DETAILED ACTION

1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
 
 2.	Applicant’s response filed on October 19, 2021 has been considered.  Claims 1, 2, 6-9, and 14-17 have been amended. Claims 3-5, 11-13, and 19-20 have been canceled.  Claims 1-2, 6-10, and 14-18 are pending. 

Drawings
3.	The replacement sheet for figure 4B has been considered and entered.

Claim Rejections - 35 USC § 103

4.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

5.	Claims 1-2, 6-10, and 14-18 are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (U.S. 10,218,711 B2), hereinafter “Smith”, in view of Gunti et al. (U.S. 2018/0032734 A1), hereinafter “Gunti”, in view of Bitauld et al. (U.S. 2020/0036519 A1), hereinafter “Bitauld”, further in view of Platenberg et al. (U.S. 2002/008316 A1), hereinafter “Platenberg”. 
Referring to claims 1, 9, 17:
	 	Smith teaches:
           A security verification method for a device, comprising (see Smith, fig. 1):
	before acquiring a target object to be security-verified in at least one security verification location, executing a power-up boot program by the device after the device is powered up (see Smith, col. 1, lines 57-66 ‘a launch of a software agent [i.e., location [i.e., a security verification location ], determine whether a given geofencing policy is in place and if so, to determine whether a requested access is allowed.  If the access is allowed the requested agent can be launched, and if not, a recovery agent can instead be accessed.’; col. 2, line 19 ‘launch may be a power up of the computer via a boot process [i.e., a power-up boot program ]’); 
           acquiring the target object to be security-verified in the at least one security verification location, wherein the security verification location is a node location to be security-verified after the device is powered up and where a system boot program is executed, and the target object is the system boot program carrying a signature (see Smith, col. 1, lines 57-66 ‘a launch of a software agent [i.e., the target object ] …a trusted mechanism can be used to identify the platform location, determine whether a given geofencing policy is in place [i.e., the node location to be security-verified ] and if so, to determine whether a requested access is allowed.  If the access is allowed the requested agent can be launched, and if not, a recovery agent can instead be accessed.’; col. 2, line 19 ‘launch may be a power up of the computer via a boot process [i.e., a power-up boot program ]’; col. 2, line 45 ‘Furthermore, enforcement of a given geofence policy may occur as part of a secure boot process.’; col. 9, line 48 ‘This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS [i.e., where BIOS corresponds to ‘the system boot program’ ], an operating system (OS) loader, virtual machine manager, and other components).’; col. 2, line 16 ‘the keys can be accessed during normal use when a given launch of a platform is desired.  Note that this launch may be a power up of the computer via a boot process or can be a launch of a given agent requested by a user during normal system operation.’); 
             performing a security verification on the target object, wherein the target object is allowed for use when the security verification succeeds, and the target object is prohibited from being used when the security verification fails, wherein performing the security verification on the target object comprises (see Smith, col. 9, line 48 ‘This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS 
                       acquiring a first public key authorized in the process of executing the power-up boot program (see Smith, col. 9, line 13 ‘The public key that verifies the signature is contained in the TPM or it may be embedded in the ACM that enforces the policy.’); and 
                       performing a signature verification on the system boot program carrying the signature according to the first public key (see Smith, col. 9, line 13 ‘The public key that verifies the signature is contained in the TPM or it may be embedded in the ACM that enforces the policy.’); 
            after performing the signature verification on the system boot program carrying the signature according to the first public key (see Smith, col. 9, line 48 ‘This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS [i.e., where BIOS corresponds to ‘the system boot program’ ], an operating system (OS) loader, virtual machine manager, and other components).’):
                         launching the system boot program (see Smith, col. 2, line 16 ‘the keys can be accessed during normal use when a given launch of a platform is desired.  Note that this launch may be a power up of the computer via a boot process or can be a launch of a given agent requested by a user during normal system operation.’);
                         determining whether to execute a kernel image (see Smith, col. 9, line 48 ‘This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS [i.e., where BIOS corresponds to ‘the system boot program’ ], an operating system (OS) loader [i.e., where operating system (OS) corresponds to ‘a kernel image’ ], virtual machine manager, and other components).’); and 
                         performing, by using the first public key, a signature verification on the kernel image carrying a signature and a plurality of designated images each carrying a signature when it is determined to execute the kernel image, wherein the kernel image is executed when both the kernel image carrying the signature and each of the plurality of designated images each carrying the signature succeed in the boot and launch environment (such as BIOS, an operating system (OS) loader [i.e., where operating system (OS) corresponds to ‘the kernel image’ ] , virtual machine manager, and other components [i.e., where virtual machine manager, and other components corresponds to ‘a plurality of designated images’ ]). This root also provides a trusted position to evaluate the integrity of any other component.  Once a basic root of trust and a secure basis for measurement and evaluation is established, other mechanisms can be used to seal and protect secrets in memory, as well as provide local or remote attestation of system configuration [i.e., where attestation of system configuration corresponds to ‘a plurality of designated images each carrying a signature’ ].’; col. 9, line 13 ‘The public key that verifies the signature is contained in the TPM or it may be embedded in the ACM that enforces the policy.’).
           However, Smith does not disclose using a second public key.   
	Smith discloses the device (see Smith, fig. 1).  However, Smith does not disclose a vehicle-mounted device.
	Smith does not disclose the boot parameter. 
           Gunti discloses verifying the system boot program with a first public key when the device is powered up, and verifying kernel image and one or more designated images with a second public key after verifying the system boot program (see Gunti, fig. 3;  abstract, ‘verifying using a second key’; [0013] ‘public key’).
	 It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gunti to the system of Smith to use a first public key and a second public key.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  Therefore, Gunti’s teaching could enhance the system of Smith, because Gunti teaches “The process of securely booting computer system” (see Gunti, [0013]).

