DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 06/17/2022 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1, 3, 6-7, 9, 11-12, 14-15 and 20 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Axnix et al., US-9432183-B1 (hereinafter “Axnix ‘183”).
Per claim 1 (independent):
Axnix ‘183 discloses: A computer-implemented method comprising:
an interface selectively providing access to a memory region for a work request over a network from an entity by providing selective access to a cryptographic key for use by a memory controller to access the memory region
(FIG. 2, [Col. 3], ll.50 – [Col. 4], ll.15, two computer systems 10, 12 according to an embodiment of the invention using RDMA for storing encrypted data 54 (a work request) of one of the computer systems 12 (an entity) to the remote memory 60 (a memory region) of the other computer system 10. The computer systems 10, 12 comprise processing units 20, 22 running operating systems 90, 92. The processing units 20,22 are connected to memories 60, 61 … The processing units 20, 22 comprise input/output (I/O) adapters 24, 26 being connected via the network 14 (over a network) to each other … For encryption/decryption of data the processing units 20, 22 are equipped with the memory encryption key 42 (a cryptographic key), being exchanged by the network encryption key 40.).

Per claim 3 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, wherein the interface selectively providing access to a memory region for a work request from an entity comprises permitting the entity to perform in the memory region one or more of: create, read, update, delete, write, or notify (FIG. 2, [Col. 4], ll.32-41, the encrypted data 54, encrypted (a work request) with the network encryption key 40 used as the memory encryption key 42 by the processing unit 22 (the entity), are transferred in a remote direct memory access process (RDMA) from the processing unit 22 via the I/O adapter 26 via the network 14 … to the memory 60 (the memory region).).

Per claim 6 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, wherein the memory region comprises a page or sub-page sized region (FIG. 2, [Col. 4], ll.16-41, encrypted data 54 of the computer system 12 are written as new pages (a page) to the memory 60 of the computer system 10 … the encrypted data 54 … are transferred in a remote direct memory access process (RDMA) from the processing unit 22 via the I/O adapter 26 via the network 14 … to the memory 60, using the corresponding segment table 82 and page table 84, respectively.).

Per claim 7 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, wherein the interface selectively provides access to at least one sub-region of the memory region for the work request by providing selective access to at least one cryptographic key for use by the memory controller to access the at least one sub-region (FIG. 2, [Col. 4], ll.16-41, The memory segment table 82 thus comprises the segment number 74 (indicated in the table as 1, 2; sub-regions) … the segment key 44 (e.g. 0x1234 in the table) and the pointer 88 (e.g. ptr1), respectively, if a memory segment is to be referenced on a page granularity. For this purpose the pointer 88 is pointing to the page table 84. The page table 84 comprises the page address 34 (indicated in the table e.g. as 0x4567, 0x7890; to access the at least one sub-region), the memory encryption key 42 (indicated in the table e.g. as 0x2345, or a segment key like a default key 0x1111) (cryptographic keys).).

Per claim 9 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, wherein the work request comprises a write request and the work request is associated with received content and the memory controller is to apply the cryptographic key to encrypt content to write in the memory region (FIG. 2, [Col. 4], ll.32-41, the encrypted data 54, encrypted (encrypt content) with the network encryption key 40 used as the memory encryption key 42 (the cryptographic key) by the processing unit 22, are transferred in a remote direct memory access process (RDMA) from the processing unit 22 via the I/O adapter 26 via the network 14 … to the memory 60 (write in the memory region).).

Per claim 11 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, comprising providing remote memory access using one or more of:  remote direct memory access (RDMA), InfiniBand, Internet Wide Area RDMA Protocol (iWARP), or RDMA over Converged Ethernet (RoCE) (FIG. 2, [Col. 3], ll.50 – [Col. 4], ll.15, two computer systems 10, 12 according to an embodiment of the invention using RDMA (RDMA) for storing encrypted data 54 of one of the computer systems 12 to the remote memory 60 of the other computer system 10).

