DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim(s) 1, 8 and 15 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

Claim 1 (similarly claims 8 and 15) recite: (copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory”.  The examiner is unclear from where the data is being sourced from for copying data from performing the privileged instruction to the first portion or where the data is copied to for performing the privileged instruction from the first portion of the guest memory.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over 
Shanbhogue et al. (Pub 20200310972) (hereafter Shan) in view of Colesa et al. (Pub 20160164880) (hereafter Colesa) and further in view of Leenstra et al. (Pub 20210232693) (hereafter Leenstra).

As per claim 1, Shan teaches:
A method comprising: 
initializing, by a firmware module associated with a virtual machine running on a host computer system, an exclusion range register associated with the virtual machine with a value specifying a first portion of guest memory, wherein the first portion of the guest memory comprises an exclusion range marked as reserved; ([Paragraph 33], coordinate the above-explained protections, a trust domain resource manager (TDRM) is a VMM software extension that may be deployed for management and support of TDX operation. [Paragraph 44], The processor 112 may execute a virtual machine monitor (VMM) 140, which may be extended with a TD resource manager (TDRM) 142. The VMM 140 may control one or more virtual machines (VMs) 155. The TDRM 142 may provide resource assignments to the VMs 155 and, via the SEAM, to one or more TDs 150A, 150B, and 150C.  [Paragraph 73], The ACM are processor-authenticated firmware modules that execute out of a protected environment created in the caches 118A of the processor core(s) 114. The ACM technology was introduced as part of Intel® Trusted Execution Technology (TXT). The SEAMLDR is a new type of ACM which is launched using the GETSEC[ENTERACCS] instruction. The MCHECK firmware 162 may tell hardware that the reserved range 136 of memory is verified and can be used by the ACM 170 and the SEAM module 137.  [Paragraph 97], In order to perform that translation, the VMM may need to first determine paging and segmentation including examining a segmentation state of the virtual machine (VM) 155. The VMM may also determine a paging mode of the VM 155 at the time of instruction invocation, including examining page tables set up by the VM and examining the control registers 134 and MSRs programmed by the VM 155.  [Paragraph 37], A key used to verify the manifest signature may be embedded in hardware of the processor core. The SEAMLDR also uses the manifest signature to authenticate the SEAM module loaded into the reserved range of the memory. The SEAMLDR may then record the measurements and identity of the SEAM module into a set of hardware measurement registers. In implementations, these measurement registers are writeable only by the SEAMLDR, thus generating a measured environment to ensure tamper-free execution. Once the SEAM has been deployed into and set up within the reserved range of the memory, the processor core may further restore a lock to the reserved range of the memory by restoring a lock to the hardware register.  [Paragraph 80], In implementations, the BIOS allocates the base address and the mask defining the reserved range 136 of the memory and sets the lock bit on the range register 116, associated with this reserved range 136 of the memory, of each processor core 114)
encrypting, by the firmware using an ephemeral encryption key, a second portion of the guest memory;
booting, by a hypervisor of the host computer system, the virtual machine; and 
 ([Paragraph 82], In implementations, the physical memory range programmed into the SEAM range register 116 (e.g., SEAMRR) is to have a key ID of zero (“0”), which may be enforced by the MCHECK firmware 162. The ephemeral key used for SEAMRR accesses is not the same as the key addressed by key ID zero by the VMM for legacy VMs. Instead, accesses to the reserved range 136 of the memory are encrypted and integrity protected using a platform-reserved encryption key that is also used for encryption and integrity protection of the reserved range stored in the PRMRR. This platform-reserved encryption key may be programmed into the MK-TME engine 126 by the MCHECK firmware 126. This platform key may be randomly regenerated on every boot. So, even if an attacker were to capture encrypted memory of the computing system 100, the attacker would not be able to inject into range on a subsequent power up.)
However, Shan does not explicitly disclose booting, by a hypervisor of the host computer system, the virtual machine; and 
responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: 
copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.
