DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

This action is responsive to communication filed 2/26/2020.
Claims 1-20 are presented for examination.

Information Disclosure Statement
The information disclosure statement (IDS) was submitted on 2/26/2020.  The submissions are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Nolan R. Hubbard (Reg. No. 62327) on 6/15/2022.

Please amend the following claims:
1. A method comprising: 
receiving, at an application node of a cloud computing environment, a request to create a virtual machine at the application node, the request containing encryption parameters for use in encrypting the virtual machine;
creating, at the application node, the virtual machine, the virtual machine including an associated memory for use during execution of the virtual machine;
encrypting the memory;
generating an attestation based on the encryption parameters and a public key associated with the virtual machine to indicate the virtual machine has been created and encrypted at least in part; 
transmitting the attestation to a security coordinator, wherein the security coordinator generates and transmits a first encryption key to the application node in response to receiving and verifying the attestation by the security coordinator;
receiving, at the application node, [[a]] the first encryption key;
receiving an encrypted container image at the application node, wherein the encrypted container image is encrypted using the first encryption key;
mounting the encrypted container image within the virtual machine; and
executing the encrypted container image within the virtual machine.

4 (canceled).

5. The method of claim [[4]] 1, wherein the security coordinator further transmits the first encryption key to a secure registry for use in encrypting the encrypted container image.

8 (canceled).

10. The method of claim 9, wherein the request is received by [[a]] the security coordinator configured to generate the encryption parameters before transmitting the request including the encryption parameters to the application node.

14. A system comprising: 
a processor; and
a first memory storing instructions which, when executed by the processor, cause the processor to:
transmit, to an application node of a cloud computing environment, a request to create a virtual machine at the application node, the request containing encryption parameters for use in encrypting the virtual machine;
receive, at a security coordinator from the application node, an attestation indicating that the virtual machine has been created and encrypted at least in part;
validate the attestation at the security coordinator; 
generate a first encryption key at the security coordinator in response to validating the attestation;
transmit the first encryption key to the application node; and
transmit, to the virtual machine, an encrypted container image which is encrypted by the first encryption key for execution within the virtual machine.

17. The system of claim 16, wherein the encryption parameters include a certificate uniquely associated with [[a]] the security coordinator from which the request is transmitted to the application node.

20. A non-transitory, computer-readable medium storing instructions which, when executed by a processor, cause the processor to:
transmit, to an application node of a cloud computing environment, a request to create a virtual machine at the application node, the request containing encryption parameters for use in encrypting the virtual machine;
receive, at a security coordinator from the application node, an attestation indicating that the virtual machine has been created and encrypted at least in part;
validate the attestation at the security coordinator;
generate a first encryption key at the security coordinator in response to validating the attestation;
transmit the first encryption key to the application node; and
transmit, to the virtual machine, an encrypted container image which is encrypted by the first encryption key for execution within the virtual machine.

REASONS FOR ALLOWANCE
The following is an examiner’s statement of reasons for allowance:

Claims 1-3, 5-7 and 9-20 are allowable over the prior art of record because the Examiner found that no cited prior art reference discloses the claimed invention in its entirety, and found no motivation, based on the prior art, to combine any of the said prior art references.

As per independent Claims 1, 14 and 20, the primary reason for allowance is “generating an attestation based on the encryption parameters and a public key associated with the virtual machine to indicate the virtual machine has been created and encrypted at least in part; transmitting the attestation to a security coordinator, wherein the security coordinator generates and transmits a first encryption key to the application node in response to receiving and verifying the attestation by the security coordinator” in conjunction with the remaining limitations of the claims.
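The attestation-gated key release recited in the quoted limitation, written out as an added example in Go; this code is not part of the application or of this action. It assumes an Ed25519 key pair standing in for the VM's public key, random bytes standing in for the coordinator's encryption parameters, and it does not simulate VM creation or memory encryption; all function and type names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Attestation binds the coordinator's encryption parameters to the VM's public key,
// so the coordinator can tell the attestation came from the VM it asked for.
type Attestation struct {
	Params []byte            // encryption parameters echoed from the create request
	VMPub  ed25519.PublicKey // public key associated with the virtual machine
	Sig    []byte            // VM's signature over Params || VMPub
}

func attestMsg(a Attestation) []byte { return append(append([]byte{}, a.Params...), a.VMPub...) }

// IssueParams (security coordinator): fresh random parameters sent with the create
// request, so an attestation captured for one request cannot be reused for another.
func IssueParams() []byte {
	p := make([]byte, 16)
	rand.Read(p)
	return p
}

// NodeAttest (application node): a fresh VM key pair stands in for creating and
// memory-encrypting the VM; the attestation covers the request's parameters and that key.
func NodeAttest(params []byte) Attestation {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a := Attestation{Params: params, VMPub: pub}
	a.Sig = ed25519.Sign(priv, attestMsg(a))
	return a
}

// CoordinatorReleaseKey (security coordinator): the first encryption key exists only
// after the attestation echoes the issued parameters and verifies under the VM's key.
func CoordinatorReleaseKey(issued []byte, a Attestation) ([]byte, error) {
	if !bytes.Equal(issued, a.Params) || !ed25519.Verify(a.VMPub, attestMsg(a), a.Sig) {
		return nil, errors.New("attestation rejected: no key released")
	}
	key := make([]byte, 32) // key under which the registry encrypts the container image
	_, err := rand.Read(key)
	return key, err
}
```

The released key would then be handed to the secure registry (claim 5) to encrypt the container image the VM later mounts; that step is not shown here.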

The following are related prior art references.
Patil et al. (US 20210247994 A1, hereafter Patil) discloses: a master node of a cloud computing environment which, in response to a user submitting a job to the master node through the user interface of a device, selects a worker node to deploy and launch a secure VM at the worker node based on VM configuration parameters, wherein such secure VM is utilized to run a container which executes the requested workload and the VM configuration parameters are based on the workload’s requirements (see Figs. 1, 3, 5, [0023]-[0024], [0039]-[0040] and [0042]-[0043]). The secure virtual machine also downloads and mounts an encrypted container image from a container registry and then executes the required workload by decrypting the encrypted container image with a received encryption key, which is the key used to encrypt the encrypted container image (see Figs. 1, 3, 5, [0017] and [0044]). However, Patil does not disclose how the encryption key used to encrypt the container image before transmitting it to the worker node, and to decrypt the received container image at the worker node for execution, is generated; the encryption key simply exists in the system of Patil.
 
Rodriguez et al. (US 20200403784 A1) discloses: upon creation of a worker node in a cluster, the worker node generates a data encryption key for encrypting sensitive application data running in a secure enclave of the worker node (see [0050]).

Kwak et al. (US 20210173950 A1, hereafter Kwak) discloses: management software generates a data encryption key and performs remote attestation on the processing device to which the generated data encryption key is to be transmitted (see [0052]-[0054] and [0071]). No specific description in Kwak actually states that the encryption key is generated in response to the remote attestation being successfully completed; Kwak only describes generating the encryption key and transmitting the generated encryption key to the device/location that is remotely attested.

Korthny et al. (US 9009471 B2, hereafter Korthny) discloses: a sensitive data control monitor of a virtual appliance machine generates an encryption key for each guest virtual machine, which is sent to the local sensitive data control agent and used to encrypt data locally on a protected guest virtual machine (lines 30-40 of col. 1), wherein the encryption key for a guest virtual machine is generated after the guest virtual machine transmits a certification that uniquely identifies the guest virtual machine to the virtual appliance machine (see lines 20-26 and lines 34-37 of col. 8). The encryption key of Korthny is generated based only on a certification indicating that the guest virtual machine is activated, without indicating that the guest virtual machine is encrypted; in addition, this encryption key is used to encrypt and decrypt the local data of the guest virtual machine, rather than only to decrypt remote data/images received by the guest virtual machine.

Chaturvedi et al. (US 20110246767 A1) discloses: a secured VM can be an encrypted VM whose memory is encrypted via an encryption key (see [0004] and [0018]).
Kaplan et al. (US 20180285140 A1) discloses: one or more allocated memory pages of a virtual machine are encrypted via an encryption key (see [0033] and [0036]).

None of the references above, alone or in combination, discloses the feature of “generating an attestation based on the encryption parameters and a public key associated with the virtual machine to indicate the virtual machine has been created and encrypted at least in part; transmitting the attestation to a security coordinator, wherein the security coordinator generates and transmits a first encryption key to the application node in response to receiving and verifying the attestation by the security coordinator”.

The remaining claims, not specifically mentioned, are allowed because they are dependent upon the claims mentioned above.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHI CHEN whose telephone number is (571)272-0805.  The examiner can normally be reached on Monday-Friday 9:30AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente can be reached on (571)272-3652.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/Zhi Chen/
Patent Examiner, AU2196

/EMERSON C PUENTE/Supervisory Patent Examiner, Art Unit 2196