Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 8 and 9 are rejected under 35 U.S.C. 103 as being unpatentable over Hodge (U.S. Patent Application Publication 2016/0055113; hereinafter "Hodge") in view of Liguori et al. (U.S. Patent Application Publication 2018/0165455; hereinafter "Liguori").

Regarding claim 1, Hodge discloses an autonomous driving system having dual secure boot, comprising:
a control system[ “computing system 100 that includes an embedded controller 102, a primary non-volatile memory 104, a processor 106, and a secondary non-volatile memory 116.”, 0013; “A switch logic 108 is also provided to selectively connect one of the primary non-volatile memory 104 and secondary non-volatile memory 116 to a shared bus 120. ..”, 0015; i.e the embedded controller, a primary non-volatile memory , a secondary non-volatile memory , a switch logic together is the control system); comprising: 
a microcontroller[ “an embedded controller 102”, 0013; Fig.1]; 
a first flash memory ["primary non-volatile memory 104", 0043; "..non-volatile memory, such as a flash memory or any other persistent memory..", 0010; Fig. 3], configured to store first embedded-controller firmware ["EC firmware 307", 0043; Fig. 3] and a first application image file ["The primary non-volatile memory 104 can store a primary version of system firmware (referred to as "primary system firmware" 107), which can include BIOS code", 0013];
a second flash memory ["secondary non-volatile memory 116", 0043; 0010; Fig. 3], configured to store second embedded-controller firmware ["EC firmware 309.", 0043; Fig. 3] and a second application image file ["..The secondary non-volatile memory 106 can store a redundant version of the system firmware (referred to as "redundant system firmware" 114), The redundant system firmware 114 may be an identical copy of the primary system firmware 107, or alternatively, the redundant system firmware 114 may be different from the primary system firmware 107..", 0013];
a host[ “ Processor 106”, 0013; Fig.3]; and 
a baseboard management controller (BMC), coupled between the control system and the host[ “..The computing system 100 of FIG. 3 includes an input/output (I/O) controller 302, which is connected between the processor 106 and the shared bus 120. In some examples, the I/O controller 302 can be a Platform Controller Hub (PCH) ..”, 0041]; 
wherein when the autonomous driving system is turned on, the microcontroller executes a dual secure boot procedure to execute the first embedded-controller firmware or the second embedded-controller firmware ["The embedded controller 102 further includes a read-only memory (ROM) 314, which can be used to store a boot loader 316 and an encryption key 318. The encryption key 318 can be the key (public key or private key) used to perform verification of the EC firmware (307 or 309). During system startup, the boot loader 316 is loaded from the ROM 314 to execute in the embedded controller 102 to retrieve EC firmware from the primary or secondary non-volatile memory 104 or 116 into a random access memory (RAM) 319 of the embedded controller 102. The boot loader 316 can take steps to ensure that no other entity except the embedded controller 102 has access to the shared bus 120 during the EC firmware load operation.", 0045; "The verification of the EC firmware retrieved from a non-volatile memory (104 or 116) can be performed during an initialization procedure of the embedded controller 102. An initialization procedure of the embedded controller 102 refers to a procedure that is performed when the embedded controller 102 first starts after the embedded controller 102 has been reset or after a power cycle of the embedded controller 102 (where power is removed from and then re-applied to the embedded controller 102).", 0048; 0050-0051];
wherein in response to the microcontroller successfully executing the first embedded-controller firmware or the second embedded-controller firmware, the microcontroller authenticates the first application image file or the second application image file [0048; "The verifying of the system firmware can be performed by the embedded controller 102 prior to each instance of restarted execution of the system firmware (from the primary or secondary non-volatile memory) by the processor 106, such as due to a cold reset of the computing system 100, a resume from a low power state of the computing system 100, an operating system restart, and so forth…", 0036; "Once the EC firmware is verified and loaded for execution on the embedded controller 102, the EC firmware can verify system firmware (107 or 114) prior to each restarted execution of the system firmware by the processor 106.", 0049].
However, Hodge does not expressly disclose wherein in response to the BMC executing the authenticated first application image file or the authenticated second application image file, the host executes a boot procedure.
In the same field of endeavor (e.g., maintaining a secure execution environment on a server by implementing security logic that can verify the firmware in the non-volatile memory while holding the processor and/or a baseboard management controller (BMC) in power reset, and release the processor and the BMC from reset to boot the processor and the BMC after the firmware is verified), Liguori teaches
wherein in response to the BMC executing the authenticated first application image file or the authenticated second application image file, the host executes a boot procedure ["server 200 may include a second processor, such as a baseboard management controller (BMC) 240 for managing the operation of server 200..", 0035; "Non-volatile memory may include firmware for BMC and embedded controllers..", 0038;
"At operation 830, after the verification and/or update of the firmware in the non-volatile memory, the programmable security logic may release BMC 520 from power reset using, for example, reset signals from reset controller 550 of FIG. 5, to enable booting BMC 520 using corresponding verified firmware in the non-volatile memory. In one example, the programmable security logic may de-assert the reset signal to release the BMC from reset.", 0090; "At operation 840, the programmable security logic may release processor(s) 510 from power reset using, for example, reset signals from reset controller 550 of FIG. 5, to enable booting processor(s) 510 using corresponding verified firmware in the non-volatile memory..", 0091; "the processor and/or BMC may access the non-volatile memory under the control of the programmable security logic and boot a customer's operating system or virtualization system..", 0094; (i.e., the processor is released from reset to boot to an operating system after the BMC executes the verified firmware. Hence, in response to the BMC executing the verified firmware, the host/processor executes a boot procedure)].
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Liguori with Hodge. Liguori's teaching of holding the BMC and processor in the reset state during the firmware verification process would substantially improve Hodge's system by preventing unauthorized users from accessing client data and other resources on server 500 through, for example, network interface 590 and BMC 520 [0060].
Regarding claim 8, Liguori teaches wherein, when the microcontroller is executing the dual secure boot procedure, the microcontroller transmits a reset signal to the BMC and the host to suspend operations of the BMC and the host [0064; 0090-0091].
Regarding claim 9, Hodge discloses wherein after the microcontroller successfully executes the first embedded-controller firmware or the second embedded-controller firmware [0048-0049].

Liguori teaches wherein after the microcontroller completes the dual secure boot procedure, the microcontroller de-asserts the reset signal to start the operation of the BMC [0090].

Claims 2, 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Hodge in view of Liguori as applied to claim 1, and further in view of Golov (U.S. Patent Application Publication 2020/0401533; hereinafter "Golov").
Regarding claim 2, Hodge discloses wherein the microcontroller includes a first read-only memory (ROM), and the first ROM stores a bootloader ["The embedded controller 102 further includes a read-only memory (ROM) 314, which can be used to store a boot loader 316 and an encryption key 318..", 0045].
However, Hodge and Liguori do not expressly disclose a one-time programmable (OTP) memory, wherein the OTP memory stores an ECDH (Elliptic Curve Diffie-Hellman Key Exchange) private key, a first ECDSA (Elliptic Curve Digital Signature Algorithm) public key, a second ECDSA public key, and an RSA public-key hash value.
In the same field of endeavor (e.g., preventing unauthorized access to memory devices by utilizing a one-time programmable (OTP) memory added to both a memory device and a processing device), Golov teaches
a one-time programmable (OTP) memory ["Each circuit (120a, 120b) includes an OTP memory (106a, 106b), authentication logic (108a, 108b), and a dedicated interface (110a, 110b)..", 0016], wherein the OTP memory stores the keys used for asymmetric cryptography ["asymmetric keys can be generated using any public-key cryptography standard such as Rivest-Shamir-Adleman (RSA), Diffie-Hellman,..", 0022; "When using asymmetric cryptography (e.g., Diffie-Hellman), the method (200) writes the respective private keys to the OTP memory of the processing device and external memory. Additionally, the method (200) can write both public keys to each device. In general, the method (200) writes all keys needed to encrypt and decrypt data between the devices using the specified encryption standard. The specific keys written to OTP banks may vary depending on the specific encryption standard used and the embodiments are not limited to a single, specific encryption technique.", 0023; (i.e., the OTP memory stores all the private and public keys of a public-key cryptography standard such as Rivest-Shamir-Adleman (RSA) or Diffie-Hellman that are needed to encrypt and decrypt data between the devices)].

However, Golov does not expressly disclose an ECDH (Elliptic Curve Diffie-Hellman Key Exchange) private key, a first ECDSA (Elliptic Curve Digital Signature Algorithm) public key, a second ECDSA public key, and an RSA public-key hash value.
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the teachings of Golov to store in the OTP memory an ECDH private key, a first ECDSA public key, a second ECDSA public key, and an RSA public-key hash value, since it has been held to be within the general skill of a worker in the art to select the specific encryption/decryption standard on the basis of its suitability for the intended use as a matter of design choice.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Golov with Hodge in view of Liguori. Golov's use of a one-time programmable (OTP) memory to store the keys generated using symmetric/asymmetric cryptography would substantially increase the security of Hodge in view of Liguori's system.
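The control flow the examiner maps onto claims 1, 8 and 9 (ROM bootloader verifies the EC firmware in the primary or secondary flash, the verified EC firmware then verifies the application image, and the BMC and host stay in reset until that succeeds) and the claim 2 point that only a hash of the RSA public key need sit in OTP can be seen together in the following model. This is an added illustration written for this page, not code from Hodge, Liguori, Golov or the application under examination. Two simplifications are assumed: image authenticity is checked with HMAC-SHA256 keyed from the ROM key as a stand-in for the ECDSA/RSA signature verification the references describe (the fallback and reset-gating logic is unchanged), and the application verification key is kept in flash next to the image while OTP holds only its SHA-256 hash, so the bootloader must hash the flash copy and compare it with OTP before trusting it.

```python
"""Model of a dual secure boot with reset gating and an OTP-anchored key.

Constructed example; not taken from Hodge, Liguori or Golov.  Assumptions:
  * HMAC-SHA256 under a ROM-resident key stands in for signature
    verification (a real design would verify an ECDSA/RSA signature);
  * the application verification key is stored in flash, and only its
    SHA-256 hash is in OTP (the "RSA public-key hash value" of claim 2).
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FlashSlot:
    """One of the two flash memories: EC firmware plus an application image."""
    ec_firmware: bytes
    ec_tag: bytes          # verification tag for ec_firmware under the ROM key
    app_image: bytes
    app_tag: bytes         # verification tag for app_image under app_key
    app_key: bytes         # flash copy of the application verification key


@dataclass
class Platform:
    rom_key: bytes                  # immutable key in the microcontroller ROM
    otp_app_key_hash: bytes         # SHA-256 of the trusted app_key, in OTP
    flash: List[FlashSlot]          # [primary, secondary]
    bmc_in_reset: bool = True
    host_in_reset: bool = True
    booted_slot: Optional[int] = None
    log: List[str] = field(default_factory=list)


def tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, expected: bytes) -> bool:
    # constant-time comparison so a corrupted tag leaks nothing via timing
    return hmac.compare_digest(tag(key, data), expected)


def dual_secure_boot(p: Platform) -> bool:
    """Try primary then secondary flash; release BMC/host only on success."""
    p.bmc_in_reset = p.host_in_reset = True       # assert reset (claim 8)
    for i, slot in enumerate(p.flash):
        # step 1: ROM bootloader verifies the EC firmware in this slot
        if not verify(p.rom_key, slot.ec_firmware, slot.ec_tag):
            p.log.append(f"slot {i}: EC firmware rejected")
            continue
        # step 2: flash copy of the app key must match the OTP hash (claim 2)
        if not hmac.compare_digest(hashlib.sha256(slot.app_key).digest(),
                                   p.otp_app_key_hash):
            p.log.append(f"slot {i}: app key does not match OTP hash")
            continue
        # step 3: verified EC firmware authenticates the application image
        if not verify(slot.app_key, slot.app_image, slot.app_tag):
            p.log.append(f"slot {i}: application image rejected")
            continue
        p.booted_slot = i
        p.bmc_in_reset = False                     # de-assert reset (claim 9)
        p.host_in_reset = False                    # host may now boot
        p.log.append(f"slot {i}: boot OK, BMC and host released")
        return True
    p.log.append("no valid slot; BMC and host remain in reset")
    return False


def build_platform(tamper_primary=False, tamper_secondary=False,
                   bad_key=False) -> Platform:
    """Constructed sample platform; the tamper flags simulate attacks."""
    rom_key = b"rom-key-constructed"
    app_key = b"app-key-constructed"

    def make_slot(version: bytes) -> FlashSlot:
        ec = b"EC firmware v" + version
        app = b"application image v" + version
        return FlashSlot(ec, tag(rom_key, ec), app, tag(app_key, app), app_key)

    primary, secondary = make_slot(b"1"), make_slot(b"2")
    if tamper_primary:
        primary.ec_firmware = b"EC firmware v1 (tampered)"
    if tamper_secondary:
        secondary.app_image = b"application image v2 (tampered)"
    if bad_key:
        primary.app_key = b"attacker-key"   # key swapped, tag left unchanged
    return Platform(rom_key, hashlib.sha256(app_key).digest(),
                    [primary, secondary])


if __name__ == "__main__":
    for kwargs in ({}, {"tamper_primary": True}, {"bad_key": True},
                   {"tamper_primary": True, "tamper_secondary": True}):
        plat = build_platform(**kwargs)
        ok = dual_secure_boot(plat)
        print(kwargs, "->", ok, "| slot", plat.booted_slot, "|", plat.log[-1])
```

The point worth checking in a real implementation is the last case: when both slots fail, the function returns without ever de-asserting reset, so a host and BMC that were never released cannot run unverified code. Swapping the verification key in flash (the bad_key case) is also caught before that key is ever used, because its hash no longer matches the OTP value.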

Regarding claim 3, Hodge and Liguori teach the limitations outlined in claims 1 and 2.
Golov teaches storing an ECDH public key and a first ECDSA private key, and storing an RSA private key ["each device includes one or more keys stored in OTP memory that can be used in during future communications between the devices", 0024; 0027; 0057; (i.e., it is apparent that the devices store the keys required for encryption/decryption corresponding to the keys stored in the OTP memory)].
Regarding claim 4, Hodge discloses wherein the first flash memory stores a first application configuration [0052] and the second flash memory stores a second application configuration [0052].
Golov teaches storing a second ECDSA private key [0024; 0027; 0057].

Allowable Subject Matter
Claims 5, 6, 7 and 10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Conclusion
    The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Montero et al., U.S. Patent Application Publication 2020/0202004, teaches information handling systems (IHSs) and, more particularly, systems and methods for securely initializing and operating IHSs.
Kotary et al., U.S. Patent Application Publication 2018/0095740, teaches a system on a chip that can include an embedded controller and a security controller that can detect, during an initialization process, a request for embedded controller firmware stored in block storage from the embedded controller via a transmission link.


   Any inquiry concerning this communication or earlier communications from the examiner should be directed to GAYATHRI SAMPATH whose telephone number is (571)272-5489. The examiner can normally be reached 8:30AM-5PM EST M-F.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jaweed Abbaszadeh, can be reached on 571-270-1640. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/GAYATHRI SAMPATH/Examiner, Art Unit 2187
/JAWEED A ABBASZADEH/Supervisory Patent Examiner, Art Unit 2187