Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
	Claims 1-21 are presented for examination.

Specification
The disclosure is objected to because of the following informalities:
Section [0039] recites “In this example, the separated HSM-dedicated networks 108, 112, 116 are depicted among different as a specialized case tailored to a specific situation allowing cost minimization and speed maximization of the particular network of this exemplary embodiment.”  This is interpreted as “In this example, the separated HSM-dedicated networks 108, 112, 116 are depicted among different tiers as a specialized case tailored to a specific situation allowing cost minimization and speed maximization of the particular network of this exemplary embodiment.”
Section [0051] recites “When the orchestrator 220 determines to initiate a workload, the orchestrator 220 may determine a host device 205 to host a VM 215 configured to initiate the workload by referencing the host database 230 to determine a host device 205 available to host the VM 215.” And should recite “When the orchestrator 220 determines to initiate a workload, the orchestrator 220 may determine a host device 205 to host a VM 215 configured to initiate the workload by referencing the host database 225 to determine a host device 205 available to host the VM 215.”
Section [0064] recites “At 350, the VM 315 may establish a secure association 345 with the HSM 310. In some cases, the secure association 345 with the HSM 310 may be based on the secure association 325 between the host device 305 and the HSM 310. The secure association 345 may be established based on the VM 315”  This is not clear, since step 345 is the indication of workload (see specification section [0063])  This is interpreted as “At 350, the VM 315 may establish a secure 350 with the HSM 310. In some cases, the secure association 350 with the HSM 310 may be based on the secure association 325 between the host device 305 and the HSM 310. The secure association 350 may be established based on the VM 315”
Section [0066] recites “In some cases, the VM 315 may include the private key within the request for the certificate transmitted from the to the HSM 310.”  It is interpreted as “In some cases, the VM 315 may include the private key within the request for the certificate transmitted from the VM 315 to the HSM 310”
Section [0070] has a typographical error, it recites : “FIG. 4 illustrates an example of a process flow 400 that supports enabling PKI in the generic could environment” and should recite “FIG. 4 illustrates an example of a process flow 400 that supports enabling PKI in the generic cloud environment”  
Appropriate correction is required.

Claim Objections
Claim 3 is objected to because of the following informalities: in line 5, the claim recites “one or more of the public key” and should recite one or more of the public keys”
Claim 17 is objected to because of the following informalities:  the claim has a typographical error, the word “And” is capitalized in line 5.  The claim recites “between the VM And the HSM” and should recite “between the VM and the HSM”
 Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1-4 and 7-8 are rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in view of Montagut (2009/0077376) in view of Asanghanwa (2020/0042675).

