DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .



Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 12/02/2022 has been entered.




Response to Amendments
This communication is in response to the amendments filed on 7 November 2022:
	Claims 1, 11 and 20 are amended.
	Claims 13-16, 23, 25 and 27 are canceled.
	Claims 1-12, 17-22, 24 and 26 are pending.





Response to Arguments
In response to Applicant’s remarks filed on 7 November 2022:
a.	On page 10 of Applicant’s remarks, Applicant argues that Cesare fails to disclose the amended features of “determine whether to authenticate the at least one software image using the at least one soft key or the at least one hard key based on a value indicating a key type included in the key information included in the at least one software image” has been fully considered but is deemed moot in view of the new grounds of rejection presented in this Office Action. 
b.	On page 11 of Applicant’s remarks, Applicant argues that Cesare does not disclose that the GID or UID, which the Examiner alleges to correspond with the “hard key” of claim 1, is used to “authenticate” the executable code image has been fully considered but is deemed not-persuasive. Applicant’s attention is directed to Cesare, FIG. 3C, where in step “355”, the system optionally verifies a decryption key and decrypts the payload of the object, which is being read as deciding on whether to authenticate the at least one software image using the at least one hard key based on key information included in the software image. The verification of the decryption key and decryption of the payload of the object, is performed before the payload is executed. The security processing engine of Cesare as disclosed in Paragraph [0050] states “the same security processing engine can “walk” through the chain of objects to authenticate and verify each object to ensure that each object is trusted before executing the executable code (e.g., payload) of the object. Therefore, since the decryption key, which is recovered from one of the tag using a UID/GID (hard key) is verified and used to decrypt the payload before it is executed, the decryption key can be interpreted as a hard key used to authenticate the executable code image as previously cited in the last Office Action. 
c.	On page 14 of Applicant’s remarks, Applicant argues that the Final Office Action fails to show how Miranda remedies the deficiencies of Cesare discussed above with regard to claim 1. Consequently, the Final Office Action fails to establish a proper prima facie case of obviousness for the rejection of independent claim 11 at least due to its similarities to independent claim 1 has been fully considered but is deemed not-persuasive. In the previous Office Action, Miranda was introduced to cure the deficiencies of Cesare with regards to techniques involving authenticating a second software image. Authenticating a second software image with respect to a first software image allows for better security management for software before it is loaded and/or updated, to make sure the software was not modified and/or the proper version is applied to the update. Each software image can correspond to a second or third software image, which are all used in authenticating the software component. This allows for multiple factors to be implemented with the authentication process in order to provide for a more accurate authentication result. Miranda is deemed as analogous art due to Miranda teaching the authenticating of a second software image by obtaining second key information with regards to the first software image. 




Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-10, 20-22, 24 and 26 are rejected under 35 U.S.C. 103 as being unpatentable over Cesare et al. (U.S. PGPub. 2012/0166781), hereinafter Cesare, in view of Ciudad et al. (U.S. PGPub. 2009/0271782), hereinafter Ciudad. 

