DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 
Response to Amendment
This office action is in response to the amendment filed on 05/02/2022. 
Claims 1, 6, 8-14, 17 and 19 are amended.
Claims 1-20 are pending in the application.
The 112(b) rejections against claims 13-14 are withdrawn because the claims have been amended which overcome the rejections (please see response to applicant’s arguments section below).
Response to Applicant’s Arguments
Applicant’s Remarks filed on 05/02/2022.
35 USC § 112	In the office action dated 12/30/2021, claims 13-14 were rejected under 35 U.S.C. 112(b), limitation “a memory page” of claim 13 was rejected.  The amended claim which overcomes the rejection.	The claim 13 was also rejected for limitation “a host page”.  However, upon further consideration, the limitation “a host page for a trust domain virtual machine control structure (TDVMCS)” is different than “a host page for a TD extended page table (EPT)”.  As a result, the Examiner withdrawn the rejection regarding this limitation.		The limitation “the state of the host page” of claim 14 was rejected for indefiniteness.  The limitation is amended, which overcome the rejection. As a result, the Examiner withdrawn the rejection regarding this limitation.
35 USC § 103	In the office action dated 12/30/2021, claims 1-5, 9-11 and 15-16 were rejected under 35 U.S.C. 103 as being unpatentable over Intel (NPL U: “Intel® Architecture Memory Encryption Technologies Specification”, dated December 1, 2017, hereinafter Intel) in view of Moriguchi et al. (US 20130208892 A1, hereinafter Moriguchi) and further in view of Victor Costan and Srinivas Devadas (NPL V: “SGX_2016-086, Intel SGX Explained”, dated Feb 7, 2016, page 1-118, downloaded on 12/09/2021 from the Internet URL: http://web.archive.org/web/20160301000000*/https://eprint.iacr.org/2016/086.pdf, hereinafter Costan); claims 6-8 were rejected under 35 U.S.C. 103 as being unpatentable over Intel in view of Moriguchi, Costan and further in view of Diestelhorst et al. (US 10445238 B1, hereinafter Diestelhorst); claims 12-14 were rejected under 35 U.S.C. 103 as being unpatentable over Intel in view of Moriguchi and Costan and further in view of Bennett et al. (US 8645665 B1, hereinafter Bennett); claims 17-20 were rejected under 35 U.S.C. 103 as being unpatentable over Costan in view of Intel and further in view of Diestelhorst et al. (US 10445238 B1, hereinafter Diestelhorst).	Starting near the middle of page 2 of the Remarks, the Applicant argues, “It is respectfully submitted that the cited art, alone or in combination (were such a combination to be made), as cited, fails to teach (or even suggest) the claimed combination of features such as set forth in claim 17, including for example, at least marking in a key ownership table (KOT), by the processing device executing the TDRM, a state of a host key ID (HKID) assigned to a one-time cryptographic key associated with the TD as available for assignment to other one-time cryptographic keys.”	The Applicant’s argument is fully considered.  Necessitated by the amendment, a new reference, BALTES; KEVIN M. et al. (US 20130111203 A1, hereinafter Baltes) is used in combination with Costan in view of Intel, to teach the dispute limitations.  Intel teaches in a key ownership table (KOT), by the processing device executing the TDRM, a host key ID (HKID) is assigned to a one-time cryptographic key associated with the TD in page 4 of Intel where a CPU generates an ephemeral key, and page 17 of Intel teaches a table with entries that have KeyId, encryption key and encryption mode.  Intel further teaches clear a key associated with the keyID in page 19, table 3, 3rd row.  Baltes teaches a key table with indicator of state of a key entry that is addressed by key index (see Baltes ¶30-¶31 and ¶33), where empty key slots are default to be invalid which is available (open) for key replacement (Baltes ¶30).  Baltes further discloses that the key table can be open up, which is making available for key assignment.  When combined with Intel’s teaching of clearing an entry, the combination teaches that by clearing an entry indicated by keyId taught by Intel, and set the flag back to available (when the entry is empty due to the clearance) taught by, the entry with the keyId would be marked with a flag to be available state.  In conclusion, the Applicant’s argument is moot with the new combination of teaching of Costan, Intel and Baltes, and the new combination teaches all the disputed limitations.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-11 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Intel (NPL U: “Intel® Architecture Memory Encryption Technologies Specification”, dated December 1, 2017, hereinafter Intel) in view of BALTES; KEVIN M. et al. (US 20130111203 A1, hereinafter Baltes) and further in view of Victor Costan and Srinivas Devadas (NPL V: “SGX_2016-086, Intel SGX Explained”, dated Feb 7, 2016, page 1-118, downloaded on 12/09/2021 from the Internet URL: http://web.archive.org/web/20160301000000*/https://eprint.iacr.org/2016/086.pdf, hereinafter Costan.
	Regarding claim 1, Intel teaches a processing device comprising:
a multi-key total memory encryption (MK-TME) circuit (page 4, para. 4, Multi-Key Total Memory Encryption (MKTME); page 6,