Regarding claim 1, Vasil teaches 
a method, comprising:  
receiving, at a host device from an orchestrator of a computer network environment, (Vasil [0028] The workflow management server 24 includes a design and compilation stage 50, storage 52, a distributed workflow controller 54, and tools 56.) an indication of a workload to be executed by a virtual machine (VM) hosted on the host device, the indication comprising an identifier of the workload;  (Vasil [0027] In yet other arrangements, the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers implemented as virtual machines running on a set of host devices. Here, the physical machine task servers and the virtual machine task servers cooperatively operate to carry out the dependency-related predefined activities 58 of the workflow 60 [0047] The task server processes 42 then claim the task identifiers 88 from the scheduling queue 86 (i.e., a ready queue) and perform the tasks identified by the claimed task identifiers 88. )  (Examiner Note: Workflow Management Server satisfies orchestrator; Task server satisfies host)
Vasil teaches virtual machine task servers with particular resources but does not teach determining, at the VM, a private key associated with the workload based at least in part on the identifier of the workload.
However Montagut teaches determining, … a private key associated with the workload based at least in part on the identifier of the workload; and (Montagut, [0038] In another aspect, there is each vertex is assigned a vertex key pair including a vertex private key and a vertex public key, wherein an i'th server as at least one server which is to be determined at runtime of the workflow in accord with the execution pattern to perform one of the vertices of the workflow, … [0039] receiving the first onion structure being built up of a number of onion layers representing the execution pattern with a most upper layer including the i'th vertex private key and being encrypted with the i'th policy public key [0013] Further, each vertex denotes a set of workflow tasks to be executed in accord with the execution pattern and is assigned a vertex key pair including a vertex private key and a vertex public key. [0045] Thereby, an i'th server as at least one server of one of the groups of servers which is to be determined at runtime of the workflow in accord with the execution pattern to perform one of the vertices of the workflow,) (Examiner Note: Montagut teaches a server running a vertex as part of the workflow) 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Montagut’s workflow management with public/private keys with Vasil’s workload schedule because doing so improves the integrity/security of workflow execution by reducing misrepresentation (Montagut [0005] The proposed mechanisms assure the integrity of the distributed execution of workflows and prevent servers from being involved in a workflow instance forged by a malicious peer.)
Vasil does not teach
generating a secure execution environment for the VM within a trusted platform module (TPM) of the host device based at least in part on receiving the identifier of the workload;  
transmitting, to a hardware security module (HSM), a request for a certificate to authenticate communication associated with the workload, wherein the request comprises a public key associated with the workload, the private key, and the identifier of the workload.  
	However Asanghanwa teaches
generating a secure execution environment for the software module within a trusted platform module (TPM) of the host device based at least in part on receiving … the workload;  (Asanghanwa, [0017] The following, with reference to FIGS. 1A and 1B, describes a system whereby trust that is rooted in tamper resistant secure hardware is transitioned into a software module. [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.  [0025] The HSM 106 may be implemented using, for example, a so called Trusted Execution Environment.) (Examiner Note: software module runs in a virtual machine1 and therefore teaches the limitation VM)
transmitting, to a hardware security module (HSM), a request for a certificate to (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module Management Agent (MMA) software module 104. A certificate generally comprises a signature and public key. [0018] However, it should be appreciated that embodiments may be implemented where any software modules can have certificates created using the hardware key 112 and hardware compute elements 107) authenticate communication associated with the workload, (Asanghanwa, [0048] The wherein the request comprises a public key associated with the workload, the private key, and the identifier of the workload (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104, creates the public/private keypair 138 for the software module 136, and stores the public/private keypair 138 in the secret store 118.  ) (Examiner Note: software module is a task and reads on workload identifier)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Asanghanwa’s hardware security with Vasil’s workload scheduler because doing so improves determining that operating software communication is verified and has not been tampered with (Asanghanwa [0002] In computing systems, there may be a desire to verify software modules. This verification can take a number of different forms. For example, it may be desirable for a software module to have a verifiable identity so that the software module can be verified when it communicates with other local software modules, or other entities external to the system on which the software module is operating. Further, when it comes time to execute a software module, it may be desirable to ensure that the software module has not been tampered with.  [0003] The identities of software modules are often based on keys often stored with the modules themselves. In many platforms, especially autonomous devices, these identities are subject to cloning and or impersonation.)


Regarding claim 2, Vasil, Montagut and Asanghanwa teach
the method of claim 1, further comprising: receiving, from the HSM, the requested certificate comprising the public key associated with the workload (Asanghanwa, [0033] certificate can be created public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module,  [0018] However, it should be appreciated that embodiments may be implemented where any software modules can have certificates created using the hardware key 112 and hardware compute elements 107)
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.

Regarding claim 3, Vasil, Montagut and Asanghanwa teach
the method of claim 2, further comprising: 
applying, at the VM, the certificate for communicating a message with a participant within the computer network environment, wherein an association between the message and the VM is verifiable according to the certificate, the identifier of the workload, and one or more of the public key associated with the workload or the private key associated with the workload (Asanghanwa [0048] The certificate 135 can be used to communicate with other entities, such as other modules in the hardware device 102, or entities external to the hardware device 102.)
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.


the method of claim 1, further comprising: 
generating, within the secure execution environment for the VM, the private key associated with the workload, wherein the determining the private key is based at least in part on the generating (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104, creates the public/private keypair 138 for the software module 136, and stores the public/private keypair 138 in the secret store 118. [0050] The HSM 106 creates the software module public/private key pair 138, protectively stores the private key 140 in the secret store 118, and returns the public key 142 to the MMA software module 104.  [0052] The MMA software module 104 delivers the TBS digest 144 to the HSM 106 for the HSM to sign with its (i.e., the MMA software module's) private key 122, which returns the resulting signature 146.)
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.

