Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
1.	Claims 1 and 20 have been amended. Claims 14 and 16-19 have been canceled. Claims 1-13, 15 and 20 have been examined.

2.	Applicant's arguments filed 03/29/2022 have been fully considered but they are not persuasive.

Claim Interpretation
3.	For claim 10, the phrase “at least one of” has been given the broadest, reasonable interpretation of only requiring a single element from the given list in order to satisfy the requirements of the limitation.

4.	In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

5.	The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.


Claim Rejections - 35 USC § 103
6.	Claims 1-2, 5, 7-8, 11-12, 15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra (U.S. Patent 10,601,590), and further in view of Costa (U.S. Patent Application Publication 2018/0212966).

	For claim 1, Chhabra teaches an apparatus comprising:
	secure enclave circuitry (note column 2, lines 46-53 and 62-67, trusted execution environment (TEE), i.e. secure enclave, may comprise an embedded processor);
	processing circuitry (note column 9, lines 64-66, processing device) to execute computer program instructions (note column 10, lines 9-11 and 31-34, processing device executes instructions for storing secrets in HSM for use in protected function in TEE), wherein:
		the computer program instructions correspond to an operation comprising:
	accessing a cryptographic key stored in a hardware security module (note column 3, lines 33-38, hardware security module (HSM) stores secret key which is accessed for use by TEE); and
		wherein executing the computer program instructions comprises transmitting, to the secure enclave circuitry, computer program instructions corresponding to said operation (note column 7, lines 32-45, processing logic receives an invocation command requesting execution of a protected function in the TEE; column 2, lines 62-65, protected function includes code written and stored in TEE),
	the secure enclave circuitry being configured to:
	initiate communication with the hardware security module (note column 7, line 66 through column 8, line 4, TEE requests secret from HSM);
	perform, with the hardware security module, an attestation process with respect to said operation (note column 6, lines 37-42 and 50-67, attestation process for protected function is performed with HSM resulting in credentials; column 7, lines 51-67, TEE includes credentials with request for secret stored in HSM);
	execute said operation (note column 8, lines 10-14, TEE executes protected function using secret from HSM).

	Chhabra differs from the claimed invention in that they fail to teach:
	the secure enclave circuitry is configured to:
	block external transmission, to entities other than the hardware security module, of secure data associated with said operation.

	Costa teaches:
	the secure enclave circuitry is configured to:
	block external transmission, to entities other than the hardware security module, of secure data associated with said operation (note paragraph [0180], [0220] and [0222], a key stored inside of enclave is never released to any client outside the key vault enclave; received key use policy restricts use to requests from requestors that are authenticated via attestation).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and key use key vault policy of Costa. It would have been obvious because combining prior art elements would yield the predictable results of the TEE sending an attestation response to a HSM to access a stored secret (Chhabra) where the key use policy restricts the TEE from releasing the key or derived key to any entities other than the key vault enclave, i.e. HSM (Costa).


	For claim 20, the combination of Chhabra and Costa teaches a method comprising:
	initiating communication between a hardware security module and a secure enclave of a processing device (note column 7, line 66 through column 8, line 4 of Chhabra, TEE requests secret from HSM);
	performing, by the secure enclave and the hardware security module, an attestation process with respect to an operation to be performed by the secure enclave, said operation comprising accessing a cryptographic key stored in the hardware security module (note column 6, lines 37-42 and 50-67 of Chhabra, attestation process for protected function is performed with HSM resulting in credentials; column 7, lines 51-67 of Chhabra, TEE includes credentials with request for secret stored in HSM); and
	responsive to a successful outcome of the attestation process, performing said operation by the secure enclave, wherein the hardware security module facilitates performance of said operation (note column 8, lines 4-14 of Chhabra, if HSM is able to successfully verify credentials, HSM sends secret to TEE to use in executing the protected function);
	wherein the secure enclave circuitry blocks external transmission, to entities other than the hardware security module, of secure data associated with said operation (note paragraph [0180], [0220] and [0222] of Costa, a key stored inside of enclave is never released to any client outside the key vault enclave; received key use policy restricts use to requests from requestors that are authenticated via attestation).