    PNG
    media_image1.png
    541
    417
    media_image1.png
    Greyscale
);
		an on-chip memory to store a key ownership table (KOT) (page 17, 

    PNG
    media_image2.png
    483
    834
    media_image2.png
    Greyscale
, The MKTME engine maintains an internal key table not accessible by software to store the information (key and encryption mode) associated with each KeyID; [Examiner remark: MKTME is an integrated circuit, an internal key table to MKTME corresponds to a hardware memory that is in MKTME, which is an equivalent to an on-chip memory store]); and
		a processing core to execute a trust domain resource manager (TDRM) (Intel page 6, VMM,

    PNG
    media_image3.png
    995
    590
    media_image3.png
    Greyscale

; page 7, we show one hypervisor/VMM and two VMs.; page 8, CPUs that enumerate TME and/or, MKTME capabilities, supported in the processor for MKTME are enumerated, CPU/SoC, the CPU; page 28, software needs be aware of this and must take appropriate steps to maintain correctness of operations and security, virtualization scenarios, the TME and MKTME architecture is applicable to both native OS and virtualized environments, and for DRAM and NVRAM types of memory; System software is responsible for carefully managing the caches in regard for usage of key identifiers (KeyIDs) and maintaining cache coherency when the KeyID or a Key associated with a physical page is changed by the software; see also page 18 , section 6.2.1.1 and page 29 on AddPage), wherein the TDRM is to: 
			initialize a trust domain control structure (TDCS) associated with a trust domain (TD) (Intel page 6, VM1, VM2 have keyID entries; see also page 17 Fig. 1);
			initialize a trust domain protected memory (TDPM) associated with the TD (Intel page 29 section 7.4, Make the page available to a new VM with the new KeyID set in the EPT page-table entry; [Examiner note: the EPT page-table associating to the new VM corresponds to the TDPM. The EPT page-table corresponding to the new VM must be set up first before a KeyID can be made available to it.  As a result, Intel teaches the limitation of initialize the TDPM.  The VM corresponds to TD]);			generate a one-time cryptographic key (Intel page 18, section 6.2.1.1, MKTME KEY PROGRAM leaf of PCONFIG is used by software to manage the key associated with a KeyID; page 19, The KEYID CTRL field carries two sub-fields used by software to control the behavior of a KeyID, CPU generates and assigns an ephemeral key for | use with a KeylD. Each time the instruction is: executed, the CPU generates a new key using hardware random number generator); 			assign, using the MK-TME circuit, one-time cryptographic key (Intel on page 19 table 3, CPU generates and assigns an ephemeral key for use with a KeylD, [Examiner note: Intel does not explicitly disclose the identifying of the available HKID key, please see below for the discussion of this limitation]); 			store the HKID in the TDCS (Intel page 19 table 3, CPU generates and assigns an ephemeral key for use with a KeylD; page 6, 
    PNG
    media_image4.png
    185
    525
    media_image4.png
    Greyscale
, [Examiner note: the KeyId row corresponds to data in the TDCS]);
		Although Intel teaches the HKID that corresponds to an encryption key stored in an entry in the KOT and the assigning/storing of the encryption key using the MK-TME circuit, Intel does not explicitly disclose:		identify an available host key identifier (HKID) stored in the KOT, wherein the KOT further stores an indication of a state of the HKID;
		On the other hand, Baltes teaches:		identify an available [key slot]  (Baltes ¶9, defining a key table in the bootloader memory segment that includes a number of vacant memory slots that are available to store replacement public keys; Baltes ¶32, locates the first available memory slot in the key table at box 100 that is available to accept the replacement public key; Baltes ¶33, the algorithm sets a key index to the last memory slot in the key table), wherein the KOT further stores an indication of a state of the (Baltes ¶9, Each memory slot in the key table includes a validity flag indicating whether the memory slot is loaded with a valid public key; Baltes ¶30, those slots in the key table 126 that are empty are "flagged" invalid, by the default erased memory state; Baltes ¶30, If the flashing process for writing the new key has been completed and that memory slot in the key table 126 is indicated as being valid; see also ¶31; Baltes ¶32, determines whether the replacement public key has been written to the ECU memory at decision diamond 106, and if so, marks the new key as valid).		It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Baltes, which teaches a key table and identifying an available slot in the table for writing a security key, into the teaching of Intel who teaches the HKID and KOT and the assigning of an ephemeral key to the available HKID to result in the limitations: identify an available host key identifier (HKID) stored in the KOT, wherein the KOT further stores an indication of a state of the HKID; assign, using the MK-TME circuit, the available HKID to the one-time cryptographic key.
		One of ordinary skilled would be motivated to do so as incorporating Baltes’ teaching would help provide a key ID that Intel discloses as needed for assign a new encryption key for a new VM (see Intel page 17, fig. 1 and page 18, section 6.2.1.1). In addition, both of the references (Intel and Baltes) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, encryption key, and key table. This close relation between both of the references highly suggests an expectation of success when combined.	
		While Intel in view of Baltes teaches virtual machines in page 6 of Intel, which must have an associated processor for it to run; and in page 29 section 7.4 of Intel, AddPage, to make a page available to a new VM in the EPT page-table entry, Intel in view of Baltes does not explicitly disclose the remaining below limitations.
