DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
2.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 5/24/2022 has been entered.
 

Claim Rejections - 35 USC § 103
3.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4.	Claims 1,3,4,9-14,15,17,18,20 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin (US 20180136868), and further in view of Craddock (US 20110321158)

Claim 1.    Tsirkin245 discloses A system (e.g., In computer systems executing a guest virtual machine, para 0010) comprising:
a host including  a memory, a processor, and a device with access to a plurality of device memory addresses (DMAs)(e.g., a device of the host operating system (host OS) 186 (or host device) may refer to CPU 120, 
MD 130, a software device, and/or hardware device, para 0016 Fig. 1; the device (e.g., 
CPU 120, MD 130, an input/output device, a software device, a hardware device) accesses the first portion 205 (e.g., the reserved portion) of guest memory 195 to locate a command.  For example, the command may include the guest physical address 210, para 0025) a supervisor e.g., executing a software layer (e.g., hypervisor 180)); and

a guest with access to a plurality of guest memory addresses (GMAs)(e.g., guest virtual machine using a guest address, 0010), configured to execute on the processor to initialize a first driver for the device (e.g., guest memory 195 may include a driver 181B, 0021 Fig 1), 

wherein the supervisor is configured to execute on the processor to: map a first subset of GMAs to a first subset of DMAs, wherein the device is configured to communicate with the guest via the first subset of DMAs (e.g., he hypervisor 180 controls and limits access to memory allocated to the guest operating system 196 of the guest virtual machine 170 (e.g., guest memory 195 allocated to guest operating system 196).  Access to these memory pages is controlled and limited by the hypervisor 180.  For example, mappings to memory are managed by the hypervisor 180.  Through these mappings, the memory itself can be accessed, para 0020),

map a plurality of supervisor memory addresses (SMAs) to a second subset of DMAs, wherein the second subset of DMAs is located in a reserved range of addresses (e.g., a first portion 205 of guest memory 195 has been reserved by the hypervisor 180.  For example, the hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass, para 0022 Fig. 2B-2C),

initialize a second driver for the device with access to the plurality of SMAs, wherein the device is configured to communicate with the supervisor via the plurality of SMAs (e.g., hypervisor 560 reserves a first portion of guest memory 565 (e.g., a range of guest physical addresses in guest memory 540). the first portion of guest memory 565 is reserved by guest firmware.  the first portion of guest memory 565 is protected from virtual machine access, para 0034; driver 181A, 0021)( Tsirkin discloses the method 400 may be performed by a hypervisor 180 interacting with guest virtual machine 170, a host input-output memory management unit 188, and a device 401  (0026).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests (0012).  The hypervisor 180 controls and limits access to memory (e.g., memory allocated to the guest virtual machine 170), mappings to memory are managed by the hypervisor 180 (0020). Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180 (0020).  The hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass (0022). first portion 205 of guest memory 195 is protected from guest virtual machine access (0022 Fig. 2).  Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180, in the input-output memory management unit 188 (IOMMU)(0020).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests, for example, so the hypervisor does not have to translate addresses and handle device access requests (0012).),

intercept a request from the first driver to the device, wherein the request is associated with at least one memory address (e.g., hypervisor 180, hypervisor memory 182, includes the device request buffer 183.  Storing the device request buffer 183 in hypervisor memory 182 access request received from devices.  access requests (e.g., requests to access addresses) are stored in the device request buffer 183, 0021 Fig. 1A-2C).

 Tsirkin245 does not disclose, but Tsirkin868 discloses
	physical device (e.g., address range 531 is a range of the physical memory 510 , 0047);
	validate that each of the at least one memory address  in the request is outside of the reserved range of addresses of the physical device, such that each memory address included in the request are not overlapping with the reserved range of addresses of the physical device to protect the physical device (e.g., access request 220 is stored in the device request buffer 215, which is stored in the host IOMMU mapped physical bus address range, but outside of the VIOMMU mapped allowed address range, 0026-0027, Fig. 2C), and 
	after validating that each of the at least one memory address associated with the request is outside of the reserved range of addresses of the physical device, send the request to the physical device via the second driver (e.g., storing the access request 220 outside of the allowed address range 210, devices (e.g., CPU 120A-C, MD 130A-C, I/O 140A-B, a software device, and/or hardware device 150A-B) may access the access request 220, but may not access the allowed address range 210, thus protecting the guest virtual machine 170A and VIOMMU 191A from malicious device access., 0027).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, providing the benefit  to improve security associated with access requests; Advantageously, storing access request 220 outside of the allowed address range 210 exposes devices to additional memory (e.g., memory mapped to physical bus address range 205 that is outside of allowed address range 210)(see Tsirkin868, 0026).


