DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claim Interpretation
Examiner notes that Applicant has provided a limiting definition of the phrase “computer readable storage medium” at paragraph 87 of its specification that specifically excludes signals and other transitory media.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-7, 9, 11 and 14-20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Patent Application Publication No. 2015/0178504 by Nystrom et al. in view of U.S. Patent Application Publication No. 2016/0132345 by Bacher et al.
As to claims 1, 15 and 20, Nystrom discloses a computer-implemented method/product/system, comprising: 
obtaining, (Nystrom: Page 4, Sec 47; hypervisor manages virtual machines (guests) in the system and Page 5, Sec 57-60, measurements taken by and stored in the TPM, for example a measurement of a boot loader for a specific VM stored in the TPM, these measurements are used as control to determine if the VM has permission to be executed by the hypervisor); 
intercepting, (Nystrom: Fig 8; Page 8, Sec 212-125; 810 – key request received); 
determining, (Nystrom: Fig 8; Page 8, Sec 212-125; 815 - evaluation of whether policy satisfied), the determining comprising:
checking, by the secure interface control, for the presence of one or more system settings in the computing system (Nystrom: Fig 8; Page 8, Sec 212-125; 815 – evaluation of whether policy satisfied); 
and based on the checking determining the presence of the one or more system settings in the computing system (Nystrom: Fig 8; Page 8, Sec 212-125; 815 – evaluation of whether policy satisfied), enabling, by the secure interface control, initiation of the instance by the hypervisor, in the computing system, the enabling comprising: relaying, by the secure interface control, the command to the hypervisor (Nystrom: Fig 8; Page 8, Sec 212-125; 820 – virtual key provided to hypervisor if policy is satisfied and instance allowed).
Nystrom does not expressly disclose a secure interface control coupled to the hypervisor and performing all the stated functions.
Bacher discloses a secure interface control that controls the hypervisor (Bacher: 70 – Fig 3; Page 3, Sec 30-33; firmware acts as a secure controller for the hypervisor).
Nystrom and Bacher are analogous art because they are from the common area of hypervisor based VM systems.
It would have been obvious to one of ordinary skill in the art, at or before the effective filing date of the instant application, to use the firmware component of Bacher in the system of Nystrom. The rationale would have been to provide a single point of access to the hypervisor (Bacher: 70 – Fig 3; Page 3, Sec 30-33).
As to claims 2 and 16, the modified Nystrom/Bacher reference further discloses further comprising: based on the checking determining no presence of the one or more system settings in the computing system, ignoring, by the secure interface control, the command (Nystrom: Fig 8; Page 8, Sec 212-125; 820; if policy not satisfied, key not provided and command effectively ignored).
As to claims 3 and 17, the modified Nystrom/Bacher reference further discloses wherein obtaining the metadata further comprises: decrypting, by the secure interface control, a portion of the metadata linked to the image of the secure guest, wherein the metadata is integrity protected and the portion comprising a cryptographic measure of a boot image of the secure guest was encrypted by a key derived using a private key (Nystrom: Page 8, Sec 124).
As to claims 4 and 18, the modified Nystrom/Bacher reference further discloses wherein the encrypted portion of the metadata comprises the one or more controls (Nystrom: Page 4, Sec 45).
As to claims 5 and 19, the modified Nystrom/Bacher reference further discloses wherein each control of the one or more controls comprises an environmental constraint (Nystrom: Page 4, Sec 50-52). 
As to claim 6, the modified Nystrom/Bacher reference further discloses wherein the environmental constraints are selected from the group consisting of: systems configured to perform hardware measurements, and systems configured to use a non-system specific host key (Nystrom: Page 4, Sec 50-52).  
As to claim 7, the modified Nystrom/Bacher reference further discloses wherein the private key is owned by the secure interface control and used exclusively by the secure interface control (Nystrom: Page 8, Sec 120).
As to claim 9, the modified Nystrom/Bacher reference further discloses wherein the metadata comprises values derived from a boot image of the secure guest computed utilizing a collision resistant one-way function (Nystrom: Page 5, Sec 57).
As to claim 11, the modified Nystrom/Bacher reference further discloses wherein the metadata is inaccessible to the instance of the secure guest (Nystrom: Page 5, Sec 57-60, measurements taken by and stored in the TPM).
