Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-8,11-15 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by US 20130013905 A1 (Held).
Regarding claim 1, Held teaches
	A computing device comprising: a main processor(fig 1:122; par 14 “One example system (computing platform) includes a processor complex that includes a processor and off-die nonvolatile memory, coupled to the processor.”); 
a firmware subsystem(fig 1:124; par 14 “The processor initialization module includes an initialization firmware verification module and the processor complex includes initialization firmware. The initialization firmware may be written in the Instruction Set Architecture (ISA) of the processor and may be stored in the off-die non-volatile memory.”);
a controller to control operation of the firmware subsystem of the computing device, wherein the controller is separate from the main processor of the computing device(fig 1:106,112; par 29 “In this embodiment, the microprocessor subsystem 112 is coupled to the processor complex 102 via the Platform Controller Hub (PCH) 106 and to the network 120 and remote agent 118 via the network port 116. The microprocessor subsystem 112 is configured to provide out-of-band communication. The out-of-band communication may be between microprocessor subsystem 112 and processor complex 102 and/or between system 100 and remote agent 118. For example, if verification of BIOS 134 fails, the microprocessor subsystem 112 ( and manageability engine firmware 138) may be configured to communicate OOB with remote agent 118 to retrieve an updated, verified BIOS from remote agent 118. Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”);
memory to store subsystem data that is useable by the controller, the subsystem data including recovery information executable by the controller to initiate recovery of the subsystem(fig 1:114; par 29 “Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”); and
recovery coordination instructions to:
determine integrity of the recovery information as stored on the memory(fig 3:315; par 31 “Whether initialization firmware verifies (i.e., passes verification) may be determined at operation 315.”); and,
in response to determining that the recovery information lacks integrity(fig 3:355; par 33 “If the initialization firmware does not verify and/or the BIOS does not verify (i.e., fails verification), one or more response(s) may be initiated at operation 355.”):
initiate recovery of the firmware subsystem using a backup of the recovery information(fig 3:370; par 35 “A recovery process may be initiated at operation 370. Operation 370 may include maintaining a cross-reset state configured to allow an initial retry that includes a reset, rolling over to a backup copy of the initialization firmware and/or BIOS, rolling back to a prior image of the initialization firmware and/ or BI OS and/ or updating the initialization firmware and/or BIOS. Whether a backup copy of the initialization firmware is present may depend on properties associated with non-volatile memory.”); and
perform recovery of the firmware subsystem using an update to the firmware subsystem(fig 3:370,375; par 35 “A recovery process may be initiated at operation 370. Operation 370 may include maintaining a cross-reset state configured to allow an initial retry that includes a reset, rolling over to a backup copy of the initialization firmware and/or BIOS, rolling back to a prior image of the initialization firmware and/ or BIOS and/ or updating the initialization firmware and/or BIOS.”).

Regarding claim 2, Held teaches
The computing device of claim 1, 
Held further teaches,
wherein the main processor is to control operation of the computing device(fig 1:122; par 19 “The processor complex 102 may include a processor (CPU) 122 and off-die non-volatile memory 124. For example, the off-die non-volatile memory 124 may be included in a processor complex package that includes the processor 122 and the off-die non-volatile memory 124.”), the computing device comprises a secure memory isolated from the main processor to store the backup of the recovery information and the recovery coordination instructions(fig 1:114,134; par 35 “Operation 370 may include maintaining a cross-reset state configured to allow an initial retry that includes a reset, rolling over to a backup copy of the initialization firmware and/or BIOS, rolling back to a prior image of the initialization firmware and/or BIOS and/or updating the initialization firmware and/or BIOS. Whether a backup copy of the initialization firmware is present may depend on properties associated with non-volatile memory.”; par 28 “In another example, the EEPROM 114 may include a duplicate of BIOS 134 stored in a separate region of EEPROM 114 (or another, distinct EEPROM) that may be accessed (decoded) in response to detection of a compromised system. In other words, system 100 may include a "backup" BIOS configured to be executed if verification of BIOS 134 fails. The backup BIOS may be stored in EEPROM 114 and/or another EEPROM.”), and the computing device comprises an endpoint security controller(fig 1:108; par 41 “For example, in systems that include TPM 108, operation 410 may include confirming the integrity of the signed manifest by comparing a hash of the manifest to a stored hash value in an NV data register of TPM 108.”) to execute the recovery coordination instructions(fig 1:106,112; par 36 “The microprocessor subsystem 112 may be further configured to reprogram the flash memory 114 with the retrieved BIOS. A reset may then be initiated at operation 375.” Par 18 “Although shown as a separate block, in some embodiments, TPM 108 may be included in microprocessor subsystem 112.”).

