DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 8-11, 17, and 22 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Abraham et al. (US Patent No. 8954788), hereinafter referred to as Abraham.
Referring to claim 1, Abraham discloses a device (physical device 210, fig. 2) comprising: a device interface (VFs/PF, control block, control unit,  fig. 2) to facilitate assignment of the device to a virtual machine (VM) (VMs 224, fig. 2) managed by a hypervisor (VMM 222, fig. 2; VMM assigns one or more VFs to a VM, col. 2, line 6) of a computing platform (physical computing system 220, fig. 2) coupled to the device by a computer bus (fig. 2, bus connections between 210 and 220), access of the device by the VM (providing VMs 124 direct access to the VFs 114 of I/O device; col. 1, lines 64-65), or removal of the device from being assigned to the VM (NOTE: VFs are assigned by mapping configuration space registers, which become unavailable in the instance of reboot, see col. 2, lines 5-30; the PF facilitates the reboot and therein the removal, see col. 6, lines 50-60); wherein the device interface includes logic in support of a device management protocol to place the device interface in an unlocked state as a default state of the device (Register 500 can be manipulated by any virtual machine, unless the lock bit is set, col. 6, lines 5-10; NOTE: the “unless” language implies a default state), a locked state to prevent changes to be made to the device interface (lock bit is set, col. 6, lines 5-10), an operational state to enable access to device registers of the device by the VM (Using register 500, VMs may write commands or queries that can be read by an I/O device; col. 6, lines 1-5) control unit may use the state field of register 500 to indicate the state of the command...states are..."fault,", col. 6, lines 20-25).

As to claim 8, Abraham discloses the device interface includes a physical function (PF 212, fig. 2), a virtual function (VFs 214, fig. 2), or an assignable device interface (VMM assigns one or more VFs to a VM, col. 2, line 6).

As to claim 9, Abraham discloses the computer bus to couple the device and the computing platform includes col. 2, lines 35-45), 

As to claim 10, Abraham discloses the device includes a mouse, a disk, a keyboard, a memory device, or an input/output controller (I/O devices 706 (including but not limited to keyboards...pointing devices...I/O controllers; col. 7, lines 25-35).

Referring to claim 11, Abraham discloses at least one or more non-transitory computer-readable media having instructions (col. 2, lines 55-60) thereon that in response to execution of the instructions by one or more hardware processors of a computing platform, provide a virtual machine (VM) on the computing platform (Physical computing system 220 implements one or more processors and memories in order to operate VMs 224, col. 3, lines 50-55), including: a device driver (PF driver 223, fig. 2) to facilitate assignment of a device interface for a device to the VM managed by a hypervisor (VMM 222, fig. 2; VMM assigns one or more VFs to a VM, col. 2, line 6) of the computing platform, access of the device by the VM (providing VMs 124 direct access to the VFs 114 of I/O device; col. 1, lines 64-65), or removal of the device from being assigned to the VM (NOTE: VFs are assigned by mapping configuration space registers, which become unavailable in the instance of reboot, see col. 2, lines 5-30; the PF facilitates the reboot and therein the removal, see col. 6, lines 50-60), wherein the device is coupled to the computing platform by a computer bus (fig. 2, bus connections between 210 and 220); and wherein the device driver includes support of a device management protocol to cause the device interface to be placed in a default unlocked state (Register 500 can be manipulated by any virtual machine, unless the lock bit is set, col. 6, lines 5-10; NOTE: the “unless” language implies a default state), a locked state to prevent changes to be made to the device interface (lock bit is set, col. 6, lines 5-10), an operational state to enable access to device registers of the device by the VM (Using register 500, VMs may write commands or queries that can be read by an I/O device; col. 6, lines 1-5) or control unit may use the state field of register 500 to indicate the state of the command...states are..."fault,", col. 6, lines 20-25).

