DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a Final Office action in response to communications received on 11/23/2021. 

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/25/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Response to Amendment
Claims 1, 19, 26 and 36 have been amended.
Claim 38 has been cancelled. Claims 1-11, 19-23, 26-37 and 39 have been examined. 
Examiner’s objection of claim 26 is withdrawn in light of the applicant’s amendments to the claim. 
Examiner’s rejection of claims 36 and 38 under 35 U.S.C 112 is withdrawn in light of the applicant’s amendment of claim 36 and cancellation of claim 38.
Applicant’s arguments with respect to claims 1, 9 and 26 regarding the new limitations: “maintain a trust domain control structure (TDCS) for managing metadata of the TD, wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction”, have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1, 3, 7, 8, 10, 11, 19, 21, 23, 26, 28, 32 and 33 are rejected under 35 U.S.C. 103 as being unpatentable over prior art of record US 20180129611 to Parker et al (hereinafter Parker) and US 20160078212 to Bish et al (hereinafter Bish).
As per claim 1, Parker teaches:
A processing device comprising: 
a memory ownership table (MOT) to store security attributes for a host physical memory page (Parker: [0048]: A page ownership table (POT) 50 is stored in memory 34 tracking which BD (if any) is the owner BD for each physical page of memory. For example, the owner BD can set attributes in the page ownership table 50 which control whether other BDs are allowed to access the page); and 
a processing core(Parker: [0040], [0042]) that is to: 
execute a trust domain resource manager (TDRM) to manage a trust domain (TD) (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0042]: Each of the processes 2, 4, 6, 10, 12, 14 of FIG. 1 may be referred to as a "blind domain" (BD)); 
maintain a trust domain control structure (TDCS) for managing metadata of the TD, wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Parker: [0043]-[0047]: A blind domain descriptor table (BDDT) 42 is provided within the memory 34 to track the state of each BD 2, 4, 6, 10, 12, 14. For example, for each BDID, the BDDT 42 may specify a state of the blind domain. For example, the BDDT 42 may specify a 2-bit state field for each BDID to identify the state of the corresponding blind domain. [0123] The hypervisor receives the request to initiate the guest execution environment creates a new virtual machine (VM) and allocates with the physical memory address space the pages to be used by the guest execution environment as well as setting up other parameters associated with the guest execution environment, as is normal in the action of a hypervisor. The hypervisor then forwards to the security controller the request for initialization of the guest execution environment, the encrypted executable code, page identifiers indicating the pages of physical memory address space that have been allocated by the hypervisor to the guest execution environment and a blind domain identifier to be used by the guest execution environment. Also, [0142]); 
maintain an execution state of the TD in a trust domain thread control structure (TD-TCS) that is referenced by the TDCS and is access- controlled against software access from at least one of the TDRM, a virtual machine manager (VMM), or the other TDs (Parker: [0139]: This context switching may be performed by protected exception handling. The state data of the processor, or wider system, at the time the change of context occurs may include many state parameters, e.g. register contents, configuration variables, program status values, etc. This state data is context data and may represent private information that it is desired not to allow to be available to other guest execution environments, or the hypervisor itself. [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. As an example, the restart data may include general purpose register contents. Also, [0141]. [0142]: The page descriptor entry also includes pointer (handle) to a location within the context data memory 814 to which context data for the process concerned is to be saved (and from which it is restored) when the process concerned is switched out. This pointer indicates a region of memory which is owned by the process concerned. The page descriptor entry also includes a current process status. [0144] At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. The execution context data may also include state data such as the general purpose register contents at the time the process was exited. Also, [0145]); and 
reference the MOT to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key (Parker: [0069]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34. Similarly, on a read access, the encryption circuitry 56 checks the POT entry 52 for the corresponding page to determine the level of decryption required and which owner BD's key should be used for the decryption, decrypts the data read from memory 34 and then outputs the decrypted data over the bus 30 to the master that requested the data (i.e., the BDID identifies the key to be used in encrypting or decrypting the data, i.e., the BDID is the key identifier)), wherein the key ID is to be stored in the TDCS (parker: [0043]: For example, for each BDID, the BDDT 42 may specify a state of the blind domain as one of the following: [0044]-[0047]: For example, the BDDT 42 may specify a 2-bit state field for each BDID to identify the state of the corresponding blind domain, i.e., the BDDT stores the BDID of each blind domain. [0066]: The encryption circuitry 56 may maintain a number of secret encryption keys and each BDID may have its own key. [0068]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34, i.e., the BDID identifies the key to be used in encrypting the data, i.e., the BDDT stores the key ID); 
wherein the MOT security attributes comprise: a TD identifier assigning the host physical memory page to the TD (Parker: [0049]: Each entry 52 of the POT 50 includes the following information: [0050] an owner BDID field 54 which specifies the BDID of the BD which owns the corresponding physical page), and 
an expected guest physical address used in the TD for the TDRM to perform memory mapping of the host physical memory page (Parker: [0049]: As shown in FIG. 2, the page ownership table (POT) 50 includes a number of entries 52 each corresponding to a different page of the physical address space. The POT 50 is indexed by physical address. Each entry 52 of the POT 50 includes the following information: [0052] an address field 58: for pages whose owner BD uses virtual addresses or intermediate physical addresses (e.g. applications 6, 12, or virtual machines 4), the address field 58 specifies the VA or IPA which mapped to the physical address of the corresponding physical page at the time the page was claimed by the owner BD, i.e., the POT includes the virtual or intermediate physical addresses of the BD that will be mapped to the physical address of the corresponding physical page).
Parker teaches an instruction comprising the physical memory address space allocated to the guest execution environment but does not teach: wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction. However, Bish teaches:
wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Bish: [0034] A hypervisor is a virtual machine monitor which may create and/or run VMs. [0041] VMs used in the various embodiments described herein are preferably created such that each has a data structure (TDCS) which includes information about the respective VM. In preferred approaches, the data structure includes metadata unique to the VM. Thus, a data structure of a given VM may include parameters such as a size, an operational overview, security level, etc. of that VM. Moreover, the data structure may be in the form of a header according to some approaches, which is also referred to herein as a special header. [0048] Data stored on VMs are usually, but not always, protected by encrypted data. A protected VM file may include a small amount of unencrypted data (e.g., which may be header data) that contains the VM digital signature, i.e., the data structure storing the metadata is stored in the same region of memory as the VM).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bish in the invention of Parker to include the above limitations. The motivation to do so would be to improve protection in hypervisors and VMs (Bish: [0018]).

