DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Amendment
This office action is in response to the Application filed on 01/25/2022.  
Claims 1-10, 12-16, and 18-20 are presented for examination. 
Response to Argument
Applicant’s remarks have been fully considered but they are unpersuasive.
Remark 1: Applicant argues that the office action fails to explain which features Tsirkin is alleged to disclose, which features are not disclosed in Tsirkin, which features are disclosed in Wei, and a motivation to combine.
Examiner respectfully disagrees.
Tsirkin teaches the guest operating system requesting that the range of memory utilized by the executable module on the guest operating system to be a particular executable mode, e.g., read-execute-only ([0043], kernel 204 detects the loading of application 202-1 {initiating an executable module} and a range of guest physical memory addresses {a range of memory} that should be executable by the application. Guest 111 may invoke a hypercall {request} enabling passing the guest physical memory addresses at which the memory pages storing the kernel executable code are stored, requesting permission to execute these memory pages; [0033], guest 111 {guest operating system} invokes a hypercall {request} that causes hypervisor 108 to set permissions of a set of memory pages {a range of memory} corresponding to memory allocated to the guest to a particular access mode). 
Because Tsirkin does not explicitly teach the access permission as "execute-only”, Wei [0029] is relied upon that teaches write-protecting a range of memory pages containing program code, those memory pages can be marked "execute-only”.
The motivation of combining Tsirkin and Wei would be for the benefits of protecting kernel pages from being modified by untrusted execution module because the range of memory is protected by settings permission to kernel pages (Wei, [0040]; Tsirkin, [0037]-[0038]).
Remark 2: Applicant argues that Wei merely discloses that the portion of program code comprising the guest OS may be execute-only, not that the executable module initiated by the guest OS is execute-only
Examiner respectfully disagrees.
First, Wei teaches in [0029] the OS memory 214 stores program code (kernel code) comprising guest OS 216, Wei does not teach the OS memory 214 stores only guest OS 216 nor the program code (kernel code) includes only guest OS 216.
Second, Wei teaches the physical memory pages associated with VM are write protected before the VM can be deemed ready for operation as shown in [0029], the hypervisor can mark the physical memory pages of physical memory 208 that are associated with VM and which contain the guest OS program code (kernel pages) as being read- and execute-only. In some embodiments, those kernel pages can be marked execute-only. At this point, the VM can be deemed ready for operation. Note that, not only the guest OS 216 is write protected, Wei teaches the physical memory pages of physical memory 208 that are associated with VM are write protected before the VM 204 can be deemed ready for operation. Thus, Wei teaches write protecting the OS memory address space for the benefits of enforcing security policies to ensure security of the system and its information as shown in [0017]. 
Furthermore, the range of memory utilized by the executable module on the guest operating system to be a particular executable mode has been taught by Tsirkin ([0043], [0033]).
Tsirkin teaches the guest operating system requesting that the range of memory utilized by the executable module on the guest operating system to be a particular executable mode. Examples of access permissions are read-only, read-execute-only, etc. Wei [0029] is relied upon that teaches write-protecting a range of memory pages containing program code, those memory pages can be marked "execute-only”. 
Tsirkin further teaches guest operating system invoking a hypercall to set permission of a range of memory pages to a particular access mode as shown in [0033], and setting permission of a range of memory pages to a particular access mode upon initiation of an executable module as shown in [0043]. 
Remark 3: Applicant argues that the combination of Tsirkin and Wei fails to teach “receiving, from the guest operating system, upon termination by the guest operating system of the executable module from the range of memory, a request to identify the range of memory as not being limited to execute-only access”.  
Examiner respectfully submits that upon the broadest reasonable interpretation, (1) terminating the executable module from the range of guest physical memory pages is not novel because the capacity of guest physical memory pages is limited, therefore, it is obvious that the executable module would be terminated and removed from the guest physical memory when the execution of the executable module is no longer needed; for example, Wei in [0026] teaches deleting executable code;
(2) marking the physical page of memory as not being execute-only upon termination of the executable module from the range of memory is also not novel because the range of guest physical memory pages was marked as being execute-only for the reason of detecting the loading the executable module, therefore, it is obvious to mark the physical page of memory as not being execute-only upon termination of the executable module from the range of physical memory pages. 