		On the other hand, Costan teaches:		associate a logical processor to the TD (page 62, The SGX implementation uses a Thread Control Structure (TCS) for each logical processor that executes an enclave’s code, TCS lay out the context switches (§2.6) performed by a logical processor; page 65, executing the code inside an enclave, a logical processor is said to be in enclave mode, an enclave’s host process uses the EENTER instruction, described in §5.4.1, to execute enclave code; page 66, EENTER takes the virtual address of a TCS as its input, and requires that the TCS is available, EENTER switches the logical processor to enclave mode);		add a memory page from an address space of the logical processor to the TDPM (Costan page 63, section 5.3, 1, ECREATE instruction, which turns a free EPC page into the SECS (§5.1.3) for the new enclave, ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software; [Examiner remark, see instant specification, ¶126- ¶132]);		transfer execution control to the logical processor to execute the TD (Costan page 65, EENTER performs a controlled jump into enclave code; page 66, EENTER switches the logical processor to enclave mode).		It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Costan, which teaches virtual machine security architecture, into the teaching of Intel in view of Baltes to result in the limitations of the claimed invention.
		One of ordinary skilled would be motivated to do so as incorporating Costan teaching would help provide the details that Intel refers to but not disclosing the details. In addition, both of the references (Intel and Costan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, data encryption and virtual machine. This close relation between both of the references highly suggests an expectation of success when combined.
	Regarding claim 2, Intel in view of Baltes and Costan teaches the processing device of claim 1 (see discussion above), wherein associating a logical processor to the TD comprises:		allocating a memory page of the TDPM to a TD state save area (SSA) frame (Costan page 60, section 5.2.1 The Enclave Linear Address Range (ELRANGE), which is used to map the code and the sensitive data stored in the enclave’s EPC pages; page 62, the area used to store an enclave thread’s execution context while a hardware exception is handled is called a State Save Area (SSA); page 63, Each SSA starts at the beginning of an EPC page, and uses up the number of EPC pages, SSAs are stored in regular EPC pages; [Examiner remark: ELRANGE corresponds to TDPM, SAA is stored in EPC page which is within the ELRANGE; ELRANGE corresponds to the TDPM, see page 60, §5.2.1]; page 62, 5.2.4 The Thread Control Structure (TCS), a Thread Control Structure (TCS) for each logical processor that executes an enclave’s code, Each TCS is stored in a dedicated EPC page, [Examiner remarks: see the diagram of TCS in page 62 to see how the SSA is linked to a TCS]; page 64, 5.3.2 Loading ECREATE marks the newly created SECS as uninitialized.
While an enclave’s SECS is in this state, the system software can use EADD instructions to load the initial code and data into the enclave. EADD is used to create
both TCS pages and regular pages), wherein the TD SSA frame is bound to the logical processor (Costan top right of page 62, SGX implementation uses a Thread Control Structure (TCS) for each logical processor that executes an
enclave’s code; bottom right of page 62, each TCS references a contiguous sequence
of SSAs); and
		copying a state of the logical processor to the memory page (Costan page 62, section 5.2.4, architectural fields in the TCS lay out the context switches (§ 2.6) performed by a logical processor when it transitions between executing non-enclave and enclave code; page 11, section §2.6, multiplex each logical processor by context switching, namely saving the values of the registers that make up a thread’s execution context, and replacing them with another thread’s previously saved context; page 62, §5.2.5, the area used to store an enclave thread’s execution context while a hardware exception is handled is called a State Save Area (SSA); page 66, EENTER takes the virtual address of a TCS as its input, at least one State Save Area (SSA, x 5.2.5) is available in the TCS, and sets the instruction pointer (RIP) to the value indicated by the entry point offset (OENTRY) field in the TCS that it receives; page 67, EENTER also writes some information to the current SSA, which is only used if an AEX occurs. As shown in Figure 66, EENTER stores the stack pointer register RSP and the stack frame base pointer register RBP into the U_RSP and U_RBP fields in the current SSA).

	Regarding claim 3, Intel in view of Baltes and Costan teaches the processing device of claim 2 (see discussion above), wherein the TDRM is further to:		allocate a memory page of the TDPM to a trust domain virtual processing space (TDVPS) (Costan page 62, §5.2.3, virtual memory inside ELRANGE (see page 60, §5.2.1) is mapped to EPC pages, top right page 62, the SGX implementation uses a Thread Control Structure (TCS) for each logical processor that executes an enclave’s code, each TCS is stored in a dedicated EPC page);		bind the memory page to the TDCS (Costan page 62, Each TCS is stored in a dedicated EPC page whose EPCM (see page 59 §5.1.2 Enclave page cache map, EPCM) entry type is PT_TCS); and
		bind the memory page allocated to the TD SSA frame to the memory page allocated to the TDVPS (Costan page 62 bottom right, each TCS references a contiguous sequence of SSAs; page 63,

    PNG
    media_image5.png
    683
    541
    media_image5.png
    Greyscale

, [Examiner remarks: TCS 1 is referenced in the EPCM entry PT_TCS.  Each of the plural of the SAAs are inside the TCS 1]).

