DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The information disclosure statement filed 01/31/2022 fails to comply with the provisions of 37 CFR 1.97, 1.98 and MPEP § 609 because Under NPL, items 2 and 6 do not have a date.  It has been placed in the application file, but the information referred to therein (related to items 2 and 6) has not been considered as to the merits.  Applicant is advised that the date of any re-submission of any item of information contained in this information disclosure statement or the submission of any missing element(s) will be the date of submission for purposes of determining compliance with the requirements based on the time of filing the statement, including all certification requirements for statements under 37 CFR 1.97(e).  See MPEP § 609.05(a).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 4, 7-12, 16 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yarvis et al., (US Publication No. 2015/0058629), hereinafter “Yarvis”, and further in view of Weiss et al., (US Publication No. 2020/0242267), hereinafter “Weiss”.

Regarding claims 1 and 12, Yarvis discloses
establishing, by a processor, a trusted execution environment in a first computing device [Yarvis, paragraph 27, The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment], 
loading executable code into the trusted execution environment, wherein the executable code controls access to protected content and wherein the protected content comprises executable image data [Yarvis, paragraph 27, the client delivers both data and  instructions for execution on the server. In this case, the client is able to control both access to data as well as the processing that occurs on the data. The processing instructions are transmitted along with the data in the block marked "private data" in FIG. 2 and "encrypted payload" in FIG. 3. The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment]; and 
causing the executable code to execute in the trusted execution environment to analyze data of a second computing device and to provide the second computing device access to the protected content [Yarvis, paragraph 27, the client delivers both data and  instructions for execution on the server. In this case, the client is able to control both access to data as well as the processing that occurs on the data. The processing instructions are transmitted along with the data in the block marked "private data" in FIG. 2 and "encrypted payload" in FIG. 3. The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment].  

Yarvis does not specifically disclose, however Weiss teaches
wherein the trusted execution environment comprises an encrypted memory area [Weiss, paragraph 42, data owners may leverage multitenant machines that provide trusted execution environments and encrypted memory regions in order to securely store sensitive data such as cryptographic data or services (e.g., by executing a key management service or other transactional service within a trusted execution environment)].
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to provide an encrypted memory area for the storage and processing of data in order to provide a secure area for the processing.

Regarding claim 4, Yarvis-Weiss further discloses 
receiving, by the processor of the first computing device, a request from a third computing device [Yarvis, paragraphs 17, 34, 35] to establish the trusted execution environment in the first computing device [Yarvis, paragraph 27]; performing, by the processor, a remote attestation of hardware and code of the first computing device to the third computing device [Yarvis, paragraph 27]; and configuring, by the processor, the encrypted memory area and an area of the processor for the trusted execution environment [Weiss, paragraph 42].  

Regarding claim 7, Yarvis-Weiss further discloses 
wherein the data of the second computing devices comprises identification data of the protected content, wherein the identification data comprises an identifier of a Virtual Machine (VM) image [Yarvis, paragraphs 17, 27, 34, 35].  

Regarding claim 8, Yarvis-Weiss further discloses 
wherein the trusted execution environment uses memory encryption to isolate the executable code in the trusted execution environment from being accessed by processes executing external to the trusted execution environment [Weiss, paragraph 42, data owners may leverage multitenant machines that provide trusted execution environments and encrypted memory regions in order to securely store sensitive data such as cryptographic data or services (e.g., by executing a key management service or other transactional service within a trusted execution environment)].  

Regarding claim 9, Yarvis-Weiss further discloses 
wherein the trusted execution environment comprises the processor using hardware level encryption to store data in the encrypted memory area, wherein the hardware level encryption [Weiss, paragraph 43, Hardware Security Modules] uses cryptographic keys that are accessible to the processor and are inaccessible to all computing processes executed by the processor [Yarvis, paragraph 30, keys].  

Regarding claim 10, Yarvis-Weiss further discloses 
wherein the first computing device executes the executable code in the trusted execution environment as one or more use space processes, and wherein the executable code in the trusted execution environment is accessible to the one or more user space processes and is inaccessible to a kernel managing the one or more use space processes [Yarvis, paragraphs 17, 27, 34, 35].  

Regarding claim 11, Yarvis-Weiss further discloses 
wherein providing the second computing device with access to the protected content comprises the trusted execution environment executing the executable code to transmit the executable image data to the second computing device [Yarvis, paragraphs 17, 27, 34, 35].  

Regarding claim 16, Yarvis-Weiss further discloses 
wherein the trusted execution environment uses memory encryption to isolate the executable code in the trusted execution environment from being accessed by processes executing external to the trusted execution environment [Weiss, paragraph 42, data owners may leverage multitenant machines that provide trusted execution environments and encrypted memory regions in order to securely store sensitive data such as cryptographic data or services (e.g., by executing a key management service or other transactional service within a trusted execution environment)].  

