DETAILED ACTION

Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

The present office action is responsive to communications received on 5/23/2022. Claims 1-20 are pending.

Response to Arguments
The arguments/remarks filed by the applicant on 5/23/2022 have been fully considered and are responded to in the following.

Applicant's amendments to the claims have overcome the Claim Objections and Claim Rejections - 35 USC § 101 previously set forth in the Non-Final Office Action mailed 1/21/2022. All previous objections and 35 USC § 101 rejections have been withdrawn. However, a new ground of objection – as necessitated by amendment – is made in this Office action.

Applicant’s arguments, ‘Applicant respectfully submits that the prior art as cited does not disclose at least "provide the key to the application TEE instance, wherein the key is used to secure the application TEE instance," as recited in amended independent claim 1 and similarly recited in amended independent claims 12 and 20’, see p. 6, ¶5, filed 5/23/2022, with respect to the amended claims overcoming the cited prior art references of the rejection of claims 1, 12, and 20 under 35 USC § 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn; however, upon further search and consideration, a new ground of rejection – as necessitated by amendment – is made in view of the previously cited prior art Moore. Please refer to the "Claim Rejections - 35 USC § 103" section below for detailed analysis. The Examiner suggests including specifics on how the key is used to secure the application TEE instance, to distinguish over the prior art and expedite prosecution.

Claim Objections
Claim 1 is objected to because of the following informalities: 
Claim 1 recites “A system comprising: at least one processor; at least one memory storing instructions which, when executed by the processor, cause the at least one processor to implement:”. Here “the processor” needs to be changed to “the at least one processor” to avoid a possible antecedent basis issue.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 6-8, 10-14, 17-18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1).

Regarding claim 1, Moore in one example ([0006] a second example approach) teaches a system comprising:
at least one processor; ([0046] one or more of a processor)
at least one memory storing instructions which, when executed by the processor, cause the at least one processor to implement: ([0046] memory)
an application trusted execution environment (“TEE”) instance; and ([0006] first TEE)
an escrow TEE instance that is hosted alongside the application TEE instance and outside control of a TEE instance owner; and ([0006] second TEE, which is hosted by a distributed computing system that hosts the first TEE.) As shown in FIG. 2, Trusted Execution Environment (TEE) 206 is outside the control of a TEE instance owner (client device 202).
a server configured to: (FIG. 2: platform 204/operating system 208)
receive a request to start the application TEE instance, and ([0049] In activity 212, client device 202 generates a request for a TEE. For example, client device 202 may be owned or controlled by a customer of a cloud service. Client device 202 may generate the request based on instructions that are received from the customer. The instructions from the customer may indicate that the customer wishes to set up a web service, attestation service, database, machine learning system, etc. Client device 202 may generate the request for the TEE for purposes of setting up the web service, attestation service, database, machine learning system, etc.)
launch the escrow TEE instance, ([0050] In activity 214, operating system 208, which runs on platform 204, launches the TEE from a template. The template is executable code. For instance, the template may be a piece of executable code that has not been customized with regard to a client device or customer associated therewith. The template represents a known starting point for customizing the TEE.) wherein the escrow TEE instance is validated by the TEE instance owner, ([0065, 0057] Any one or more of activities 216, 218, 220, 222, 224, and/or 226 may be used to establish a chain of trust from TEE 206 to platform 204. In activity 226, TEE 206 forwards the signed, updated report to client device 202.) Here the validation of escrow TEE instance (TEE 206) by the TEE instance owner (client device 202) is achieved through signed/updated report establishing chain of trust.
wherein the escrow TEE instance is configured to:
obtain a key for the application TEE instance, ([0065] Any one or more of activities 228, 230, 232, 234, and/or 236 may be used to provision TEE 206 with information for purposes of customizing TEE 206 with the information. For example, any of activities 228, 230, and/or 232 may be used to provision TEE 206 with rules. In another example, any of activities 234 and/or 236 may be used to provision TEE 206 with secret information.) Here Moore discloses secret information being keys (¶61).
wherein the key is used to secure the application TEE instance. ([0032] example techniques may increase security of TEE(s) in the distributed computing system and information with which the TEE(s) are provisioned. The example techniques may be capable of provisioning a TEE with any suitable information (e.g., a customer's policies, keys, data, and/or code) in an untrusted environment based on trust in a platform on which an operating system that launches the TEE runs.)

Moore in one example teaches to obtain a key for the application TEE instance, but does not explicitly teach to validate the application TEE instance, and provide the key to the application TEE instance. This aspect of the claim is identified as a difference.
However, Moore in another example ([0007] a third example approach) explicitly teaches
validate the application TEE instance, and provide the key to the application TEE instance. ([0007] a first trusted execution environment obtains a secret key from a second trusted execution environment (e.g., in response to measurements of the first trusted execution environment that are provided to the second trusted execution environment by the first trusted execution environment being verified by the second trusted execution environment).) Here Moore in another example discloses the first trusted execution environment (analogous to claim limitation “application TEE instance”) being validated through measurements of the first trusted execution environment, and recites details “First TEE 1016A may also provide the measurement information 1066 to second TEE 1016B via message passing facility 1044. In further accordance with this implementation, first TEE 1016A receives a responder quote 1056 from second TEE 1016B in response to the originator quote 1054. For instance, first TEE 1016A may receive the responder quote 1056 in response to second TEE 1016B verifying the measurement information 1066. The responder quote 1056 includes the secret key 1064” in ¶134.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “second example approach” of Moore in one example, and the “third example approach” of Moore in another example. One of ordinary skill in the art would have been motivated to perform such a modification to increase security of a distributed computing system by verifying TEE measurement information before providing the secret key. Accordingly, a TEE may provide end-to-end security by enforcing protected execution of authenticated code, confidentiality, authenticity, privacy, system integrity, and data access rights (Moore [0134, 0030]).
Further, in [0301] of the “CONCLUSION” section, Moore explicitly teaches that “Although the subject matter has been described in language specific to structural features and/or acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as examples of implementing the claims, and other equivalent features and acts are intended to be within the scope of the claims.” In addition, Moore recites repeatedly in the “FURTHER DISCUSSION OF SOME EXAMPLE EMBODIMENTS” section that aspects of the example system may be implemented in combination with various other aspects of the example system, though the example embodiments are not limited in this respect. Therefore, one of ordinary skill in the art would have realized the advantage of combining the second example approach and the third example approach.

Regarding claim 2, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to retrieve the key from the TEE instance owner. ([Moore in one example, 0061] In activity 234, TEE 206 provides a public portion of a secret import key (i.e., SIKpub) to client device 202, so that client device 202 may use the SIKpub to encrypt secret information (e.g., keys, data, and/or code) that is to be sent to TEE 206. The SIKpub corresponds to a private portion of the secret import key (i.e., SIKpri) that is usable by TEE 206 to decrypt the secret information. The secret information is capable of being decrypted only by TEE 206 because TEE 206 is the only entity in possession of the SIKpri.) Here TEE 206 (analogous to claim limitation “escrow TEE instance”) initiates retrieving the key from client device 202 (analogous to claim limitation “TEE instance owner”) by “providing SIKpub” (activity 234) to client device 202 first.

Regarding claim 3, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to receive the key from the TEE instance owner. ([Moore in one example, 0062] In activity 236, client device 202 provides the secret information, which is encrypted with the SIKpub, to TEE 206.) Here TEE 206 (analogous to claim limitation “escrow TEE instance”) receives the secret information/key from client device 202 (analogous to claim limitation “TEE instance owner”).

Regarding claim 6, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the escrow TEE instance is configured to take a measurement of the application TEE instance prior to validating the application TEE instance. ([Moore in another example, 0007] a first trusted execution environment obtains a secret key from a second trusted execution environment (e.g., in response to measurements of the first trusted execution environment that are provided to the second trusted execution environment by the first trusted execution environment being verified by the second trusted execution environment).) Here Moore in another example discloses the first trusted execution environment (analogous to claim limitation “application TEE instance”) being validated through measurements of the first trusted execution environment by second trusted execution environment (analogous to claim limitation “escrow TEE instance”).

Regarding claim 7, Moore in one example in view of another example teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the measurement identifies characteristics of the application TEE instance including at least one of a type of the TEE instance, version of the TEE instance, and description of software components loaded into the TEE instance. ([Moore in one example, 0054] In activity 220, platform 204 provides the report to TEE 206. The report includes measurements of TEE 206. The measurements include the identification information. For instance, the measurements may indicate unforgeable attributes of TEE 206 (e.g., an author, publisher, security version number, code type, and/or compilation date of TEE 206 and/or a key used to sign the measurements of TEE 206).) Here Moore in another example discloses measurements of the first trusted execution environment (analogous to claim limitation “application TEE instance”). Moore in one example discloses these measurements identifying attributes/characteristics of TEE, such as version and code type. Therefore the combination discloses the entire limitation.

Regarding claim 8, Moore in one example in view of another example teaches all the features with respect to claim 6, as outlined above. The combination further teaches wherein the measurement further includes an integrity code to validate the measurement. ([Moore in one example, 0054-0055] It will be recognized that asymmetric and/or symmetric authentication techniques may be used to authenticate the measurements. For example, platform 204 may sign the measurements with a platform signing key (PSK) before providing the measurements to TEE 206. In another example, one or more symmetric key-based message authentication codes (MACs) may be used as proof-of-authenticity of a report. In activity 222, TEE 206 adds self-reported measurements to the report, resulting in an updated report. The self-reported measurements are measurements that TEE 206 gathers or generates about itself. For instance, the self-reported measurements may be a hash (e.g., having a fixed length value) of a structure that includes any of a variety of keys, policies, or other suitable information. In activity 222, TEE 206 may further request that platform 204 sign the updated report.) 
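The exchange examined above for claim 1 and claims 6-8 (the application TEE's measurement report, an integrity code over it, verification of the report by the escrow TEE, and release of the key only after that verification succeeds) is modelled in the following added Python example. It is not code from Moore, from the applicant, or from this Office action. The class and function names, the use of a symmetric HMAC key as a stand-in for the platform's signing key or MAC key, and the sample measurement values and escrowed key are all constructed assumptions of the example.

```python
"""Escrow-TEE key release gated on a verified measurement report.

Added example with hypothetical names and constructed sample values; it is
not code from Moore, the applicant, or this Office action.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Stand-in for the key the platform uses to authenticate a report (Moore's
# platform signing key or symmetric MAC key). Constructed for the example.
REPORT_MAC_KEY = b"constructed-report-mac-key-not-a-real-secret"

# Secret the escrow TEE holds for the application TEE. Constructed value.
ESCROWED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class Measurement:
    """Characteristics of the application TEE (type, version, loaded software)."""
    tee_type: str                              # e.g. "enclave" or "vm"
    version: str                               # security version number
    components: Tuple[Tuple[str, str], ...]    # (name, sha256 hex) per component


def measurement_digest(m: Measurement) -> bytes:
    """Canonical SHA-256 over the measurement fields in a fixed order."""
    h = hashlib.sha256()
    h.update(m.tee_type.encode() + b"\x00")
    h.update(m.version.encode() + b"\x00")
    for name, digest_hex in m.components:      # component order is measured too
        h.update(name.encode() + b"=" + digest_hex.encode() + b"\x00")
    return h.digest()


def make_report(m: Measurement, mac_key: bytes) -> dict:
    """Report = measurement fields + digest + integrity code (HMAC over the digest)."""
    digest = measurement_digest(m)
    return {
        "measurement": m,
        "digest": digest,
        "mac": hmac.new(mac_key, digest, hashlib.sha256).digest(),
    }


class EscrowTEE:
    """Holds the key and releases it only for a report whose integrity code
    verifies and whose measurement is on the allow list."""

    def __init__(self, mac_key: bytes, allowed_digests: Iterable[bytes], escrowed_key: bytes):
        self._mac_key = mac_key
        self._allowed = set(allowed_digests)
        self._key = escrowed_key

    def validate(self, report: dict) -> bool:
        digest = report["digest"]
        # 1. Integrity code: reject reports not authenticated with the platform key.
        expected_mac = hmac.new(self._mac_key, digest, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_mac, report["mac"]):
            return False
        # 2. The digest must correspond to the measurement fields actually sent.
        if not hmac.compare_digest(measurement_digest(report["measurement"]), digest):
            return False
        # 3. Policy: only known-good measurements receive the key.
        return digest in self._allowed

    def provision(self, report: dict) -> Optional[bytes]:
        """Return the escrowed key on a validated report, otherwise None."""
        return self._key if self.validate(report) else None


def run_demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Returns the key released for (a known-good report, an older unlisted
    version, a report authenticated with the wrong MAC key)."""
    good = Measurement("enclave", "3", (("app", "a" * 64), ("runtime", "b" * 64)))
    escrow = EscrowTEE(REPORT_MAC_KEY, [measurement_digest(good)], ESCROWED_KEY)

    released = escrow.provision(make_report(good, REPORT_MAC_KEY))

    # Correctly authenticated, but the version is not on the allow list.
    older = Measurement("enclave", "2", good.components)
    unlisted = escrow.provision(make_report(older, REPORT_MAC_KEY))

    # Same measurement, but the integrity code was computed with a key the
    # platform never issued, so it fails the integrity check.
    wrong_mac = escrow.provision(make_report(good, b"constructed-wrong-mac-key"))
    return released, unlisted, wrong_mac


if __name__ == "__main__":
    print(run_demo())
```

The three checks in `validate` correspond to the three elements the combination relies on: the integrity code over the measurement (claim 8), the measurement itself identifying the TEE's characteristics (claim 7), and the escrow TEE's validation gating the key release (claims 1 and 6). Using `hmac.compare_digest` for both comparisons avoids leaking timing information about how many bytes of a forged code were correct.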

Regarding claim 10, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the application TEE instance is a virtual machine and the escrow TEE instance is an enclave. ([Moore in one example, 0051] In an example embodiment, the TEE is an enclave, and the platform is a central processing unit (CPU). In another embodiment, a blind hypervisor is used, in which case the virtual machine is the TEE.) It would have been obvious to one of ordinary skill in the art that first TEE/second TEE (¶6, analogous to claim limitation “application TEE instance/escrow TEE instance”) can be virtual machine/enclave.

Regarding claim 11, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. The combination further teaches wherein the application TEE instance is an enclave and the escrow TEE instance is a virtual machine. ([Moore in one example, 0051] In an example embodiment, the TEE is an enclave, and the platform is a central processing unit (CPU). In another embodiment, a blind hypervisor is used, in which case the virtual machine is the TEE.) It would have been obvious to one of ordinary skill in the art that first TEE/second TEE (¶6, analogous to claim limitation “application TEE instance/escrow TEE instance”) can be enclave/virtual machine.

Regarding claims 12-14, 17-18 and 20, the scope of the claims is similar to that of claims 1-3 and 6-7, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 4-5 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1) in view of Ko (US 20080307020 A1).

Regarding claim 4, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein the key is provided on a disk image of the escrow TEE instance. This aspect of the claim is identified as a difference.
However, Ko in an analogous art explicitly teaches 
wherein the key is provided on a disk image of the escrow TEE instance. ([0010] The system includes a first device including an encrypted disk image, the encrypted disk image including data encrypted using a first encryption key, and a header including the first encryption key, the first encryption key being encrypted using one or more second encryption keys, each protected with a password. [0056-0058] FIG. 3B shows detail of the structure of the encrypted disk images 310. The encrypted disk images 310 include an example source encrypted disk image 306. The source encrypted disk image 306 includes data 312 that is encrypted using a particular encryption key. The source encrypted disk image 306 also includes one or more key encryptions 316 of the key used to encrypt the encrypted data 312. The key encryptions 316 can be stored, for example, in a header associated with the encrypted data 312. For example, the key encryptions 316 can include an encryption of the key that is associated with a system password and another encryption of the key that is associated with a user password.)
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted execution environment” concept of Moore, and the “encrypted disk image with a first key” approach of Ko. One of ordinary skill in the art would have been motivated to perform such a modification for an efficient mechanism to provide the key by embedding the key in the disk image, while still maintaining security by encrypting the disk image and password-protecting the key itself (Ko [0010]).

Regarding claim 5, Moore in view of Ko teaches all the features with respect to claim 4, as outlined above. The combination further teaches wherein the disk image is encrypted with the key. ([Ko 0005, 0010] The encrypted disk image being encrypted with a first key. The system includes a first device including an encrypted disk image, the encrypted disk image including data encrypted using a first encryption key, and a header including the first encryption key, the first encryption key being encrypted using one or more second encryption keys, each protected with a password.)

Regarding claims 15-16, the scope of the claims is similar to that of claims 4-5, respectively. Accordingly, the claims are rejected using a similar rationale.

Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Moore (US 20190140846 A1) in view of Wei (US 20200167503 A1).

Regarding claim 9, Moore in one example in view of another example teaches all the features with respect to claim 1, as outlined above. But the combination does not teach wherein at least one of the application TEE instance and the escrow TEE instance is an encrypted virtual machine. This aspect of the claim is identified as a difference.
However, Wei in an analogous art explicitly teaches 
wherein at least one of the application TEE instance and the escrow TEE instance is an encrypted virtual machine. ([0123] taking the trusted execution environment being Intel SGX as an example, SGX provides an enclave, that is, an encrypted trusted execution area in the memory, in which data is protected by the CPU from theft. Taking the node device using a CPU that supports SGX as an example, the CPU can use the newly added processor instructions to allocate a part of the area EPC (Enclave Page Cache) in the memory, in which the data is encrypted by an encryption engine MEE (Memory Encryption Engine).) Here reference Moore in one example (¶51) discloses that the TEE is an enclave or virtual machine. Reference Wei discloses trusted execution area being encrypted. Therefore the combination discloses the entire limitation.
It would have been prima facie obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the “trusted execution environment” concept of Moore, and the “TEE technology” approach of Wei. One of ordinary skill in the art would have been motivated to perform such a modification to improve security. TEE technologies such as Intel's Software Protection Extension (SGX) provide isolated code execution, remote attestation, secure configuration, secure storage of data, and trusted paths for code execution. Applications running in a TEE are secured and are almost impossible for third parties to access (Wei [0122]).

Regarding claim 19, the scope of the claim is similar to that of claim 9. Accordingly, the claim is rejected using a similar rationale.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a).   Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAN YANG whose telephone number is (408)918-7638.  The examiner can normally be reached on Monday to Friday, 9:00-5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/H.Y./Examiner, Art Unit 2493

/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493