DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1 – 24 are pending for examination. Claims 1, 4 – 9, 12 – 14, 17, 20 – 22 are amended.
References were cited in the previous Office action.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 12/23/25 has been entered.
Examiner’s Note
The prior art rejection below cites particular paragraphs, columns, and/or line numbers in the references for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 – 2, 4, 6 – 10, 12, 14 – 18, 20, and 22 – 24 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra et al., (US PUB 2018/0191491 hereinafter Chhabra) in view of Powell et al., (US PUB 2017/0277898 hereinafter Powell).
As to claim 1, Chhabra teaches an apparatus comprising:
an encryption circuit (“…encryption engine…” abstract, element 104 of figure 1 and para. 0011 - 0014) [in] a hardware processor (“…processor component 304 and system agent 310 may be included in TEE 102 and provide various resources and/or functionality to encryption engine 104…” para. 0030) of a first computer system to encrypt data;
a memory controller circuit, of the first computer system (“…first encryption environment 110 may include memory controller 314…” figure 3 and para. 0025), comprising a port (“The system bus 808 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. Interface adapters may connect to the system bus 808 via a slot architecture. Example slot architectures may include without limitation Accelerated Graphics Port (AGP)…” para. 0056) and (“… These and other input devices are often connected to the processing unit 804 through an input device interface 842 that is coupled to the system bus 808, but can be connected by other interfaces such as a parallel port, IEEE 994 serial port, a game port, a USB port, an IR interface, and so forth.” Para. 0060) to couple to a network interface controller circuit (“…wireless communication network interface or adaptor 856…” figure 8 and para. 0063);
a direct memory access engine circuit of the first computer system to access a memory in the first computer system (“…direct memory access (DMA)…” para. 0012) and (“…a DMA between memory 108 and memory 112 and, in response, support the movement of information between the memories 108, 112 by converting information between the first and second encrypted environments 106, 110…” para. 0020) and
the hardware processor to, for a request to perform a live migration of a virtual machine from the first computer system to a second computer system via the network interface controller circuit (“…a memory operation request ….” Para. 0014) and (“…In some instances, the encryption engine can allow more efficient and faster memory operations, such as in paging or virtual machine migration, providing useful applications for both client and server platforms…” para. 0013. Note: live migration is a form of migration) and (“…For example, when an application or virtual machine pages being migrated can get loaded at different physical addresses on remote machines and encryption engine 104 may support the migration by providing cipher system translations…” para. 0020) and (“…determine the memory operation request includes communication of the target information from a first encryption environment to a second encryption environment, the first encryption environment to utilize a first cipher system and the second encryption environment to utilize a second cipher system…” para. 0073):
decrypt currently encrypted code and data of the virtual machine from the memory with a current encryption [key] by the encryption circuit of the hardware processor (“...In some such embodiments, for a read from memory, the bit may indicate to encryption engine 104 that the memory block was stored in encrypted memory. For instance, in response to identifying a protected read, encryption engine 104 may fetch the target information (i.e., memory object, e.g., data line, page, block as ciphertext 210) from memory 108, decrypt it using position dependent cipher and re-encrypt it using a position independent cipher to allow the target information to be stored in memory...” para. 0034 – 0036. Note: fetching the encrypted target information, decrypting it and then re-encrypting it reads on decrypting currently encrypted code and data) and (“…The encryption engine can allow more efficient and faster memory operations, such as in paging or virtual machine migration…” para. 0013) and (“...In some embodiments, encryption engine 104 may identify DMA between memory 108 and memory 112 and, in response, support the movement of information between the memories 108, 112 by converting information between the first and second encrypted environments 106, 110. In various embodiments, the movement of information may be part of one or more of paging or migration operations. For example, when an application or virtual machine pages being migrated can get loaded at different physical addresses on remote machines and encryption engine 104 may support the migration by providing cipher system translations...” para. 0020),
encrypt the decrypted code and data of the virtual machine from the memory with an encryption (“…For instance, in response to identifying a protected read, encryption engine 104 may fetch the target information (i.e., memory object, e.g., data line, page, block as ciphertext 210) from memory 108, decrypt it using position dependent cipher and re-encrypt it using a position independent cipher to allow the target information to be stored in memory...” para. 0034 – 0036) and (“...Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems…” para. 0011. Note: cipher is code) and (“…The encryption engine can allow more efficient and faster memory operations, such as in paging or virtual machine migration…” para. 0013) and (“…For example, encryption engine 104 may identify a memory operation request associated with target information or data and determine the memory operation request includes communication of the target information from memory 108 of the first encryption environment 106 to memory 112 of the second encryption environment 110…” para. 0018) [key] for the live migration by the encryption circuit of the hardware processor (“…For example, when an application or virtual machine pages being migrated can get loaded at different physical addresses on remote machines and encryption engine 104 may support the migration by providing cipher system translations…” para. 0020. Note: live migration is a form of migration),
store the encrypted code and data of the virtual machine within a migration buffer of the memory of the first computer system by the direct memory access engine circuit (“…In some such embodiments, data located within the encryption environment, such as stored in memory 108 or 112 may be encrypted according to the associated cipher system…” para. 0021. Note: memory 108 is of the first encryption environment as shown in the figures) and (“…In the illustrated embodiment, TEE 102 may include processor component 304 and system agent 310 in addition to encryption engine 104, first encryption environment 110 may include memory controller 314 and memory 108 comprising main memory 316, and second encryption environment 110 may include storage controller 318 and memory 112 comprising secondary memory 320…” para. 0025) and (“…To support memory operations, such as DMAs, between first and second encryption environments 106, 110, encryption engine 104 may need to identify or receive indication of the memory operations between main memory 316 and secondary memory 320 that require translations between different cipher systems…” para. 0027. Note: main memory is the memory of the first system) and (“…In some embodiments, translation 210 may include the encryption engine 104 receiving ciphertext 204 from memory 108 of the first encryption environment 106, converting it from cipher system 202 to cipher system 206 to generate ciphertext 208, and passing ciphertext 208 to memory 112 of the second encryption environment 110…” para. 0023) and (“…be protected with encryption in one or more memories, such as memory 108 or 112. In various embodiments, this may utilize an additional bit of the physical address space, one or indicate whether a page needs to be protected and the other to indicate DMA to/from a storage device…” para. 0029), and
cause the network interface controller circuit to send the encrypted code and data of the virtual machine from the migration buffer to the second computer system (“…In various embodiments, the movement of information may be part of one or more of paging or migration operations. For example, when an application or virtual machine pages being migrated can get loaded at different physical addresses on remote machines and encryption engine 104 may support the migration by providing cipher system translations. In some embodiments, the conversion between the first and second encryption environments 106, 110 may occur transparently to software…” para. 0020) and (“…In some embodiments, translation 210 may include the encryption engine 104 receiving ciphertext 204 from memory 108 of the first encryption environment 106, converting it from cipher system 202 to cipher system 206 to generate ciphertext 208, and passing ciphertext 208 to memory 112 of the second encryption environment 110…” para. 0023) and (“…For instance, moving pages to/from secondary memory 320 may be achieved by programming storage controller 318 to DMA data from/to main memory 316. In some embodiments, on paging out a page from main memory 316 to secondary memory 320, storage controller 318 may issue read requests to main memory 316. Similarly, on paging in a page, storage controller 318 may read the page from secondary memory 320 and write the page to main memory 316…” para. 0028) via the network interface controller circuit (“…The computer 802 may operate in a networked environment using logical connections via wire and/or wireless communications to one or more remote computers, such as a remote computer 848. In various embodiments, one or more migrations may occur via the networked environment…” para. 0062).
Chhabra does not expressly teach, but Powell teaches, an encryption circuit in the hardware processor and an encryption key (“…processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software…” abstract) and (“FIGS. 1-10 illustrate techniques for supporting address security operations at a processing system by employing a processor with a security module, wherein the security module manages authentication and encryption keys for the processor…” para. 0016).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify Chhabra by applying the teaching of Powell, because Powell’s processor uses encryption keys to encrypt a virtual machine for migration (para. 0021) in order to prevent unauthorized access (abstract).
As to claim 2, Chhabra modified by Powell teaches the apparatus of claim 1, Chhabra teaches wherein the hardware processor is to cause the network interface controller circuit to send the encrypted code and data of the virtual machine from the migration buffer to the second computer system without the network interface controller circuit performing an additional encryption (“…network interfaces arranged to accept, communicate, and connect to a communications network…” para. 0069. Note: the network interface only connects to the communications network; it does not perform encryption).
As to claim 4, Chhabra modified by Powell teaches the apparatus of claim 1, Chhabra teaches wherein the encrypted code and data of the virtual machine is multiple pages of the memory of the first computer system, and the migration buffer comprises a plurality of migration buffers for sending a respective plurality of the multiple pages to the second computer system (“...For example, on assigning pages to a page swapping software to move to/from secondary memory 320, the OS may use a physical address to indicate a page belonging to the page swapping software that will be swapped in/out to/from main memory 316...” para. 0027 - 0028).
As to claim 6, Chhabra modified by Powell teaches the apparatus of claim 1, Chhabra teaches wherein the hardware processor is to cause the encryption circuit to perform an address dependent decryption of the currently encrypted code and data of the virtual machine from the memory, and an address independent encryption of the decrypted code and data of the virtual machine from the memory for the live migration (“…In various embodiments encryption engine 104 may include hardware that implements the translation between the different cipher systems, such as a position dependent cipher system and a position independent cipher system…” para. 0018).
As to claim 7, Chhabra modified by Powell teaches the apparatus of claim 1, Chhabra teaches wherein the encryption circuit [in the hardware processor] is to encrypt the decrypted code and data of the virtual machine from the memory with an offset provided from the second computer system (“…this may utilize an additional bit of the physical address space, one or indicate whether a page needs to be protected and the other to indicate DMA to/from a storage device…” para. 0029) and (“…encryption engine 104 may inspect an indicator bit included in a memory operation request. In various such embodiments, storage controller 318 may set the bit when requesting a read operation or a write operation, such as via a DMA, to indicate the need for translation between different cipher systems. For example, the indicator bit may include a bit in the physical address, which may be set by the OS for only pages moved by the page swapping software between main memory 316 and secondary memory 320…” para. 0042) [and the encryption key].
Chhabra does not expressly teach, but Powell teaches, the encryption circuit in the hardware processor and the encryption key (“…processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software…” abstract) and (“FIGS. 1-10 illustrate techniques for supporting address security operations at a processing system by employing a processor with a security module, wherein the security module manages authentication and encryption keys for the processor…” para. 0016).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify Chhabra by applying the teaching of Powell, because placing the encryption function and its keys within the processor, as Powell does, is a known design choice (para. 0011 and 0016).
As to claim 8, Chhabra modified by Powell teaches the apparatus of claim 1, Chhabra teaches wherein the encryption circuit [in the hardware processor] is to encrypt the decrypted code and data of the virtual machine from the memory [with the encryption key] provided from the second computer system (“…Some embodiments are particularly directed to an encryption engine that supports memory operations between two or more encryption environments. Each encryption environment can use different cipher systems while the encryption engine can translate ciphertext between the different cipher systems…” para. 0011. Note: cipher is code) and (“…The encryption engine can allow more efficient and faster memory operations, such as in paging or virtual machine migration…” para. 0013) and (“…For example, encryption engine 104 may identify a memory operation request associated with target information or data and determine the memory operation request includes communication of the target information from memory 108 of the first encryption environment 106 to memory 112 of the second encryption environment 110…” para. 0018).
Chhabra does not expressly teach, but Powell teaches, the encryption circuit in the hardware processor and the encryption key (“…processing systems providing software to be executed at the processor, can generate keys for encrypting address spaces for the provided software…” abstract) and (“FIGS. 1-10 illustrate techniques for supporting address security operations at a processing system by employing a processor with a security module, wherein the security module manages authentication and encryption keys for the processor…” para. 0016).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify Chhabra by applying the teaching of Powell, because placing the encryption function and its keys within the processor, as Powell does, is a known design choice (para. 0011 and 0016).
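The translation that the rejections of claims 1, 6, 7 and 8 map onto Chhabra (address-dependent decryption with the current memory key, address-independent re-encryption with a migration key, DMA into a migration buffer, a NIC send with no further encryption, and re-encryption under a different key at a different physical address on the remote machine) is easier to follow as a running model. The Python below is an added illustration only: it is not the applicant's implementation, not Chhabra's encryption engine, and not part of this record. The HMAC-SHA256 counter-mode cipher stands in for a hardware AES-XTS style engine, and the host names, physical addresses, page contents and keys are constructed for the example.

```python
"""
Key-translation pipeline for encrypted-VM live migration.

Added illustration only: not the applicant's implementation and not
Chhabra's encryption engine. The "engine" is HMAC-SHA256 in counter
mode standing in for a hardware AES-XTS style cipher; hosts, addresses,
page contents and keys below are constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PAGE_SIZE = 64  # toy page size; real pages are 4 KiB


def keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Counter-mode keystream bound to (key, tweak)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, tweak + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xcrypt(key: bytes, tweak: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, tweak, len(data))))


def addr_tweak(phys_addr: int) -> bytes:
    """Position-dependent cipher (claim 6): the physical address is the tweak,
    so a page copied to another address or another host does not decrypt."""
    return b"addr:" + phys_addr.to_bytes(8, "big")


def stream_tweak(seq: int) -> bytes:
    """Position-independent cipher (claim 6): the tweak is the page's sequence
    number in the migration stream, a fresh nonce per page (reuse would leak the
    XOR of two pages), independent of where the page sits in either host's RAM."""
    return b"mig:" + seq.to_bytes(8, "big")


@dataclass
class Host:
    name: str
    memory_key: bytes = field(default_factory=lambda: os.urandom(32))
    ram: dict = field(default_factory=dict)  # phys_addr -> ciphertext page

    def write_plain(self, phys_addr: int, plaintext: bytes) -> None:
        self.ram[phys_addr] = xcrypt(self.memory_key, addr_tweak(phys_addr), plaintext)

    def read_plain(self, phys_addr: int) -> bytes:
        return xcrypt(self.memory_key, addr_tweak(phys_addr), self.ram[phys_addr])


def export_page(src: Host, phys_addr: int, seq: int, mig_key: bytes, buf: bytearray) -> None:
    """Source: decrypt with the current memory key, re-encrypt with the migration
    key (claim 8: a key the destination supplied), DMA into the migration buffer."""
    plain = src.read_plain(phys_addr)                   # address-dependent decrypt
    buf[:] = xcrypt(mig_key, stream_tweak(seq), plain)  # address-independent encrypt


def nic_send(buf: bytearray, wire: list) -> None:
    """NIC forwards the buffer as-is, no additional encryption (claim 2); the copy
    is taken at send time so the single buffer can be reused for the next page."""
    wire.append(bytes(buf))


def import_page(dst: Host, seq: int, wire_ct: bytes, new_addr: int, mig_key: bytes) -> None:
    """Destination: strip the transport encryption, then re-encrypt under the
    destination memory key at the page's new physical address."""
    dst.write_plain(new_addr, xcrypt(mig_key, stream_tweak(seq), wire_ct))


def migrate(src: Host, dst: Host, mig_key: bytes, addr_map: dict) -> list:
    """Move every page in addr_map (src_addr -> dst_addr) through one reused
    migration buffer, one page per send. Returns the bytes that crossed the wire."""
    buf = bytearray(PAGE_SIZE)
    wire = []
    for seq, (src_addr, dst_addr) in enumerate(sorted(addr_map.items())):
        export_page(src, src_addr, seq, mig_key, buf)
        nic_send(buf, wire)
        import_page(dst, seq, wire[-1], dst_addr, mig_key)
    return wire


if __name__ == "__main__":
    a, b = Host("host-A"), Host("host-B")
    pages = {0x1000: b"guest kernel text".ljust(PAGE_SIZE, b"\0"),
             0x2000: b"guest heap data".ljust(PAGE_SIZE, b"\0")}
    for addr, data in pages.items():
        a.write_plain(addr, data)
    mig_key = os.urandom(32)  # migration key, assumed supplied by host-B out of band
    sent = migrate(a, b, mig_key, {0x1000: 0x7000, 0x2000: 0x8000})
    assert b.read_plain(0x7000) == pages[0x1000] and b.read_plain(0x8000) == pages[0x2000]
    assert not any(ct in pages.values() or ct in a.ram.values() for ct in sent)
    print(f"migrated {len(sent)} pages; wire bytes match neither plaintext nor source RAM")
```

Two properties worth checking against such a model: the source memory key never leaves host A (the wire carries ciphertext under the migration key only), and the ciphertext stored at host B differs from what host A held because both the key and the address tweak changed. The per-page sequence number in the transport tweak is what makes the stream position-independent while still avoiding keystream reuse across pages.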
As to claim 9, this is the method claim corresponding to apparatus claim 1. See the rejection of claim 1 above.
As to claims 10, 12, 14 – 16, see the rejection of claims 2, 4, 6 – 8 above.
As to claim 17, this is the non-transitory machine readable medium claim corresponding to apparatus claim 1. See the rejection of claim 1 above. Further, Chhabra teaches a non-transitory machine readable medium that stores program code that when executed by a machine causes the machine to perform a method (“…Storage medium 700 may comprise any non-transitory computer-readable storage medium…” para. 0051 and figure 7).
As to claims 18, 20, 22 – 24, see the rejection of claims 2, 4, 6 – 8 above.
Claims 3, 11, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Chhabra in view of Powell, as applied to claim 1, and further in view of Lu, (US PUB 2015/0309839).
As to claim 3, Chhabra modified by Powell teaches the apparatus of claim 1,
Chhabra teaches wherein the hardware processor is to cause the network interface controller circuit to send (“…In various embodiments, processor component 304 may implement or realize TEE 104 by only executing instructions stored in internal memory 308…”) and (“…The computer 802 may operate in a networked environment using logical connections via wire and/or wireless communications to one or more remote computers, such as a remote computer 848. In various embodiments, one or more migrations may occur via the networked environment…” para. 0062) and (“…network interfaces arranged to accept, communicate, and connect to a communications network…” para. 0069) the encrypted code and data of the virtual machine from the migration buffer to the second computer system (“…In various embodiments, the movement of information may be part of one or more of paging or migration operations. For example, when an application or virtual machine pages being migrated can get loaded at different physical addresses on remote machines and encryption engine 104 may support the migration by providing cipher system translations. In some embodiments, the conversion between the first and second encryption environments 106, 110 may occur transparently to software…” para. 0020) [via a remote direct memory access engine circuit of the network interface controller circuit].
While Chhabra teaches direct memory access and a network interface providing communication, as cited above, Chhabra and Powell do not expressly teach, but Lu teaches, sending via a remote direct memory access engine circuit of the network interface controller circuit (“…when a first virtual machine (the source virtual machine) needs to be migrated to a second virtual machine (the destination virtual machine), a physical network interface card reads and writes data in a memory of each virtual machine in a direct memory access manner, and the first virtual machine or a manager of the first virtual machine is not required for reading and writing data in a memory of the first virtual machine…” para. 0113).
It would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains to modify Chhabra and Powell by applying the teaching of Lu, because Lu’s physical network interface card reads and writes virtual machine memory directly, in a direct memory access manner, during migration (para. 0113), so that Chhabra’s network interface could carry out the virtual machine migration without requiring the virtual machine or its manager to move the data.
As to claims 11 and 19, see rejection for claim 3 above.
Allowable Subject Matter
Claims 5, 13 and 21 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
As to claim 5, Chhabra and Powell do not teach “The apparatus of claim 1, wherein the encrypted code and data of the virtual machine is a single page of the memory of the first computer system, and the hardware processor of the first computer system is to reuse the migration buffer for a second page of encrypted code and data of the virtual machine for the live migration in response to completion of the send of the encrypted code and data for the single page of the virtual machine from the migration buffer to the second computer system”, when read in context as a whole.
As to claims 13 and 21, they recite a scope similar to that of claim 5. They are objected to for the same reason as claim 5.
Response to Arguments
Claim Rejections -35 U.S.C. § 103
Applicant's arguments have been fully considered but they are not persuasive (pages 8 – 10 of the Remarks).
Applicant argued that
“The cited portions of the references do not appear to teach or suggest the Applicant's claims. For example, the cited portions of the references do not appear to teach or suggest:
1. An apparatus comprising:
an encryption circuit in a hardware processor of a first computer system to encrypt data;
a memory controller circuit, of the first computer system, comprising a port to couple to a network interface controller circuit;
a direct memory access engine circuit of the first computer system to access a memory in the first computer system; and
the hardware processor to, for a request to perform a live migration of a virtual machine from the first computer system to a second computer system via the network interface controller circuit:
decrypt currently encrypted code and data of the virtual machine from the memory with a current encryption key by the encryption circuit of the hardware processor,
encrypt the decrypted code and data of the virtual machine from the memory with an encryption key for the live migration by the encryption circuit of the hardware processor,
store the encrypted code and data of the virtual machine within a migration buffer of the memory of the first computer system by the direct memory access engine circuit, and
cause the network interface controller circuit to send the encrypted code and data of the virtual machine from the migration buffer to the second computer system via the network interface controller circuit.
(Emphasis added.)
as in Applicant's amended independent claim 1, or:
9. A method comprising:
executing a virtual machine on a first computer system;
sending an indication from the first computer system to a second computer system of a live migration of the virtual machine from the first computer system to the second computer system via a network interface controller circuit of the first computer system;
decrypting currently encrypted code and data of the virtual machine from a memory of the first computer system with a current encryption key by an encryption circuit in a hardware processor of the first computer system;
encrypting the decrypted code and data of the virtual machine from the memory of the first computer system with an encryption key for the live migration by the encryption circuit in the hardware processor of the first computer system;
storing the encrypted code and data of the virtual machine within a migration buffer of the memory of the first computer system by a direct memory access engine circuit of the first computer system; and
sending the encrypted code and data of the virtual machine from the migration buffer to the second computer system via the network interface controller circuit. (Emphasis added.)
as in Applicant's amended independent claim 9, or:
17. A non-transitory machine readable medium that stores program code that when executed by a machine causes the machine to perform a method comprising:
executing a virtual machine on a first computer system;
sending an indication from the first computer system to a second computer system of a live migration of the virtual machine from the first computer system to the second computer system via a network interface controller circuit of the first computer system;
decrypting currently encrypted code and data of the virtual machine from a memory of the first computer system with a current encryption key by an encryption circuit in a hardware processor of the first computer system;
encrypting the decrypted code and data of the virtual machine from the memory of the first computer system with an encryption key for the live migration by the encryption circuit in the hardware processor of the first computer system;
storing the encrypted code and data of the virtual machine within a migration buffer of the memory of the first computer system by a direct memory access engine circuit of the first computer system; and
sending the encrypted code and data of the virtual machine from the migration buffer to the second computer system via the network interface controller circuit. (Emphasis added.)
as in Applicant's amended independent claim 17” (pages 8 – 11 of the Remarks).
In response,
Chhabra and Powell, in combination and not either reference alone, teach amended claims 1, 9, and 17. See the rejection above.
Dependent Claims
Applicant argued that
“Because the Applicant has demonstrated the patentability of all pending independent claims, the Applicant respectfully submits that all pending claims are allowable. The Applicant's silence with respect to the dependent claims should not be construed as an admission by the Applicant that the Applicant is complicit with the Examiner's rejection of these claims. Because the Applicant has demonstrated the patentability of the independent claims, the Applicant need not substantively address the theories of rejection applied to the dependent claims.
In light of the comments above, the Applicant respectfully requests the allowance of all claims.” (page 10 of the Remarks).
In response,
All dependent claims remain rejected at least for the reasons their respective independent claims are rejected.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Van Riel, (US PUB 2019/0179558), discloses a method of migrating memory pages with encrypted data associated with virtual machine (title, abstract and figures 1 – 6).
Patel, (US PUB 2021/0019172), discloses a method of migrating secure virtual machine using encrypted memory technologies, wherein migrating the memory pages of the virtual machine via an unsecured communication channel to the second host system for storing in the second cryptographically protected execution environment (title, abstract and figures 1 – 8).
Tsirkin, (US PAT 11,144,216), discloses a method of migrating virtual machine page for encrypted storage blocks of memory in secured manner (title, abstract and figures 1 – 6).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHUONG N HOANG whose telephone number is (571)272-3763. The examiner can normally be reached 9 – 5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KEVIN YOUNG can be reached on 571-270-3180. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/PHUONG N HOANG/Examiner, Art Unit 2194
/KEVIN L YOUNG/Supervisory Patent Examiner, Art Unit 2194