DETAILED ACTION
CLAIMS 1-20 
are presented for examination.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1 and 8-12
 is/are rejected under 35 U.S.C. 103 as being unpatentable over Deierling et al., US WO2011019390A1, (“Deierling”) in view of Rudelic et al., US 2006/0149918 Al, (“Rudelic”).
Regarding Claim 1,
 Deierling teaches a boot Read-Only Memory (ROM) update method of an embedded system ([0030] “the exemplary embodiments describe update information that corresponds to field upgradeable unit ll0's bootloader 282.” Emphasis added. See also Fig. 2, element 110 and element 282.) including a memory, which includes … a boot ROM area that includes a first area and a second area, (Fig. 2, element 280 “Non-volatile Memory Device” ; See also Fig. 3, element 280 boot ROM area giving the claim the BRI --;
 element 305  “active portion” which stores a “bootloader”  – a first area giving the claim the BRI --;
 and element 310 “inactive portion” – a second area giving the claim the BRI.) 
and a ROM, (Fig. 2, element 282 “bootloader”; 
See also [0021] “updates of memory device 280 can be limited by a state machine 270. State machine 270 may prevent controller 210 from altering the contents of non-volatile memory 280. In this way, for example, state machine 270 may protect the non-volatile memory 280 so that updates may only be performed under particular conditions.” Emphasis added.;
See also [0023] “example, after field upgradeable unit 110 is reset, controller 210 may execute firmware stored in ROM 226 that updates the memory device's contents. The firmware may disable changes to memory device 280 before relinquishing controller 210 to execute the software.” Emphasis added.;
See also [0032] “Secure non-volatile memory device 280 may operate as a ‘read-only’ memory except in certain circumstances, such as when field upgradeable unit 110 is placed in an "update mode" and/or state machine 270 is in the ‘update state.’” Emphasis added.)
See also [0036] and [0046];
i.e. memory device may be configured to have writes/updates disabled – read only memory (ROM) giving the claim the BRI – after the bootloader has been updated.) which copies a first boot code from the boot ROM area during boot-up, .([0027] “bootloader 282 may load a secondary stage bootloader from memory device 280 if the secondary stage bootloader is properly signed.”; 
See also [0023] “bootloader 282 in non-volatile memory 280 … to be executed by the controller 210 whenever the controller 210 is in an initialization state, such as when the controller 210 is first powered up or is rebooted or otherwise reset.” ) 
the boot ROM update method comprising:
writing a second boot code to the second area (Fig. 3, element 320 as it relates to element 310 and the accompanying arrows indicating that element 320 is stored at element 315, then copied into element 310. See also [0031], [0044], and [0053]) in response to a first ROM update command, ([0024] “Firmware may trigger state machine 270 to enter the update state by storing a predetermined value, such as a specific command”; See also [0035]) the second boot code including a second boot ROM image and a second signature for the second boot ROM image; ([0044] “If all verifications pass, update module 284 copies Key 2, Key 3, and the update information (which, as discussed above, may be a new bootloader) into the inactive portion 310 of secure memory device 280 ….” Emphasis added;
See also [0031] “update object 320  …  may include update information that is formatted into a number of sections, including: update information (e.g., program instructions for a bootloader), Key 1, Key 2, Key 3, Signature 1, Signature 2, and Signature 3. In some embodiments, the update object 320 may have an associated update signature 321 that may be provided with (such as being appended to) the update object 320
See also [0041]) 
verifying validity of the second signature written to the second area; ([0042] “If the calculated value for hash 3 matches each of the hash values generated from the signatures, the update object 320 is verified.”) and
 if the second signature written to the second area is valid, swapping the first area and the second area, ([0044] “If all verifications pass, update module 284 copies Key 2, Key 3, and the update information (which, as discussed above, may be a new bootloader) into the inactive portion 310 of secure memory device 280. Another verification may be performed to make sure that all data was copied correctly. If there is no failure, update module 284 sends a command to swap between active portion 305 and inactive portion 310 ….” Emphasis added.; See also Fig. 3, indicating a swap between the inactive/active portions after the copy and verification of the update object.) 
wherein the first boot code is disposed in the first area and includes a first boot ROM image and a first signature for the first boot ROM image. (Fig. 3, element 305 “Boot-loader” “current Key” and “Next Key”) 

Deirling does not teach a memory, which includes a user data area and a boot ROM area …. Emphasis added. Note, Deirling goes on to teach a separate non-secure user area which is used for verifying the bootloader update. (Fig. 3, element 315; See also [0040) .
