Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

2.	This action is in response to the applicant's communication filed on 12/01/2021. In virtue of this communication, claims 1-20 filed on 12/01/2021 are currently pending in the instant application. Claim 1, 2, 8, 16,19 and 20 are amended. Claims 2, 8 and 19 are independent claims. No new matter has been added by these amendments.

Examiner's Note:  The Examiner has pointed out particular references contained in the prior art of record within the body of this action for the convenience of the Applicant.  Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply.  Applicant, in preparing the response, should consider fully the entire reference as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner.

In view of this understanding, the argument made by the Applicant on 12/01/2021 concerning the Bachmutsky et al. in view of Belgaied et al. reference is not persuasive, because the limitation recited in each independent 

Note: Applicant's representative amended independent claims 1, 8 and 19 and added a limitation (see below for the underlined limitation) "...   transferring data from a host to an encryption offload engine using an interconnect fabric; encrypting the data from the host at the encryption offload engine to generate encrypted data; and transferring the encrypted data from the encryption offload engine to a storage device using a peer-to-peer connection in the interconnect fabric”.

Acknowledgement is made of response to the Office Action filed on 12/01/2021. 
A. 	On Applicant Arguments/Remarks, on page 9 Applicant argue “… Belgaied does not appear to disclose an interconnect fabric arranged to transfer data from a host to an encryption offload engine, and transfer the encrypted data from the encryption offload engine to a storage device through a peer-to-peer connection in the interconnect fabric as recited in claim 1”. Instead, Belgaied only appears to disclose (e.g., in Fig. 2) a cryptographic offload engine 205 that is located at a network interface card 105, connected to a host 100 in an undisclosed manner, and connected to alleged storage devices (SADB partitions) in an undisclosed manner.

 a function used in network interface cards (NIC) to offload processing of the entire TCP/IP stack to the network controller, to that effect, Para. 0022 of Belgaied teaches that the cryptographic offload engine and policy engine may be located in a network interface card (NIC) attached to a host, for example. 

B.	Applicant amendment in claim 1 the limitation reciting “… A method comprising: transferring data from a host to an encryption offload engine using an interconnect fabric; encrypting the data from the host at the encryption offload engine to generate encrypted data; and transferring the encrypted data from the encryption offload engine to a storage device using a peer-to-peer connection in the interconnect fabric…”.
 
In regards, to the amendments made to claims 1,8 and 19, fig. 1 of  Belgaied depicted receive rings (e.g., virtual NIC 1 (135), virtual NIC 2 (140), virtual NIC 3 (145)) and transmit rings (not shown) are implemented as ring 

C. 	Applicant substantially argue that Belgaied does not appear to disclose transferring encrypted data from an encryption offload engine to a storage device as recited in claim 1.

Examiner respectfully disagrees with the Applicant, because as discussed in previous Office Action, SADB cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine. Thus, SADB includes a storage device. Further Belgaied teaches encrypting, and/or decrypting packets associated with the packet destination are stored in the SA(s) of the corresponding SADB partition (e.g., SADB partition 1 (215), SADB partition n (220)) (see [0038]).  Therefore, the SA section of SADB designed to store encrypting, and/or decrypting packets.

Rejections – 35 USC §103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  


A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have w obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

3.	Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bachmutsky et al. (US Pub. No. US 2019/0317802 A1, hereinafter refers as “Doran”) in view of Belgaied et al.  (US Pub. No. US 2008/0240432 A1, hereinafter refer as “Belgaied”).

Bachmutsky provide work scheduler linked to various applications App1 to AppN and accelerator devices, such as copy engine (e.g., data movers/DMA-offload), crypto engine (e.g., encryption or decryption), policy enforcement engine 354, and parser engine via interconnects, a mesh, or a fabric.

Belgaied provide a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted 

As per claim 1, Bachmutsky a method comprising: transferring data from a host to an encryption offload engine using an interconnect fabric (fig. 3 shown work scheduler 300 is linked to various applications App1 to AppN and accelerator devices, such as copy engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), policy enforcement engine 354, and parser engine 356 via interconnects, a mesh, or a fabric, for example); encrypting the data from the host at the encryption offload engine (fig. 1A show the connection between the CPU cores 106-112, L3 cache 104, and QMD 100 may be a special dedicated interconnect or an existing shared interconnect, for example).

Bachmutsky failed to explicitly discloses generate encrypted data and 
encrypting the data from the host at the encryption offload engine and transferring the encrypted data from the encryption offload engine to a storage device using a peer-to-peer connection in the interconnect fabric.