Colesa teaches booting, by a hypervisor of the host computer system, the virtual machine; and 
responsive to intercepting, by the hypervisor, a privileged instruction executed by the virtual machine, performing at least one of: 
([Paragraph 46], In one example, secure VM launch module 60 may issue a particular function call (e.g., VMCALL on Intel® platforms), which triggers a processor event (e.g., VMExit on Intel® platforms) configured to suspend execution of client VM 50 and transfer control of processor 12 to hypervisor 40. Hypervisor 40 may include a handler routine, e.g., VM switch engine 64 in FIG. 4, configured to intercept the respective processor event, thus receiving notification from VM launch module 60. When processes executing within a virtual machine need to exchange data with hypervisor 40, such data may be placed in a pre-determined section of memory shared between the respective process (e.g., module 60) and hypervisor 40.  [Paragraph 49], When the evaluation indicates that client system 12 supports hardware virtualization and integrity attestation, server 14 may transmit a VM installation package to client system 12, the package configured to set up client system 12 for secure communication with server 14. In a step 214, client system 12 launches the respective installation package. The package installs and launches hypervisor 40 (step 216). In response, in a step 218, hypervisor 40 exposes client VM 50 and displaces the software previously executing on client system 12 (e.g., client OS 54 and applications 58-59 of FIG. 4) to client VM 50. In an alternative embodiment, steps 216-218 comprise a reboot of client system 12. Following such a reboot, hypervisor 40 may expose VMs 50-52, and re-launch applications previously executing on client system 12, configuring such applications to execute within client VM 50. In a step 220, hypervisor 40 may install secure VM launch module 60, configuring module 60 to communicate with hypervisor 40.  [Paragraph 37], In some embodiments of the present invention (e.g., FIG. 4), hypervisor 40 is configured to expose a client VM 50 and a secure VM 52. In some embodiments, hypervisor 40 further comprises a VM switch engine 64 configured to alternate execution between VM 50 and VM 52. Client VM 50 may be considered an insecure computing environment, in the sense that, in typical embodiments, client VM 50 executes software that is not specifically hardened or protected against internal or external malware attacks. For instance, client VM 50 may or may not include software explicitly configured to carry out secure transactions with server 14. In contrast, secure VM 52 includes components specifically designed to protect the user from malware attacks, and/or to ensure the security of transactions. The trustworthiness of security VM 52 is further enforced via integrity attestation by server 14, as shown in detail below.  [Paragraph 58], FIG. 6 illustrates an exemplary data exchange between client system 12 and service-providing server 14 during a secure transaction. In some embodiments of the present invention, client system 12 is configured to switch, during each transaction requiring security clearance, between executing client VM 50 and executing secure VM 52, so that a part of the data sent to server 14 during the respective transaction is sent from within client VM 50, while another part of the data is sent from within secure VM 52. The part sent from within client VM 50 includes, among others, an item indicator 67 and a transaction request 68.  [Paragraph 64], Switching client system 12 to executing secure VM 52 (step 252) comprises transferring control of processor 22 to VM 52. In some embodiments, switching to executing secure VM 52 comprises loading the VMSO associated with secure VM 52 onto the processor. Loading the VMSO results in processor 22 managing memory according to SLAT structures (e.g., extended page tables on Intel® platforms) configured for secure VM 52.  [Paragraph 55],  In a step 226, hypervisor 40 may perform a measurement of secure VM 52, to produce a reference value to be used for subsequent integrity verification of secure VM 52. Some embodiments verify the integrity of secure VM 52 before carrying out transactions with service-providing server 14 (as shown further below), to ensure that none of the components of secure VM 52 has been tampered with, for instance by malware infecting system 12. Several methods of integrity checking are known in the art. For instance, step 226 may compute a hash of the memory image of VM 52.  [Paragraph 56], Further enrollment data may include measurements/hashes that can be used to verify the integrity of hypervisor 40 and/or of firmware or hardware-specific code (e.g., BIOS, UEFI) of client system 12. Enrollment data may be signed using a cryptographic key specific to the respective client system (e.g., the endorsement key of PSM 30). In response to receiving the enrollment data, server 14 may save such data (e.g., the reference hash of VM 52, the server authentication token, etc.) in attestation database 17.)