As per claim 3, Parker in view of Bish teaches:
The processing device of claim 1, wherein the TD-TCS references the TDCS, wherein the TDCS is to maintain a count of one or more TD-TCSs corresponding to a logical processor of the TD, and wherein the TD-TCS to store a supervisor execution state and a user execution state of the TD (Parker: [0139]: This context switching may be performed by protected exception handling. The state data of the processor, or wider system, at the time the change of context occurs may include many state parameters, e.g. register contents, configuration variables, program status values, etc. This state data is context data and may represent private information that it is desired not to allow to be available to other guest execution environments, or the hypervisor itself. [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. As an example, the restart data may include general purpose register contents. Also, [0141]. [0142]: The page descriptor entry also includes pointer (handle) to a location within the context data memory 814 to which context data for the process concerned is to be saved (and from which it is restored) when the process concerned is switched out. This pointer indicates a region of memory which is owned by the process concerned. The page descriptor entry also includes a current process status. [0144] At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. The execution context data may also include state data such as the general purpose register contents at the time the process was exited).

As per claim 7, Parker in view of Bish teaches:
The processing device of claim 1, wherein the TD comprises at least one of an operating system (OS) to manage one or more applications or the VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation to transition an operating context of the processing core from at least one of the VMM to the OS of the TD or from the TDRM to the VMM of the TD (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0141]: If the process to be started is not in the "ready state", then step 108 serves to restore its restart data from the pages of memory which it owns within the context data memory 814. [0144]: At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. Included within this state data is an indication of whether or not the process concern has already undergone some execution. If the process has not been executed already, then it is marked in this example as "new" (see "ready" state previously discussed). The execution context data may also include state data such as the general purpose register contents at the time the process was exited. These register contents may be restored when the process is re-entered. Also, [0122]-[0128]).

As per claim 8, Parker in view of Bish teaches:
The processing device of claim 1, wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD (Parker: [0039] The present application introduces the concept of a "blind hypervisor" which still manages the virtual machines 4 and controls which portions of the address space they can access, but which cannot necessarily see all the data associated with a given virtual machine 4).

As per claim 10, Parker in view of Bish teaches:
The processing device of claim 1, wherein the processing core is further to maintain measurement state of the TD in the TDCS that is access-controlled against software accesses from software comprising at least the TDRM, the VMM, or the other TDs executed by the processing device (Parker: [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. This restart data may, in some example embodiments, be state data sufficient to restart the interrupted process. As an example, the restart data may include general purpose register contents. Following the saving of the restart data into portions of the context data memory 814 owned by the process being interrupted at step 1002, step 1004 serves to destructively overwrite state data which is dependent upon the current process and that would be accessible to any other process following the switch to another process).

