DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Allowable Subject Matter
Claims 22-25 allowed.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 1-21 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Smith et al. (Smith)(Pub NO. US 2019/0042759)
Regarding claim 1 Smith discloses: A system, comprising: a memory that stores computer executable components; a processor that executes computer executable components stored in the memory, wherein the computer executable components comprise: [Figures 7 and 2: "Computing Device 100” with "Computing Engine 120”, “Memory 126" and "“Containers 212" [0014]… “a computing device 100 for trusted container execution”] 
a boot component that performs at least a portion of a trusted boot sequence to securely boot the system to a defined secure state [Figure 6; [0001]: “Trusted and secure boot systems...”; [0014]: "the computing device 100 performs a trusted boot process that measures platform components, extending into a container runtime.... [0040]: "... the container runtime component 216 of the computing device 100 boots the container 212 quest environment. The container 212 quest environment may perform a virtual trusted boot process. Similar to the physical trusted boot process described above in connection with blocks 304 to 310."]   wherein one or more types [Smith teaches a physical trusted boot process and subsequent virtual trusted boot process in Fig.3 and Fig.4. Since booting from modified kernel or loading additional kernel of the present application is impossible. So that these types of administrative access to the container memory are deactivated]
a core service component started as a part of the trusted boot sequence and that securely obtains one or more decryption keys for use with the container memory; [[0014], [0016], [0038]-[0039] Fig.4. ], the encryption keys in smith can be symmetric keys, so that they are also decryption keys.] and a runtime decryption component that uses the one or more decryption keys to perform runtime decryption [Fig.1. item 122 [0016], multi key total memory encryption (MKTME) support 122]   of one or more files accessed by an entrypoint process of a container associated with the container memory or a descendant of the entrypoint process. [[0034] and [0039], Every container comprises an entrypoint. process and possibly one or more descendant processes of this entrypoint process. [0039] only the process of the of the containerized application 218 and/or container component 220. i.e. the processor of the container ca access runtime decrypted container memory] 
Claims 9, 17 and 19 are having similar limitations to that of the apparatus of claim 1. Accordingly, claims 9, 17 and 19 are rejected under a similar rational as that of claim 1 above. 
Regarding claim 2 Smith discloses:  the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through booting from a modified kernel which is modified with respect to a trusted kernel associated with the trusted boot sequence; or administrative access to the container memory through loading additional kernel modules, in addition to kernel modules of the trusted kernel. [Smith teaches a physical trusted boot process and subsequent virtual trusted boot process in Fig.3 and Fig.4. Since booting from modified kernel or loading additional kernel of the present application is impossible. [[0030] and [0031]]
Regarding claim 3 Smith discloses: the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through one or more virtual memory management devices; or administrative access to the container memory through one or more runtime debugging functions.  [[0030] and [0031 use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]]
Regarding claim 4 Smith discloses: the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through pausing a running process to view a memory associated with the running process; or administrative access to the container memory through kernel memory swap operations.  [Smith teaches a physical trusted boot process and subsequent virtual trusted boot process in Fig.3 and Fig.4. Since booting from modified kernel or loading additional kernel of the present application is impossible. [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 5 Smith discloses: the trusted boot sequence includes measuring the core service component and storing a resulting core service component measurement in a Trusted Processing Module (TPM) Platform Configuration Register (PCR).  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 6 Smith discloses: the core service component securely obtains the one or more decryption keys using a Trusted Processing Module (TPM) remote attestation to a trusted third party service device.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 7 Smith discloses: the runtime decryption component passes through one or more requests for non-encrypted files, and wherein the runtime decryption component checks process identifiers (PIDs) of one or more processes requesting encrypted files to ensure the PIDs belong to the entrypoint process of the container, or a descendant process of the entrypoint process.  [[0034] and [0039], Every container comprises an entrypoint. process and possibly one or more descendant processes of this entrypoint process. [0039] only the process of the of the containerized application 218 and/or container component 220. i.e. the processor of the container ca access runtime decrypted container memory]
Regarding claim 8 Smith discloses: the runtime decryption component uses the one or more decryption keys to decrypt an encrypted container image to instantiate the container.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 10 Smith discloses: the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through booting from a modified kernel which is modified with respect to a trusted kernel associated with the trusted boot sequence; or administrative access to the container memory through loading additional kernel modules, in addition to kernel modules of the trusted kernel.  [Smith teaches a physical trusted boot process and subsequent virtual trusted boot process in Fig.3 and Fig.4. Since booting from modified kernel or loading additional kernel of the present application is impossible. [[0030] and [0031]]
Regarding claim 11 Smith discloses: the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through one or more virtual memory management devices; or administrative access to the container memory through one or more runtime debugging functions.  [[0030] and [0031 use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]]
Regarding claim 12 Smith discloses: the one or more types of administrative access to the container memory which are deactivated include one or more of: administrative access to the container memory through pausing a running process to view a memory associated with the running process; or administrative access to the container memory through kernel memory swap operations.  [Smith teaches a physical trusted boot process and subsequent virtual trusted boot process in Fig.3 and Fig.4. Since booting from modified kernel or loading additional kernel of the present application is impossible. [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 13 Smith discloses: the trusted boot sequence includes measuring the core service component and storing a resulting core service component measurement in a Trusted Processing Module (TPM) Platform Configuration Register (PCR), and wherein the securely obtaining the one or more decryption keys employs TPM remote attestation to a trusted third party service device.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 14 Smith discloses: the runtime decryption component operatively coupled to the processor, the one or more decryption keys to perform runtime decryption of one or more files accessed by a container associated with the container memory comprises: passing through, by the runtime decryption component, one or more requests for non- encrypted files; and checking, by the runtime decryption component, process identifiers (PIDs) of one or more processes requesting encrypted files to ensure the PIDs belong to an entrypoint process of the container, or a descendant process of the entrypoint process.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 15 Smith discloses: comprising employing, by the runtime decryption component, the one or more decryption keys to decrypt an encrypted container image to instantiate the container.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]

Regarding claim 16 Smith discloses: the computer-implemented method enhances security of the container at a container server by securing data associated with the container from the one or more types of administrative access to the container memory during instantiation and runtime of the container at the container server.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 18 Smith discloses: the program instructions are further executable by the processing component to cause the processing component to: manage one or more file accesses by the container at least in part by passing through one or more requests to access non-encrypted files, and check process identifiers (PIDs) of one or more processes requesting access to encrypted files to ensure the PIDs belong to an entrypoint process of the container or a descendant process of the entrypoint process.  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 20 Smith discloses: instantiating the one or more containers by the docker component comprises: instantiating, by the system, at least one first container daemon component operatively coupled to the processor; instantiating, by the system, the runtime decryption component; and instantiating, by the system, the at least one of the one or more containers.   [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]
Regarding claim 21 Smith discloses: the runtime decryption component employs a filesystem intermediary to check the PIDs of the one or more processes requesting access to encrypted files.  .  [[0030] and [0031] use of platform configuration register (PCR) of physical TPM 132 to ensure the secure boot sequence]

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZAHID CHOUDHURY whose telephone number is (571)270-5153. The examiner can normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kim Huynh can be reached on 571-272-4147. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/ZAHID CHOUDHURY/Primary Examiner, Art Unit 2186