Referring to claim 17, Abraham discloses a computing platform, comprising: one or more processors (Physical computing system 220 implements one or more processors and memories in order to operate VMs 224, col. 3, lines 50-55); and a hypervisor (VMM 222, fig. 2) arranged to operate on the one or more processors, wherein the hypervisor is arranged to: manage operations of a virtual machine (VM) (VMs 224, fig. 2; col. 1, lines 25-45); and facilitate assignment of a device interface of a device to the VM (VMM 222, fig. 2; VMM assigns one or more VFs to a VM, col. 2, line 6), access of the device by the VM (providing VMs 124 direct access to the VFs 114 of I/O device; col. 1, lines 64-65), or removal of the device from being assigned to the VM (NOTE: VFs are assigned by mapping configuration space registers, which become unavailable in the instance of reboot, see col. 2, lines 5-30; the PF driver in communication with the PF facilitates the reboot and therein the removal, see col. 6, lines 50-60); wherein the device is coupled to the computing platform by a computer bus (fig. 2, bus connections between 210 and 220), and wherein the device interface includes logic in support of a device management protocol to place the device interface in an unlocked state as a default state of the device (Register 500 can be manipulated by any virtual machine, unless the lock bit is set, col. 6, lines 5-10; NOTE: the “unless” language implies a default state), a locked state to prevent changes to be made to the device interface (lock bit is set, col. 6, lines 5-10), an operational state to enable access to device registers of the device by the VM (Using register 500, VMs may write commands or queries that can be read by an I/O device; col. 6, lines 1-5) or control unit may use the state field of register 500 to indicate the state of the command...states are..."fault,", col. 6, lines 20-25).

Referring to claim 22, Abraham discloses at least one or more non-transitory computer-readable media (col. 2, lines 55-60) having instructions thereon that in response to execution of the instructions by one or more hardware processors of a computing platform (Physical computing system 220 implements one or more processors and memories in order to operate VMs 224, col. 3, lines 50-55), provide a resource arbitration module arranged to be operated by a hypervisor (VMM assigns one or more VFs to a VM by mapping configuration space registers of the VFs to the configuration space presented to the VM by the VMM, col. 2, lines 5-10; NOTE: the limitation “a resource arbitration module” merely labels the functionality, and therefore is equated to the software/elements of system 200 which perform the functional limitations) on the computing platform, to: manage assignment of a device interface for a device to a virtual machine (VM) managed by the hypervisor (VMM assigns one or more VFs to a VM, col. 2, line 6), access of the device by the VM (providing VMs 124 direct access to the VFs 114 of I/O device; col. 1, lines 64-65), or removal of the device from being assigned to the VM (NOTE: VFs are assigned by mapping configuration space registers, which become unavailable in the instance of reboot, see col. 2, lines 5-30; the PF driver in communication with the PF facilitates the reboot and therein the removal, see col. 6, lines 50-60), wherein the device is coupled to the computing platform by a computer bus (fig. 2, bus connections between 210 and 220); and wherein the resource arbitration module includes support of a device management protocol to cause the device interface to be placed in a default unlocked state (Register 500 can be manipulated by any virtual machine, unless the lock bit is set, col. 6, lines 5-10; NOTE: the “unless” language implies a default state), a locked state to prevent changes to be made to the device interface (lock bit is set, col. 6, lines 5-10), or an operational state to enable access to device registers of the device by the VM (Using register 500, VMs may write commands or queries that can be read by an I/O device; col. 6, lines 1-5) .

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 3, 13, and 24-25 are rejected under 35 U.S.C. 103 as being unpatentable over Abraham in view of Lal et al. US Pub. No. 2019/0311123), hereinafter referred to as Lal.
As to claims 3, 13, and 24, while Abraham teaches other VMs managed by the hypervisor (col. 1, lines 30-45), memory contents and central processing unit (CPU) (col. 3, lines 50-55), and the logic in support of the device management protocol is to place the device interface in the unlocked state, the locked state (Register 500 can be manipulated by any virtual machine, unless the lock bit is set, col. 6, lines 5-10), or the operational state (states are "done," "free," "in progress," "fault," col. 6, lines 20-25), Abraham does not appear to explicitly disclose the VM is a trusted VM which memory contents and central processing unit (CPU) states are kept confidential from the hypervisor and other VMs and the device interface is placed into a state “in a secure manner”.
However, Lal discloses the VM is a trusted VM (TEEs 208 may be embodied as a trust domain, virtual machine, [0040]) which memory contents and central processing unit (CPU) states are kept confidential from the hypervisor and other VMs (Each of the TEEs 208 may be embodied as a trust domain, virtual machine, virtual network function (VNF), guest operating system, or other trusted environment of the computing device 100. Each TEE 208 is isolated or otherwise protected from the VMM 214, host partition 202, and other TEEs 208 with hardware support of the computing device; [0040]) and the device interface is placed into a state “in a secure manner” (register may indicate that the TIO-capable device 1024 provides a secure device configuration interface to host software, including that the TIO device 1024 is capable of authentication and secure communication with the trusted agent 1008, is capable of locking configuration of one or more partitions of the TIO device 1024, and is capable of securely and accurately reporting its configuration and state to the trusted agent; [0104]).
Abraham and Lal are analogous art because they are from the same field of endeavor, managing virtual machine environments.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, having the teachings of Abraham and Lal before him or her, to modify the virtualize system of Abraham to include the trusted architecture of Lal in order to secure configuration and I/O within the virtualized system.  
The suggestion/motivation for doing so would have been provide trusted communication between the system components (Lal: [0024]).
Therefore, it would have been obvious to combine Abraham and Lal to obtain the invention as specified in the instant claim.