As to claim 14, the modified Nystrom/Bacher reference further discloses wherein intercepting the command by the hypervisor to initiate the instance of the secure guest from the image of the secure guest further comprises: performing, by secure interface control, an integrity check on the metadata; and based on successfully completing the integrity check, reading, by the secure interface control, the one or more controls in the metadata (Nystrom: Page 3, Sec 34).  

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 11,443,040. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims of the instant application represent a reorganization and broadening of the claims of the ‘040 Patent and on that basis, the claims of the ‘040 Patent anticipate the claims of the instant application.
As to claim 1, the ‘040 Patent discloses a computer-implemented method, comprising (Claim 1: A computer-implemented method, comprising): 
obtaining, by a secure interface control in a computing system, metadata linked to an image of a secure guest of an owner and managed by a hypervisor communicatively coupled to the secure interface control (Claim 1: obtaining, by a secure interface control in a computing system, wherein the secure interface control is communicatively coupled to a hypervisor, wherein the hypervisor manages one or more guests, metadata linked to an image of a secure guest of an owner and managed by the hypervisor), wherein the metadata comprises one or more controls, wherein each control of the one or more controls indicates to the secure interface control that the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on presence of one or more system settings in the computing system (Claim 1: wherein the metadata comprises one or more controls, wherein each control of the one or more controls indicates to the secure interface control whether the hypervisor is permitted to execute an instance of a secure guest generated with the image in the computing system based on a presence or absence of one or more system settings in the computing system); 
intercepting, by the secure interface control, a command by the hypervisor to initiate the instance of the secure guest from the image of the secure guest (Claim 1:  intercepting, by the secure interface control, a command by the hypervisor to initiate the instance of the secure guest from the image of the secure guest); 
determining, by the secure interface control, if the hypervisor is permitted to execute the instance (Claim 1: determining, by the secure interface control, based on the one or more controls and the presence or the absence of the one or more system settings, if the hypervisor is permitted to execute the instance), the determining comprising: 
checking, by the secure interface control, for the presence of one or more system settings in the computing system (Claim 1: determining, by the secure interface control, the presence or the absence of the one or more system settings in the computing system); and 
based on the checking determining the presence of the one or more system settings in the computing system, enabling, by the secure interface control, initiation of the instance by the hypervisor, in the computing system (Claim 1: based on determining that the hypervisor is permitted to execute the instance: enabling, by the secure interface control, initiation of the instance by the hypervisor, in the computing system), the enabling comprising: 
relaying, by the secure interface control, the command to the hypervisor (Claim 1:  based on relaying the intercepted command to the hypervisor).  
As to claim 2, the ‘040 Patent discloses a computer-implemented method of claim 1, further comprising: based on the checking determining no presence of the one or more system settings in the computing system, ignoring, by the secure interface control, the command (Claim 1: based on determining that the hypervisor is not permitted to execute the instance: ignoring, by the secure interface control, the command).
As to claim 3, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein obtaining the metadata further comprises: decrypting, by the secure interface control, a portion of the metadata linked to the image of the secure guest, wherein the metadata is integrity protected and the portion comprising a cryptographic measure of a boot image of the secure guest was encrypted by a key derived using a private key (Claim 2: The computer-implemented method of claim 1, wherein obtaining the metadata further comprises: decrypting, by the secure interface control, a portion of the metadata linked to the image of the secure guest, wherein the metadata is integrity protected and the portion comprising a cryptographic measure of a boot image of the secure guest was encrypted by a key derived using a private key).
As to claim 4, the ‘040 Patent discloses the computer-implemented method of claim 3, wherein the encrypted portion of the metadata comprises the one or more controls (Claim 3: The computer-implemented method of claim 2, wherein the encrypted portion of the metadata comprises the one or more controls).
As to claim 5, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein each control of the one or more controls comprises an environmental constraint (Claim 6: The computer-implemented method of claim 1, wherein each control of the one or more controls comprises an environmental constraint).
