Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This Office Action is in response to an amendment application received on 08/25/2022. In the amendment, applicant has amended claims 1, 10 and 17. Claims 2-9, 11-16 and 18-22 remain original. No new claim has been added. 
For this Office Action, claims 1-22 have been received for consideration and have been examined. 
Response to Arguments
Claim Rejections – 35 USC § 103
	Applicant’s remarks regarding rejection of claim under 35 USC § 103 have been reviewed by the examiner and summarized as follows:
By way of contrast, claim 1 recites "process trusted meta-data comprising an indication of a hardware component in a first trusted state utilized by a first application, the hardware component to be transitioned to a second trusted state and utilized by a second application, the first and second trusted states associated with secured keys for cryptography stored by the hardware component on a device." Consequently, at least this language of claim 1 is missing from the NPL. The other cited references fail to remedy the deficiencies of the NPL. Accordingly, claim 1 defines over all five cited references, whether taken alone or in combination. 

Examiner Response
	Applicant’s remarks regarding amended claim language have been reviewed by the examiner. Applicant mentions that amended language of claim 1 is missing from the NPL to which examiner respectfully disagrees. Examiner would like to note that primary reference of Hatakeyama discloses the concept of amended language where keys pertaining to processor(s) are stored in a secure memory of a device which are used to perform transition of processor(s) from one state to another state (Hatakeyama: [0009] & [0062]).
	Based on this, the amended language is still taught by the combination of the cited references and therefore the rejection has been maintained. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 6-10, 16-17 and 22 are rejected under 35 U.S.C. 103 as being unpatentable over Hatakeyama. (US20080282093A1) in view of Willman et al., (US20050033980A1) in view of Tian et al., (WO2016205976A1) and further in view of Caccamo et al., (US10649914B1).
Regarding claim 1, Hatakeyama discloses:
A system for managing access to hardware components comprising:
a processor: and a memory device comprising instructions that when executed by the processor cause the processor to:
process trusted meta-data (See FIG. 5 & [0088]; i.e. DMA command 120 containing Authorization Code for the processor trying to access the trusted storage location wherein Authorization Code containing management rights for the processor) comprising an indication of a hardware component (see FIG. 2 & FIG. 5; i.e. control circuit unit 132 in trusted data storage region 130) in a first processor [to be utilized by a first application], the hardware component to be transitioned to a second processor [to be utilized by a second application] ([0082] FIG. 5 is a block diagram of a data processing system 300 enabling access by a processor 102 in a first multiprocessor system 310 to a trusted data storage region 130 via an intervening second multiprocessor system 330 over a virtual private network (VPN) 340 in accordance with one or more embodiments of the present invention), 
the [trusted transition of] first and second trusted states associated with secured keys for cryptography stored by the hardware component on a device ([0009] & [0062] discloses the concept of amended language where keys pertaining to processor(s) are stored in a secure memory of a device which are used to perform transition of processor(s) from one state to another state),
detect a request to change a trust boundary (see FIG. 6; steps 404, 412 & 416; prepare & transmit DMA command to allow access to processor 302C and evaluate DMA command to determine authority to program Trusted Data Storage Location) associated with the hardware component from the first processor to the second processor ([0071] at actions 216 and 218, the DMA command 120 may be interrogated to determine whether the requesting processor 120 is authorized to access the specified trusted data storage location. In one or more embodiments, this may be achieved via the control circuit 132 evaluating the specific bits of the authorization code to determine that the processor 102 is in the secure mode of operation; [0088] At action 404, processor 102B preferably prepares a DMA command 120 for programming one or more trusted data storage locations … the DMA command 120 may include one or more authorization codes that may be used to set the operation of the trusted data storage location 134, such as to be one of: read-only, write-only, read/write, no access, limited access, and/or reset; [0089] At action 406, processor 102B preferably encrypts the DMA command 120 in accordance with VPN 340 and preferably sends the DMA command 120 over VPN 340 to processor 302C).
Hatakeyama fails to disclose:
	manage access [manage trust boundary between the application using trusted agents]  between a first application and a second application; save, responsive to the request, the first state of the first application accessing the processor, the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; [unload] remove the first trusted state from the hardware component, [load] initialize the second trusted state of the second application, load the second trusted state of the second application onto the hardware component, and execute the second application via the hardware component based on the second trusted state.