Specification
The lengthy specification has not been checked to the extent necessary to determine the presence of all possible minor errors. Applicant’s cooperation is requested in correcting any errors of which applicant may become aware in the specification.
Claim Rejections - 35 USC § 103
In the event a determination of the status of the application as subject to AIA  35 U.S.C. 102, 103, and 112 (or as subject to pre-AIA  35 U.S.C. 102, 103, and 112) is incorrect, any 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 6-10, 12-14, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin et al. (US 2017/0249173; hereinafter Tsirkin) in view of Wei et al. (US 2021/0026785; hereinafter Wei).
Regarding independent claim 1, Tsirkin teaches a method comprising:
initiating, by a hypervisor executing on a computing host comprising a processor device, a virtual machine comprising a guest operating system ([0002], The hypervisor allocates a certain amount of the host's resources, such as the host's underlying physical processors and memory devices, to each of the virtual machines, allowing the virtual machines to transparently access the host's resources; Fig. 1 & [0026], virtual machines 110 are platforms on which operating systems referred to as guest operating systems run. The guest operating systems may be referred to as “guests”);
receiving, by the hypervisor, upon initiation by the guest operating system of an executable module into a range of memory ([0043], kernel 204 detects the loading of application 202-1 {initiating an executable module} and a range of guest physical memory addresses that should be executable by the application), a request from the guest operating system requesting that the range of memory utilized by the executable module on the guest operating system be identified (
[0043], kernel 204 detects the loading of application 202-1 {initiating an executable module} and a range of guest physical memory addresses {a range of memory} that should be executable by the application. Guest 111 may invoke a hypercall {request} enabling passing the guest physical memory addresses at which the memory pages storing the kernel executable code are stored, requesting permission to execute these memory pages;
[0033], guest 111 {guest operating system} invokes a hypercall {request} that causes hypervisor 108 to set permissions of a set of memory pages {a range of memory} corresponding to memory allocated to the guest to a particular access mode); 
Tsirkin teaches the guest operating system invoking a hypercall to set permission of a range of memory pages to executable, or a particular access mode, as shown in [0033] (Examples of access permissions are read-only, read-execute-only, etc.), and setting permission of a range of memory pages to a particular access mode (e.g., executable-by-kernel, executable-by-user, executable-by-none) upon initiation of an executable module as shown in [0043]. 
Although Tsirkin does not explicitly teach whether the range of memory pages are write protected, that is, Tsirkin does not explicitly teach the range of memory utilized by the executable module identified as being execute-only access,
in an analogous art of virtualization, Wei teaches the range of memory utilized by the executable module on the guest operating system be identified as being execute-only access (Fig. 3 & [0029], At operation 312, the hypervisor 202 can write-protect the portion of OS memory 214 that stores the program code (kernel code) comprising the guest OS 216. In some embodiments, for example, the hypervisor 202 can mark the physical memory pages of physical memory 208 that are associated with VM 202 and which contain the guest OS program code (kernel pages) as being read- and execute-only. In some embodiments, those kernel pages can be marked execute-only;
Wei teaches the physical memory pages associated with VM are write protected before the VM can be deemed ready for operation as shown in [0029], the hypervisor can mark the physical memory pages of physical memory 208 that are associated with VM and which contain the guest OS program code (kernel pages) as being read- and execute-only. In some embodiments, those kernel pages can be marked execute-only. At this point, the VM can be deemed ready for operation. 
Note that, not only the guest OS 216 is write protected, Wei teaches the physical memory pages of physical memory 208 that are associated with VM are write protected before the VM can be deemed ready for operation. Thus, Wei teaches write protecting the OS memory address space for the benefits of enforcing security policies to ensure security of the system and its information as shown in [0017]).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention was made, with the teachings of Tsirkin and Wei before them, to improve Tsirkin’s guest OS sending request to hypervisor to set a range of physical memory pages to a desired permission upon initiation by the guest operating system of an executable module into a range of memory with Wei’s write protecting the physical memory pages of physical memory 208 that are associated with VM before the VM can be deemed ready for operation by marking the kernel pages containing the guest OS program code as being “execute-only” upon initiating an executable module into a range of memory. 
The motivation would be for the benefits of protecting kernel pages from being modified by untrusted execution module because the range of memory is protected by settings permission to kernel pages (Wei, [0040]; Tsirkin, [0037]-[0038]).