Rudelic teaches a memory, which includes a user data area and a boot ROM area ….
([0020] “memory controllers 116 and 118 partition memory into secure partitions and non-secure partitions. For example, on chip memory controller 118 may partition on-chip memory 120 into secure memory partition 122 and non-secure memory partition 124, where the partitions are shown separated at boundary 126.” Emphasis added.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of  Rudelic with the teaching of  Deirling as both references are directed to conducting secure transactions within a computing system. Moreover, Rudelic improves on Deirling’s teaching of providing for separate secure and non-secure memories (Deirling Fig. 3, elements 280 and element 315.) by teaching a technique which allows for a single memory to be configured to provide for secure and non-secure partitions (Rudelic [0020]), allowing a single memory to be used where two might have been used before, thus improving cost and efficiency in the system.
Claim(s) 11
 is/are directed to the same scope as the method set forth in claim(s) 1. Therefore claim(s) 11 is/are rejected under the same reasoning set forth above over Dierling in view of Rudelic.
Regarding claims 8-10 and 12, 
Deirling teaches these claims according to the reasoning set forth in the previous office action.
Claim(s) 2-7 and 16-20
 is/are rejected under 35 U.S.C. 103 as being unpatentable over Deierling et al., US WO2011019390A1, (“Deierling”) in view of Rudelic et al., US 2006/0149918 Al, (“Rudelic”) in further view of Shah et al., US 2011/0087872, (“Shah”).
Deirling and Shah were cited as prior art in the previous office action. As such, their relevant teachings are hereby incorporated by reference to the extent applicable to the newly amended claims.
Regarding claims 2-7, 
Deirling and Shah teach these claims according to the reasoning set forth in the previous office action.
Regarding Claim 16,
 Deirling teaches a boot-up method of an embedded system, comprising: 
executing, by a Read-Only Memory (ROM), (Fig. 2, element 282 “bootloader”; 
See also [0021] “updates of memory device 280 can be limited by a state machine 270. State machine 270 may prevent controller 210 from altering the contents of non-volatile memory 280. In this way, for example, state machine 270 may protect the non-volatile memory 280 so that updates may only be performed under particular conditions.” Emphasis added.;
See also [0023] “example, after field upgradeable unit 110 is reset, controller 210 may execute firmware stored in ROM 226 that updates the memory device's contents. The firmware may disable changes to memory device 280 before relinquishing controller 210 to execute the software.” Emphasis added.;
See also [0032] “Secure non-volatile memory device 280 may operate as a ‘read-only’ memory except in certain circumstances, such as when field upgradeable unit 110 is placed in an "update mode" and/or state machine 270 is in the ‘update state.’” Emphasis added.)
See also [0046];
i.e. memory device may be configured to have writes/updates disabled – read only memory (ROM) giving the claim the BRI – after the bootloader has been updated.)
a boot ROM loader; loading, by the boot ROM loader, a first boot code from a memory, .([0027] “bootloader 282 may load a secondary stage bootloader from memory device 280 if the secondary stage bootloader is properly signed.”; 
See also [0023] “bootloader 282 in non-volatile memory 280 … to be executed by the controller 210 whenever the controller 210 is in an initialization state, such as when the controller 210 is first powered up or is rebooted or otherwise reset.” )
and a boot ROM area with restricted access; [0023] “example, after field upgradeable unit 110 is reset, controller 210 may execute firmware stored in ROM 226 that updates the memory device's contents. The firmware may disable changes to memory device 280 before relinquishing controller 210 to execute the software.”
executing, by the ROM, a boot loader by verifying integrity of the boot loader; ([0042] – [0044] “If the calculated value for hash 3 matches each of the hash values generated from the signatures, the update object 320 is verified … If there is no failure, update module 284 sends a command to swap between active portion 305 and inactive portion 310 ….”; See also Fig. 3, indicating a swap between the inactive/active portions after the copy and verification of the update object.)