As to claim 25, the combination of Abraham in view of Lal discloses the trusted VM is a first trusted VM (Lal: TEE 208a, fig. 2), the device interface is a first device interface (Abraham: VF 214, fig. 2), and the computing platform further includes a second trusted VM (Lal: TEE 208b, fig. 2) managed by the hypervisor (Lal: VMM 214 may be embodied as...hypervisor... responsible for managing hardware resources... and to launch the TEEs 208; [0033]), and wherein the resource arbitration module is further to assign a second device interface (Abraham: second VF 214, fig. 2) of the device to the second trusted VM (Lal: VMM 214 is configured to assign TIO devices 216 to particular TEEs 208; [0033]) to move the second device interface to the operational state (Lal: trusted agent verifies the identity of I/O devices capable of trusted I/O (TIO devices), provisions secrets to the TIO devices, locks, unlocks, and configures the TIO devices; [0024]). The suggestion/motivation to combine remains as indicated above.

Allowable Subject Matter
Claims 2, 4-7, 12, 14-16, 18-21, and 23 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Response to Arguments
Applicant's arguments filed 6/9/2022 have been fully considered but they are not persuasive.
Regarding independent claim 1, rejected under 35 U.S.C. 102(a)(1) as being anticipated by Abraham, on pg. 9-10 of the response, the Applicant asserts:
“...Abraham does not teach or suggest the various states of the device interface as recited in claim 1...
...it is unclear how the recited register (e.g., register 240 or 500) of Abraham can possibly be equated to the “device interface to facilitate assignment of the device to a virtual machine (VM) managed by a hypervisor of a computing platform coupled to the device by a computer bus, access of the device by the VM, or removal of the device from being assigned to the VM” as recited by claim 1. Simply put, the register 500 is not understood to be performing these functions, nor is it specifically alleged to be doing so in the Office Action.
...the register can not possibly be equated to the device interface at least because the register 500 of Abraham is not performing the functions of the device interface listed in claim 1. As such, the register 500, and the described various states of the register depicted in Figure 5 and described in Abraham at 6:5-60 can not reasonably be said to teach or suggest the various states of the device interface as recited in the second element of claim 1...”

The Examiner respectfully disagrees. The Applicant’s arguments indicating the claimed “device interface” as being equated to the register 240/500 of Abraham are an inaccurate representation of the mapping outlined in the rejection. In the rejection, the claimed “device interface” was not equated to the register 240/500 of Abraham, but rather the combination of VFs, PF, control block, and control unit of fig. 2 of Abraham, because the generic language of the claim, such as “device interface”, “to facilitate”, and “logic in support of”, lends the limitations to a reasonably broad interpretation.  Abraham teaches the VMM assigns VF(s) to a VM, and therefore the VF, in combination with the other indicated elements, functions “to facilitate" the assignment. Furthermore, the control unit uses the state field of the register to indicate states, and therefore “includes logic in support of” placing the element(s) equated to the device interface in particular states.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
The examiner has cited particular column, line, and/or paragraph numbers in the references as applied to the claims above for the convenience of the applicant.  Although the specified citations are representative of the teachings of the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant in preparing responses, to fully consider the references in its entirety as potentially teaching of all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.
The examiner requests, in response to this office action, support be shown for language added to any original claims on amendment and any new claims.  That is, indicate support for newly added claim language by specifically pointing to page(s) and line number(s) in the specification and/or drawing figure(s).  This will assist the examiner in prosecuting the application.  When responding to this office action, applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of art disclosed by the references cited or the objections made.  He or she must also show how the amendments avoid such references or objections.  See 37 C.F.R. 1.111(c).
Applicants seeking an interview with the examiner, including WebEx Video Conferencing, are encouraged to fill out the online Automated Interview Request (AIR) form (http://www.uspto.gov/patent/uspto-automated-interview-request-air-form.html). See MPEP §502.03, §713.01(11) and Interview Practice for additional details.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC T OBERLY whose telephone number is (571)272-6991.  The examiner can normally be reached on M-F 800am-430pm (MT).
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Dr. Henry Tsai can be reached on (571) 272-4176.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ERIC T OBERLY/             Primary Examiner, Art Unit 2184