Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response an amendment application received on 02/14/2022. In the amendment, applicant has amended independent claims 1, 9 and 15. Claims 3, 11 and 17 remain cancelled. Claims 2, 4-10, 12-16 and 18-23 remain original. 
For this office action, claims 1-2, 4-10, 12-16 and 18-23 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections – 35 U.S.C. § 103
Applicant’s arguments, filed 02/14/2022, with respect to the rejections of claims under 35 U.S.C. § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new grounds of rejection is made in view of new amendments to the independent claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4, 6-7, 9-10, 12-13, 15-16 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of NPL Document “POWER8/9 Deep Dive” dated Nov 11, 2016, hereinafter referred as NPL#1 in view of Mummidi et al., (US20180088804A1) and further in view of Golomb et al., (US8756695B1).
Regarding claim 1, Bunch discloses:
A computer-implemented process for secure memory sharing between enclaves and virtual input/output adapters, the computer-implemented process comprising:
providing a system for performing a computer-implemented process for secure memory sharing between enclaves and virtual input/output adapters, wherein the system comprises a host (See FIG. 2; 200/See FIG. 7B; 706), an enclave (See FIG. 2; 208) and  wherein the host comprises a processor and a memory in communication with the processor to perform the computer-implemented process (See FIG. 7B; Computing platform 706 depicts CPU and memory in [0085-0086]);
Enclave: Controller VM / a second virtualized computer (i.e. FIG. 2; 206)
Managed memory space: user VM / a first virtualized computer (i.e. FIG.2; 208)
Virtual I/O adapter: iSCSI adapter (i.e. FIG. 2; vDisk iSCSI Adapter 222)
See FIG. 2 which depicts vDisk iSCSI Adapter attached to Controller VM 206; also see [0043]);
ii) creating (i.e. instantiate) a managed memory space (See FIG. 2; [0032] The hypervisor 204 is configured to support/instantiate one or more virtual machines, such as user VM 208 and controller VM 206);
iii) having a key by a memory encryption engine (i.e. DEK 224) for the virtual input/output adapter for use by only the virtual input/output adapter (See FIG. 2; [0038] As illustrated in FIG. 2, in some embodiments, the DEK 224 is stored within a vDisk iSCSI adapter 222);
iv) in response to a request to obtain data, exchanging the key with the managed memory space (See FIG. 2; discloses an exchange of Key encryption key (KEK) and Decryption key (DEK) for communication between the controller VM and User VM; see [0036] for details; also see FIG. 4 a; [0052] Referring to FIG. 4a , at 402 a, a first virtualized computer, such as a user VM, may initiate an IPsec session with a second virtualized computer, such as a controller VM. At 404, the first virtualized computer sends a network communication (such as an iSCSI request) including an authentication key, e.g., a KEK via the IPsec session);
v) in response to receiving the key, decrypting data of only the managed memory space associated with the virtual input/output adapter to obtain the data (FIG. 4 a; [0053] At 410, the second virtualized computer may authenticate the KEK, for example, by trying to decrypt the second key, the DEK, using the KEK; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation); and
FIG. 4 a; [0053] At 414 a, if the KEK is valid, then the KEK may be used to decrypt the DEK. The DEK may be used to encrypt/decrypt the network communication; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation).
Because Bunch’s managed memory spaces are implemented as VMs (as opposed to isolated memory spaces comprising only data), and the VMs are the entity issuing the write/read requests,
Bunch does not disclose:
	an interrupt virtualization engine, in response to receipt of an interrupt from within the system by the interrupt virtualization engine, routing the interrupt directly to the enclave, wherein the routing bypasses the processor; creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space is within memory; wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter.
However, NPL Document discloses:
	an interrupt virtualization engine (See Figure in NPL Page # 18 discloses External Interrupt Virtualization Engine (XIVE)), 
See NPL Page # 18 depicting External Interrupt Virtualization Engine (XIVE) hardware processing system interrupts and directing system interrupts directly to target guest Operating system. NPL also discloses that XIVE hardware eliminates [bypass/evade] host processor overhead while routing interrupts directly to the target guest OS).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch reference and include External Interrupt Virtualization Engine (XIVE) hardware for controlling and directing system interrupts away from the main processor and directly to guest operating system, as disclosed by NPL document. 