 Tsirkin245 in view of Tsirkin868 does not disclose, but Craddock discloses
	length (e.g., field specifies the offset within the specified address space from which the data is to be loaded; [0173] Length field 1116: This field specifies the length of the load operation (e.g., the number of bytes to be loaded); bytes loaded from the adapter function are to be contained within an integral boundary in the adapter function's designated PCI address space, 0169-0175 Fig. 11A-11B).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, with Craddock, providing the benefit of Address translation and protection unit 118 accesses information used for the DMA or MSI request (see Craddock, 0058) An operating system or application program running in a virtual machine appears to have access to a full and complete system, but in reality, only a portion of it is available (0061) Some of main storage includes permanently assigned storage locations (0252).


Claim 3.    Tsirkin245 discloses wherein the device lacks access to the plurality of SMAs prior to being granted access to the plurality of SMAs by the supervisor, wherein the devices is granted access to the plurality of the SMAs when the supervisor maps the plurality of SMAs to corresponding DMAs in an IOMMU page table (e.g., the first portion 205 of guest memory 195 is protected from guest virtual machine 170 access.  For example, guest virtual machine 170 is unable to access any of guest memory 195 within the range defined by the first portion 205, para 0028; FIG. 4B, the device 401 sends a request to access the command (e.g., the guest physical address 210), such that the request to access the command (e.g., the guest physical address 210) is received by the host input-output memory management unit 188 (blocks 430 and 431)., para 0030).

Claim 4.    Tsirkin245 discloses wherein the device is incompatible with the first driver (e.g., other applications run on a second guest virtual machine are incompatible with the underlying hardware and/or OS 186, para 0018), and the second driver converts the request into a format compatible with the device prior to sending the request to the device (e.g., drivers 181A-B enable applications (e.g., applications 198A-B) to interact with 
devices (e.g., CPU 120, MD 130, an input/output device, a software device, a hardware device, etc.).  the driver 181A is a device specific driver (e.g., a driver specific to any of a CPU 120, MD 130, an input/output device, a software device, a hardware device, etc.), para 0021).

Claim 9.    Tsirkin245 discloses wherein the reserved range of addresses is protected against at least one of access and modification by the guest (e.g., the first portion 205 of guest memory 195 is protected from guest virtual machine access (e.g., access by guest virtual machine 170), para 0022).

Claim 10.    Tsirkin245 discloses wherein the first driver is configured to assign a second subset of GMAs as one of a transmission buffer and a reception buffer for shared access with the device (e.g., hypervisor 180 may include hypervisor memory 182, which may additionally include the device request buffer 183, para 0021).


Claim 12.    Tsirkin245 discloses wherein the second driver is configured to initialize a connection between the first driver and the device (e.g., drivers 181A-B enable applications (e.g., applications 198A-B) to interact with devices (e.g., CPU 120, MD 130, an input/output device, a software device, a hardware device, etc.), para 0021).

Claim 13.    Tsirkin245 discloses wherein the device is one of a network interface and a storage device (e.g., Host memory 184 may also be referred to as host physical memory 184, para 0020).

Claim 14.    Tsirkin245 discloses wherein the supervisor is one of a hypervisor and a host operating system (e.g., hypervisor 180, host operating system 186, para 0017).

Claim 15.    Tsirkin245 discloses A method (e.g., In computer systems executing a guest virtual machine, para 0010) comprising:
mapping a first subset of guest memory addresses (GMAs) to a first subset of device memory addresses (DMAs), wherein a device is configured to communicate with a guest via the first subset of DMAs (e.g., he hypervisor 180 controls and limits access to memory allocated to the guest operating system 196 of the guest virtual machine 170 (e.g., guest memory 195 allocated to guest operating system 196).  Access to these memory pages is controlled and limited by the hypervisor 180.  For example, mappings to memory are managed by the hypervisor 180.  Through these mappings, the memory itself can be accessed, para 0020),