Thus, the combination of Tsirkin and Wei teaches receiving, by the hypervisor, upon initiation by the guest operating system of an executable module into a range of memory, a request from the guest operating system requesting that the range of memory utilized by the executable module on the guest operating system be identified as being execute-only access.
The combination of Tsirkin and Wei further teaches
marking, by the hypervisor, at least one physical page of memory that includes the range of memory as being execute-only access (Tsirkin, [0044], Hypervisor 108 receives the request and enables execution by modifying the permissions in hypervisor page tables 220. Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. The hypercall may be used by application code protector 210 to manipulate the permissions in hypervisor page tables 220;
Wei, Fig. 3 & [0029], At operation 312, the hypervisor 202 can write-protect the portion of OS memory 214 that stores the program code (kernel code) comprising the guest OS 216. In some embodiments, for example, the hypervisor 202 can mark the physical memory pages of physical memory 208 that are associated with VM 202 and which contain the guest OS program code (kernel pages) … those kernel pages can be marked execute-only).
receiving, from the guest operating system, upon termination by the guest operating system of the executable module from the range of memory, a request to identify the range of memory as not being limited to execute-only access; and marking the at least one physical page of memory as not being execute-only access (
upon the broadest reasonable interpretation, (1) terminating the executable module from the range of guest physical memory pages is not novel because the capacity of guest physical memory pages is limited, therefore, it is obvious that the executable module would be terminated and removed from the guest physical memory when the execution of the executable module is no longer needed; for example, Wei in [0026] teaches deleting executable code;
(2) marking the physical page of memory as not being execute-only upon termination of the executable module from the range of memory is also not novel because the range of guest physical memory pages was marked as being execute-only for the reason of detecting the loading the executable module, therefore, it is obvious to mark the physical page of memory as not being execute-only upon termination of the executable module from the range of physical memory pages. 
 
Tsirkin, [0038]-[0039], Hypervisor 108 sets permissions on the guest physical addresses by, for example, setting a set of physical memory pages stored at the guest physical memory addresses in accordance with the desired permissions in hypervisor page tables 220… Examples of access permissions are read-only, write-only, read-execute-only {not being execute-only access};
Tsirkin, [0043], kernel 204 detects the loading of application 202-1 {initiating an executable module} and a range of guest physical memory addresses {a range of memory} that should be executable by the application. Guest 111 may invoke a hypercall {request} enabling passing the guest physical memory addresses at which the memory pages storing the kernel executable code are stored, requesting permission to execute these memory pages; [0044], Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. The hypercall may be used by application code protector 210 to manipulate the permissions in hypervisor page tables 220; 
Wei, Fig. 6 & [0039]-[0040], At operation 610, the TCB entry point module 506 can enable write operations to the kernel pages, namely pages in physical memory 208 associated with the VM 202 that contain the kernel code of guest OS 216. This reverses the write-protection applied to the kernel pages at operation 312 in FIG. 3 performed as part of bringing up the VM 202. In some embodiments, the memory pages can be marked with protection bits (e.g., read, write, execute), which can be set to enable write operations).
Regarding independent claim 14, Tsirkin teaches a computing device, comprising:
a memory; and a processor device coupled to the memory ([0031] & Fig. 2, processor 104, memory 106, & [0023]-[0024]) to: … 
(Claim recites substantially the same limitations as in claim 1, and is therefore rejected for the same reasons set forth in the analysis of claim 1).
Additionally, in view of Wei, Tsirkin further teaches initiate a hypervisor ([0002], A host machine, such as a server computer may concurrently run one or more virtual machines using software that is referred to as a hypervisor. [0007] & [0024], The software may include an operating system, a hypervisor 108. Upon the broadest reasonable interpretation, the hypervisor software is initiated by the host machine. Note relied upon, Ramakrishnan Nair is cited to show the state of art: hypervisor software is initiated by the host; Ramakrishnan Nair, [0127]-[0128], When the host (i.e., device hypervisor) is initialized, the host calls SETDHBASE to allow the system to store the base address of its page table).
