Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This communication is in response to the amendment filed on 11/02/2021. The Examiner acknowledges amended claims 1, 3-14, 16-18 and 20. Claims 2, 15, and 19 have been canceled. No claims have been added.  Claims 1, 3-14, 16-18 and 20 are pending and claims 1, 3-14, 16-18 and 20 are rejected.  Claims 1, 14, and 18 is/are independent. 

Applicant's arguments/amendments have been fully considered, but are unpersuasive and/or moot in view of the new grounds of rejection. Note that this action is made FINAL. See MPEP § 706.07(a).
	
	
Response to Arguments
Applicant's arguments filed 11/02/2021 have been fully considered but are unpersuasive and/or moot in view of the new grounds of rejection.  Applicant argues (e.g., page 8 of Applicant’s arguments) that;  
Applicant's claim 1, as amended, recites: 

initiating, by an operating system (OS) executing on a computing device comprising a processor device, a software package verification process in a trusted execution environment (TEE), the OS being part of an OS environment comprising a file system; 
determining, by a package installer executing outside of the TEE on the computing device, that a first software package in a software repository is to be installed into the OS environment; 


Applicant's claim 1, as amended, clarifies certain of the communications and 
responsibilities of the components executing on the recited computing device. In particular, a TEE includes a software package verification process, and a package installer executing outside of the TEE determines that a software package is to be installed into the OS environment. In contrast, Smith discloses that all of the components of the software update 


	However, a new reference Krishnamurthy et al. U.S. Publication 20140130151 (hereinafter “Krishnamurthy”), discloses a NFCC 145 which is executing outside the trusted execution environment (para. 68 “manufactured on a different substrate”). NFCC 145 determines to install the software package in response to the request from application processor 120 (para. 71) and NFCC 145 downloads a software package onto the NFCC 145 (para. 40). NFCC 145 installs the software package in response to receiving trusted confirmation from the secure element environment (para. 86 and 87 which shows that the secure element environment confirms the version being downloaded is higher than the previous version). In addition, Smith '496 et al. U.S. Publication 20170357496 (hereinafter “Smith '496” or simply “Smith” in these Response to Arguments) discloses the processes executing inside trusted execution environment for verifying software packages (para. 37, 34, figure 2)

Applicant further argues (e.g., pages 8-9 of Applicant’s arguments) that 

Applicant's claim 1 further recites: 
sending, by the OS to the software package verification process, first location information that identifies a location of the first software package; 
receiving, from the software package verification process, information that indicates that the first software package on the storage device is trusted; 

The Patent Office concedes that Smith fails to teach or suggest these features but asserts that a combination of Hjelm and Igotti disclose these features, and that it would be obvious to modify the teachings of Smith with those of Hjelm and Igotti (Office Action, pages 5-
The Patent Office parses the referenced limitations into the following elements: 
1) Hjelm allegedly discloses: 
sending, by the OS to the 

receiving, from the 

2) Igotti allegedly discloses: 

package; 

Preliminarily, Applicant notes that evaluating discrete elements in isolation, as the Patent Office has done here, is in conflict with the Patent Office's own rules. As noted in MPEP 2103: 

USPTO personnel may not dissect a claimed invention into discrete elements and then evaluate the elements in isolation. Instead, the claim as a whole must be considered. See, e.g., Diamond v. Diehr, 450 U.S. 175, 188-89, 209 USPQ 1, 9 (1981) ("In determining the eligibility of respondents' claimed process for patent protection under § 101, their claims must be considered as a whole. It is inappropriate to dissect the claims into old and new elements and then to ignore the presence of the old elements in the analysis. This is particularly true in a process claim because a new combination of steps in a process may be patentable even though all the constituents of the combination were well known and in common use before the combination was made."). (Emphasis added). 
 
Examiner respectfully disagrees. The analysis of claim limitations in the office action follows the rubric of Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), which requires ascertaining the differences between the prior art and the claims at issue.  Thus, it is entirely appropriate to determine which claim elements a particular reference discloses or suggests.
The office action did not dissect the claim into old and new elements. Indeed, the office action did not allege that there were any new elements in the claims. Rather, the entire claim set recites old elements. Hjelm et al. U.S. Patent No. 9722775 (hereinafter “Hjelm”) and Igotti et al. U.S. Patent No. 9536088 (hereinafter “Igotti”) references are cited for the exemplary techniques that they taught which are well known in the art. These well-known techniques would have been 
 
Applicant further argues (e.g., page 10 of Applicant’s arguments) that 

Regarding the first discrete element, the Patent Office asserts that Hjelm discloses the following: 
sending, by the OS to the 

receiving, from the 

Applicant notes that the words the Patent Office is examining differ from Applicant's recited limitations by both omitting certain words such as "software package" and by adding different words such as "request to verify information." Thus, even if Hjelm discloses the Patent Office's newly created limitations, it is not clear to Applicant how this is relevant to Applicant's recited limitations. Hjelm contains no disclosure regarding verification of a software release. Hjelm discloses that an applet 720 executing in a TEE 130 can verify a signature with a private key (Hjelm, col. 9, lines 28-42). In contrast, Applicant's claim 1 recites that information is sent to a "software package verification process." There is no "software package verification process" disclosed in Hjelm (or, as discussed below, in Igotti). Moreover, Applicant's claim 1 recites that "information that indicates that the first software package on the storage device is trusted." There is no “first software package on the storage device" disclosed in Hjelm. 

Examiner respectfully disagrees. Smith discloses verification of a software release. Smith discloses executing inside the trusted execution environment, the software package verification process, which is the software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2. Krishnamurthy discloses receiving, from a secure element environment which can be a trusted execution environment, verification of a correct firmware version which has been downloaded and stored on the storage device, which is important to avoid rollback attacks (para. 40, 58, 86).
Hjelm is cited because the combination of Smith and Krishnamurthy does not describe in detail how a process executing outside of the trusted execution environment (e.g., NFCC 1450) as taught by Krishnamurthy may communicate with the Smith trust verification process executing inside the Smith trusted execution environment. 
Hjelm is cited for teaching a well-known exemplary technique for an operating system to send a request to verify information to a verification process executing in a trusted execution environment and receiving the verification result indicating successful verification.  Thus, it is well within the skill of one of ordinary skill in the art to modify the teachings of Smith as modified by Krishnamurthy with the well-known technique for requesting and receiving verification from a process executing within a trusted execution environment as taught by Hjelm. 