The motivation to include External Interrupt Virtualization Engine (XIVE) hardware for controlling and directing system interrupts away from the main processor and directly to guest operating system is to improve performance and throughput of the main physical host system and guest operating system by not involving main physical host system processor for guest OS. 
The combination of Bunch and NPL document fails to disclose:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space 
However, Mummidi discloses:
	creating the virtual I/O adapter (i.e., create virtual interface) in response to a request to create a virtual input/output adapter ([0014] For example, if peripheral device 120 is connected to host 110 via peripheral component interconnect express (PCIe), then a virtual interface may be created by utilizing single root input/output virtualization (SR-IOV) to create a virtual function that mirrors the interface that would be exposed by a controller for non-volatile storage devices 130);
wherein a managed memory space [storage partition] comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter ([0032] the control interface 410 for the peripheral device performs 412 the partitioning and formatting of the storage partition according to the configuration request 402 and then attaches or binds the storage partition to a virtual interface that has been launched/created/instantiated for the new storage partition (e.g., virtual interface 432 bound 440 to storage partition 422));
wherein a key is generated ([0034] encryption configuration request 406 may provide a key for one virtual interface, such as virtual interface 434);
wherein the request to obtain data from the enclave is by the virtual input/output adapter (Fig. 6; step 676, [0041] provides for the adapter requesting to read data from the storage device);
Fig 6; [0041] The I/O submission entry may indicate the request to read encrypted read data 642 from storage partition 660 in non-volatile storage device 650. The controller may then write 680 data 642 from storage partition 660 to a location in data buffer 635);
wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter (Fig 6, step 680; [0041] provides data is sent from storage partition 660 to virtual I/O adapter).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch and NPL#1 references and create encrypted virtual I/O adapter along with the creation of virtual machine instance, as disclosed by Mummidi.
The motivation to create encrypted virtual I/O adapter along with the creation of virtual machine instance is to provide encryption on per-virtual interface basis for each virtual machine instance. 
The combination of Bunch, NPL # 1, and Mummidi fails to explicitly disclose:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment, and wherein the at least one non-executable data segment comprises one of a portion of an object file and virtual address space of a program comprising one or more initialized static variable.
However, Golomb discloses:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment (Col. 5, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables), 
wherein the at least one non-executable data segment comprises one of a portion of an object file and virtual address space of a program comprising one or more initialized static variable (Col. 5, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch, NPL#1 and Mummidi references and store any type of data including non-executable data in a protected memory region such as that found within and identified by the data segment of a common file disclosed in Golomb.
	The motivation to store and protect any data including non-executable data would be to protect all known types of data including non-executable data in the protected memory region. 
Regarding claim 2, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The computer-implemented process of claim 1, wherein the computer-implemented process is performed concurrently for a plurality of non-sharable micro-enclaves and a corresponding plurality of virtual input/output adapters (Mummidi: See FIG. 4; [0031-0032]).
Regarding claim 4, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The computer-implemented process of claim 1, wherein sending the data comprises using direct memory access (Mummidi: See [0037]).
Regarding claim 6, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
Mummidi: See [0014] & [0032]).
Regarding claim 7, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The computer-implemented process of claim 1, further comprising attaching the virtual input/output adapter to the enclave at a time when creating the virtual input/output adapter (Mummidi: See [0032]).
