DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of Claims
Claims 1-20 are pending.

Claim Objections
Claims 6, 15, 19 are objected to because of the following informalities:  
Claim 6 contains the word “programing”.
Claim 15 contains the following: “configured to re-enable, by, access…”.  This should be “configured to re-enable access…”.
Claim 19 contains the following: “The system of claim 15, the secure root of trust…”.  This should be “The system of claim 15, in which the secure root of trust…” or similar.
Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:


The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: “an access protection unit configured to prevent access…” in claim 15.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim 

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1-2, 5-6, 8-9, 12-13, 15-16, 19 is/are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Case et al (PGPUB 2010/0199077).

Regarding Claim 8:
Case teaches a non-transitory computer-readable medium having program code recorded thereon for external access control to protect system-on-chip (SoC) subsystems and stored subsystem assets (paragraph 10, customer configures an integrated circuit (IC) device with sensitive information, such as a key or a serial number, and then configures the IC device to disable access to the debug interface of the IC device; access to the debug interface can be prevented by, for example, blowing a fuse in the IC device so as to configure the debug interface to enter a secure and inaccessible state; paragraph 23, memory storing software), the program code executed by a processor (paragraph 23, processor) and comprising: 
program code to sense, during a cold boot of an SoC hardware system, a debug fuse vector for access to SoC subsystems of an SoC owner and/or third-party subsystems of an SoC hardware architecture (paragraph 30, security controller configured to enact particular security/access level based on signaling received from authenticated debug controller; authenticated debug controller initially directs security level based on states of fuses; paragraph 35-37, security monitor and boot program cooperate during boot sequence; security monitor sets state based on access level; access level therefore determined during boot; decoder configured to provide decode value representative of debug state or configuration to be enacted; decoder generates decode value responsive to states of debug related fuses, including blown/non-blown state of disable debug fuse and challenge required fuse; paragraph 41, state of challenge required fuse determined, and boot program responds by generating random number challenge); 
program code to disable access to each SoC subsystem with a blown fuse in the debug fuse vector (paragraph 27, configuration block 218 further can include one or more fuses that can be selectively blown by the customer so as to control the debug access features of the IC device; these fuses can include, for example, a debug disable fuse 254, a challenge required fuse 256, and a permanent debug fuse 258; the debug disable fuse 254 controls whether the debug interface 216 is accessible in any situation; thus, the customer can blow the debug disable fuse 254 should the customer desire to permanently and irrevocably close the debug interface 216; the challenge required fuse 256 controls whether the challenge/response process is required to authenticate the customer for software debugging access to the IC device 202); and 
program code to re-enable, by a secure root of trust, access to an SoC subsystem and/or a third- party subsystem for an external debugger when authentication of one or more debug certificates of a third-party owner of the external debugger is successful (paragraph 31, 36, 41, code signing server 230 (i.e. third-party owner of external debugger), in one embodiment, is configured to sign a command file and provide the signed command file to the IC device 202 for execution following the initial secure boot up, whereupon the command file includes a command to direct the IC device 202 to initiate the process of opening the debug interface 216 using the challenge/response process; code signing server 230 signs the command file using a private key corresponding to the root key value 219 stored at the IC device 202; the IC device 202 can authenticate the source of the command file and thus authorize its execution and the storage of the associated public key information by verifying the signed command file using the root key value 219; rather than using the root key value 219 directly, the private keys can be verified using a chain of one or more certificates linking back to the root key value 219; if the state of the challenge required fuse 256 indicates the challenge/response process is required, the IC device 202 initiates a challenge/response process to authenticate the customer for access; paragraph 23, IC device comprising secure storage for root key value, i.e. “secure root of trust”).

Regarding Claim 9:
Case teaches the non-transitory computer-readable medium of claim 8.  In addition, Case teaches the medium further comprising program code to program an access protection unit according to the debug fuse vector to prevent access to each SoC subsystem with the blown fuse in the debug fuse vector (paragraph 30, security controller enacts particular security level at IC device based on signaling received from state of fuses by way of authenticated debug controller; paragraph 27, fuses include debug disable fuse and challenge required fuse, controlling whether debug interface (i.e. SoC subsystem) is closed or open).