It would have been obvious to a person with ordinary skill in the art, before the effective filing date of the invention, to combine the teaching of Shan wherein an exclusion range register is initialized by a firmware module, a first portion of guest memory is marked as reserved, an ephemeral encryption key is used for encryption of second portion of guest memory and ephemeral encryption key is generated on every boot, into teachings of Colsea wherein a VM is booted/rebooted and hypervisor re-launches applications/VMs and hypervisor intercepts events (i.e. privilege instruction), because this would enhance the teachings of Shan wherein by rebooting/restarting the VM(s) allows the VM(s) with secure VM launch module can be initialized during the reboot thus enabling VMs (i.e. secure and non-secure) to be switched and isolating memory locations associated with privilege instruction (secure VM privilege instruction) during the switching process, therefore, integrity/security is attested.
However, Shan and Colesa do not explicitly disclose copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory.
Leenstra also teaches first and second portion of the guest memory reserved (i.e. initialized) by a firmware; encrypting a second portion of the guest memory; ([Paragraph 5], In one aspect, the invention relates to a method comprising providing a computer readable storage media, wherein a first memory component of the computer readable storage media is configured for access by an OS, secure and non-secure applications and a firmware, and wherein a second memory component of the computer readable storage media is configured for access by the firmware and the secure application and not by the OS and not by the non-secure applications, providing a data processing unit that is configured to operate in a first mode of operation that executes a non-secure application using the OS, and configuring the data processing unit to operate in a second mode of operation that executes the secure application using the firmware, thereby executing an application code of the secure application using the second memory component.  [Paragraph 28], the firmware is configured for: receiving a system call (e.g. named ‘scan’ for clarity of the description) from a process, the system call indicating the secure application being stored in encrypted format in the first memory component (the first memory component stores an encrypted secure application), upon receiving the system call, configuring the data processing unit to operate in the second mode of operation, copying or moving the encrypted secure application in the second memory component and decrypting in the second memory component the copied or moved secure application, setting up an address translation structure for enabling access to data in the second memory component and the first memory component by the decrypted secure application, executing the decrypted secure application, the executing comprising accessing the second memory component using the address translation structure.)
Leenstra teaches copying data for performing the privileged instruction to the first portion of the guest memory or copying data for performing the privileged instruction from the first portion of the guest memory. ([Paragraph 28], the firmware is configured for: receiving a system call (e.g. named ‘scan’ for clarity of the description) from a process, the system call indicating the secure application being stored in encrypted format in the first memory component (the first memory component stores an encrypted secure application), upon receiving the system call, configuring the data processing unit to operate in the second mode of operation, copying or moving the encrypted secure application in the second memory component and decrypting in the second memory component the copied or moved secure application, setting up an address translation structure for enabling access to data in the second memory component and the first memory component by the decrypted secure application, executing the decrypted secure application, the executing comprising accessing the second memory component using the address translation structure.  [Paragraph 29], The firmware may copy the integrity protected code part and a cryptographically protected code part to the second memory component. Decryption and integrity checking may be done in the second memory component. If those checks pass (or are successful), the code of the secure application may be executed as a secure process. In another example, the secure application may be part of a secure container, wherein the process sending the scall may be part of the secure container. For example, the system call scall may be sent by a library OS of the secure container. In a further example, the process sending the scall may be part of a secure VM, (SVM). The secure application process may directly point to the decrypted and integrity checked code in the second memory component. [Paragraph 49], FIG. 1A is a block diagram of a process-based virtualization system 100, in accordance with an example of the present subject matter. Process-based virtualization system 100 includes host operating system (hypervisor) 110, firmware 120, hardware 130, secure virtual machine (SVM) 140, and VM 150. The hardware 130 may for example comprise a data processing unit (e.g. processor core) in accordance with an example of the present subject matter. [Paragraph 56], The SVM may enable a secure execution of applications running inside the SVM. For that, the SVM trusts a given OS (e.g., guest OS 160) but not the hypervisor. However, applications running inside normal VMs may need to be secured if OS is not trusted. That is, the secure application does not trust both the OS and the hypervisor 110, if present. The present subject matter may enable to secure such applications.)
