DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 16 March 2026 has been entered.
Response to Arguments
The Examiner acknowledges Applicant’s amendments and remarks filed on 16 March 2026. They have been fully considered but they are not persuasive.
Applicant’s arguments on pp. 9-10:
Chang's data path does not route through a CPU interface. Chang's serial boot hardware communicates directly with external serial PROM 26 over serial data bus 32 using the SPI standard (Chang, [0021]-[0022]). The retrieved data is converted from serial to parallel format and written to system memory 15 through a DMA module and memory controller (Chang, Fig. 4, steps 110-116; [0029]: "Serial boot hardware 18 retrieves (108) a first portion of the program block from the first serial PROM," then "converts (110) the program block data retrieved from the first serial PROM into parallel data," and "transmits (112) the parallel data to the DMA module"). At no point does data flow through a CPU interface or a CPU control unit. The serial boot hardware, the SPI bus, and the DMA module are peripheral circuits that operate while the CPU is completely inert.
Chang does not access a program memory integrated in the device via an interface. Chang's PROM 26 is an external component connected to system 10 via serial data bus 32 (Chang, Fig. 1; [0021]: "Serial boot hardware 18 communicates with serial PROM 26 using, for example, the Serial Peripheral Interface (SPI) serial data bus standard on serial data bus 32").
Even if PROM 26 were considered "integrated in the device" under a broad construction, the serial boot hardware's access to PROM 26 is over a peripheral serial bus - not via an interface that provides functional control of the CPU. The SPI bus connects the serial boot hardware to the PROM; it does not connect to or pass through any CPU interface.
Chang's CPU has no involvement in the copy operation. The Office Action mapped Chang's serial boot hardware to the claimed "interface enabled to implement functional control" on the basis that the serial boot hardware holds and releases the CPU from reset (Final OA, Rejection of Claim 1). However, the serial boot hardware's reset control of the CPU and its data-retrieval path from the PROM are two entirely separate circuits performing entirely separate functions. The reset line is a single-bit signal that gates the CPU's operational state. The SPI data path is a multi-wire serial bus that transfers data from the PROM. These do not converge - the serial boot hardware does not use its ability to control the CPU's state as a means of accessing the program memory. The claims, as amended, recite precisely this convergence: the code must be accessed via the same interface that provides functional control of the CPU.
The Examiner respectfully disagrees. Chang teaches:
[0005] A serial boot hardware holds the CPU in the reset condition, retrieves the information about the system memory configuration and the boot program, retrieves the first portion of the boot program, writes the boot program to the system memory, and releases the CPU from the reset condition. The serial boot hardware can be internal to the system. Writing the first portion of the boot program into the system memory further can include converting the first portion from a serial data format to a parallel data format. The method can include transferring the first portion in the parallel data format across a system bus to the DMA module that writes the first portion to the memory controller using direct memory access (DMA) and then transferring the first portion from the memory controller to the system memory.
[0006] According to another aspect of the invention, a system includes a serial boot hardware, a memory controller that controls a system memory, a Data Memory Access (DMA) module with access to the memory controller, a system bus connecting the serial boot hardware and the DMA module, a SCC with access to the memory controller, a CPU contained in the SCC, a reset line connecting the serial boot hardware and the CPU, and a first PROM. The system also includes a serial data bus connecting the first PROM and the serial boot hardware. The serial boot hardware is configured, at a beginning of a power up state, to hold the CPU in a reset condition and retrieve, over the serial data bus using a serial communications protocol, information about a system memory configuration and a boot program from a first section of the first PROM. The serial boot hardware is further configured to use the information about the system memory configuration and the boot program to retrieve, over the serial data bus using a serial communications protocol, a first portion of the boot program from a second section of the first PROM and transfer the first portion to the DMA module that writes the first portion into the system memory. The serial boot hardware is further configured to release the CPU from the reset condition which enables the system to boot by reading the system memory.
[0020] Serial boot hardware 18 communicates with serial programmable read only memory (PROM) 26 using serial data bus 32. Serial boot hardware 18 cooperates with DMA module 16 to load a boot program into system memory 15 from serial PROM 26 that contains a boot program (not shown). This boot program can include instructions to begin executing an operating system as a "boot-up process" on system 10. The boot-up process executes upon system initiation or after a cold or warm start. After the boot-up process is complete, SCC 12 is ready to execute other instruction sets to satisfy a variety of computational tasks. Serial PROM 26 is divided into header block 28 that stores system memory configuration in addition to boot program information and program block 30 that stores the boot program. Boot program information enables correct reading of the boot program by serial boot hardware 18 and includes a total length of the boot program, a size of serial PROM 26, and other pertinent boot information. System memory configuration enables correct writing of the boot program into system memory and includes system memory type, system memory chip organization, system memory timing, and DMA module configuration data. These elements of the system memory configuration and boot program information are stored in a fixed order in serial PROM 26 to facilitate easy reading by serial boot hardware 18. This system memory configuration and boot program information is important because system memory 15 and serial PROM 26 are external to the chip and system memory 15 as well as the contents of serial PROM 26 can be configured in different ways. In this way, the design of system memory 15 and the contents of serial PROM 26 are only limited by memory controller functions in system 10.