However, Willman discloses:
	manage access [manage trust boundary between the application using trusted agents] between a first application and a second application ([0049] FIG. 3 shows a monitoring agent 390 that corresponds to application 305 and monitoring agent 395 that corresponds to application 310 (step 400 in FIG. 4). Each monitoring agent or angel protects its associated application; [0051] an angel may take corrective or preventive action if it detects an anomalous or suspicious activity in its associated application. For example, the angel may detect an attempt by its associated application to alter a key variable in memory deemed invariant by the application creator, and intercept the write to the variable. Such a write operation would likely indicate, at the least, corruption of the application code, if not outright subversion by malevolent, e.g., viral, code);
	save, responsive to the request, the state of the first application accessing the processor ([0075] An angel may “project” its protectee in at least the following ways (steps 430 and 450): a. It may lock or mark as read-only various elements of memory, possibly in coordination with protectee behavior, to prevent certain changes (e.g., virus attacks) to the protectee. b. It may perform some key operations for the protectee, within its trusted space).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama reference and include a system to protect state of application through monitoring agents associated with each application, as disclosed by Willman. 
	The motivation to protect state of application through monitoring agents associated with each application is to ensure trustworthiness of application state within the system.
The combination of Hatakeyama and Willman fails to disclose:
	the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; [unload] remove the first trusted state from the hardware component, [load] initialize the second trusted state of the second application, load the second trusted state of the second application onto the hardware component, and execute the second application via the hardware component based on the second trusted state.
However, Tian discloses:
	the first application (i.e., VM 1401 includes a graphics application 1403) to comprise a set of memory addresses associated with the first application (i.e., VM 1401 mapped to a local VM physical memory 1450), and the second application (i.e., VM 1402 includes a graphics application 1404) to comprise a set of memory addresses associated with the second application (i.e., VM 1402 mapped to a local VM physical memory 1451) (See FIG. 14; [0117] As illustrated, the source VM 1401 includes a virtual graphics memory 1430 mapped to a local VM physical memory 1450 using a first GPU page table 1440 and the destination VM [i.e., construed as second application] includes a virtual graphics memory 1431 mapped to a local VM memory 1451 using a second GPU page table 1441. In addition, in one embodiment, the GPU page tables 1440-1441 map the virtual graphics memories 1430-1431 to a system memory 1460 for sharing memory pages between the first VM 1401 and the second VM 1402; Also see FIG. 14; [0118] a hypervisor 1420 controls the GPU page tables 1440-1441, either from two physical GPUs (in GPU pass-through scenario) , or from two virtual GPUs (in GPU sharing scenario) , to map to the same pages in system memory 1460 as specified by the source VM and the destination VM. Then the shared system memory 1460, mapped to different graphics memory addresses in the two VMs 1401-1402, is directly used as the render output in the source VM 1401 and the render input in the destination VM 1402).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Hatakeyama and Willman references and include an apparatus and method to assign distinct memory addresses to separate applications in a shared system memory in the virtual machine (VM) environment, as disclosed by Tian.
	The motivation to assign distinct memory addresses to separate applications is to increase communication efficiency between virtual machines in the shared system memory.
The combination of Hatakeyama, Willman and Tian fails to disclose:
unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Caccamo discloses:
	unload [remove] the first trusted state of the first application from the processor (Col. 16, Line # 24-28: Block 908 may involve determining that execution of the first application has completed. Block 910 may involve, possibly in response to determining that execution of the first application has completed, instructing the DMA engine to unload the first application),  
load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor (Col. 16, Line # 18-23; Block 906 may involve, possibly in response to determining that the second logical partition of the application scratchpad memory is empty and the second application is scheduled to execute, instructing the DMA engine to load the second application from the main memory into the second logical partition), and 
execute the second application via the processor based on the second trusted state (Col. 16, Line # 30-31: instructing the application processor core to execute the second application from the second logical partition).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Hatakeyama, Willman and Tian and include a method of unloading first application from the main memory after execution and loading and executing the second application from the main memory, as disclosed by Caccamo.
The motivation to include the method of unloading the first application and loading the second application from the main memory is to allow high-level scheduling of accesses to main memory 108, ultimately achieving conflict-free execution of tasks from local memories. Second, performance benefits derived from the usage of fast scratchpad memories are exploited, ultimately combining better performance with higher temporal determinism.	

 Regarding claim 6, the combination of Hatakeyama, Willman, Tian & Caccamo discloses:
The system of claim 1, wherein the processor is to access a register deemed secure for the first application and the same register deemed non-secure for the second application via the security component (Hatakeyama: [0049] Reference is now made to FIG. 3, which is a flow diagram of a method for programming a trusted data storage location (e.g., location 134) within trusted data storage region 130 by a processor 102 … it is preferred that, while in the secure mode, the memory-mapped input-output registers of memory flow controller 114 are not accessible to entities external to processor 102; [0086] At action 400, processor 102B of multiprocessor 310 preferably enters a secure mode of operation. Again, so as to ensure even higher levels of security and functionality with respect to the trusted storage location 134 (and/or other trusted locations), it is preferred that, while in the secure mode, the memory-mapped input-output registers of the memory flow controller 114 of processor 102B are not accessible to entities external to processor 102. Examiner Note: securing of I/O registers of the memory of processor 102B which contains trusted data storage is equivalent to claimed a register deemed secure for the first application but not for the second application which in this case is processor 102A).
