Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/8/2019, 6/7/2019, 4/7/2020, 1/29/2021 and 1/8/2022 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Drawings
The drawings are objected to because Fig 4C has a typo.  Fig 4C recites “UNPACK CIMPLETED” and should recited “UNPACK COMPLETED”.  
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by 


Claim Objections
Claim 8 is objected to because of the following informalities:  Claim 8 recites “selected from the group consisting of hardware elements and firmware elements”.  The term “the group” has no antecedent basis, and is interpreted as “a group”
Claim 15 is objected to because of the following informalities:  Claim 15 recites “the secure interface control.”  The term “the secure interface control” has no antecedent basis, and is interpreted as “a secure interface control”
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 8-10, 11-13 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Durham (2018/0247082) in further view of Narendra (2014/0208109).

Regarding claim 1, Durham teaches
a computer system to facilitate secure processing within a computing environment, the computer system comprising: 
a memory; 
a processor coupled to the memory, wherein the computer system is configured to perform a method comprising: (Durham, [0425] In Example 1, an apparatus to securely execute a consumer workload in a public cloud environment without exposing data or secrets of the consumer includes a processor; and a memory coupled to the processor)
incrementally decrypting a secure operating system image, including for a page of a plurality of pages of the secure operating system image: (Durham [0142] Because the domain launch image is encrypted (and integrity checked) using a memory position-dependent “tweaked” cipher, an adversary cannot move parts of the domain launch image around in memory. The page tables map the domain launch image's programs and data to the correct physical memory addresses  [0149] In one embodiment, the domain launch image is encrypted using XEX-based tweaked codebook mode with ciphertext stealing (XTS). The consumer encrypts the domain launch image in memory position-dependent XTS mode using page address tweaks and the key domain key [0174] From “Execute Consumer's Domain Launch Image and Verify Entry Point” block 616, control proceeds to “Load Rest of Consumer's Domain Image into Memory” block 618. The key domain-capable server loads remaining portions of the consumer's domain image into memory) (Examiner Note: incremental is taught by page tables (multiple pages, one page at a time) and Load rest of image)
receiving a page address of the page and a tweak value used during encryption of the page; (Durham, [0167] At “Execute Consumer's Domain Launch Image and Verify Entry Point” block 616, the key domain-capable server's stack will execute the consumer's domain launch image at the expected entry point (as was provided via the 
determining that the tweak value … used during decryption of another page of the plurality of pages of the secure operating system image; and (Durham [0124] The illustrated ciphertext discussed herein may be decrypted to generate unencrypted data when the ciphertext is to be fetched from the memory 412 (e.g., read operation). The illustrated memory encryption engine 415 may further include a tweak function 445 to utilize a physical memory address as a tweak to a block cipher to bind unencrypted data with the physical memory address. The tweak function 445 may include, for example, XTS (XOR-encrypt-XOR)/XEX-based tweaked codebook mode with ciphertext stealing) algorithm, Liskov, Rivest, and Wagner (LRW) algorithm, and so on, or combinations thereof. The tweak function 445 may, for example, spread the original physical memory address, XOR the address with the unencrypted data, and run the result through the encryptor 441 with a key to bind the unencrypted data to the address.)
decrypting memory page content at the page address using an image encryption key used in encrypting the page and the tweak value to facilitate obtaining a decrypted secure operating system image; (Durham, [0142] The page tables map the Using Secret Keys Included in Domain Launch Image” block 620, control proceeds to “Perform Secure Operations within Consumer Key Domain” block 624. Once the consumer domain (VM) image has been properly executed and the corresponding key domain has been switched, the domain manager can complete loading an operating system)
verifying integrity of the secure operating system image; and (Durham [0163] The cloud services provider can verify that the domain manager image is present within the consumer's domain launch image by constructing the domain manager image from the consumer's encrypted domain launch image in local memory. The cloud services provider can then perform the same verification function (i.e., hash function) that the HashKD instruction uses on the contents of the local memory locations for the constructed domain manager image. If the verification function (hash) values of the contents of the local memory locations match results of the hash KD instruction, the cloud services provider can be assured that the provider's domain manager image was correctly incorporated as part of the consumer's encrypted domain launch image.
[0164] In one embodiment, the HashKD instruction can provide a hash value for a cache line, or, in another embodiment, the HashKD instruction can provide a hash value for up to a page of memory at a time.)
based on verifying integrity of the secure operating system image, starting execution of the decrypted secure operating system image (Durham, [0174] From “Execute Consumer's Domain Launch Image and Verify Entry Point” block 616, control proceeds to “Load Rest of Consumer's Domain Image into Memory” block 618. The key domain-capable server loads remaining portions of the consumer's domain image into memory. The remaining portions of the consumer's domain image may include, for example, the rest of a domain image 2532 of FIG. 25, including operating system(s), application(s), scripts, or other code.  [0182] Once code included in the consumer's domain launch image begins to execute on behalf of the consumer within the key domain, the executing consumer's domain launch image code can take over and extend the consumer's domain image 710.)
Durham teaches page address tweaks but does not explicitly teach determining that the tweak value has not previously been used.
However Narendra teaches determining that the tweak value has not previously been used (Narendra, [0019] XTS-AES is a tweakable block cipher that acts on data units of 128 bits or more and uses the AES block cipher as a subroutine. The key for XTS-AES consists of a data encryption key (used by the AES block cipher) as well as a "tweak key" that is used to incorporate the logical position of the data block into the encryption. In one embodiment of the invention, the unique tweak key is derived based on counters and it shall be explained later.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Narendra’s unique tweak value with Durham’s tweak function for encryption because doing so improves collision avoidance (Narendra [0029] By ensuring that the tweak generated for each data write operation is unique, the probability of having a collision in a single power-on CPU life-cycle becomes void.)


