DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6, 8, 10-12, and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over Brutch et al. (hereinafter Brutch) (US 2009/0165117 A1).

As to claim 1, Brutch teaches a system (system features a hardware trusted platform module (TPM), and a virtual TPM (vTPM) manager) (Abstract) comprising: 
a storage medium (ROM 42, RAM 26, or Mass Storage 36) to store a plurality of information elements that relate to corresponding virtual trusted platform module (TPM) interfaces (vTPM Driver 87 or sTPM 56, etc.), wherein each respective information element (addresses or data from the ACPI TPM table) of the plurality of information elements corresponds to a respective virtual machine (VM) of a plurality of VMs (Fig. 1; [0023]; [0029]; [0032]-[0033]; [0040]; [0045]); 

a processor resource (Processor 22 or PU 30, or PU 32, etc.) to execute the plurality of VMs to use the information elements to access the corresponding virtual TPM interfaces to invoke the security operations (security services) of the virtual TPMs, wherein a first VM of the plurality of VMs is to access a first virtual TPM interface of the virtual TPM interfaces to request that a security operation of a respective virtual TPM be performed (Abstract; Fig. 1; [0059]).
Although Brutch does not literally use the term “interfaces” or “virtual trusted platform module (TPM) interfaces,” one of ordinary skill in the art before the effective date of the application would understand that either of Brutch’s TPM driver 57, TPM Driver 87, or sTPM 56, sTPM 66, etc., could satisfy the broadest reasonable interpretation of the claimed virtual TPM interface.  Having these drivers or interfaces for the trusted VMs would all have the same benefit of connecting the trusted VM(s) to the controller/vTPM 80/vTPM Mgr 88.      

As to claim 2, Brutch teaches wherein the information elements are included in Advanced Configuration and Power Interface (ACPI) tables ([0040]).

As to claim 3, Brutch teaches wherein the ACPI tables comprise ACPI TPM tables ([0040]).

As to claim 4, Brutch teaches wherein the information elements contain addresses (routing information, etc.) of the corresponding virtual TPM interfaces ([0026]-[0029]).

As to claim 5, Brutch teaches wherein the addresses of the corresponding virtual TPM interfaces are logical addresses to be mapped to physical memory addresses identifying the corresponding virtual TPM interfaces ([0026]-[0029]).

As to claim 6, Brutch teaches wherein each virtual TPM interface of the corresponding virtual TPM interfaces comprises a control area to which a command is writeable to request a TPM operation, and from which a result of the TPM operation is readable ([0029]; [0053]; claim 1).

As to claim 8, Brutch teaches wherein the virtual TPMs comprise virtual functions (VFs) (TPM Commands or functions for TPM) ([0006]; [0047]; [0053]).

As to claim 10, Brutch teaches further comprising a hypervisor (VMM 100 or hypervisor) to create the information elements for the plurality of VMs (Fig. 1; claim 13; [0002]; [0044]).

As to claim 11, Brutch teaches wherein the hypervisor (VMM) is to assign the virtual TPMs to the respective VMs (vTPM VM) ([0033]).

As to claim 12, Brutch teaches wherein the hypervisor is to: assign addresses for the virtual TPM interfaces, and include the addresses in the information elements ([0040]; [0042]; [0059]).

As to claim 14, it is rejected for the same reasons as stated in the rejection of claim 1.

As to claim 15, it is rejected for the same reasons as stated in the rejection of claim 3.

As to claim 16, it is rejected for the same reasons as stated in the rejection of claim 4.

As to claim 17, it is rejected for the same reasons as stated in the rejection of claim 6.

As to claim 18, it is rejected for the same reasons as stated in the rejection of claim 8.

As to claim 19, it is rejected for the same reasons as stated in the rejection of claim 1.

As to claim 20, it is rejected for the same reasons as stated in the rejection of claim 2.

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Brutch in view of Hall et al. (hereinafter Hall) (US 2019/0392143 A1).

As to claim 7, Brutch does not teach wherein the control area comprises a memory buffer and a register.  However, Hall teaches having a control area that comprises a memory buffer 216 and registers (Fig. 2; Abstract; [0036]-[0037]).  Brutch and Hall are analogous art with the instant application because they all are solving the same problem of improve security in the execution of virtual machines.  It would have been obvious to one of ordinary skill in the art Brutch’s virtualization system such that it would include a memory buffer and a register, as taught in Hall’s virtualization system.  The suggestion/motivation for doing so would have been to provide the predicted result of being able to detect security access violations (Hall – Abstract, etc.).   

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Brutch in view of Deval et al. (hereinafter Deval) (US 2019/0107965 A1).

As to claim 9, Brutch does not teach wherein the VFs comprise single root I/O virtualization (SR-IOV) VFs.  However, Deval teaches secure virtualization through isolated domains using an SR-IOV device ([0045]).  Deval’s teaching includes that a SR-IOV is a PCI-SIG defined specification for hardware-assisted I/O virtualization that defines a standard way for partitioning endpoint devices for direct sharing across multiple VMs or containers. An SR-IOV capable endpoint device may support one or more Physical Functions (PFs), each of which may support multiple Virtual Functions (VFs). The PF functions as the resource management entity for the device and is managed by a PF driver in the host OS. Each VF can be assigned to a VM or container for direct access ([0020]).  It would have been obvious to one of ordinary skill in the art before the effective date of the application to modify Brutch such that its virtual functions/commands comprise SR-IOV functions, as taught and suggested in Deval.  The suggestion/motivation for doing so would have been to provide the predicted result of having a standard way for partitioning endpoint devices for direct sharing across multiple VMs or containers (Deval.
Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over Brutch in view of Herdrich et al. (hereinafter Herdrich) (US 2017/0094377 A1).

As to claim 13, Brutch does not teach wherein the security operations of the virtual TPMs are executable without performing TPM emulation at the hypervisor.  However, Herdrich teaches supporting Trusted Platform Module execution without emulation/virtualization at the VMM/hypervisor ([0019]; [0023]; [0029]).  It would have been obvious to one of ordinary skill in the art before the effective date of the application to modify Brutch’s TPM modules such that it would include the feature of wherein the security operations of the virtual TPMs are executable without performing TPM emulation at the hypervisor, as taught and suggested in Herdrich.  The suggestion/motivation for doing so would have been to provide the predicted result of preventing overhead and latency, minimizing the consumption of compute cycles, and allowing/restricting traffic to match established SLAs (Herdrich – [0019]; [0029]).


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KENNETH TANG whose telephone number is (571)272-3772. The examiner can normally be reached Monday-Friday 7AM-3PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KENNETH TANG/Primary Examiner, Art Unit 2199