	Regarding claim 1, Cesare teaches A system comprising:
	a system memory configured to store at least one software image (Cesare, Paragraph [0008], see “an executable code image representing a software component is to be installed in an electronic device…The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified…”), the at least one software image comprising at least a keychain image associated with the at least one software image (Cesare, Paragraph [0008], see “an executable code image representing a software component is to be installed in an electronic device, wherein the software component is used to establish an operating environment of the electronic device. A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image…The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain”, where “an executable code image representing a software component” is being read as at least one software image comprising at least a keychain image, where “executable code image” is being read as a keychain image, where “software component” is being read as at least one software image), the keychain image including at least one soft key associated with the at least one software image, the at least one soft key being a public key corresponding to the at least one software image (Cesare, Fig. 3A, which depicts data structure of a code image for secure booting, where “code image” is being read as comprising the keychain image, and where “certificate chain” is being read as comprising at least one soft key where the at least one soft key is a public key, due to Cesare disclosing in Paragraph [0041], see “A code image may include a sequence of one or more public key certificates as a certificate chain, such as certificate chain 307…Each certificate may embed a separate public key in a format based on, for example, X.509 standard…”); and
	processing circuitry including at least one hard key, the at least one hard key including a unique value associated with the processing circuitry (Cesare, Paragraph [0061], see “…Optionally, certain tags may be used to specify one or more chip IDs (e.g., GID or UID) or board ID (e.g., motherboard identifier) by which this object may trusted. If these tags exist, the one or more chip IDs and/or board ID much match the chip IDs and board IDs embedded within the secure ROM”, where “GID or UID” is being read as comprising at least one hard key, and where the at least one hard key includes a unique value associated with the processing circuitry due to a GID or UID including a unique value associated with the processing circuitry), the processing circuitry configured to,
	determine whether to authenticate the at least one software image using the at least one soft key or the at least one hard key  (Cesare, Fig. 3C, which depicts a process for verifying and loading a sequence of objects, where “352” and “353” show a process of evaluating the authenticity of the certificate chain associated with the object, which is being read as making a determination to authenticate the at least one software image using the at least one soft key, where “354” and “355” show a process of verifying whether the object can be trusted in view of the hardware configuration, where in step “355”, the system optionally verifies a decryption key and decrypts the payload of the object, which is being read as making a determination on whether to authenticate the at least one software image using the at least one hard key based on key information included in the at least one software image) (Cesare, Paragraph [0068], see “Optionally at block 355, if the payload of the object is encrypted, the decryption key is recovered from one of the tag using a UID/GID or a predetermined key. The decryption key is then used to decrypt the payload of the object and thereafter, the decrypted payload can be executed”, where “if the payload of the object is encrypted” is being read as making a determination based on key information, where “the decryption key is recovered from one of the tag using a UID/GID or a predetermined key” is being read as authenticating the at least one software image using the at least one hard key, where “UID/GID” is being read as comprising the hard key),
	obtain a desired soft key from the keychain image or a desired hard key from the processing circuitry based on the key information (Cesare, Fig. 3C, see “352”, which locates a next object and evaluating the authenticity of the certificate chain associated with the object, which is being read as obtaining a desired soft key from the keychain image and see “355”, which optionally verifies a decryption key and decrypts the payload of the object, which is being read as obtaining a desired hard key based on the key information as discussed above in Cesare, Paragraph [0068]), and
	authenticate the at least one software image based on the obtained soft key or the obtained hard key (Cesare, Fig. 3C, see “353” and “355”, which shows the at least one software image being authenticated based on the obtained soft key (using the certificate chain to evaluate the trust of the object) or the obtained hard key (optionally verifying a decryption key and decrypting the payload of the object)). 
	Cesare does not teach the following limitation(s) as taught by Ciudad: determine whether to authenticate the at least one software image using the at least one soft key or the at least one hard key based on a value indicating a key type included in key information included in the at least one software image (Ciudad, Paragraph [0023], see “…the authentication information includes at least one authentication key, which may be used to authenticate a file image of at least some files of a component or alternatively, to authenticate the component itself…the authentication key may include a checksum value and the authentication operations may include a checksum operation…the authentication information includes a pre-install authentication key and a post-install authentication key. The pre-install authentication key may be used to authenticate the pre-existing file corresponding to the file being installed. The post-install authentication key may be used to verify whether a particular file has already been installed…the pre-install and post-install authentication keys may be checksum values”, where “authentication information” is analogous to comprising key information (i.e., pre-install and post-install authentication keys), which is included in the at least one file image (i.e., software image)) (Ciudad, Paragraph [0045], see “If the installer 104 determines that the version of the existing component on the client system 101 is the pre-install version, the installer 104 may further perform the authentication on each of the sub-components described by the sub-component descriptors 112 to ensure that the sub-components have not been tampered with and are of the exact state required by the patch, using the pre-install authentication information”, where “sub-component descriptors 112” indicate the respective key value (i.e., pre-install or post-install authentication key) that is to be used for authentication) (Ciudad, Paragraph [0051], see “…Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys to the installer to perform authentication operations”, where “Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information” is analogous to determining whether to authenticate the at least one software image (i.e., files) using a first key or a second key, based on a value indicating a key type included in key information in the at least one software image (i.e., file), where “authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys” is analogous to key information comprising a value indicating a key type (i.e., pre-install or post-install)). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for single security model in booting a computing device, disclosed of Cesare, by implementing techniques for determining applicability of software packages for installation, comprising of determining whether to authenticate the at least one software image using a first key or a second key based on a value indicating a key type included in key information included in the software image, disclosed of Ciudad.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication of software, comprising of determining whether to authenticate the at least one software image using a first key or a second key based on a value indicating a key type included in key information included in the software image. This allows for better security management by determining the respective authentication needed (i.e., with respect to multiple authentication keys) for the software image at the time of authentication. In cases where a software component is outdated, a pre-install authentication key can be used to properly authenticate the old version to the new version. In cases where the user wants to know if the software component requires an update, a post-install authentication key can be used to properly authenticate whether the latest version has already been installed. Ciudad is deemed as analogous art due to the art disclosing techniques for determining whether to authenticate the at least one software image using a first key or a second key based on a value indicating a key type included in key information included in the software image (Ciudad, Paragraph [0040]). 

	Regarding claim 2, Cesare as modified by Ciudad teaches The system of claim 1, wherein the processing circuitry comprises read-only memory configured to store the at least one hard key (Cesare, Paragraph [0061], see “…Optionally, certain tags may be used to specify one or more chip IDs (e.g., GID or UID) or board ID (e.g., motherboard identifier) by which this object may trusted. If these tags exist, the one or more chip IDs and/or board ID much match the chip IDs and board IDs embedded within the secure ROM”, where “secure ROM” is being read as read-only memory, which stores the chip IDs and board IDs (hard keys)). 

	Regarding claim 3, Cesare as modified by Ciudad teaches The system of claim 2, wherein the processing circuitry is configured to authenticate the keychain image based on the at least one hard key based on the key information (Cesare, Paragraph [0068], see “Optionally at block 355, if the payload of the object is encrypted, the decryption key is recovered from one of the tag using a UID/GID or a predetermined key. The decryption key is then used to decrypt the payload of the object and thereafter, the decrypted payload can be executed…the compromised payload can be verified whether it is trusted…”, where “if the payload of the object is encrypted” is being read as based on the key information, where “UID/GID” is being read as comprising at least one hard key, and where the UID/GID is used based on the key information to authenticate the keychain image). 