Regarding claim 2, Durham and Narendra teach
 the computer system of claim 1, 
wherein the incrementally decrypting and the verifying integrity are performed by a secure interface control of the computer system, 
the secure interface control being a trusted entity of the computer system, (Durham, [0064] To enable the host VMM to manage execution of guest VMs without directly modifying the control structures of the guest VMs, another type of guest VM, referred to herein as a “guest agent VM,” or simply, “agent,” is introduced. The host VMM launches an agent to operate within the protected key domain in which the guest VM executes, working with the guest VM to protect the guest VM from tampering. [0088] In one embodiment, the consumer creates an encrypted domain launch image in an attested SGX (Intel® Software Guard Extensions) enclave on the cloud services provider's server) (Examiner Note: Durham has multiple embodiments, guest agent and SGX enclave) and 
the page address and the tweak value are received by the secure interface control from a hypervisor (Durham [0320] Alternatively, when the protected memory region is an aliased memory encryption region, a secure enclave, such as provided by Intel®'s Software Guard Extensions (SGX), may load an already encrypted memory image into memory. [0073] The VMM layer's 120 software or firmware is provided by the cloud services provider and is part of the Trusted Computing Base (TCB) for each VM [0074] In the normal virtual machine environment 100 of FIG. 1, the VMM 122 provided by the cloud services provider is in the TCB of each of VMs VM1 130.sub.1, VM2 130.sub.2 and VM3 130.sub.3. [0309] In addition, the code for VMM 3522 is considered to be a part of the consumer VM's Trusted Code Base (TCB).) (Examiner Note: VMM is a hypervisor)


the computer system of claim 2, 
wherein page addresses of the plurality of pages are in a fixed order, and 
the incrementally decrypting the secure operating system image includes determining that the page address is different than any previous page address of previously decrypted pages of the plurality of pages of the secure operating system image (Durham, [0185] The consumer domain manager image is statically bound to the designated server and the designated server's memory addresses, which means that the consumer domain manager image must be installed and executed at a designated memory address of the designated server in order to function properly.  [0196] FIG. 9 represents the case where there is no aliasing; i.e., sufficient memory is available in the system such that the key domain selector address bits 974 are used together with the page address 976 and cache line selector 978 to select an actual physical memory location referenced by data line physical address 975. Here, each individual key domain will be located in a non-overlapping range of physical memory 920.  [0305] The software policy implements several host self-protection rules, such as disallowing a VMCS that can edit itself, disallowing a VMCS that can edit its own EPTs, disallowing overlap in EPTs, [0087] Finally, the consumer creates a domain launch image (including the domain manager image) that is memory position-dependent based on physical addresses,) (Examiner Note: static binding of designated memory address satisfies fixed order of pages (position dependence), and there is no aliasing, overlapping or duplication.)


Regarding claim 4, Durham and Narendra teach
the computer system of claim 3, 
wherein the incrementally decrypting the secure operating system image further includes determining that the tweak value is different than previous tweak values used during decryption of previously decrypted pages of the plurality of pages of the secure operating system image (Narendra [0018] The encryption/decryption algorithm includes, but is not limited to, an XEX [exclusive OR (XOR) followed by encryption followed by XOR] based tweaked mode with Cipher Text Stealing (XTS) mode of encryption to encrypt the Data-lines and Liskov, Rivest, and Wagner (LRW) Advanced Encryption Scheme (AES) (LRW-AES).
[0019] XTS-AES is a tweakable block cipher that acts on data units of 128 bits or more and uses the AES block cipher as a subroutine. The key for XTS-AES consists of a data encryption key (used by the AES block cipher) as well as a "tweak key" that is used to incorporate the logical position of the data block into the encryption. In one embodiment of the invention, the unique tweak key is derived based on counters and it shall be explained later.)
Narendra is combined with Durham for the same reasons as in claim 1.