As per claim 11, Parker in view of Bish teaches:
The processing device of claim 1, wherein the TDRM manages the TD and the other TDs (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4).

As per claim 19, Parker teaches:
A system comprising: a memory device to store one or more instructions; and a processing device operably coupled to the memory device (Parker: [0040], [0042]), the processing device to execute the one or more instructions to: 
execute a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0039] The present application introduces the concept of a "blind hypervisor" which still manages the virtual machines 4 and controls which portions of the address space they can access, but which cannot necessarily see all the data associated with a given virtual machine 4. [0042]: Each of the processes 2, 4, 6, 10, 12, 14 of FIG. 1 may be referred to as a "blind domain" (BD)); 
maintain a user execution state and a supervisor execution state of the TD in a trust domain thread control structure (TD-TCS) that is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device (Parker: [0139]: This context switching may be performed by protected exception handling. The state data of the processor, or wider system, at the time the change of context occurs may include many state parameters, e.g. register contents, configuration variables, program status values, etc. This state data is context data and may represent private information that it is desired not to allow to be available to other guest execution environments, or the hypervisor itself. [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. As an example, the restart data may include general purpose register contents. Also, [0141], [0142]. [0144] At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. The execution context data may also include state data such as the general purpose register contents at the time the process was exited. Also, [0145]); and 
reference a memory ownership table (MOT) to obtain at least one key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key identified via the key ID (Parker: [0069]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34. Similarly, on a read access, the encryption circuitry 56 checks the POT entry 52 for the corresponding page to determine the level of decryption required and which owner BD's key should be used for the decryption, decrypts the data read from memory 34 and then outputs the decrypted data over the bus 30 to the master that requested the data (i.e., the BDID identifies the key to be used in encrypting or decrypting the data, i.e., the BDID is the key identifier)), 
wherein the MOT is to store security attributes for a host physical memory page assigned to the TD (Parker: [0048]: A page ownership table (POT) 50 is stored in memory 34 tracking which BD (if any) is the owner BD for each physical page of memory. For example, the owner BD can set attributes in the page ownership table 50 which control whether other BDs are allowed to access the page), 
wherein a trust domain control structure (TDCS) is to manage metadata of the TD, and wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Parker: [0043]-[0047]: A blind domain descriptor table (BDDT) 42 is provided within the memory 34 to track the state of each BD 2, 4, 6, 10, 12, 14. For example, for each BDID, the BDDT 42 may specify a state of the blind domain. For example, the BDDT 42 may specify a 2-bit state field for each BDID to identify the state of the corresponding blind domain, i.e., the BDDT stores the BDID of each blind domain. [0123] The hypervisor receives the request to initiate the guest execution environment creates a new virtual machine (VM) and allocates with the physical memory address space the pages to be used by the guest execution environment as well as setting up other parameters associated with the guest execution environment, as is normal in the action of a hypervisor. The hypervisor then forwards to the security controller the request for initialization of the guest execution environment, the encrypted executable code, page identifiers indicating the pages of physical memory address space that have been allocated by the hypervisor to the guest execution environment and a blind domain identifier to be used by the guest execution environment. Also, [0142]); 
wherein the MOT security attributes comprise: 4/11a TD identifier assigning the host physical memory page to the TD (Parker: [0049]: Each entry 52 of the POT 50 includes the following information: [0050] an owner BDID field 54 which specifies the BDID of the BD which owns the corresponding physical page), and an expected guest physical address used in the TD for the TDRM to perform memory mapping of the host physical memory page (Parker: [0049]: As shown in FIG. 2, the page ownership table (POT) 50 includes a number of entries 52 each corresponding to a different page of the physical address space. The POT 50 is indexed by physical address. Each entry 52 of the POT 50 includes the following information: [0052] an address field 58: for pages whose owner BD uses virtual addresses or intermediate physical addresses (e.g. applications 6, 12, or virtual machines 4), the address field 58 specifies the VA or IPA which mapped to the physical address of the corresponding physical page at the time the page was claimed by the owner BD, i.e., the POT includes the virtual or intermediate physical addresses of the BD that will be mapped to the physical address of the corresponding physical page).
Parker teaches an instruction comprising the physical memory address space allocated to the guest execution environment but does not teach: wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction. However, Bish teaches:
wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Bish: [0034] A hypervisor is a virtual machine monitor which may create and/or run VMs. [0041] VMs used in the various embodiments described herein are preferably created such that each has a data structure (TDCS) which includes information about the respective VM. In preferred approaches, the data structure includes metadata unique to the VM. Thus, a data structure of a given VM may include parameters such as a size, an operational overview, security level, etc. of that VM. Moreover, the data structure may be in the form of a header according to some approaches, which is also referred to herein as a special header. [0048] Data stored on VMs are usually, but not always, protected by encrypted data. A protected VM file may include a small amount of unencrypted data (e.g., which may be header data) that contains the VM digital signature, i.e., the data structure storing the metadata is stored in the same region of memory as the VM).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bish in the invention of Parker to include the above limitations. The motivation to do so would be to improve protection in hypervisors and VMs (Bish: [0018]).