	Regarding claim 4, Intel in view of Baltes and Costan teaches the processing device of claim 1 (see discussion above), wherein transferring execution control to the logical processor to execute the TD comprises:
		identifying a memory page of the TDPM that is bound to the logical processor (Costan page 63, section 5.3.1, ECREATE instruction, which turns a free EPC page into the SECS (§5.1.3) for the new enclave);
		initializing the memory page as a host page for a trust domain virtual machine control structure (TDVMCS) (Costan page 63, §5.3.1 Creation, ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software. This page specifies the values for all the SECS fields defined in the SDM, such as BASEADDR and SIZE);
		activating the TDVMCS as a working virtual machine control structure (VMCS) (Costan page 64, §5.3.2, the system software can use EADD instructions to load the initial code and data into the enclave. EADD is used to create
both TCS pages (§5.2.4) and regular pages); and
		initializing the TDVMCS (Costan page 64, §5.3.3, After loading the initial code and data pages into the enclave, the system software must use a Launch Enclave (LE) to obtain an EINIT Token Structure, the token is then provided to the EINIT instruction, which marks the enclave’s SECS as initialized).

	Regarding claim 5, Intel in view of Baltes and Costan teaches the processing device of claim 1, wherein adding a memory page from an address space of the logical processor to the TDPM comprises:
		encrypting, using the one-time cryptographic key, the memory page (Intel page 4, encrypt all the data on external memory buses of an SOC using NIST standard AES-XTS algorithm with 128-bit keys. The encryption key used for TME uses hardware random number generator implemented in Intel SOC, Multi-Key Total Memory Encryption (MKTME) builds on TME and adds support for multiple encryption keys. The SOC implementation will support a fixed number of encryption keys, and software can configure SOC to use a subset of available keys. Software manages the use of keys and can use each of the available key for encrypting any page of the memory; Intel page 5, all the memory data entering and/or leaving SOC on memory buses is encrypted using AES XTS);
		identifying a target page of the TDPM (Costan page 63, section 5.3, 1, ECREATE instruction, which turns a free EPC page into the SECS (§5.1.3) for the new enclave, ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software); and
		copying the memory page to the target page of the TDPM (Costan page 63, section 5.3, 1, ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software; [Examiner remark: this is consistence with the instant specification para. 126 - para. 132]).
	Regarding claim 6, Intel in view of Baltes and Costan teaches the processing device of claim 1, wherein the TDRM is further to:
		stop the TD executing on the logical processor (Costan page 27, 2.11.5, address translation results are cached in the translation look-aside buffer (TLB); page 70, First, when a logical processor exits an enclave, either via EEXIT (§5.4.2) or via an AEX (§5.4.3), its TLBs are flushed. Second, when an EPC (Enclave Page Cache) page is deallocated from an enclave, all logical processors executing that enclave’s code must be directed to exit the enclave. This is sufficient to guarantee the removal of any TLB entry targeting the deallocated EPC);
		flush a cache entry of a cache associated with the logical processor, wherein the cache entry stores contents of a memory page of the TDPM (Costan page 27, §2.11.5, when an EPC (Enclave Page Cache) page is deallocated from an enclave, all logical processors executing that enclave’s code must be directed to exit the enclave; page 70, before marking an EPC page’s EPCM entry as free, the SGX implementation must ensure that the OS kernel has flushed all the TLBs that might contain translations for the page);
		remove the memory page from the TDPM (Costan page 65, 5.3.4 Teardown, After the enclave has done the computation it was designed to perform, the system software executes the EREMOVE instruction to deallocate the EPC pages used by the enclave).
	The combination of Intel in view of Baltes and Costan teaches the aforementioned claimed limitations.
	Although Intel discloses the clearing of a key (Intel page 19, table 3, 3rd entry, Clear the (software programmed) key associated with the KeyID. On execution of this command, the KeyID gets TME behavior), the combination thus far does not explicitly disclose mark, in the KOT, the state of the HKID assigned to the one-time cryptographic key as available for assignment to other one-time cryptographic keys;	Baltes further teaches when the key table is full, an entire of a boot loader can be re-written to open up the key table (Baltes ¶31, If all the memory slots in the key table 126 are filled with keys, then the entire bootloader needs to be rewritten in order to replace the public key and again open up the key table 126), open slots in the table are available for subsequent key replacements (Baltes ¶30, The original public key will be stored in the first slot 128 in the key table 126 and the remaining slots in the key table 126 will be left open for subsequent replacement keys. The empty key slots default to an invalid key entry); and empty slots corresponds to invalid key state, and erased slots corresponds to open/available for key replacement (Baltes ¶30, the empty key slots default to an invalid key entry, Those slots in the key table 126 that are empty are "flagged" invalid, by the default erased memory state; Baltes ¶31, The default erased state of the flash memory used to store the keys would have the effect that the key would be considered invalid).	As Baltes teaches that erased slots are considered in invalid states and erased slots are also open for key replacement, and invalid slots corresponds to un-assigned key slot. 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Baltes, which teaches erasing of table slots to set the flag into invalid state for further key replacement into the prior discussed teaching of Intel in view of Baltes and Costan which teaches to clear an entry in the KOT table, to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Baltes’ teaching would help making slots available for uses with limited number of slots in the table (Baltes ¶31). In addition, both of the references (Intel and Baltes) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, encryption key, and key table. This close relation between both of the references highly suggests an expectation of success when combined.	
	