	Regarding claim 4, Cesare as modified by Ciudad teaches The system of claim 2, wherein the processing circuitry comprises a secure memory configured to store a plurality of hard keys, the plurality of hard keys including the at least one hard key (Cesare, Paragraph [0066], see “…processing logic parses one or more tags implemented within the object against the hardware configuration embedded within the secure ROM to determine whether the object is intended and allowed to run within an operating environment within the hardware of a device having those specific configuration obtained at block 351. For example, certain tags may be parsed to match the chip ID) (e.g., UID/GID), board ID, security domain, minimum epoch, etc.”, where “UID/GID, board ID…” is being read as storing a plurality of hard keys). 

	Regarding claim 5, Cesare as modified by Ciudad teaches The system of claim 2, wherein the processing circuitry is configured to obtain the at least one hard key from a second software image loaded in the system memory (Cesare, FIG. 3B, which depicts each object (image), where each object contains tags for version, status, domain, etc, where “version, status domain, etc.” is being read as comprising hard keys. Therefore, the processing circuitry is configured to obtain the at least one hard key from a second software image (object 2) loaded in the system memory.

	Regarding claim 6, Cesare as modified by Ciudad teaches The system of claim 2, wherein the processing circuitry is configured to:
	identify a desired hard key associated with the at least one software image, from among a plurality of hard keys, the plurality of hard keys including the at least one hard key, based on the key information (Cesare, Paragraph [0068], see “…if the payload of the object is encrypted, the decryption key is recovered from one of the tag using a UID/GID or a predetermined key. The decryption key is then used to decrypt the payload of the object and thereafter, the decrypted payload can be executed…”, where “the decryption key is recovered from one of the tag using a UID/GID or a predetermined key” is being read as identifying a desired hard key associated with the at least one software image, from among a plurality of hard keys, the plurality of hard keys including the at least one hard key, based on the key information, where “if the payload of the object is encrypted” is being read as based on the key information); and
	authenticate the at least one software image based on the desired hard key (Cesare, Paragraph [0068], see “…As a result, the compromised payload can be verified whether it is trusted. The above processes repeat until all of the objects have been processed”, which is being read as authenticating the at least one software image based on the desired hard key). 

	Regarding claim 7, Cesare as modified by Ciudad teaches The system of claim 1, wherein the processing circuitry is configured to authenticate the at least one software image by verifying a digital signature included in the at least one software image based on the obtained soft key (Cesare, Paragraph [0060], see “object 1 includes signature tag having a hash value representing a hash of certain portions of the header and tags of object 1. The hash value is then signed by a certificate obtained from a chain of certificate stored in certificate tag, which is derived from a root certificate embedded within the secure ROM…Once the certificate chain has been authenticated and verified, it can be used to recover the hash (e.g., signature) to verify certain portions of the object”). 

	Regarding claim 8, Cesare as modified by Ciudad teaches The system of claim 1, wherein the processing circuitry is configured to identify the desired soft key associated with the at least one software image in the keychain image based on a key index included in the key information (Cesare, Claim 1, see “in response to a software component received at a device, executing security code to verify the software component, wherein the device includes: one or more keys and one or more configurable settings; the execution of the security code comprising: determining if the software component is trusted via the keys”) (Cesare, Paragraph [0007], see “For each software component, a security code is executed to authenticate and verify an executable code image associated with each software component using one or more keys embedded within a secure ROM of the device…”).

	Regarding claim 9, Cesare as modified by Ciudad teaches The system of claim 1, wherein
	the system memory is configured to store a plurality of keychain images, the plurality of keychain images including a plurality of soft keys (Cesare, Paragraph [0041], see “A code image may include a sequence of one or more public key certificates as a certificate chain, such as certificate chain 307”, where “code image” is being read as comprising a keychain image, and where “certificate chain 307” is being read as comprising a plurality of soft keys); and
	the processing circuitry is configured to obtain the desired soft key from the plurality of soft keys based on the key information (Cesare, Paragraph [0041], see “A certificate in a chain may be applied to verify the validity of the next certificate in sequence along the chain”, wherein based on the sequence along the chain, the certificate obtains the desired soft key in order to validate the next sequence along the chain).

	Regarding claim 10, Cesare as modified by Ciudad teaches The system of claim 1, further comprising:
	a system storage device configured to store a plurality of software images, the plurality of software images including the at least one software image (Cesare, Paragraph [0008], see “The signature, the certificate chain, and the executable code imager are then embedded into an object signed by a leaf certificate of the certificate chain. The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified using the certificate chain before being loaded in order to establish an operating environment of the electronic device”), and
	wherein the processing circuitry is configured to load the at least one software image from the system storage device into the system memory (Cesare, Paragraph [0036], see “code image Kernelcache 223 may be loaded from storage 109 to memory 103 based on code image Kernelcache 233”).

