Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Response to Arguments
Applicant's arguments filed 10/20/21 have been fully considered but they are not persuasive. 
Applicant states: “… This cited portion of Zhu states that the INVVPID descriptor 130 may include “a linear address and VPID.” /d. (emphasis added). Applicant, by comparison, is claiming that the first generated key “defines an individual relationship between a first virtual machine and the first virtual processor identifier.” (Emphasis added). Respectfully, “a linear address” as disclosed by Zhu is not analogous to “a first virtual machine” as claimed.”
Examiner states: Examiner respectfully disagrees. The limitation, as written, recites “an individual relationship between a first virtual machine and the first virtual processor identifier”. The limitation does not seem to require a direct relationship between solely a VM and a virtual processor identifier. Therefore, because Zhu teaches a descriptor comprising a linear address of a VM mapped to a respective virtual processor identifier, Zhu sufficiently meets the limitation of a relationship (i.e. VM linear address of descriptor) between a VM and a virtual processor.  
Applicant states: As clarified by Applicant’s prior claim amendments, Applicant is not merely claiming correlation or association between addresses and virtual processor identifiers. Rather, Applicant is affirmatively claiming that the host hypervisor is “generating. .. a first generated key” that is subsequently stored. This first generated key “defines an individual relationship between a first virtual machine and the first virtual processor identifier.”  For example, “the host hypervisor will generate keys, defining associations between virtual machines including the nested virtual processors and respective virtual processor identifiers, and store these keys.”  Jd. In this way, “if invalidations of nested virtual processors are required, the host hypervisor only invalidates the mappings associated with the virtual processor identifiers for the correct nested virtual processors.” The claimed “individual relationship” is defined by the first generated key. Because Zhu fails to disclose, teach, or suggest that INVVPID descriptor 130 “defines an individual relationship between a first virtual machine and 
Examiner states: Examiner respectfully disagrees. In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., ") are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). Therefore, for the reasons cited above and provided via the rejection below, Examiner maintains rejection the combination teaches a hypervisor generator a key (i.e. descriptor as provided via the teachings of Zhu and Tkacik).

Claim Rejections - 35 USC §103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 10, 14, 18, 20 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu (Pub. No. US 2019/0155630) in view of Tkacik (Pub. No. US 2014/0006804).
Claim 1, Zhu teaches  “a method comprising: requesting, by a first nested hypervisor, a first virtual processor identifier, which identifies a first virtual processor ([0038] “Thus, when Level-1 VMM 118 running under the non-root mode changes the memory address mapping (e.g., the linear mapping or the combined mapping) for a Level-2 guest supported by the Level-1 VMM, the VMM 118 may need to issue the INVVPID instruction to request Level-0 VMM running under the root mode to invalidate the memory address mappings and flush the TLB 112 associated with the current context.” [0057] Level-0 VMM 302 assigns unique VPID values to Level-1 virtualization applications. Since the Level-2 virtualization applications are assigned by Level-1 VMMs 304, Level-1 VMMs 304 may assign VPIDs duplicating the existing VPIDs set by Level-0 VMM 302. Embodiments of the present disclosure provide solutions to avoid duplicating VPIDs. The solutions may provide mechanism for Level-1 VMMs 304 to notify Level-0 VMM 302 each time Level-1 VMMs 304 generates a VPID for its guest VMs 306, 308. Responsive to receiving the VPID generated by Level-1 VMMs 304, the Level-0 VMM 302 may compare the VPID with existing VPIDs known to the Level-0 VMM 302 to determine whether the newly generated VPID is a duplicate of an existing VPID.); responsive to requesting the first virtual processor identifier, triggering a first exit to a host hypervisor ([0027, 0028] Therefore, there are two kinds of VMX transitions: transitions into a VMX non -root operation (referred to as a VM entry event) from root operations, and transitions to VMX root operation (referred to as a VM exit event) from a VMX non -root operation. Thus, Level-1 VMM runs under the non-root mode, and the Level-0 VMM runs under the root mode. [0058] If