Regarding independent claim 18, Tsirkin teaches a computer program product stored on a non-transitory computer-readable storage medium and including instructions configured to cause a processor device ([0007], a non-transitory machine-readable medium includes a plurality of machine-readable instructions that when executed by one or more processors are adapted to cause the one or more processors to perform a method) to: …
(Claim recites substantially the same limitations as in claims 1 & 14, and is therefore rejected for the same reasons set forth in the analysis of claims 1 & 14).
Regarding claim(s) 6, the combination of Tsirkin and Wei further teaches wherein receiving, by the hypervisor, the request from the guest operating system comprises receiving, from the guest operating system, a hypercall that includes a range of memory addresses (Tsirkin, [0033], guest 111 invokes a hypercall that causes hypervisor 108 to set permissions of a set of memory pages corresponding to memory allocated to the guest; [0043], kernel 204 detects the loading of application 202-1 and a range of guest physical memory addresses that should be executable by the application. Guest 111 may invoke a hypercall enabling passing the guest physical memory addresses at which the memory pages storing the kernel executable code are stored, requesting permission).
Regarding claim(s) 7, 16 and 20, the combination of Tsirkin and Wei further teaches wherein the request from the guest operating system comprises a range of guest operating system memory addresses (Tsirkin, [0033], [0043]) and further comprising: translating the guest operating system memory addresses to a range of physical memory addresses (Tsirkin, [0036], Kernel 204 maintains data structures that map {translating} the virtual memory of each application into the physical memory of the computer. The data structures may be page tables that establish an association between the virtual addresses of a user process and the physical memory of the system. For each application executing in host machine 102, kernel 204 may create a set of page tables to map virtual addresses assigned to the respective application to physical address in memory 106);
determining at least one physical page of memory that includes memory addressed by the range of physical memory addresses (Tsirkin, [0043], kernel 204 detects the loading of application 202-1 and a range of guest physical memory addresses that should be executable by the application. Guest 111 may invoke a hypercall enabling passing the guest physical memory addresses at which the memory pages storing the kernel executable code are stored, requesting permission to execute these memory pages);
accessing at least one page table entry of a page table, the at least one page table entry corresponding to the at least one physical page of memory (Tsirkin, [0036], Kernel 204 maintains data structures that map {translating} the virtual memory of each application into the physical memory of the computer. The data structures may be page tables that establish an association between the virtual addresses of a user process and the physical memory of the system;
[0044], Hypervisor 108 receives the request and enables execution by modifying the permissions in hypervisor page tables 220. Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions); and
modifying information in the at least one page table entry to identify the at least one physical page of memory as being execute-only access (Tsirkin, [0038], Setting a set of physical memory pages to a desired permission may refer to setting the physical memory addresses at which the physical memory pages are stored to the desired permission; [0044], Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. Note that, Wei teaches memory page is “execute-only” as discussed above).
Regarding claim(s) 8, the combination of Tsirkin and Wei further teaches wherein the processor device determines access rights to physical pages of memory based on information in the page table (Tsirkin, [0044], Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. The hypercall may be used by application code protector 210 to manipulate the permissions in hypervisor page tables 220; Wei teaches memory page is “execute-only” as discussed above).
Regarding claim(s) 9, the combination of Tsirkin and Wei further teaches initiating, by the guest operating system, a kernel module into the range of memory (Tsirkin, [0044], application code protector 210 detects that application 202-1 is being loaded and determines which guest physical memory pages {range of memory} allocated to the application should be executable; Wei, [0029], At operation 312, the hypervisor 202 can write-protect the portion of OS memory 214 that stores the program code (kernel code) comprising the guest OS 216… those kernel pages can be marked execute-only); and 
communicating, to the hypervisor, the request that the range of memory be identified as being execute-only access (Tsirkin, [0044], send a request for permission to execute the physical memory pages storing executable application code to hypervisor 108. The request may include the guest physical memory addresses of these memory pages. In some examples, application code protector 210 invokes a hypercall and passes the guest physical addresses of the physical memory pages, requesting permission to execute these pages. Hypervisor 108 receives the request and enables execution by modifying the permissions in hypervisor page tables 220. Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions; Wei teaches the range of memory is “execute-only” as discussed above).