	Regarding claim 20, Cesare teaches A method of generating a signed software image to execute authentication of software in a system, the system including processing circuitry, the method comprising (Cesare, Paragraph [0008], see “A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image”…The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified using the certificate chain…”):
	generating a program image as the signed software image, the program image to be executed by the system (Cesare, Paragraph [0007], see “For each software component, a security code is executed to authenticate and verify an executable code image associated with each software component…In response to successfully authenticating and verifying the executable code image, the executable code image is then executed in a main memory of the device to launch the associated software component”); and
	generating a keychain image as the signed software image, the keychain image including key information and at least one soft key associated with the signed software image (Cesare, Paragraph [0008], see “A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image…The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain”, where “executable code image” is being read as the keychain image and where “certificate chain” is being read as the keychain image including at least one soft key), (Cesare, Fig. 3A, which depicts data structure of a code image for secure booting, where “code image” is being read as comprising the keychain image, and where “certificate chain” is being read as comprising at least one soft key where the at least one soft key is a public key, due to Cesare disclosing in Paragraph [0041], see “A code image may include a sequence of one or more public key certificates as a certificate chain, such as certificate chain 307…Each certificate may embed a separate public key in a format based on, for example, X.509 standard…”), the generating the program image including,
	obtaining a first binary image, the first binary image including computer readable instructions (Cesare, Paragraph [0007], see “For each software component, a security code is executed to authenticate and verify an executable code image associated with each software component),
	generating a first signature, the first signature being verified based on a first soft key or a first hard key included in processing circuitry (Cesare, Paragraph [0008], see “A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image…The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified using the certificate chain before being loaded…”, where the generated signature is verified using the certificate chain comprising the soft key), the first hard key including a unique value associated with the processing circuitry (Cesare, Paragraph [0061], see “…Optionally, certain tags may be used to specify one or more chip IDs (e.g., GID or UID) or board ID (e.g., motherboard identifier) by which this object may trusted. If these tags exist, the one or more chip IDs and/or board ID much match the chip IDs and board IDs embedded within the secure ROM”, where “GID or UID” is being read as comprising at least one hard key, and where the at least one hard key includes a unique value associated with the processing circuitry due to a GID or UID including a unique value associated with the processing circuitry), and
	generating a first signed program image, the first signed program image including the first binary image and the first signature (Cesare, Paragraph [0008], see “The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain”, wherein the object is generated, which contains the first signed program image including the first binary image and the first signature).  
	Cesare does not teach the following limitation(s) as taught by Ciudad: the key information including a value indicating a key type (Ciudad, Paragraph [0023], see “…the authentication information includes at least one authentication key, which may be used to authenticate a file image of at least some files of a component or alternatively, to authenticate the component itself…the authentication key may include a checksum value and the authentication operations may include a checksum operation…the authentication information includes a pre-install authentication key and a post-install authentication key. The pre-install authentication key may be used to authenticate the pre-existing file corresponding to the file being installed. The post-install authentication key may be used to verify whether a particular file has already been installed…the pre-install and post-install authentication keys may be checksum values”, where “authentication information” is analogous to comprising key information (i.e., pre-install and post-install authentication keys), which is included in the at least one file image (i.e., software image)) (Ciudad, Paragraph [0045], see “If the installer 104 determines that the version of the existing component on the client system 101 is the pre-install version, the installer 104 may further perform the authentication on each of the sub-components described by the sub-component descriptors 112 to ensure that the sub-components have not been tampered with and are of the exact state required by the patch, using the pre-install authentication information”, where “sub-component descriptors 112” indicate the respective key value (i.e., pre-install or post-install authentication key) that is to be used for authentication) (Ciudad, Paragraph [0051], see “…Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys to the installer to perform authentication operations”, where “Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information” is analogous to determining whether to authenticate the at least one software image (i.e., files) using a first key or a second key, based on a value indicating a key type included in key information in the at least one software image (i.e., file), where “authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys” is analogous to key information comprising a value indicating a key type (i.e., pre-install or post-install)). 
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for single security model in booting a computing device, disclosed of Cesare, by implementing techniques for determining applicability of software packages for installation, comprising of the key information including a value indicating a key type, disclosed of Ciudad.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication of software, comprising of the key information including a value indicating a key type. This allows for better security management by determining the respective authentication needed (i.e., with respect to multiple authentication keys) for the software image at the time of authentication. In cases where a software component is outdated, a pre-install authentication key can be used to properly authenticate the old version to the new version. In cases where the user wants to know if the software component requires an update, a post-install authentication key can be used to properly authenticate whether the latest version has already been installed. Ciudad is deemed as analogous art due to the art disclosing techniques for determining whether to authenticate the at least one software image using a first key or a second key based on a value indicating a key type included in key information included in the software image (Ciudad, Paragraph [0040]). 

