Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION
This office action has been issued in response to arguments/amendments filed on 12/13/2021. Claims 1-20 are presented for examination.


Response to Arguments
1.	Applicant’s amendment with respect to claims 1, and 19-20 are sufficient to overcome the rejection under 35 USC § 112(b). Accordingly, the rejection is withdrawn.

2.	Applicant’s arguments/amendments regarding the rejection of claims 1-20, filed on 13/12/2021 as recited in pages 9-10, have been fully considered but arguments are moot because newly added limitation to the claim (s) requires a new ground of rejection necessitated by amendments.





3.         In response to applicant's argument regarding the rejection of claims -4, 6-8, and 10-20, as recited in page 9, “The Office Action fails to provide a valid reason to combine the cited references. In particular, the Office Action asserts that "it would have been obvious to one of ordinary skill in the art...to modify the invention of Boenisch by including generating a unique operating system identifier during initial booting taught by Kane for the advantage of efficiently maintains identification of co-located containers in hosts even if the hosts perform reboot operations at intermittent, unknown, or unscheduled times. However, the invention of Boenisch already appears to provide this advantage. Boenisch teaches using a boot device identifier associated with a boot device configured to boot the operating system. Thus, co-located containers would be associated with the same boot device identifier for the operating system on the host. Further, it appears that the boot device identifier would not change based on the host performing reboot operations, thus it would still maintain identification of co-located containers through reboots. Thus, one of ordinary skill in the art would not modify Boenisch using Kane for the advantage asserted in the Office Action. As conceded in the Office Action, Boenisch fails to teach or suggest in response to initial booting of an operating system instance in a container, generating a unique operating system identifier for the operating system instance. For at least these reasons, Applicant respectfully requests that the rejections of claims 1-4, 6-8, and 10-20 be withdrawn.”
      	Examiner respectfully points out to applicant that the secondary reference Kane is from the same field of endeavor as the primary reference Boenisch and further Kane was used to find the teaching for the missing limitation of “in response to initial booting efficiently maintains identification of co-located containers in hosts even if the hosts perform reboot operations at intermittent, unknown, or unscheduled times) in (para. [0043]). Further, Kane "does not criticize, discredit, or otherwise discourage” the method of allow access to an HSM by an instance of an operating system that had been running on the host server for a substantial time prior to needing to access the HSM.
Further, the “reason or motivation to modify the reference may often suggest what the inventor has done, but for a different purpose or to solve a different problem. It is not necessary that the prior art suggest the combination to achieve the same advantage or result discovered by applicant. In re Linter, 458 F.2d 1013, 173 USPQ 560 (CCPA 1972).
Further, the arguments of counsel cannot take the place of evidence in the record. In re Schulze, 346 F.2d 600, 602, 145 USPQ 716, 718 (CCPA 1965). Examples of attorney statements which are not evidence and which must be supported by an appropriate affidavit or declaration include statements regarding unexpected results, commercial success, solution of a long-felt need, inoperability of the prior art, invention before the date of the reference, and allegations that the author(s) of the prior art derived the disclosed subject matter from the applicant. 
Therefore, the motivation is correct and maintained.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.


4.	Claims 1-4, 6-8, and 10-20 rejected under 35 U.S.C. 103 as being unpatentable over Boenisch et al. (US Pub No. 2016/0092687, hereinafter “Boenisch”) in view of Kane et al. (US Pub No. 2019/0065214, hereinafter “Kane”).

Regarding claim 1, Boenisch does disclose, a method for sharing secret data among multiple containers, the method comprising: storing, by a grant authority, the unique operating system identifier in a reserved area of a secure storage device (Boenisch, (para. [0031] and claim 16), the HSM management console may also configure the HSM to store a boot device identifier associated with the guest OS's boot device; (para. [0030]), where the confidential information may be stored in a protected area of the HSM); in response to a request from the operating system instance to access secret data in the secure storage device, determining, by the grant authority, the unique operating system identifier is stored in the secure storage device; and granting the operating system instance access to secret data in a non-reserved Boenisch, (para. [0040, 0030]), the method 400 described as occurring during a boot of an operating system, … . For example, firmware may use steps of the method 400 to allow access to an HSM by an instance of an operating system that had been running on the host server for a substantial time prior to needing (or requesting) to access the HSM; (para. [0038, 0041]), where the firmware may query more than one HSM in an attempt to determine which of several HSM's is the one or more HSM's associated with the guest OS that is being booted. In such embodiments, the firmware may review several boot device identifiers received from the several HSM's in order to determine the proper HSM (e.g., the HSM that the guest OS has the right to access). For each HSM that does not have a boot device identifier matching the boot device of the guest OS, the guest OS is denied access to that HSM; (para. [0033]), where the HSM management console 303 may store (on the HSM 310) authorized boot device identifiers 312, which are associated with boot devices that are used to boot guest OS's authorized to access the HSM 310 in order to utilize confidential information 311. In an example, the authorized boot device identifier 312 may be a copy of a boot device identifier that is part of boot device 320, which is itself the boot device associated with the guest OS 340).  
Boenisch does not explicitly disclose but the analogous art Kane discloses, in response to initial booting of an operating system instance in a container, generating a unique operating system identifier for the operating system instance (Kane, (para. [0018, 0025]), the boot ID 114 is a value (e.g., hash) that uniquely identifies the boot session of the operating system 110. The operating system 110 may generate the boot ID 114 upon startup or in response to a request, and may store the boot ID as accessible data to the agent 112 and/or the component 108).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Boenisch by including generating a unique operating system identifier during initial booting taught by Kane for the advantage of efficiently maintains identification of co-located containers in hosts even if the hosts perform reboot operations at intermittent, unknown, or unscheduled times (Kane, (para. [0043])).