Regarding claim(s) 10, the combination of Tsirkin and Wei further teaches initiating, by the guest operating system, a firmware module into the range of memory (Tsirkin, [0044], application code protector 210 detects that application 202-1 (e.g., a firmware module) is being loaded and determines which guest physical memory pages {range of memory} allocated to the application should be executable. Note that, it is well known in the art that a firmware module is an obvious choice of an application, which is executable and loadable into a range of memory); and 
communicating, to the hypervisor, the request that the range of memory be identified as being execute-only access (Tsirkin, [0044], send a request for permission to execute the physical memory pages storing executable application code to hypervisor 108. The request may include the guest physical memory addresses of these memory pages. In some examples, application code protector 210 invokes a hypercall and passes the guest physical addresses of the physical memory pages, requesting permission to execute these pages. Hypervisor 108 receives the request and enables execution by modifying the permissions in hypervisor page tables 220. Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions; Wei teaches memory page is “execute-only” as discussed above).
Regarding claim(s) 12, the combination of Tsirkin and Wei further teaches removing, by the guest operating system, a kernel module from the range of memory; and communicating the request to identify the range of memory as not being limited to execute-only access (
upon the broadest reasonable interpretation, (1) terminating/removing the executable module from the range of guest physical memory pages is not novel because the capacity of guest physical memory pages is limited, therefore, it is obvious that the executable module would be terminated and removed from the guest physical memory when the execution of the executable module is no longer needed; for example, Wei in [0026] teaches deleting executable code; (2) marking the physical page of memory as not being execute-only upon termination of the executable module from the range of memory is also not novel because the range of guest physical memory pages was marked as being execute-only for the reason of detecting the loading the executable module, therefore, it is obvious to mark the physical page of memory as not being execute-only upon termination of the executable module from the range of physical memory pages. 
Wei, Fig. 3 & [0029], At operation 312, the hypervisor 202 can write-protect the portion of OS memory 214 that stores the program code (kernel code) comprising the guest OS 216. In some embodiments, for example, the hypervisor 202 can mark the physical memory pages of physical memory 208 that are associated with VM 202 and which contain the guest OS program code (kernel pages) … those kernel pages can be marked execute-only
Tsirkin, [0044], application code protector 210 detects that application 202-1 (e.g., a kernel module) is being loaded and determines which guest physical memory pages {range of memory} allocated to the application should be executable.
Note that, when the executable code, e.g., kernel code, is unloaded from the range of memory, the “execute only” setting is not needed. Thus. the range of memory as not being limited to execute-only access would be obvious.
[0038]-[0039], Hypervisor 108 sets permissions on the guest physical addresses by, for example, setting a set of physical memory pages stored at the guest physical memory addresses in accordance with the desired permissions in hypervisor page tables 220).
Regarding claim(s) 13, the combination of Tsirkin and Wei further teaches determining, by the hypervisor, that a plurality of physical pages of memory encompasses the range of memory; and marking, by the hypervisor, the plurality of physical pages of memory as being execute-only access (Tsirkin, [0044], Application code protector 210 may send a request for permission to execute the physical memory pages storing executable application code to hypervisor 108. The request may include the guest physical memory addresses of these memory pages. In some examples, application code protector 210 invokes a hypercall and passes the guest physical addresses of the physical memory pages… Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. The hypercall may be used by application code protector 210 to manipulate the permissions in hypervisor page tables 220; Wei teaches the range of memory is “execute-only” as discussed above).
Claims 2-5, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin et al. (US 2017/0249173; hereinafter Tsirkin) in view of Wei et al. (US 2021/0026785; hereinafter Wei), further in view of Ramakrishnan Nair (US 2014/0173600).
Regarding claim(s) 2, 15 and 19, the combination of Tsirkin and Wei teaches hypervisor modifying the permissions in hypervisor page tables to limit access to physical pages of memory to execute-only access (Tsirkin, [0044], Hypervisor 108 receives the request and enables execution by modifying the permissions in hypervisor page tables 220. Hypervisor 108 may set bits in hypervisor page tables 220 based on the requested access permissions. The hypercall may be used by application code protector 210 to manipulate the permissions in hypervisor page tables 220;
Wei, Fig. 3 & [0029], At operation 312, the hypervisor 202 can write-protect the portion of OS memory 214 that stores the program code (kernel code) comprising the guest OS 216. In some embodiments, for example, the hypervisor 202 can mark the physical memory pages of physical memory 208 that are associated with VM 202 and which contain the guest OS program code (kernel pages) … those kernel pages can be marked execute-only).