Regarding claim 3, Held teaches
The computing device of claim 1, 
Held further teaches,
wherein the recovery coordination instructions are further to capture the backup of the recovery information at end of manufacture of the computer device.(par 21 “The initialization firmware verification module 128 and initialization firmware 130 may typically be generated by a processor manufacturer, and stored during the manufacturing process.” Par 19 “The particular response(s) may be selected at manufacturing and/or may be selected by updating the processor configuration and/or initialization firmware, as described herein.”)

Regarding claim 4, Held teaches
The computing device of claim 1, 
Held further teaches,
wherein the recovery coordination instructions are to determine integrity of the recovery information before the computing device is reset(fig 4:455,460,465; par 44 “If there is a UEFI firmware update, the update may be authenticated using UEFI firmware validation at operation 455. Operation 460 includes setting a model specific register IN_ UPDATE_MSR, updating the UEFI firmware in the flash memory and clearing the model specific register IN_UPDATE_ MSR. A reset may then be initiated at operation 465.” The authentication step 455 happens before the reset.)

Regarding claim 5, Held teaches
The computing device of claim 1, 
Held further teaches,
wherein the recovery coordination instructions are further to update the backup of the recovery information(fig 3:370; Par 36 “The microprocessor subsystem 112 may be further configured to reprogram the flash memory 114 with the retrieved BIOS.”) when the subsystem data is updated(fig 3:370; par 36 “Operation 370 may include updating the initialization firmware and/or BIOS via Out Of Band (OOB) communications.” …” For example, the updated BIOS may have a higher monotonic revision than the failed BIOS (e.g., to avoid roll-back attacks to earlier, possibly errant BIOS's).”);

Regarding claim 6, Held teaches
The computing device of claim 1, 
Held further teaches,
wherein the subsystem data comprises a set of subsystem instructions and data that are useable by the controller and unusable by the main processor of the computing device.(fig 1:138; par 29 “The microprocessor subsystem 112 is configured to execute manageability engine firmware 138 stored in flash memory 114.”)

Regarding claims 7,8, they are the computer readable medium containing instructions to perform the method that the system of claims 1,3 implements, and are rejected for the same reasons.

Regarding claim 11, Held teaches
The non-transitory computer-readable medium of claim 7, 
Held further teaches,
wherein the instructions are further to, prior to performing recovery of the firmware subsystem using the update to the firmware subsystem, authenticate the update(fig 4:420; par 42 “Operation 420 may further include verifying the signed manifest ( digital signature) with a remote certificate authority (CA).”).

Regarding claim 12, Held teaches
	The non-transitory computer-readable medium of claim 7, 
Held further teaches,
wherein the instructions are further to determine integrity of the recovery information(fig 3:370; par 36 “Operation 370 may include updating the initialization firmware and/or BIOS via Out Of Band (OOB) communications. For example, the microprocessor subsystem 112 of FIG. 1 may be configured to communicate over network 120 to remote agent 118 via OOB communication to retrieve an updated, uncompromised BIOS.”) before the computing device is reset, shut down, or hibernated(fig 3:370; par 36 “Operation 370 may include updating the initialization firmware and/or BIOS via Out Of Band (OOB) communications. For example, the microprocessor subsystem 112 of FIG. 1 may be configured to communicate over network 120 to remote agent 118 via OOB communication to retrieve an updated, uncompromised BIOS.”).