Regarding claim 9, Bunch discloses:
A computer program product for facilitating secure memory sharing between enclaves and virtual input/output adapters, the computer program product comprising:
a non-transitory storage medium readable by a processor of a host within a system, the system further comprising an enclave and an interrupt virtualization engine, the non-transitory storage medium storing instructions for performing a method of secure memory sharing between enclaves and virtual input/output adapters, the method comprising:
providing a system for performing a computer-implemented process for secure memory sharing between enclaves and virtual input/output adapters, wherein the system comprises a host (See FIG. 2; 200/See FIG. 7B; 706), an enclave (See FIG. 2; 208) and  wherein the host comprises a processor and a memory in communication with the processor to perform the computer-implemented process (See FIG. 7B; Computing platform 706 depicting CPU and memory in [0085-0086]);
Enclave: Controller VM / a second virtualized computer (i.e. FIG. 2; 206)
Managed memory space: user VM / a first virtualized computer (i.e. FIG.2; 208)
i.e. FIG. 2; vDisk iSCSI Adapter 222)
i) having a virtual input/output adapter associated with the enclave (See FIG. 2 which depicts vDisk iSCSI Adapter attached to Controller VM 206; also see [0043]);
ii) creating (i.e. instantiate) a managed memory space (See FIG. 2; [0032] The hypervisor 204 is configured to support/instantiate one or more virtual machines, such as user VM 208 and controller VM 206);
iii) having a key by a memory encryption engine (i.e. DEK 224) for the virtual input/output adapter for use by only the virtual input/output adapter (See FIG. 2; [0038] As illustrated in FIG. 2, in some embodiments, the DEK 224 is stored within a vDisk iSCSI adapter 222);
iv) in response to a request to obtain data, exchanging the key with the managed memory space (See FIG. 2; discloses an exchange of Key encryption key (KEK) and Decryption key (DEK) for communication between the controller VM and User VM; see [0036] for details; also see FIG. 4 a; [0052] Referring to FIG. 4a , at 402 a, a first virtualized computer, such as a user VM, may initiate an IPsec session with a second virtualized computer, such as a controller VM. At 404, the first virtualized computer sends a network communication (such as an iSCSI request) including an authentication key, e.g., a KEK via the IPsec session);
v) in response to receiving the key, decrypting data of only the managed memory space associated with the virtual input/output adapter to obtain the data (FIG. 4 a; [0053] At 410, the second virtualized computer may authenticate the KEK, for example, by trying to decrypt the second key, the DEK, using the KEK; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation); and
vi) sending the data to the virtual input/output adapter (FIG. 4 a; [0053] At 414 a, if the KEK is valid, then the KEK may be used to decrypt the DEK. The DEK may be used to encrypt/decrypt the network communication; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation).
Because Bunch’s managed memory spaces are implemented as VMs (as opposed to isolated memory spaces comprising only data), and the VMs are the entity issuing the write/read requests,
Bunch does not disclose:
	an interrupt virtualization engine, in response to receipt of an interrupt from within the system by the interrupt virtualization engine, routing the interrupt directly to the enclave, wherein the routing bypasses the processor; creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space is within memory; wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter.
However, NPL Document discloses:
	an interrupt virtualization engine (See Figure in NPL Page # 18), 
See NPL Page # 18 depicting External Interrupt Virtualization Engine (XIVE) hardware processing system interrupts and directing system interrupts directly to target guest Operating system. NPL also discloses that XIVE hardware also eliminates host processor overhead while routing interrupts to the target guest OD).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch reference and include External Interrupt Virtualization Engine (XIVE) hardware for controlling and directing system interrupts away from the main processor and directly to guest operating system, as disclosed by NPL document. 
The motivation to include External Interrupt Virtualization Engine (XIVE) hardware for controlling and directing system interrupts away from the main processor and directly to guest operating system is to improve performance and throughput of the main physical host system and guest operating system by not involving main physical host system processor. 
The combination of Bunch and NPL document fails to disclose:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space 
However, Mummidi discloses:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter ([0014] For example, if peripheral device 120 is connected to host 110 via peripheral component interconnect express (PCIe), then a virtual interface may be created by utilizing single root input/output virtualization (SR-IOV) to create a virtual function that mirrors the interface that would be exposed by a controller for non-volatile storage devices 130);
wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter ([0032] the control interface 410 for the peripheral device performs 412 the partitioning and formatting of the storage partition according to the configuration request 402 and then attaches or binds the storage partition to a virtual interface that has been launched/created/instantiated for the new storage partition (e.g., virtual interface 432 bound 440 to storage partition 422));
wherein a key is generated ([0034] encryption configuration request 406 may provide a key for one virtual interface, such as virtual interface 434);
wherein the request to obtain data from the enclave is by the virtual input/output adapter (Fig. 6; step 676, [0041] provides for the adapter requesting to read data from the storage device);
wherein the data of the managed memory space is within memory (Fig 6; [0041] The I/O submission entry may indicate the request to read encrypted read data 642 from storage partition 660 in non-volatile storage device 650. The controller may then write 680 data 642 from storage partition 660 to a location in data buffer 635);
wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter (Fig 6, step 680; [0041] provides data is sent from storage partition 660 to virtual I/O adapter).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch and NPL references and create encrypted virtual I/O adapter along with the creation of virtual machine instance, as disclosed by Mummidi.