Regarding Claim 12:
Case teaches the non-transitory computer-readable medium of claim 8.  In addition, Case teaches the medium, further comprising: 
program code to determine a subsystem asset access control enable/disable state from the debug fuse vector (paragraph 34-36, decoder provides decode value representative of debug state responsive to states of debug-related fuses, including “disable debug” fuse and “challenge required” fuse); and 
program code to program, by a secure root of trust, an access domain configuration of a first access protection unit to enable/disable external debug access to on-chip subsystem assets based on the subsystem asset access control enable/disable state (paragraph 37, enable controller 312 interprets the decode value 332 and selectively configures one or more control signals 334 so as to implement the debug configuration represented by the decode value 332; these control signals 334 can include control signaling used to open access to the debug interface 216, control signaling to open access to hardware evaluation components (e.g., scan chains), control signaling to control access to the permanent debug fuse 258 (as well as enable signaling to internally blow the permanent debug fuse 258), control signaling to direct one of more multiplexers of the configuration block 218 to select between the customer configuration represented by the customer fuse bank 250 or the default configuration represented by the default configuration component 252 (e.g., another fuse bank or a group of set/reset flops), and the like; paragraph 41, if state of challenge required fuse indicates challenge/response process is required, IC device initiates challenge/response process to authenticate customer for access).

Regarding Claim 13:
Case teaches the non-transitory computer-readable medium of claim 12.  In addition, Case teaches in which the program code to program comprises program code to disable access of the external debugger to the on-chip subsystem assets when a subsystem asset access control disable state is detected (paragraph 34-36, decoder provides decode value representative of debug state responsive to states of debug-related fuses, including “disable debug” fuse and “challenge required” fuse; paragraph 27, debug disable fuse controls whether debug interface is accessible in any situation; customer can blow debug disable fuse should customer desire to permanently and irrevocably close the debug interface).

Regarding Claims 1-2, 5-6:
	These are the method claims corresponding to the non-transitory computer-readable medium of claims 8-9, 12-13 respectively, and are therefore rejected for corresponding reasons.

Regarding Claim 15:
Case teaches a system for external access control to protect system-on-chip (SoC) subsystems and stored subsystem assets (paragraph 10, customer configures an integrated circuit (IC) device with sensitive information, such as a key or a serial number, and then configures the IC device to disable access to the debug interface of the IC device; access to the debug interface can be prevented by, for example, blowing a fuse in the IC device so as to configure the debug interface to enter a secure and inaccessible state; paragraph 23, memory storing software), the system comprising: 
a debug fuse vector to define access to SoC subsystems of an SoC owner and/or third-party subsystems of an SoC hardware architecture (paragraph 30, security controller configured to enact particular security/access level based on signaling received from authenticated debug controller; authenticated debug controller initially directs security level based on states of fuses; paragraph 35-37, security monitor and boot program cooperate during boot sequence; security monitor sets state based on access level; access level therefore determined during boot; decoder configured to provide decode value representative of debug state or configuration to be enacted; decoder generates decode value responsive to states of debug related fuses, including blown/non-blown state of disable debug fuse and challenge required fuse; paragraph 41, state of challenge required fuse determined, and boot program responds by generating random number challenge); 
(paragraph 27, configuration block 218 further can include one or more fuses that can be selectively blown by the customer so as to control the debug access features of the IC device; these fuses can include, for example, a debug disable fuse 254, a challenge required fuse 256, and a permanent debug fuse 258; the debug disable fuse 254 controls whether the debug interface 216 is accessible in any situation; thus, the customer can blow the debug disable fuse 254 should the customer desire to permanently and irrevocably close the debug interface 216; the challenge required fuse 256 controls whether the challenge/response process is required to authenticate the customer for software debugging access to the IC device 202); and 
a secure root of trust configured to re-enable, by, access to an SoC subsystem and/or a third-party subsystem for an external debugger when authentication of one or more debug certificates of a third-party owner of the external debugger is successful (paragraph 31, 36, 41, code signing server 230 (i.e. third-party owner of external debugger), in one embodiment, is configured to sign a command file and provide the signed command file to the IC device 202 for execution following the initial secure boot up, whereupon the command file includes a command to direct the IC device 202 to initiate the process of opening the debug interface 216 using the challenge/response process; code signing server 230 signs the command file using a private key corresponding to the root key value 219 stored at the IC device 202; the IC device 202 can authenticate the source of the command file and thus authorize its execution and the storage of the associated public key information by verifying the signed command file using the root key value 219; rather than using the root key value 219 directly, the private keys can be verified using a chain of one or more certificates linking back to the root key value 219; if the state of the challenge required fuse 256 indicates the challenge/response process is required, the IC device 202 initiates a challenge/response process to authenticate the customer for access; paragraph 23, IC device comprising secure storage for root key value, i.e. “secure root of trust”).