	It would have been obvious to a person with ordinary skill in the art, before the effective filing date of the invention, to combine the teachings of Shan and Colesa wherein an exclusion range register is initialized by a firmware module, a first portion of guest memory is marked as reserved, an ephemeral encryption key is used for encryption of second portion of guest memory, ephemeral encryption key is generated on every boot, a VM(s) is/are booted/rebooted, hypervisor re-launches applications/VMs and hypervisor intercepts events (i.e. privilege instruction), into teachings of Leenstra wherein data for performing the privileged instruction is copied/moved to another portion because this would enhance the teachings of Shan and Colesa wherein by copying/moving the data for performing the privileged instruction from the first location to the second location and decrying the data at the second location, allows data that is/are stored at the second location to be decrypted for use while preserving the integrity of the first location by allowing decryption of the second location data once integrity is validated.

As per claim 2, rejection of claim 1 is incorporated:
Shan teaches further comprising: sending a measurement reflecting a handler address, a control environment, and the exclusion range register to a guest owner. ([Paragraph 11-12], FIG. 7A is a block diagram illustrating translation of a guest virtual address to a guest physical address and of a guest physical address to a host physical address, according to an implementation.  FIG. 7B is a block diagram illustrating use of extended page tables (EPT) to translate the guest physical address to the host physical address, according to an implementation.  [Paragraph 15], FIG. 8C is a block diagram illustrating how the TD OS can specify whether the TD OS wants to access shared or private memory, and how that is translated using either a shared EPT or a secure EPT, respectively, according to implementations.  [Paragraph 18], FIG. 10 is a flow diagram of a method of using bootstrapping operation of a SEAM module out of a reserved range of memory and to which is transferred virtual root mode operational control upon invoking a SEAMCALL instruction according to an implementation.  [Paragraph 94], FIG. 6B is a block diagram of the SEAM configuration portion (SEAMCFG) 605 of the reserved range 136 of the memory to store, in part, virtual machine control structures (VMCSs), one per logical processor, according to an implementation. The SEAMCFG portion 605 may include a system information table 645 and a data array 650 in which to store a SEAM VMCS, which is a controlling VMCS to control transition into the SEAM, per logical processor of the processor core 114…)
Leenstra also teaches ([Paragraph 28], the system call indicating the secure application being stored in encrypted format in the first memory component (the first memory component stores an encrypted secure application), upon receiving the system call, configuring the data processing unit to operate in the second mode of operation, copying or moving the encrypted secure application in the second memory component and decrypting in the second memory component the copied or moved secure application, setting up an address translation structure for enabling access to data in the second memory component and the first memory component by the decrypted secure application, executing the decrypted secure application, the executing comprising accessing the second memory component using the address translation structure.   [Paragraph 32], According to one embodiment, the address translation structure comprises a partition table and a secure process table for secure processes, the partition table and secure process table being stored in the second memory component, wherein setting up the address translation structure comprises adding a partition entry in the partition table, the added partition entry pointing to the secure process table, and adding a process entry in the secure process table associated with a secure application process of the secure application, the added process entry pointing to a secure application address translation tree, the secure application address translation tree being configured for enabling translation of effective addresses to physical addresses of the second memory component.)