Level-0 VMM 302 determines that the VPID newly generated by Level-1 VMM 304 is the same as an existing VPID generated by Level-0 VMM 302, Level-0 VMM 302 may re-assign a new unique VPID to replace the existing VPID without changing the VPID generated by Level-1 VMMs 304. To achieve this, prior to re-assigning the new VPID, Level-0 VMM 302 may execute an INVVPID instruction to invalidate all memory address mappings tagged with the duplicated VPID.); identifying, by the host hypervisor, a first request including the first virtual processor identifier ([0058] In one embodiment, Level-0 VMM 302 may be responsible for setting a VMWRITE bitmap. The bitmap may include a set of bits. Each bit of the bitmap is associated with a corresponding VPID field of a VMCS. The processor may provide a control circuit to identify an attempt to change the VPID and, based on the attempt, change the corresponding bit in the bitmap. Thus, an attempt by a processor to write to a VPID to the VPID triggers a VM exit. Level-0 VMM 302 may, using the bitmap, trap the VMWRITE attempt to access the VPID field in the VMCS by non-root VMM 304 and determine the value of the newly generated VPID. In another embodiment, whenever Level-1 VMMs 304 launches a Level-2 guest VM (or Level-2 VMMs) using a VMRESUME (or VMLAUNCH) instruction, a VM exit event is triggered. Before executing VMRESUME (or VMLAUNCH), Level-0 VMM 302 may check the VPIDs of Level-2 guest VMs and Level-2 VMMs to determine if there is duplicated VPIDs.)… wherein the first generated key defines an individual relationship between a first virtual machine and the first virtual processor identifier ([0044] INVVPID instruction 126 may include a memory operand and a register operand. The memory operand may reference a memory location that stores an INVVPID descriptor 130. INVVPID descriptor 130 is a data entry of defined size (e.g., 128 bit. FIG. 13 shows an INVVPID descriptor 130 according to an embodiment of the present disclosure. As shown in FIG. 13, INVVPID descriptor 130 may include a linear address and VPID, thus specifying which linear address associated with VM is to be invalidated.)”.
However, Zhu may not explicitly teach how the descriptor is generated by a hypervisor.
Tkacik teaches “generating, by the host hypervisor, a first generated key… storing, by the host hypervisor, the first generated key ([0053] A descriptor can be converted to a trusted descriptor by adding integrity protection which specifies that the descriptor will run only upon passing of an integrity check. Thus the descriptor can be run only for applications for which the descriptor is intended. Otherwise, the descriptor cannot be run. A trusted descriptor (i.e. descriptor as taught by Zhu) can be created by using an assignment key to add a digital signature to the descriptor so that when the descriptor is created, the creator (e.g., a control operating system or hypervisor) causes a signature to be generated and appended to the descriptor. The trusted descriptor thus includes a program to run and an attached signature so that before the trusted descriptor is run, an integrity check which compares the signatures is executed over the descriptor, thereby verifying the signature. If the signature is incorrect, the descriptor cannot execute. If the signature is correct, the descriptor will execute and may have access to protected resource or resources that a normal descriptor cannot access. If access to a resource is not useful, for example if a user running descriptors on a device does not intend to use a trusted descriptor and no reason exists for such usage, access is not available. However if such access to a resource is desirable, a special key such as an encryption key can be stored to enable access to the key and a trusted descriptor can be run to grant access. If an attempt is made to access the key using a normal descriptor, access will fail and be thus disallowed. The trusted descriptor can only be run if unmodified and only run exactly as the creator of the trusted descriptor intended. The trusted descriptor is a program that can run and grant elevated access privileges, but only by passing the integrity check or signature check.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Tkacik with the teachings of Zhu in order to provide a system that teaches generation of secure descriptors. The motivation for applying Tkacik teaching with Zhu teaching is to provide a system that allows for secure usage of descriptors for increased security. Zhu, Tkacik are analogous art directed towards processing virtual resources. Zhu, Tkacik teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Tkacik with the teachings of Zhu by known methods and gained expected results. 