The motivation to create encrypted virtual I/O adapter along with the creation of virtual machine instance is to provide encryption on per-virtual interface basis for each virtual machine instance. 
The combination of Bunch, NPL # 1, and Mummidi fails to explicitly disclose:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment, and wherein the at least one non-executable data segment comprises one of a portion of an object file or virtual address space of a program comprising one or more initialized static variable.
However, Golomb discloses:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment (Col. 6, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables), 
non-executable data segment comprises one of a portion of an object file or virtual address space of a program comprising one or more initialized static variable (Col. 6, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch, NPL#1 and Mummidi references and have a memory section which stores non-executable information in data segment, as disclosed by Golomb.
	The motivation have a memory section which stores non-executable information in data segment is to defend the non-executable information in the memory from malicious access. 
Regarding claim 10, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The computer program product of claim 9, wherein the method further comprises performing the method concurrently for a plurality of non-sharable micro-enclaves and a corresponding plurality of virtual input/output adapters (Mummidi: See FIG. 4; [0031-0032]).
Regarding claim 12, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The computer program product of claim 9, wherein sending the data comprises using at least one of direct memory access, remote direct memory access and single-root input/output virtualization (Mummidi: See [0014] & [0032]).
Regarding claim 13, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
Mummidi: See [0032]).
Regarding claim 15, Bunch discloses:
A system for secure memory sharing between enclaves and input/output adapters, the system comprising: 
the system for performing a computer-implemented process for secure memory sharing between enclaves and virtual input/output adapters, wherein the system comprises a host (See FIG. 2; 200/See FIG. 7B; 706), an enclave (See FIG. 2; 208) and  wherein the host comprises a processor and a memory in communication with the processor to perform the computer-implemented process (See FIG. 7B; Computing platform 706 depicting CPU and memory in [0085-0086]);
Enclave: Controller VM / a second virtualized computer (i.e. FIG. 2; 206)
Managed memory space: user VM / a first virtualized computer (i.e. FIG.2; 208)
Virtual I/O adapter: iSCSI adapter (i.e. FIG. 2; vDisk iSCSI Adapter 222)
i) having a virtual input/output adapter associated with the enclave (See FIG. 2 which depicts vDisk iSCSI Adapter attached to Controller VM 206; also see [0043]);
ii) creating (i.e. instantiate) a managed memory space (See FIG. 2; [0032] The hypervisor 204 is configured to support/instantiate one or more virtual machines, such as user VM 208 and controller VM 206);
iii) having a key by a memory encryption engine (i.e. DEK 224) for the virtual input/output adapter for use by only the virtual input/output adapter (See FIG. 2; [0038] As illustrated in FIG. 2, in some embodiments, the DEK 224 is stored within a vDisk iSCSI adapter 222);
iv) in response to a request to obtain data, exchanging the key with the managed memory space (See FIG. 2; discloses an exchange of Key encryption key (KEK) and Decryption key (DEK) for communication between the controller VM and User VM; see [0036] for details; also see FIG. 4 a; [0052] Referring to FIG. 4a , at 402 a, a first virtualized computer, such as a user VM, may initiate an IPsec session with a second virtualized computer, such as a controller VM. At 404, the first virtualized computer sends a network communication (such as an iSCSI request) including an authentication key, e.g., a KEK via the IPsec session);
v) in response to receiving the key, decrypting data of only the managed memory space associated with the virtual input/output adapter to obtain the data (FIG. 4 a; [0053] At 410, the second virtualized computer may authenticate the KEK, for example, by trying to decrypt the second key, the DEK, using the KEK; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation); and
vi) sending the data to the virtual input/output adapter (FIG. 4 a; [0053] At 414 a, if the KEK is valid, then the KEK may be used to decrypt the DEK. The DEK may be used to encrypt/decrypt the network communication; also see FIG. 4 b [0057-0058] for network communication between first virtualized computer and second virtualized computer iSCSI adapter KEK and DEK encryption operation).