Per claim 12 (independent):
Axnix ‘183 discloses: An apparatus comprising: 
an interface comprising remote direct copy circuity configured to:
receive a work request associated with a remote direct memory access operation and 
based on the work request being allowed to access a memory region, provide a key to a memory controller to perform cryptographic operation on content in the memory region to carry out the work request
(FIG. 2, [Col. 3], ll.50 – [Col. 4], ll.15, two computer systems 10, 12 according to an embodiment of the invention using RDMA (a remote direct memory access operation) for storing encrypted data 54 (a work request) of one of the computer systems 12 (an entity) to the remote memory 60 (a memory region) of the other computer system 10. The computer systems 10, 12 comprise processing units 20, 22 running operating systems 90, 92. The processing units 20,22 are connected to memories 60, 61 … The processing units 20, 22 comprise input/output (I/O) adapters 24, 26 being connected via the network 14 to each other … For encryption/decryption of data the processing units 20, 22 are equipped with the memory encryption key 42 (a key), being exchanged by the network encryption key 40; [Col. 4], ll.32-41, the encrypted data 54, encrypted (perform cryptographic operation on content) with the network encryption key 40 used as the memory encryption key 42 (a key) by the processing unit 22, are transferred in a remote direct memory access process (RDMA) from the processing unit 22 via the I/O adapter 26 via the network 14 … to the memory 60.).

Per claim 14 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 3 and the claim(s) is/are rejected for the reasons detailed with respect to claim 3.

Per claim 15 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
Axnix ‘183 discloses: The apparatus of claim 12, wherein the memory region comprises at least one sub-region and the interface is to provide a key to the memory controller to perform a cryptographic operation on content in the at least one sub-region to carry out the work request (FIG. 2, [Col. 4], ll.32-41, the encrypted data 54, encrypted (perform a cryptographic operation) with the network encryption key 40 used as the memory encryption key 42 (the key) by the processing unit 22, are transferred in a remote direct memory access process (RDMA) from the processing unit 22 via the I/O adapter 26 via the network 14 … to the memory 60.; [Col. 4], ll.16-41, The memory segment table 82 thus comprises the segment number 74 (indicated in the table as 1, 2; at least one sub-regions) … the segment key 44 (e.g. 0x1234 in the table) and the pointer 88 (e.g. ptr1), respectively, if a memory segment is to be referenced on a page granularity. For this purpose the pointer 88 is pointing to the page table 84. The page table 84 comprises the page address 34 (indicated in the table e.g. as 0x4567, 0x7890), the memory encryption key 42 (indicated in the table e.g. as 0x2345, or a segment key like a default key 0x1111) (a key).).

Per claim 20 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
Axnix ‘183 discloses: The apparatus of claim 12, comprising one or more of: a server, data center, rack, computing node, an edge network element, or fog network element (FIG. 2, [Col. 3], ll.50 – [Col. 4], ll.15, two computer systems 10, 12 according to an embodiment of the invention using RDMA for storing encrypted data 54 of one of the computer systems 12 to the remote memory 60 of the other computer system 10; FIG. 15, [Col. 8], ll.8-29, there is a computer system/server 212 … suitable for use with computer system/server 212 include, but are not limited to … server computer systems … distributed cloud computing environments.).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 2, 4-5 and 13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Axnix ‘183 in view of Gibson et al., US-10691619-B1 (hereinafter “Gibson ‘619”).
Per claim 2 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 does not disclose but Gibson ‘619 discloses: The method of claim 1, wherein the interface selectively providing access to a memory region for a work request from an entity is based on one or more of:
validation of a certificate received with the work request and an identifier of the entity being associated with access to the memory region
(FIG. 4, [Col. 12], ll.11-45, receiving a RMA (remote memory access) read request message at a network interface that can access one of a plurality of application-specific registered memory regions of each of a plurality of hosts connected to the network interface (stage 405) … evaluating the authority of the source of the RMA read request message (validation of a certificate) to access the identified application-specific registered memory region (the memory region) using the host memory access request information (the certificate) included in the received RMA read request message (a work request) and the region key (an identifier of the entity) corresponding to the identified application-specific registered memory region stored by the network interface (stage 410).)
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Axnix ‘183 with the authorization of a RMA request via the host memory access request information and the region key as taught by Gibson ‘619 because it would prevent the requesting application from attempting to access other applications' data located in other registered memory regions within the host physical memory [Col. 11], ll.60-67. Additionally, Gibson ‘619 is analogous to the claimed invention because it teaches that applications running on hosts connected over the network may directly access each other's data via remote memory access (RMA) [Col. 3], ll.44-50.