Regarding claim 10, the combination teaches the claim, wherein Tkacik teaches “the method of claim 1, wherein the first key is stored in a data structure ([0053] A descriptor can be converted to a trusted descriptor by adding integrity protection which specifies that the descriptor will run only upon passing of an integrity check. Thus the descriptor can be run only for applications for which the descriptor is intended. Otherwise, the descriptor cannot be run. A trusted descriptor (i.e. descriptor as taught by Zhu) can be created by using an assignment key to add a digital signature to the descriptor so that when the descriptor is created, the creator (e.g., a control operating system or hypervisor) causes a signature to be generated and appended to the descriptor.)”.
Rational to claim 1 is applied here.
Claim 14, “a system comprising: a memory; one or more processors, in communication with the memory; a host hypervisor, configured to execute on the one or more processors; a first virtual machine, configured to execute on the one or more processors, the first virtual machine including: a first virtual processor, and a first nested hypervisor, wherein the first nested hypervisor: requests a first virtual processor identifier, which identifies the first virtual processor, and responsive to requesting the first virtual processor identifier, triggers a first exit to the host hypervisor; wherein the host hypervisor is configured to: identify a first request including the first virtual processor identifier; generate a first generated key wherein the first generated key defines an individual relationship between the first virtual machine and the first virtual processor identifier; and store the first generated key” is similar to claim 1 and therefore rejected with the same references and citations.
Claim 18, “the system of claim 14, wherein the first generated key is stored in a data structure” is similar to claim 10 and therefore rejected with the same references and citations.
Claim 20, “a computer-readable non-transitory storage medium comprising executable instructions that, when executed, are configured to cause a host hypervisor to: identify a request including a first virtual processor identifier, which identifies a first virtual processor; generate a first generated key wherein the first generated key defines an individual relationship between a first virtual machine and the first virtual processor identifier; and store the first generated key” is similar to claim 1 and therefore rejected with the same references and citations.
Claims 2, 3, 5, 15, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in further view of Tsirkin (US Pub. No. 2015/0347169).
Claim 2, “the method of claim 1, further comprising: requesting, by the first nested hypervisor, a second virtual processor identifier, which identifies a second virtual processor; responsive to requesting the second virtual processor identifier, triggering a second exit to the host hypervisor; identifying, by the host hypervisor, a second request including the second virtual processor identifier; generating, by the host hypervisor, a second generated key; and storing, by the host hypervisor, the second generated key” is rejected using the same references and citations of claim 1.
However, the combination may not explicitly teach multiple VPIDs per VM.
Zhu does teach a VM may have one or more virtual processors [0020] “The VMM presents a virtual machine with an abstraction of one or more virtual processors and other platform resources.”.
Tsirkin teaches “wherein the second generated key defines an individual relationship between the first virtual machine and the second virtual processor identifier ([0024] Hypervisor 125 can use virtual processor mapping table 127 to store cross reference information regarding which of the virtual processors 131-1 through 131-N of VM 130 are associated with shared device 190. Hypervisor 125 may store a unique identifier that is associated with each of the virtual processors 131-1 through 131-N, along with an identifier for the shared memory location of the associated shared device 190 for use by polling manager 128. Virtual processor mapping table 127 may be a memory location within hypervisor 125. Alternatively, virtual processor mapping table 127 may be written to a location in storage device 180.).”
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Tsirkin with the teachings of Zhu, Tkacik in order to provide a system that teaches multiple VPIDs per VM. The motivation for applying Tsirkin teaching with Zhu, Tkacik teaching is to provide a system that teaches multiple resource management in a ZVM environment. Zhu, Tkacik, Tsirkin are analogous art directed towards processing virtual resources. Zhu, Tkacik, Tsirkin teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Tsirkin with the teachings of Zhu, Tkacik by known methods and gained expected results. 
Claim 3, “the method of claim 2, further comprising: requesting, by a second nested hypervisor, a third virtual processor identifier, which identifies a third virtual processor; responsive to requesting the third virtual processor identifier, triggering a third exit to the host hypervisor; identifying, by the host hypervisor, a third request including the third virtual processor identifier; generating, by the host hypervisor, a third generated key  wherein the third generated key defines an individual relationship between a second virtual machine and the third virtual processor identifier; and storing, by the host hypervisor, the third generated key” is similar to claim 2 and therefore rejected using the same references and citations.