mapping a plurality of supervisor memory addresses (SMAs) to a second subset of DMAs, wherein the second subset of DMAs is located in a reserved range of addresses (e.g., a first portion 205 of guest memory 195 has been reserved by the hypervisor 180.  For example, the hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass, para 0022 Fig. 2B-2C),

initialize a second driver for the device with access to the plurality of SMAs, wherein the device is configured to communicate with the supervisor via the plurality of SMAs (e.g., hypervisor 560 reserves a first portion of guest memory 565 (e.g., a range of guest physical addresses in guest memory 540). the first portion of guest memory 565 is reserved by guest firmware.  the first portion of guest memory 565 is protected from virtual machine access, para 0034; driver 181A, 0021) ( Tsirkin discloses the method 400 may be performed by a hypervisor 180 interacting with guest virtual machine 170, a host input-output memory management unit 188, and a device 401  (0026).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests (0012).  The hypervisor 180 controls and limits access to memory (e.g., memory allocated to the guest virtual machine 170), mappings to memory are managed by the hypervisor 180 (0020). Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180 (0020).  The hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass (0022). first portion 205 of guest memory 195 is protected from guest virtual machine access (0022 Fig. 2).  Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180, in the input-output memory management unit 188 (IOMMU)(0020).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests, for example, so the hypervisor does not have to translate addresses and handle device access requests (0012).),

	intercepting, by the supervisor, a request from the first driver to the device, wherein the request is associated with at least one memory address (e.g., hypervisor 180, hypervisor memory 182, includes the device request buffer 183.  Storing the device request buffer 183 in hypervisor memory 182 access request received from devices.  access requests (e.g., requests to access addresses) are stored in the device request buffer 183, 0021 Fig. 1A-2C).

 Tsirkin245 does not disclose, but Tsirkin868 discloses
	physical device (e.g., address range 531 is a range of the physical memory 510 , 0047);
	validate that each of the at least one memory address  in the request is outside of the reserved range of addresses of the physical device, such that each memory address included in the request are not overlapping with the reserved range of addresses of the physical device to protect the physical device (e.g., access request 220 is stored in the device request buffer 215, which is stored in the host IOMMU mapped physical bus address range, but outside of the VIOMMU mapped allowed address range, 0026-0027, Fig. 2C), and 
	after validating that each of the at least one memory address associated with the request is outside of the reserved range of addresses of the physical device, send the request to the physical device via the second driver (e.g., storing the access request 220 outside of the allowed address range 210, devices (e.g., CPU 120A-C, MD 130A-C, I/O 140A-B, a software device, and/or hardware device 150A-B) may access the access request 220, but may not access the allowed address range 210, thus protecting the guest virtual machine 170A and VIOMMU 191A from malicious device access., 0027).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, providing the benefit  to improve security associated with access requests; Advantageously, storing access request 220 outside of the allowed address range 210 exposes devices to additional memory (e.g., memory mapped to physical bus address range 205 that is outside of allowed address range 210)(see Tsirkin868, 0026).

 Tsirkin245 in view of Tsirkin868 does not disclose, but Craddock discloses
	length (e.g., field specifies the offset within the specified address space from which the data is to be loaded; [0173] Length field 1116: This field specifies the length of the load operation (e.g., the number of bytes to be loaded); bytes loaded from the adapter function are to be contained within an integral boundary in the adapter function's designated PCI address space, 0169-0175 Fig. 11A-11B).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, with Craddock, providing the benefit of Address translation and protection unit 118 accesses information used for the DMA or MSI request (see Craddock, 0058) An operating system or application program running in a virtual machine appears to have access to a full and complete system, but in reality, only a portion of it is available (0061) Some of main storage includes permanently assigned storage locations (0252).

Claim 17 is rejected for reasons similar to claim 3 above.
Claim 18 is rejected for reasons similar to claim 4 above.