Regarding claim 7, Vasil, Montagut and Asanghanwa teach
the method of claim 1, further comprising: 
establishing a secure association between the VM and the HSM based at least in part on a secure association between the TPM and the HSM, wherein transmitting the request for the certificate is based at least in part on establishing the secure associating between the VM and the HSM (Asanghanwa [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the 
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.


Regarding claim 8, Vasil, Montagut and Asanghanwa teach
the method of claim 7, further comprising: 
authenticating, by the VM, the HSM based at least in part on a public key associated with the HSM, wherein establishing the secure association with the HSM is based at least in part on the authenticating (Asanghanwa, [0037] In the example illustrated in FIG. 1A, the creator (hereinafter, for this example, the secure runtime agent 111) requests that a public/private keypair be created (and indeed, may create the public/private keypair itself, given its inclusion in the HSM 106) and stored in a secret store 118 of the HSM 106 for a given module. [0048] Referring now to FIG. 1B, an illustration of creation of a hardware key backed certificate 135 for the software module 136 is shown [0070] The MMA software module instantiates, validates, and provisions other software modules with strong X.509 (or other appropriate) identities. The MMA software module is equipped with information on how to obtain and validate respective software modules.)
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.

Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in view of Montagut (2009/0077376) in view of Asanghanwa (2020/0042675) in view of Karjala (2004/0268142).

Regarding claim 5, Vasil, Montagut and Asanghanwa teach
the method of claim 1, further comprising:  transmitting, to the HSM, one or more parameters corresponding to … the certificate requested by the VM (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. [0052] The MMA software module 104 delivers the TBS digest 144 to the HSM 106 for the HSM to sign with its (i.e., the MMA software module's) private key 122, which returns the resulting signature 146. [0053] The MMA software module 104 uses the signature 146 and software module public key 142 to assemble a certificate 135 for the software module 136.)
Asanghanwa is combined with Vasil-Montagut for the same reasons as claim 1.
Vasil does not teach a type of the certificate requested.
However Karjala teaches transmitting, to the HSM, one or more parameters corresponding to a type of the certificate requested by the VM (Karjala [0026] For example, the certificate enrollment database supports properties such as certificate requests prepared using PKCS#10 (or other certificate request syntax) and entity name; the content database supports properties such as content ID and type  [0027] Search filters in a request targeting the certificate enrollment database can include three properties, an entity name, a request type and a PKCS#10 certificate request.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Karjala’s certificate with Vasil’s workload scheduler because doing so improves support for different clients (Karjala [0026] A configuration database allows clients to fetch client configuration packages from SSM server 20. A certificate enrollment database allows clients to enroll certificates with SSM server 20.)

Regarding claim 6, Vasil, Montagut, Asanghanwa and Karjala teach
the method of claim 5, further comprising: 
receiving, from the HSM in response to transmitting the request for the certificate, an error message based at least in part on the one or more parameters transmitted to the HSM (Karjala [0079] If the IPSec UI receives an error return code as a response to a certificate enrollment call, it shows a dialog advising the user that the enrollment failed)
Karjala is combined with Vasil-Montagut-Asanghanwa for the same reasons as claim 5.

Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in view of Montagut (2009/0077376) in view of Asanghanwa (2020/0042675) in view of Hussain (2016/0028551).