Applicant further argues (e.g., pages 10-11 of Applicant’s arguments) that 

Moreover, Applicant submits that the Patent Office has failed to make a prima facie case of obviousness because the Patent Office has failed to provide a reasoned explanation as to why a person having ordinary skill in the art (PHOSITA) would combine the teachings of Hjelm with those of Smith. In particular, on page 7 of the Office Action, the Patent Office asserts: 
One of ordinary skill in the art would have made this modification to 
improve the ability of the system to perform a verification function inside a trusted execution environment so that malicious processes 
executing in the operating system cannot tamper with the verification 
operation. The system (client computing device 104) of the Smith '496 
primary reference can be modified to send requests from the client 
environment 240, which may include an operating system (Para. [0041]) in execution, to release integrity module 248 to perform the verification 
operations. The release integrity module 248 is executing inside the 
trusted execution environment 256. 

Thus, the Patent Office argues it would be obvious to combine the teachings of Hjelm with those of Smith so that the system can "perform a verification function inside a trusted execution environment." However, Smith already discloses this feature. Smith discloses that the entire verification process occurs within the TEE 256 (Smith, Figure 2). There is no motivation to combine the teachings of one reference with another reference that already performs that function. See Ex parte Tessler, Appeal 2012-006616, Appl. No. 12/700,643; Decided: October 2, 2014). "Furthermore, we note that Kolk's system is already remotely controlled. See Kolk, Fig. 1. We thus find the Examiner's rejection insufficient to explain what in the prior art would have prompted a person having ordinary skill in the art to include Petite's remote system into Kolk's remote temperature regulating system." Similarly, in Ex parte Boger, Appeal No. 2017-001586 (PTAB August 29, 2017), the PTAB held "The articulated reason for modifying, as presented by the Examiner ("to minimize spring- back of the laminate from the tool"), was already achieved by the primary reference, according to the Board. So, one having skill in the art would not have sought to modify something so that the something could perform the same functionality." 



Examiner respectfully disagrees. Applicant’s arguments are moot in view of the new grounds of rejection. However, one of ordinary skill in the art would improve on the system of Smith to add a process, executing outside of the trusted execution environment, to determine to install and download software and install the software because of the limited resources within the trusted execution environment. The storage and execution resources are greater outside of the trusted execution environment and therefore such ordinary operations not subject to heightened security requirements such as downloading and installing should be performed outside of the trusted execution environment. 
The new reference Krishnamurthy discloses that a process may execute outside of the trust execution environment and request verification performed by the secure element environment which can be a trusted execution environment (para. 58, 86). The combination of Smith and Krishnamurthy does not disclose how the communication between the process executing outside the trusted execution environment and the process executing inside the trusted execution environment may be performed. 
Hjelm teaches how to request verification from a process executing inside a trusted execution environment and a technique for receiving that verification result from the process executing within the trusted execution environment. Thus, one of ordinary skill in the art would apply the technique taught by the Hjelm reference to the system of Smith as modified by Krishnamurthy’s teachings, in order to arrive at a modified Smith system where a process executing outside of the trusted execution environment would request verification from the software verification process executing inside the trusted execution environment of Smith.
This is applying a known technique to a known device ready for improvement to yield predictable results. One of ordinary skill in the art would have recognized that applying the 

Applicant further argues (e.g., pages 11-12 of Applicant’s arguments) that 

Regarding the second discrete element, the Patent Office asserts that Igotti discloses the following: 



The Patent Office further asserts "Igotti discloses sending information identifying location of that which is to be verified to a verifier" (Office Action, p. 7). Again, Applicant notes that the words the Patent Office is examining differ from Applicant's recited limitations. Applicant's claim 1 does not recite "sending information identifying location of that which is to be verified to a verifier." Applicant's claim 1 recites "sending ... first location information that identifies a location of the first software package." The Patent Office concedes above that Hjelm fails to disclose this recited feature, and the Patent Office appears to concede that Igotti fails to disclose this recited feature because the Patent Office asserts that Igotti discloses something different from this feature. Igotti contains no disclosure regarding a TEE. Igotti discloses that a "trusted program" can perform "integrity checking" on "one or more protected memory pages" (Igotti, col. 1, line 67 - col. 2, line 3). Thus, Igotti contains no disclosure regarding 1) a TEE, 2) a software package, or 3) a location of a software package, as recited in the referenced limitations. 
Thus, by the Patent Office's own analysis, neither Hjelm nor Igotti teach or suggest 
sending, by an OS to a software package verification process executing in a TEE, first location information that identifies a location of the first software package. Rather, Hjelm discloses to verify a signature in a TEE and Igotti to integrity check memory pages. Applicant submits that a reference that discloses to verify a signature in a TEE and another reference that discloses to perform an integrity check on memory pages fail to teach or suggest sending, by an OS to a software package verification process executing in a TEE, first location information that identifies a location of the first software package, as recited in Applicant's claim 1. 

Examiner respectfully disagrees. Igotti in combination with Hjelm fills in the gap in the disclosure of Smith and Krishnamurthy. That is, Smith does not describe in detail how the received software release (which is stored at some location on the client computing device’s data storage device disclosed at para. 148) may be referenced or otherwise provided for verification and verification result returned. Krishnamurthy also does not describe how to send location information identifying where the software to be verified is at, although Krishnamurthy discloses a location of the first software package (para. 40 “downloaded onto the NFCC 145”). 

The previous office action clearly states on page 7 and page 8 that the limitations sending, by the OS to the software package verification process, first location information that identifies a location of the first software package; and receiving, from the software package verification process, information that indicates that the first software package on the storage device is trusted of claim 1 are taught when the system of Smith is modified with the techniques taught in the Hjelm and Igotti references.
Thus, because Smith and Krishnamurthy do not provide details on how to communicate verification requests to the verification components executing in a trusted execution environment and receive the verification results, one of ordinary skill in the art would have applied the techniques taught in the Hjelm and Igotti references to modify the system of Smith as modified by the teachings of Krishnamurthy, to be able to communicate the location of the software to be verified to the process executing inside the trusted execution environment.

Applicant further argues (e.g., page 12 of Applicant’s arguments) that 

Applicant's claim 1, as amended, further recites: 
in response to the information that indicates that the first software package on the storage device is trusted, installing, by the package installer, the first software package into the OS environment. 

