DETAILED ACTION
The following claims are pending in this office action: 1-20
The following claims are amended:  1, 11-13, 15-16, 18, and 20
The following claims are new: -
The following claims are cancelled: -
Claims 1-20 are rejected. This rejection is FINAL.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Previous Objections and Rejections Withdrawn
The 35 USC § 112(f) interpretations of claims 11-13, 15-16 and 18 are withdrawn in light of applicant’s persuasive arguments.
The 35 USC § 112(b) rejection to claim 20 is withdrawn in light of the amendments.  
The 35 USC § 101 rejection to claim 20 is withdrawn in light of the amendments.  
RESPONSE TO ARGUMENTS
Applicant’s arguments filed with the amendment of 06/29/2022 have been fully considered but are moot in view of new grounds of rejection necessitated by amendment.
Applicant remarks: Independent claim 1 is amended to recite a method that minimizes the trusted computing base by “accessing a set of programmable fuses on a die of the processing device, the computer system comprising the processing device as a root of trust for a secure boot process” and “deriving, by the processing device, an encryption key using a value encoded by the set of programmable fuses on the die of the processing device.” This amended limitation is disclosed by Diamant et al. (US Patent No. 10,565,382) as explained below.
Independent claims 12 and 20 are amended in a similar way to claim 1 and the amended limitations are disclosed by Diamant et al. (US Patent No. 10,565,382) as explained below.  
Dependent claims 2-11 and 13-19 depend on independent claims 1 and 12.  The amended elements in the independent claims are disclosed by Diamant et al. (US Patent No. 10,565,382) as explained below, and so any additional features to the dependent claims are rejected accordingly.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 7, 9-10, 12-13, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Diamant et al. (US Patent No. 10,565,382) (hereinafter “Diamant”) in view of Dover (US Pub. 2018/0307867) (hereinafter “Dover”).

As per claim 1, Diamant teaches a computer-implemented method of performing a secure boot of a processing device of a computer system, the method comprising: accessing a set of programmable fuses on a die of the processing device, ([Diamant, Fig. 1; col. 3, ln. 58-59] “the TPM [processing device] is provided as part of the integrated circuit [a die]”; [col. 3, ln. 15-19] “the [integrated circuit] includes various types of embedded memory 125 including boot ROM 127 … programmed using fuses”; [col. 6, ln. 11-16] “by measuring [accessing] a first portion of executable code stored in boot ROM [fuses] … a first measurement value is produced”) the computer system comprising the processing device as a root of trust for a secure boot process ([col. 3, ln. 37-40] “The TPM can provide a root of trust”; [col. 7, ln. 65-67] “the computer 110 [the computer system comprising the TPM – see Fig. 1] described … used to perform the illustrated method of secure boot”) and a non-volatile memory ([col. 4, ln. 2-4] “executable boot code can be stored in one or more of the storage devices coupled to the computer 110”; “The boot ROM 127 [memory] … cannot be readily altered after CPU 120 is manufactured” [non-volatile]) storing a basic input/output system (BIOS) for the secure boot process; ([col. 7, ln. 36-42] “authenticate a third portion of boot code used to continue the boot process [secure boot process] … by authenticating system BIOS”; [col. 5, ln. 60-61] “executable code stored in the CPU boot ROM 127”)
deriving, by the processing device, an encryption key, ([Diamant, col. 6, ln. 59-65] “a key stored in non-volatile memory of the TPM [an encryption key - see col. 6, ln. 1-2: “the key is encrypted and stored in memory using the measurement data as an encryption key”] is unsealed [derived]… The unsealing operation combines the second measurement value stored in the TPM PCR with the key stored in immutable storage and produces a key that is an output of the TPM [by the processing device]”) using a value encoded by the set of programmable fuses on the die of the processing device; and ([col. 6, ln. 48-52] “in order to recreate the measurement values, the previous set of first values [value encoded] are used to generate a measurement that is then used as a starting point for producing a second set of measurement data for the second set of values”; [col. 6, ln. 11-16] “by measuring [using] a first portion of executable code stored in boot ROM [set of programmable fuses on the die] … a first measurement value [value encoded] is produced”)
authenticating, by the processing device, ([Diamant, col. 7, ln. 46-47] “authenticating code executed by the processor to perform the measuring”) the BIOS to perform the secure boot process.  ([Col. 7, ln. 36-42] “the second portion of software can, for example, authenticate a third portion of boot code used to continue the boot process [secure boot] …by authenticating system BIOS”) 
Diamant does not clearly teach perform the secure boot process using a key derivation algorithm based on the encryption key.
However, Dover teaches perform the secure boot process ([para. 0025] the verification process authenticates initial boot code to ensure secure operation of the computing device [a secure boot process]) using a key derivation algorithm based on the encryption key. ([para. 0026] the derived secret generator hashes the device secret [the encryption key] and the data to generate a derived secret [the key used to authenticate the boot code])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant with the teachings of Dover to include perform the secure boot process using a key derivation algorithm based on the encryption key.  One of ordinary skill in the art would have been motivated to make this modification because the verification process may be implemented securely, and the implementation can remove the risk that a compromised bootloader could expose the device secret.  (Dover, para. 0020)

As per claim 2, Diamant in view of Dover teaches claim 1.  
Diamant in view of Dover does not clearly teach using the encryption key to provision a public key for the processing device and a private key for the processing device.
However, Dover teaches using the encryption key to provision a public key for the processing device and a private key for the processing device. ([Dover, Fig. 2, para. 0032] system uses a processor [see para. 0048] to generate a public-private key pair for the host system processor based on the device secret [encryption key])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant with the teachings of Dover to include using the encryption key to provision a public key for the processing device and a private key for the processing device.  One of ordinary skill in the art would have been motivated to make this modification because creating the public private key allows the computer device to send a message to verify that the boot code has not changed either due to an error or an attack.  (Dover, para. 0032)

As per claim 7, Diamant in view of Dover teaches claim 2.
Diamant in view of Dover does not clearly teach cross-authenticating the public key for the processing device with one or more public keys for each of one or more computing devices of the computer system, to determine whether a subset of the one or more public keys for each of the one or more computing devices has been altered, wherein the one or more computing devices of the computer system include a secure system management device and a server.
However, Dover teaches cross-authenticating the public key for the processing device with one or more public keys for each of one or more computing devices of the computer system, to determine whether a subset of the one or more public keys for each of the one or more computing devices has been altered, ([Dover, Fig. 2; Fig. 6; para. 0032; para. 0056] using the private key of each device, the public-private key pair is authenticated by the message sent from the device [cross-authentication the public key for the processing device – see para. 0048] with each public key in a public key repository [one or more public keys] to determine if one of the computer devices [a subset] corresponding to the public key repository is not in an expected state [has been altered]) wherein the one or more computing devices of the computer system include a secure system management device and a server.  ([Para. 0015; para. 0057-0058] the computing devices includes servers and secure memory devices)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Diamant and Dover for the same reasons as disclosed above.  

As per claim 9, Diamant in view of Dover teaches claim 1.
Diamant also teaches determining whether a hash of data ([Diamant, col. 2, ln. 11-14] “the measurement values can be generated by performing a sequence of hash operations”) written to a particular address of a first memory storage unit of the computer system matches ([col. 4, ln. 65-67] “the measurement data … is compared [matches] to a value stored in the non-volatile memory 137 [a particular address of a first memory storage unit]; [col. 8, ln. 9-11] the validating can include comparing [matches] the resulting … value [second measurement value – see col. 8, ln. 16-29] to an expected measurement value [value stored in the non-volatile memory 137 – see col. 2, ln. 42-44]”) a hash of data read from a second memory storage unit of an I/O device of the computer system.  ([col. 6, ln. 41-42] “a second set of values stored in memory coupled to the CPU [second memory: see col. 3, ln. 60 – “the CPU 120 is further coupled to an I/O and memory interface 140 that controls access and provides data to and from a number of memory”] are measured”)

As per claim 10, Diamant in view of Dover teaches claim 1.
Diamant also teaches an initialization patch in the BIOS.  ([Diamant, col. 1, ln. 61-62] “The first concept involves adding a new boot stage executable [patch]”; [col. 2, ln. 47-48] “This new boot stage can initialize the TPM” [an initialization patch]; [col. 3, ln. 19-21] “The boot ROM 127 is typically the first code [includes the initialization patch] that is executed by the CPU 120 upon initiating execution on boot [in the BIOS as the boot/execution code includes the BIOS – see col. 7, ln. 36-42]”) 
a value encoded using the set of programmable fuses.  ([Diamant, col. 6, ln. 11-16] “by measuring [using] a first portion of executable code stored in boot ROM [set of programmable fuses on the die] … a first measurement value is produced [value encoded]”)
Diamant does not clearly teach wherein the key derivation algorithm is further based in part on a one-way hash of data, wherein the data is used to perform the key derivation algorithm based on a one-way hash of the value encoded in the processing device and the one-way hash of the data.
However, Dover teaches wherein the key derivation algorithm is further based in part on a one-way hash of the data, wherein the data is used to perform the key derivation algorithm ([Dover, para. 0026] the key derivation algorithm is the HMAC [one-way hash] of the data [boot code/BIOS code].  The BIOS code as an initialization patch is taught by Diamant above) based on a one-way hash of the value encoded in the processing device and the one-way hash of the initialization patch. ([Para. 0026; para. 0028] the derived secret is based on the HMAC [one-way hash] of both a secret value [an encryption key/value encoded in the processing device] and the HMAC of the data.  A value encoded using the set of programmable fuses was taught by Diamant above)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant with the teachings of Dover to include wherein the key derivation algorithm is further based in part on a one-way hash of data, wherein the data is used to perform the key derivation algorithm based on a one-way hash of the value encoded in the processing device and the one-way hash of the data.  One of ordinary skill in the art would have been motivated to make this modification because with this approach, it would be essentially impossible to regenerate the derived key without knowing the device secret due to the nature of the one-way hash function.  (Dover, para. 0028)
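The derivation the examiner maps from Diamant and Dover across the claim 1 and claim 10 rejections (a key derived from the fuse-encoded value, then a key derivation algorithm over a one-way hash of the BIOS data), written out as an added illustrative model. This is not code from the application or from any cited reference; SHA-256 as the one-way hash, HMAC-SHA256 as the key derivation algorithm, the fuse value and the BIOS image are all assumptions.

```python
"""Model of a fuse-rooted secure-boot key derivation (illustrative; assumptions
throughout: SHA-256 as the one-way hash, HMAC-SHA256 as the key derivation
algorithm, constructed fuse and BIOS values)."""
import hashlib
import hmac
from typing import Optional

# Constructed sample inputs; not values taken from any cited reference.
FUSE_VALUE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # on-die fuse bank
GOLDEN_BIOS = b"BIOS v1.0 initial boot block -- constructed sample image"


def derive_encryption_key(fuse_value: bytes) -> bytes:
    """Encryption key = one-way hash of the fuse-encoded value (claim 8 mapping).
    The raw fuse value is consumed here and never handed to later boot stages."""
    return hashlib.sha256(b"fuse-derived-secret|" + fuse_value).digest()


def measure(data: bytes) -> bytes:
    """Measurement of a boot component: a one-way hash of its bytes (claim 9 mapping)."""
    return hashlib.sha256(data).digest()


def key_derivation(encryption_key: bytes, data: bytes) -> bytes:
    """Derived secret = HMAC(encryption key, one-way hash of data) (claim 10 mapping).
    Because HMAC is one-way, a stage holding the derived secret and the data
    cannot recover the encryption key."""
    return hmac.new(encryption_key, measure(data), hashlib.sha256).digest()


class RootOfTrust:
    """Processing device holding the fuses and an expected BIOS measurement."""

    def __init__(self, fuse_value: bytes, golden_bios: bytes) -> None:
        self._fuse_value = fuse_value
        # Provisioning: the expected measurement of the trusted BIOS is stored
        # (the analogue of a value kept in non-volatile memory for comparison).
        self._expected_measurement = measure(golden_bios)

    def secure_boot(self, bios_image: bytes) -> Optional[bytes]:
        """Authenticate the BIOS against the stored measurement. On success,
        return the derived secret for the next boot stage; on mismatch return
        None, so no fuse-derived material is released to an altered BIOS."""
        if not hmac.compare_digest(measure(bios_image), self._expected_measurement):
            return None
        encryption_key = derive_encryption_key(self._fuse_value)
        return key_derivation(encryption_key, bios_image)


def demo() -> dict:
    """Run the two boot cases and report whether each was authenticated."""
    rot = RootOfTrust(FUSE_VALUE, GOLDEN_BIOS)
    tampered_bios = GOLDEN_BIOS.replace(b"v1.0", b"v1.0-modified")
    return {
        "golden_authenticated": rot.secure_boot(GOLDEN_BIOS) is not None,
        "tampered_authenticated": rot.secure_boot(tampered_bios) is not None,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```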

As per claim 12, Diamant teaches an apparatus, comprising at least one memory configured to store a basic input/output system (BIOS) for a secure boot process; and ([Diamant, col. 5, ln. 59-61] “executable code that is executed during boot [the BIOS] of the respective computer, for example, executable code stored in the CPU boot ROM 127 [at least one memory]”)
 a processing device comprising a set of programmable fuses on a die of the processing device and coupled to the at least one memory, ([Diamant, Fig. 1; col. 3, ln. 58-59] “the TPM [processing device] is provided as part of the integrated circuit [a die]”; [col. 3, ln. 15-19] “the [integrated circuit] includes various types of embedded memory 125 including boot ROM 127 … programmed using fuses) the processing device being configured as a root of trust for the secure boot process, ([col. 3, ln. 37-40] “The TPM can provide a root of trust”; [col. 7, ln 65-67] “the computer 110 [the computer system comprising the TPM – see Fig. 1] described … used to perform the illustrated method of secure boot”) the processing device being configured to execute one or more instructions of the secure boot process.  ([col. 4, ln. 6-8] “As shown, the TPM 130 [the processing device] includes a general purpose processor 131 that is used to supervise execution of operations [instructions] provided by the TPM”; [col. 1, ln. 51-53] “key stored in the TPM is unsealed and can be used to provide secure boot [the secure boot process]”)
The apparatus claim comprises instructions that perform the steps of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus is rejected with the same rationale applied against claim 1.  

As per claim 13, the claim language is identical or substantially similar to that of claim 2. Therefore, it is rejected under the same rationale applied to claim 2.

As per claim 18, the claim language is identical or substantially similar to that of claim 7. Therefore, it is rejected under the same rationale applied to claim 7.

As per claim 20, Diamant teaches a computer-readable medium comprising at least one instruction. ([Diamant, col. 13, ln. 40-42] “Any of the disclosed methods can be implemented as computer-executable instructions stored on one or more computer-readable storage media”) 
The computer-readable medium claim causes a processing device to perform the steps of the method of claim 1, has language that is identical or substantially similar to the method of claim 1, and thus the computer-readable medium claim is rejected with the same rationale applied against claim 1.  

Claims 3, 8, 14, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Diamant in view of Dover and further in view of Mondello et al. (US Pub. 2020/0307401) (hereinafter “Mondello”).

As per claim 3, Diamant in view of Dover teaches claim 2.
Diamant in view of Dover does not clearly teach wherein the public key for the processing device and the private key for the processing device are provisioned using one or more random numbers generated by a random number generator of the processing device.
However, Mondello teaches wherein the public key for the processing device and the private key for the processing device are provisioned using one or more random numbers generated by a random number generator of the processing device.  ([Mondello, Fig. 9A; para. 0092] a key generator takes a random number generated by a random number generator and outputs a public key and private key.  [Para. 0030] the system includes a processing device that executes the method, and so the components are of and for the processing device)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant in view of Dover with the teachings of Mondello to include wherein the public key for the processing device and the private key for the processing device are provisioned using one or more random numbers generated by a random number generator of the processing device.  One of ordinary skill in the art would have been motivated to make this modification because a random number generator can create a deterministic public key which can be used to validate a component with the corresponding private key (Mondello, para. 0092; para. 0097)

As per claim 8, Diamant in view of Dover teaches claim 1.
Diamant in view of Dover does not clearly teach wherein the encryption key is derived from a one-way hash of the value encoded by the set of programmable fuses in the processing device.
However, Mondello teaches wherein the encryption key is derived from a one-way hash of the value encoded by the set of programmable fuses in the processing device.  ([Mondello, para. 0019; para. 0088] the immutable loader [set of programmable fuses] generates a first key/fuse-derived secret FDS [encryption key] by performing a one-way hash of the immutable loader in the device [a processing device – see para. 0030])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant in view of Dover with the teachings of Mondello to include wherein the encryption key is derived from a one-way hash of the value encoded by the set of programmable fuses in the processing device.  One of ordinary skill in the art would have been motivated to make this modification because a hash of the immutable loader/set of programmable fuses allows for layers of generated keys/hashes to verify the identity of the device which cannot be invalidly replaced by attackers and will allow the device to maintain its integrity.  (Mondello, para. 0019; para. 0022)

As per claim 14, the claim language is identical or substantially similar to that of claim 3. Therefore, it is rejected under the same rationale applied to claim 3.

As per claim 19, the claim language is identical or substantially similar to that of claim 8. Therefore, it is rejected under the same rationale applied to claim 8.

Claims 4-6 and 15-17 are rejected under 35 U.S.C. 103 as being unpatentable over Diamant in view of Dover and further in view of Everson et al. (US Pub. 2020/0100108) (hereinafter “Everson”).

As per claim 4, Diamant in view of Dover teaches claim 2.
Diamant in view of Dover does not clearly teach wrapping the public key for the processing device with the encryption key; and encoding the wrapped public key in a key provisioning blob.
However, Everson teaches wrapping the public key for the processing device with the encryption key; and ([Everson, Fig. 15; para. 0184] a symmetric cryptographic key [encryption key] encrypts [wraps] a public key.  [Para. 0093] the method is performed by the processing device, and the disclosed components are for the processing device)
encoding the wrapped public key in a key provisioning blob.  ([Everson, Fig. 15; para. 0184] the public key is built [encoded] in a credential blob [key provisioning blob] which is encrypted [wrapped] by the symmetric key)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant in view of Dover with the teachings of Everson to include wrapping the public key for the processing device with the encryption key; and encoding the wrapped public key in a key provisioning blob.  One of ordinary skill in the art would have been motivated to make this modification because putting keys into a blob encrypted by an encryption key, as opposed to hashing which is one-way, allows the elements contained within to be transmitted as a large binary payload, and allows for incorporation of other elements into the payload, such as a nonce, to prevent replay attacks.  (Everson, para. 0184-0185)

As per claim 5, Diamant in view of Dover teaches claim 4.
Diamant does not clearly teach performing a second authentication of the BIOS using the public key for the processing device.  
However, Dover teaches performing a second authentication of the BIOS using the public key for the processing device.  ([Dover, para. 0032, Fig. 2] “a computer 250 uses a public-private key pair to perform the authentication” [a second authentication – a first authentication was described in para. 0031: “the derived secret KSD may be utilized by an identification and authorization process 135 to verify that the correct data 112 is present”]; “The signature of the derived secret KSD 130 may be independently verified by the third-party 220 using the public key [using the public key]”.  An identified public key is taught by Everson below)
Diamant in view of Dover does not clearly teach decoding the key provisioning blob to identify the wrapped public key; and unwrapping the wrapped public key to identify the public key for the processing device.
However, Everson teaches decoding the key provisioning blob to identify the wrapped public key; and ([Everson, Fig. 17; para. 0194] the credential blob is decrypted [decoding] using the symmetric key to generate a decrypted credential blob containing the key [wrapped public key])
unwrapping the wrapped public key to identify the public key for the processing device.  ([Everson, Fig. 17; para. 0194] the public key is extracted [unwrapped] from a decrypted credential blob, identifying the public key by the processing device [performed by the processor and so, for the processing device; see para. 0093])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Diamant, Dover and Everson for the same reasons as disclosed above.  

As per claim 6, Diamant in view of Dover teaches claim 4.
Diamant in view of Dover does not clearly teach wherein the key provisioning blob includes an encrypted copy of an original equipment manufacturer (OEM) public key.
However, Everson teaches wherein the key provisioning blob includes an encrypted copy of an original equipment manufacturer (OEM) public key. ([Everson, Fig. 17; para. 0194] a public key is extracted from the decrypted credential blob, and so, a copy of the public key is included with the blob.  The blob is encrypted with the symmetric key, and so, the copy of the public key included with the blob is an encrypted copy; [Para. 0101] “The credential ordering system processes orders of credentials placed by a customer such as … an original equipment manufacturer”; [Para. 0138] “the … credential 900 includes … public key(s)” [an OEM public key as the key is ordered by the OEM])
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to combine the teachings of Diamant, Dover and Everson for the same reasons as disclosed above.  

As per claim 15, the claim language is identical or substantially similar to that of claim 4. Therefore, it is rejected under the same rationale applied to claim 4.

As per claim 16, the claim language is identical or substantially similar to that of claim 5. Therefore, it is rejected under the same rationale applied to claim 5.

As per claim 17, the claim language is identical or substantially similar to that of claim 6. Therefore, it is rejected under the same rationale applied to claim 6.

Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Diamant in view of Dover and further in view of Mundra et al. (US Pub. 2012/0008768) (hereinafter “Mundra”).

As per claim 11, Diamant in view of Dover teaches claim 1.
Diamant in view of Dover does not clearly teach wherein the processing device is further configured to access a secure hypervisor for memory traffic encryption with integrity and anti-replay by exposing a hardware encryption engine via a control register interface.
However, Mundra teaches wherein the processing device is further configured to access a secure hypervisor ([Mundra, para. 0249] “A hardware (HW) supported secure hypervisor runs at least on the SMP Core [processor core – a processing device]”) for memory traffic encryption with integrity ([para. 0060] “embodiments provide … packet engine to encrypt … data [memory traffic] … to provide integrity checks to protect host processor 100 from unwanted traffic”) and anti-replay ([para. 0051] “these embodiments can provide anti-replay protection”) by exposing a hardware encryption engine via a control register interface ([para. 0162] “MCE [a control register as “Mode Control Engine sequences… instructions to achieve {control} each desired encryption/authentication operational mode and leverage the … cores”; “MCE also has registers… to store the immediate result”, see para. 0074/Fig. 11, and an interface as the MCE is “a software controlled programmable engine”, see para. 0154/Fig. 11] … trigger [expose] multiple cryptographic engines and cores [the engines are hardware cores – see para. 0058]…  to achieve the confidential processing (encryption 310) [integrity/anti-replay protection]”)
It would have been obvious before the effective filing date of the claimed invention for one of ordinary skill in the art to have modified the elements disclosed by Diamant in view of Dover with the teachings of Mundra to include wherein the processing device is further configured to support memory traffic encryption with integrity and anti-replay using a secure hypervisor by exposing a hardware encryption engine via a control register interface.  One of ordinary skill in the art would have been motivated to make this modification because including such a component would promote a higher level of security and flexibility to various different encryption/decryption modes, and as encryption operation modes are developed, the software controlled programmable engine can be updated to support each new encryption operational mode.  (Mundra, para. 0154)
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Mathane et al. (US Pub. 2020/0213115) discloses a fuse bank with a root key on the same die as a processor, where an embedded controller (processing device) is established as a root of trust.
Nijhawan et al. (US Pub. 2019/0340365) discloses a BIOS storage 300 with a BIOS initial boot block (initialization patch in the BIOS).  Furthermore, security information 206b is stored in fuses of the processing system 206 which is associated with a public key to enable particular features in the system.  
Ruan et al. (US Pub. 2019/0220602) discloses secure fuses 202 on the same die as processor 200 where a CPU as an immutable root-of-trust for a system uses boot ROM 204 that is a BIOS extension.  
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ZHE LIU whose telephone number is (571) 272-3634.  The examiner can normally be reached on Monday - Friday: 8:30 AM to 5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/Z.L./Examiner, Art Unit 2493
/CARL G COLIN/Supervisory Patent Examiner, Art Unit 2493