Regarding claim 7, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The system of claim 1, wherein the processor is to detect a transition from a first trust boundary of the first application to a second trust boundary of the second application and detect a transition from the second trust boundary of the second application to the first trust boundary of the first application (Caccama: Col. 16, Line # 18-23; Block 906 may involve, possibly in response to determining that the second logical partition of the application scratchpad memory is empty and the second application is scheduled to execute, instructing the DMA engine to load the second application from the main memory into the second logical partition; Col. 16, Line # 24-28: Block 908 may involve determining that execution of the first application has completed. Block 910 may involve, possibly in response to determining that execution of the first application has completed, instructing the DMA engine to unload the first application).
Regarding claim 8, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The system of claim 1, wherein the trusted meta-data is hardware enforced or software enforced (Willman: [0056] monitor the loader, the cache manager, page fault handler, etc. to ensure that the correct bits are correctly loaded into a user mode process (or any other module loaded in the system), or properly signed, perhaps listed in a list of hashes kept within a table known by the archangel; [0058] The archangel 380 also supports per-process (restricted access) projection to angels ).
Regarding claim 9, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The system of claim 1, wherein the trusted meta-data defines a plurality of trusted states and rights management associated with each application (Willman: [0073] The angel can be restricted by declarative enforcement. For example, the nexus and/or the archangel may constrain the angel to project on only those processes which contain executables that match the executables declared in the manifest for the angel; [0074] The archangel 380 may enforce the above restrictions (blocks 440 and 450). For this purpose the archangel may be given extensive access to the LHS and, in which case it is subject to a level of scrutiny similar to that of the nexus (i.e., intense scrutiny); Examiner Note: enforcement by the angel is construed as defining trusted state of the application and right management associated with each application).
Regarding claim 10, Hatakeyama discloses:
A method for managing access to hardware components with a secure technique comprising:
processing trusted meta-data (See FIG. 5; i.e. DMA command 120) comprising an indication of a hardware component (see FIG. 5; i.e. trusted data storage region 130) in a first processor [to be utilized by a first application], the hardware component to be transitioned to a second processor [to be utilized by a second application] ([0082] FIG. 5 is a block diagram of a data processing system 300 enabling access by a processor 102 in a first multiprocessor system 310 to a trusted data storage region 130 via an intervening second multiprocessor system 330 over a virtual private network (VPN) 340 in accordance with one or more embodiments of the present invention),
the [trusted transition of] first and second trusted states associated with secured keys for cryptography stored by the hardware component on a device ([0009] & [0062] discloses the concept of amended language where keys pertaining to processor(s) are stored in a secure memory of a device which is used to perform transition of processor(s) from one state to another state),
detecting a request to change a trust boundary (see FIG. 6; steps 404; prepare & transmit DMA command to allow access to processor 302C) associated with the hardware component from the first processor to the second processor ([00171] at actions 216 and 218, the DMA command 120 may be interrogated to determine whether the requesting processor 120 is authorized to access the specified trusted data storage location. In one or more embodiments, this may be achieved via the control circuit 132 evaluating the specific bits of the authorization code to determine that the processor 102 is in the secure mode of operation; [0088] At action 404, processor 102B preferably prepares a DMA command 120 for programming one or more trusted data storage locations … the DMA command 120 may include one or more authorization codes that may be used to set the operation of the trusted data storage location 134, such as to be one of: read-only, write-only, read/write, no access, limited access, and/or reset; [0089] At action 406, processor 102B preferably encrypts the DMA command 120 in accordance with VPN 340 and preferably sends the DMA command 120 over VPN 340 to processor 302C).
Hatakeyama fails to disclose:
manage access [manage trust boundary between the application using trusted agents]  between a first application and a second application; save, responsive to the request, the first state of the first application accessing the processor, the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Willman discloses:
	manage access [manage trust boundary between the application using trusted agents] between a first application and a second application ([0049] FIG. 3 shows a monitoring agent 390 that corresponds to application 305 and monitoring agent 395 that corresponds to application 310 (step 400 in FIG. 4). Each monitoring agent or angel protects its associated application; [0051] an angel may take corrective or preventive action if it detects an anomalous or suspicious activity in its associated application. For example, the angel may detect an attempt by its associated application to alter a key variable in memory deemed invariant by the application creator, and intercept the write to the variable. Such a write operation would likely indicate, at the least, corruption of the application code, if not outright subversion by malevolent, e.g., viral, code);
	save, responsive to the request, the state of the first application accessing the processor ([0075] An angel may “project” its protectee in at least the following ways (steps 430 and 450): a. It may lock or mark as read-only various elements of memory, possibly in coordination with protectee behavior, to prevent certain changes (e.g., virus attacks) to the protectee. b. It may perform some key operations for the protectee, within its trusted space).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama reference and include a system to protect state of application through monitoring agents associated with each application, as disclosed by Willman. 