Thus, Applicant's claim 1 now clarifies an example wherein a "package installer" which executes "outside of the TEE" installs the first software package into the OS environment in response to the information from the "software package verification process" executing in the TEE that "indicates that the first software package on the storage device is trusted." While this exact limitation has not been examined by the Patent Office, Applicant notes that Smith, in contrast, discloses that a software update module 246, which executes in the TEE 256, installs a software release 254 (Smith, Figure 2). Nor do any of the other cited references teach or suggest a "package installer" that executes "outside of the TEE" and installs a first software package into an OS environment in response to information from a "software package verification process" executing in the TEE that "indicates that the first software package on the storage device is trusted." 

Examiner respectfully disagrees. Applicant’s arguments are moot in view of the new grounds of rejection. The newly cited reference Krishnamurthy discloses NFCC 145 executing outside of the trusted execution environment to install a software package a firmware update in response to receiving verification from the secure element environment (which can be a trusted execution environment)  that the software update firmware update is to be trusted (para. 40, 58, 86, 92). Smith discloses a verification process executing in the trusted execution environment which can verify integrity of the downloaded software. Smith modified by Krishnamurthy discloses the limitations.
Accordingly, Applicant's argument is unpersuasive and/or moot in view of the new grounds of rejection..

Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	
	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1, 12, 14 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith '496 et al. U.S. Publication 20170357496 (hereinafter “Smith '496”), in view of Krishnamurthy et al. U.S. Publication 20140130151 (hereinafter “Krishnamurthy”), further in view of Hjelm et al. U.S. Patent No. 9722775 (hereinafter “Hjelm”), further in view of Igotti et al. U.S. Patent No. 9536088 (hereinafter “Igotti”).
As per claim 1, Smith ‘496 discloses 
a method comprising: 
initiating, by an operating system (OS) executing on a computing device comprising a processor device, a software package verification process in a trusted execution environment (TEE), the OS being part of an OS environment comprising a file system; 
(See Smith ‘496
[figure 7, flowchart, in particular elements 714, 716, 718 which shows a process (method)  for requesting release components from update server, receiving such components, and verifying the integrity of the components; the release components disclose software package
Smith ‘496 figure 1, processor 140 [processor device ] in client computing device 104
computing device= client computing device 104
Smith ‘496 figure 2, 
[software package verification process= software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2, which is the code plus data, all inside trusted execution environment 256; figure 2 illustrates the integrity hash tree 208 as part of the release integrity module 248]
Smith ‘496 [0032] ‘ FIG. 2….. a client computing device 104 establishes an environment 240 [OS environment ] during operation… environment 240 includes [initiating = establishes]……a release integrity module 248,.  ‘
[0037] ‘  trusted execution environment 256 may include ……. the release integrity module 248[initiating… a software package verification process ]…,…….. trusted execution environment 256 may store ….. the integrity hash tree 208,’
Smith ‘496 [0061]
files [indicates that there is a file system ]that are necessary to update the current client computing device 104’..
Smith ‘496 [0062]
‘ client computing device 104 receives….. files...’
Smith ‘496 [0034]
‘The release components may be installed to, for example, an installed software release 254 of the client computing device 104.’[OS environment comprising a file system = environment 240 which includes installed software release 254 in figure 2; software release 254 can disclose file system]
Smith ‘496 Para. [0041]
‘…, the software release 204 may be embodied as a particular version of an operating system, ‘[this is the client device operating system]).

See Smith ‘496 [figure 2, trusted execution environment 256, and with the release integrity module 248 executing and integrity hash tree 208; ]
 [OS environment = environment 240 ]
)

determining that a first software package in a software repository is to be installed into the OS environment;
(See Smith ‘496 [figure 2, trusted execution environment 256, and with the release integrity module 248 executing and integrity hash tree 208; ]
Smith ‘496 Para.[0061]
, ‘a software update agent of the client computing device 104 may determine one or more bundles, packages, and/or files that are necessary [determining that a first software package...... is to be installed ]to update the current client computing device 104...... The software repository = update server 102 ] may identify only the necessary release components,’
[OS environment = environment 240 ]
)

downloading the first software package to a storage device; 
(See Smith ‘496  [Para. [0062] discloses downloading the software package and a data storage device at [0024]]
)

However, Smith ‘496 does not expressly disclose 
determining, by a package installer executing outside of the TEE on the computing device, that a first software package in a software repository is to be installed into the OS environment; [Smith ‘496 does not disclose that the package installer is executing outside of the trusted execution environment]
sending, by the OS to the software package verification process, first location information that identifies a location of the first software package; 
receiving, from the software package verification process, information that indicates that the first software package on the storage device is trusted;
and in response to the information that indicates that the first software package on the storage device is trusted, installing, by the package installer, the first software package into the OS environment.





Krishnamurthy discloses
determining, by a package installer executing outside of the TEE on the computing device, that a first software package in a software repository is to be installed into the OS environment; 
(See Krishnamurthy Para. [0068] TEE can be manufactured on a different substrate than the NFCC 145] executing outside of the TEE]. 
[package installer = NFCC 145]
Krishnamurthy [0071]
A high level application or a controlling authority can request the firmware installation. The NFC module 140 can receive the firmware installation request from the application processor 120. Additionally, the NFCC 145 can directly receive the firmware installation request to update the NFCC firmware.[ determining, by a package installer executing outside of the TEE on the computing device, that a first software package in a software repository is to be installed into the OS environment; ]
Krishnamurthy [0115] The computer system 800 also can comprise software elements, shown as being currently located within the working memory 835, including an operating system 840 (e.g., high-level application),
Krishnamurthy [0106] firmware installation can represent a complete firmware image in its entirety, which replaces the currently loaded version…….[The firmware software installation would be an installation into the OS environment]]
Krishnamurthy [0091] In step 550, the NFCC 145 ….. ensure that the firmware is coming from a trusted source.[ software repository]
Krishnamurthy [0032] The NFC module 140 ……. be mounted in a mobile device 110.[ computing device]
).

downloading the first software package to a storage device; 
a location of the first software package; 
(See Krishnamurthy Para. [0040] ensure that the new firmware version being downloaded onto the NFCC 145[a location of the first software package] is higher than the previous version
[0010] ensure that the new firmware version being downloaded onto a device is higher than the previous version, in order to prevent a rollback attack.
). 