Because Bunch’s managed memory spaces are implemented as VMs (as opposed to isolated memory spaces comprising only data), and the VMs are the entity issuing the write/read requests,
Bunch does not disclose:
	an interrupt virtualization engine, in response to receipt of an interrupt from within the system by the interrupt virtualization engine, routing the interrupt directly to the enclave, wherein the routing bypasses the processor; creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space is within memory; wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter.
However, NPL Document discloses:
	an interrupt virtualization engine (See Figure in NPL Page # 18), 
in response to receipt of an interrupt from within the system by the interrupt virtualization engine, routing the interrupt directly to the enclave, wherein the routing bypasses the processor (See NPL Page # 18 depicting External Interrupt Virtualization Engine (XIVE) hardware processing system interrupts and directing system interrupts directly to target guest Operating system. NPL also discloses that XIVE hardware also eliminates host processor overhead while routing interrupts to the target guest OD).

The motivation to include External Interrupt Virtualization Engine (XIVE) hardware for controlling and directing system interrupts away from the main processor and directly to guest operating system is to improve performance and throughput of the main physical host system and guest operating system by not involving main physical host system processor. 
The combination of Bunch and NPL document fails to disclose:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter; wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter; wherein a key is generated; wherein the request to obtain data from the enclave is by the virtual input/output adapter; wherein the data of the managed memory space is within memory; wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter.
However, Mummidi discloses:
	creating the virtual I/O adapter in response to a request to create a virtual input/output adapter ([0014] For example, if peripheral device 120 is connected to host 110 via peripheral component interconnect express (PCIe), then a virtual interface may be created by utilizing single root input/output virtualization (SR-IOV) to create a virtual function that mirrors the interface that would be exposed by a controller for non-volatile storage devices 130);
wherein a managed memory space (storage partition) comprises a non-sharable micro-enclave, to contain only data, nested within the enclave to use with the virtual input/output adapter ([0032] the control interface 410 for the peripheral device performs 412 the partitioning and formatting of the storage partition according to the configuration request 402 and then attaches or binds the storage partition to a virtual interface that has been launched/created/instantiated for the new storage partition (e.g., virtual interface 432 bound 440 to storage partition 422));
wherein a key is generated ([0034] encryption configuration request 406 may provide a key for one virtual interface, such as virtual interface 434);
wherein the request to obtain data from the enclave is by the virtual input/output adapter (Fig. 6; step 676, [0041] provides for the adapter requesting to read data from the storage device);
wherein the data of the managed memory space is within memory (Fig 6; [0041] The I/O submission entry may indicate the request to read encrypted read data 642 from storage partition 660 in non-volatile storage device 650. The controller may then write 680 data 642 from storage partition 660 to a location in data buffer 635);
wherein the data is sent from the non-sharable micro-enclave nested within the enclave to the virtual I/O adapter (Fig 6, step 680; [0041] provides data is sent from storage partition 660 to virtual I/O adapter).

The motivation to create encrypted virtual I/O adapter along with the creation of virtual machine instance is to provide encryption on per-virtual interface basis for each virtual machine instance. 
The combination of Bunch, NPL # 1, and Mummidi fails to explicitly disclose:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment, and wherein the at least one non-executable data segment comprises one of a portion of an object file or virtual address space of a program comprising one or more initialized static variable.
However, Golomb discloses:
	wherein the data of the non-shareable micro-enclave comprises at least non-executable data segment (Col. 6, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables), 
wherein the at least one non-executable data segment comprises one of a portion of an object file or virtual address space of a program comprising one or more initialized static variable (Col. 6, Line # 51-54; Alternatively, data section 129 may be loaded into data segment 165 on a determination that data section 129 contains non-executable data such as constants and initialized and/or uninitialized variables).