	Regarding claim 7, Intel in view of Baltes and Costan teaches the processing device of claim 6 (see discussion above), wherein each entry of a translation lookaside buffer (TLB) associated with the logical processor is flushed (Costan page 27, §2.11.5, address translation results are cached in the translation look-aside buffer (TLB); page 70, First, when a logical processor exits an enclave, either via EEXIT (§5.4.2) or via an AEX (§5.4.3), its TLBs are flushed).	Regarding claims 9-11, and 15, the claims are rejected for the same reasons as that of claims 1-3, and 5 respectively.

	Regarding claim 16 Intel in view of Baltes and Costan teaches the method of claim 15 (see discussion above).		The combination thus far does not yet teach further comprising measuring, by the processing device executing the TDRM, the memory page by extending a TD measurement by a content of the memory page.		Costan further teaches measuring, by the processing device executing the TDRM, the memory page by extending a TD measurement by a content of the memory page (Costan page 75, §5.6.1 Measuring ECREATE; Costan page 76, §5.6.4 Measuring EEXTEND, measuring data loaded inside the enclave’s EPC pages, extends the enclave’s measurement hash with the five 64-byte blocks in Table 18).		It would have been obvious to a person of ordinary skill in the art before the effective filing date to further incorporate the teachings of Costan, which teaches extends a virtual machine measurement, into the current teaching of Intel in view of Baltes and Costan to result in the limitations of the claimed invention.
		One of ordinary skilled would be motivated to do so as incorporating Costan teaching would help improving the integrity and security of the virtual platform. In addition, both of the references (Intel and Costan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, data encryption and virtual machine. This close relation between both of the references highly suggests an expectation of success when combined.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Intel in view of Baltes, Costan and further in view of Diestelhorst et al. (US 10445238 B1, hereinafter Diestelhorst).
	Regarding claim 8, Intel in view of Baltes, and Costan teaches the processing device of claim 6 (see discussion above), wherein marking the HKID assigned to the one-time cryptographic key as available comprises:	marking, in the KOT, the state of the HKID as reclaimed (Intel page 19, table 3, 3rd row, clear key, Baltes ¶31, the default erased state of the flash memory used to store the keys would have the effect that the key would be considered invalid);
	Although Intel teaches KOT and HKID, and Intel and Baltes teaches the marking of an entry in the KOT table as available for assignment, and the state flag indicating the state of the entry with the key ID, Intel in view of Baltes and Costan does not explicitly disclose the following limitations that Diestelhorst teaches:	determining whether each cache entry of the cache associated with the logical processor has been flushed (Diestelhorst col. 9 lines 19-40, when all cache lines associated with the transaction have been evicted from the cache and written back to the persistent memory).
	responsive to determining each cache entry of the cache has been flushed, changing the state of the entry to available (Diestelhorst col. 9 lines 19-40, transition 1014, the log transitions from the ‘pending’ state 1006 back to the ‘free’ state 1002 when all cache lines associated with the transaction have been evicted from the cache and written back to the persistent memory).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Diestelhorst, which teaches changing state from in-use to pending state when a transaction is complete and to available state after all cache lines associated with a transaction have been evicted into the teaching of Intel in view of Baltes and Costan to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Diestelhorst’s teaching would help teaching the details of making available encryption entry for use with limited number of entries (Baltes ¶31). In addition, both of the references (Diestelhorst and Intel) teach features that are directed to analogous art, such as, memory and cache management. This close relation between both of the references highly suggests an expectation of success when combined.