	Regarding claim 21, Cesare as modified by Ciudad teaches The method of claim 20, wherein the generating of the first signed program image comprises generating the key information including a first key type value indicating use of a soft key or a hard key for authentication, and a first key index identifying the first soft key from a plurality of soft keys (Cesare, Paragraph [0008], see “A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image…The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain”, where “certificate chain” is being read as the keychain image including at least one soft key) (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment…A code builder may construct an Image3 object including headers and tags according to at least the following:”) (Cesare, Paragraph [0045], see “The builder encrypts a payload (e.g. DATA tag) with an encryption key”) (Cesare, Paragraph [0046], see “The builder constructs a key bag tag (e.g. KGAG tag) by storing the encryption key wrapped by a UID or GID”) (Cesare, Paragraph [0048], see “The builder constructs a signature tag (SHSH tag) by performing a hash operation on at least a part of the header (e.g. type of the image code), and one or more constructed tags as specified in the header (e.g. size of signed portion of the Image3 object). The signature tag stores the signed hash”) (Cesare, Paragraph [0049], see “The builder constructs a certificate chain tag (CERT tag) which stores the certificate chain used to sign the hash stored in the signature tag”). The cited portions of Cesare as seen above teach the concept of tagging (key index), wherein the key information in any given object can be used for identifying the key from a different object (image)).

	Regarding claim 22, Cesare as modified by Ciudad teaches The method of claim 20, wherein the generating of the keychain image comprises:
	obtaining the first hard key included in the processing circuitry (Cesare, FIG. 3C, see “351” where the system initializes hardware and obtains hardware configuration (e.g., chip ID, board ID, epoch, security domain, etc., which is being read as obtaining a hard key included in the system);
	obtaining a first keychain, the first keychain including the first soft key (Cesare, FIG. 3C, see “352” where the system locates a next object and evaluates the authenticity of the certificate chain associated with the object, where the “certificate chain” comprises the soft key and where the “object” comprises the first keychain); 
	generating a second signature, the second signature being verified based on the hard key (Cesare, Paragraph [0059], see “an object includes a tag having a hash value representing a signature of the object, where the signature may be signed by a certificate as a part of a certificate chain derived from a root certificate that matches a fingerprint (e.g., including the root certificate, a UID and/or GID) embedded within the secure ROM”, where a second signature is added to the certificate chain which is verified based on the hard key (fingerprint)); and
	generating a first signed keychain image, the first signed keychain image including the first keychain and the second signature (Cesare, Paragraph [0008], see “The signature, the certificate chain, and the executable code image are then embedded into an object signed by a leaf certificate of the certificate chain. The object is to be stored in a storage within the electronic device, such that the object can be subsequently authenticated and verified using the certificate chain before being loaded…”, where the signed keychain image includes the first keychain and the second signature added to the certificate chain). 

	Regarding claim 24, Cesare as modified by Ciudad teaches The method of claim 20, wherein the generating of the program image further comprises:
	obtaining the first hard key included in the processing circuitry;
	obtaining a second binary image, the second binary image including computer readable instructions;
	generating a third signature, the third signature being verified based on the hard key; and
	generating a second signed program image, the second signed program image including the second binary image and the third signature (Cesare, FIG. 3B, which depicts the system authenticating and verifying multiple different software images (objects)) (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment. In this example, there are multiple objects, each representing a software component to be installed and/or executed in an attempt to establish an operating environment of the system…”) (Cesare, Paragraph [0050], see “each object includes a header having information identifying a type of the object. The header may further include an offset pointing to a next object in the storage. For example, the header of object 1 may include an offset or pointer pointing to object 2, which as a pointer pointing to object3, etc. As a result, the same security processing engine can “walk” through the chain of objects to authenticate and verify each object to ensure that each object is trusted before executing the executable code (e.g., payload) of the object”) (Cesare, Paragraph [0051], see “data of each object is implemented in one or more tags which are used by the processing engine to verify the object in view of certain information embedded within the secure ROM as described above. Similar to the header, each tag includes an offset or pointer pointing to a next tag in the object so that the same processing logic can again “walk” through all tags as a part of authentication and verification process. For example, a loader in a device may perform at least the following to walk through all tags in an Image3 object”) (Cesare, Paragraph [0052], see “The loader recovers a certificate chain and evaluates the authenticity of the certificate chain and its authority to be used according to the device configurations”) (Cesare, Paragraph [0054], see “The loader evaluates a trust for a buffer of the Image3 object including one or more tags based on a hash value recovered from a signature tag using the authorized certificate chain”) (Cesare, Paragraph [0055], see “The loader recovers one or more tags and verifies the Image3 object is allowed to be trusted according to the device configurations”). The cited portions of Cesare as seen above, teach the concept of a certificate chain, which allows the next certificate in the chain to obtain key information, and successfully sign and generate the next object (image) including the code image and respective chain certificates.