Deirling does not teach teach from a memory which includes a user data area that is freely accessible Emphasis added.

Rudelic teaches a memory which includes a user data area that is freely accessible Emphasis added. ([0020] “memory controllers 116 and 118 partition memory into secure partitions and non-secure partitions. For example, on chip memory controller 118 may partition on-chip memory 120 into secure memory partition 122 and non-secure memory partition 124, where the partitions are shown separated at boundary 126.” Emphasis added.)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of  Rudelic with the teaching of  Deirling as both references are directed to conducting secure transactions within a computing system. Moreover, Rudelic improves on Deirling’s teaching of providing for separate secure and non-secure memories (Deirling Fig. 3, elements 280 and element 315.) by teaching a technique which allows for a single memory to be configured to provide for secure and non-secure partitions (Rudelic [0020]), allowing a single memory to be used where two might have been used before, thus improving cost and efficiency in the system.
Deirling in view of Rudelic does not teach verifying, by the boot loader, integrity of a kernel; and
 verifying, by the kernel, integrity of a file system.
Note, however, that Deirling goes on to teach verifying bootloader intergrity as well as integrity of secondary bootloaders. (Deirling [0027]).
Naguib teaches verifying, by the boot loader, integrity of a kernel; (Shah [0060] “in a verified boot process implemented using the firmware 200, the kernel information signature 520 may be verified ….” See also [0072] – [0073] “verifying an encrypted signature corresponding with a first portion of an operating-system kernel. … verifying an encrypted signature corresponding with a second portion of the operating-system kernel ….” Emphasis added.; See also Fig. 6) and verifying, by the kernel, integrity of a file system. ([0077] “once control of a computing system is passed to a kernel, the kernel may include instructions that are used to verify a file system, data, objects, applications and/or other elements of the computing system using similar techniques to those described herein.” Emphasis added.) 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of  Shah with the teaching of Deirling as both references are directed to securely updating computing systems. Moreover, Shah improves on Deirling’s teaching of verifying updated bootloader integrity (Deirling [0042] – [0044]) by teaching a technique which further verifies the integrity of  updated operating system files (Shah [0030], [0072] – [0077]) thus improving security in the system. 
Regarding claims 17-20, 
Deirling teaches these claims according to the reasoning set forth in the previous office action.

Claim(s) 13-15
 is/are rejected under 35 U.S.C. 103 as being unpatentable over Deierling et al., US WO2011019390A1, (“Deierling”) in view of Rudelic et al., US 2006/0149918 Al, (“Rudelic”) in further view of Kotary et al., US 20170147356 , (“Kotary”).
Deirling and Kotary were cited as prior art in the previous office action. As such, their relevant teachings are hereby incorporated by reference to the extent applicable to the newly amended claims.
Regarding claims 13-15, 
Deirling and Kotary teach these claims according to the reasoning set forth in the previous office action.
Response to Arguments
Applicant's arguments filed 6/15/2022 (“Remarks”) have been fully considered but they are persuasive in part and not persuasive in part. Examiner will address the arguments in turn below.
Applicant first argues that “DEIERLING does not teach a “boot ROM area” In DEIERLING, the only ROM is the ROM 226 in the controller. Paragraph [0033] of DEIERLING also describes that the entirety of the non-volatile memory device 280 ‘may function as a read-only device’ (emphasis added), but this is not the same as being read-only memory (ROM) … the active portion 305 and the inactive portion 310 of DEIERLING do not disclose a boot ROM area at all, and are not particularly dedicated to booting at all.” Remarks at pp. 9-10. 