As per claim 21, Parker in view of Bish teaches:
The system of claim 19, wherein the TD-TCS corresponds to a logical processor of the TD, the TD-TCS to store the user execution state and the supervisor execution state of the TD on a TD exit operation and load user and supervisor execution state of the TD on a TD enter operation, wherein the TD-TCS is access-controlled against software accesses from at least one of the TDRM, the VMM, or the other TDs executed by the processing device (Parker: [0140] At step 1000 processing waits until a context switching interrupt is received such as involuntary exit to a different process. State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. This restart data may, in some example embodiments, be state data sufficient to restart the interrupted process. Following the saving of the restart data into portions of the context data memory 814 owned by the process being interrupted at step 1002, step 1004 serves to destructively overwrite state data which is dependent upon the current process and that would be accessible to any other process following the switch to another process. [0141]: If the process is not in the ready state, then this indicates that it has already been scheduled for execution and executed at least once and accordingly will have its own context data which should be restored before its execution is re-started. If the process to be started is not in the "ready state", then step 108 serves to restore its restart data from the pages of memory which it owns within the context data memory 814. Also, Also, [0122]-[0128] and [0149]).

As per claim 23, Parker in view of Bish teaches:
The system of claim 19, wherein the VMM comprises the TDRM to manage the TD, wherein the TD comprises an operating system (OS) or a non-root VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation transitions an operating context of the processing device from the TDRM to the non-root VMM of the TD (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0141]: If the process to be started is not in the "ready state", then step 108 serves to restore its restart data from the pages of memory which it owns within the context data memory 814. [0144]: At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. Included within this state data is an indication of whether or not the process concern has already undergone some execution. If the process has not been executed already, then it is marked in this example as "new" (see "ready" state previously discussed). The execution context data may also include state data such as the general purpose register contents at the time the process was exited. These register contents may be restored when the process is re-entered. Also, [0122]-[0128]).