Regarding claim 8, Durham and Narendra teach
the computer system of claim 2, 
wherein the secure interface control comprises one or more elements of the computer system, 
the one or more elements being selected from the group consisting of hardware elements and firmware elements, and (Durham, [0071] Running on the server hardware 110 is a Virtual Machine Monitor (VMM) layer 120. In the typical virtual machine environment 100 shown, the VMM layer 120 is computer software or firmware that creates and runs virtual machines (VMs), such as VM1 130.sub.1, VM2 130.sub.2, and VM3 130.sub.3, on the cloud services provider's server hardware 110) (Examiner Note: selection occurs when executing a particular VM) 
the secure operating system image is to be run as a secure guest operating system within the computing environment (Durham, [0064] To enable the host VMM to manage execution of guest VMs without directly modifying the control structures of the guest VMs, another type of guest VM, referred to herein as a “guest agent VM,” or simply, “agent,” is introduced. The host VMM launches an agent to operate within the protected key domain in which the guest VM executes, working with the guest VM to protect the guest VM from tampering.) (Examiner Note: a VM has a guest agent in the VM protected domain) 


Regarding claim 9, Durham and Narendra teach
the computer system of claim 8, 
wherein a private-public key pair is associated with the computer system, 
the private key being known only to the secure interface control, and not accessible by software running on the computer system, and  (Durham [0226] In one embodiment, initialization of a key domain is one of the actions performed by a Create Key Domain (CreateKD) instruction. References to a Create Key Domain (CreateKD)  [0227] Control proceeds to “Decrypt Encrypted Key Domain Key Using Server's Private Key, and Decrypt Optional Configuration Policy” block 1720, where the encrypted key domain key is decrypted using the server's private key, a secret key that is unknown/unexposed to the cloud services provider.) 
wherein the public key (Durham [0214] The consumer 1301 encrypts the consumer's key domain key with the cloud services provider's key domain-capable server's public key corresponding to the key domain-capable server's certificate.) is used by an owner of the secure operating system image to generate key agreement data to securely communicate the image encryption key used for encrypting the secure operating system image with the secure interface control and store the key agreement data in a metadata structure (Durham [0195] an “address space identifier (ASID)” may be any number, code, or other notation which identifies one or more address spaces with which the ASID is associated. ASIDs and [0082] In one embodiment, a key domain is defined using unused physical address bits (or other metadata passed through a cache [0228] Control then proceeds to “Assign ASID Tag for New Key Domain Identifier and Resume” block 1760, where a new address space identifier (ASID) tag is assigned for the new key domain identifier,).  (Examiner Note: key domain satisfies key agreement, ASID tag satisfies metadata)

Regarding claim 10, Durham and Narendra teach
the computer system of claim 9, 
further comprising receiving by the secure interface control the metadata structure with a call from the hypervisor, the metadata structure further comprising integrity hash values used in the verifying integrity of the secure operating system image (Durham ]0225] A memory manager 1640 of the key domain-capable server can initialize the new key domain 1650 by issuing an Initialize Key Domain (InitKD) command to the domain manager (VMMlet) 1622.)

Claims 11-13 are program product claims for the system claims 1, 3, and 4 and are rejected for the same reasons as claims 1, 3 and 4.

Claims 18-19 are method claims for the system claims 1 and 2, and are rejected for the same reasons as claims 1 and 2.

Claim 20 is a method claim for the system claims 3 and 4, and is rejected for the same reasons as claims 3 and 4.

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Durham (2018/0247082) in further view of Narendra (20140208109) in view of Petersen1 (2021/0075623) in view of Troia (2019/0370114).