As to claim 6, the ‘040 Patent discloses the computer-implemented method of claim 5, wherein the environmental constraints are selected from the group consisting of: systems configured to perform hardware measurements, and systems configured to use a non-system specific host key (Claim 7: The computer-implemented method of claim 6, wherein the environmental constraints are selected from the group consisting of: systems configured to perform hardware measurements, and systems configured to use a non-system specific host key).
As to claim 7, the ‘040 Patent discloses the computer-implemented method of claim 3, wherein the private key is owned by the secure interface control and used exclusively by the secure interface control (Claim 4: The computer-implemented method of claim 2, wherein the private key is owned by the secure interface control and used exclusively by the secure interface control).
As to claim 8, the ‘040 Patent discloses the computer-implemented method of claim 7, wherein the key derived using the private key is shared between the secure interface control and the owner (Claim 5:  The computer-implemented method of claim 4, wherein the key derived using the private key is shared between the secure interface control and the owner).  
As to claim 9, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein the metadata comprises values derived from a boot image of the secure guest computed utilizing a collision resistant one-way function (Claim 8: The computer-implemented method of claim 1, wherein the metadata comprises values derived from a boot image of the secure guest computed utilizing a collision resistant one-way function).
As to claim 10, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein the one or more controls each comprise a positive designation or a negative designation for a given system setting, wherein the positive designation indicates that the instance of the secure guest is permitted to execute in the computing system comprising the given system setting and the negative designation indicates that the instance of the secure guest is not permitted to execute in the computing system comprising the given system setting (Claim 9: The computer-implemented method of claim 1, wherein the one or more controls each comprise a positive designation or a negative designation for a given system settings, wherein the positive designation indicates that the instance of the secure guest is permitted to execute in the computing system comprising the given system setting and the negative designation indicates that the instance of the secure guest is not permitted to execute in the computing system comprising the given system setting). 
As to claim 11, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein the metadata is inaccessible to the instance of the secure guest (Claim 10: The computer-implemented method of claim 1, wherein the metadata is inaccessible to the instance of the secure guest).
As to claim 12, the ‘040 Patent discloses the computer-implemented method of claim 1, further comprising: monitoring, by the secure interface control, the one or more system settings during runtime of the instance; determining, by the secure interface control, that at least one setting of the one or more settings changed during the runtime; identifying, by the secure interface control, a given control of the one or more controls relevant to the at least one setting; and determining, by the secure interface control, based on the at least one setting and the given control if the hypervisor is permitted to execute the instance (Claim 1: monitoring, by the secure interface control, the one or more system settings during runtime of the instance; determining, by the secure interface control, that at least one setting of the one or more settings changed during the runtime; identifying, by the secure interface control, a given control of the one or more controls relevant to the at least one setting; and determining, by the secure interface control, based on the at least one setting and the given control if the hypervisor is permitted to execute the instance).
As to claim 13, the ‘040 Patent discloses the computer-implemented method of claim 12, further comprising: based on determining that the hypervisor is not permitted to execute the instance, terminating, by the secure interface control, via the hypervisor, the instance (Claim 12: The computer-implemented method of claim 1, further comprising: based on determining that the hypervisor is not permitted to execute the instance, terminating, by the secure interface control, via the hypervisor, the instance).
As to claim 14, the ‘040 Patent discloses the computer-implemented method of claim 1, wherein intercepting the command by the hypervisor to initiate the instance of the secure guest from the image of the secure guest further comprises: performing, by secure interface control, an integrity check on the metadata; and based on successfully completing the integrity check, reading, by the secure interface control, the one or more controls in the metadata (Claim 13: The computer-implemented method of claim 1, wherein intercepting the command by the hypervisor to initiate the instance of the secure guest from the image of the secure guest further comprises: performing, by secure interface control, an integrity check on the metadata; and based on successfully completing the integrity check, reading, by the secure interface control, the one or more controls in the metadata).
Claims 15-19 recite a system commensurate in scope to the method of claims 1-5 and are thus rejected under a substantially similar rationale.
Claim 20 recites a computer program product commensurate in scope to the method of claim 1 and is thus rejected under a substantially similar rationale.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL S MCNALLY whose telephone number is (571)270-1599. The examiner can normally be reached Monday-Friday, 8:30 AM - 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469)295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

MICHAEL S. MCNALLY
Primary Examiner
Art Unit 2432