Regarding claim 2, the combination of Boenisch-Kane does disclose, the method according to claim 1, further comprising: in response to a request to remove the assignment of a second operating system instance from the secure storage device, deleting, by the grant authority, the unique identifier for the second operating system from the reserved area in the secure storage device while maintaining at least one other unique identifier in the reserved area of the secure storage device (Boenisch, (para. [0021]), where confidential information stored on an HSM is wiped clean before the HSM is reassigned from an old user to a new user where reassigned user id will be remained while the old id is wiped clean).  

Regarding claim 3, the combination of Boenisch-Kane does disclose, the method according to claim 1, wherein the multiple containers include a plurality of virtual machines, wherein at least one virtual machine of the plurality is managed by a hypervisor (Boenisch, (para. [0024] and figure 6), Servers within cloud computing environment 100 may host logical partitions (LPAR's) including, for example, virtual machines; (para. [0042]), where this system may include two LPAR's 601 and 602 that are managed by a hypervisor 603).  

Regarding claim 4, the combination of Boenisch-Kane does disclose, the method according to claim 1, wherein the secure storage device includes a hardware security module with a memory (Boenisch, (para. [0032]), the HSM 310 may be bound to the guest OS 340 when the system image of the guest OS 340 is copied onto the internal memory of the HSM 310).  

Regarding claim 6, the combination of Boenisch-Kane does disclose, the method according to claim 4, further comprising: in response to a request to remove the assignment of the operating system instance from a domain on the hardware security module, deleting, by the grant authority, the unique identifier for the operating system from the reserved area in the domain (Boenisch, (para. [0021]), where confidential information stored on an HSM is wiped clean before the HSM is reassigned from an old user to a new user).  

Regarding claim 7, the combination of Boenisch-Kane does disclose, the method according to claim 4, wherein a domain on the hardware security module is marked as shared by: setting a trusted key entry flag to an "add" state (Boenisch, (para. [0029]), HSM management console may include a trusted key entry console); and marking the domain as shared in a shared domain mask (Boenisch, (para. [0044]), where the crypto co-processor 604 comprises a shared HSM (e.g., an HSM that may be configurable to be used with different LPAR's, for example, at different times); (para. [0002]), where an HSM may be a hardware adapter or a partition within a self-virtualizing adapter (e.g., a cryptographic domain in a crypto adapter)).  

Regarding claim 8, the combination of Boenisch-Kane does disclose, the method according to claim 4, further comprising: creating secure binding data together with the unique operating system identifier in the reserved area in a domain on the hardware security module; and setting a shared flag for the domain (Boenisch, (para. [0024]), the binding of HSM's to guest OS's is discussed).  

Regarding claim 10, the combination of Boenisch-Kane does disclose, the method according to claim 8, wherein a firmware of a computer system provides secure binding data to the hardware security module for verification (Boenisch, (para. [0035]), firmware of the host server may detect the boot device identifier of the boot device. In some embodiments, the firmware may be trusted firmware that is configured to prevent tampering by customers (e.g., users). Tampering prevention may be implemented, for example, using hardware of the host server and may be verifiable using specific technologies). 
 
Regarding claim 11, the combination of Boenisch-Kane does disclose, the method according to claim 8, further comprising: removing the assignment of the operating system instance from a domain on the hardware security module by: deleting secure binding data from the reserved area; verifying that the secret data has only been Boenisch, (para. [0021]), where confidential information stored on an HSM is wiped clean before the HSM is reassigned from an old user to a new user). 
 