Claims 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over Intel in view of Baltes and Costan and further in view of Bennett et al. (US 8645665 B1, hereinafter Bennett).
	Regarding claim 12, Intel in view of Baltes, and Costan teaches the method of claim 11 (see discussion above).		While Intel in view of Baltes, and Costan teaches virtual machines using EPT, (see Costan page 61, § 5.2.3), and the initializing of the EPT for VMCS (see Costan page 10 §2.5.2), Intel in view of Baltes, and Costan does not explicitly disclose the remaining below limitations.		On the other hand, Bennett teaches identifying a third memory page of the TDPM that is bound to the logical processor (Bennett col. 5 lines 46-64, the VMM 312 may include a physical memory management module 326 that provides values for fields associated with physical memory virtualization that may need to be provided before transition of control to the virtual machine 302 or 314. These fields are collectively referred to as EPT controls; col. 6 lines 7-15, the EPT tables 328 are stored in memory 320. Alternatively, the EPT tables 328 may reside in the processor 318, a combination of the memory 320 and the processor 318, or in any other storage location or locations. In one embodiment, separate EPT tables 328 are maintained for each of the virtual machines);		initializing the third memory page as a host page for a TD extended page table (EPT) (Bennett fig. 4b,
    PNG
    media_image6.png
    889
    1159
    media_image6.png
    Greyscale
element 328 EPT Tables, element 303; col. 8 lines 15-24, the VMM 312 which configures the EPT tables 328, the configuration of the EPT mechanism may be done by the VMM 312 as part of the operation of the physical memory management module 326). 		It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Bennett, which configure EPT memory by a VMM for a virtual machine into the teaching of Intel in view of Baltes, and Costan to result in the limitations of the claimed invention ([Examiner remark: Intel teaches memory of a VM is encrypted, it would have been obvious to combine Bennett’s teaching to allocate the memory for the EPT table within the VM’s protected memory area to get the benefit of memory encryption]).
		One of ordinary skilled would be motivated to do so as incorporating Bennett’s teaching would help making virtual machine performs faster due to the hardware and API provided by the EPT technology for virtual machine and providing the details to feature that Costan mentions but did not clearly disclose. In addition, both of the references (Bennett and Costan) teach features that are directed to analogous art, such as virtual machines and EPT. This close relation between both of the references highly suggests an expectation of success when combined.
	Regarding claim 13, Intel in view of Baltes, and Costan and Bennett teaches the method of claim 12, wherein transferring execution control to the logical processor to execute the TD further comprises:
	identifying a fourth memory page of the TDPM that is bound to the logical processor (Costan page 63, section 5.3.1, ECREATE instruction, which turns a free EPC page into the SECS (§5.1.3) for the new enclave);
	initializing the fourth memory page as a host page for a trust domain virtual machine control structure (TDVMCS) (Costan page 63, §5.3.1 Creation, ECREATE initializes the newly created SECS using the information in a non-EPC page owned by the system software. This page specifies the values for all the SECS fields defined in the SDM, such as BASEADDR and SIZE);
		activating the TDVMCS as a working virtual machine control structure (VMCS) (Costan page 64, §5.3.2, the system software can use EADD instructions to load the initial code and data into the enclave. EADD is used to create
both TCS pages (§5.2.4) and regular pages); and
		initializing the TDVMCS (Costan page 64, §5.3.3, After loading the initial code and data pages into the enclave, the system software must use a Launch Enclave (LE) to obtain an EINIT Token Structure, The token is then provided to the EINIT
instruction, which marks the enclave’s SECS as initialized).	Regarding claim 14, Intel in view of Baltes, Costan and Bennett teaches the method of claim 13, wherein initializing the TDVMCS comprises:
		setting a state of the host page for the TDVMCS (Bennet col. 6 lines 22-26, the VMM 312 configures the EPT tables 328 and EPT controls for each of the logical processors; [Examiner remark, the memory page used for the EPT table is updated as a result of the configuration of the EPT table]);
		setting a pointer to the TD EPT (Bennett col. 9, lines 24-43, FIG. 6, the appropriate bits 602 in the in an EPT base pointer (EPTP) 620 indicate the host-physical address of the base of the first-level EPT table 650); and
		setting a link from the TDVMCS to the memory page allocated for the TDVPS (Bennett col. 10 lines 33-51, the EPTP register in the processor is loaded from an EPTP field in the VMCS at the time of a virtual machine entry; [Examiner note: the memory page allocated as virtual space is mapped using EPT linked via the EPTP in the VMCS]).		It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Bennett, which configure EPT memory by a VMM for a virtual machine into the teaching of Intel in view of Baltes, Costan to result in the limitations of the claimed invention.
		One of ordinary skilled would be motivated to do so as incorporating Bennett’s teaching would help making virtual machine performs faster due to the hardware and API provided by the EPT technology for virtual machine. In addition, both of the references (Bennett and Intel) teach features that are directed to analogous art, such as virtual machines. This close relation between both of the references highly suggests an expectation of success when combined.