Per claim 4 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 does not disclose but Gibson ‘619 discloses: The method of claim 1, wherein the memory region is associated with a process and wherein the entity and the process are associated with a same tenant ([Col. 3], ll.34 -43, Multiple physical servers or hosts (a plurality of tenants) connected over a network may each execute one or more virtual machines or containers (collectively referred to herein as "virtualized computing instances" or VCIs … Each VCI is allocated a region of memory within its corresponding host's physical memory. Within the host memory region that is allocated to a VCI, each application (a process) hosted by that VCI is allocated a region of memory.); [Col. 7], ll.1-13, One or more applications may execute on each of the hosts 205. Each application (a process) executing on a corresponding one of the hosts 205 (a plurality of tenants) is allocated one or more regions of memory, such as an application memory region 215 (the memory region), within the physical memory of the corresponding host; Note that the application memory region 215 can be allocated to a certain application (the process) hosted by a certain VCI (the entity) running in a same host (a same tenant).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Axnix ‘183 with the allocation of an application memory region to the application hosted by a VM residing in each corresponding host as taught by Gibson ‘619 because it would prevent the requesting application from attempting access to memory regions of the VCIs in unauthorized hosts by further isolating the memory access.

Per claim 5 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 does not disclose but Gibson ‘619 discloses: The method of claim 1, wherein the memory region is associated with a process and wherein the entity and the process comprise virtual execution environments ([Col. 3], ll.34 -43, Multiple physical servers or hosts (a plurality of tenants) connected over a network may each execute one or more virtual machines or containers (collectively referred to herein as "virtualized computing instances" or VCIs (virtual execution environments) … Each VCI is allocated a region of memory within its corresponding host's physical memory. Within the host memory region that is allocated to a VCI, each application (a process) hosted by that VCI (the entity) is allocated a region of memory.); [Col. 7], ll.1-13, One or more applications may execute on each of the hosts 205. Each application (a process) executing on a corresponding one of the hosts 205 (a plurality of tenants) is allocated one or more regions of memory, such as an application memory region 215 (the memory region), within the physical memory of the corresponding host.).

Per claim 13 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
Axnix ‘183 does not disclose but Gibson ‘619 discloses: The apparatus of claim 12, wherein the work request is allowed to access a memory region based on one or more of: validation of a certificate received with the work request and the work request being associated with a process associated with the memory region (FIG. 4, [Col. 12], ll.11-45, receiving a RMA (remote memory access) read request message at a network interface that can access one of a plurality of application-specific registered memory regions of each of a plurality of hosts connected to the network interface (stage 405) … evaluating the authority of the source of the RMA read request message (validation of a certificate) to access the identified application-specific (a process) registered memory region (the memory region) using the host memory access request information (the certificate) included in the received RMA read request message (the work request) and the region key corresponding to the identified application-specific registered memory region stored by the network interface (stage 410).).

Claim(s) 8, 10 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over Axnix ‘183 in view of EVANS et al., US-20200401441-A1 (hereinafter “EVANS ‘441”).
Per claim 8 (dependent on claim 7):
Axnix ‘183 discloses the elements detailed in the rejection of claim 7 above, incorporated herein by reference.
Axnix ‘183 does not disclose but EVANS ‘441 discloses: The method of claim 7, wherein different access rights are associated with different sub-regions of the memory region, wherein the access rights comprise one or more of: create, read, update, delete, write, or notify (FIG. 24, [0154], The memory access request also specifies various attributes 256 (different access rights), such as attributes indicating whether the transaction is a read (R) or write (W) request, or indicating an exception level (X); [0155], On receipt of a memory access, the MMU 26 may determine based on the information from the stage 1 page tables whether the transaction attributes are valid. For example the stage 1 page tables could specify that only read transactions may be allowed for certain addresses (different sub-regions), or could permit both read and write accesses to a given address (some implementations may also permit write only regions (different sub-regions) of the address space to be defined).).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Axnix ‘183 with the various attributes associated with memory access requests such as read or write for each different region of the memory space as taught by EVANS ‘441 because it would ensure the security of the system by granting different memory access attributes based on memory addresses. Additionally, EVANS ‘441 is analogous to the claimed invention because it teaches the realm management units managing data serving to enforce ownership rights of the plurality of memory regions [0057].