receiving, from the secure element environment/trusted execution environment, information that indicates that the first software package on the storage device is trusted
(See 
Krishnamurthy Para. [0086]
the secure element environment can simply verify (i.e., true or false) that the FVN is the last firmware versionKrishnamurthy [0058]
….. the secure element environment can be …..a TEE (e.g., a hardware partitioned secure section of a chip). ….. NFCC 145 may interface with the secure element environment to obtain sensitive data.
)

and in response to the information that indicates that the first software package on the storage device is trusted, installing, by the package installer, the first software package into the OS environment.
(See 

the secure element environment can simply verify (i.e., true or false) that the FVN is the last firmware version.[ information that indicates that the first software package on the storage device is trusted; This teaches that the secure element environment/trusted execution environment can perform a software verification function]
Krishnamurthy [0092] At step 555, if the signature is verified to be valid, then the firmware installation is allowed and the firmware is updated.
Krishnamurthy [0087] At step 535, the NFCC 145 compares the FVN with the LAFVN, and if the LAFVN is not less than the FVN, then the NFCC 145 continues with the firmware installation. At step 540, the NFCC accepts the installation request from the mobile device 110.[This paragraph 87 in combination with paragraph 86 teaches continuing with the software installation when confirmation is received the software is to be trusted; see also para. 73,  74, 75  comparison results in the FVN being greater than the LAFVN, para. 83]
Krishnamurthy [0058]
….. the secure element environment can be …..a TEE (e.g., a hardware partitioned secure section of a chip). ….. NFCC 145 may interface with the secure element environment to obtain sensitive data.
Krishnamurthy [0106] firmware installation can represent a complete firmware image in its entirety, which replaces the currently loaded version…….[The firmware software installation would be an installation into the OS environment]]
)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Smith '496 with the technique for requesting confirmation that a software upgrade package is a trusted version from a trusted execution environment and installing the software package in response to the confirmation received of Krishnamurthy to include 
determining, by a package installer executing outside of the TEE on the computing device, that a first software package in a software repository is to be installed into the OS environment; 
a location of the first software package; 
receiving, from the secure element environment/trusted execution environment, information that indicates that the first software package on the storage device is trusted
and in response to the information that indicates that the first software package on the storage device is trusted, installing, by the package installer, the first software package into the OS environment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to efficiently use resources for performing the software installation process outside of the trusted execution environment. One of ordinary skill in the art would recognize that for system performance reasons it is more resource efficient to minimize the work done inside trusted execution environment because of the limited resources within the trusted execution environment, while requesting confirmation from the process executing inside trusted execution environment for critical trust evaluation. The system of the primary reference can be modified by adding a component outside of the trusted execution environment to download the software outside the trusted execution environment, request confirmation from the trusted execution environment, receiving the trust confirmation from the trusted execution environment, and installing after receiving positive confirmation that the downloaded software is to be trusted.

	However, the combination of Smith '496 and Krishnamurthy does not expressly disclose 
sending, by the OS to the software package verification process, first location information that identifies a location of the first software package; and
receiving, from the software package verification process, information that indicates that the first software package on the storage device is trusted.

Hjelm discloses a technique for an operating system to send a request to verify information to a verification process executing inside trusted execution environment and
a technique for receiving response information from the verification process indicating that the information has been verified 
(
[although Smith describes the process executing inside a trusted execution environment, Krishnamurthy does not go so far as to describe a process executing inside the trusted execution environment (Krishnamurthy para. 86 only describes that the secure element environment simply verifies) or how to communicate with such a process. Hjelm teaches how to send a request to verify information to a verification process executing inside trusted execution environment ]
See Hjelm, [figure 7, element 730, where the operating system 107 facilitates the request of verification signature verification from an applet 720 executing inside the trusted execution environment; element 730 is a bidirectional arrow indicating the request is sent and the verification result is returned and received]
9:35-44 ‘ During voice session key negotiation 710, secure voice app 700 may receive a signature from the other device, and may pass the signature to PKI applet 720 [executing inside trusted execution environment ] via a secure API call(s) 730. Upon receipt of secure API call(s) 730, PKI applet 720 may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature from the other device. If the signature is verified[receiving, from the verification process, information that indicates that the information is trusted], secure voice app 700 can complete the voice session key negotiation process 710. 
).


sending, by the OS to the software package verification process, a request to verify that the first software package on the storage device is trusted.
receiving, from the software package verification process, information that indicates that the first software package on the storage device is trusted.
One of ordinary skill in the art would have made this modification to improve the ability of the system to communicate with a process executing inside a trusted execution environment. The system (client computing device 104) of the Smith ‘496 primary reference as modified by Krishnamurthy can be further modified to send requests from a component executing outside of the trusted execution environment but part of the operating system as taught by Krishnamurthy to release integrity module 248 executing inside the trusted execution environment of Smith to perform a verification operation and receive the verification result. 
This is applying a known technique to a known device ready for improvement to yield predictable results. One of ordinary skill in the art would have recognized that applying the known technique for sending verification request and receiving verification result disclosed in Hjelm would have yielded predictable results and resulted in an improved system.  The combination of the teachings of Hjelm and Igotti fills the gap in the disclosure of Smith.

	However, the combination of Smith '496, Krishnamurthy, and Hjelm does not expressly disclose a technique for sending location information
Igotti discloses a technique for sending information identifying location of that which is to be verified to a verifier 
(

See Igotti 1:67-2:4 ‘providing by the trusted program to the hypervisor addresses of 
one or more protected memory pages for integrity checking; and performing by 
the hypervisor a cyclic redundancy check of the protected memory pages.’
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Hjelm with the technique for sending location information of that which is to be verified to a verifier of Igotti to include 
sending, by the OS to the software package verification process, first location information that identifies a location of the first software package; 
One of ordinary skill in the art would have made this modification to improve the ability of the system to verify the released software components. Sending an address is more efficient than sending the entire contents of the released software components, which is impractical due to the large transfer of data required. The modified system of the Smith ‘496 primary reference can be further modified so that the component executing outside of the trusted execution environment as taught by Krishnamurthy can send the address information of the software to be verified to the release integrity module 248 executing inside the trusted execution environment. 
Smith does not describe in detail how the received software release (which is stored at some location on the client computing device’s data storage device disclosed at para. 148) may be referenced or otherwise provided for verification and verification result returned. Krishnamurthy also does not describe how to send location information identifying where the software to be verified is at, although Krishnamurthy discloses a location of the first software package (para. 40 “downloaded onto the NFCC 145”). 
Therefore, one of ordinary skill in the art would have used the technique taught by Igotti, which is "sending information identifying location of that which is to be verified to a verifier" to 
Thus, because Smith and Krishnamurthy do not provide details on how to communicate verification requests to the verification components executing in a trusted execution environment and receive the verification results, one of ordinary skill in the art would have applied the techniques taught in the Hjelm and Igotti references to modify the system of Smith as modified by the teachings of Krishnamurthy, to be able to communicate the location of the software to be verified to the process executing inside the trusted execution environment.