Regarding claim 13, Held teaches,
A computing device comprising: a main processor(fig 1:122; par 14 “One example system (computing platform) includes a processor complex that includes a processor and off-die nonvolatile memory, coupled to the processor.”);
a firmware subsystem including a firmware controller and memory, wherein the firmware controller is separate from the main processor(fig 1:106,112; par 29 “In this embodiment, the microprocessor subsystem 112 is coupled to the processor complex 102 via the Platform Controller Hub (PCH) 106 and to the network 120 and remote agent 118 via the network port 116. …. For example, if verification of BIOS 134 fails, the microprocessor subsystem 112 ( and manageability engine firmware 138) may be configured to communicate OOB with remote agent 118 to retrieve an updated, verified BIOS from remote agent 118. Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”), wherein the memory is to store instructions and data of the firmware subsystem, wherein the instructions and data of the firmware subsystem are inaccessible to the main processor(fig 1:114; par 29 “Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”), wherein the firmware subsystem further includes recovery instructions to initiate recovery of the firmware subsystem(fig 1:106,112; par 29 “In this embodiment, the microprocessor subsystem 112 is coupled to the processor complex 102 via the Platform Controller Hub (PCH) 106 and to the network 120 and remote agent 118 via the network port 116. …. For example, if verification of BIOS 134 fails, the microprocessor subsystem 112 ( and manageability engine firmware 138) may be configured to communicate OOB with remote agent 118 to retrieve an updated, verified BIOS from remote agent 118. Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”);
a security controller to:
determine integrity of the recovery instructions(fig 3:315; par 31 “Whether initialization firmware verifies (i.e., passes verification) may be determined at operation 315.”); and
in response to determining that the recovery instructions lack integrity(fig 3:355; par 33 “If the initialization firmware does not verify and/or the BIOS does not verify (i.e., fails verification), one or more response(s) may be initiated at operation 355.”), initiate recovery of the firmware subsystem using a backup of the recovery instructions(fig 3:370; par 35 “A recovery process may be initiated at operation 370. Operation 370 may include maintaining a cross-reset state configured to allow an initial retry that includes a reset, rolling over to a backup copy of the initialization firmware and/or BIOS, rolling back to a prior image of the initialization firmware and/ or BI OS and/ or updating the initialization firmware and/or BIOS. Whether a backup copy of the initialization firmware is present may depend on properties associated with non-volatile memory.”), and perform recovery of the firmware subsystem using an update to the firmware subsystem(fig 3:370,375; par 35 “A recovery process may be initiated at operation 370. Operation 370 may include maintaining a cross-reset state configured to allow an initial retry that includes a reset, rolling over to a backup copy of the initialization firmware and/or BIOS, rolling back to a prior image of the initialization firmware and/ or BIOS and/ or updating the initialization firmware and/or BIOS.”).

Regarding claim 14, it adds the same limitation as claim 2 and is rejected for the same reasons.

Regarding claim 15, Held teaches
The computing device of claim 13, 
Held further teaches,
further comprising a hardware-initialization firmware subsystem including instructions stored in the memory and executable by the main processor.(fig 1: 134; par 28 “The BIOS 134 is configured to initialize and test the hardware and to load the OS 150.” )

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over US 20130013905 A1 (Held) in view of US 20180088963 A1 (Arora).