	For claim 2, the combination of Chhabra and Costa teaches claim 1, wherein the attestation process is based on said computer program instructions corresponding to said operation (note column 6, lines 50-52 and 58-61 of Chhabra, attestation is based on function code measurement of protected function).

	For claim 5, the combination of Chhabra and Costa teaches claim 1, wherein the secure enclave circuitry is configured to, as part of the attestation process:
	receive an attestation challenge from the hardware security module (note column 6, lines 37-42 of Chhabra, TEE receives attestation challenge from HSM); and
	responsive to receiving said challenge, transmit an attestation response to the hardware security module (note column 7, lines 5-10 of Chhabra, TEE sends attestation result to HSM).

	For claim 7, the combination of Chhabra and Costa teaches claim 5, wherein the attestation response comprises data indicative of said operation (note column 6, lines 50-52 and 58-61 of Chhabra, attestation response is based on function code measurement of protected function).

	For claim 8, the combination of Chhabra and Costa teaches claim 7, wherein the data indicative of said operation comprises a cryptographic hash of at least a subset of said computer program instructions corresponding to said operation (note column 6, lines 50-52 and 58-61 of Chhabra, attestation operation includes hash on code of protected function).

	For claim 11, the combination of Chhabra and Costa teaches claim 1, wherein the secure enclave circuitry is configured to establish a secure communication channel for communicating with the hardware security module (note column 8, lines 48-55 of Chhabra, TEE sends attestation result with request to establish secure communication channel with HSM).

	For claim 12, the combination of Chhabra and Costa teaches claim 11, wherein the secure enclave circuitry is configured to perform said establishing of the secure communication channel as part of the attestation process (note column 6, lines 43-49 of Chhabra, TEE generates session key pair for secure communication channel as part of attestation process).

	For claim 15, the combination of Chhabra and Costa teaches claim 1, wherein the secure enclave circuitry is configured to transmit to the processing circuitry an output of said operation (note column 8, lines 15-17 of Chhabra, TEE provides result of operation of protected function to the requestor).


7.	Claims 3-4 are rejected under 35 U.S.C. 103 as being unpatentable over as the combination of Chhabra and Costa applied to claim 1 above, and further in view of Maor et al. (U.S. Patent Application Publication 2021/0200882; hereafter “Maor”).
	For claim 3, the combination of Chhabra and Costa differs from the claimed invention in that they fail to teach:
	wherein the secure enclave circuitry is configured to validate said operation.

	Maor teaches:
	wherein the secure enclave circuitry is configured to validate said operation (note paragraph [0032], policy manager of TEE verifies requested cryptographic operations against a TEE policy database).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and the TEE verifying operations against a policy database of Maor. One of ordinary skill would have been motivated to combine Chhabra, Cota and Maor because it would allow the TEE to accept or reject cryptographic operations involving valuable data based on a policy (note paragraphs [0005]-[0006] of Maor) before the HSM verifies a received attestation that the protected function operations are valid.
	It would have been further obvious because combining prior art elements would yield the predictable results of the TEE verifying protected functions conform to a policy (Maor) before the HSM verifies that the attestation of the protected function is valid (Chhabra).


	For claim 4, the combination of Chhabra, Costa and Maor teaches claim 3, wherein the secure enclave circuitry is configured to perform said validating by confirming that said operation satisfies a security policy (note paragraph [0032] of Maor, policy manager of TEE verifies requested cryptographic operations against a TEE policy database).


8.	Claims 6 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Chhabra and Costa as applied to claims 1 and 5 above, and further in view of Sibert et al. (U.S. Patent Application Publication 2020/0159966; hereafter “Sibert”).
	For claim 6, the combination of Chhabra and Costa differs from the claimed invention in that they fail to teach:
	wherein the attestation challenge comprises random data generated by the hardware security module.

