DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

The present office action is responsive to communications received on 2/26/2020. Claims 1-20 are pending.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 2/27/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Objections
Claims 1, 9, 12 and 20 are objected to because of the following informalities: 
Claims 1, 12 and 20 recite “outside the control of a TEE instance owner”. Here “the control” needs to be changed to avoid a possible antecedent issue.
Claim 9 recites “wherein at least one of application TEE instance and the escrow TEE instance is an encrypted virtual machine”, which should be “wherein at least one of the application TEE instance and the escrow TEE instance is an encrypted virtual machine”.
Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because claim 1 recites “A system comprising: an application trusted execution environment (“TEE”) instance; an escrow TEE instance that is hosted alongside the application TEE instance and outside the control of a TEE instance owner; and a server…”, which is considered software per se. Under broadest reasonable interpretation, TEE is considered software because “trusted execution environments, such as trusted virtual machine may be used to emulate all or a portion of a computer system” (¶1 of specification). Paragraph 25 of the specification only provides examples of components of a server, which are not claimed and also not defined as hardware only. Applicant can amend the claim to specify server being hardware by reciting server device, server machine, or server computer. Otherwise applicant can recite server comprising memory in the claim, which is considered hardware in security art. The dependent claims inherit the deficiencies of the claim upon which they ultimately depend and are rejected as well.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-8, 10-14, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1).

Regarding claim 1, Moore in one example ([0006] a second example approach) teaches a system comprising:
an application trusted execution environment (“TEE”) instance; ([0006] first TEE)
an escrow TEE instance that is hosted alongside the application TEE instance and outside the control of a TEE instance owner; and ([0006] second TEE, which is hosted by a distributed computing system that hosts the first TEE.) As shown in FIG. 2, Trusted Execution Environment (TEE) 206 is outside the control of a TEE instance owner (client device 202).
a server configured to: (FIG. 2: platform 204/operating system 208)
receive a request to start the application TEE instance, and ([0049] In activity 212, client device 202 generates a request for a TEE. For example, client device 202 may be owned or controlled by a customer of a cloud service. Client device 202 may generate the request based on instructions that are 
launch the escrow TEE instance, ([0050] In activity 214, operating system 208, which runs on platform 204, launches the TEE from a template. The template is executable code. For instance, the template may be a piece of executable code that has not been customized with regard to a client device or customer associated therewith. The template represents a known starting point for customizing the TEE.) wherein the escrow TEE instance is validated by the TEE instance owner, ([0065, 0057] Any one or more of activities 216, 218, 220, 222, 224, and/or 226 may be used to establish a chain of trust from TEE 206 to platform 204. In activity 226, TEE 206 forwards the signed, updated report to client device 202.) Here the validation of escrow TEE instance (TEE 206) by the TEE instance owner (client device 202) is achieved through signed/updated report establishing chain of trust.
wherein the escrow TEE instance is configured to:
obtain a key for the application TEE instance, ([0065] Any one or more of activities 228, 230, 232, 234, and/or 236 may be used to provision TEE 206 with information for purposes of customizing TEE 206 with the information. For example, any of activities 228, 230, and/or 232 may be used to provision TEE 206 with rules. In another example, any of activities 234 and/or 236 may be used to provision TEE 206 with secret information.) Here Moore discloses secret information being keys (¶61).

Moore in one example teaches to obtain a key for the application TEE instance, but does not explicitly teach to validate the application TEE instance, and provide the key to the application TEE instance. This aspect of the claim is identified as a difference.
However, Moore in another example ([0007] a third example approach) explicitly teaches
validate the application TEE instance, and provide the key to the application TEE instance. ([0007] a first trusted execution environment obtains a secret key from a second trusted execution environment (e.g., in response to measurements of the first trusted execution environment that are provided to the second trusted execution environment by the first trusted execution environment being verified by the second trusted execution environment).) Here Moore in another example discloses the first trusted execution environment (analogous to claim limitation “application TEE instance”) being validated through measurements of the first trusted execution environment, and recites details “First TEE 1016A may also provide the measurement information 1066 to second TEE 1016B via message passing facility 1044. In further accordance with this implementation, first TEE 1016A receives a responder quote 1056 from second TEE 1016B in response to the originator quote 1054. For instance, first TEE 1016A may receive the responder quote 1056 in response to second TEE 1016B verifying the measurement information 1066. The responder quote 1056 includes the secret key 1064” in ¶134.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “second example approach” of Moore in one example, and the “third example approach” of Moore in another example. One of ordinary skill in the art would have been motivated to perform such a modification to increase security of a distributed computing system by verifying TEE measurement information before providing the secret key. Accordingly, TEE may provide end-to-end security by enforcing protected execution of authenticated code, confidentiality, authenticity, privacy, system integrity, and data access rights (Moore [0134, 0030]).
Further in [0301] of “CONCLUSION” section, Moore explicitly teaches that “Although the subject matter has been described in language specific to structural features and/or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features 

Regarding claim 2, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to retrieve the key from the TEE instance owner. ([Moore in one example, 0061] In activity 234, TEE 206 provides a public portion of a secret import key (i.e., SIKpub) to client device 202, so that client device 202 may use the SIKpub to encrypt secret information (e.g., keys, data, and/or code) that is to be sent to TEE 206. The SIKpub corresponds to a private portion of the secret import key (i.e., SIKpri) that is usable by TEE 206 to decrypt the secret information. The secret information is capable of being decrypted only by TEE 206 because TEE 206 is the only entity in possession of the SIKpri.) Here TEE 206 (analogous to claim limitation “escrow TEE instance”) initiates retrieving the key from client device 202 (analogous to claim limitation “TEE instance owner”) by “providing SIKpub” (activity 234) to client device 202 first.

Regarding claim 3, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to receive the key from the TEE instance owner. ([Moore in one example, 0062] client device 202 provides the secret information, which is encrypted with the SIKpub, to TEE 206.) Here TEE 206 (analogous to claim limitation “escrow TEE instance”) receives the secret information/key from client device 202 (analogous to claim limitation “TEE instance owner”).

Regarding claim 6, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to take a measurement of the application TEE instance prior to validating the application TEE instance. ([Moore in another example, 0007] a first trusted execution environment obtains a secret key from a second trusted execution environment (e.g., in response to measurements of the first trusted execution environment that are provided to the second trusted execution environment by the first trusted execution environment being verified by the second trusted execution environment).) Here Moore in another example discloses the first trusted execution environment (analogous to claim limitation “application TEE instance”) being validated through measurements of the first trusted execution environment by second trusted execution environment (analogous to claim limitation “escrow TEE instance”).

Regarding claim 7, Moore in one example in view of another example teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the measurement identifies characteristics of the application TEE instance including at least one of a type of the TEE instance, version of the TEE instance, and description of software components loaded into the TEE instance. ([Moore in one example, 0054] In activity 220, platform 204 provides the report to TEE 206. The report includes measurements of TEE 206. The measurements include the identification information. For instance, the measurements may indicate unforgeable attributes of TEE 206 (e.g., an security version number, code type, and/or compilation date of TEE 206 and/or a key used to sign the measurements of TEE 206).) Here Moore in another example discloses measurements of the first trusted execution environment (analogous to claim limitation “application TEE instance”). Moore in one example discloses these measurements identifying attributes/characteristics of TEE, such as version and code type. Therefore the combination discloses the entire limitation.

Regarding claim 8, Moore in one example in view of another example teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the measurement further includes an integrity code to validate the measurement. ([Moore in one example, 0054-0055] It will be recognized that asymmetric and/or symmetric authentication techniques may be used to authenticate the measurements. For example, platform 204 may sign the measurements with a platform signing key (PSK) before providing the measurements to TEE 206. In another example, one or more symmetric key-based message authentication codes (MACs) may be used as proof-of-authenticity of a report. In activity 222, TEE 206 adds self-reported measurements to the report, resulting in an updated report. The self-reported measurements are measurements that TEE 206 gathers or generates about itself. For instance, the self-reported measurements may be a hash (e.g., having a fixed length value) of a structure that includes any of a variety of keys, policies, or other suitable information. In activity 222, TEE 206 may further request that platform 204 sign the updated report.) 
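The measure, validate, then release sequence mapped for claims 6-8 above can be sketched as follows; this is an added illustration and is not part of the Office action, the Moore reference, or the application. HMAC-SHA256 stands in for the integrity code, and the class and field names, the nonce challenge, and the policy values are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Measurement:
    tee_type: str            # "enclave" or "encrypted-vm"
    version: int             # security version number of the TEE
    components_sha256: str   # digest describing the software loaded into the TEE
    nonce: str               # challenge from the escrow TEE (assumption), blocks replay


def sign_report(m: Measurement, mac_key: bytes) -> dict:
    """Platform side: serialize the measurement and attach an HMAC-SHA256 integrity code."""
    body = json.dumps(asdict(m), sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(mac_key, body, hashlib.sha256).digest()}


class EscrowTEE:
    """Holds the owner's key and releases it only to a validated application TEE."""

    def __init__(self, mac_key: bytes, app_key: bytes, tee_type: str,
                 min_version: int, allowed_components: set):
        self._mac_key, self._app_key = mac_key, app_key
        self._tee_type, self._min_version = tee_type, min_version
        self._allowed = allowed_components
        self._pending = set()  # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return nonce

    def release_key(self, report: dict) -> bytes:
        # 1. Check the integrity code before parsing any field of the report.
        expected = hmac.new(self._mac_key, report["body"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report["mac"]):
            raise PermissionError("integrity code mismatch")
        m = Measurement(**json.loads(report["body"]))
        # 2. The report must answer a challenge issued here; each nonce is single-use.
        if m.nonce not in self._pending:
            raise PermissionError("stale or replayed report")
        self._pending.discard(m.nonce)
        # 3. Compare the measured characteristics with the owner's policy.
        if m.tee_type != self._tee_type:
            raise PermissionError("unexpected TEE type")
        if m.version < self._min_version:
            raise PermissionError("TEE version below minimum")
        if m.components_sha256 not in self._allowed:
            raise PermissionError("unknown software components")
        return self._app_key


def try_release(escrow: EscrowTEE, report: dict) -> str:
    """Return "released" or the refusal reason."""
    try:
        escrow.release_key(report)
        return "released"
    except PermissionError as exc:
        return str(exc)


if __name__ == "__main__":
    # All keys and digests below are constructed sample values.
    mac_key, app_key = secrets.token_bytes(32), secrets.token_bytes(32)
    good = hashlib.sha256(b"constructed application image").hexdigest()
    escrow = EscrowTEE(mac_key, app_key, "encrypted-vm", 3, {good})
    report = sign_report(Measurement("encrypted-vm", 3, good, escrow.challenge()), mac_key)
    print(try_release(escrow, report))  # first presentation of the report
    print(try_release(escrow, report))  # same report presented again
```
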

Regarding claim 10, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the application TEE instance is a virtual machine and the escrow TEE instance is an enclave. ([Moore in one example, 0051] In an example embodiment, the TEE is an enclave, and the platform is a central processing unit (CPU). In another embodiment, a blind hypervisor is used, in which case the virtual machine is the TEE.) It would have been obvious to one of ordinary skill in the art that first TEE/second TEE (¶6, analogous to claim limitation “application TEE instance/escrow TEE instance”) can be virtual machine/enclave.

Regarding claim 11, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the application TEE instance is an enclave and the escrow TEE instance is a virtual machine. ([Moore in one example, 0051] In an example embodiment, the TEE is an enclave, and the platform is a central processing unit (CPU). In another embodiment, a blind hypervisor is used, in which case the virtual machine is the TEE.) It would have been obvious to one of ordinary skill in the art that first TEE/second TEE (¶6, analogous to claim limitation “application TEE instance/escrow TEE instance”) can be enclave/virtual machine.

Regarding claims 12-14, 17-18 and 20, the scope of the claims is similar to that of claims 1-3 and 6-7, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 4-5 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1) in view of Ko (US 20080307020 A1).

Regarding claim 4, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the key is provided on a disk image of the escrow TEE instance. This aspect of the claim is identified as a difference.
However, Ko in an analogous art explicitly teaches 
wherein the key is provided on a disk image of the escrow TEE instance. ([0010] The system includes a first device including an encrypted disk image, the encrypted disk image including data encrypted using a first encryption key, and a header including the first encryption key, the first encryption key being encrypted using one or more second encryption keys, each protected with a password. [0056-0058] FIG. 3B shows detail of the structure of the encrypted disk images 310. The encrypted disk images 310 include an example source encrypted disk image 306. The source encrypted disk image 306 includes data 312 that is encrypted using a particular encryption key. The source encrypted disk image 306 also includes one or more key encryptions 316 of the key used to encrypt the encrypted data 312. The key encryptions 316 can be stored, for example, in a header associated with the encrypted data 312. For example, the key encryptions 316 can include an encryption of the key that is associated with a system password and another encryption of the key that is associated with a user password.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted execution environment” concept of Moore, and the “encrypted disk image with a first key” approach of Ko. One of ordinary skill in the art would have been motivated to perform such a modification for an efficient mechanism to provide the key by embedding the key in the disk image, while still maintaining security through the encrypted disk image as well as password protection of the key itself (Ko [0010]).

Regarding claim 5, Moore in view of Ko teaches all the features with respect to claim 4, as outlined above. The combination further teaches wherein the disk image is encrypted with the key. ([Ko 0005, 0010] The encrypted disk image being encrypted with a first key. The system includes a first device including an encrypted disk image, the encrypted disk image including data encrypted using a first encryption key, and a header including the first encryption key, the first encryption key being 

Regarding claims 15-16, the scope of the claims is similar to that of claims 4-5, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1) in view of Wei (US 20200167503 A1).

Regarding claim 9, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein at least one of application TEE instance and the escrow TEE instance is an encrypted virtual machine. This aspect of the claim is identified as a difference.
However, Wei in an analogous art explicitly teaches 
wherein at least one of application TEE instance and the escrow TEE instance is an encrypted virtual machine. ([0123] taking the trusted execution environment being Intel SGX as an example, SGX provides an enclave, that is, an encrypted trusted execution area in the memory, in which data is protected by the CPU from theft. Taking the node device using a CPU that supports SGX as an example, the CPU can use the newly added processor instructions to allocate a part of the area EPC (Enclave Page Cache) in the memory, in which the data is encrypted by an encryption engine MEE (Memory Encryption Engine).) Here reference Moore in one example (¶51) discloses that the TEE is an enclave or virtual machine. Reference Wei discloses trusted execution area being encrypted. Therefore the combination discloses the entire limitation.
(Wei [0122]).

Regarding claim 19, the scope of the claim is similar to that of claim 9, respectively. Accordingly, the claim is rejected using a similar rationale.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20210266148 A1, "Split security for trusted execution environments", by Tsirkin, teaches that a system includes a memory, an application TEE instance, an escrow TEE instance, and a server. The server is configured to receive a request to start the application TEE instance and launch the escrow TEE instance provisioned with a secret. The secret is initially accessible from a first location until the escrow TEE instance is provisioned and accessibility to the secret in the first location is restricted after provisioning the escrow TEE instance with the secret. The escrow TEE instance is configured to obtain a cryptographic measurement associated with the application TEE instance, validate the application TEE instance, and provide the secret from a second location to the application TEE instance.
US 20210303734 A1, "Elastic launch for trusted execution environments", by Tsirkin, teaches that a system includes a memory, a processor in communication with the memory, and a first TEE instance. The first TEE instance is configured to maintain an encrypted secret, obtain a cryptographic measurement associated with a second TEE instance, validate the cryptographic measurement, and provision the second TEE instance with the encrypted secret. Additionally, the first TEE instance and the second TEE instance are both configured to service at least a first type of request.
US 20210409199 A1, "Secure reliable trusted execution environments", by Tsirkin, teaches that a system includes an application TEE and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application TEE. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application TEE instance. Additionally, the system includes a third cloud service of a second alternate cloud provider, which is configured to launch a second attestation service instance and to provide the secret to the application TEE instance when the second cloud service is unavailable.
US 20200257814 A1, "Disk encryption", by El-Moussa, teaches a security VM for the instantiation of an encrypted disk image.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638. The examiner can normally be reached on Monday to Friday, 9:00-5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/HAN YANG/Examiner, Art Unit 2493