Regarding claim 5,
the computer system of claim 3, 
Durham teaches a memory content hash2 but does not teach a cumulative content hash.
However Petersen teaches wherein the verifying integrity includes employing, in part, a cumulative content hash obtained using … content of the plurality of pages (Petersen [0041] Each subsequent block 102 on the blockchain comprises data 106, a hash of the block's contents, and the hash of the previous block 104 in the blockchain. [0035] [0042] a hash of the contents of the current block, which is in turn referenced by the subsequent block, any modification of a single block will result in a different hash for every subsequent block on the chain. [0036])
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Petersen’s cumulative content hash with Durham’s secure image because doing so improves the immutability of the data (Petersen [0004] One advantage of the present disclosure is the ability to guarantee the immutability of the data through an immutable, .[0003])
Durham does not teach or a cumulative address hash.
However Troia teaches a cumulative address hash obtained using page addresses of the plurality of pages (Troia [0086] At a later time, application controller 152 reads the stored page from system memory 154 by providing the address above used to store the page.  Application controller 152 generates a second digest using the read page and the address as inputs to the hash function.  Then, application controller 152 compares the first digest and the second digest, and makes a determination based on this comparison whether the read page is corrupted. For example, the read page can be corrupted due to an error in the data that was stored in system memory 154, and/or due to an error in the addressing as provided to system memory 154.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Troia’s address validity with Durham’s secure image decryption because doing so improves data accuracy by detecting address errors (Troia [0039] Various embodiments described below can detect data corruption or addressing errors that occur anywhere along the data storage or transmission path to or from the controller and memory.  [0034] In some cases, errors can occur that affect address information provided by a controller to a memory device on a command/address bus (e.g., during address translation, during command/address bus operations, etc.). Such errors can cause a memory operation to be performed at a different physical address than is desired  [0037] Errors can also be caused by incorrect page decoding.) 

Claim 14 is a program product claim for the system claim 5 and is rejected for the same reasons as claim 5.

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Durham (2018/0247082) in further view of Narendra (20140208109) in view of Petersen (2021/0075623).

Regarding claim 15, Durham and Narendra teach
wherein the verifying integrity of the secure operating system image includes comparing the … content hash to an integrity content hash received by the secure interface control, (Durham [0232] When reading the contents of the memory location at the physical address, the memory encryption engine (TMEi) decrypts the contents using the key domain key. The memory encryption engine (TMEi) places the decrypted contents of the memory location at the physical address into cache, and the CPU of the key domain-capable server computes a hash value, a hash value, such as an SHA2/3 hash value, by hashing the decrypted contents in the cache. Control proceeds to “Return Hash Value for Memory Content” block 2050, where the hash value is returned to the issuer of the HashKD command. The issuer of the HashKD instruction can then determine whether to switch to the verified key domain.)
Durham teaches comparing hashed content values but does not teach a cumulative content hash.
However Petersen teaches cumulative content hash (Petersen [0041] Each subsequent block 102 on the blockchain comprises data 106, a hash of the block's contents, and the hash of the previous block 104 in the blockchain. [0035] [0042] a hash of the contents of the current block, which is in turn referenced by the subsequent block, any modification of a single block will result in a different hash for every subsequent block on the chain. [0036])
 to have combined Petersen’s cumulative content hash with Durham’s secure image because doing so improves the immutability of the data (Petersen [0004] One advantage of the present disclosure is the ability to guarantee the immutability of the data through an immutable, shared ledger of transactions (e.g. the blockchain). Transactions are stored on a sequence of blocks on the blockchain. A hashing function is used to generate a unique hash for the contents of each block, which can be stored on the block and a next block, thus linking the blocks via their hashes. An alteration to the contents of a particular block will result in a different hash produced using that same hash function. As a result, the immutability of data in a series of blocks can be verified through the hashing function.[0003])


Allowable Subject Matter
Claim 6 and 7 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  The prior art neither anticipates nor renders obvious the combination of limitations found in claim 6 with the limitations of comparing the cumulative address hash to an integrity address hash received by the secure interface control.  Specifically, the prior art does not teach the combination of limitations incremental decrypting a secure operating image, receiving a tweak value and decryption key and verifying integrity with cumulative memory content hash values and a cumulative address hash value.
Claim 7 depends on 6 which is objected to but allowable when conditions are met.

Claim 16-17 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim, any intervening claims and curing any claim objections.
Claim 16 is a program product claim for the system claim 6 and is allowed for the same reasons as claim 6.
Claim 17 depends on 16 which is objected to but allowable when conditions are met.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Durham (2020/0057664) discloses guest VMs in protected memory and encrypted.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit 





/BRUCE S ASHLEY/Examiner, Art Unit 2494                                                                                                                                                                                                        


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Petersen provisional 62/663,133 filing date is 4/26/2018.  Provisional reference numbers are shown in italics at the end of the mapped PG pub citation.
        2  Durham [0089] In one embodiment, the cloud services provider's server hardware provides a mechanism to measure (create a hash of) the domain manager portion of the consumer-encrypted domain launch image, so the cloud services provider can then attest that the domain manager image included in the consumer-encrypted domain launch image is the same as the domain manager image that the cloud services provider supplied (and is therefore is trusted by the cloud services provider). In one embodiment, the hash function measuring the domain manager image is position-dependent, so that the domain manager image must be loaded into the correct memory location of the cloud services provider server's memory to be decrypted properly. For example, even if the contents of two different memory locations are the same (for example, all zeroes), only the domain manager image loaded into the correct memory location will produce the expected position-dependent hash result.