Based on these paragraphs, Chang consistently teaches that serial boot hardware 18 holds CPU 13 in a reset state and copies boot code from PROM 26 to system memory 15. It is therefore readily apparent that Chang also teaches “copying, to a further device, code stored at a program memory integrated in the device by accessing the code stored at the program memory via an interface enabled to implement functional control of a central processing unit (CPU) integrated in the device”. Applicant’s arguments assume an interpretation of the claim language that is narrower than warranted by the broadest reasonable interpretation (BRI). The claim language does not require the CPU to be involved in the copy operation, so Chang’s disclosure of the CPU being “inert” is not relevant. Nor does the claim refer to the interface as a “CPU interface” as argued by Applicant. The additional details of how Applicant’s disclosure differs from Chang are also not relevant because they assume details that are not claimed.
The rejection is therefore maintained.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1-5, 7-13, 15, and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Chang, U.S. Patent Application Publication No. 2004/0250056, in view of Stewart et al., U.S. Patent Application Publication No. 2016/0300064.
Regarding claim 1, Chang discloses a method [Fig. 4] comprising:
placing and holding a device [Fig. 1: components are part of a single device such as an embedded computer, mobile phone, or digital camera; para. 0002, 0019] in a restricted mode of operation [Fig. 4, step 104: hold CPU in reset, which restricts operation of the device of Fig. 1], wherein independent initiation of execution of code at the device is disabled during the restricted mode of operation [para. 0018: “While in reset mode, CPU 13 does not execute any instructions in system memory 15.”];
while the device is in the restricted mode of operation [para. 0005: writing to system memory while CPU held in reset] copying, to a further device [Fig. 1: system memory 15], code stored at a program memory integrated in the device [PROM 26 coupled to system 10 via serial data bus 32, indicating that PROM resides within the same electronic device as system 10] by accessing the code stored at the program memory [PROM 26] via an interface [serial boot hardware 18] enabled to implement functional control of a central processing unit (CPU) integrated in [CPU is part of embedded computer system, mobile phone, or digital camera as disclosed in para. 0002, 0019] the device [para. 0005: “A serial boot hardware holds the CPU in the reset condition, retrieves the information about the system memory configuration and the boot program, retrieves the first portion of the boot program, writes the boot program to the system memory, and releases the CPU from the reset condition.”; para. 0020: “Serial boot hardware 18 cooperates with DMA module 16 to load a boot program into system memory 15 from serial PROM 26 that contains a boot program (not shown).”].
Chang does not disclose a step of verifying the copied code is secure.
Stewart discloses a step of verifying copied code is secure [para. 0029: “…the SCPU 130 may compute a hash of the boot code using, for example, SHA256 or similar while the boot code resides in secure memory, and compare this against a reference hash or PKCS signing certificate. A successful comparison enables execution of decrypted and authenticated code. Failure results in failsafe mechanism, as described herein.”].
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Chang and Stewart, by modifying Chang to perform the verification steps of Stewart. Both Chang and Stewart are directed to systems that perform loading of boot code from a non-volatile memory. Chang fails to explicitly disclose any security features, whereas Stewart discloses an authentication step for stored boot code. Stewart further teaches that boot code stored in external memory is vulnerable to tampering, and discloses the use of authentication steps to verify the integrity of the boot code [para. 0029: “As access to, or modification of, secure binary boot code in the Flash memory or other external storage location can leave the SoC 100 open to exploitation by an unauthorized entity, security measures are employed to prevent unauthorized access to the secure binary boot code and to prevent execution of modified secure binary boot code. Accordingly, at block 312 the initialization firmware manipulates the SCPU 130 to perform various security measures to verify the integrity of the secure binary boot code. One such measure is the performance of an authentication process by the SCPU 130 (alone or in conjunction with one or more of the cryptographic engines 114) to authenticate the secure binary boot code.”]. Therefore, it would have been obvious to one of ordinary skill in the art to apply the teachings of Stewart to Chang’s invention based on Stewart’s teaching that authentication steps would enhance the security of stored boot code.