As per claim 12, the rejection of claim 1 is incorporated herein. 
Smith '496 discloses wherein sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package comprises sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package to be the software repository; and 
Smith '496 discloses the software package verification process, the first location information that identifies the location of the first software package to be the software repository
software package verification process= software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2, which is the code plus data, all inside trusted execution environment 256]
(See Smith '496 Para. [0034]
‘The software update module 246 is configured to [first location information is specified when configuring client computing device 104 to request ]request the update server 102[ a location of the first software package = update server 102]  for one or more release components of the software release 204..’
)

wherein downloading the first software package to the storage device comprises downloading, by the software package verification process from the software repository, the first software package to the storage device.
(See Smith '496 
Para. [0034] ‘The software update module 246 is further configured to receive, from the update server 102, one or more release components of the software release 204, [downloading, by the software package verification process from the software repository, the first software package to the storage device ]
Smith ‘496 [0024]
‘client computing device 104 includes ……, a data storage device 148, ‘
).

However, the combination of Smith '496 and Krishnamurthy does not expressly disclose wherein sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package comprises sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package to be the software repository; and
Hjelm discloses sending, by the OS to the verification process, a request to verify information; and
(See Hjelm, [figure 7, element 730, where the operating system 107 facilitates the request of verification signature verification from an applet 720 executing inside the trusted execution environment; element 730 is a bidirectional arrow indicating the request is sent and the verification result is returned and received]
9:35-44 ‘ During voice session key negotiation 710, secure voice app 700 may receive a signature from the other device, and may pass the signature to PKI applet 720[executing inside trusted execution environment] via a secure API call(s) 730. Upon receipt of secure API call(s) 730, PKI applet 720 may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature from the other device.’).
For the reasons discussed with respect to claim 1, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Krishnamurthy with the technique for sending a request to perform a verification to a process executing within a trusted execution environment of Hjelm to include 
wherein sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package comprises sending, by the OS to the software package verification process, the first location information that identifies the location of the first software package to be the software repository; and 
wherein downloading the first software package to the storage device comprises downloading, by the software package verification process from the software repository, the first software package to the storage device.

As per claim 14, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 1, and is/are rejected for the reasons detailed with respect to claim 1.  Claim 14 also recites A computing device, comprising: a memory; and a processor device coupled to the memory to:
Smith '496 discloses A computing device, comprising: a memory; and a processor device coupled to the memory to:
(See Smith '496 Para. [0056]
‘client computing device 104 may execute a method 700 for secure software updates. …. various instructions stored on a computer-readable media, which may be executed by the processor 140 …… to cause the client computing device 104 to perform the method 700. The computer-readable media may be …..the memory 146, ….,.’
)

As per claim 18, the claim(s) is/are directed to a computer program product stored on a non-transitory computer-readable storage medium with limitations which correspond to limitations of claim 1, and is/are rejected for the reasons detailed with respect to claim 1.  Claim 18 also recites A computer program product stored on a non-transitory computer- readable storage medium and including instructions to cause a processor device to: 
Smith '496 discloses A computer program product stored on a non-transitory computer- readable storage medium and including instructions to cause a processor device to:
(See Smith '496 Para. [0056]
‘client computing device 104 may execute a method 700 for secure software updates. …. various instructions stored on a computer-readable media, which may be executed by the processor 140 …… to cause the client computing device 104 to perform the method 700. The computer-readable media may be …..the memory 146, ….,.’
non-transitory machine-readable (e.g., computer-readable) storage media, which may be read and executed by one or more processors’
)

Claims 3-4, 16, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith ‘496 in view of Krishnamurthy, in view of Hjelm, in view of Igotti, further in view of Smith et al. U.S. Publication 20140096182 (hereinafter “Smith '182”). 
As per claim 3, the rejection of claim 1 is incorporated herein. 
[software package verification process= software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2, which is the code plus data, all inside trusted execution environment 256]
Smith '496 discloses 
initiating the software package verification process in the TEE
downloading, via a network, information into a trusted execution environment for software verification from a software package verification source.
(See
Smith ‘496 [0032] ‘ FIG. 2….. a client computing device 104 establishes an environment 240.. Includes…a release integrity module 248,.  ‘
[0037] ‘  trusted execution environment 256 may include ……. the release integrity module 248[initiating… a software package verification process ]
[0034] ‘software update module 246 is further configured to receive, from the update 
server 102[software package verification source], one or more release components of the software release 204, hash nodes of the integrity hash tree 208 that correspond to the release components, ‘
)
prior to initiating the software package verification process in the TEE, downloading, by the OS via a network, the software package verification process from a software package verification source.
Smith ‘182 discloses prior to initiating the software package verification process in the TEE, downloading, by the OS via a network, the software package verification process from a software package verification source.
(See Smith ‘182 [figure 4C elements 413-415, which shows the client provisioning the trusted task and associated code to the service provider element at 413 and the service provider executes the secure task in the trusted execution environment at 415 ]
Smith ‘182 Para. [0026]
‘a service provider to receive a trusted task request from a client, attest the service providers secure execution capabilities to the client, receive data and/or code to be operated on from the client, provision such data and/or code in a trusted execution environment ……….execute a trusted task on the data and/or code, …….’
Smith ‘182 [0102]
‘ service provider device's capability to execute a trusted task in a trusted execution environment (TEE); in response to receiving a second signal from a client device that contains at least one of data and code associated with the trusted task, instantiate at least one secure data compartment in the TEE that is populated with at least one of the data and code; execute the trusted task on at least one of the data and code within the at least one secure data compartment; …….’).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496, Krishnamurthy, Hjelm, and Igotti with the technique for downloading a task with associated code for execution in a trusted execution environment of Smith '182 to include prior to initiating the software package verification process in the TEE, downloading, by the OS via a network, the software package verification process from a software package verification source.
One of ordinary skill in the art would have made this modification to improve the ability of a computing system to instantiate and execute code in a trusted environment that cannot be tampered with by malicious 3rd parties. The system (operating system) of the Smith ‘496  primary reference can be modified to download software, such as the release integrity module 248, and instantiate the software for execution in a trusted execution environment. This would facilitate updating the release integrity module 248 software as new versions are made available.