Claims 17-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Costan in view of Intel and further in view of Baltes).
	Regarding claim 17, Costan teaches a method comprising:
		stopping, by a processing device executing a trust domain resource manager (TDRM), a trust domain (TD) from executing on a logical processor, wherein the TD comprises a trust domain protected memory (TDPM) (Costan page 27, 2.11.5, address translation results are cached in the translation look-aside buffer (TLB); page 70, First, when a logical processor exits an enclave, either via EEXIT (§5.4.2) or via an AEX (§5.4.3), its TLBs are flushed. Second, when an EPC (Enclave Page Cache) page is deallocated from an enclave, all logical processors executing that enclave’s code must be directed to exit the enclave. This is sufficient to guarantee the removal of any TLB entry targeting the deallocated EPC; page 67-68, when a hardware exception occurs in enclave mode, the SGX implementation performs a sequence of steps that takes the logical processor out of enclave mode and invokes the hardware exception handler in the system software. Conceptually, the SGX implementation first performs an AEX to take the logical processor out of enclave mode; see also page 67-68 §5.4.2 and §5.4.3; §5.2.1, each enclave designates an area in its virtual address
space, called the enclave linear address range (ELRANGE), which is used to map the code and the sensitive data stored in the enclave’s EPC pages);
		flushing, by the processing device executing the TDRM, a cache entry of a cache associated with the logical processor, wherein the cache entry stores contents of a memory page of the TDPM (Costan page 27, §2.11.5, when an EPC (Enclave Page Cache) page is deallocated from an enclave, all logical processors executing that enclave’s code must be directed to exit the enclave; page 70, before marking an EPC page’s EPCM entry as free, the SGX implementation must ensure that the OS kernel has flushed all the TLBs that might contain translations for the page);
		removing, by the processing device executing the TDRM, the memory page from the TDPM (Costan page 65, 5.3.4 Teardown, after the enclave has done the computation it was designed to perform, the system software executes the EREMOVE instruction to deallocate the EPC pages used by the enclave).
		The Costan does not explicitly disclose marking in a key ownership table (KOT), by the processing device executing the TDRM, a host key ID (HKID) assigned to a one-time cryptographic key associated with the TD as available for assignment to other one-time cryptographic keys.	On the other hand, Intel teaches: in a key ownership table (KOT), by the processing device executing the TDRM, a host key ID (HKID) is assigned to a one-time cryptographic key associated with the TD (Intel page 4, supporting CPU generated ephemeral key (not accessible by software or using external interfaces to SOC); Intel page 7, VM1 uses KeyID1 for its own private pages and VM2 is using KeyID 2 for its own private pages; page 17, 

    PNG
    media_image2.png
    483
    834
    media_image2.png
    Greyscale
, The MKTME engine maintains an internal key table not accessible by software to store the information (key and encryption mode) associated with each KeyID, Encryption using key specified; Intel page 5, the encryption key is generated by the CPU).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Intel, which teaches virtual machine security architecture, into the teaching of Costan to result in the limitation: in a key ownership table (KOT), by the processing device executing the TDRM, a host key ID (HKID) is assigned to a one-time cryptographic key associated with the TD.
	One of ordinary skilled would be motivated to do so as incorporating Intel teaching would help provide the details improve security to the system Costan teaches. In addition, both of the references (Intel and Costan) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, data encryption and virtual machine. This close relation between both of the references highly suggests an expectation of success when combined.	Although Costan in view of Intel teaches in a key ownership table (KOT), by the processing device executing the TDRM, a host key ID (HKID) is assigned to a one-time cryptographic key associated with the TD and Intel teaches clearing an entry in the KOT table (Intel page 19, table 3 3rd row, Clear the (software programmed) key associated with the KeyID), Costan in view of Intel does not explicitly disclose: marking in a key ownership table (KOT), by the processing device executing the TDRM, a state of a host key ID (HKID) assigned to a one-time cryptographic key associated with the TD as available for assignment to other one-time cryptographic keys.	On the other hand, Baltes teaches when the key table is full, an entire of a boot loader can be re-written to open up the key table (Baltes ¶31, If all the memory slots in the key table 126 are filled with keys, then the entire bootloader needs to be rewritten in order to replace the public key and again open up the key table 126); open slots in the table are available for subsequent key replacements (Baltes ¶30, The original public key will be stored in the first slot 128 in the key table 126 and the remaining slots in the key table 126 will be left open for subsequent replacement keys. The empty key slots default to an invalid key entry); and empty slots corresponds to invalid key state, and erased slots corresponds to open/available for key replacement (Baltes ¶30, the empty key slots default to an invalid key entry, Those slots in the key table 126 that are empty are "flagged" invalid, by the default erased memory state; Baltes ¶31, The default erased state of the flash memory used to store the keys would have the effect that the key would be considered invalid).	As Baltes teaches that erased slots are considered in invalid states and erased slots are also open for key replacement, and invalid slots corresponds to un-assigned key slot. 	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Baltes, which teaches erasing of table slots to set the flag into invalid state for further key replacement into the teaching of Costan in view of Intel which teaches to clear an entry in the KOT table, to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Baltes’ teaching would help making slots available for uses with limited number of slots in the table (Baltes ¶31). In addition, both of the references (Intel and Baltes) teach features that are directed to analogous art and they are directed to the same field of endeavor, such as, encryption key, and key table. This close relation between both of the references highly suggests an expectation of success when combined.