(para. 0038 discloses encrypting, and/or decrypting packets associated with the packet destination are stored in the SA(s) of the corresponding SADB partition (e.g., SADB partition 1 (215), SADB partition n (220)). Therefore, the SA section of SADB designed to store encrypting, and/or decrypting packets, for example) and encrypting the data from the host at the encryption offload engine (para. 0036 discloses the cryptographic offload engine (205) may authenticate, encrypt, for example) and transferring the encrypted data from the encryption offload engine to a storage device using a peer-to-peer connection in the interconnect fabric (fig. 1 and furthermore para. 0013 discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted using a security protocol, obtain, for example).

Bachmutsky and Belgaied are analogous art because they both are directed to Network traffic is transmitted over a network and one of ordinary skill in the art would have had a reasonable expectation of success to modify Bachmutsky with the specified features of Belgaied because they are from the same field of endeavor.

Therefore, it would have been obvious to one ordinary skilled in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Belgaied with the teaching of Bachmutsky in order for receiving a packet from a network connection [Bachmutsky: para. 0012].

As per claim 2 as applied above, Bachmutsky as modified Belgaied discloses transferring the encrypted data from the storage device to the encryption offload engine using a peer-to-peer connection in the interconnect fabric (fig. 3 of Bachmutsky discloses engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), policy enforcement engine 354, for example); decrypting the encrypted data from the storage device at the encryption offload engine; and transferring the decrypted data to the host using the interconnect fabric (para. 0038 of Bachmutsky discloses A hardware accelerator device can be any non-core compute entity coupled to the work scheduler or a platform that is connected to the work scheduler via interconnects or fabrics such as Intel QuickPath Interconnect (QPI), Intel Ultra Path Interconnect (UPI), Intel On-Chip System Fabric (IOSF), Omnipath, Ethernet, Compute Express Link (CXL), HyperTransport, high-speed fabric, PCIe, NVLink, Advanced Microcontroller Bus Architecture (AMBA) interconnect, OpenCAPI, GenZ, CCIX,for example).

As per claim 3 as applied above, Bachmutsky as modified Belgaied discloses transferring the encrypted data from the storage device to the host; and verifying the encryption of the encrypted data at the host (para. 0139 of Bachmutsky discloses a request to process data, decrypt data, encrypt data, store data, transfer data, parse data, copy data, perform an inference using data, or transform data, for example).

As per claim 4 as applied above, Bachmutsky as modified Belgaied discloses wherein: the data from the host comprises a source address (para. 0044 of Bachmutsky discloses memory-mapped base address registers (BARs), for example); and the method further comprises mapping the source address to the encryption offload engine (fig. 3 of Bachmutsky discloses work scheduler 300 is linked to various applications App1 to AppN and accelerator devices, such as copy engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), policy enforcement engine 354, and parser engine 356 via interconnects, a mesh, or a fabric, for example).  

As per claim 5 as applied above, Bachmutsky as modified Belgaied discloses wherein: the storage device initiates a peer-to-peer transfer from the encryption offload engine to the storage device in response to a write command from the host (fig. 1 of Belgaied, for example); and the encryption offload engine fetches the data from the host using a mapping table (fig. 1 of Belgaied and furthermore para. 0013 of Belgaied discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted using a security protocol, obtain, for example).
The same motivational statement applies as set forth above in claim 1. 


As per claim 6 as applied above in claim1, Bachmutsky as modified Belgaied discloses wherein: the data to be sent to the host has a destination address; and the method further comprises mapping the destination address to the encryption offload engine (para. 0036 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, for example).
The same motivational statement applies as set forth above in claim 1. 

As per claim 7 as applied above, Bachmutsky as modified Belgaied discloses wherein: the storage device initiates a peer-to-peer transfer from the encryption offload engine to the storage device in response to a read command from the host (fig. 1 of Belgaied and furthermore para. 0013 of Belgaied discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted using a security protocol, obtain, for example); and the encryption offload engine transfers the decrypted data to the host using a mapping table (para. 0036 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, for example).
The same motivational statement applies as set forth above in claim 1. 

As per claim 8, Bachmutsky a system comprising: a host (para. 0035 discloses a host computing platform, for example); an encryption offload engine (para. 0100 discloses offload engine, for example); and an interconnect fabric arranged to interconnect the host (fig. 3 and furthermore para. 0049), the encryption offload engine (fig. 3 shown work scheduler 300 is linked to various applications App1 to AppN and accelerator devices, such as copy engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), policy enforcement engine 354, and parser engine 356 via interconnects, a mesh, or a fabric, for example), and one or more storage devices; wherein the encryption offload engine is configured to: receive data from the host (fig. 1A show the connection between the CPU cores 106-112, L3 cache 104, and QMD 100 may be a special dedicated interconnect or an existing shared interconnect, for example).

