DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is responsive to the application filed 26 June 2020.
Claims 1-20 are pending and have been presented for examination.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-5, 8-12 and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over BHANDARI (U.S. Patent Application Publication #2019/0087368) in view of DURHAM (U.S. Patent Application Publication #2022/0019698).

1. BHANDARI discloses A method comprising: receiving, by a processing device from a first virtual machine, a memory access request comprising a first memory address (see [0052]-[0055]: a request from a virtual machine executing on the intermediate hypervisor); translating the first memory address to a second memory address using a first page table associated with the first virtual machine (see [0041]-[0044]: in a nested virtualization system, the request that is sent to the intermediate hypervisor is translated using the stage 2 page table), the first page table indicating whether memory of the first virtual machine is encrypted (see DURHAM below); determining, by the processing device, that the first virtual machine is nested within a second virtual machine (see [0044]: intermediate hypervisor {2} is subject to and commanded by the primary hypervisor {1}); and in response to determining that the first virtual machine is nested within the second virtual machine, translating, by the processing device, the second memory address to a third memory address using a second page table associated with the second virtual machine (see [0041]-[0044]: the address translation result from the stage 2 page table is used in the stage 1 page table; [0053]: the translation obtained from the stage 2 page table is used in a subsequent stage of translation), the second page table indicating whether memory of the second virtual machine is encrypted (see DURHAM below).
DURHAM discloses the following elements that are not disclosed by BHANDARI: the first page table indicating whether memory of the first virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not) and the second page table indicating whether memory of the second virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not).  The use of memory encryption protects guest VM workloads from attacks (see [0069]).  Additionally, DURHAM discloses the use of a VM agent to operate within the key domain of a guest VM.  This is analogous to nesting, as one VM is operating inside another VM.  Since DURHAM also discloses a nested virtualization environment, the use of key domains and encryption indicators disclosed by DURHAM would be able to be integrated into BHANDARI by one of ordinary skill in the art.
	It would have been obvious, before the effective filing date of the claimed invention, to a person having ordinary skill in the art to which said subject matter pertains to modify BHANDARI to provide an indication that memory of a virtual machine is encrypted, as disclosed by DURHAM.  One of ordinary skill in the art would have been motivated to make such a modification to protect guest VM workloads from attack, as taught by DURHAM.  BHANDARI and DURHAM are analogous/in the same field of endeavor as both references are directed to virtual machines and associated memory management.

2. The method of claim 1, wherein determining that the first virtual machine is nested within the second virtual machine comprises determining that a context of the first virtual machine comprises a parent context pointer for the second virtual machine (see BHANDARI [0044]: hypervisor 2 operates under the control of hypervisor 1, this is interpreted as a parent-child relationship).

3. The method of claim 1, further comprising: obtaining a first encryption key associated with the first virtual machine for encryption of a page of memory associated with the second memory address in view of the first page table indicating that the second memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

4. The method of claim 1, further comprising: obtaining an encryption key associated with the second virtual machine in view of the first page table indicating that the second memory address is not encrypted and the second page table indicating that the third memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

5. The method of claim 1, further comprising: receiving a page fault associated with translating the second memory address to the third memory address; in response to receiving the page fault, switching to a context of the second virtual machine; and updating the second page table with a mapping of the second memory address to the third memory address (see BHANDARI [0054]-[0056]: page table walk is the result of a miss in the translation structure; the hypervisor {1} manages a system page table, this system page table translates the output of the stage 1 page table to a system physical address {third address}).
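
The two-stage translation and key selection recited in claims 1-4 can be sketched as a toy model. This is an added illustration, not code from the application, BHANDARI or DURHAM; the single-level tables, the `PTE_ENC` flag, the `vm_ctx` layout and the sample key numbers are all assumptions, and the fault level it reports is only the point at which the handling recited in claim 5 would begin.

```c
#include <stddef.h>
#include <stdint.h>

#define PAGE_SHIFT  12
#define PAGE_MASK   ((1u << PAGE_SHIFT) - 1)
#define NPAGES      4
#define PTE_PRESENT 0x1u
#define PTE_ENC     0x2u            /* assumed flag: mapped memory is encrypted */

struct pte { uint32_t frame; uint32_t flags; };

struct vm_ctx {
    struct pte pt[NPAGES];          /* toy single-level page table */
    int key_id;                     /* encryption key associated with this VM */
    struct vm_ctx *parent;          /* parent context pointer: non-NULL means nested */
};

/* Result: final address, key to use (0 = none), stage that faulted (0 = none). */
struct xlate { uint32_t addr; int key_id; int fault_level; };

/* One translation stage; returns 0 on success, -1 if the page is not mapped. */
static int stage(const struct vm_ctx *vm, uint32_t in, uint32_t *out, int *enc)
{
    uint32_t vpn = in >> PAGE_SHIFT;
    if (vpn >= NPAGES || !(vm->pt[vpn].flags & PTE_PRESENT))
        return -1;
    *out = (vm->pt[vpn].frame << PAGE_SHIFT) | (in & PAGE_MASK);
    *enc = (vm->pt[vpn].flags & PTE_ENC) != 0;
    return 0;
}

struct xlate translate(const struct vm_ctx *vm, uint32_t first)
{
    struct xlate r = { 0, 0, 0 };
    uint32_t second = 0, third = 0;
    int enc1 = 0, enc2 = 0;

    if (stage(vm, first, &second, &enc1)) { r.fault_level = 1; return r; }
    r.addr = second;
    if (enc1) r.key_id = vm->key_id;            /* first table marks it encrypted */

    if (vm->parent) {                           /* nested: walk the second table */
        if (stage(vm->parent, second, &third, &enc2)) { r.fault_level = 2; return r; }
        r.addr = third;
        if (!enc1 && enc2)                      /* only the second table marks it */
            r.key_id = vm->parent->key_id;
    }
    return r;
}

/* Constructed sample: VM "inner" (key 3) nested inside VM "outer" (key 7). */
struct xlate demo(uint32_t first)
{
    static struct vm_ctx outer = { .key_id = 7, .parent = NULL,
        .pt = { [2] = {1, PTE_PRESENT}, [3] = {0, PTE_PRESENT | PTE_ENC} } };
    static struct vm_ctx inner = { .key_id = 3, .parent = &outer,
        .pt = { [0] = {2, PTE_PRESENT | PTE_ENC}, [1] = {3, PTE_PRESENT},
                [3] = {1, PTE_PRESENT} } };
    return translate(&inner, first);
}
```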

8. BHANDARI discloses A system comprising: a memory; and a processing device operatively coupled to the memory (see [0073]-[0074], [0077]: processing circuitry and system memory), the processing device to: receive, from a first virtual machine, a memory access request comprising a first memory address (see [0052]-[0055]: a request from a virtual machine executing on the intermediate hypervisor); translate the first memory address to a second memory address using a first page table associated with the first virtual machine (see [0041]-[0044]: in a nested virtualization system, the request that is sent to the intermediate hypervisor is translated using the stage 2 page table), the first page table indicating whether the memory of the first virtual machine is encrypted (see DURHAM below); determine that the first virtual machine is nested within a second virtual machine (see [0044]: intermediate hypervisor {2} is subject to and commanded by the primary hypervisor {1}); and in response to determining that the first virtual machine is nested within the second virtual machine, translate the second memory address to a third memory address using a second page table associated with the second virtual machine (see [0041]-[0044]: the address translation result from the stage 2 page table is used in the stage 1 page table; [0053]: the translation obtained from the stage 2 page table is used in a subsequent stage of translation), the second page table indicating whether the memory of the second virtual machine is encrypted (see DURHAM below).
DURHAM discloses the following elements that are not disclosed by BHANDARI: the first page table indicating whether memory of the first virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not) and the second page table indicating whether memory of the second virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not).  The use of memory encryption protects guest VM workloads from attacks (see [0069]).  Additionally, DURHAM discloses the use of a VM agent to operate within the key domain of a guest VM.  This is analogous to nesting, as one VM is operating inside another VM.  Since DURHAM also discloses a nested virtualization environment, the use of key domains and encryption indicators disclosed by DURHAM would be able to be integrated into BHANDARI by one of ordinary skill in the art.
	It would have been obvious, before the effective filing date of the claimed invention, to a person having ordinary skill in the art to which said subject matter pertains to modify BHANDARI to provide an indication that memory of a virtual machine is encrypted, as disclosed by DURHAM.  One of ordinary skill in the art would have been motivated to make such a modification to protect guest VM workloads from attack, as taught by DURHAM.  BHANDARI and DURHAM are analogous/in the same field of endeavor as both references are directed to virtual machines and associated memory management.

9. The system of claim 8, wherein to determine that the first virtual machine is nested within the second virtual machine the processing device is to determine that a context of the first virtual machine comprises a parent context pointer for the second virtual machine (see BHANDARI [0044]: hypervisor 2 operates under the control of hypervisor 1, this is interpreted as a parent-child relationship).

10. The system of claim 8, wherein the processing device is further to: obtain an encryption key associated with the first virtual machine for encryption of a page of memory associated with the second memory address in view of the first page table indicating that the second memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

11. The system of claim 8, wherein the processing device is further to: obtain an encryption key associated with the second virtual machine in view of the first page table indicating that the first memory address is not encrypted and the second page table indicating that the third memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

12. The system of claim 8, wherein the processing device is further to: receive a page fault associated with translating the second memory address to the third memory address: in response to receiving the page fault, switch to a context of the second virtual machine; and update the second page table with a mapping of the second memory address to the third memory address (see BHANDARI [0054]-[0056]: page table walk is the result of a miss in the translation structure; the hypervisor {1} manages a system page table, this system page table translates the output of the stage 1 page table to a system physical address {third address}).

15. BHANDARI discloses A non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to (see [0076]-[0077]: computer readable storage media; [0072]: program modules stored in system memory, which includes computer readable storage media): receive, by the processing device from a first virtual machine, a memory access request comprising a first memory address (see [0052]-[0055]: a request from a virtual machine executing on the intermediate hypervisor); translate the first memory address to a second memory address using a first page table associated with the first virtual machine (see [0041]-[0044]: in a nested virtualization system, the request that is sent to the intermediate hypervisor is translated using the stage 2 page table), the first page table indicating whether memory of the first virtual machine is encrypted (see DURHAM below); determine, by the processing device, that the first virtual machine is nested within a second virtual machine (see [0044]: intermediate hypervisor {2} is subject to and commanded by the primary hypervisor {1}); and in response to determining that the first virtual machine is nested within a second virtual machine, translate, by the processing device, the second memory address to a third memory address using a second page table associated with the second virtual machine (see [0041]-[0044]: the address translation result from the stage 2 page table is used in the stage 1 page table; [0053]: the translation obtained from the stage 2 page table is used in a subsequent stage of translation), the second page table indicating whether memory of the second virtual machine is encrypted (see DURHAM below).
DURHAM discloses the following elements that are not disclosed by BHANDARI: the first page table indicating whether memory of the first virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not) and the second page table indicating whether memory of the second virtual machine is encrypted (see [0186]-[0191]: unused physical address bits can be used to select between different key domains, the k-bit can be set to indicate whether data being accessed by the translation is encrypted or not).  The use of memory encryption protects guest VM workloads from attacks (see [0069]).  Additionally, DURHAM discloses the use of a VM agent to operate within the key domain of a guest VM.  This is analogous to nesting, as one VM is operating inside another VM.  Since DURHAM also discloses a nested virtualization environment, the use of key domains and encryption indicators disclosed by DURHAM would be able to be integrated into BHANDARI by one of ordinary skill in the art.
	It would have been obvious, before the effective filing date of the claimed invention, to a person having ordinary skill in the art to which said subject matter pertains to modify BHANDARI to provide an indication that memory of a virtual machine is encrypted, as disclosed by DURHAM.  One of ordinary skill in the art would have been motivated to make such a modification to protect guest VM workloads from attack, as taught by DURHAM.  BHANDARI and DURHAM are analogous/in the same field of endeavor as both references are directed to virtual machines and associated memory management.

16. The non-transitory computer-readable storage medium of claim 15, wherein to determine that the first virtual machine is nested within the second virtual machine the processing device is to determine that a context of the first virtual machine comprises a parent context pointer for the second virtual machine (see BHANDARI [0044]: hypervisor 2 operates under the control of hypervisor 1, this is interpreted as a parent-child relationship).

17. The non-transitory computer-readable storage medium of claim 15, wherein the processing device is further to: obtain a first encryption key associated with the first virtual machine for encryption of a page of memory associated with the second memory address in view of the first page table indicating that the second memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

18. The non-transitory computer-readable storage medium of claim 15, wherein the processing device is further to: obtain an encryption key associated with the second virtual machine in view of the first page table indicating that the second memory address is not encrypted and the second page table indicating that the third memory address is encrypted (see DURHAM [0187]: the unused address bits identify a key domain, the key domain has an associated encryption key for the address range).

19. The non-transitory computer-readable storage medium of claim 15, wherein the processing device is further to: receive a page fault associated with translating the second memory address to the third memory address: in response to receiving the page fault, switch to a context of the second virtual machine; and update the second page table with a mapping of the second memory address to the third memory address (see BHANDARI [0054]-[0056]: page table walk is the result of a miss in the translation structure; the hypervisor {1} manages a system page table, this system page table translates the output of the stage 1 page table to a system physical address {third address}).

Allowable Subject Matter
Claims 6-7, 13-14 and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to EDWARD J DUDEK JR whose telephone number is (571)270-1030. The examiner can normally be reached Monday - Friday, 8:00A-4:00P.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Charles Rones can be reached on 571-272-4085. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/EDWARD J DUDEK JR/
Primary Examiner, Art Unit 2136