Claim 20.    Tsirkin245 discloses A non-transitory machine-readable medium storing code, which when executed by a processor, is configured to (e.g., In computer systems executing a guest virtual machine, para 0010) comprising:
map a first subset of guest memory addresses (GMAs) to a first subset of device memory addresses (DMAs), wherein a device is configured to communicate with a guest via the first subset of DMAs (e.g., he hypervisor 180 controls and limits access to memory allocated to the guest operating system 196 of the guest virtual machine 170 (e.g., guest memory 195 allocated to guest operating system 196).  Access to these memory pages is controlled and limited by the hypervisor 180.  For example, mappings to memory are managed by the hypervisor 180.  Through these mappings, the memory itself can be accessed, para 0020),

map a plurality of supervisor memory addresses (SMAs) to a second subset of DMAs, wherein the second subset of DMAs is located in a reserved range of addresses (e.g., a first portion 205 of guest memory 195 has been reserved by the hypervisor 180.  For example, the hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass, para 0022 Fig. 2B-2C),

initialize a first driver for the device with access to the plurality of SMAs, wherein the device is initialized with a second driver, and the device is configured to communicate with a supervisor via the plurality of SMAs (e.g., hypervisor 560 reserves a first portion of guest memory 565 (e.g., a range of guest physical addresses in guest memory 540). the first portion of guest memory 565 is reserved by guest firmware.  the first portion of guest memory 565 is protected from virtual machine access, para 0034; driver 181A, 0021) ( Tsirkin discloses the method 400 may be performed by a hypervisor 180 interacting with guest virtual machine 170, a host input-output memory management unit 188, and a device 401  (0026).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests (0012).  The hypervisor 180 controls and limits access to memory (e.g., memory allocated to the guest virtual machine 170), mappings to memory are managed by the hypervisor 180 (0020). Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180 (0020).  The hypervisor 180 has selected a range of guest memory 195 (e.g., the first portion 205) for hypervisor translation bypass (0022). first portion 205 of guest memory 195 is protected from guest virtual machine access (0022 Fig. 2).  Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180, in the input-output memory management unit 188 (IOMMU)(0020).  hypervisor may configure a host input-output memory management unit to translate addresses and handle device access requests, for example, so the hypervisor does not have to translate addresses and handle device access requests (0012).),

intercept a request from the first driver to the device, wherein the request is associated with at least one memory address (e.g., hypervisor 180, hypervisor memory 182, includes the device request buffer 183.  Storing the device request buffer 183 in hypervisor memory 182 access request received from devices.  access requests (e.g., requests to access addresses) are stored in the device request buffer 183, 0021 Fig. 1A-2C).

 Tsirkin245 does not disclose, but Tsirkin868 discloses
	physical device (e.g., address range 531 is a range of the physical memory 510 , 0047);
	validate that each of the at least one memory address  in the request is outside of the reserved range of addresses of the physical device, such that each memory address included in the request are not overlapping with the reserved range of addresses of the physical device to protect the physical device (e.g., access request 220 is stored in the device request buffer 215, which is stored in the host IOMMU mapped physical bus address range, but outside of the VIOMMU mapped allowed address range, 0026-0027, Fig. 2C), and 
	after validating that each of the at least one memory address associated with the request is outside of the reserved range of addresses of the physical device, send the request to the physical device via the second driver (e.g., storing the access request 220 outside of the allowed address range 210, devices (e.g., CPU 120A-C, MD 130A-C, I/O 140A-B, a software device, and/or hardware device 150A-B) may access the access request 220, but may not access the allowed address range 210, thus protecting the guest virtual machine 170A and VIOMMU 191A from malicious device access., 0027).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, providing the benefit  to improve security associated with access requests; Advantageously, storing access request 220 outside of the allowed address range 210 exposes devices to additional memory (e.g., memory mapped to physical bus address range 205 that is outside of allowed address range 210)(see Tsirkin868, 0026).

 Tsirkin245 in view of Tsirkin868 does not disclose, but Craddock discloses
	length (e.g., field specifies the offset within the specified address space from which the data is to be loaded; [0173] Length field 1116: This field specifies the length of the load operation (e.g., the number of bytes to be loaded); bytes loaded from the adapter function are to be contained within an integral boundary in the adapter function's designated PCI address space, 0169-0175 Fig. 11A-11B).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, with Craddock, providing the benefit of Address translation and protection unit 118 accesses information used for the DMA or MSI request (see Craddock, 0058) An operating system or application program running in a virtual machine appears to have access to a full and complete system, but in reality, only a portion of it is available (0061) Some of main storage includes permanently assigned storage locations (0252).