As per claim 4, the rejection of claim 3 is incorporated herein. 
The combined teaching of Smith ‘496, Krishnamurthy, Hjelm, Igotti and Smith '182 discloses 
wherein the software package verification process includes a digital signature, and further comprising: 
obtaining, from a public key repository, a public key of an entity associated with the software package verification process; and 
verifying, using the public key, that the digital signature was signed by the entity associated with the software package verification process.
(See Smith '496 
[software package verification process= software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2, which is the code plus data, all inside trusted execution environment 256]
Smith '496 Para. [0062]
‘In block 716, the client computing device 104 receives the requested release components from the update server 102 [public key repository ]……. also receives data that may be used to verify the release components. …… receive …., the integrity hash tree 208 associated with the software release 204, and one or more signatures 216 of nodes of the integrity hash tree 208. As described above, the signatures 216 may include the one-time signature public keys[public key of an entity associated with the software package verification process; ] corresponding to the private keys used to sign the nodes of the integrity hash tree 208.’
Smith '496 [0064] ‘ client computing device 104 may, for example, verify a Lamport one-time signature associated with each relevant hash node using an associated public key [verifying, using the public key, that the digital signature was signed by the entity associated with the software package verification process.]. As described above, the public keys may be received from the update server 102 along with the release component, ‘
)

As per claim 16, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 3, and is/are rejected for the reasons detailed with respect to claim 3.  

As per claim 20, the claim(s) is/are directed to a computer program product stored on a non-transitory computer-readable storage medium with limitations which correspond to limitations of claim 3, and is/are rejected for the reasons detailed with respect to claim 3.

Claims 6-11 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith ‘496 in view of Krishnamurthy, in view of Hjelm, in view of Igotti, further in view of Smith '376 et al. U.S. Publication 20160065376 (hereinafter “Smith '376”).
As per claim 6, the rejection of claim 1 is incorporated herein. 
Smith '496 discloses 
comparing a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package; 
determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match; and 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, determining that the first software package on the storage device is trusted.
(See Smith '496 Para. [0063]
‘In block 718, the client computing device 104 verifies the integrity of the received release components [first software package ]and the release version number using the integrity hash tree 208. For example, the client computing device 104 may calculate hash values of the received release components and release version number and compare those calculated values to the corresponding nodes of the integrity hash tree 208. If the release components and/or version number have been altered (e.g., due to transmission error, malicious interference, or otherwise), then the calculated hash values [calculated cryptographic hash value ]will not match the integrity hash tree 208[predetermined cryptographic hash value]. In block 720, the client computing device 104 determines whether the integrity of the release components and the version number was successfully verified, If so, the method 700 advances to block 722….’
).

However, Smith '496 does not expressly disclose 
comparing, by the software package verification process, a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package; 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, sending, to the OS, the information that indicates that the first software package on the storage device is trusted.

Hjelm discloses performing verification by a process executing in a trusted execution environment and
sending, to the operating system, verification results
(See Hjelm 9:38-43 ‘Upon receipt of secure API call(s) 730, PKI applet 720 [executing in the [trusted execution environment 130] may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature from the other device. If the signature is verified, secure voice app 700 [executing in the rich operating system 107) can complete the voice session key negotiation process 710’).
For the reasons discussed with respect to claim 1, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Krishnamurthy with the technique for performing verification in a process executing in a trusted execution environment and returning the verification results to an operating system of Hjelm to include 
comparing, by the verification process, a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package; 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, sending, to the OS, the information that indicates that the first software package on the storage device is trusted.


comparing, by the software package verification process, a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package; 

Smith '376 discloses comparing, by the software package verification process, a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package;
(See Smith '376 Para. [0030]
‘the security module 212 computes an attestation quote (e.g., a signed hash) of code executing in its own trusted execution environment 208 and compares that to the attestation quote provided by the remote computing device 106’
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti with the technique for computing hash for code by a module executing in the trusted execution environment and comparing the hash to a hash provided by a remote source of Smith '376 to include 
comparing, by the software package verification process, a calculated cryptographic hash value, which is based on the contents of the first software package, to a predetermined cryptographic hash value associated with the first software package.
One of ordinary skill in the art would have made this modification to improve the ability of the system to perform the hash comparison in the process executing in a trusted execution environment. The system of the Smith ‘496 primary reference can be modified so that a process 

As per claim 7, the rejection of claim 6 is incorporated herein. 
Smith '496 discloses the calculated cryptographic hash value from the OS.
(See Smith '496 Para. [0063]
‘In block 718, the client computing device 104 verifies the integrity of the received release components and the release version number using the integrity hash tree 208. For example, the client computing device 104 may calculate hash values[the calculated cryptographic hash value] of the received release components and release version number and compare those calculated values to the corresponding nodes of the integrity hash tree 208. If the release components and/or version number have been altered (e.g., due to transmission error, malicious interference, or otherwise), then the calculated hash values [calculated cryptographic hash value ]will not match the integrity hash tree 208. In block 720, the client computing device 104 determines whether the integrity of the release components and the version number was successfully verified. ’
).
	However, the combination of Smith '496 and Krishnamurthy does not expressly disclose receiving, by the software package verification process, the calculated cryptographic hash value from the OS.
Hjelm discloses that verification is performed by a process executing inside the trusted execution environment with received data for executing the verification process
(See Hjelm 9:38-43 ‘Upon receipt of secure API call(s) 730, PKI applet 720 [executing in the [trusted execution environment 130] may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature[data for performing the verification is received by the process executing 
For the reasons discussed with respect to claim 1, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Krishnamurthy with the technique for receiving data to perform verification in a process executing in a trusted execution environment of Hjelm to include 
 receiving, by the software package verification process, the calculated cryptographic hash value from the OS.
 
As per claim 8, the rejection of claim 6 is incorporated herein. 
Smith '496 discloses 
accessing the first software package on the storage device; and 
calculating the calculated cryptographic hash value based on the contents of the first software package.
(See Smith
Smith ‘496 [0024]
‘client computing device 104 includes ……, a data storage device 148, ‘
'496 Para. [0063]
‘In block 718, the client computing device 104 verifies the integrity of the received release components and the release version number using the integrity hash tree 208. For example, the client computing device 104 may calculate hash values[calculating the calculated cryptographic hash value based on the contents of the first software package] of the received release components. ’
).

