Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on 1/15/2020, 1/16/2020 and 4/6/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.

Drawings
The drawings are objected to because of a typographical error.  Figs. 5A and 6B recite “using the encription path” and should recite “using the encryption path”.
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claim 8 is objected to because of the following informalities:  the claim recites “The system claim 7” and should recite “The system of claim 7”.  Appropriate correction is required.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1-5, 10-14, and 15-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Debout (2014/0101459).

Regarding claim 1, Debout teaches
a system, comprising: 
a processor core; and 
a memory controller comprising an encryption path and a bypass path, wherein the encryption path comprises an encryption engine for encrypting and decrypting data, wherein the memory controller is configured to: (Debout, [0020] Various embodiments of the present invention are related to integrated circuits for processing data at a microcontroller interface, and more particularly to systems, devices and methods of programming a data path at the microcontroller interface by selecting at least one of a plurality of data processing modes to process (e.g., encrypt, decrypt, format, etc.) data in the data path. [0030] The mode generator determines a data processing mode, and generates a mode control signal according to the logic address and the write/read control. The mode control signal is further used by the multi-mode data processing unit 304 to generate processed data according to at least one data processing method.)
receive a first write request to write first data into a memory, the first write request comprising a first indicator indicating that the encryption path should be used; (Debout, [0034] During a memory write cycle, the demultiplexer 402 provides the input data to at least one of the plurality of data processing units (DPU) 412, 414 and 416. The data processing unit generates processed data (i.e., encrypted or formatted payload data), at least one of which is selected by the multiplexer 404 as an output to the memory controller 210.)
encrypt the first data using the encryption engine before storing the first data in the memory; (Debout, [0037] In one embodiment, the data processing unit encrypts input data to payload data using a data encryption method based on a key, a logic address or the write/read mode.  [0025] During a memory write cycle, input data is preprocessed prior to being transmitted to and stored in the memory 240.)
receive a second write request to write second data into the memory, the second write request comprising a second indicator indicating that the bypass path should be used; and (Debout [0030] The mode control signal is further used by the multi-mode data processing unit 304 to generate processed data according to at least one data processing method.)
store the second data in the memory using the bypass path, wherein the bypass path bypasses the encryption engine (Debout, [0035] In one embodiment, the data processing unit is based on a bypass method where a direct data path is formed between the CPU core 202 and the memory 240. Input data of its original format (i.e., in plain text) are directly stored in or retrieved from the memory.)

Regarding claim 2, Debout teaches
the system of claim 1, wherein the memory controller is configured to, after performing the first write request: (Debout, [0031] In particular, during the memory write or read processes, the mode control signal configures the multi-mode data processing unit to encrypt/format the data from the host side or to decrypt/reformat the encrypted/formatted payload data from the interface side, respectively. Hence, the mode control signal generated by the mode generator 318 effectively selects a data path which can be either direction between the host side and the interface side.)
receive a first read request to read the first data from the memory, the first read request comprising the second indicator indicating that the bypass path should be used; and (Debout, [0034] During a memory read cycle, the demultiplexer 408 is coupled to receive a plurality of input data (i.e., encrypted/formatted payload data) stored in the memory, and provide the payload data to at least one of the plurality of data processing units 418, 420 and 422.)
retrieve the first data from the memory using the bypass path so that the first data remains encrypted (Debout, [0035] In one embodiment, the data processing unit is based on a bypass method where a direct data path is formed between the CPU core 202 and the memory 240. Input data of its original format (i.e., in plain text) are directly stored in or retrieved from the memory.)

Regarding claim 3, Debout teaches
the system of claim 2, wherein the memory controller is configured to, after performing the first read request: 
receive a third write request to write the first data to the memory, the second write request comprising the second indicator indicating that the bypass path should be used, and 
wherein the first data is encrypted; and store the first data in the memory using the bypass path (Debout, [0035] In one embodiment, the data processing unit is based on a bypass method where a direct data path is formed between the CPU core 202 and the memory 240. Input data of its original format (i.e., in plain text) are directly stored in or retrieved from the memory.) (Examiner Note: Original format can be data in any format, e.g. that has been previously encrypted.)

Regarding claim 4, Debout teaches
the system of claim 3, wherein the memory controller is configured to, after performing the third write request: 
receive a second read request to read the first data from the memory, the first read request comprising the first indicator indicating that the encryption path should be used; and (Debout, [0034] During a memory read cycle, the demultiplexer 408 is coupled to receive a plurality of input data (i.e., encrypted/formatted payload data) stored in the memory, and provide the payload data to at least one of the plurality of data processing units 418, 420 and 422.  [0026] During a memory read cycle, payload data (i.e., input data) is post-processed after being extracted from the memory 240)
decrypt the first data using the encryption engine in the encryption path (Debout [0032] A data stream may comprise a sequence of input data associated with different data processing modes, and therefore, input data in the sequence may be associated with different data paths.)  (Examiner Note: the mode control signal, [0030]-[0031], for data processing is not stateful (that is, it does not depend on past events), similar to the claim’s first and second reads, which use independent modes — the first read uses encryption and the second read uses bypass.)

Regarding claim 5, Debout teaches
the system of claim 3, wherein, when performing the first and third write requests, the first data is written into the memory using a same physical address as specified in the first and third write requests (Debout [0030] In accordance with the write/read control, input data may be data from a host side (e.g., the CPU core 206) or payload data from an interface side (e.g., the memory 240). The system 300 comprises of a mode generator 318, an address translator 302, and a multi-mode data processing unit 304. The address translator directly translates the logic address to at least one physical address. The mode generator determines a data processing mode, and generates a mode control signal according to the logic address and the write/read control.  [0025]  The memory controller 210 stores the payload data as specified in the physical address in the memory 240.  [0041] A physical address may be associated with more than one logical address, and thus, different data processing methods are applicable to the content at the physical address.)

	Claims 10-14 are method claims for the system claims 1-5 and are rejected for the same reasons as claims 1-5.

	Claims 15-19 are memory controller claims for the system claims 1-5 and are rejected for the same reasons as claims 1-5.

Regarding claim 20, Debout teaches
the memory controller of claim 15, wherein the first and second indicators correspond to different base address registers (BARs) (Debout [0030] The mode control signal is further used by the multi-mode data processing unit 304 to generate processed data according to at least one data processing method. In certain embodiment, one data processing mode may relate to more than one data processing method, and result in more than one processed data and more than one physical address.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 6 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Debout (2014/0101459) in view of Khosravi (2021/0200880).

Regarding claim 6, Debout teaches
the system of claim 1, wherein encrypting the first data (Debout, [0020] methods of programming a data path at the microcontroller interface by selecting at least one of a plurality of data processing modes to process (e.g., encrypt, decrypt, format, etc.))
Debout does not teach using an encryption key derived from a combination of a static portion and a dynamic portion.
However, Khosravi teaches that encrypting using the encryption engine is performed using an encryption key derived from a combination of a static portion and a dynamic portion (Khosravi [0049] But, if the range lookup 208 determines that KeyID 202 selects a derived key, then KeyID 202 is used as an indexes into selector 214 to select the correct Key Split, which, together with root key 210, is fed into a key derivation function, KDF 212, to derive the corresponding encryption key.) (Examiner Note: the root key is static and the selector is dynamic; the combination is used to derive the encryption key.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have combined Khosravi’s key derivation function with Debout’s encryption key because doing so improves key storage (Khosravi [0036] Disclosed embodiments of the invention provide a method to derive the encryption keys required for MKTME dynamically/on-the-fly, rather than to store the keys in a cache. Disclosed embodiments thus provide an advantage of addressing this hardware cache/die size/cost issue, without sacrificing performance.).

Regarding claim 9, Debout and Khosravi teach
the system of claim 6, wherein the encryption key is stored in the processor and is not readable by any entity external to the processor.  Debout teaches key storage inside a secure microcontroller with the key storage not readable by external means. (Debout, see Fig. 2. [0023] The secure microcontroller 220 comprises a CPU core 206, an encryption and integrity protection block 208, a memory controller 210, a key storage 212 and buses for data, addresses and keys.)  (Examiner Note: all use of the key occurs within the secure microcontroller; that is, the encryption/decryption block is within the secure microcontroller and the block is addressed by the internal CPU, therefore no external entity can read the encryption key.)  Khosravi teaches a protected domain for the key table (Khosravi [0067] A “platform configuration” (PCONFIG) instruction can be used to define and/or configure a protected domain by programming a new entry—or modifying an existing entry—in a domain key table of a memory protection controller (e.g., key tables, such as 204 and 206 of FIG. 2)).

Claims 7 and 8 are rejected under 35 U.S.C. 103 as being unpatentable over Debout (2014/0101459) in view of Khosravi (2021/0200880) in view of Mondello (2020/0313911).

Regarding claim 7, Debout and Khosravi teach
the system of claim 6.
Debout and Khosravi do not teach that the static portion is an ID assigned to the processor during manufacturing.
However, Mondello teaches that the static portion is an ID assigned to the processor during manufacturing (Mondello [0289] For example, the initial key is present in a chip due to being injected in a factory or other secure environment.)
Mondello teaches a key derivation function (KDF).  Khosravi teaches a key derivation function.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Khosravi’s key derivation function’s use of a root key with Mondello’s factory-injected key ID because doing so improves the uniqueness of the identity used by the KDF to form the encryption key (Mondello [0380] A unique identifier (UID) 2001 is stored in memory of computing device 141. For example, UID 2001 is injected at the factory.).

Regarding claim 8, Debout, Khosravi and Mondello teach
the system claim 7, wherein the dynamic portion is derived from a physical address specified in the first write request (Khosravi, [0056]  In some embodiments, as here, opcode 302 indicates the processor is to use the source location 306 (e.g., an address) to determine, for example by using range lookup 208, whether to use an explicit key, in which case the processor is to use keyID 308 to select a cryptographic key among the multiple full encryption keys, for example full-encryption-key storage 206 (FIG. 2)).
Khosravi is combined with Debout for the same reasons as claim 6, as part of the key derivation function used to form the encryption key.
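The following Python model is an added illustration and is not code from the application, from Debout, Khosravi or Mondello, or from this Office action. It models the memory controller of claims 1-5 (an encryption path and a bypass path selected per request by an indicator) together with the key derivation of claims 6-8 (a key derived from a static portion, here an assumed factory-injected device ID, and a dynamic portion, the physical address of the access). HMAC-SHA256 stands in for the KDF and an HMAC-based keystream stands in for the encryption engine; a real engine would use a block cipher with the address as tweak. The indicator labels, the device ID and the payload bytes are constructed for the example.

```python
import hashlib
import hmac

# Indicator values carried by a request (constructed labels; the claims only
# speak of a "first indicator" and a "second indicator").
USE_ENCRYPTION_PATH = "encrypt"
USE_BYPASS_PATH = "bypass"


class EncryptionEngine:
    """Stand-in for the encryption engine in the controller's encryption path.

    The per-access key is KDF(static portion, dynamic portion): the static
    portion is an assumed factory-injected device ID and the dynamic portion is
    the physical address being written or read. HMAC-SHA256 plays the KDF and
    an HMAC keystream XORed with the data plays the cipher (toy substitutes).
    """

    def __init__(self, static_portion: bytes) -> None:
        self._static_portion = static_portion

    def derive_key(self, phys_addr: int) -> bytes:
        dynamic_portion = phys_addr.to_bytes(8, "big")
        return hmac.new(self._static_portion, dynamic_portion, hashlib.sha256).digest()

    def _keystream(self, key: bytes, length: int) -> bytes:
        blocks = []
        counter = 0
        while sum(len(b) for b in blocks) < length:
            blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
            counter += 1
        return b"".join(blocks)[:length]

    def encrypt(self, phys_addr: int, data: bytes) -> bytes:
        key = self.derive_key(phys_addr)
        return bytes(a ^ b for a, b in zip(data, self._keystream(key, len(data))))

    def decrypt(self, phys_addr: int, data: bytes) -> bytes:
        # XOR stream construction: decryption is the same operation as encryption.
        return self.encrypt(phys_addr, data)


class MemoryController:
    """Memory controller with an encryption path and a bypass path."""

    def __init__(self, engine: EncryptionEngine, size: int = 256) -> None:
        self._engine = engine
        self._memory = bytearray(size)

    def write(self, phys_addr: int, data: bytes, indicator: str) -> None:
        if indicator == USE_ENCRYPTION_PATH:
            data = self._engine.encrypt(phys_addr, data)
        # Bypass path: the data is stored exactly as presented, whether it is
        # plaintext or ciphertext that was earlier read out through the bypass path.
        self._memory[phys_addr:phys_addr + len(data)] = data

    def read(self, phys_addr: int, length: int, indicator: str) -> bytes:
        raw = bytes(self._memory[phys_addr:phys_addr + length])
        if indicator == USE_ENCRYPTION_PATH:
            return self._engine.decrypt(phys_addr, raw)
        return raw  # bypass path: stored ciphertext stays ciphertext


def claims_1_to_5_sequence(addr: int = 0x40, other: int = 0x20) -> dict:
    """Run the write/read sequence of claims 1-5 and return each step's result."""
    mc = MemoryController(EncryptionEngine(b"DEVICE-ID-0001"))  # constructed device ID
    plaintext = b"secret payload"
    mc.write(addr, plaintext, USE_ENCRYPTION_PATH)                  # claim 1: first write
    mc.write(other, b"plain data", USE_BYPASS_PATH)                 # claim 1: second write
    ciphertext = mc.read(addr, len(plaintext), USE_BYPASS_PATH)     # claim 2: first read
    mc.write(addr, ciphertext, USE_BYPASS_PATH)                     # claims 3/5: third write, same address
    recovered = mc.read(addr, len(plaintext), USE_ENCRYPTION_PATH)  # claim 4: second read
    second = mc.read(other, 10, USE_BYPASS_PATH)
    return {"plaintext": plaintext, "ciphertext": ciphertext,
            "recovered": recovered, "second_data": second}


def relocated_ciphertext_does_not_decrypt(src: int = 0x40, dst: int = 0x80) -> bool:
    """With the physical address as the dynamic key portion (claim 8), ciphertext
    written back through the bypass path at a different address no longer decrypts."""
    mc = MemoryController(EncryptionEngine(b"DEVICE-ID-0001"))
    plaintext = b"secret payload"
    mc.write(src, plaintext, USE_ENCRYPTION_PATH)
    ciphertext = mc.read(src, len(plaintext), USE_BYPASS_PATH)
    mc.write(dst, ciphertext, USE_BYPASS_PATH)
    return mc.read(dst, len(plaintext), USE_ENCRYPTION_PATH) != plaintext


if __name__ == "__main__":
    result = claims_1_to_5_sequence()
    print("ciphertext via bypass:", result["ciphertext"].hex())
    print("recovered via encryption path:", result["recovered"])
    print("relocated ciphertext rejected:", relocated_ciphertext_does_not_decrypt())
```

The second function shows why deriving the dynamic portion from the physical address matters as a design choice: ciphertext read out through the bypass path is bound to the location it was written to, so re-storing it elsewhere through the bypass path yields data the encryption path cannot decrypt.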

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Li, 2020/0402426, discloses methods for encrypting and decrypting data and a bypass flag.
Powell, 2017/0277898, teaches secure key management.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRUCE S ASHLEY whose telephone number is (571)270-0315. The examiner can normally be reached 9-5 PDT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jay Kim can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRUCE S ASHLEY/               Examiner, Art Unit 2494