5.	Claims 2, 16 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin868 (cited above) Craddock (cited above) and  Aloni (US 20080133709) 

Claim 2.    Tsirkin245 discloses wherein the device is configured to access the memory via an input/output memory management unit (IOMMU)(e.g., Mappings between guest memory 195 (e.g., guest physical addresses) and host memory 184 (e.g., host physical addresses) are stored, by the hypervisor 180, in the input-output memory management unit 188 (IOMMU), para 0020), 

Tsirkin245 and Tsirkin868 and Craddock does not disclose, but Aloni discloses
and the plurality of DMAs are virtual memory addresses translated by an IOMMU page table (e.g., a page table entry in the IOMMU tables 314, para 0054 Fig. 3B).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, and Tsirkin868 and Craddock, with Aloni,  providing the benefit of allow address translation and mapping where all physically resident GOS memory may be mapped to the IOMMU tables 314 (see Aloni, 0058) and allow multiple hypervisor to enable multiple GOSs to access the hardware resources in a time-sharing manner (0009).

Claim 16 is rejected for reasons similar to claim 2 above.

6.	Claims 5, 8 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin868 (cited above)  and Craddock (cited above) and  Tsirkin (US 20170031593) 

Claim 5.    Tsirkin245 and Tsirkin868 and Craddock does not disclose, but Tsirkin593 discloses
wherein the hypervisor rejects a second request from the first driver based on the second request being associated with a memory address in the reserved range (e.g., Responsive to determining that the memory page comprising the memory buffer is not present (i.e., has been swapped out), hypervisor 180 may determine that such access is forbidden., para 0028).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock, with Tsirkin593, providing the benefit of facilitating Direct Memory Access (DMA) operations (see TSirkin593, 0001), in order to allow high-priority tasks and interrupt service routines to use a guest I/O table (0012).

Claim 8.    Tsirkin245 and Tsirkin868 and Craddock does not disclose, but Tsirkin593 discloses wherein at least one of (i) the guest is configured to access contents of the first subset of GMAs via direct memory access, and (ii) the device is configured to access contents of the first subset of DMAs via direct memory access (e.g., the host computer system may emulate Direct Memory Access (DMA) to allow virtual I/O devices to access the guest memory Directly, para 0011).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock with Tsirkin593, providing the benefit of facilitating Direct Memory Access (DMA) operations (see TSirkin593, 0001), in order to allow high-priority tasks and interrupt service routines to use a guest I/O table (0012).


6.	Claims 6, 7 are rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin868 (cited above)  and Craddock (cited above) and  Tsirkin (US 20170031593) and Tsirkin (US 20170329618)

Claim 6.    Tsirkin245 and Tsirkin868 and Craddock and Tsirkin593 does not disclose, but Tsirkin618 discloses wherein the second request is associated with memory addresses both inside and outside of the reserved range (e.g., set of memory pages 124, which is in the writable mode in first set of hypervisor page tables 116-1 and in the write-protected mode in second set of hypervisor page tables 116-2, para 0065 Fig. 5).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock with Tsirkin593, with Tsirkinn618, providing the benefit of handling a request to modify write-protected memory (see Tsirkin618, 0001) where It may be desirable to modify memory that is write-protected for various Reasons (0016).

Claim 7.    Tsirkin245 and Tsirkin868 and Craddock and Tsirkin593 does not disclose, but Tsirkin618 discloses wherein at least one of an alert and an error is generated in response to the second request (e.g., Patching code 204 may send an error message in response to a determination that the request is not valid, para 0054; fault, 0026).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock with Tsirkin593, with Tsirkinn618, providing the benefit of handling a request to modify write-protected memory (see Tsirkin618, 0001) where It may be desirable to modify memory that is write-protected for various Reasons (0016).

5.	Claims 11 is rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin868 (cited above) Craddock (cited above) and  Apfelbaum (US 20170249106) 

Claim 11.   Tsirkin245 discloses wherein the first driver assigns a first network address to the guest (e.g., device 401 may access guest memory 195 to locate the command (e.g., guest physical address 210) (blocks 440 and 441), para 0031 Fig. 4B).
 
 Tsirkin245 , with Tsirkin868 and Craddock does not disclose, but Apfelbaum discloses
	and the second driver translates the first network address into a second network address compatible with at least one of the device and a network connected to the device (e.g., access attempts (e.g., direct memory access attempts) by devices (e.g., first device 150A and second device 150B) will be channeled through respectively IOMMUs (e.g., first VIOMMU 171A and second VIOMMU 172A)., para 0042), 

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock with Apfelbaum, providing the benefit of multiple devices may access a guest virtual machine while optimizing both security and processing efficiency (see Apfelbaum, 0011), the host can maintain memory integrity by preventing a device from performing illegal transactions or accessing invalid addresses (0019) and provide elasticity and flexibility as devices are associated with IOMMUs and security designations (0044).