As per claim 3, rejection of claim 2 is incorporated:
Shan teaches wherein the control environment comprises a page table. ([Paragraph 11-12], FIG. 7A is a block diagram illustrating translation of a guest virtual address to a guest physical address and of a guest physical address to a host physical address, according to an implementation.  FIG. 7B is a block diagram illustrating use of extended page tables (EPT) to translate the guest physical address to the host physical address, according to an implementation.)
Colesa also teaches ([Paragraph 64], Switching client system 12 to executing secure VM 52 (step 252) comprises transferring control of processor 22 to VM 52. In some embodiments, switching to executing secure VM 52 comprises loading the VMSO associated with secure VM 52 onto the processor. Loading the VMSO results in processor 22 managing memory according to SLAT structures (e.g., extended page tables on Intel® platforms) configured for secure VM 52.)
Leenstra also teaches ([Paragraph 33], The secure application translation tree may be a single level partition scoped radix translation tree, an example of which is numbered 624 in FIG. 6D. The added process entry may enable to locate page directories and page tables of the secure application address translation tree.)

As per claim 4, rejection of claim 2 is incorporated:
Colesa teaches wherein the measurement comprises a cryptographic hash of the handler address, contents of the control environment, an address of the exclusion range register, and contents of the exclusion range register. ([Paragraph 46], Hypervisor 40 may include a handler routine, e.g., VM switch engine 64 in FIG. 4, configured to intercept the respective processor event, thus receiving notification from VM launch module 60. When processes executing within a virtual machine need to exchange data with hypervisor 40, such data may be placed in a pre-determined section of memory shared between the respective process (e.g., module 60) and hypervisor 40.  [Paragraph 55], Some embodiments verify the integrity of secure VM 52 before carrying out transactions with service-providing server 14 (as shown further below), to ensure that none of the components of secure VM 52 has been tampered with, for instance by malware infecting system 12. Several methods of integrity checking are known in the art. For instance, step 226 may compute a hash of the memory image of VM 52. A step 228 may save the respective hash, herein termed reference hash of VM 52, to the writable memory of protected storage module 30  [Paragraph 56], Further enrollment data may include measurements/hashes that can be used to verify the integrity of hypervisor 40 and/or of firmware or hardware-specific code (e.g., BIOS, UEFI) of client system 12. Enrollment data may be signed using a cryptographic key specific to the respective client system (e.g., the endorsement key of PSM 30). In response to receiving the enrollment data, server 14 may save such data (e.g., the reference hash of VM 52, the server authentication token, etc.) in attestation database 17. Reference hashes allow server 14 to subsequently verify the integrity of secure VM 52 before carrying out transactions requiring security clearance. In a further step 232, hypervisor 40 may terminate secure VM 52. In some embodiments, step 230 further comprises pre-allocating a section of memory for a future instance of secure VM 52.  [Paragraph 59], Attestation package 72 may further include measurements/hashes usable to attest the integrity of hypervisor 40 and/or other critical software, such as firmware (e.g., BIOS, UEFI) executing on client system 12.)
Leenstra also teaches ([Paragraph 37], ccording to one embodiment, the unencrypted secure application is associated with a hash value indicative of the content of the secure application, the firmware being further configured for performing an integrity check of the unencrypted content of the secure application using the hash value. The decryption and copy is performed if the integrity check is successful. The integrity check may comprise determining whether the hash value is still representative of the current content of the secure application. [Paragraph 53], Furthermore, firmware 120 operating in ultravisor mode may move or copy the encrypted data into the second memory component and decrypt it. In another example, the hardware may do the encryption/decryption under the direction of firmware 120. Secure data in the second memory component may be encrypted and may have a secure hash added before being stored in hypervisor 110/VM 150 memory domain i.e. the first memory component. The encrypted data can thereafter be paged out by hypervisor 110 to disk storage. Accordingly, data and state information related to SVM 140 and secure containers may not be in a clear text format outside the second memory component and is integrity protected by the secure hash.)