	The motivation to protect state of application through monitoring agents associated with each application is to ensure trustworthiness of application state within the system.
The combination of Hatakeyama and Willman fails to disclose:
	the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Tian discloses:
	the first application (i.e., VM 1401 includes a graphics application 1403) to comprise a set of memory addresses associated with the first application (i.e., VM 1401 mapped to a local VM physical memory 1450), and the second application (i.e., VM 1402 includes a graphics application 1404) to comprise a set of memory addresses associated with the second application (i.e., VM 1402 mapped to a local VM physical memory 1451) (See FIG. 14; [0117] As illustrated, the source VM 1401 includes a virtual graphics memory 1430 mapped to a local VM physical memory 1450 using a first GPU page table 1440 and the destination VM [i.e., construed as second application] includes a virtual graphics memory 1431 mapped to a local VM memory 1451 using a second GPU page table 1441. In addition, in one embodiment, the GPU page tables 1440-1441 map the virtual graphics memories 1430-1431 to a system memory 1460 for sharing memory pages between the first VM 1401 and the second VM 1402; Also see FIG. 14; [0118] a hypervisor 1420 controls the GPU page tables 1440-1441, either from two physical GPUs (in GPU pass-through scenario) , or from two virtual GPUs (in GPU sharing scenario) , to map to the same pages in system memory 1460 as specified by the source VM and the destination VM. Then the shared system memory 1460, mapped to different graphics memory addresses in the two VMs 1401-1402, is directly used as the render output in the source VM 1401 and the render input in the destination VM 1402).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Hatakeyama and Willman references and include an apparatus and method to assign distinct memory addresses to separate applications in a shared system memory in the virtual machine (VM) environment, as disclosed by Tian.
	The motivation to assign distinct memory addresses to separate applications is to increase communication efficiency between virtual machines in the shared system memory.
The combination of Hatakeyama, Willman and Tian fails to disclose:
unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Caccamo discloses:
	unload [remove] the first trusted state of the first application from the processor (Col. 16, Line # 24-28: Block 908 may involve determining that execution of the first application has completed. Block 910 may involve, possibly in response to determining that execution of the first application has completed, instructing the DMA engine to unload the first application),  
load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor (Col. 16, Line # 18-23; Block 906 may involve, possibly in response to determining that the second logical partition of the application scratchpad memory is empty and the second application is scheduled to execute, instructing the DMA engine to load the second application from the main memory into the second logical partition), and 
execute the second application via the processor based on the second trusted state (Col. 16, Line # 30-31: instructing the application processor core to execute the second application from the second logical partition).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Hatakeyama, Willman and Tian and include a method of unloading first application from the main memory after execution and loading and executing the second application from the main memory, as disclosed by Caccamo.
The motivation to include the method of unloading the first application and loading the second application from the main memory is to allow high-level scheduling of accesses to main memory 108, ultimately achieving conflict-free execution of tasks from local memories. Second, performance benefits derived from the usage of fast scratchpad memories are exploited, ultimately combining better performance with higher temporal determinism.
Regarding claim 15, the combination of Hatakeyama, Willman, Tian & Caccomo discloses:
The method of claim 10, comprising accessing a register deemed secure for the first application and the register, deemed non-secure for the second application via the hardware component (Willman: [0097]).
Regarding claim 16, the combination of Hatakeyama, Willman, Tian & Caccamo discloses:
The method of claim 10, comprising detecting a transition from a first trust boundary of the first application to a second trust boundary of the second application (Willman: [0016] & [0051]).