8.	Claims 19 is rejected under 35 U.S.C. 103 as being unpatentable over Tsirkin (US 20180060245 pub Mar 2018) and in view of Tsirkin868 (cited above) and  Craddock (cited above)  and Tsirkin (US 20170329618)

Claim 19.     Tsirkin245 discloses
	intercepting a second request from the second driver to the device (e.g., hypervisor 180, hypervisor memory 182, includes the device request buffer 183.  Storing the device request buffer 183 in hypervisor memory 182 access request received from devices.  access requests (e.g., requests to access addresses) are stored in the device request buffer 183, 0021 Fig. 1A-2C). 

Tsirkin245 and Tsirkin868 and Craddock does not disclose, but Tsirkin618 discloses wherein the second request is associated with memory addresses both inside and outside of the reserved range (e.g., set of memory pages 124, which is in the writable mode in first set of hypervisor page tables 116-1 and in the write-protected mode in second set of hypervisor page tables 116-2, para 0065 Fig. 5).
	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868 and Craddock, with Tsirkinn618, providing the benefit of handling a request to modify write-protected memory (see Tsirkin618, 0001) where It may be desirable to modify memory that is write-protected for various Reasons (0016).


Additional References:
1.  Asaro (US 20190228145)

Response to Arguments
Applicant's arguments filed 5/10/2022 (via RCE filed 5/24/2022) have been fully considered but they are not persuasive. 
For claim 1, 15, 20, Applicant argues that the cited references did not disclose the amended limitations.
The present OA rejects the amended limitations.

Specifically,  Tsirkin868 and Craddock in combination with Tsirkin245 discloses the amended limitations.

Tsirkin245 does not disclose, but Tsirkin868 discloses
	physical device (e.g., address range 531 is a range of the physical memory 510 , 0047);
	validate that each of the at least one memory address  in the request is outside of the reserved range of addresses of the physical device, such that each memory address included in the request are not overlapping with the reserved range of addresses of the physical device to protect the physical device (e.g., access request 220 is stored in the device request buffer 215, which is stored in the host IOMMU mapped physical bus address range, but outside of the VIOMMU mapped allowed address range, 0026-0027, Fig. 2C), and 
	after validating that each of the at least one memory address associated with the request is outside of the reserved range of addresses of the physical device, send the request to the physical device via the second driver (e.g., storing the access request 220 outside of the allowed address range 210, devices (e.g., CPU 120A-C, MD 130A-C, I/O 140A-B, a software device, and/or hardware device 150A-B) may access the access request 220, but may not access the allowed address range 210, thus protecting the guest virtual machine 170A and VIOMMU 191A from malicious device access., 0027).
	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, providing the benefit  to improve security associated with access requests; Advantageously, storing access request 220 outside of the allowed address range 210 exposes devices to additional memory (e.g., memory mapped to physical bus address range 205 that is outside of allowed address range 210)(see Tsirkin868, 0026).

 Tsirkin245 in view of Tsirkin868 does not disclose, but Craddock discloses
	length (e.g., field specifies the offset within the specified address space from which the data is to be loaded; [0173] Length field 1116: This field specifies the length of the load operation (e.g., the number of bytes to be loaded); bytes loaded from the adapter function are to be contained within an integral boundary in the adapter function's designated PCI address space, 0169-0175 Fig. 11A-11B).

	It would have been obvious to one of ordinary skill in the art prior to the filing date of the claimed invention to modify the computer systems executing a guest virtual machine, as disclosed by Tsirkin245, with Tsirkin868, with Craddock, providing the benefit of Address translation and protection unit 118 accesses information used for the DMA or MSI request (see Craddock, 0058) An operating system or application program running in a virtual machine appears to have access to a full and complete system, but in reality, only a portion of it is available (0061) Some of main storage includes permanently assigned storage locations (0252).

Claims 15 and 20 are rejected for reasons similar to claim 1.
Dependent claims 2-14 and 16-19 are rejected based on dependency from claims 1 and 15.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to GAUTAM SAIN whose telephone number is (571)270-3555. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sanjiv Shah can be reached on 571-272-4098. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GAUTAM SAIN/Primary Examiner, Art Unit 2135