Regarding Claim 16:
Case teaches the system of claim 15.  In addition, Case teaches in which the secure root of trust is configured to sense, during a cold boot of an SoC hardware system, the debug fuse vector (paragraph 30, security controller configured to enact particular security/access level based on signaling received from authenticated debug controller; authenticated debug controller initially directs security level based on states of fuses; paragraph 35-37, security monitor and boot program cooperate during boot sequence; security monitor sets state based on access level; access level therefore determined during boot; decoder configured to provide decode value representative of debug state or configuration to be enacted; decoder generates decode value responsive to states of debug related fuses, including blown/non-blown state of disable debug fuse and challenge required fuse; paragraph 41, state of challenge required fuse determined, and boot program responds by generating random number challenge), and configured to program the access protection unit according to the debug fuse vector to prevent access to each SoC subsystem with the blown fuse in the debug fuse vector (paragraph 30, security controller enacts particular security level at IC device based on signaling received from state of fuses by way of authenticated debug controller; paragraph 27, fuses include debug disable fuse and challenge required fuse, controlling whether debug interface (i.e. SoC subsystem) is closed or open).

Regarding Claim 19:
Case teaches the system of claim 15.  In addition, Case teaches wherein the secure root of trust is configured to determine a subsystem asset access control enable/disable state from the debug fuse vector (paragraph 34-36, decoder provides decode value representative of debug state responsive to states of debug-related fuses, including “disable debug” fuse and “challenge required” fuse), configured to program an access domain configuration of the access protection unit to enable/disable external debug access to on-chip subsystem assets based on the subsystem asset access control enable/disable state (paragraph 37, enable controller 312 interprets the decode value 332 and selectively configures one or more control signals 334 so as to implement the debug configuration represented by the decode value 332; these control signals 334 can include control signaling used to open access to the debug interface 216, control signaling to open access to hardware evaluation components (e.g., scan chains), control signaling to control access to the permanent debug fuse 258 (as well as enable signaling to internally blow the permanent debug fuse 258), control signaling to direct one of more multiplexers of the configuration block 218 to select between the customer configuration represented by the customer fuse bank 250 or the default configuration represented by the default configuration component 252 (e.g., another fuse bank or a group of set/reset flops), and the like; paragraph 41, if state of challenge required fuse indicates challenge/response process is required, IC device initiates challenge/response process to authenticate customer for access), and configured to disable access of the external debugger to the on-chip subsystem assets when a subsystem asset access control disable state is detected (paragraph 34-36, decoder provides decode value representative of debug state responsive to states of debug-related fuses, including “disable debug” fuse and “challenge required” fuse; paragraph 27, debug disable fuse controls whether debug interface is accessible in any situation; customer can blow debug disable fuse should customer desire to permanently and irrevocably close the debug interface).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 3, 10, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Case, and further in view of Stevens, Jr. et al (PGPUB 2015/0381368), hereinafter Stevens.

Regarding Claim 10:
Case teaches the non-transitory computer-readable medium of claim 8.
Case does not explicitly teach the medium further comprising program code to program an access protection unit according to the debug fuse vector to prevent access to each third-party subsystem of the SoC hardware architecture with the blown fuse in the debug fuse vector.
However, Stevens teaches the concept of program code to program an access protection unit according to a debug fuse vector to prevent access to each third-party subsystem of an SoC hardware architecture with a blown fuse in the debug fuse vector (abstract, during assembly of a device by an original equipment manufacturer (OEM), converged security and manageability engine (CSME) is provided a list of hardware features to be activated; paragraph 1, hardware fuses blown to disable or enable hardware features; CSME configures in-field programmable fuses to enable requested features; paragraph 14-15, vendor, OEM (third-party), and customer; hardware features activated by OEM (i.e. third-party subsystems); paragraph 18, I/O subsystem includes feature configuration devices, such as in-field programmable fuses; fuse configured to selectively enable or disable hardware features of the I/O subsystem; IFPs included in SoC including processor).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the disabling third-party system access teachings of Stevens with the external debugger access control teachings of Case, in order to allow third-party distributors to 

Regarding Claim 3:
	This is the method claim corresponding to the non-transitory computer-readable medium of claim 10, and is therefore rejected for corresponding reasons.