Regarding claim 17, Hatakeyama discloses:
A non-transitory computer readable media for managing access to hardware components comprising a plurality of instructions that, in response to execution by a processor, cause the processor to:
process trusted meta-data (See FIG. 5; i.e. DMA command 120) comprising an indication of a hardware component (see FIG. 5; i.e. trusted data storage region 130) in a first processor [to be utilized by a first application], the hardware component to be transitioned to a second processor [to be utilized by a second application] ([0082] FIG. 5 is a block diagram of a data processing system 300 enabling access by a processor 102 in a first multiprocessor system 310 to a trusted data storage region 130 via an intervening second multiprocessor system 330 over a virtual private network (VPN) 340 in accordance with one or more embodiments of the present invention),
the [trusted transition of] first and second trusted states associated with secured keys for cryptography stored by the hardware component on a device ([0009] & [0062] discloses the concept of amended language where keys pertaining to processor(s) are stored in a secure memory of a device which is used to perform transition of processor(s) from one state to another state),
detect a request to change a trust boundary (see FIG. 6; steps 404; prepare & transmit DMA command to allow access to processor 302C) associated with the hardware component from the first processor to the second processor ([00171] at actions 216 and 218, the DMA command 120 may be interrogated to determine whether the requesting processor 120 is authorized to access the specified trusted data storage location. In one or more embodiments, this may be achieved via the control circuit 132 evaluating the specific bits of the authorization code to determine that the processor 102 is in the secure mode of operation; [0088] At action 404, processor 102B preferably prepares a DMA command 120 for programming one or more trusted data storage locations … the DMA command 120 may include one or more authorization codes that may be used to set the operation of the trusted data storage location 134, such as to be one of: read-only, write-only, read/write, no access, limited access, and/or reset; [0089] At action 406, processor 102B preferably encrypts the DMA command 120 in accordance with VPN 340 and preferably sends the DMA command 120 over VPN 340 to processor 302C).
Hatakeyama fails to disclose:
manage access [manage trust boundary between the application using trusted agents]  between a first application and a second application; save, responsive to the request, the first state of the first application accessing the processor, the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Willman discloses:
	manage access [manage trust boundary between the application using trusted agents] between a first application and a second application ([0049] FIG. 3 shows a monitoring agent 390 that corresponds to application 305 and monitoring agent 395 that corresponds to application 310 (step 400 in FIG. 4). Each monitoring agent or angel protects its associated application; [0051] an angel may take corrective or preventive action if it detects an anomalous or suspicious activity in its associated application. For example, the angel may detect an attempt by its associated application to alter a key variable in memory deemed invariant by the application creator, and intercept the write to the variable. Such a write operation would likely indicate, at the least, corruption of the application code, if not outright subversion by malevolent, e.g., viral, code);
	save, responsive to the request, the state of the first application accessing the processor ([0075] An angel may “project” its protectee in at least the following ways (steps 430 and 450): a. It may lock or mark as read-only various elements of memory, possibly in coordination with protectee behavior, to prevent certain changes (e.g., virus attacks) to the protectee. b. It may perform some key operations for the protectee, within its trusted space).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama reference and include a system to protect state of application through monitoring agents associated with each application, as disclosed by Willman. 
	The motivation to protect state of application through monitoring agents associated with each application is to ensure trustworthiness of application state within the system.
The combination of Hatakeyama and Willman fails to disclose:
	the first application to comprise a set of memory addresses associated with the first application, and the second application to comprise a set of memory addresses associated with the second application; unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Tian discloses:
	the first application (i.e., VM 1401 includes a graphics application 1403) to comprise a set of memory addresses associated with the first application (i.e., VM 1401 mapped to a local VM physical memory 1450), and the second application (i.e., VM 1402 includes a graphics application 1404) to comprise a set of memory addresses associated with the second application (i.e., VM 1402 mapped to a local VM physical memory 1451) (See FIG. 14; [0117] As illustrated, the source VM 1401 includes a virtual graphics memory 1430 mapped to a local VM physical memory 1450 using a first GPU page table 1440 and the destination VM [i.e., construed as second application] includes a virtual graphics memory 1431 mapped to a local VM memory 1451 using a second GPU page table 1441. In addition, in one embodiment, the GPU page tables 1440-1441 map the virtual graphics memories 1430-1431 to a system memory 1460 for sharing memory pages between the first VM 1401 and the second VM 1402; Also see FIG. 14; [0118] a hypervisor 1420 controls the GPU page tables 1440-1441, either from two physical GPUs (in GPU pass-through scenario) , or from two virtual GPUs (in GPU sharing scenario) , to map to the same pages in system memory 1460 as specified by the source VM and the destination VM. Then the shared system memory 1460, mapped to different graphics memory addresses in the two VMs 1401-1402, is directly used as the render output in the source VM 1401 and the render input in the destination VM 1402).
	It would have been obvious to an ordinary skill in the art before the effective filing date of the claimed invention to modify the Hatakeyama and Willman references and include an apparatus and method to assign distinct memory addresses to separate applications in a shared system memory in the virtual machine (VM) environment, as disclosed by Tian.
	The motivation to assign distinct memory addresses to separate applications is to increase communication efficiency between virtual machines in the shared system memory.
The combination of Hatakeyama, Willman and Tian fails to disclose:
unload [remove] the first trusted state of the first application from the processor, load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor, and execute the second application via the processor based on the second trusted state.