As per claim 26, Parker teaches:
A method comprising: 
executing, by a processing device, a trust domain resource manager (TDRM) to manage a trust domain (TD), wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0039] The present application introduces the concept of a "blind hypervisor" which still manages the virtual machines 4 and controls which portions of the address space they can access, but which cannot necessarily see all the data associated with a given virtual machine 4. [0042]: Each of the processes 2, 4, 6, 10, 12, 14 of FIG. 1 may be referred to as a "blind domain" (BD)); 
maintaining a user execution state and a supervisor execution state of the TD in a trust domain thread control structure (TD-TCS) that is access-controlled against software accesses from at least one of the TDRM, a virtual machine manager (VMM), or other TDs executed by the processing device (Parker: [0139]: This context switching may be performed by protected exception handling. The state data of the processor, or wider system, at the time the change of context occurs may include many state parameters, e.g. register contents, configuration variables, program status values, etc. This state data is context data and may represent private information that it is desired not to allow to be available to other guest execution environments, or the hypervisor itself. [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. As an example, the restart data may include general purpose register contents. Also, [0141], [0142]. [0144] At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. The execution context data may also include state data such as the general purpose register contents at the time the process was exited. Also, [0145]); and 
referencing a memory ownership table (MOT) to obtain at least one encryption key identifier (ID) corresponding to an encryption key assigned to the TD, the key ID to allow the processing device to decrypt memory pages assigned to the TD responsive to the processing device executing in the context of the TD, the memory pages assigned to the TD encrypted with the encryption key identified via the encryption key ID (Parker: [0069]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34. Similarly, on a read access, the encryption circuitry 56 checks the POT entry 52 for the corresponding page to determine the level of decryption required and which owner BD's key should be used for the decryption, decrypts the data read from memory 34 and then outputs the decrypted data over the bus 30 to the master that requested the data (i.e., the BDID identifies the key to be used in encrypting or decrypting the data, i.e., the BDID is the key identifier)), 
wherein the MOT is to store security attributes for a host physical memory page assigned to the TD (Parker: [0048]: A page ownership table (POT) 50 is stored in memory 34 tracking which BD (if any) is the owner BD for each physical page of memory. For example, the owner BD can set attributes in the page ownership table 50 which control whether other BDs are allowed to access the page), 
wherein a trust domain control structure (TDCS) is to manage metadata of the TD and wherein the TDRM is to cause creation of the TD using an instruction, wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Parker: [0043]-[0047]: A blind domain descriptor table (BDDT) 42 is provided within the memory 34 to track the state of each BD 2, 4, 6, 10, 12, 14. For example, for each BDID, the BDDT 42 may specify a state of the blind domain. For example, the BDDT 42 may specify a 2-bit state field for each BDID to identify the state of the corresponding blind domain. [0123] The hypervisor receives the request to initiate the guest execution environment creates a new virtual machine (VM) and allocates with the physical memory address space the pages to be used by the guest execution environment as well as setting up other parameters associated with the guest execution environment, as is normal in the action of a hypervisor. The hypervisor then forwards to the security controller the request for initialization of the guest execution environment, the encrypted executable code, page identifiers indicating the pages of physical memory address space that have been allocated by the hypervisor to the guest execution environment and a blind domain identifier to be used by the guest execution environment. Also, [0142]); 
wherein the MOT security attributes for the host physical memory page, the security attributes comprise: a TD identifier assigning the host physical memory page to the TD (Parker: [0049]: Each entry 52 of the POT 50 includes the following information: [0050] an owner BDID field 54 which specifies the BDID of the BD which owns the corresponding physical page), and an expected guest physical address used in the TD for the TDRM to perform memory mapping of the host physical memory page (Parker: [0049]: As shown in FIG. 2, the page ownership table (POT) 50 includes a number of entries 52 each corresponding to a different page of the physical address space. The POT 50 is indexed by physical address. Each entry 52 of the POT 50 includes the following information: [0052] an address field 58: for pages whose owner BD uses virtual addresses or intermediate physical addresses (e.g. applications 6, 12, or virtual machines 4), the address field 58 specifies the VA or IPA which mapped to the physical address of the corresponding physical page at the time the page was claimed by the owner BD, i.e., the POT includes the virtual or intermediate physical addresses of the BD that will be mapped to the physical address of the corresponding physical page).
Parker teaches an instruction comprising the physical memory address space allocated to the guest execution environment but does not teach: wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction. However, Bish teaches:
wherein the instruction specifies a region of physical memory for the TDCS as a parameter of the instruction (Bish: [0034] A hypervisor is a virtual machine monitor which may create and/or run VMs. [0041] VMs used in the various embodiments described herein are preferably created such that each has a data structure (TDCS) which includes information about the respective VM. In preferred approaches, the data structure includes metadata unique to the VM. Thus, a data structure of a given VM may include parameters such as a size, an operational overview, security level, etc. of that VM. Moreover, the data structure may be in the form of a header according to some approaches, which is also referred to herein as a special header. [0048] Data stored on VMs are usually, but not always, protected by encrypted data. A protected VM file may include a small amount of unencrypted data (e.g., which may be header data) that contains the VM digital signature, i.e., the data structure storing the metadata is stored in the same region of memory as the VM).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bish in the invention of Parker to include the above limitations. The motivation to do so would be to improve protection in hypervisors and VMs (Bish: [0018]).

As per claim 28, Parker in view of Bish teaches:
The method of claim 26, wherein the TD-TCS references the TDCS, wherein the TDCS to maintain a count of one or more TD-TCSs corresponding to a logical processor of the TD, and wherein the TD-TCS to store a supervisor execution state and a user execution state of the TD (Parker: [0139]: This context switching may be performed by protected exception handling. The state data of the processor, or wider system, at the time the change of context occurs may include many state parameters, e.g. register contents, configuration variables, program status values, etc. This state data is context data and may represent private information that it is desired not to allow to be available to other guest execution environments, or the hypervisor itself. [0140]: State 1002 saves restart data to a portion of a context data memory 814 owned by the process (guest execution environment) that is subject to the interruption. As an example, the restart data may include general purpose register contents. Also, [0141]. [0142]: The page descriptor entry also includes pointer (handle) to a location within the context data memory 814 to which context data for the process concerned is to be saved (and from which it is restored) when the process concerned is switched out. This pointer indicates a region of memory which is owned by the process concerned. The page descriptor entry also includes a current process status. [0144] At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. The execution context data may also include state data such as the general purpose register contents at the time the process was exited. Also, [0145]).