Bachmutsky failed to explicitly discloses wherein the encryption offload engine is configured to: receive data from the host, encrypt the data received from the host; and send the encrypted data to at least one of the storage devices using a peer-to- peer connection in the interconnect fabric.

Belgaied discloses wherein the encryption offload engine is configured to (para. 0036 discloses the cryptographic offload engine (205) may authenticate, encrypt, for example): receive data from the host, encrypt the data received from the host generate encrypted data (para. 0038 discloses encrypting, and/or decrypting packets associated with the packet destination are stored in the SA(s) of the corresponding SADB partition (e.g., SADB partition 1 (215), SADB partition n (220)). Therefore, the SA section of SADB designed to store encrypting, and/or decrypting packets, for example); and send the encrypted data to at least one of the storage devices using a peer-to- peer connection in the interconnect fabric (fig. 1 and furthermore para. 0013 discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted using a security protocol, obtain, for example).

Bachmutsky and Belgaied are analogous art because they both are directed to Network traffic is transmitted over a network and one of ordinary skill in the art would have had a reasonable expectation of success to modify Bachmutsky with the specified features of Belgaied because they are from the same field of endeavor.

Therefore, it would have been obvious to one ordinary skilled in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Belgaied with the teaching of Bachmutsky in order for receiving a packet from a network connection [Bachmutsky: para. 0012].

As per claim 9 as applied above, Bachmutsky as modified Belgaied discloses wherein the host is configured to: read the encrypted data from the at least one storage device; and verify the encryption of the encrypted data (para. 0007 of Belgaied, for example). 
The same motivational statement applies as set forth above in claim 9. 

As per claim 10 as applied above, Bachmutsky as modified Belgaied discloses wherein the host is configured to read the encrypted data from the at least one storage device by bypassing a mapping table in the encryption offload engine (para. 0036 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, for example).
The same motivational statement applies as set forth above in claim 9. 

As per claim 11 as applied above, Bachmutsky as modified Belgaied discloses wherein: the system further comprises a submission queue configured to hold a write command from the host; and the write command includes a source address for data to be written to the at least one storage device (para. 0147 of Bachmutsky discloses the work scheduler comprises a scheduler logic, ingress queues, egress queues, and a command translator, the work scheduler is to access a work descriptor from the memory based on content of the combined work descriptor and allocate the work descriptor to an ingress queue for execution by an accelerator, for example). 

As per claim 12 as applied above, Bachmutsky as modified Belgaied discloses wherein the host is configured to map the source address to the encryption offload engine (fig. 2 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, and/or decrypt incoming and outgoing packets using SAs in the SADB partitions (e.g., SADB partition 1 (215), SADB partition n (220)), for example). 
The same motivational statement applies as set forth above in claim 9. 

As per claim 13 as applied above, Bachmutsky as modified Belgaied discloses wherein the encryption offload engine is configured to maintain a mapping table to map data for a peer-to-peer transfer with the at least one storage device to an address in the host (para. 0054 of Bachmutsky discloses a portion of a packet received at a network interface can be provided to the system via interface 360 (e.g., PCIe, Intel.RTM. Compute Express Link (CXL), Intel.RTM. Data Direct I/O, or other interconnect, fabric, or interface), for example).

As per claim 14 as applied above, Bachmutsky as modified Belgaied discloses wherein the peer-to-peer transfer is associated with a write command from the host (para. 0054 of Bachmutsky, for example). 

As per claim 15 as applied above, Bachmutsky as modified Belgaied discloses wherein: the at least one storage device is configured to initiate a peer-to-peer transfer from the encryption offload engine in response to the write command from the host (para. 0031 of Belgaied discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, for example); and the encryption offload engine is configured to receive the data from the host, encrypt the data received from the host, and send the encrypted data to at the at least one storage device in response to the at least one storage device initiating the peer-to-peer transfer (para. 0030 of Belgaied discloses transport layer functionality corresponds to functionality to manage the transfer of packets on the network (e.g., functionality to support TCP, UDP, Stream Control Transmission Protocol (SCTP), etc.), for example). 
The same motivational statement applies as set forth above in claim 9. 