	Regarding claim 26, Cesare as modified by Ciudad teaches The method of claim 20, wherein the generating of the keychain image comprises:
	obtaining a second soft key;
	obtaining a second keychain, the second keychain including the second soft key;
	generating a fourth signature, the fourth signature being verified based on the second soft key; and
	generating a second signed keychain image, the second signed keychain image including the second keychain and the fourth signature (Cesare, FIG. 3B, which depicts the system authenticating and verifying multiple different software images (objects)) (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment. In this example, there are multiple objects, each representing a software component to be installed and/or executed in an attempt to establish an operating environment of the system…”) (Cesare, Paragraph [0050], see “each object includes a header having information identifying a type of the object. The header may further include an offset pointing to a next object in the storage. For example, the header of object 1 may include an offset or pointer pointing to object 2, which as a pointer pointing to object3, etc. As a result, the same security processing engine can “walk” through the chain of objects to authenticate and verify each object to ensure that each object is trusted before executing the executable code (e.g., payload) of the object”) (Cesare, Paragraph [0051], see “data of each object is implemented in one or more tags which are used by the processing engine to verify the object in view of certain information embedded within the secure ROM as described above. Similar to the header, each tag includes an offset or pointer pointing to a next tag in the object so that the same processing logic can again “walk” through all tags as a part of authentication and verification process. For example, a loader in a device may perform at least the following to walk through all tags in an Image3 object”) (Cesare, Paragraph [0052], see “The loader recovers a certificate chain and evaluates the authenticity of the certificate chain and its authority to be used according to the device configurations”) (Cesare, Paragraph [0054], see “The loader evaluates a trust for a buffer of the Image3 object including one or more tags based on a hash value recovered from a signature tag using the authorized certificate chain”) (Cesare, Paragraph [0055], see “The loader recovers one or more tags and verifies the Image3 object is allowed to be trusted according to the device configurations”). The cited portions of Cesare as seen above, teach the concept of a certificate chain, which allows the next certificate in the chain to obtain key information, and successfully sign and generate the next object (image) including the code image and respective chain certificates.


Claims 11-12 and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Cesare, in view of Ciudad, in further view of Miranda et al. (U.S. PGPub. 2017/0286665), hereinafter Miranda.

	Regarding claim 11, Cesare teaches A method of authenticating software images loaded in a system memory, wherein the method is performed by processing circuitry (Cesare, Abstract, see “a security code is executed to authenticate and verify an executable code image associated with each software component…”), the processing circuitry including at least one hard key, the at least one hard key including a unique value associated with the processing circuitry (Cesare, Paragraph [0061], see “…Optionally, certain tags may be used to specify one or more chip IDs (e.g., GID or UID) or board ID (e.g., motherboard identifier) by which this object may trusted. If these tags exist, the one or more chip IDs and/or board ID much match the chip IDs and board IDs embedded within the secure ROM”, where “GID or UID” is being read as comprising at least one hard key, and where the at least one hard key includes a unique value associated with the processing circuitry due to a GID or UID including a unique value associated with the processing circuitry), the method comprising:
	authenticating a first software image, the first software image including first key information and at least one soft key associated with the first software image (Cesare, Paragraph [0008], see “an executable code image representing a software component is to be installed in an electronic device, wherein the software component is used to establish an operating environment of the electronic device. A signature generation process, such as a hash operation, is performed on at least a portion of the executable code image to generate a signature for the executable code image”, where “software component” is being read as at least a program image and where “certificate chain” is being read as comprising at least one soft key), the at least one soft key being a public key corresponding to the first software image (Cesare, Fig. 3A, which depicts data structure of a code image for secure booting, where “code image” is being read as comprising the keychain image, and where “certificate chain” is being read as comprising at least one soft key where the at least one soft key is a public key, due to Cesare disclosing in Paragraph [0041], see “A code image may include a sequence of one or more public key certificates as a certificate chain, such as certificate chain 307…Each certificate may embed a separate public key in a format based on, for example, X.509 standard…”); 
	
	
	
	
	Cesare does not teach the following limitation(s) as taught by Ciudad: 
	
	obtaining a first soft key from the authenticated first software image or a first hard key from the processing circuitry based a value indicating a key type included in the second key information (Ciudad, Paragraph [0023], see “…the authentication information includes at least one authentication key, which may be used to authenticate a file image of at least some files of a component or alternatively, to authenticate the component itself…the authentication key may include a checksum value and the authentication operations may include a checksum operation…the authentication information includes a pre-install authentication key and a post-install authentication key. The pre-install authentication key may be used to authenticate the pre-existing file corresponding to the file being installed. The post-install authentication key may be used to verify whether a particular file has already been installed…the pre-install and post-install authentication keys may be checksum values”, where “authentication information” is analogous to comprising key information (i.e., pre-install and post-install authentication keys), which is included in the at least one file image (i.e., software image)) (Ciudad, Paragraph [0045], see “If the installer 104 determines that the version of the existing component on the client system 101 is the pre-install version, the installer 104 may further perform the authentication on each of the sub-components described by the sub-component descriptors 112 to ensure that the sub-components have not been tampered with and are of the exact state required by the patch, using the pre-install authentication information”, where “sub-component descriptors 112” indicate the respective key value (i.e., pre-install or post-install authentication key) that is to be used for authentication) (Ciudad, Paragraph [0051], see “…Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys to the installer to perform authentication operations”, where “Each of the files 207-208 may include a path 209 and 211 respectively to specify where the file will be installed and authentication keys 210 and 212 to provide authentication information” is analogous to determining whether to authenticate the at least one software image (i.e., files) using a first key or a second key, based on a value indicating a key type included in key information in the at least one software image (i.e., file), where “authentication keys 210 and 212 to provide authentication information; including pre-install and post-install authentication keys” is analogous to key information comprising a value indicating a key type (i.e., pre-install or post-install)), 
	