	The motivation have a memory section which stores non-executable information in data segment is to defend the non-executable information in the memory from malicious access.
Regarding claim 16, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The system of claim 15, wherein the method is performed concurrently for a plurality of non-sharable micro-enclaves and a corresponding plurality of virtual input/output adapters (Mummidi: See FIG. 4; [0031-0032])..
Regarding claim 18, the combination of Bunch, NPL#1, Mummidi and Golomb discloses:
The system of claim 15, wherein sending the data comprises using at least one of direct memory access, remote direct memory access and single-root input/output virtualization (Mummidi: See [0014] & [0032]).
Regarding claim 19, the combination of Bunch, NPL#1 and Mummidi discloses:
The system of claim 15, further comprising attaching the virtual input/output adapter to the enclave at a time when creating the virtual input/output adapter (Mummidi: See [0032]).

Claims 8, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of NPL Document “POWER8/9 Deep Dive” dated Nov 11, 2016, hereinafter referred as NPL#1 in view of Mummidi et al., (US20180088804A1) in view of dated 2007, 2009 hereinafter referred as NPL#2.
Regarding claim 8, the combination of Bunch, NPL#1, Mummidi and Golomb fails to disclose:
The computer-implemented process of claim 1, further comprising: 
attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system.
However, NPL#2 discloses:
	attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system (See Page # 144; “Installing or replacing a PCI adapter with the system power on in Virtual I/O Server”; Also see Page # 145; “Installing a PCI adapter” & “Replacing a PCI Adapter”).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Bunch, NPL#1, Mummidi and Golomb references and include hot plug operation for installing or replacing a PCI adapters, as disclosed by NPL Document.
	The motivation to include hot plug operation for installing or replacing a PCI adapters is to activate the PCI adapters without having to reboot the system.
Regarding claim 14, the combination of Bunch, NPL#1, Mummidi and Golomb fails to discloses:
The computer program product of claim 9, further comprising:
attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system.
However, NPL#2 discloses:
	attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system (See Page # 144; “Installing or replacing a PCI adapter with the system power on in Virtual I/O Server”; Also see Page # 145; “Installing a PCI adapter” & “Replacing a PCI Adapter”).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Bunch, NPL#1, Mummidi and Golomb references and include hot plug operation for installing or replacing a PCI adapters, as disclosed by NPL Document.
	The motivation to include hot plug operation for installing or replacing a PCI adapters is to activate the PCI adapters without having to reboot the system.
Regarding claim 20, the combination of Bunch, NPL#1, Mummidi and Golomb fails to discloses:

However, NPL#2 discloses:
	attaching the virtual input/output adapter to the enclave dynamically using a hotplug operation, wherein the hotplug operation comprises performing the attaching while the system continues operating and avoids a restart of the system (See Page # 144; “Installing or replacing a PCI adapter with the system power on in Virtual I/O Server”; Also see Page # 145; “Installing a PCI adapter” & “Replacing a PCI Adapter”).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify Bunch, NPL#1, Mummidi and Golomb references and include hot plug operation for installing or replacing a PCI adapters, as disclosed by NPL Document.
	The motivation to include hot plug operation for installing or replacing a PCI adapters is to activate the PCI adapters without having to reboot the system.

Claim 5 rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of NPL Document “POWER8/9 Deep Dive” dated Nov 11, 2016, hereinafter referred as NPL#1.
Regarding claim 5, the combination of Bunch, NPL#1, Mummidi and Golomb fails to disclose:
	The computer-implemented process of claim 1, wherein sending the data comprises using remote direct memory access.
However, Axnix discloses:
	wherein sending the data comprises using remote direct memory access (See FIGS. 1-3; Col. 3; Line # 32-49).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch, NPL # 1, Mummidi and Golomb references and exchange data on the network through remote direct access memory (RDMA) technology, as disclosed by Axnix.
	The motivation to exchange data on the network through remote direct access memory (RDMA) technology is improve network throughput and performance by freeing up system resources. 