As per claim 32, Parker in view of Bish teaches:
The method of claim 26, wherein the TD comprises at least one of an operating system (OS) to manage one or more applications or the VMM to manage one or more virtual machines (VMs), and wherein a TD enter operation to transition an operating context of the processing device from at least one of the VMM to the OS of the TD or from the TDRM to the VMM of the TD (Parker: [0034]: A hypervisor 2 may manage a number of virtual machines (VMs, also known as guest operating systems or guest OS) 4. Each VM 4 may manage one or more applications 6. For example the hypervisor 2 may control which regions of an address space are allocated to each virtual machine 4 and control switching between the virtual machines 4. [0141]: If the process to be started is not in the "ready state", then step 108 serves to restore its restart data from the pages of memory which it owns within the context data memory 814. [0144]: At least some example embodiments include a blind domain execution context (or frame) BDEC that may be used to store state data of a process when switching that process into and out of execution. Included within this state data is an indication of whether or not the process concern has already undergone some execution. If the process has not been executed already, then it is marked in this example as "new" (see "ready" state previously discussed). The execution context data may also include state data such as the general purpose register contents at the time the process was exited. These register contents may be restored when the process is re-entered. Also, [0122]-[0128]).

As per claim 33, Parker in view of Bish teaches:
The method of claim 26, wherein the TDRM is not comprised in a trusted computing base (TCB) of the TD (Parker: [0039] The present application introduces the concept of a "blind hypervisor" which still manages the virtual machines 4 and controls which portions of the address space they can access, but which cannot necessarily see all the data associated with a given virtual machine 4. [0042]: Each of the processes 2, 4, 6, 10, 12, 14 of FIG. 1 may be referred to as a "blind domain" (BD)).

Claims 2, 6, 20, 27 and 31 are rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claims 1, 19 and 26 above, and further in view of prior art of record US 20080082772 to Savagaonkar et al (hereinafter Savagaonkar).
As per claims 2, 20 and 27, Parker in view of Bish does not explicitly teach: wherein the VMM comprises a TDRM component to provide memory management for at least one of the TD, the other TDs, or one or more virtual machines (VMs) via Extended Page Tables (EPTs). However, Savagaonkar teaches: 
wherein the VMM comprises a TDRM component to provide memory management for at least one of the TD, the other TDs, or one or more virtual machines (VMs) via Extended Page Tables (EPTs) (Savagaonkar: [0018]: For example, page tables 108 may include base and extended page tables, providing mappings of linear virtual addresses of virtual machine 106 to guest physical addresses of virtual machine 106, of the guest physical addresses to host physical addresses of the computing device 102, and as well as storing security domains for memory pages of the computing device 102).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Savagaonkar in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to protect software agents, in particular, critical software agents, in a VT environment more efficiently and effectively (Savagaonkar: [0009]).

As per claims 6 and 31, Parker in view of Bish and Savagaonkar teaches:
The processing device of claim 2, wherein the processing core to reference the MOT for host physical memory pages accessed as part of page walk operations to access a guest physical memory page mapped by the EPTs (Parker: [0049]: Each entry 52 of the POT 50 includes the following information: [0050] an owner BDID field 54 which specifies the BDID of the BD which owns the corresponding physical page. [0073]: If the S1TLB does not contain a corresponding entry for the VA 70 and ASID 73, a page table walk is performed to fetch the required entry from the S1 page tables 80. Once the required entry is in the S1TLB, the S1MMU 40-1 checks whether an access of the type specified by the read/write attribute 72 is permitted for the specified ASID 73 and virtual address 70. Savagaonkar: [0018]: For example, page tables 108 may include base and extended page tables).
The examiner provides the same rationale to combine prior arts Parker in view of Bish and Savagaonkar as in claims 2 and 27 above.

Claims 4, 5, 9, 22, 29, 30 and 34 are rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claims 1, 19 and 26 above, and further in view of prior art of record US 20170277898 to Powell et al (hereinafter Powell).
As per claims 4 and 29, Parker in view of Bish teaches:
The processing device of claim 1, wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device (Parker: [0066]: The encryption circuitry 56 may maintain a number of secret encryption keys and each BDID may have its own key. The encryption circuitry 56 supports a number of different levels of encryption, ranging from no encryption at all (data is written to the memory in the clear), through successively stronger forms of encryption).
Parker in view of Bish teaches an encryption circuitry managing keys used for encryption but does not teach: wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device. However, Powell teaches: 
wherein the encryption key is generated by a multi-key total memory encryption (MK-TME) engine of the processing device (Powell: [0016]: In particular, the security module can authenticate itself to other processing systems, such as processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software. Also, [0017]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Powell in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to prevent unauthorized access to the keys by malicious software (Powell: [0016]).