	Sibert teaches:
	wherein the attestation challenge comprises random data generated by the hardware security module (note paragraph [0036], attestation challenge includes random data).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and attestation challenge including random data of Sibert. One ordinary skill would have been motivated to combine Chhabra, Costa and Sibert because including random data in an attestation challenge would prevent potential replay attack (note paragraph [0036] of Sibert)


	For claim 9, the combination of Chhabra, Costa and Sibert teaches claim 5, wherein the attestation response comprises data indicative of the attestation challenge (note paragraph [0054] of Sibert, attestation response includes signed attestation challenge).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and attestation response including a signed attestation challenge of Sibert. It would have been obvious because combining prior art elements would yield the predictable results of the TEE sending an attestation response to a HSM to access a stored secret (Chhabra) where the attestation response includes a signed attestation challenge for verification (Sibert).


	For claim 10, the combination of Chhabra, Costa and Sibert teaches claim 1, wherein the secure enclave circuitry is configured to, as part of the attestation process, transmit to the hardware security module data indicative of at least one of a software identity and a software instance identity corresponding to said operation (note paragraph [0054] of Sibert, attestation response includes certificate including application identifier).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and attestation response including a certificate of Sibert. 	It would have been obvious because combining prior art elements would yield the predictable results of the TEE sending an attestation response to a HSM to access a stored secret (Chhabra) where the attestation response includes a certificate of the protected function including an application identifier (Sibert).


9.	Claim 13 is rejected under 35 U.S.C. 103 as being unpatentable over the combination of Chhabra and Costa as applied to claim 11 above, and further in view of Chhabra et al. (U.S. Patent Application Publication 2016/0380985; hereafter ‘985).
	For claim 13, the combination of Chhabra and Costa, teaches claim 11, wherein:
	as part of establishing the secure communication channel, the secure enclave circuitry is configured to determine an ephemeral public key associated with the secure communication channel (note column 6, lines 43-49 of Chhabra, TEE generates session key pair for secure communication channel as part of attestation process including session public key);

	The combination of Chhabra and Costa differs from the claimed invention in that they fail to teach:
	the secure enclave circuitry is configured to terminate the secure communication channel responsive to conclusion of execution of said operation.

	‘985 teaches:
	the secure enclave circuitry is configured to terminate the secure communication channel responsive to conclusion of execution of said operation (note paragraphs [0052]-[0055], after subsequent enclave application output finishes, i.e. conclusion of execution of said operation, the encrypted channel session is torn down and terminated).

	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the attestation of TEE operations by a HSM of Chhabra and the tearing down of a secure channel after operation finishes of ‘985. 	It would have been obvious because combining prior art elements would yield the predictable results of the TEE and HSM communicated over a secure channel during protected function operation (Chhabra) where the secure channel is terminated when protected function operation finishes (‘985).


Response to Arguments
10.	For claims 1 and 20, Applicant argues, “the combination of Chhabra and Costa, even if it could be made for the sake of argument, fails to disclose or suggest multiple features recited in claim 1. Corresponding features are recited in independent claim 20. The obvious rejections based on Chhabra and Costa are improper and should be withdrawn” (note Remarks, pages 6-8).
	Examiner disagrees. As noted in the rejection above, Chhabra discloses a trusted execution environment (TEE), i.e. secure enclave, that executes a protected function using a secret received from a HSM (note Fig. 1 and column 2, lines 42-53). During processing, TEE possesses various keys and other “secure data associated with” the protected function (note column 3, lines 4-11 – permanent secrets and derived secrets; column 5, lines 57-67 – session key pair and derived keys).
	Costa discloses an enclave system that may include a TEE and a HSM (note paragraphs [0002]-[0003]). Costa further discloses a key use policy where in some embodiments, the enclave blocks external transmission of the keys to entities external to the enclave (note paragraph [0180] – “a vault-locked key, whereby a key stored inside a key vault is never released to any client outside the key vault, and in some cases the vault-locked key may only ever exist as stored inside (or possibly sealed to) the key vault enclave”; paragraph [0220] – “an example use of vault-locked key, whereby all key operations are performed with the key vault enclave and the key is never provided to a vault client. Further, the new key in this example may never exist outside the key vault enclave”; paragraph [0222] – “The received key use policy may restrict some or all uses of the new key to requests from requestors that are authenticated via software attestation”).
	A combination of Chhabra and Costa, would therefore disclose a system where a TEE generates session keys, receives a stored secret key, and derives other keys while performing operations (Chhabra) and a key use policy restricts the TEE from releasing the stored keys or derived keys to any entities other than the key vault enclave, i.e. entities other than HSM (Costa). It would have been obvious to one of ordinary skill before the effective filing date of the claimed invention to combine Chhabra and Costa because a TEE that enforces a key use policy for the keys it possesses would be a predictable result of the combination.
	Therefore, the combination of Chhabra and Costa teaches “wherein the secure enclave circuitry blocks external transmission, to entities other than the hardware security module, of secure data associated with said operation” as required by the claims.