Per claim 10 (dependent on claim 1):
Axnix ‘183 discloses the elements detailed in the rejection of claim 1 above, incorporated herein by reference.
Axnix ‘183 discloses: The method of claim 1, wherein the work request comprises a read request and the memory controller is to apply the cryptographic key to decrypt content in the memory region (FIG. 1, [Col. 3], ll. 33-49, When the processing unit 20 fetches the data 54 from the memory 60 (the memory region), i.e. reads the data 54 received from the network 14, the cache hardware 64 decrypts the data 54 (decrypt content), via e.g. a crypto unit 50, using the network encryption key 40 (the cryptographic key) stored in the memory key table 80 of the cache 64, so that it arrives in the processing unit 20 as unencrypted data 56).
Axnix ‘183 does not disclose but EVANS ‘441 discloses: provide the decrypted content for transmission using the interface to a second memory region accessible to the entity (FIG. 7, [0081], a page (memory region) import operation … Step 74 serves to obtain and clean an empty page (memory region) into which the data can be imported … step 78 serves to decrypt the encrypted data and step 80 serves to store that decrypted data into the memory page (a second memory region) which his obtained at step 74 … The page which was obtained and then filled is locked so as to be exclusively available (accessible) to the memory management circuitry (realm management unit 20, 22, 24; the entity) during the page importation process.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Axnix ‘183 with the import of decrypted data into an empty memory region for a memory page import operation as taught by EVANS ‘441 because it would provide additional security by providing exclusive access rights for some of memory regions, for example, used to store metadata describing characteristics of other memory regions, temporarily store memory regions being exported or imported [0069].

Per claim 16 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 8 and the claim(s) is/are rejected for the reasons detailed with respect to claim 8.

Claim(s) 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Axnix ‘183 in view of Bshara et al., US-10901627-B1 (hereinafter “Bshara ‘627”).
Per claim 17 (dependent on claim 12):
Axnix ‘183 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
Axnix ‘183 does not disclose but Bshara ‘627 discloses: The apparatus of claim 12, comprising a computing node, wherein the computing node comprises at least one memory associated with the memory region and comprises the memory controller to perform read or writes to the memory region ([Col. 3], ll. 6-14, an encryption key and/or scrambling function specific to a virtual machine may be used to control the access to data on the memory page (the memory region) allocated to the virtual machine.; FIG. 2 and 12, [Col. 5], ll. 46-67, Computer system 200 may be implemented in, for example, a computing node (a computing node), a server, or a network device; [Col. 24], ll. 16-50, The node(s) of FIG. 12 may also represent one or more service provider computers. One or more service provider computers may provide a native application that is configured to run on the user device … provided as one or more virtual machines implemented in a hosted computing environment.).
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Axnix ‘183 with the computing node providing access to memory pages based on VMs with an encryption key as taught by Bshara ‘627 because computing resources would be rapidly provisioned and released in a secure way due to the virtualization and since a new virtual machine would not be able to access meaningful data on the memory pages previously used by other virtual machine [Col. 3], ll. 6-14, [Col. 24], ll. 16-50. Additionally, Bshara ‘627 is analogous to the claimed invention because it teaches a memory controller configured to generate and store cryptographic keys associated with different VMs in a table. [Col. 20], ll. 25-39.

Per claim 18 (dependent on claim 17):
Axnix ‘183 in view of Bshara ‘627 discloses the elements detailed in the rejection of claim 17 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 9 and the claim(s) is/are rejected for the reasons detailed with respect to claim 9.

Claim(s) 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Axnix ‘183 in view of Bshara ‘627 and EVANS ‘441.
Per claim 19 (dependent on claim 17):
Axnix ‘183 in view of Bshara ‘627 discloses the elements detailed in the rejection of claim 12 above, incorporated herein by reference.
The limitations of the claim(s) correspond(s) to features of claim 10 and the claim(s) is/are rejected for the reasons detailed with respect to claim 10.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANGSEOK PARK whose telephone number is (571)272-4332. The examiner can normally be reached Monday-Thursday 7:30-5:30 and Alternate Fridays 8:30-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA can be reached on (571)272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/SANGSEOK PARK/
Examiner, Art Unit 2499

/PHILIP J CHEA/
Supervisory Patent Examiner, Art Unit 2499