	However, the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti does not expressly disclose 
accessing, by the software package verification process, the first software package on the storage device; and 
calculating, by the software package verification process, the calculated cryptographic hash value based on the contents of the first software package.
Smith '376 discloses accessing, by the software package verification process, the first software package on the storage device; and 
calculating, by the software package verification process, the calculated cryptographic hash value based on the contents of the first software package.
 [0017] ‘local computing device 102 includes ……, a data storage 118, ‘
(See Smith '376 [figure 2, which show security module 212 executing inside trusted execution environment 208 ]
Smith '376 Para. [0029]
‘ the security module 212 takes a measurement (e.g., a hash) of code executing [accessing, by the software package verification process, the first software package; calculating, by the software package verification process, the calculated cryptographic hash value ] (or for execution) in the trusted execution environment 208 to prove the integrity of the code executed in the trusted execution environment 208.
).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti with the technique for a process executing inside a trusted execution environment to compute hash of execution code of Smith '376 to include 
accessing, by the software package verification process, the first software package on the storage device; and 
calculating, by the software package verification process, the calculated cryptographic hash value based on the contents of the first software package.
One of ordinary skill in the art would have made this modification to improve the ability of the system to securely calculate the hash value by a process executing inside trusted execution environment. The system of the Smith ‘496 primary reference can be modified so that  release integrity module 248 executing inside the trusted execution environment can calculate the hash value of software to be installed.

As per claim 9, the rejection of claim 6 is incorporated herein. 
Smith '496 discloses obtaining the predetermined cryptographic hash value from the software repository.
(See Smith '496 Para.  [0034]
‘The software update module 246 is further configured to receive, from the update server 102[software repository = update server 102  ], …..hash nodes of the integrity hash tree 208 that correspond to the release component’. 
).

However, the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti does not expressly disclose obtaining, by the software package verification process, the predetermined cryptographic hash value from the software repository.
Smith '376 discloses obtaining, by the software package verification process, the predetermined cryptographic hash value
(See Smith '376 Para. [0030]
compares that to the attestation quote [predetermined cryptographic hash value ] provided by the remote computing device 106‘’
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti with the technique for a process executing in a trusted execution environment obtaining a previously computed hash value of Smith '376 to include 
obtaining, by the software package verification process, the predetermined cryptographic hash value from the software repository.

As per claim 10, the rejection of claim 6 is incorporated herein. 
Smith '496 discloses obtaining the predetermined cryptographic hash value from the first software package.
(See Smith '496 Para. [0062]
‘In block 716, the client computing device 104 receives the requested release components from the update server 102 (e.g., the requested bundles, packages, files, or other release components). The client computing device 104 also receives data that may be used to verify the release components. For example, the client computing device 104 may receive …….. the integrity hash tree 208 associated with the software release 204[the integrity hash tree corresponding to the requested bundles/packages is part of the received software files/packages/bundles].’
[0063]
‘In block 718, the client computing device 104 verifies the integrity of the received release components and the release version number using the integrity hash tree 208.’
)

However, the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti does not expressly disclose . 
obtaining, by the software package verification process, the predetermined cryptographic hash value from the first software package.
Smith '376 discloses obtaining, by the software package verification process, the predetermined cryptographic hash value 
(See Smith '376 Para. [0030]
‘the security module 212[executing in the trusted execution environment] computes an attestation quote (e.g., a signed hash) of code executing in its own trusted execution environment 208 and compares that to the attestation quote provided by the remote computing device 106’ [the predetermined cryptographic hash value = attestation quote provided by the remote computing device 106].
).
For the reasons discussed with respect to claim 6, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti with the technique for acquiring a precomputed hash value of Smith '376 to include obtaining, by the software package verification process, the predetermined cryptographic hash value from the first software package.

As per claim 11, the rejection of claim 6 is incorporated herein. 
Smith '496 discloses
wherein the first software package includes a digital signature, and further comprising:
obtaining, by the software package verification process, a public key of an entity associated with the first software package; 
verifying, using the public key, that the digital signature was signed by the entity associated with the first software package; and 
wherein in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, and in response to verifying, using the public key, that the digital signature was signed by the entity associated with the first software package, 
[software package verification process= software update module 246 + release integrity module 248+ root authentication module 242+ the integrity hash tree 208 from figure 2, which is the code plus data, all inside trusted execution environment 256]
Smith '496 [0033]
‘The root authentication module 242[part of the software package verification process] is configured to receive the root public key [a public key ]of the Merkle signature scheme authentication tree 214 associated with a software release 204 and a signature of the root public key from the update server 102[an entity associated with the first software package =  update server 102]. The root authentication module 242 is further configured to verify the root public key with the signature of the root public key and the anchor public key 244 that is provisioned to the client computing device 104….., …..e root authentication module 242 is further configured to verify the authentication tree 214 with the root public key.’[ verifying, using the public key, that the digital signature was signed by the entity associated with the first software package]
Smith '496 [0034]
The software update module 246 is configured to request the update
Smith '496 Para. [0062]
716, the client computing device 104 receives the requested release components[software package; the received package includes the update release code and also signatures for the integrity hash tree 208; claim 11 does not specify what the signature is generated based on ] from the update server 102 [public key repository ]……. also receives data that may be used to verify the release components. …… receive …., the integrity hash tree 208 associated with the software release 204, and one or more signatures 216[the first software package includes a digital signature] of nodes of the integrity hash tree 208. As described above, the signatures 216 may include the one-time signature public keys[public key of an entity associated with the software package verification process; ] corresponding to the private keys used to sign the nodes of the integrity hash tree 208.’
Smith '496 [0063]
‘ client computing device 104 may calculate hash values of the received release components and release version number and compare those calculated values to the corresponding nodes of the integrity hash tree 208[in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match]. If the release components and/or version number have been altered (e.g., due to transmission error, malicious interference, or otherwise), then the calculated hash values will not match the integrity hash tree 208. ‘.
Smith '496 [0064] ‘ client computing device 104 may, for example, verify a Lamport one-time signature associated with each relevant hash node using an associated public key [verifying, using the public key, that the digital signature was signed by the entity associated with the first software package.]. As described above, the public keys may be received from the update server 102 along with the release component, 
)
However, the combination of Smith '496 and Krishnamurthy does not expressly disclose 
wherein in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, sending, to the OS, the information that indicates that the first software package on the storage device is trusted further comprises: 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, and in response to verifying, using the public key, that the digital signature was signed by the entity associated with the first software package, sending, to the OS, the information that indicates that the first software package on the storage device is trusted. 
Hjelm discloses  sending, to the operating system, verification results
 (See Hjelm 9:38-43 ‘Upon receipt of secure API call(s) 730, PKI applet 720 [executing in the trusted execution environment 130] may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature from the other device. If the signature is verified, secure voice app 700 [executing in the rich operating system 107) can complete the voice session key negotiation process 710’).
For the reasons discussed with respect to claim 1, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Krishnamurthy with the technique for performing verification in a process executing in a trusted execution environment and returning the verification results to an operating system of Hjelm to include 
wherein in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, sending, to the OS, the information that indicates that the first software package on the storage device is trusted further comprises: 
in response to determining that the calculated cryptographic hash value and the predetermined cryptographic hash value match, and in response to verifying, using the public key, that the digital signature was signed by the entity associated with the first software package, sending, to the OS, the information that indicates that the first software package on the storage device is trusted. 

