to the installation of software as suggested by Varadhan ([0017]).
Claim 32 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, and further in view of Chen, U.S. Patent No. 6,453,413. Referring to claim 32, Hashimoto discloses a memory management system wherein a boot image can be received from an external device ([0473]), which meets the limitation of receiving, by a terminal device, a secure program [from a server]. The boot image is divided into partial boot images ([0085] & [0161]: Examiner notes that the claimed content of the secure program, i.e., system image resident segment and system image dynamic loading segment, are not functionally utilized in the claims outside of being divided. Therefore, the names of the secure program content are not given patentable weight. See MPEP 2111.04-2111.05), which meets the limitation of dividing, by the terminal device, the at least one system image dynamic loading segment into a plurality of pages, wherein each of the plurality of pages comprises content of the corresponding system image dynamic loading segment. Signatures are generated for each partial boot image ([0088]), which meets the limitation of performing, by the terminal device, security processing on each of the plurality of pages to generate a plurality of security-processed pages. Signature information is included in the headers of the boot image ([0457]) such that the boot images, along with the signature information in the header, are stored in an external memory ([0483] & [0493]), which meets the limitation of migrating, by the terminal device, each of the plurality of security-processed pages to an external storage for the secure element. The system includes a processor (Figure 2, 501) and a secure memory ([0237]-[0238]), which meets the limitation of wherein the terminal device comprises a secure element, the secure element comprises a processor and a secure memory.
The device is implemented using a semiconductor chip ([0121] & [0237]) that includes a processor (Figure 2, 502) and secure memory ([0237]-[0238]), which meets the limitation of the processor and the secure memory are integrated into a semiconductor chip. The secure memory includes storage for a verification program ([0237]-[0238]) and the partial boot images ([0493]), which meets the limitation of the secure memory is configured to provide a storage space for the processor to load and run a secure program, the secure program comprises an image of a secure operating system, wherein the at least one system image resident segment resides in the secure memory when the processor runs the secure operating system.
Hashimoto does not disclose that the boot image is divided into partial boot images based on data/code from the boot image being prioritized in some manner. Kudo discloses that a boot image is divided into parts based on a priority level of the data in the boot image ([0043]: assigns a priority level to each of the parts into which the boot image was divided…set the priority level of a part, based on information about the contents of the part…the type of function…the type of data…), which meets the limitation of the image of the secure operating system is divided into at least one system image resident segment and at least one system image dynamic loading segment based on whether code segments or data segments of the image of the secure operating system corresponding to required functions or non-required functions when the secure operating system runs. Examiner notes that the limitations that specify “required” and “non-required” functions represent non-functional descriptive material that is not given patentable weight because the limitations do not define structure nor do the limitations require positive steps to be performed. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the boot images of Hashimoto to have been divided using the priority level model of Kudo in order to provide faster boot image verification while preserving security as suggested by Kudo ([0009]-[0011] & [0043]).
Hashimoto, as modified by Kudo, does not specify that the external device is a server. Chen discloses the transmission of OS image files from a server to a workstation (Col. 2, lines 53-67), which meets the limitation of receiving, by a terminal device, a secure program from a server. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the OS image to have been received from a server in order to provide different combinations of operating systems as suggested by Chen (Col. 1, lines 44-57).
Claim 33 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, in view of Chen, U.S. Patent No. 6,453,413, and further in view of Takemori, U.S. Publication No. 2019/0222423. Referring to claim 33, Hashimoto discloses the ability to verify the CMAC values for the pages ([0252]-[0262]) as the pages of the boot image are read into the memory management device in order to execute the operating system ([0085]-[0092]), which meets the limitation of when running the secure operating system, loading, by the terminal device, at least one page of the plurality of security-processed pages to the secure memory, and performing security verification on the at least one page, wherein the performing security verification on the at least one page [is an inverse operation of performing security processing on each of the plurality of pages].
Hashimoto does not explain how the CMAC values are validated. Takemori discloses the verification of CMAC values by decrypting the CMAC values and verifying the decrypted data ([0075]-[0077]), which meets the limitation of wherein performing security verification on the at least one page is an inverse operation of performing security processing on each of the plurality of pages, when the security processing on each of the plurality of pages comprises encryption and message authentication (MAC) generation, performing security verification on the at least one page comprises decryption and MAC verification. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for CMAC values of Hashimoto to have been validated in the manner described in Takemori in order to enable the comparison of the codes as suggested by Takemori ([0077]).
Claim 34 is rejected under 35 U.S.C. 103 as being unpatentable over Hashimoto, U.S. Publication No. 2015/0370726, in view of Kudo, U.S. Publication No. 2006/0026429, in view of Chen, U.S. Patent No. 6,453,413, and further in view of Gasser, U.S. Patent No. 8,037,243. Referring to claim 34, Hashimoto, as modified by Kudo and Chen, does not specify that the boot image is deleted from memory once utilized to boot the OS.
Gasser discloses that once the boot image is used in a boot processing, the boot image is erased from memory (Col. 6, line 24 - Col. 7, line 7: boot image residing in memory to perform boot procedure and subsequently being erased reads on the claimed image segments residing in memory only when a corresponding function is used), which meets the limitation of wherein at least one system image dynamic loading segment resides in the secure memory only when a corresponding non-required function is used when the processor runs the secure operating system. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention for the boot images of Hashimoto to have been deleted from memory once utilized to boot the OS in order to preserve memory space for other data while preventing improper use of licensed software as suggested by Gasser (Col. 6, lines 64-67).
Allowable Subject Matter
Claim 21 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BENJAMIN E LANIER whose telephone number is (571)272-3805. The examiner can normally be reached M-Th: 6:20-4:50.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on 5712724063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/BENJAMIN E LANIER/Primary Examiner, Art Unit 2437