Regarding claim 17, Yarvis-Weiss further discloses 
receiving a request to initiate a trusted execution environment from a management device [Yarvis, paragraph 29, The computation occurs in the third party trusted hardware and only an encrypted request and result data are transmitted through the untrusted service provider]; 
establishing a trusted execution environment in the data exchange device [Yarvis, paragraph 27, The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment], wherein the trusted execution environment comprises an encrypted memory area [Weiss, paragraph 42, data owners may leverage multitenant machines that provide trusted execution environments and encrypted memory regions in order to securely store sensitive data such as cryptographic data or services (e.g., by executing a key management service or other transactional service within a trusted execution environment)]; 
loading data into the trusted execution environment, the data comprising executable code that controls access to protected content [Yarvis, paragraph 27, the client delivers both data and  instructions for execution on the server. In this case, the client is able to control both access to data as well as the processing that occurs on the data. The processing instructions are transmitted along with the data in the block marked "private data" in FIG. 2 and "encrypted payload" in FIG. 3. The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment]; 
receiving a request to access the protected content from a computing device [Yarvis, paragraph 31, Thus, the enterprise client device 106 includes the enterprise data 108 and the client application 110 that communicates via path 116 within the enterprise 102 with the enterprise server 112. l11e enterprise server 112 has the security policy for cloud processing of data and the enterprise service 118 with public and private keys 120 and 122. The trusted execution environment 128 also includes public and private keys 130 and 132 within the cloud 104]; and 
causing the executable code to execute in the trusted execution environment to analyze data of the computing device and to provide the computing device access to the protected content [Yarvis, paragraph 27, the client delivers both data and  instructions for execution on the server. In this case, the client is able to control both access to data as well as the processing that occurs on the data. The processing instructions are transmitted along with the data in the block marked "private data" in FIG. 2 and "encrypted payload" in FIG. 3. The server can be protected either by requiring that the instructions be signed or that the instructions be interpreted in a sandbox (e.g. Java Virtual Machine), running in the trusted execution environment].  

Claim(s) 2, 3, 5, 6, 13, 14, 15 and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Yarvis-Weiss as applied to claim 1 above, and further in view of Oh et al., (US Publication No. 2018/0089438), hereinafter “Oh”.

Regarding claims 2, 13, 18, Yarvis-Weiss does not specifically disclose, however Oh teaches
wherein the executable image data comprises a network bootable image of an operating system and wherein the executable code executed in the trusted execution environment controls access to the network bootable image [Oh, paragraph 22, the virtual machine 120 may be built to provide network booting functionality, such as network booting according to the Preboot eXecution Environment (PXE) specification which utilizes DHCP and TFTP services].  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention include a network bootable image in order to provide a secure way of maintaining a bootable image on the network for use when needed.

Regarding claims 3, 14, 19, Yarvis-Weiss-Oh further discloses
wherein the first computing device comprises a server portion of a Preboot Execution Environment (PXE) and the second computing device comprises a client portion of the Preboot Execution Environment (PXE) [Oh, paragraph 22, the virtual machine 120 may be built to provide network booting functionality, such as network booting according to the Preboot eXecution Environment (PXE) specification which utilizes DHCP and TFTP services].  
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention include a Server portion for running the Environment and a client portion for providing the specifications for the setup of the Execution environment.

Regarding claims 5, 15 and 20, Yarvis-Weiss-Oh further discloses
wherein the executable code executed in the trusted execution environment of the first computing device uses a Trivial File Transfer Protocol (TFTP) to retrieve the protected content from a third computing device and to transfer the protected content to the second computing device [Oh, paragraph 22, TFTP].  

Regarding claim 6, Yarvis-Weiss-Oh further discloses
retrieving, by the first computing device, the protected content from a third computing device [Yarvis, paragraphs 17, 27, 34, 35], wherein the protected content comprises the executable image data and comprises configuration data to enable the second computing device to execute the executable image data [Oh, paragraph 22, the virtual machine 120 may be built to provide network booting functionality, such as network booting according to the Preboot eXecution Environment (PXE) specification which utilizes DHCP and TFTP services] Yarvis, paragraphs 17, 34, 35]; storing the executable image data in a persistent data storage device [Yarvis, paragraphs 17, 27, 34, 35]; receiving, by the first computing device, a request from the second computing device for the executable image data [Yarvis, paragraphs 17, 27, 34, 35]; and providing the second computing device with access to the executable image data in the persistent data storage device [Yarvis, paragraphs 17, 27, 34, 35].  

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to WILLIAM J GOODCHILD whose telephone number is (571)270-1589. The examiner can normally be reached M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Pwu can be reached on 571-272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/William J. Goodchild/Primary Examiner, Art Unit 2433