	Regaring claim 18, Costan in view of Intel and Baltes teaches the method of claim 17, wherein each entry of a translation lookaside buffer (TLB) associated with the logical processor is flushed (Costan, page 27, §2.11.5, address translation results are cached in the translation look-aside buffer (TLB); page 70, First, when a logical processor exits an enclave, either via EEXIT (§5.4.2) or via an AEX (§5.4.3), its TLBs are flushed).	Regarding claim 20, Costan in view of Intel and Baltes teaches the method of claim 17, further comprising removing from the TDPM, by the processing device executing the TDRM, at least one of:		a memory page bound to a TD save state area (SSA) allocated to a logical processor (Costan page 62, The offset of the SSA array (OSSA) field specifies the location of the first SSA in the enclave’s virtual address space; page 63, SSAs are stored in regular EPC pages; Costan page 70, section 5.5.1 Page Eviction and the TLBs; [Examiner note: see the next mapping for how the EPC pages are deallocated]), a memory page bound to a virtual processing space (VPS) (Costan page 70, section 5.5.1 Page Eviction and the TLBs, System software can cause a logical processor to exit an enclave by sending it an Inter-Processor Interrupt
(IPI, x 2.12), which will trigger an AEX when receive, when a logical processor exits an enclave, either via EEXIT (x 5.4.2) or via an AEX (x 5.4.3), its TLBs are flushed, performing IPIs and TLB flushes for each page eviction would add a significant overhead to a paging implementation, so the SGX design allows a batch of pages to be evicted using a single IPI / TLB flush sequence), and a memory page bound to a TD control structure (TDCS) allocated to the TD.

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Costan in view of Intel and Baltes and further in view of Diestelhorst et al. (US 10445238 B1, hereinafter Diestelhorst).

	Regarding claim 19, Costan in view of Intel and Baltes teaches the method of claim 17 (see discussion above), wherein marking the HKID assigned to the one-time cryptographic key as available comprises:	marking, in the KOT, the state of the HKID as reclaimed (Intel page 19, table 3, 3rd row, clear key, Baltes ¶31, the default erased state of the flash memory used to store the keys would have the effect that the key would be considered invalid);	Although Costan in view of Intel teaches KOT and HKID, and Intel and Baltes teaches the marking of an entry in the KOT table as available for assignment, and the state flag indicating the state of the entry with the key ID, Costan in view of Intel and Baltes does not explicitly disclose the following limitations that Diestelhorst teaches:
	determining whether each cache entry of the cache associated with the logical processor has been flushed (Diestelhorst col. 9 lines 19-40, when all cache lines associated with the transaction have been evicted from the cache and written back to the persistent memory); and
	responsive to determining each cache entry of the cache has been flushed, marking, in the KOT, the HKID as available for assignment to other one-time cryptographic keys (Diestelhorst col. 9 lines 19-40, transition 1014, the log transitions from the ‘pending’ state 1006 back to the ‘free’ state 1002 when all cache lines associated with the transaction have been evicted from the cache and written back to the persistent memory).	It would have been obvious to a person of ordinary skill in the art before the effective filing date to incorporate the teachings of Diestelhorst, which teaches changing state from in-use to pending state when a transaction is complete and to available state after all cache lines associated with a transaction have been evicted into the teaching of Costan in view of Intel and Baltes to result in the limitations of the claimed invention.
	One of ordinary skilled would be motivated to do so as incorporating Diestelhorst’s teaching would help teaching the details of making available encryption entry for use with limited number of entries (Baltes ¶31). In addition, both of the references (Diestelhorst and Intel) teach features that are directed to analogous art, such as, memory and cache management. This close relation between both of the references highly suggests an expectation of success when combined.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20140164723 A1 – The process for restoring a state of a virtual machine (VM) running in a physical machine from a checkpoint file that is maintained in persistent storage includes the steps of detecting access to a memory page of the virtual machine that has not been read into physical memory of the VM from the checkpoint file.
US 10404667 B2 - the memory stores ciphertext encrypted with different encryption keys such that entries 402 are encrypted and encoded with a first key ID 412 while entries 404 are encrypted and encoded with a different, second key ID.
US 9804871 B2 - private register space for an instance of guest software (loaded from the VMCS) includes an EPT page-table pointer-address that points to the EPT page-table hierarchy for address translations to be performed for the guest software that is running on the VM.
US 20170177377 A1 - an apparatus for computing may include a plurality of processor cores; and a plurality of OS modules of an OS. The OS modules may include a BSP module and an AP module. The BSP module may be configured to write into a storage area a start state of an AP of a VM, while the VM is being started up; and the AP module may be configured to start the AP at the start state.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Vy Huy Ho whose telephone number is (571) 272-3261.  The examiner can normally be reached on Monday - Friday 7:30 am-5:30 pm.
	Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
	If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A. Shiferaw can be reached on (571) 272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
	Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/V.H.H/
Examiner, Art Unit 2162


/IZUNNA OKEKE/Primary Examiner, Art Unit 2497