In support of this argument, Applicant contrasts to Figs. 5 and 9 of the Instant Application with Deierling Figs. 2 and 3, as they pertain to claim1. Applicant further cites to the relevant portions of Deierling. Remarks at pp 9-8.
Examiner respectfully disagrees. As discussed in the previous action and above, Deirling reserves a portion of its memory to store the old and new bootloaders. (Fig. 3, element 280).  Once an updated bootloader has passed authentication/verification, the non-volatile memory containing the bootloaders is switched into a read-only mode. ([0036] and [0046]).  In this way the region in which the bootloaders is located functions as a read only memory (ROM), and thus is a “boot ROM area.”
Applicant next argues that “The non-secure memory 315 and the secure-memory device 280 in DEIERLING are separate, and do not disclose or correspond to a user area and a boot ROM area within one memory as in claim 1. As described in the instant application, the user area and boot ROM area are provided within one memory 155.” Remarks at p. 10.
Examiner respectfully agrees, and has provided new grounds of rejection above over Deirling in view of Rudelic. 
Next Applicant argues that “DEIERLING does not disclose “writing a second boot code to the second area” The second boot code (300) is written to the second area (157b) in claim 1. the cited teaching of DEIERLING actually specifies writing a predetermined value such as an update command to a predefined location 317 in the memory 315, and not anything related to writing in the inactive portion 310 let alone writing a second boot code in the inactive portion 310. Therefore, this assertion in the Office Action contradicts the assertion that the “inactive portion 310” teaches the second area of the boot ROM area.” Remarks at p. 11. 
As discussed above, Deirling teaches that the update object (which may be a bootloader) is first staged in a non-secure area of a memory, then authenticated/validated, and then copied into the inactive portion of the secure area. ([0044], [0031], [0053] See also Fig. 3, element 320 as it relates to element 310 and the accompanying arrows indicating that element 320 is stored at element 315, then copied into element 310.).  
Fourthly Applicant argues that “Additionally, the update object 320 is copied by the update module 284 from the memory 315 into the inactive portion 310 of the secure memory device 280 in DEIERLING. (See DEIERLING, paragraph [0044].) However, the update object 320 is not particularly any boot code as defined in claim 1.” Remarks at p. 11.
Here, too, Examiner respectfully disagrees. Throughout Deirling, the updating and execution of a bootloader is discussed. See, e.g. “A bootloader 282 in non-volatile memory 280 includes instructions that are to be executed by the controller 210 whenever the controller 210 is in an initialization state, such as when the controller 210 is first powered up or is rebooted or otherwise reset.” Deirling [0023], Emphasis added.
Further, Deirling teaches that “Update object 320 may include update information that is formatted into a number of sections, including: update information (e.g., program instructions for a bootloader) ….” Deirling [0031], Emphasis added.
Fifth, Applicant argues that “[Deirling [0035]] actually specifies writing a predetermined value such as an update command to a predefined location 317 in the memory 315, and not anything related to writing in the inactive portion 310 let alone writing a second boot code in the inactive portion 310. Therefore, this assertion in the Office Action contradicts the assertion that the “inactive portion 310” teaches the second area of the boot ROM area.” Remarks at p. 11.
Examiner respectfully disagrees. As discussed above, Deirling teaches that a command may trigger an update process ([0024] and [0035]). Subsequently, the update object is copied into non-secure memory, verified, and then copied into the inactive portion – second area giving the claim the BRI – of the secure memory. (See Fig. 3, element 320 as it relates to element 310 and the accompanying arrows indicating that element 320 is stored at element 315, then copied into element 310. See also [0031], [0044], and [0053]).
Continuing, Applicant argues that “the update object 320 is copied by the update module 284 from the memory 315 into the inactive portion 310 of the secure memory device 280 in DEIERLING. (See DEIERLING, paragraph [0044].) However, the update object 320 is not particularly any boot code as defined in claim 1. Moreover, as noted above, the inactive portion 310 of the secure memory device 280 is not a portion of any boot ROM area.” Remarks at p. 11.