However, Tsirkin and Wei do not explicitly teach determining, by the hypervisor, that the processor device has a capability to limit access to physical pages of memory.
In an analogous art of virtual machine, Ramakrishnan Nair teaches determining, by the hypervisor, that the processor device has a capability to limit access to physical pages of memory to execute-only access ([0080], During the early phase of booting of the guest OS, a device manager client 541 performs a hypercall to the host to pull a list of virtual device configurations, and the corresponding virtual device drivers to be loaded on the guest OS; [0127]-[0128] & [0136], INTEL® VT-x extended page table (EPT) provides the capability to map pages as execute-only and read/write protected. This is enabled by setting the bit 0 of IA32_VMX_EPT_VPID_CAP MSR (i.e., index 48CH)).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention was made, with the teachings of Tsirkin, Wei and Ramakrishnan Nair before them, to improve Tsirkin and Wei’s hypervisor marking the range of memory as “execute only” in extended page table with Ramakrishnan Nair’s hypervisor determines EPT providing the capability to map pages as execute-only and read/write protected for the benefits of utilizing security feature that all sensitive information could be contained in the execute-only space that disables the memory permissions of Read and Write for each of the specified memory pages (Ramakrishnan Nair, [0095], page is maintained execute-only (i.e., read/write protected) by using the INTEL® VT feature of extended page table (EPT); [0099], all sensitive information used from the host are contained in the execute-only … thus no guest process can read or modify).
Regarding claim(s) 3, in view of Tsirkin and Wei, Ramakrishnan Nair further teaches wherein determining that the processor device has the capability to limit access to physical pages of memory to execute-only access comprises accessing a control register of the processor device that indicates whether the processor device is capable of limiting access to physical pages of memory to execute-only access ([0136], INTEL® VT-x extended page table (EPT) provides the capability to map pages as execute-only and read/write protected. This is enabled by setting the bit 0 of IA32_VMX_EPT_VPID_CAP MSR (i.e., index 48CH)).
Regarding claim(s) 4, Tsirkin and Wei do not explicitly teach, in an analogous art of virtual machine, Ramakrishnan Nair teaches modifying CPUID information of a virtual processor device that indicates the processor device has a capability to limit access to physical pages of memory to execute-only access ([0136], INTEL® VT-x extended page table (EPT) provides the capability to map pages as execute-only and read/write protected. This is enabled by setting {modifying} the bit 0 {CPUID information} of IA32_VMX_EPT_VPID_CAP MSR (i.e., index 48CH)).
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention was made, with the teachings of Tsirkin, Wei and Ramakrishnan Nair before them, to improve Tsirkin and Wei’s hypervisor marking the range of memory as “execute only” in extended page table with Ramakrishnan Nair’s CPUID information of a virtual processor device that indicates the processor device has a capability to limit access to physical pages of memory to execute-only access for the benefits of utilizing security feature that all sensitive information could be contained in the execute-only space that disables the memory permissions of Read and Write for each of the specified memory pages (Ramakrishnan Nair, [0095], page is maintained execute-only (i.e., read/write protected) by using the INTEL® VT feature of extended page table (EPT); [0099], all sensitive information used from the host are contained in the execute-only … thus no guest process can read or modify).
Regarding claim(s) 5, in view of Tsirkin and Wei, Ramakrishnan Nair further teaches requesting, by the guest operating system, the CPUID information of the virtual processor device; and based on the CPUID information, determining that the processor device has the capability to limit access to physical pages of memory to execute-only access ([0080], During the early phase of booting of the guest OS, a device manager client 541 performs a hypercall to the host to pull a list of virtual device configurations, and the corresponding virtual device drivers to be loaded on the guest OS; [0127]-[0128] & [0136], INTEL® VT-x extended page table (EPT) provides the capability to map pages as execute-only and read/write protected. This is enabled by setting the bit 0 of IA32_VMX_EPT_VPID_CAP MSR (i.e., index 48CH)).
Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRACY C CHAN whose telephone number is (571)272-9992.  The examiner can normally be reached on Monday - Friday 10 AM to 6 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, TIM VO can be reached on (571)272-3642.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/TRACY C CHAN/            Primary Examiner, Art Unit 2138