As per claims 5 and 30, Parker in view of Bish and Powell teaches:
The processing device of claim 4, wherein the MK-TME engine generates a plurality of encryption keys accessed via key IDs assigned to the TD for use in encrypting and decrypting the memory pages of the TD, and encrypting and decrypting memory pages corresponding to persistent memory assigned to the TD, and wherein the MOT to track the plurality of key IDs via one key ID associated with each entry in the MOT (Powell: [0017]: In response to requests from the hypervisor, the security module can generate authentication keys to authenticate the security module and encryption keys to encrypt data to be stored at the encrypted address space for the VM. [0020]: The encryption module employs the encryption key to encrypt an address space for the VM. [0040]: In some embodiments, the security module 130 identifies the key to be selected based on which entity is currently being executed at the processor 102. The encryption module 115 employs the selected key to encrypt the information to be written and provides the write request, with the encrypted information, to the memory 120 for storage. In some embodiments, the encryption module 115 uses both the selected key and the physical address of the memory access request for encryption and decryption of the corresponding information. Parker: [0069]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34. Similarly, on a read access, the encryption circuitry 56 checks the POT entry 52 for the corresponding page to determine the level of decryption required and which owner BD's key should be used for the decryption, decrypts the data read from memory 34 and then outputs the decrypted data over the bus 30 to the master that requested the data).

As per claims 9 and 34, Parker in view of Bish teaches that the TDCS comprises a signature structure (Bish: [0042], [0048]) but does not explicitly teach: wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party for verification of the cryptographic measurement. However, Powell teaches:
wherein the TDCS comprises a signature structure that captures a cryptographic measurement of the TD, the cryptographic measurement signed by a hardware root of trust of the processing device, and wherein the signature structure is provided to an attestation party for verification of the cryptographic measurement (Powell: [0016]: employing a processor with a security module, wherein the security module manages authentication and encryption keys for the processor. [0017]: In response to requests from the hypervisor, the security module can generate authentication keys to authenticate the security module and encryption keys to encrypt data to be stored at the encrypted address space for the VM. Thus, the keys for authentication of the security module and for encryption of corresponding address spaces are generated and maintained by the firmware of the security module in response to requests from the hypervisor. The authentication and encryption keys are therefore not accessible by the hypervisor. [0019] Second, the security module can perform an attestation function wherein it provides to the requestor proof of the integrity and proper initialization of the guest VM. For example, during launch of the guest VM at the processing system of the security module, the security module can record state information for the guest VM as it launches and create a signature based on the states using a generated launch integrity key. The security module provides the signed state information to the requestor, which authenticates the signature and compares the signed state information to expected state information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Powell in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to prevent a flawed or malicious hypervisor from accessing the keys and thereby reading information, at the encrypted address space, that the hypervisor is not authorized to read (Powell: [0017]).

As per claim 22, Parker in view of Bish teaches:
The system of claim 19, wherein the encryption key is generated by a multi- key total memory encryption (MK-TME) engine of the processing device, and wherein the MK- TME engine generates a plurality of encryption keys assigned to the TD via key IDs for use in encrypting ephemeral memory pages or persistent memory pages of the TD, and wherein the MOT to track the plurality of encryption key IDs via one key ID associated with each entry in the MOT (Parker: [0066]: The encryption circuitry 56 may maintain a number of secret encryption keys and each BDID may have its own key. The encryption circuitry 56 supports a number of different levels of encryption, ranging from no encryption at all (data is written to the memory in the clear), through successively stronger forms of encryption. [0069]: The encryption circuitry 56 selects the appropriate encryption key for the owner BD indicated in the BDID 54 field of that POT entry 52, and encrypts the data using the key and the specified level of encryption, before writing the encrypted data to memory 34. Similarly, on a read access, the encryption circuitry 56 checks the POT entry 52 for the corresponding page to determine the level of decryption required and which owner BD's key should be used for the decryption, decrypts the data read from memory 34 and then outputs the decrypted data over the bus 30 to the master that requested the data).
Parker in view of Bish teaches a secure processor managing keys used for encryption but does not teach: wherein the encryption key is generated by a multi- key total memory encryption (MK-TME) engine of the processing device, and wherein the MK- TME engine generates a plurality of encryption keys assigned to the TD via key IDs for use in encrypting ephemeral memory pages or persistent memory pages of the TD. However, Powell teaches:
wherein the encryption key is generated by a multi- key total memory encryption (MK-TME) engine of the processing device, and wherein the MK- TME engine generates a plurality of encryption keys assigned to the TD via key IDs for use in encrypting ephemeral memory pages or persistent memory pages of the TD (Powell: [0017]: In response to requests from the hypervisor, the security module can generate authentication keys to authenticate the security module and encryption keys to encrypt data to be stored at the encrypted address space for the VM. [0020]: The encryption module employs the encryption key to encrypt an address space for the VM. [0040]: In some embodiments, the security module 130 identifies the key to be selected based on which entity is currently being executed at the processor 102. The encryption module 115 employs the selected key to encrypt the information to be written and provides the write request, with the encrypted information, to the memory 120 for storage. In some embodiments, the encryption module 115 uses both the selected key and the physical address of the memory access request for encryption and decryption of the corresponding information).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Powell in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to prevent unauthorized access to the keys by malicious software (Powell: [0016]).