Regarding claim 9, Vasil, Montagut and Asanghanwa teach
the method of claim 8, further comprising: 
the public key associated with the HSM (Asanghanwa [0017] A certificate generally comprises a signature and public key.), 
Vasil does not teach a certificate authority to validate the HSM according, … wherein the authenticating the HSM is based at least in part on a response to transmitting the message
However Hussain teaches transmitting a message to the HSM comprising a certificate authority to validate the HSM according … wherein the authenticating the HSM is based at least in part on a response to transmitting the message (Hussain [0039] To ensure the secured communication, the secured communication server 120 adopts certificate-based mutual authentication between the HSM-VM 104 and the web service host and uses a restricted cipher set with the highest security. The secured communication channel is established by the secured communication server 120 using mutually authenticated SSL VPN. In some embodiments, RSA-based certificates are used for mutual authentication.  [0025] In some embodiments, each user/web service host who wants to login to and should provide the HSM service host 107 with a valid certificate in order to access the HSM service host, wherein the certificate is issued by a trusted certificate authority (CA) during the request to create the HSM service unit 107)
[0046] In the example of FIG. 1, the TPM 128 running on the HSM 102/HSM adapter 202 is configured to provide authenticity and integrity for the service hosts 107. The TPM 128 provides a pair of persistent (public and private) keys certified and installed during the production of the HSM adapter 202, wherein this key pair cannot be read, modified or zeroized by any other party. The TPM 128 is configured to utilize the key pair to develop the local certification authority (CA) 130 and its certificates to extend the authenticity and integrity to the HSM service units 107 including both the HSM-VM 104 and HSM partition 108 to mitigate the impersonation attacks to the system.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Hussain’s HSM certificate authority with Vasil’s workload scheduler because doing so improves authentication and crypto processing (Hussain [0005] Hardware security modules (HSMs) are physical computing devices that safeguard and manage keys for strong authentication and provide crypto processing capabilities.  …Therefore, there is a need for an improved system and method to provide secured key management for cloud-based web services hosted at a third party data center via HSMs.)


Claims 10, 11, 14, 15, 17, 18 and 21 are rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in view of Asanghanwa (2020/0042675).

Regarding claim 10, Vasil teaches 
a system, comprising: an orchestrator configured to transmit, (Vasil [0028] The workflow management server 24 includes a design and compilation stage 50, storage 52, a distributed workflow controller 54, and tools 56.) to a host device and …, an indication of a workload to be executed at a virtual machine 4(VM) linked to the host device, the indication comprising an identifier of the workload; (Vasil [0027] In yet other arrangements, the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers implemented as virtual machines running on a set of host devices. Here, the physical machine task servers and the virtual machine task servers cooperatively operate to carry out the dependency-related predefined activities 58 of the workflow 60 [0047] The task server processes 42 then claim the task identifiers 88 from the scheduling queue 86 (i.e., a ready queue) and perform the tasks identified by the claimed task identifiers 88. )  (Examiner Note: Workflow Management Server satisfies orchestrator; Task server satisfies host) 
the host device comprising … platform and configured to allocate resources with the host for the VM based at least in part on receiving the identifier of the workload (Vasil, [0041] Moreover, the various tasks can be prioritized by dynamically filtering and sorting task identifiers based on priorities and resource allocation. [0059]  In some arrangements, the system 20 enables definition of particular resources, )
the VM operating at the host device (Vasil [0027], the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers)
Vasil does not teach Hardware Security Module (HSM), host device comprising a trusted platform module (TPM), the HSM configured to communicate the certificate.
However Asanghanwa teaches Hardware Security Module (HSM) (Asanghanwa [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.)  host device comprising a trusted platform module (TPM). 
the software module configured to communicate a request for a certificate comprising the identifier of the workload; and (Asanghanwa [0065] Alternatively, or additionally, the secure runtime agent requests the HSM and/or the secret store to create X.509 certificate for the MMA software module.) (Examiner Note: software module runs in a virtual machine2 and therefore teaches the limitation VM)
the HSM configured to communicate the certificate to the software module based at least in part on receiving the identifier of the workload from the software module and the orchestrator (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module Management Agent (MMA) software module 104. A certificate generally comprises a signature and public key.  [0018] However, it should be appreciated that embodiments may be implemented where any software modules can have certificates created using the hardware key 112 and hardware compute elements 107.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Asanghanwa’s hardware security with Vasil’s workload scheduler because doing so improves determining that operating software communication is verified and has not been tampered with (Asanghawa [0002] In computing systems, there may be a desire to verify software modules. This verification can take a number of different forms. For example, it may be desirable for a software module to have a verifiable identity so that the software module can be verified when it communicates with other local software modules, or other entities external to the system on 