Claim 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Bunch et al., (US20160359622A1) in view of NPL Document “POWER8/9 Deep Dive” dated Nov 11, 2016, hereinafter referred as NPL#1 in view of Mummidi et al., (US20180088804A1) in view of Golomb et al., (US8756695B1) and further in view of Zeng et al., (US20150127866A1).
Regarding claim 21, the combination of Bunch, NPL#1, Mummidi and Golomb fails to disclose:

However, Zeng discloses:
wherein the interrupt includes a routing priority ([0005] An aspect method in which the interrupt direct assignment value further indicates a priority of the interrupt, in which routing the interrupt to the high level operating system guest virtual machine includes routing the interrupt as a virtual interrupt corresponding to a physical interrupt, the virtual interrupt having a virtual interrupt identification being the same as a physical interrupt identification of the corresponding physical interrupt, and in which routing the interrupt to the virtual machine monitor includes routing the interrupt as the physical interrupt. An aspect method in which the priority of the interrupt comprises a fast interrupt and a normal interrupt, and in which routing the interrupt to the high level operating system guest virtual machine further includes routing the interrupt to a first interrupt interface dedicated for fast virtual interrupts when the interrupt is the fast interrupt, and routing the interrupt to a second interrupt interface dedicated for normal virtual interrupts when the interrupt is the normal interrupt).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch, NPL#1, Mummidi and Golomb references and include a method of routing the interrupt based on priority of the interrupt, as disclosed by Zeng. 

Regarding claim 22, the combination of Bunch, NPL#1, Mummidi and Golomb fails to disclose:
The computer program product of claim 9, wherein the interrupt includes a routing priority.
However, Zeng discloses:
wherein the interrupt includes a routing priority ([0005] An aspect method in which the interrupt direct assignment value further indicates a priority of the interrupt, in which routing the interrupt to the high level operating system guest virtual machine includes routing the interrupt as a virtual interrupt corresponding to a physical interrupt, the virtual interrupt having a virtual interrupt identification being the same as a physical interrupt identification of the corresponding physical interrupt, and in which routing the interrupt to the virtual machine monitor includes routing the interrupt as the physical interrupt. An aspect method in which the priority of the interrupt comprises a fast interrupt and a normal interrupt, and in which routing the interrupt to the high level operating system guest virtual machine further includes routing the interrupt to a first interrupt interface dedicated for fast virtual interrupts when the interrupt is the fast interrupt, and routing the interrupt to a second interrupt interface dedicated for normal virtual interrupts when the interrupt is the normal interrupt).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Bunch, NPL#1, Mummidi and 
The motivation to include method of routing the interrupt based on priority of the interrupt is to ensure high priority interrupts get processed by the processor first than low priority interrupts to rapidly process high demand code in the CPU. 
Regarding claim 23, the combination of Bunch, NPL#1, Mummidi and Golomb fails to disclose:
The system of claim 15, wherein the interrupt includes a routing priority.
However, Zeng discloses:
wherein the interrupt includes a routing priority ([0005] An aspect method in which the interrupt direct assignment value further indicates a priority of the interrupt, in which routing the interrupt to the high level operating system guest virtual machine includes routing the interrupt as a virtual interrupt corresponding to a physical interrupt, the virtual interrupt having a virtual interrupt identification being the same as a physical interrupt identification of the corresponding physical interrupt, and in which routing the interrupt to the virtual machine monitor includes routing the interrupt as the physical interrupt. An aspect method in which the priority of the interrupt comprises a fast interrupt and a normal interrupt, and in which routing the interrupt to the high level operating system guest virtual machine further includes routing the interrupt to a first interrupt interface dedicated for fast virtual interrupts when the interrupt is the fast interrupt, and routing the interrupt to a second interrupt interface dedicated for normal virtual interrupts when the interrupt is the normal interrupt).

The motivation to include method of routing the interrupt based on priority of the interrupt is to ensure high priority interrupts get processed by the processor first than low priority interrupts to rapidly process high demand code in the CPU. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432                                                                                                                                                                                                        

/S.M.A./Patent Examiner, Art Unit 2432