	 	It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Bitauld to the system of Smith to apply the verification method to a vehicle-mounted device.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  Therefore, Bitauld’s teaching could enhance the system of Smith, because Bitauld teaches “method and apparatus for trusted computing” (see Bitauld, [0001]). 
           Platenberg discloses a boot parameter (see Platenberg, [0094] ‘boot parameters…verify the parameters’).   
            It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Platenberg to the system of Smith to verify the boot parameter.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  Therefore, Platenberg’s teaching could enhance the system of Smith, because Platenberg teaches “method for providing boot procedure for optical transceiver nodes in a free-space optical communication network.” (see Platenberg, [0003]).
Referring to claims 2, 10, 18:
		Smith, Gunti, Bitauld, and Platenberg further disclose:
		wherein key pairs used in the security verification in different security verification locations are different (see Smith, col. 2, line 4 ‘specific keys, e.g., asymmetric signing keys can be associated with specific geographies.’).
 Referring to claims 6, 14:
		Smith, Gunti, Bitauld, and Platenberg further disclose:
           performing a signature verification on a recovery image carrying a signature when it is determined not to execute the kernel image, executing the recovery image when the recovery image succeeds in the signature verification, and performing a signature verification on an image carrying a signature in an upgrade package in the process of executing the recovery image, wherein the executing the recovery image is terminated when any image in the upgrade package fails in the signature verification (see 
          prohibiting the recovery image from being executed and terminating the system boot program when the recovery image fails in the signature verification (see Smith, col. 12, line 32 ‘recovery image’. And, Gunti, [0017] ‘performs digital signature verification on …image… otherwise…terminates…’).
          It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gunti to the system of Smith to verify a recovery image.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  Therefore, Gunti’s teaching could enhance the system of Smith, because Gunti teaches “The process of securely booting computer system” (see Gunti, [0013]). 
Referring to claims 7, 15:
		Smith, Gunti, Bitauld, and Platenberg further disclose:
                      wherein the security verification location is a node location where an application program is installed, and the target object is an application program carrying a signature, wherein the performing a security verification on the target object comprises: 
           acquiring a third public key authorized (see Gunti, abstract ‘The secure boot verifier is then executed to verify the remaining executable software modules to be loaded during boot using a third key’); and 
           performing a signature verification on the application program carrying the signature according to the third public key, wherein the application program is installed when the signature verification succeeds, and the application program is prohibited from being installed when the signature verification fails (see Gunti, [0011] ‘Computer system 100 shown in FIG. 1 is executing one or more applications 101 on top of system software 110.’).
          It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gunti to the system of Smith to verify an application.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  
Referring to claims 8, 16:
		Smith, Gunti, Bitauld, and Platenberg further disclose:
                      wherein the security verification location is a node location where a target application program is loaded for a first time, and the target object is an executable file carrying a signature of the target application program, wherein the performing a security verification on the target object comprises: 
           acquiring a fourth public key authorized (see Gunti, abstract ‘a fourth key’); and 
                      performing a signature verification on the executable file carrying the signature according to the fourth public key, wherein the executable file is extracted and is loaded into a memory when the signature verification succeeds, and the target application program is prohibited from being launched when the signature verification fails (see Gunti, abstract, ‘Verify the remaining executable software modules’).
          It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to apply the teaching of Gunti to the system of Smith to verify an executable.  Smith teaches “Embodiments relate to providing security to a platform based on geographic information.” (see Smith, col. 1, line 10).  Therefore, Gunti’s teaching could enhance the system of Smith, because Gunti teaches “The process of securely booting computer system” (see Gunti, [0013]).