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for single security model in booting a computing device, disclosed of Cesare, by implementing techniques for determining applicability of software packages for installation, comprising of the key information including a value indicating a key type, disclosed of Ciudad.  
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication of software, comprising of the key information including a value indicating a key type. This allows for better security management by determining the respective authentication needed (i.e., with respect to multiple authentication keys) for the software image at the time of authentication. In cases where a software component is outdated, a pre-install authentication key can be used to properly authenticate the old version to the new version. In cases where the user wants to know if the software component requires an update, a post-install authentication key can be used to properly authenticate whether the latest version has already been installed. Ciudad is deemed as analogous art due to the art disclosing techniques for determining whether to authenticate the at least one software image using a first key or a second key based on a value indicating a key type included in key information included in the software image (Ciudad, Paragraph [0040]). 
	Cesare as modified by Ciudad do not teach the following limitation(s) as taught by Miranda: authenticating a second software image, the second software image including second key information, the authenticating of the second software image including,
	obtaining the second key information from the second software image,
	obtaining a first soft key from the authenticated first software image or a first hard key from the processing circuitry based a value indicating a key type included in the second key information, and
	verifying a digital signature of the second software image based on the obtained first soft key or the obtained first hard key (Miranda, Paragraph [0050], see “a signed software image including a first software image packaged with a second software image can be loaded, and the secure processing circuit 208 can first authenticate the OEM signature of the second software image, such as by using the OEM public key 618 to authenticate the OEM signature. If the OEM signature of the second software image is authenticated, the secure processing circuit 208 can then authenticate the vendor signature for the first software image, such as by using the vendor public key 610 to authenticate the vendor signature. If the vendor signature is authenticated for the first software image, the secure processing circuit 208 can then authenticate the OEM signature associated with the first software image, such as by using the OEM public key 618 to authenticate the OEM signature. As noted above, the order of authentication for the first software image can be reversed…”).
Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified the techniques for single security model in booting a computing device, disclosed of Cesare, and techniques disclosed of Ciudad, by implementing techniques for facilitating software signing by more than one signing authority, comprising authenticating a second software image, disclosed of Miranda. 
One of ordinary skill in the art would have been motivated to make this modification in order to implement techniques for authentication of software, comprising authenticating a second software image. This allows for better security management for software before it is loaded and/or updated, to make sure the software was not modified and/or the proper version is applied to the update. Each software image can correspond to a second or third software image, which are all used in authenticating the software component. This allows for multiple factors to be implemented with the authentication process in order to provide for a more secure and accurate authentication procedure. Miranda is deemed as analogous art due to Miranda teaching the authenticating of a second software image by obtaining second key information (Miranda, Paragraph [0050]). 
  
	Regarding claim 12, Cesare as modified by Ciudad and further modified by Miranda teaches The method of claim 11, wherein the authenticating of the first software image comprises:
	obtaining the first key information from the first software image (Cesare, Paragraph [0051], see “data of each object is implemented in one or more tags which are used by the processing engine to verify the object in view of certain information embedded within the secure ROM as described above”) (Cesare, Paragraph [0059], see “an object includes a tag having a hash value representing a signature of the object, wherein the signature may be signed by a certificate as a part of a certificate chain derived from a root certificate that matches a fingerprint embedded within the secure ROM”);
	obtaining the first hard key included in the processing circuitry based on the first key information (Cesare, Paragraph [0059], see “an object includes a tag having a hash value representing a signature of the object, wherein the signature may be signed by a certificate as a part of a certificate chain derived from a root certificate that matches a fingerprint (e.g., including the root certificate, a UID and/or GID) embedded within the secure ROM”, where based on the tag, the system obtains a hard key (UID/GID)); and
	verifying a digital signature of the first software image based on the obtained first hard key (Cesare, Paragraph [0060], see “object 1 includes signature tag having a hash value representing a hash of certain portions of the header and tags of object 1. The hash value is then signed by a certificate obtained from a chain of certificate stored in a certificate tag, which is derived from a root certificate embedded within the secure ROM…the loader executed from the secure ROM can authenticate and/or verify the chain of certificates using the root certificate since the chain of certificates is derived from the root certificate”, where “root certificate” is being read as a hard key). 