Claim 5,  “the method of claim 1, wherein the first request includes a plurality of virtual processor identifiers including the first virtual processor identifier and a second virtual processor identifier that respectively identify a plurality of virtual processors, including the first virtual processor and a second virtual processor, further comprising: generating, by the host hypervisor, second generated key  wherein the second generated key defines an individual relationship between the first virtual machine and the second virtual processor identifier; and storing, by the host hypervisor, the second generated key” is similar to claim 2 and therefore rejected using the same references and citations.
Claim 15, “The system of claim 14, wherein the host hypervisor is further configured to: responsive to the first nested hypervisor requesting a second virtual processor identifier, which identifies a second virtual processor, and triggering a second exit to the host hypervisor, identify, a second request including the second virtual processor identifier; generate a second generated key wherein the second generated key defines an individual relationship between the first virtual machine and the second virtual processor identifier; and store the second generated key” is similar to claim 2 and therefore rejected using the same references and citations.
Claim 16, the system of claim 15, further comprising: a second virtual machine, configured to execute on the one or more processors, the second virtual machine including: a third virtual processor, and a second nested hypervisor, wherein the second nested hypervisor: requests a third virtual processor identifier, which identifies the third virtual processor, and responsive to requesting the third virtual processor identifier, triggers a third exit to the host hypervisor; wherein the host hypervisor is configured to: identify a third request including the third virtual processor identifier; generate a third generated key, wherein the third generated key defines an individual relationship between the second virtual machine and the third virtual processor identifier; and store the third generated key” is similar to claim 2 and therefore rejected using the same references and citations.
Claims 4 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Tsirkin in further view of Day.
Claim 4, the combination may not explicitly teach the limitations of the claim.
Day teaches “the method of claim 2, wherein the first virtual processor identifier and the second virtual processor identifier are monotonically increasing virtual processor identifiers ([0026] The processor 102 stores an index variable 116, such as within a register of the processor 102. In one embodiment, the value of the index variable 116 can be incremented by any hypervisor 112, but just the root hypervisor 112A can decrement the value the value of the index variable 116.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Day with the teachings of Zhu, Tkacik, Tsirkin in order to provide a system that teaches increasing value of VPIDs. The motivation for applying Day teaching with Zhu, Tkacik, Tsirkin teaching is to provide a system that teaches unique identifiers. Zhu, Tkacik, Tsirkin, Day are analogous art directed towards processing virtual resources. Zhu, Tkacik, Tsirkin teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Day with the teachings of Zhu, Tkacik by known methods and gained expected results. 
Claims 8 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Day .
Claim 8, the combination may not explicitly teach the limitations of the claim.
Day teach the method of claim 1, wherein the first key is generated using an incrementing counter ([0026] The processor 102 stores an index variable 116, such as within a register of the processor 102. In one embodiment, the value of the index variable 116 can be incremented by any hypervisor 112, but just the root hypervisor 112A can decrement the value the value of the index variable 116. EN: Day teaches incrementing)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Day with the teachings of Zhu, Tkacik, in order to provide a system that teaches increasing value of VPIDs. The motivation for applying Day teaching with Zhu, Tkacik, teaching is to provide a system that teaches unique identifiers. Zhu, Tkacik, Day are analogous art directed towards processing virtual resources. Zhu, Tkacik, Day teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Day with the teachings of Zhu, Tkacik by known methods and gained expected results. 
Claims 9 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Scarlata.
Claim 9, the combination may not explicitly teach the limitations of the claim.