Regarding claim 11, Vasil and Asanghanwa teach 
the system of claim 10, wherein: 
the VM is further configured to transmit a parameter to the HSM indicating, to the HSM, to determine a private key associated with the workload; and 
the HSM is further configured to generate the private key associated with the workload based at least in part on the VM transmitting the parameter to the HSM (Asanghanwa, [0037] In the example illustrated in FIG. 1A, the creator (hereinafter, for this example, the secure runtime agent 111) requests that a public/private keypair be created (and indeed, may create the public/private keypair itself, given its inclusion in the HSM 106) and stored in a secret store 118 of the HSM 106 for a given module. 0050] The HSM 106 creates the software module public/private key pair 138, protectively stores the private key 140 in the secret store 118, and returns the public key 142 to the MMA software module 104.  [0052] The MMA software module 104 delivers the TBS digest 144 to the HSM 106 for the HSM to sign with its (i.e., the MMA software module's) private key 122, which returns the resulting signature 146)  (Examiner Note: HSM determines a private key when it creates the public/private keypair)
Asanghanwa is combined with Vasil for the same reasons as claim 10.


Regarding claim 14, Vasil and Asanghanwa teach
the system of claim 10, wherein: 
the host device  ... the VM .. receiving the identifier of the workload (Vasil [0027] In yet other arrangements, the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers implemented as virtual machines running on a set of host devices. Here, the physical machine task servers and the virtual machine task servers cooperatively operate to carry out the dependency-related predefined activities 58 of the workflow 60 [0047] The task server processes 42 then claim the task identifiers 88 from the scheduling queue 86 (i.e., a ready queue) and perform the tasks identified by the claimed task identifiers 88.)
… generate a secure execution environment for the software module within the TPM of the host device based at least in part on receiving the identifier of the workload; and (Asanghanwa, [0017] The following, with reference to FIGS. 1A and 1B, describes a system whereby trust that is rooted in tamper resistant secure hardware is transitioned into a software module. [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.  [0025] The HSM 106 may be implemented using, for example, a so called Trusted Execution Environment.)
the VM is further configured to determine, within the secure execution environment, a private key associated with the workload based at least in part on the identifier of the workload, wherein the request for the certificate further comprises the private key (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104, creates the public/private keypair 138 for the software module 136, and stores grants use of software module keys stored in the HSM without revealing the confidentiality of the private keys.)
Asanghanwa is combined with Vasil for the same reasons as claim 10.


Regarding claim 15, Vasil and Asanghanwa teach
the system of claim 14, wherein the VM is further configured to generate, within the secure execution environment for the VM, the private key associated with the workload, wherein determining the private key is based at least in part on the generating (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104, creates the public/private keypair 138 for the software module 136, and stores the public/private keypair 138 in the secret store 118.  [0077] Thus, as illustrated above, some embodiments are implemented where keys are generated inside tamper-resistant silicon, where private keys never leave. cryptographic methodologies are used to associate software modules to the keys and generate certificate identities from this association. A usage model is offered that grants use of software module keys stored in the HSM without revealing the confidentiality of the private keys)
Asanghanwa is combined with Vasil for the same reasons as claim 10.


the system of claim 10, wherein: 
the host device and the HSM are configured to establish a secure association between the TPM and the HSM based at least in part on a public key associated with the HSM and a private key associated with the HSM; and (Asanghanwa [0017] The following, with reference to FIGS. 1A and 1B, describes a system whereby trust that is rooted in tamper resistant secure hardware is transitioned into a software module.  This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module Management Agent (MMA) software module 104. A certificate generally comprises a signature and public key [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.  [0025] The HSM 106 may be implemented using, for example, a so called Trusted Execution Environment.)
the VM is configured to establish a secure association between the VM and the HSM based at least in part on the secure association between the TPM and the HSM, (Asanghanwa [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A.) wherein communicating the request for the certificate is based at least in part on the secure association between the VM and the HSM.  (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module 
Asanghanwa is combined with Vasil for the same reasons as claim 10.