Regarding Claim 17:
Case teaches the system of claim 15.
Case does not explicitly teach in which the secure root of trust is configured to sense, during a cold boot of an SoC hardware system, the debug fuse vector, and configured to program the access protection unit according to the debug fuse vector to prevent access to each third-party subsystem of the SoC hardware architecture with the blown fuse in the debug fuse vector.
However, Stevens teaches the concept in which a secure root of trust is configured to sense, during a cold boot of an SoC hardware system, a debug fuse vector, and configured to program an access protection unit according to the debug fuse vector to prevent access to each third-party subsystem of the SoC hardware architecture with a blown fuse in the debug fuse vector (abstract, during assembly of a device by an original equipment manufacturer (OEM), converged security and manageability engine (CSME) is provided a list of hardware features to be activated; paragraph 1, hardware fuses blown to disable or enable hardware features; CSME configures in-field programmable fuses to enable requested features; paragraph 14-15, vendor, OEM (third-party), and customer; hardware features activated by OEM (i.e. third-party subsystems); paragraph 18, I/O subsystem includes feature configuration devices, such as in-field programmable fuses; fuse configured to selectively enable or disable hardware features of the I/O subsystem; IFPs included in SoC including processor).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the disabling third-party system access teachings of Stevens with the external debugger access control teachings of Case, in order to allow third-party distributors to determine which subsystems require protection from debug access, thereby allowing the system to meet the security needs of manufacturers, third-parties such as OEM distributors, and end-user customers.

Claims 4, 11, 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Case, and further in view of Shin et al (PGPUB 2015/0242606).

Regarding Claim 11:
Case teaches the non-transitory computer-readable medium of claim 8.  In addition, Case teaches in which the program code to re-enable comprises: 
program code to issue a first challenge to the external debugger based on an SoC owner signed debug entitlement certificate (paragraph 31, public keys authorized for use at IC device using private key corresponding to root key of IC device; IC stores public keys after authenticating using certificates linking back to root key value; paragraph 42-43, challenge/response process for debug access; code signing server signs challenge value with private key corresponding to public keys delivered to IC through certificate authentication process; signature authentication module of IC verifies response value using corresponding public key; challenge/response process therefore “based on” debug entitlement certificate); and
(paragraph 45, in the event that authentication is confirmed by challenge/response process, authenticated debug controller grants access according to access level at the IC device).
Case does not explicitly teach program code to issue a second challenge to the external debugger based on a third-party owner signed debug policy certificate when the first challenge is authenticated. 
However, Shin teaches the concept of program code to issue a second challenge to an external debugger based on a third-party owner signed debug policy certificate when a first challenge is authenticated (paragraph 8, method of debugging a device involving challenge/response authentication; paragraph 65, secure JTAG verifies request for initiating authentication from debugging device; paragraph 66, JTAG verifies request information by verifying certificate of public key stored at JTAG; paragraph 83-84, if request to initiate authentication is valid (i.e. first challenge), random number is transmitted to debugging device; debugging device transmits challenge to response server, and response server generates value according to challenge, device ID, access control information, and public key, e.g. digital signature; paragraph 85, authentication protocol controller of JTAG verifies whether response received from debugging device is issued from response server, i.e. digital signature verification).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the third-party certificate challenge authentication teachings of Shin with the external debugger access control teachings of Case, in order to provide additional security assurance through public-key certificate methods by verifying additional certificates, such as those provided by third-parties, before allowing debug access to protected SoC devices.

Regarding Claim 4:


Regarding Claim 18:
Case teaches the system of claim 15.  In addition, Case teaches in which the secure root of trust is configured to issue a first challenge to the external debugger based on an SoC owner signed debug entitlement certificate (paragraph 31, public keys authorized for use at IC device using private key corresponding to root key of IC device; IC stores public keys after authenticating using certificates linking back to root key value; paragraph 42-43, challenge/response process for debug access; code signing server signs challenge value with private key corresponding to public keys delivered to IC through certificate authentication process; signature authentication module of IC verifies response value using corresponding public key; challenge/response process therefore “based on” debug entitlement certificate), and configured to grant the third-party owner access, via the external debugger, to SoC subsystem assets (paragraph 45, in the event that authentication is confirmed by challenge/response process, authenticated debug controller grants access according to access level at the IC device).
Case does not explicitly teach the system configured to issue a second challenge to the external debugger based on a third-party owner signed debug policy certificate when the first challenge is authenticated.
However, Shin teaches the concept of a system configured to issue a second challenge to an external debugger based on a third-party owner signed debug policy certificate when a first challenge is authenticated (paragraph 8, method of debugging a device involving challenge/response authentication; paragraph 65, secure JTAG verifies request for initiating authentication from debugging device; paragraph 66, JTAG verifies request information by verifying certificate of public key stored at JTAG; paragraph 83-84, if request to initiate authentication is valid (i.e. first challenge), random number is transmitted to debugging device; debugging device transmits challenge to response server, and response server generates value according to challenge, device ID, access control information, and public key, e.g. digital signature; paragraph 85, authentication protocol controller of JTAG verifies whether response received from debugging device is issued from response server, i.e. digital signature verification).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the third-party certificate challenge authentication teachings of Shin with the external debugger access control teachings of Case, in order to provide additional security assurance through public-key certificate methods by verifying additional certificates, such as those provided by third-parties, before allowing debug access to protected SoC devices.

Claims 7, 14, 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Case, and further in view of Conti et al (PGPUB 2006/0021035).

Regarding Claim 14:
Case teaches the non-transitory computer-readable medium of claim 8.
Case does not explicitly teach the medium, further comprising: 
program code to detect an access attempt by the external debugger to access subsystem assets outside the SoC hardware architecture; 
program code to prevent, by an access protection unit, the access attempt by the external debugger; and 
program code to issue, by the access protection unit, an access violation notification to a secure root of trust.
(abstract, method of identifying and preventing security violations within a computing system; paragraph 29, security controller monitors for unauthorized test and debug activity; attempts at any of these activities that are detected are identified as a security violation); 
program code to prevent, by an access protection unit, the access attempt by the external debugger (paragraph 30, once a security violation has been detected, the core security controller initiates security response comprising blocking or stopping execution of the violating operation); and 
program code to issue, by the access protection unit, an access violation notification to a secure module (paragraph 33, security controller may also respond to a security violation by generating an interrupt to the processor; security controller asserts security abort interrupt signal, which is monitored by the interrupt controller); and
Case teaches wherein the secure module is a secure root of trust (paragraph 23, IC device comprising secure storage for root key value, i.e. “secure root of trust”).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the detecting unauthorized debug access teachings of Conti with the external debugger access control teachings of Case, in order to improve security by detecting security violations and providing a method of preventing the security violation from being executed, thereby protecting the device from invalid or malicious attempts to access secure chip elements using debuggers for the purposes of obtaining confidential information such as keys.

Regarding Claim 7:
	This is the method claim corresponding to the non-transitory computer-readable medium of claim 14, and is therefore rejected for corresponding reasons.

Regarding Claim 20:
Case teaches the system of claim 15.
Case does not explicitly teach the system in which the access protection unit is configured to detect an access attempt by the external debugger to access subsystem assets outside the SoC hardware architecture, configured to prevent the access attempt by the external debugger; and configured to issue an access violation notification to the secure root of trust.
However, Conti teaches the concept of a system in which an access protection unit is configured to detect an access attempt by an external debugger to access subsystem assets outside an SoC hardware architecture (abstract, method of identifying and preventing security violations within a computing system; paragraph 29, security controller monitors for unauthorized test and debug activity; attempts at any of these activities that are detected are identified as a security violation); 
configured to prevent the access attempt by the external debugger (paragraph 30, once a security violation has been detected, the core security controller initiates security response comprising blocking or stopping execution of the violating operation); and 
configured to issue an access violation notification to a secure module (paragraph 33, security controller may also respond to a security violation by generating an interrupt to the processor; security controller asserts security abort interrupt signal, which is monitored by the interrupt controller); and
Case teaches wherein the secure module is a secure root of trust (paragraph 23, IC device comprising secure storage for root key value, i.e. “secure root of trust”).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to combine the detecting unauthorized debug access teachings of Conti with the external debugger access control teachings of Case, in order to improve security by detecting security 

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to FORREST L CAREY whose telephone number is (571)270-7814. The examiner can normally be reached 9:00AM-5:30PM M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 5712723972. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








/ASHOKKUMAR B PATEL/Supervisory Patent Examiner, Art Unit 2491