However, Caccamo discloses:
	unload [remove] the first trusted state of the first application from the processor (Col. 16, Line # 24-28: Block 908 may involve determining that execution of the first application has completed. Block 910 may involve, possibly in response to determining that execution of the first application has completed, instructing the DMA engine to unload the first application),  
load [initialize] the second trusted state of the second application, load the second trusted state of the second application onto the processor (Col. 16, Line # 18-23; Block 906 may involve, possibly in response to determining that the second logical partition of the application scratchpad memory is empty and the second application is scheduled to execute, instructing the DMA engine to load the second application from the main memory into the second logical partition), and 
execute the second application via the processor based on the second trusted state (Col. 16, Line # 30-31: instructing the application processor core to execute the second application from the second logical partition).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Hatakeyama, Willman and Tian and include a method of unloading first application from the main memory after execution and loading and executing the second application from the main memory, as disclosed by Caccamo.
The motivation to include the method of unloading the first application and loading the second application from the main memory is to allow high-level scheduling of accesses to main memory 108, ultimately achieving conflict-free execution of tasks from local memories. Second, performance benefits derived from the usage of fast scratchpad memories are exploited, ultimately combining better performance with higher temporal determinism.
Regarding claim 22, the combination of Hatakeyama, Willman, Tian & Caccamo discloses:
The non-transitory computer readable media of claim 17, wherein the plurality of instructions cause the processor to access a register deemed secure for the first application and the register, deemed non-secure for the second application via the hardware component (Hatakeyama: [0034] The programmable trusted area may be a memory (such as an SRAM, DRAM, etc.), one or more hardware registers, etc. Preferably, the trusted area is implemented using one or more memory mapped input/output registers, where the secure processor may: (i) program the trusted area, and (ii) write/read data to/from the trusted area, using direct memory (DMA) access techniques).

Claims 2, 3, 4, 11, 12, 13, 18, 19 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Hatakeyama. (US20080282093A1) in view of Willman et al., (US20050033980A1) in view of Tian et al., (WO2016205976A1) in view of Caccamo et al., (US10649914B1) and further in view of “Hardware-Based Trusted Computing Architectures for Isolation and Attestation” NPL document date of publication: 05 January 2017 hereinafter referred as “NPL” .  
Regarding claim 2, the combination of Hatakeyama, Willman, Tian & Caccamo fails to disclose:
The system of claim 1, wherein the first state comprises at least one secure key associated with the first application and secured data corresponding to the first application.
However, NPL discloses:
	wherein the system comprises at least one secure key associated with the first application (i.e. software module SM1 in FIG. 1 on page # 362; See NPL section 5.6, Page # 367) and secured data (i.e. protected data section SM1 in FIG 1 is interpreted as first application; See NPL section 5.6, Page # 367) corresponding to the first application (See Page # 367-368, Section 5.6 Sancus: This instruction also derives the node key KN,SP,SM and stores it together with the layout in a protected storage area, inaccessible from software).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and include a hardware-only protected module architectures (PMAs), as disclosed by NPL document. 
	The motivation to include a hardware-only protected module architectures (PMAs) is to run multiple applications/software modules side by side, along with unprotected application to ensure that the state of the software modules is protected from the any other software running on the system. (See NPL document’s FIG.1 description on page # 362).
Regarding claim 3, the combination of Hatakeyama, Willman, Tian, Caccamo & NPL disclose:
The system of claim 2, wherein the second state comprises at least one secure key (i.e. key of SM2; see section 5.6) associated with the second application (i.e. software module SM1 in FIG. 1; See NPL section 5.6, Page # 367) and non-secured data (i.e. unprotected data section SM2 in FIG. 1 interpreted as second application; See NPL section 5.6, Page # 367) corresponding to the second application (See NPL Section 5.6, Page # 367; When an SM uses functionality from another protected module, it can use caller authentication to ensure that the other module was not tampered with. To this end, SM1 stores a MAC with its own key KN,SP,SM1 of SM2’s identity in an unprotected section. It can issue a special instruction at runtime to verify the MAC. The hardware also enforces a single entry point. This single physical entry point is not a limitation, as it can be multiplexed to multiple logical ones).
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and include a hardware-only protected module architectures (PMAs), as disclosed by NPL document. 
	The motivation to include a hardware-only protected module architectures (PMAs) is to run multiple applications/software modules side by side, along with unprotected application to ensure that the state of the software modules is protected from the any other software running on the system. (See NPL document’s FIG.1 description on page # 362).
Regarding claim 4, the combination of Hatakeyama, Willman, Tian, Caccamo & NPL discloses:
The system of claim 3, wherein the component comprises a multiplexor that transitions accessing the at least one secure key or the secured data associated with the first application to the at least one secure key or the non-secured data associated with the second application (See Section 5.11, Page # 371: The Secure Storage task seals data by storing it encrypted in non-secure memory. It is encrypted with a task key that is derived from idt. Tasks communicate with the secure storage via secure IPC. Finally, a trusted Interrupt Multiplexor (Int Mux) task is used to securely save the context of an interrupted task to its stack and clear the CPU registers before control is passed to the interrupt handler).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and include a hardware-only protected module architectures (PMAs), as disclosed by NPL document. 