Claim 35 is rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claim 1 above, and further in view of prior art of record US 20150261576 to Gong et al (hereinafter Gong).
As per claim 35, Parker in view of Bish teaches that the blind domain descriptor table (BDDT) tracks the state of each BD using a 2-bit state field ([0047]) but does not teach: wherein the TDCS is to maintain a count of how many TD-TCSs associated with the TDCS are currently busy. However, Gong teaches:
wherein the TDCS is to maintain a count of how many TD-TCSs associated with the TDCS are currently busy (Gong: [0032]: The group management module 122 can receive data specifying the assignment of VMs to groups, e.g., from the provided user interface, and store the data in a group data index 124. The group data index 124 stores data identifying each group and, for each group, data identifying the VMs assigned to the group and the number of active VMs. An active VM is a VM that has been initialized by the virtualization layer 120 and is currently executing. For example, as shown in FIG. 1, Group 1 has three active VMs; Group 2 has no active VMs, and Group n has 2 active VMs. The group data index 124 may be a host configuration file stored in memory 116 or the local storage unit 118 of the hardware platform).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Gong in the invention of Parker in view of Bish to include the above limitations. The claim would have been obvious because a particular known technique was recognized as part of the ordinary capabilities of one skilled in the art (see KSR Int’l Co. v. Teleflex Inc. 550 U.S. ___, 82 USPQ2d 1385 (Supreme Court 2007) (KSR)).

Claim 36 is rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claim 1 above, and further in view of prior art of record US 10353729 to Bell et al (hereinafter Bell).
As per claim 36, Parker in view of Bish does not teach: wherein the TDCS is to indicate a maximum number of logic processors allowable to be assigned to the TD. However, Bell teaches:
wherein the TDCS is to indicate a maximum number of logic processors allowable to be assigned to the TD (Bell: column 5, lines 31-55: The configuration file generally specifies a configuration for the virtual machine 142, which may include, for example, a number of virtual processors to allocate to virtual machine 142, an amount of random access memory (RAM) to allocate to virtual machine 142, a location of a virtual machine image from which virtual machine 142 executes, one or more files serving as a virtualized local storage for virtual machine 142, and the like).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Bell in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to instantiate a virtual machine container in which virtual machine executes based on the configuration file (Bell: column 5, lines 53-56). 

Claim 37 is rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claim 1 above, and further in view of prior art of record US 20170132158 to Axnix et al (hereinafter Axnix).
As per claim 37, Parker in view of Bish does not teach: wherein the TDCS is to indicate whether the TD shares one encryption key with another TD. However, Axnix teaches:
wherein the TDCS is to indicate whether the TD shares one encryption key with another TD (Axnix: [0039] In FIG. 5 a look-up table 80 for the memory layout of FIG. 4 with an extended look-up table 84 according to an embodiment of the present invention is depicted. Further the look-up table 80 contains shared keys 33 (indicated in the table as sha, shb, shc, . . . ) for access to shared memory regions 64 between host and virtual machines like VMs 10, 12, 14 as well as shared keys 34 (indicated in the table as sg1b) for access to shared memory regions 64 between the virtual machines like VMs 10, 12, 14 among each other).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Axnix in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to perform communication between the virtual machines (Axnix: [0042]).

Claim 39 is rejected under 35 U.S.C. 103 as being unpatentable over Parker in view of Bish as applied to claim 1 above, and further in view of prior art of record US 20150058843 to Holler et al (hereinafter Holler).
As per claim 39, Parker in view of Bish does not teach: wherein the TD-TCS is to maintain an execution state of one or more virtual processors of the TD. However, Holler teaches:
wherein the TD-TCS is to maintain an execution state of one or more virtual processors of the TD (Holler: [0039]: Examples of resource-related metrics include statistics that indicate: CPU Usage metrics that indicate amount of actively used virtual CPU).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to employ the teachings of Holler in the invention of Parker in view of Bish to include the above limitations. The motivation to do so would be to determine whether a state of resource contention exists among the plurality of compute clusters for computing resources of the virtualized computing environment based on the received cluster-related metrics and resource-related metrics (Holler: [0040]).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
	
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MADHURI R HERZOG whose telephone number is (571)270-3359. The examiner can normally be reached 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MADHURI R. HERZOG
Primary Examiner
Art Unit 2438



/MADHURI R HERZOG/Primary Examiner, Art Unit 2438