Scarlata, teaches “the method of claim 1, wherein the first key is an input to a hash function ([0022] The certificate may not identify the key and the key may not be derivable from the certificate, however, signatures produced by the key may be identified as originating from a particular one of the host platforms or virtual machines for which a certificate is maintained based on the corresponding certificate. In this manner, a host device (e.g., 110, 115, 120, 125) or virtual machine can authenticate to the provisioning system 130 and be provided (by the provisioning system 130) with an attestation key that is securely associated with the host device or virtual machine. These attestation keys can then be used by secure enclaves on the corresponding host device (e.g., 110, 115, 120, 125) or virtual machine to perform attestation for one or more applications or enclaves present on the host device.  EN: signature reads on hash)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Scarlata with the teachings of Zhu, Tkacik, in order to provide a system that teaches increasing utilizing hash function. The motivation for applying Scarlata teaching with Zhu, Tkacik, teaching is to provide a system that teaches improvement of security. Zhu, Tkacik, Scarlata are analogous art directed towards processing virtual resources. Zhu, Tkacik, Scarlata teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Scarlata with the teachings of Zhu, Tkacik by known methods and gained expected results. 
Claims 6, 11, 19 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Hattori.
Regarding claim 6, the combination may not explicitly teach the limitations.
Hattori teaches “the method of claim 1, wherein the first generated key defines an association between the first virtual processor identifier, which identifies the first virtual processor on the first nested hypervisor, and a second virtual processor identifier, which identifies a second virtual processor on the host hypervisor (ori, [0100] FIG. 8 is a configuration diagram illustrating a format of the virtual CPU management table 440 constituting the resource management table 410. The virtual CPU management table 440 includes, in order to hold the usage form of the each virtual CPU 60, virtual machine numbers 441, virtual CPU numbers 442, and physical CPU numbers 421.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Hattori with the teachings of Zhu, Tkacik, in order to provide a system that teaches increasing VPID management. The motivation for applying Hattori teaching with Zhu, Tkacik, teaching is to provide a system that teaches improvement of management features. Zhu, Tkacik, Hattori are analogous art directed towards processing virtual resources. Zhu, Tkacik, Hattori teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Hattori with the teachings of Zhu, Tkacik by known methods and gained expected results. 
Regarding claim 11, the combination teaches “the method of claim 1, wherein teaches the first key is stored in a 4KB VMXON region of a memory 4KB is a design choice and would have been obvious to a person having ordinary skill in the art that memory can be allocated in a particular size”.
However, the combination may not explicitly teach further details.  
Hattori teaches VMXON region of a memory (Hattori, [0027] FIG. 8 illustrates the first and second embodiment of this invention, and is a configuration diagram illustrating a format of the virtual CPU management table 440 constituting the resource management table 410. [0119] The transition between the VMX root mode and the VMX non-root mode of the VMX mode is carried out as described in "Intel 64 and IA-32 Architectures Software Developer's Manual VOL 3B". Thus, only a brief description is now given thereof. Upon the transition from the normal operation mode to the VMX mode, the VMM 20 issues the VMXON instruction, thereby switching the operation mode of the physical CPU 60 to the VMX mode. Then, the VMM 20 which has switched to the VMX mode issues the VM-entry instruction (VMLAUNCH instruction or VMRESUME instruction), thereby switching the VMX root mode to the VMX non-root mode. This transition from the VMX root mode to the VMX non-root mode is referred to as VM-entry. EN: instruction reads on VMXON region).
It would have been obvious to a person having ordinary skill in the art at the time the invention was effectively filed to have combined Hattori’s VMXON memory usage with combination  because doing so reduces overhead ([0013] Due to advent of various types of assistance features, significant overheads have been reduced, and the overhead (5) has become dominant as an overhead accompanying the virtual machine. Thus, in order to further reduce the overheads, the reduction of the overhead caused by the interrupt delivery is an object for the x86-compatible machines.).
Claim 19 ”the system of claim 14, wherein the first generated key is stored in a 4KB VMXON region of the memory” is rejected for the same reasons as claim 11.
Claims 7, 17 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Tsirkin in view of Hattori in further view of Nicholas.