As per claim 17, the claim(s) is/are directed to a computing device with limitations which correspond to limitations of claim 6, and is/are rejected for the reasons detailed with respect to claim 6.  

Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith ‘496 in view of Krishnamurthy, in view of Hjelm, in view of Igotti, further in view of Korkishko et al. U.S. Publication 20100287547 (hereinafter “Korkishko”).
As per claim 5, the rejection of claim 1 is incorporated herein. 
	However, the combination of Smith ‘496, Krishnamurthy, and Hjelm, and Igotti does not expressly disclose wherein determining that the first software package in the software repository is to be installed into the OS environment comprises receiving user input requesting that the first software package be installed into the OS environment.
Korkishko discloses receiving user input requesting that the first software package be installed into the OS environment.
(See Korkishko Para. 0061]
‘The user 21 may select whether to install the software package based on the integrity verification result …... If the mobile terminal 22 receives input of a request to install the software package from the user 21, the mobile 22 installs the software package.’
).

receiving user input requesting that the first software package be installed into the OS environment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to provide the ability to allow the user to select software packages for installation. The system (operating system) of the Smith ‘496 primary reference can be modified to receive user input to install software packages.
Claim 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith ‘496 in view of Krishnamurthy, in view of Hjelm, in view of Igotti, further in view of Aissi et al. U.S. Publication 20140066015 (hereinafter “Aissi”).
As per claim 13, the rejection of claim 1 is incorporated herein. 
Smith '496 discloses 
determining that a second software package in the software repository is to be installed into the OS environment; 
(See
Smith ‘496 Para.[0061]
, ‘a software update agent of the client computing device 104 may determine one or more bundles, packages, and/or files that are necessary [determining…… is to be installed ]to update the current client computing device 104…… The request sent to the update server 102 [software repository = update server 102  ] may identify only the necessary release components,’.
[OS environment = environment 240 ]
[0016] ‘FIG. 1,..individual packages and/or bundles to 
be dynamically requested by a software update agent of a client computing 
device 104 as needed’ [multiple packages are requested, downloaded and installed ]
)
 
downloading the second software package to the storage device; 
(See Smith ‘496 
[0016] ‘FIG. 1,..individual packages and/or bundles 
Para. [0062]
downloading the second software package]
Smith ‘496 [0024]
‘client computing device 104 includes ……, a data storage device 148, ‘
).

second location information that identifies a location of the second software package;
(See Smith '496
[0016] ‘FIG. 1,..individual packages and/or bundles[second software package]
Para. [0034]
‘The software update module 246 is configured to [second location information is specified when configuring client computing device 104 to request ]request the update server 102[ a location of the second software package = update server 102]  for one or more release components of the software release 204..’
)

However, the combination of Smith '496 and Krishnamurthy does not expressly disclose 
sending, by the OS to the software package verification process, second location information that identifies a location of the second software package; 

Hjelm discloses sending, by the OS to the verification process, a request to verify information;
(See Hjelm, [figure 7, element 730, where the operating system 107 facilitates the request of verification signature verification from an applet 720 executing inside the trusted 
9:35-44 ‘ During voice session key negotiation 710, secure voice app 700 may receive a signature from the other device, and may pass the signature to PKI applet 720 [executing inside trusted execution environment ] via a secure API call(s) 730. Upon receipt of secure API call(s) 730, PKI applet 720 may retrieve the private key from secure memory 135 and perform a signature verification technique 735, using the private key, to verify the received signature from the other device. If the signature is verified, secure voice app 700 can complete the voice session key negotiation process 710. 
).
For the reasons discussed with respect to claim 1, it would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Smith ‘496 and Krishnamurthy with the technique for sending a request to perform a verification to a process executing within a trusted execution environment of Hjelm to include
sending, by the OS to the software package verification process, second location information that identifies a location of the second software package; 

However, the combination of Smith ‘496, Krishnamurthy, Hjelm, and Igotti does not expressly disclose 	
receiving, from the software package verification process, information that indicates that the second software package on the storage device is not to be trusted; and 
in response to the information that indicates that the second software package on the storage device is not to be trusted, not installing the second software package into the OS environment.
receiving, from the software package verification process, information that indicates that the second software package on the storage device is not to be trusted; and 
in response to the information that indicates that the second software package on the storage device is not to be trusted, not installing the second software package into the OS environment.
(See Aissi Para. 
[0060] ‘. Verification agent 270 [the software package verification process ]can be executed from inside a secure or trusted execution environment, such as a secure element. Verification agent 270 prevents application 265 from being installed on mobile device 200 until verification agent 270 has determined that application 265 can be trusted and that mobile device 200 is in a trusted state.’[not installing the second software package into the OS environment; not installing the second software package into the OS environment is disclosed since the agent would not request the installation of application 265 anywhere on the mobile device but instead prevents the installation]
Aissi [0070]
‘ The verification agent prevents the received application from being installed on mobile device 350 until the authenticity of the application and the integrity of the application and the mobile device can be determined.’
Aissi [0135] ‘The set of instructions or software code may be stored in a memory or 
other form of data storage element’ [second software package on the storage device ] which is accessed by the computing device]
Aissi [0032] An "operating system" (OS) [the OS environment.]may be a collection of software that manages computer hardware resources and provides common services for 
applications.
).


receiving, from the software package verification process, information that indicates that the second software package on the storage device is not to be trusted; and 
in response to the information that indicates that the second software package on the storage device is not to be trusted, not installing the second software package into the OS environment.
One of ordinary skill in the art would have made this modification to improve the ability of the system to ensure that only trusted applications are installed. The system of the Smith '496 primary reference can be modified so that software update module 246 informs the operating system not to install an untrusted application.



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is (571)272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR 






/HOWARD H. LOUIE/Examiner, Art Unit 2494              

/THEODORE C PARSONS/Primary Examiner, Art Unit 2494