Regarding claim 18, Vasil and Asanghanwa teach
a method, comprising: 
receiving, at a host device from an orchestrator of a computer network 3environment, an indication a workload to be executed by a virtual machine (VM) hosted on the host device, the indication comprising an identifier of the workload; (Vasil [0027] In yet other arrangements, the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers implemented as virtual machines running on a set of host devices. Here, the physical machine task servers and the virtual machine task servers cooperatively operate to carry out the dependency-related predefined activities 58 of the workflow 60 [0047] The task server processes 42 then claim the task identifiers 88 from the scheduling queue 86 (i.e., a ready queue) and perform the tasks identified by the claimed task identifiers 88. )  (Examiner Note: Workflow Management Server satisfies orchestrator; Task server satisfies host) 
establishing a secure association between a hardware security module (HSM) and the VM based at least in part on authenticating the HSM using a public key associated with the HSM and known by the host device; (Asanghanwa, [0017] The following, with reference to FIGS. 1A and 1B, describes a system whereby trust that is rooted in tamper resistant secure hardware is transitioned into a software module. [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  
transmitting, to the HSM, a request for a certificate to authenticate communication associated with the workload, wherein the request comprises the identifier of the workload; and  (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module Management Agent (MMA) software module 104. A certificate generally comprises a signature and public key.)
receiving, from the HSM, the requested certificate comprising a public key associated with the workload and a private key associated with the workload (Asanghanwa, [0033] certificate can be created by the secure runtime agent 111 using the secure hardware private key 112, or by the MMA software module 104 using certificates previously generated using the secure hardware private key 112. [0035] The following illustrates two examples of creation of strong certificates (in the current example, X.509 certificates) for software modules. … The second example, illustrated in FIG. 1B, is an example where the creator is the MMA software module 104, and the software module for which the certificate is being created is another software module. [0048] The certificate 135 can be used to communicate with other entities, such as other modules in the hardware device 102, or entities external to the hardware device 102.)
Asanghanwa is combined with Vasil for the same reasons as claim 10.

Regarding claim 21, Vasil and Asanghanwa teach
the method of claim 18, further comprising: 
establishing a secure association between the VM and the HSM based at least in part on a secure association between the TPM and the HSM, (Asanghanwa, [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.  [0025] The HSM 106 may be implemented using, for example, a so called Trusted Execution Environment.)
 wherein transmitting the request for the certificate is based at least in part on establishing the secure associating between the VM and the HSM (Asanghanwa, [0049] In the example illustrated in FIG. 1B, the creator (hereinafter, for this example, the MMA software module 104) requests that a public/private keypair be created and stored in a secret store 118 of the HSM 106 for a given module. For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104, creates the public/private keypair 138 for the software module 136, and stores the public/private keypair 138 in the secret store 118.) 
Asanghanwa is combined with Vasil for the same reasons as claim 10.


Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in in view of Asanghanwa (2020/0042675) in view of Karjala (2004/0268142).


Regarding claim 16, Vasil and Asanghanwa teach
the system of claim 14, wherein the HSM is further configured (Asanghanwa, [0049] For example, as illustrated in FIG. 1B, the HSM 106, at the request of the MMA software module 104)  message to the VM (Vasil, [0027], the task servers 22 include both physical machine task servers implemented as physical machines, and virtual machine task servers implemented as virtual machines running on a set of host devices. [0047] The task server processes 42 then claim the task identifiers 88 from the scheduling queue 86 (i.e., a ready queue) and perform the tasks identified by the claimed task identifiers 88.)  
Asanghanwa is combined with Vasil for the same reasons as claim 10.
Vasil does not teach transmit an error message to the VM in response to receiving the request for the certificate.
However Karjala teaches transmit an error message … in response to receiving the request for the certificate based at least in part on one or more parameters within the request for the certificate (Karjala [0079] If the IPSec UI receives an error return code as a response to a certificate enrollment call, it shows a dialog advising the user that the enrollment failed)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Karjala’s certificate message with Vasil’s workload scheduler because doing so improves error control and support for different client certificates (Karjala [0026] A configuration database allows clients to fetch client configuration packages from SSM server 20. A certificate enrollment database allows clients to enroll certificates with SSM server 20. [0085] The certificate validity requires that it is signed by a trusted CA, and that it not be expired or revoked.)

Claim 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Vasil (2011/0131448) in in view of Asanghanwa (2020/0042675) in view of Montagut (2009/0077376).