Shan also teaches ([Paragraph 36], The processor may execute a get secure (GETSEC) leaf function referred to as a GETSEC[ENTERACCS] instruction to bootstrap the SEAM VMX root mode software (the SEAM module) into operation via launch of an authenticated code module (ACM) referred to herein as a SEAM loader (SEAMLDR). Upon execution of the GETSEC[ENTERACCS] instruction, the processor unlocks the hardware register on the logical processor from which the ACM is launched, which unlocks the reserved range of the memory in which to load the SEAM module. An ACM is a processor-authenticated firmware module that executes out of a protected environment created in the processor core caches. In implementations, the SEAMLDR is to store the SEAM module and a manifest in the reserved range of the memory. The manifest, which may be located in the header of the SEAMLDR, may be generated via a hash algorithm run on specific information associated with the SEAM, e.g., a combination of the SEAM module, a security version number (SVN) of the SEAM, and a SEAM identifier.)

As per claim 5, rejection of claim 1 is incorporated:
Leenstra teaches generating, by the hypervisor, the firmware module associated with the virtual machine. ([Paragraph 4], In one aspect, the invention relates to a process-based virtualization system comprising: a computer readable storage media (or machine-readable medium), wherein a first memory component of the computer readable storage media is configured for access by an operating system (OS), secure and non-secure applications and a firmware of the process-based virtualization system, and wherein a second memory component of the computer readable storage media is configured for access by the firmware and the secure application and not by the OS and not by the non-secure applications, the data processing unit being configured to operate in a first mode of operation that executes a non-secure application using the OS, and the data processing unit being configured to operate in a second mode of operation that executes the secure application using the firmware, thereby executing an application code of the secure application using the second memory component.  [Paragraph 25], For example, the address space is setup for a secure application, by the firmware instead of the OS. In addition, the firmware controls execution of the secure application instead of the OS. Untrusted applications may however run under control of the OS…  [Paragraph 49], Process-based virtualization system 100 includes host operating system (hypervisor) 110, firmware 120, hardware 130, secure virtual machine (SVM) 140, and VM 150…)
Shan also teaches ([Paragraph 36],  The processor may execute a get secure (GETSEC) leaf function referred to as a GETSEC[ENTERACCS] instruction to bootstrap the SEAM VMX root mode software (the SEAM module) into operation via launch of an authenticated code module (ACM) referred to herein as a SEAM loader (SEAMLDR). Upon execution of the GETSEC[ENTERACCS] instruction, the processor unlocks the hardware register on the logical processor from which the ACM is launched, which unlocks the reserved range of the memory in which to load the SEAM module. An ACM is a processor-authenticated firmware module that executes out of a protected environment created in the processor core caches. In implementations, the SEAMLDR is to store the SEAM module and a manifest in the reserved range of the memory. The manifest, which may be located in the header of the SEAMLDR, may be generated via a hash algorithm run on specific information associated with the SEAM, e.g., a combination of the SEAM module, a security version number (SVN) of the SEAM, and a SEAM identifier.)

As per claim 6, rejection of claim 1 is incorporated:
Leenstra teaches wherein the second portion comprises all guest memory except for the first portion. ([Paragraph 28], the firmware is configured for: receiving a system call (e.g. named ‘scan’ for clarity of the description) from a process, the system call indicating the secure application being stored in encrypted format in the first memory component (the first memory component stores an encrypted secure application), upon receiving the system call, configuring the data processing unit to operate in the second mode of operation, copying or moving the encrypted secure application in the second memory component and decrypting in the second memory component the copied or moved secure application, setting up an address translation structure for enabling access to data in the second memory component and the first memory component by the decrypted secure application, executing the decrypted secure application, the executing comprising accessing the second memory component using the address translation structure.  [Paragraph 89], At least one such embodiment includes receiving a system call from a process, wherein the system call indicates that the secure application is being stored in an encrypted format in the first memory component. At least one such embodiment includes responding to reception of the system call by modifying the data processing unit to operate in the second mode of operation. At least one such embodiment includes copying the encrypted secure application in the second memory component. At least one such embodiment includes decrypting the secure application in the second memory component. At least one such embodiment includes generating an address translation structure that provides access to data in the second memory component and the first memory component by the decrypted secure application. At least one such embodiment includes executing the decrypted secure application such that the second memory component is accessed using the address translation structure.)