Regarding claim 7, the combination teaches the claim, wherein Hattori teaches “the method of claim 6, further comprising: requesting, by the first nested hypervisor, to … the first virtual processor identifier; responsive to a second request to … the first virtual processor identifier, triggering a second exit to the host hypervisor; (Hattori, [0120] Conversely, the transition from the VMX non-root mode to the VMX root mode is referred to as VM-exit. Upon the VM-exit due to a predetermined reason such as an issue of a privileged instruction of the guest, the physical CPU 60 notifies the VMM 20 of the VM-exit) identifying, by the host hypervisor, the second request to … the first virtual processor identifier; identifying, by the host hypervisor using the first key, the second virtual processor identifier, which identifies the second virtual processor on the host hypervisor; and …, by the host hypervisor, mappings of the second virtual processor identifier (Day, [0027] For instance, the virtual machine data structures 114 may be organized as an array, where the index variable 116 serves to index the array. Setting the index variable 116 to a first value selects the virtual machine data structure 114A for the virtual machines 110A within the first nested virtualization level 108A. Similarly, setting the index variable 116 to a second value selects the virtual machine data structure 114B for the virtual machines 110B within the second nested virtualization level 108A, [0026] The value of the index variable 116 indicates which of the virtual machine data structures 114 is currently operative. That is, the current value of the index variable 116 indicates the current virtual machine data structure 114, and thus the current nested virtualization level 108 including the virtual machine 110 that is currently being run)”.
Rational to claim 6 is applied here.
However, the combination may not explicitly teach the remaining limitations.
Nicholas teaches invalidate the first virtual processor identifier, invalidating, by the host hypervisor, mappings of the second virtual processor identifier ([0033] CPU service provider 404, which is described in detail in subsequent paragraphs, can be configured to add or remove virtual processors from virtual machines [0062] In response to such a determination, CPU service provider 404 can remove a virtual processor by sending a signal that includes the virtual processor identifier for the virtual processor that is being removed to the CPU service consumer running within the virtual machine. The CPU service consumer can send a signal to the virtual processor, which can send a signal to the guest operating system scheduler indicating that it is removing itself from the idle loop of the scheduler. After the virtual processor exits from the loop, CPU service consumer can send a signal to CPU service provider 404 indicating the same and CPU service provider 404 can remove the virtual processor from the virtual machine.)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Nicholas with the teachings of Zhu, Tkacik, Tsirkin, Hattori in order to provide a system that teaches VPID management. The motivation for applying Nicholas teaching with Zhu, Tkacik, Tsirkin, Hattori teaching is to provide a system that teaches maintaining resources in a virtual environment. Zhu, Tkacik, Tsirkin, Hattori, Nicholas are analogous art directed towards processing virtual resources. Zhu, Tkacik, Tsirkin, Hattori, Nicholas teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Nicholas with the teachings of Zhu, Tkacik, Tsirkin, Hattori by known methods and gained expected results. 
Claim 17, “the system of claim 14, wherein the host hypervisor is further configured to: responsive to the first nested hypervisor requesting to invalidate the first virtual processor identifier and triggering a second exit to the host hypervisor, identify a second request to invalidate the first virtual processor identifier; identify, using the first generated key, a second virtual processor identifier, the second virtual processor identifier identifying a second virtual processor on the host hypervisor; and invalidate mappings of the second virtual processor identifier” is similar to claim 7 and therefore rejected using the same references and citations.
Claims 12 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Hattori in further view of Scarlata.
Regarding claim 12, the combination may not explicitly teach the limitation.
Scarlata teaches “the method of claim 11, wherein the VMXON region of the memory is marked as read-only memory ([0034] Further the migration enclave 150 may possess read and write privileges (e.g., access not afforded to other software or enclaves of the platform) to a particular page of secure (e.g., encrypted) memory 255 embodying a control structure (e.g., secure enclave control structure (SECS)) 260 in which the virtual machine root key may be stored)”.
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to apply the teachings of Scarlata with the teachings of Zhu, Tkacik, Hattori in order to provide a system that teaches VPID management. The motivation for applying Scarlata teaching with Zhu, Tkacik, Hattori teaching is to provide a system that teaches maintaining resources in a virtual environment. Zhu, Tkacik, Hattori, Scarlata are analogous art directed towards processing virtual resources. Zhu, Tkacik, Hattori, Scarlata teach every limitation of the claimed invention. Since the teachings were analogous art known at the filing time of invention, one of ordinary skill could have applied the teachings of Scarlata with the teachings of Zhu, Tkacik, Hattori by known methods and gained expected results.