Response to Arguments
6.	Applicant's arguments filed on October 19, 2021 have been fully considered but they are not persuasive.
(a)	Applicant submits:
“To begin, Applicant respectfully submits that the above-cited references do not show or suggest a security verification method for a vehicle-mounted device comprising, “performing a signature verification on the system boot program,” and “after the performing of the signature verification on the system boot program, ... performing a signature verification on a boot parameter,” and “after the system boot program sets the 
Examiner maintains:
Smith discloses at col. 9, line 48 “This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS [i.e., where BIOS corresponds to ‘the system boot program’ ], an operating system (OS) loader [i.e., where operating system (OS) corresponds to ‘the kernel image’ ], virtual machine manager, and other components).”
Therefore, Smith discloses or suggests the sequence of the security verification, e.g., verifying the system boot program, which may include boot parameters, prior to the verification of the kernel image.
Gunti further discloses verifying the system boot program with a first public key when the device is powered up, and verifying kernel image and one or more designated images with a second public key after verifying the system boot program (see Gunti, fig. 3;  abstract, ‘verifying using a second key’; [0013] ‘public key’).
Platenberg further discloses verifying boot parameters (see Platenberg, [0094] ‘boot parameters…verify the parameters’). 
Thus, the combination of references discloses or suggests the limitations, as claimed.  
(b)	Applicant submits:
“However, based on the foregoing description in Smith, Applicant respectfully submits that Smith does not disclose or render obvious a sequential performance of a signature verification on the system boot program, a signature verification on the boot parameter, and a signature verification on the kernel image, as recited in claim 1 as amended.” (see page 16, 3rd par)
Examiner maintains:
The combination of references discloses or suggests a sequential performance of a signature verification on the system boot program, on the boot parameter, and on the kernel image, as recited in claim 1 (see (a) above).   
(c)	Applicant submits:
rd par)
Examiner maintains:
Smith discloses at col. 9, line 48 ‘This environment establishes a root of trust that evaluates the computing platform, including measuring platform components in the boot and launch environment (such as BIOS, an operating system (OS) loader [i.e., where operating system (OS) corresponds to ‘the kernel image’ ] , virtual machine manager, and other components [i.e., where virtual machine manager, and other components corresponds to ‘a plurality of designated images’ ]). This root also provides a trusted position to evaluate the integrity of any other component.  Once a basic root of trust and a secure basis for measurement and evaluation is established, other mechanisms can be used to seal and protect secrets in memory, as well as provide local or remote attestation of system configuration [i.e., where attestation of system configuration corresponds to ‘a plurality of designated images each carrying a signature’ ].’; col. 9, line 13 ‘The public key that verifies the signature is contained in the TPM or it may be embedded in the ACM that enforces the policy.’
Gunti further discloses verifying the system boot program with a first public key when the device is powered up, and verifying kernel image and one or more designated images with a second public key after verifying the system boot program (see Gunti, fig. 3;  abstract, ‘verifying using a second key’; [0013] ‘public key’).
Therefore, the combination of references discloses or suggests “a plurality of designated images each carrying a signature,” and thus “performing, by using the second public key, a signature verification on the kernel image carrying a signature and  

Conclusion

7.	The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
(a)	 Roth; Gregory Branchek et al. (US 9288208 B1) disclose Cryptographic key escrow;
(b)	Ndu; Geoffrey et al. (US 20190278913 A1) disclose enclave launch and authentication;
(c)	Ohmori; Seiji et al. (US 20070061582 A1) disclose image processing method, image processing apparatus, and storage medium;
(d)	Yamazaki; Taeko et al. (US 20070055885 A1) disclose information processing apparatus, information processing method, and computer readable storage medium;
(e)	Helbig, Walter A. SR. (US 20020166062 A1) disclose Method and apparatus for enhancing computer system security;
(f)	CONDE MARQUES; Ricardo Nuno DE PINHO COELHO et al. (US 20120151223 A1) disclose method for securing a computing device with a trusted platform module-tpm;
(g)	Thornton; Timothy R. et al. (US 20200218984 A1) disclose methods, systems and apparatus for using session, device and/or user signatures.

 8.       Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See 
           A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
                      Any inquiry concerning this communication or earlier communications from the examiner should be directed to Peiliang Pan whose telephone number is (571) 272-5987.  The examiner can normally be reached on Monday-Friday 8:00 am - 5:00 pm EST.
            If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
            Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/PEILIANG PAN/
Examiner, Art Unit 2492

/SALEH NAJJAR/
Supervisory Patent Examiner, Art Unit 2492