	Applicant notes, “The reliance on the Maor reference requires clarification since Maor is not included in the rejection of claim 14 or claim 1. Maor is cited only in the context of the rejection of claims 3 and 4 as allegedly being unpatentable over Chhabra view of Maor” (note Remarks, page 6).
	Maor was not relied upon in the rejection of claim 14 in the office action dated 12/29/2021. The recitation of the “Maor” in the rationale of the 35 USC 103 rejection was a typographical error resulting from copying and pasting some text from a prior rationale. The typographical error has been corrected in the current office action. The substance of the rationale remains the same: Chhabra discloses a TEE sending an attestation response to a HSM to access a stored secret and the combination of the TEE with a key use policy of Costa would yield a predictable result.


	Applicant argues, “The claimed secure enclave circuitry is configured to block external transmission of secure data to entities other than the hardware security module. In contrast, Costa's key use policy is policed by the key vault and not secure enclave circuitry which is separate from the key vault. Also, the OA maps Chhabra's trusted execution environment (TEE) 110 onto the claimed secure enclave which is separate from Chhabra's hardware security module 170” (note Remarks, page 6; emphasis added by Applicant).
	Examiner disagrees. Costa discloses an “enclave” that may include both a TEE and an HSM (note paragraphs [0002]-[0003]). As noted above, the TEE of Chhabra stores keys as part of performing a secure operation. Therefore, the TEE of Chhabra, i.e. secure enclave circuitry, when combined with a key vault enclave with a key use policy of Costa discloses a secure enclave configured to block external transmission to entities other than the HSM. Even though the TEE and HSM of Chhabra are separate elements, they are part of the same “enclave” in the context of Costa since the HSM stores a secret for the TEE and the TEE and HSM establish an authenticated session key for secure communication (note column 5, lines 59-67).


	Applicant further argues, “Accordingly, Costa discloses a key vault enclave that can be equated to the claimed hardware security module (HSM), and that the keys are securely held within that key vault enclave (HSM). The key is never provided to a vault client, where the vault client can be equated to the claimed secure enclave. Paragraph [0222] states that "decrypted data (in a decrypted data buffer) is sent to the vault client via the secure communications channel," however, there is no disclosure or suggestion that the vault client blocks external transmission, to entities other than the key vault enclave, of secure data associated with an operation executed at the vault client” (note Remarks, page 8).
	Examiner disagrees. Costa discloses an “enclave 176 may provide an isolated execution environment which may protect code or data” (note paragraph [0041]). This shows the “enclave” of Costa may be equated with the TEE of Chhabra which also is an isolated execution environment. As noted above, Costa discloses an “enclave” may include both a TEE and a HSM and a key use policy that blocks external transmission of keys to entities outside of the enclave. When the idea of a “key use policy” is applied to the TEE of Chhabra, the combination discloses a TEE with keys used in a secure operation (Chhabra) where the key use policy allows the TEE to send keys to other “enclave” components, i.e. HSM, and blocks external transmission of keys to any other entities (Costa).


Conclusion
11.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Smith et al. (U.S. Patent Application Publication 2016/0366141) teaches a key schedule and access control policy which sets key boundaries for outputs that may include a HSM and TEE (note paragraph [0048]).

12.	THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to DAVID J PEARSON whose telephone number is (571)272-0711. The examiner can normally be reached 6:00 - 5:30 pm; Monday through Thursday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi Arani can be reached on (571)272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/David J Pearson/Primary Examiner, Art Unit 2438