	Regarding claim 17, Cesare as modified by Ciudad and further modified by Miranda teaches The method of claim 11, further comprising:
	authenticating a third software image, the third software image including third key information, the third key information being different from the second key information; and
	wherein the authenticating of the third software image includes,
		obtaining the third key information from the third software image,
		obtaining a second soft key from the first software image based on the third key information, the second soft key being different from the first soft key; and
		verifying a digital signature of the third software image based on the second soft key (Cesare, FIG. 3B, which depicts the system authenticating and verifying multiple different software images (objects)) (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment. In this example, there are multiple objects, each representing a software component to be installed and/or executed in an attempt to establish an operating environment of the system…”) (Cesare, Paragraph [0050], see “each object includes a header having information identifying a type of the object. The header may further include an offset pointing to a next object in the storage. For example, the header of object 1 may include an offset or pointer pointing to object 2, which as a pointer pointing to object3, etc. As a result, the same security processing engine can “walk” through the chain of objects to authenticate and verify each object to ensure that each object is trusted before executing the executable code (e.g., payload) of the object”) (Cesare, Paragraph [0051], see “data of each object is implemented in one or more tags which are used by the processing engine to verify the object in view of certain information embedded within the secure ROM as described above. Similar to the header, each tag includes an offset or pointer pointing to a next tag in the object so that the same processing logic can again “walk” through all tags as a part of authentication and verification process. For example, a loader in a device may perform at least the following to walk through all tags in an Image3 object”) (Cesare, Paragraph [0052], see “The loader recovers a certificate chain and evaluates the authenticity of the certificate chain and its authority to be used according to the device configurations”) (Cesare, Paragraph [0054], see “The loader evaluates a trust for a buffer of the Image3 object including one or more tags based on a hash value recovered from a signature tag using the authorized certificate chain”) (Cesare, Paragraph [0055], see “The loader recovers one or more tags and verifies the Image3 object is allowed to be trusted according to the device configurations”). The cited portions of Cesare as seen above, teach the concept of a certificate chain, which allows the next certificate in the chain to obtain key information from any other object (image) to perform verification of the digital signature. 

	Regarding claim 18, Cesare as modified by Ciudad and further modified by Miranda teaches The method of claim 11, further comprising:
	authenticating a fourth software image, the fourth software image including fourth key information; and
	wherein the authenticating of the fourth software image includes,
		obtaining the fourth key information from the fourth software image,
		obtaining a third soft key from the authenticated second software image based on the fourth key information, and
		verifying a digital signature of the fourth software image based on the third soft key (Cesare, FIG. 3B, which depicts the system authenticating and verifying multiple different software images (objects)) (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment. In this example, there are multiple objects, each representing a software component to be installed and/or executed in an attempt to establish an operating environment of the system…”) (Cesare, Paragraph [0050], see “each object includes a header having information identifying a type of the object. The header may further include an offset pointing to a next object in the storage. For example, the header of object 1 may include an offset or pointer pointing to object 2, which as a pointer pointing to object3, etc. As a result, the same security processing engine can “walk” through the chain of objects to authenticate and verify each object to ensure that each object is trusted before executing the executable code (e.g., payload) of the object”) (Cesare, Paragraph [0051], see “data of each object is implemented in one or more tags which are used by the processing engine to verify the object in view of certain information embedded within the secure ROM as described above. Similar to the header, each tag includes an offset or pointer pointing to a next tag in the object so that the same processing logic can again “walk” through all tags as a part of authentication and verification process. For example, a loader in a device may perform at least the following to walk through all tags in an Image3 object”) (Cesare, Paragraph [0052], see “The loader recovers a certificate chain and evaluates the authenticity of the certificate chain and its authority to be used according to the device configurations”) (Cesare, Paragraph [0054], see “The loader evaluates a trust for a buffer of the Image3 object including one or more tags based on a hash value recovered from a signature tag using the authorized certificate chain”) (Cesare, Paragraph [0055], see “The loader recovers one or more tags and verifies the Image3 object is allowed to be trusted according to the device configurations”). The cited portions of Cesare as seen above, teach the concept of a certificate chain, which allows the next certificate in the chain to obtain key information from any other object (image) to perform verification of the digital signature.

	Regarding claim 19, Cesare as modified by Ciudad and further modified by Miranda teaches The method of claim 11, wherein the second key information includes a key index for identifying the first soft key from the at least one soft key included in the first software image (Cesare, Paragraph [0044], see “FIG. 3B is a block diagram illustrating an example of data structure representing a layout of an Image3 object according to one embodiment…A code builder may construct an Image3 object including headers and tags according to at least the following:”) (Cesare, Paragraph [0045], see “The builder encrypts a payload (e.g. DATA tag) with an encryption key”) (Cesare, Paragraph [0046], see “The builder constructs a key bag tag (e.g. KGAG tag) by storing the encryption key wrapped by a UID or GID”) (Cesare, Paragraph [0048], see “The builder constructs a signature tag (SHSH tag) by performing a hash operation on at least a part of the header (e.g. type of the image code), and one or more constructed tags as specified in the header (e.g. size of signed portion of the Image3 object). The signature tag stores the signed hash”) (Cesare, Paragraph [0049], see “The builder constructs a certificate chain tag (CERT tag) which stores the certificate chain used to sign the hash stored in the signature tag”). The cited portions of Cesare as seen above teach the concept of tagging (key index), wherein the key information in any given object can be used for identifying the key from a different object (image)). 



Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RODMAN ALEXANDER MAHMOUDI whose telephone number is (571)272-8747.  The examiner can normally be reached on M-F 11:00am – 7:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on (571) 272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RODMAN ALEXANDER MAHMOUDI/Examiner, Art Unit 2499