	The motivation to include a hardware-only protected module architectures (PMAs) is to run multiple applications/software modules side by side, along with unprotected application to ensure that the state of the software modules is protected from the any other software running on the system. (See NPL document’s FIG.1 description on page # 362).
Regarding claim 11, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The method of claim 10, wherein the first state comprises at least one secure key associated with the first application and secured data corresponding to the first application.
However, NPL discloses:
	wherein the system comprises at least one secure key associated with the first application (i.e. software module SM1 in FIG. 1 on page # 362; See NPL section 5.6, Page # 367) and secured data (i.e. protected data section SM1 in FIG 1 is interpreted as first application; See NPL section 5.6, Page # 367) corresponding to the first application (See Page # 367-368, Section 5.6 Sancus: This instruction also derives the node key KN,SP,SM and stores it together with the layout in a protected storage area, inaccessible from software).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and include a hardware-only protected module architectures (PMAs), as disclosed by NPL document. 
	The motivation to include a hardware-only protected module architectures (PMAs) is to run multiple applications/software modules side by side, along with unprotected application to ensure that the state of the software modules is protected from the any other software running on the system. (See NPL document’s FIG.1 description on page # 362).
Regarding claim 12, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The method of claim 11, wherein the second state comprises at least one secure key (i.e. key of SM2; see section 5.6) associated with the second application (i.e. software module SM1 in FIG. 1; See NPL section 5.6, Page # 367) and non-secured data (i.e. unprotected data section SM2 in FIG. 1 interpreted as second application; See NPL section 5.6, Page # 367) corresponding to the second application (See NPL Section 5.6, Page # 367; When an SM uses functionality from another protected module, it can use caller authentication to ensure that the other module was not tampered with. To this end, SM1 stores a MAC with its own key KN,SP,SM1 of SM2’s identity in an unprotected section. It can issue a special instruction at runtime to verify the MAC. The hardware also enforces a single entry point. This single physical entry point is not a limitation, as it can be multiplexed to multiple logical ones).
Regarding claim 13, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The method of claim 12, wherein the component comprises a multiplexor that transitions accessing the at least one secure key or the secured data associated with the first application to the at least one secure key or the non-secured data associated with the second application (See Section 5.11, Page # 371: The Secure Storage task seals data by storing it encrypted in non-secure memory. It is encrypted with a task key that is derived from idt. Tasks communicate with the secure storage via secure IPC. Finally, a trusted Interrupt Multiplexor (Int Mux) task is used to securely save the context of an interrupted task to its stack and clear the CPU registers before control is passed to the interrupt handler).
Regarding claim 18, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The non-transitory computer readable media of claim 17, wherein the first state comprises at least one secure key associated with the first application and secured data corresponding to the first application.
However, NPL discloses:
	wherein the system comprises at least one secure key associated with the first application (i.e. software module SM1 in FIG. 1 on page # 362; See NPL section 5.6, Page # 367) and secured data (i.e. protected data section SM1 in FIG 1 is interpreted as first application; See NPL section 5.6, Page # 367) corresponding to the first application (See Page # 367-368, Section 5.6 Sancus: This instruction also derives the node key KN,SP,SM and stores it together with the layout in a protected storage area, inaccessible from software).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and include a hardware-only protected module architectures (PMAs), as disclosed by NPL document. 
	The motivation to include a hardware-only protected module architectures (PMAs) is to run multiple applications/software modules side by side, along with unprotected application to ensure that the state of the software modules is protected from the any other software running on the system. (See NPL document’s FIG.1 description on page # 362).
Regarding claim 19, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The non-transitory computer readable media of claim 18, wherein the second state comprises at least one secure key (i.e. key of SM2; see section 5.6) associated with the second application (i.e. software module SM1 in FIG. 1; See NPL section 5.6, Page # 367) and non-secured data (i.e. unprotected data section SM2 in FIG. 1 interpreted as second application; See NPL section 5.6, Page # 367) corresponding to the second application (See NPL Section 5.6, Page # 367; When an SM uses functionality from another protected module, it can use caller authentication to ensure that the other module was not tampered with. To this end, SM1 stores a MAC with its own key KN,SP,SM1 of SM2’s identity in an unprotected section. It can issue a special instruction at runtime to verify the MAC. The hardware also enforces a single entry point. This single physical entry point is not a limitation, as it can be multiplexed to multiple logical ones).