Regarding claim 12, the combination of Boenisch-Kane does disclose, the method according to claim 4, wherein the grant authority allows sharing of domains by providing respective unique operating system identifiers of the domains (Boenisch, (para. [0036]), per block 406, once the firmware has both the boot device identifier from the boot device and the second boot device identifier from the HSM, the identifiers are compared. In some embodiments, this comparison may be made by an identifier comparison module within the firmware. Per decision block 407, a determination may be made as to whether the identifiers match. If the identifiers do match, then, per block 408, the boot device is authenticated, and the booted guest OS is granted access to the HSM).  

Regarding claim 13, the combination of Boenisch-Kane does disclose, the method according to claim 8, further comprising:  P201802739US01Page 29 of 33in response to the request for initial booting of the operating system in a virtual machine, checking the shared flag by verifying that secure binding data matches the unique identifier of the requesting operating system instance (Kane, (para. [0018, 0025]), the boot ID 114 is a value (e.g., hash) that uniquely identifies the boot session of the operating system 110. The operating system 110 may generate the boot ID 114 upon startup or in response to a request, and may store the boot ID as accessible data to the agent 112 and/or the component 108); and granting access to the secret data (Boenisch, (para. [0036]), per block 406, once the firmware has both the boot device identifier from the boot device and the second boot device identifier from the HSM, the identifiers are compared. In some embodiments, this comparison may be made by an identifier comparison module within the firmware. Per decision block 407, a determination may be made as to whether the identifiers match. If the identifiers do match, then, per block 408, the boot device is authenticated, and the booted guest OS is granted access to the HSM).  

Regarding claim 14, the combination of Boenisch-Kane does disclose, the method according to claim 10, wherein the firmware stores a set of unique operating system identifiers in a domain control block (Boenisch, (para. [0033]), the HSM management console 303 may store (on the HSM 310) authorized boot device identifiers 312, which are associated with boot devices that are used to boot guest OS's authorized to access the HSM 310 in order to utilize confidential information 311).  

Regarding claim 15, the combination of Boenisch-Kane does disclose, the method according to claim 13, wherein the firmware reads the set of unique operating system identifiers from the domain control block and routes replies from the hardware security module to the virtual machines, according to the set of unique operating system identifiers (Boenisch, (para. [0038]), the firmware may query more than one HSM in an attempt to determine which of several HSM's is the one or more HSM's associated with the guest OS that is being booted. In such embodiments, the firmware may review several boot device identifiers received from the several HSM's in order to determine the proper HSM (e.g., the HSM that the guest OS has the right to access). For each HSM that does not have a boot device identifier matching the boot device of the guest OS, the guest OS is denied access to that HSM).  

Regarding claim 16, the combination of Boenisch-Kane does disclose, the method according to claim 1, further comprising: generating a secure hash for the operating system instance based on the unique identifier of the operating system instance and domain specific cryptographic configuration data; and using the secure hash to determine whether to grant access to the secret data (Boenisch, (para. [0037]), the second boot device identifier stored on the HSM may be stored in the form of a hash value. In such embodiments, the boot device identifier detected on the boot device itself may first be hashed prior to being compared with the hashed copy from the HSM. This use of hash values may aid in determining whether tampering has taken place).  

Regarding claim 17, the combination of Boenisch-Kane does disclose, the method according to claim 16, wherein a system firmware key is used for generating the secure hash (Boenisch, (para. [0037]), the second boot device identifier stored on the HSM may be stored in the form of a hash value. In such embodiments, the boot device identifier detected on the boot device itself may first be hashed prior to being compared with the hashed copy from the HSM. This use of hash values may aid in determining whether tampering has taken place).  

Regarding claim 18, the combination of Boenisch-Kane does disclose, the method according to claim 16, wherein cryptographic configuration data of a virtual machine is stored as the secure hash in the domain of the hardware security module (Boenisch, (para. [0037]), the boot device identifier detected on the boot device itself may first be hashed prior to being compared with the hashed copy from the HSM. This use of hash values may aid in determining whether tampering has taken place; (para. [0024] and figure 6), where Servers within cloud computing environment 100 may host logical partitions (LPAR's) including, for example, virtual machines).  

Regarding claim 19, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Regarding claim 20, the substance of the claimed invention is similar to that of claim 1. Accordingly, this claim is rejected under the same rationale.

Allowable Subject Matter
Claims 5 and 9 are objected to as being dependent upon a rejected base claims, but would be allowable if rewritten or amended in independent form including all of the 


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MORSHED MEHEDI	whose telephone number is (571) 270-7640. The examiner can normally be reached on M - F, 8:00 am to 4:00 pm EST.    If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey L. Nickerson can be reach on (469) 295-9235. The fax number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent 

/MORSHED MEHEDI/Primary Examiner, Art Unit 2432