Regarding claim 19, Vasil and Asanghanwa teach
the method of claim 18, further comprising: 
transmitting a parameter to the HSM indicating, to the HSM, (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., certificate 116 for the Module Management Agent (MMA) software module 104. A certificate generally comprises a signature and public key. [0049] For example, as illustrated in FIG. 1B, the HSM 106, [0018] However, it should be appreciated that embodiments may be implemented where any software modules can have certificates created using the hardware key 112 and hardware compute elements 107))
Asanghanwa is combined with Vasil for the same reasons as claim 10.
Vasil does not teach the private key associated with the workload.
However Montagut teaches the private key associated with the workload; wherein the private key associated with the workload is based at least in part on transmitting the parameter (Montagut, [0038] In another aspect, there is provided a system configured to be used for a secure execution of workflow tasks of a workflow to be executed according to a given execution pattern within a decentralized network system, the system including at least an initiator server and a plurality of servers, each server satisfying a policy of a vertex of the workflow, and thus, knowing a corresponding policy key pair including a policy private key and a policy public key, respectively, wherein each vertex is assigned a vertex key pair including a vertex private key and a vertex public key, wherein an i'th server as at least one server which is to be determined at runtime of the workflow in accord with the execution pattern to perform one of the vertices of the workflow, … [0039] receiving the first onion structure being built up of a number of onion layers representing the execution pattern with a most upper layer including the i'th vertex private key and being encrypted with the i'th policy public key [0013] Further, each vertex denotes a set of workflow tasks to be executed in accord with the execution pattern and is assigned a vertex key pair including a vertex private key and a vertex public key. [0045] Thereby, an i'th server as at 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Montagut’s workflow management with private keys with Vasil’s workload schedule because doing so improves the integrity of workflow execution by reducing misrepresentation (Montagut [0005] The proposed mechanisms assure the integrity of the distributed execution of workflows and prevent servers from being involved in a workflow instance forged by a malicious peer.)


Regarding claim 20, Vasil, Asanghanwa and Montgut teach
the method of claim 19, further comprising: 
generating a secure execution environment for the VM within a trusted platform module (TPM) of the host device based (Asanghanwa, [0018] The MMA software module 104 has trust based on the secure hardware key 112 and the secure hardware compute elements 107, as will be illustrated in the description of FIG. 1A. The MMA software module 104 transitions the trust to other software modules, as illustrated in the description of FIG. 1B. [0023] Software modules can be implemented on the hardware device 102  [0024] The hardware device 102 includes a hardware secure module (HSM) 106.  [0025] The HSM 106 may be implemented using, for example, a so called Trusted Execution Environment.)
at least in part on receiving the identifier of the workload and prior to transmitting the request for the certificate; and storing the private key associated with the workload at the secure execution environment (Asanghanwa [0017] This is done using a tamper resistant secure hardware key 112 (which in this case is a private key of a secure private key/public key pair) and tamper resistant hardware compute elements to create a secure certificate for a software module, e.g., 
Asanghanwa is combined with Vasil for the same reasons as claim 10.

Allowable Subject Matter
Claim 12 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims and curing the claim objection.
Claim 12 requires the HSM to be independent of the TPM of the host device.  This is different to Asanghanwa’s teachings where the HSM is part of the Trusted environment (Asanghanwa [0025]) and Hussain’s teachings where the TPM runs on the HSM (Hussain [0046].)  Thus claim 12 when seen in the entirety of its limitations and the base claims on which it depends is not anticipated or made obvious in the prior art.

Claim 13 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claim 13 requires the HSM to transmit the private key and the VM to store it in a secure environment.  Asanghanwa does not teach transmitting the private key outside of the HSM (Asanghanwa [0077]).  Thus claim 13 when seen in the entirety of its limitations and the base claims on which it depends is not anticipated or made obvious in the prior art.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Lattin (2018/0137261) teaches secure provision of devices with virtual machines and hardware security modules.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.








    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Asanghanwa [0013]  For example, a virtual machine, such as a container, may include application modules 
        2 Asanghanwa [0013]  For example, a virtual machine, such as a container, may include application modules