Shan also teaches ([Paragraph 137], The implementations of providing co-existence of trust domain architecture with multi-key total memory encryption technology may be implemented in processing device…  [Paragraph 14], FIG. 8B illustrates encryption key ID space partitioning into TDX and multi-key total memory encryption (MK-TME) key identifiers (IDs) in one implementation.  [Paragraph 32], To achieve this confidential VM execution, the memory of the VM and the runtime processor state is to be kept confidential, integrity-protected, and reply protected to prevent data exfiltration or tamper-based attacks. The CSP system may deploy trust domain extensions (TDX) to meet these security objectives via use of memory encryption and integrity provided by a memory controller adapted to include a multi-key total memory encryption (MK-TME) engine. MK-TME technology refers to providing, to an operating system or VMM, the capability to use different unique encryption keys to encrypt pages of physical memory associated with different workloads, e.g., different tenants, different applications, different devices, and the like. To support TDX, the MK-TME engine may employ specific keys that can be only used for TDX.  [Paragraph 156], The implementations to provide co-existence of trust domain architecture with multi-key total memory encryption technology may be implemented in processing device 1470, processing device 1480, or both.)

As per claim 7, rejection of claim 1 is incorporated:
Shan teaches further comprising: receiving the ephemeral encryption key from a guest owner; supplying, by the firmware, the ephemeral encryption key to the virtual machine through the second portion of guest memory; and booting a guest operating system. ([Paragraph 82], In implementations, the physical memory range programmed into the SEAM range register 116 (e.g., SEAMRR) is to have a key ID of zero (“0”), which may be enforced by the MCHECK firmware 162. The ephemeral key used for SEAMRR accesses is not the same as the key addressed by key ID zero by the VMM for legacy VMs. Instead, accesses to the reserved range 136 of the memory are encrypted and integrity protected using a platform-reserved encryption key that is also used for encryption and integrity protection of the reserved range stored in the PRMRR. This platform-reserved encryption key may be programmed into the MK-TME engine 126 by the MCHECK firmware 126. This platform key may be randomly regenerated on every boot. So, even if an attacker were to capture encrypted memory of the computing system 100, the attacker would not be able to inject into range on a subsequent power up.  [Paragraph 32], o achieve this confidential VM execution, the memory of the VM and the runtime processor state is to be kept confidential, integrity-protected, and reply protected to prevent data exfiltration or tamper-based attacks. The CSP system may deploy trust domain extensions (TDX) to meet these security objectives via use of memory encryption and integrity provided by a memory controller adapted to include a multi-key total memory encryption (MK-TME) engine. MK-TME technology refers to providing, to an operating system or VMM, the capability to use different unique encryption keys to encrypt pages of physical memory associated with different workloads, e.g., different tenants, different applications, different devices, and the like. To support TDX, the MK-TME engine may employ specific keys that can be only used for TDX.)

As per claims 8-14, these are system claims corresponding to the method claims 1-7.  Therefore, rejected based on similar rationale.

As per claims 15-20, these are non-transitory machine-readable storage medium claims corresponding to the method claims 1, 2 and 4-7.  Therefore, rejected based on similar rationale.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DONG U KIM whose telephone number is (571)270-1313. The examiner can normally be reached 9:00am - 5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Emerson Puente can be reached on 5712723652. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/DONG U KIM/Primary Examiner, Art Unit 2196