Examiner respectfully disagrees. As discussed above, the update object Deirling teaches “A bootloader 282 in non-volatile memory 280 includes instructions that are to be executed by the controller 210 whenever the controller 210 is in an initialization state, such as when the controller 210 is first powered up or is rebooted or otherwise reset.” Deirling [0023], Emphasis added. 
Deirling teaches further that “Update object 320 may include update information that is formatted into a number of sections, including: update information (e.g., program instructions for a bootloader) ….” Deirling [0031], Emphasis added.
Seventh, Applicant argues that “The update object 320 is first written to the non-secure memory 315 in DEIERLING. However, the memory (155) in claim 1 is a non-volatile memory, whereas the non-secure memory 315 in DEIERLING is a volatile memory. The non-secure memory 315 in DEIERLING cannot correspond to the memory (155) in claim 1.” Remarks at p. 11.
Examiner respectfully disagrees. In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., volatile versus non-volatile memory) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Examiner turns now to Applicant’s eight argument: “the update object 320 is then copied to the inactive portion 310 of the secure memory device 280 and then the active portion 305 and the inactive portion 310 are swapped in DEIERLING, but without an intervening verification. However, in the configuration in claim 1, the second boot code is written to the memory 155, then verified before the swapping. The order of actions is different.” Remarks at p. 11.
Examiner respectfully disagrees. As discussed above, Deirling teaches that  “If all verifications pass, update module 284 copies Key 2, Key 3, and the update information (which, as discussed above, may be a new bootloader) into the inactive portion 310 of secure memory device 280. Another verification may be performed to make sure that all data was copied correctly. If there is no failure, update module 284 sends a command to swap between active portion 305 and inactive portion 310 ….” [0044] Emphasis added.; 
Ninth, Applicant argues that
DEIERLING does not disclose that a second boot code includes ‘a second boot ROM image and a second signature for the second boot ROM image’
DEIERLING does not describe any boot ROM image anywhere therein, and does not use the word “image” in the context of this word in claim 1 … DEIERLING emphasizes that the update object described therein is not limited to updates for the bootloader 282 … the active portion 305 and the inactive portion 310 of DEIERLING are not portions of a boot ROM area. Moreover, the update object is not properly characterized as a boot code, and the update object does not contain at least any boot ROM image.
Remarks at pp. 11-12.
Examiner respectfully disagrees. As discussed above, Deirling teaches that the update object, which is copied into the inactive area for later verification and then use – may indeed be a bootloader. see e.g. “A bootloader 282 in non-volatile memory 280 includes instructions that are to be executed by the controller 210 whenever the controller 210 is in an initialization state, such as when the controller 210 is first powered up or is rebooted or otherwise reset.” Deirling [0023], Emphasis added.
See also “Update object 320 may include update information that is formatted into a number of sections, including: update information (e.g., program instructions for a bootloader) ….” Deirling [0031]. Emphasis added.
Finally, Applicant’s argues that the combination of Deirling and Naguib does not teach the subject matter of claim 16. Remarks at p. 13. In so doing, Applicant again alleges that Deierling “110. Update object 320 may include update information that is formatted into a number of sections, including: update information (e.g., program instructions for a bootloader … DEIERLING would not be properly modified to include a boot ROM loader, or using the boot ROM loader to load a first boot code from a memory, let alone the features acknowledged to be absent from DEIERLING.” Id.
Examiner respectfully disagrees and has addressed these arguments in the rejection and in the response to arguments above. 
To the extent that the argument applies to Naguib it is moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRIAN J CORCORAN whose telephone number is (571)270-0549. The examiner can normally be reached M-F 07:30 - 16:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jaweed Abbaszadeh can be reached on 571-270-1640. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Brian J Corcoran/Examiner, Art Unit 2187                                                                                                                                                                                                        
/JAWEED A ABBASZADEH/Supervisory Patent Examiner, Art Unit 2187