Claims 13 is rejected under 35 U.S.C. 103 as being unpatentable over Zhu  in view of Tkacik in view of Hattori in view of Scarlatta in further view of Dave.
Claim 13, the combination teaches the claim, wherein “the method of claim 11, further comprising: requesting, by the first nested hypervisor, to… a first plurality of virtual processor identifiers; responsive to a second request to … the first plurality of virtual processor identifiers, triggering a second exit to the host hypervisor; (Hattori, [0120] Conversely, the transition from the VMX non-root mode to the VMX root mode is referred to as VM-exit. Upon the VM-exit due to a predetermined reason such as an issue of a privileged instruction of the guest, the physical CPU 60 notifies the VMM 20 of the VM-exit)  identifying, by the host hypervisor, the second request to… the first plurality of virtual processor identifiers; (Scarlata, [0034] A migration enclave 150 may possess functionality to generate and register root keys for virtual machines generated using a VMM 215 of the host platform 120. Further the migration enclave 150 may possess read and write privileges (e.g., access not afforded to other software or enclaves of the platform) to a particular page of secure (e.g., encrypted) memory 255 embodying a control structure (e.g., secure enclave control structure (SECS)) 260 in which the virtual machine root key may be stored. Indeed, multiple virtual machines may be instantiated on a single host system 120 and the migration engine 250 may generate and write root key secrets for each respective virtual machine in a respective secure control structure 260 corresponding to the VM. [0026] The value of the index variable 116 indicates which of the virtual machine data structures 114 is currently operative. That is, the current value of the index variable 116 indicates the current virtual machine data structure 114, and thus the current nested virtualization level 108 including the virtual machine 110 that is currently being run) (Day, [0026] The value of the index variable 116 indicates which of the virtual machine data structures 114 is currently operative. That is, the current value of the index variable 116 indicates the current virtual machine data structure 114, and thus the current nested virtualization level 108 including the virtual machine 110 that is currently being run) identifying, by the host hypervisor using a bitmap stored in the VMXON region, (Day [0033] The privileges bit mask 202 corresponds to the privileges of the nested virtual machines 110 within the nested virtualization level 108 to which the virtual machine data structure 200 corresponds.  EN: reads on bitmap) a second plurality of virtual processor identifiers, which identify a plurality of virtual processors on the host hypervisor; and (Day, [0024] Therefore, the root hypervisor 112A virtualizes the hardware of the computing system 100 for and manages the virtual machines 110A within the nested virtualization level 108A, as well as the virtual machines 110B within the nested virtualization level 108B and the virtual machines 110C within the nested virtualization level 10C. The first nested virtualization level hypervisor 112B virtualizes the hardware of the computing system 100 (as has already been virtualized by the root hypervisor 112A for the virtual machines 110A) and manages the virtual machines 110B within the nested virtualization level 108B.) invalidating, by the host hypervisor, mappings of the second plurality of virtual processor identifiers  (Hattori, [0183] In S1650, the VMM 20 clears all the assignment information of the virtual machine 30 to be deactivated in the virtual CPU management table 440, and proceeds to S1660. EN: VM 30 has more than one processor includes VM-1…VM-N).”
Rational to claim 12 is applied here.
Dave teaches invalidate the first plurality of virtual processor identifiers; (Dave [0125] Global resource group configuration functionality is beneficial for a variety of reasons. One reason is relieving users from specifying virtual machine properties multiple times. Another reason is making management of virtual machines easier by enabling users to perform operations certain operations (e.g., create, power on, power off, reboot, and delete) at the resource group level instead of having to do it for each virtual machine of a resource group.)”.
It would have been obvious to a person having ordinary skill in the art at the time the invention was effectively filed to have combined Dave’s group control with prior art combination virtualization because doing so improves configuration (Dave [0125] Global resource group configuration functionality is beneficial for a variety of reasons. One reason is relieving users from specifying virtual machine properties multiple times.).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WYNUEL S AQUINO whose telephone number is (571)272-7478. The examiner can normally be reached 9AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/WYNUEL S AQUINO/Primary Examiner, Art Unit 2199