As per claim 16 as applied above, Bachmutsky as modified Belgaied discloses wherein the encryption offload engine (para. 0036 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, for example) is further configured to: receive encrypted data from at least one of the storage devices using the peer-to-peer connection in the interconnect fabric; decrypt the encrypted data received from the at least one storage device; and send the decrypted data to the host (fig. 3 of Bachmutsky shown work scheduler 300 is linked to various applications App1 to AppN and accelerator devices, such as copy engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), policy enforcement engine 354, and parser engine 356 via interconnects, a mesh, or a fabric, for example);

As per claim 17 as applied above, Bachmutsky as modified Belgaied discloses wherein: the system further comprises a submission queue configured to hold a read command from the host; and the read command includes a destination address for the decrypted data from the at least one storage device (para. 0147 of Bachmutsky discloses the work scheduler comprises a scheduler logic, ingress queues, egress queues, and a command translator, the work scheduler is to access a work descriptor from the memory based on content of the combined work descriptor and allocate the work descriptor to an ingress queue for execution by an accelerator, for example).

As per claim 18 as applied above, Bachmutsky as modified Belgaied discloses wherein the host is configured to map the destination address to the encryption offload engine (para. 0030 of Belgaied discloses network layer functionality corresponds to functionality to manage packet addressing and delivery on a network (e.g., functionality to support IP, Address Resolution Protocol (ARP), Internet Control Message Protocol, etc. and para. 0036 of Belgaied discloses the cryptographic offload engine (205) may authenticate, encrypt, for example).
The same motivational statement applies as set forth above in claim 9. 

As per claim 19, Bachmutsky an encryption device (fig. 3 show engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), for example) comprising: receive data from a host using the interface(fig. 1A show the connection between the CPU cores 106-112, L3 cache 104, and QMD 100 may be a special dedicated interconnect or an existing shared interconnect, for example); encrypt the data received from the host; and send the encrypted data to a storage device using the interface (para. 0054 discloses a portion of a packet received at a network interface can be provided to the system via interface 360 (e.g., PCIe, Intel.RTM. Compute Express Link (CXL), Intel.RTM. Data Direct I/O, or other interconnect, fabric, or interface), for example).

Bachmutsky failed to explicitly discloses generate encrypted data and an interface configured to couple the encryption device to an interconnect system having peer-to-peer capabilities; and a controller coupled to the interface.

Belgaied discloses generate encrypted data (para. 0038 discloses encrypting, and/or decrypting packets associated with the packet destination are stored in the SA(s) of the corresponding SADB partition (e.g., SADB partition 1 (215), SADB partition n (220)). Therefore, the SA section of SADB designed to store encrypting, and/or decrypting packets, for example) and an interface configured to couple the encryption device (para. 0036 discloses the cryptographic offload engine (205) may authenticate, encrypt, for example): to an interconnect system having peer-to-peer capabilities; and a controller coupled to the interface (fig. 1 and furthermore para. 0013 discloses a network interface card, comprising a cryptographic offload engine and a plurality of security association database (SADB) partitions associated with the cryptographic offload engine, wherein each of the plurality of SADB partitions is associated with one of a plurality of packet destinations, and wherein the cryptographic offload engine is configured to receive a packet from a network connection, wherein the packet is encrypted using a security protocol, obtain, for example).

Bachmutsky and Belgaied are analogous art because they both are directed to Network traffic is transmitted over a network and one of ordinary skill in the art would have had a reasonable expectation of success to modify Bachmutsky with the specified features of Belgaied because they are from the same field of endeavor.

Therefore, it would have been obvious to one ordinary skilled in the art before the effective filing date of applicant’s claimed invention to combine the teachings of Belgaied with the teaching of Bachmutsky in order for receiving a packet from a network connection [Bachmutsky: para. 0012].

As per claim 20 as applied above, Bachmutsky as modified Belgaied discloses wherein the controller is further configured to: receive encrypted data from the storage device using the interface (fig. 1A of Bachmutsky show the connection between the CPU cores 106-112, L3 cache 104, and QMD 100 may be a special dedicated interconnect or an existing shared interconnect, for example); decrypt the encrypted the data received from the storage device to generate decrypted data (para. 0038); and send the decrypted data to the host using the interface (fig. 1A of Bachmutsky show the connection between the CPU cores 106-112, L3 cache 104, and QMD 100 may be a special dedicated interconnect or an existing shared interconnect, for example and furthermore, fig. 3 show engine 350 (e.g., data movers/DMA-offload), crypto engine 352 (e.g., encryption or decryption), for example).

Conclusion
4.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In 

5.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABIY GETACHEW whose telephone number is (571)272-6932. The examiner can normally be reached Mon.-Fri. 9:00 AM - 5:30 PM.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit 





A.G.
March 3, 2022
/ABIY GETACHEW/Primary Examiner, Art Unit 2434