Regarding claim 9, Held teaches
The non-transitory computer-readable medium of claim 7, 
Held further teaches,
wherein the instructions are further to, determine whether a new update to the firmware subsystem is available to be applied(par 29 “For example, if verification of BIOS 134 fails, the microprocessor subsystem 112 ( and manageability engine firmware 138) may be configured to communicate OOB with remote agent 118 to retrieve an updated, verified BIOS from remote agent 118. Advantageously, this may allow remotely updating and/or authenticating the BIOS stored in a flash memory that has been attacked without requiring actual on-site physical access to the flash memory 114.”), apply the new update, determine whether application of the new update was successful(fig 3:370; par 36 “Operation 370 may include updating the initialization firmware and/or BIOS via Out Of Band (OOB) communications.” …” For example, the updated BIOS may have a higher monotonic revision than the failed BIOS (e.g., to avoid roll-back attacks to earlier, possibly errant BIOS's).”), and where application of the new update was successful, flag that the new update is to be backed up to be used as the update to perform recovery of the firmware subsystem(fig 3:370; Par 36 “The microprocessor subsystem 112 may be further configured to reprogram the flash memory 114 with the retrieved BIOS.”).
However, Held does not specifically teach at boot up of the computing device.
On the other hand, Arora teaches 
 Instructions for an update service for updating platform software on a computing device(par 15 “According to an exemplary embodiment, an update service for updating platform software on a computing device is provided.”), 
wherein the instructions are further to, at boot up of the computing device, determine whether a new update to the firmware subsystem is available to be applied(fig 3C:322,326; par 48 “Also, during the boot-up process, storage and access controller 204 of updater 155 may determine whether an upgrade exists 326.”), apply the new update, determine whether application of the new update was successful(par 19 “According to an exemplary embodiment, when the update service determines that a successful write of the upgraded operating system to the second storage area has occurred, the update service will make the upgraded operating system available for use. However, when the update service determines that an error occurred, the computing device may, during a subsequent boot-up, execute the operating system stored in the first storage area.”), and where application of the new update was successful, flag that the new update is to be backed up to be used as the update to perform recovery of the firmware subsystem(fig 2B:237,242,247; par 43 “According to an exemplary implementation, during a boot-up process of device 150, first stage boot loader 237 uses the file as a basis for selecting the loading of the second stage boot loader. For example, based on the data included in the file, first stage boot loader 237 may load second stage boot loader 239 or upgraded second stage boot loader 242 or 247.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Held to incorporate the at boot up timing of Arora.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Held -- a need for a solution for the issue of how to update firmware and other base level software(Held par 6 “However, BIOS updates and other legitimate modifications may be necessary that may be implemented only through physical access to the system and the ROM that stores the BIOS”) -- with Arora providing a known method to solve a similar problem. Arora provides “According to an exemplary embodiment, an update service for updating platform software on a computing device is provided.”(par 15)
Allowable Subject Matter
Claim 10 objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:  The prior art does not teach or fairly suggest: wherein the instructions are further to, at reset of the computing device, determine whether a new update to the firmware subsystem was successfully applied on last boot, and upon determining that a new update to the firmware subsystem was successfully applied on last boot, back up the new update to be used as the update to perform recovery of the firmware subsystem. Outlined in claim 10. In particular, the particular sequence of applying an update, restarting, checking if the previous session before the restart had an update, and then backing up the update as the new backup if the update successfully applied on last boot, was not found in the prior art. Reference Held stores the backup after verification, not restart. References like Samuel and Astarabadi do restarts but do not actively store the update as a new backup on the condition that the update was successfully applied on last boot. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 20070169088 A1 - Lambert - Automatic Firmware Corruption Recovery And Update
US 20200201714 A1 - Montero - general firmware backup and update
US 20150277930 A1 - Sarangdhar – related to claim 3, Par 113 teaches code set during manufacturing.
US 20190286436 A1 - Liu - backup BIOS, but does not replace backups.
US 20190163497 A1 - Samuel - alternate boot flags.
US 9542195 B1 - Astarabadi – restart logic which verifies if the previous update was successful. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL XU whose telephone number is (571)272-5688. The examiner can normally be reached Monday-Friday 8:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on (571) 272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/M.X./Examiner, Art Unit 2113                                                                                                                                                                                                        /BRYCE P BONZO/Supervisory Patent Examiner, Art Unit 2113