Regarding claim 20, the combination of Hatakeyama, Willman, Tian and Caccamo discloses:
The non-transitory computer readable media of claim 19, wherein the component comprises a multiplexor that transitions accessing the at least one secure key or the secured data associated with the first application to the at least one secure key or the non-secured data associated with the second application (See Section 5.11, Page # 371: The Secure Storage task seals data by storing it encrypted in non-secure memory. It is encrypted with a task key that is derived from idt. Tasks communicate with the secure storage via secure IPC. Finally, a trusted Interrupt Multiplexor (Int Mux) task is used to securely save the context of an interrupted task to its stack and clear the CPU registers before control is passed to the interrupt handler).

Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Hatakeyama., (US20080282342A1) in view of Willman et al., (US20050033980A1) in view of Tian et al., (WO2016205976A1) in view of Caccamo et al., (US10649914B1) and further in view of Grohoski et al., (US7620821B1).
Regarding claim 5, the combination of Hatakeyama, Willman, Tian & Caccamo fails to disclose:
The system of claim 1, wherein the component comprises logic to calculate an intermediate SHA2 value to be stored with the first state of the first application. 
However, Grohoski discloses:
wherein the component comprises logic to calculate an intermediate SHA2 value to be stored with the first state of the first application (Col. 9, Line # 33-42; Stream processing unit 240 may be configured to implement one or more specific data processing algorithms in hardware. For example, SPU 240 may include logic configured to support encryption/decryption algorithms such as Advanced Encryption Standard (AES), Data Encryption Standard/Triple Data Encryption Standard (DES/3DES), or Ron's Code #4 (RC4). SPU 240 may also include logic to implement hash or checksum algorithms such as Secure Hash Algorithm (SHA-1, SHA-256), Message Digest 5 (MD5), or Cyclic Redundancy Checksum (CRC)). 
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Hatakeyama, Willman, Tian & Caccamo and include logic to implement hash algorithm such as Secure Hash Algorithm (SHA-1, SHA-256), as disclosed by Grohoski. 
The motivation to use Secure Hash Algorithm is to ensure communication between applications is encrypted and secure. 
Regarding claim 14, the combination of Hatakeyama, Willman, Tian & Caccamo fails to disclose:
The method of claim 10, comprising calculating an intermediate SHA2 value to be stored with the first state of the first application.
However, Grohoski discloses:
wherein the component comprises logic to calculate an intermediate SHA2 value to be stored with the first state of the first application (Col. 9, Line # 33-42; Stream processing unit 240 may be configured to implement one or more specific data processing algorithms in hardware. For example, SPU 240 may include logic configured to support encryption/decryption algorithms such as Advanced Encryption Standard (AES), Data Encryption Standard/Triple Data Encryption Standard (DES/3DES), or Ron's Code #4 (RC4). SPU 240 may also include logic to implement hash or checksum algorithms such as Secure Hash Algorithm (SHA-1, SHA-256), Message Digest 5 (MD5), or Cyclic Redundancy Checksum (CRC)). 
It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the references of Hatakeyama, Willman, Tian & Caccamo and include logic to implement hash algorithm such as Secure Hash Algorithm (SHA-1, SHA-256), as disclosed by Grohoski. 
The motivation to use Secure Hash Algorithm is to ensure communication between applications is encrypted and secure.
	
Claim 21 are rejected under 35 U.S.C. 103 as being unpatentable over Hatakeyama., (US20080282342A1) in view of Willman et al., (US20050033980A1) in view of Tian et al., (WO2016205976A1) in view of Caccamo et al., (US10649914B1) and further in view of Torigoe et al., (US20120036286A1).
Regarding claim 21, the combination of Hatakeyama, Willman, Tian & Caccamo fails to disclose:
The non-transitory computer readable media of claim 17, wherein the plurality of instructions cause the processor to calculate a direct memory access value to be stored with the first state of the first application.
However, Torigoe discloses:
wherein the plurality of instructions cause the processor to calculate a direct memory access value to be stored with the first state of the first application ([0018] When a setting of the transfer parameter is completed, the first DMA 1142 performs a data transfer of the K field data (S2916). At this point, the first DMA 1142 also calculates an assurance code for the K field on the basis of the value stored in S2913 (by taking over the value stored in S2913) and stores a value of the calculated code therein (S2917)).
	It would have been obvious to one of the ordinary person skilled in the art before the effective filing date of the claimed invention to modify the Hatakeyama, Willman, Tian & Caccamo references and calculate Direct Memory Access (DMA) values as disclosed by Torigoe.
The motivation to calculate Direct Memory Access (DMA) values is to ensure data transfers from memory to memory is verified using calculated DMA values.


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M AHSAN whose telephone number is (571)272-5018. The examiner can normally be reached 8:30 AM - 6:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffery L. Nickerson can be reached on 469-295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/S.M.A./Patent Examiner, Art Unit 2432                                                                                                                                                                                                        
/SYED A ZAIDI/Primary Examiner, Art Unit 2432