Regarding claim 2, Stewart teaches that the verifying steps comprise:
performing a hashing function on the copied code to obtain a first security data [para. 0029: “…the SCPU 130 may compute a hash of the boot code using, for example, SHA256…”]; and
verifying the copied code is secure responsive to the first security data [para. 0029: “… and compare this against a reference hash or PKCS signing certificate. A successful comparison enables execution of decrypted and authenticated code.”].
Regarding claim 3, Stewart discloses that the verifying steps further comprise:
comparing the first security data to second security data stored at the other device [para. 0029: reference hash]; and
verifying the copied code responsive to the comparing [para. 0029: “A successful comparison enables execution of decrypted and authenticated code. Failure results in failsafe mechanism, as described herein.”].
Regarding claim 4, Stewart discloses that verifying the copied code is secure responsive to the first security data comprises verifying the copied code by performing signature validation on the first security data [para. 0029: “… and compare this against a reference hash or PKCS signing certificate.”].
Regarding claim 5, Stewart teaches:
verifying the copied code is secure [para. 0029].
Chang teaches:
instructing the device to execute code corresponding to the copied code upon exiting the restricted mode of operation [Fig. 4: step 122, boot up using boot program in system memory]; and
releasing the device from the restricted mode of operation [step 118, release CPU from reset].
Regarding claim 7, Chang teaches copying code stored at the program memory integrated in the device comprises copying boot code stored at the program memory integrated in the device [Fig. 1, steps 108-116: program block from serial PROM copied and converted into boot program in system memory; para. 0029: “SCC 12 boots up by executing (122) the instructions in the program block data or boot program.”].
Regarding claim 8, Chang teaches:
copying a portion of operating code stored at the program memory integrated in the device [para. 0029: “Serial boot hardware 18 retrieves (108) a first portion of the program block from the first serial PROM using a serial data bus.”], wherein the device is to execute the copied portion of the operating code upon a boot-up of the device or upon a reset condition of the device [Fig. 4, steps 118-122: release from reset, boot using program data in system memory].
Regarding claims 9-13, 15, and 16, Chang and Stewart disclose the method of claims 1-5, 7, and 8, and also the apparatus that executes the claimed method.
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Chang and Stewart as applied to claims 2 and 10 above, and further in view of Lee, U.S. Patent Application Publication No. 2014/0164753.
Regarding claim 6, Stewart teaches the method of claim 2 but does not specifically teach:
determining the copied code is unsecure responsive to the first security data; and
holding the device in the restricted mode of operation until verifying that code installed at the device is secure.
Lee discloses steps of:
determining the copied code is unsecure responsive to the first security data [Fig. 5, S570 and S595: decryption and authentication not successful; also Fig. 6, S645 and S660]; and
holding the device in the restricted mode of operation until verifying that code installed at the device is secure [para. 0082: “If the authentication code is not effective or decryption fails (S570), the CPU 130 stops executing the program and falls in an infinite loop (S595).”; para. 0087: secure boot may be executed again upon reset].
It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Chang, Stewart, and Lee by further modifying Chang and Stewart to determine that authentication failed, and to hold the device in the restricted mode until authentication is successful, as taught by Lee. Stewart teaches that an authentication step is carried out [Fig. 3, step 312], and also teaches that a “failsafe mechanism” may be carried out when authentication fails [para. 0029: “To illustrate, the SCPU 130 may compute a hash of the boot code using, for example, SHA256 or similar while the boot code resides in secure memory, and compare this against a reference hash or PKCS signing certificate. A successful comparison enables execution of decrypted and authenticated code. Failure results in failsafe mechanism, as described herein.”], but does not explicitly disclose the features of the failsafe mechanism for authentication failure. Lee discloses a firmware authentication process wherein an authentication failure results in an infinite loop, which presumably remains in effect until the system is reset, at which point the secure boot process may execute again [para. 0082, 0087]. It would therefore have been obvious to apply the teachings of Lee to Chang and Stewart based on Stewart’s broad teaching of a failsafe mechanism that addresses authentication failure and Lee’s teaching of specific steps that would address an authentication failure.
Regarding claim 14, Chang, Stewart, and Lee disclose the method of claim 6 and also the apparatus that executes the claimed method.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Hsu et al., U.S. Patent Application Publication No. 2014/0258699, discloses an invention with a control unit that receives an alarm signal to stop a processor, downloads a copy of firmware through a serial port, writes the copy of firmware to a memory, and restarts the processor [para. 0008].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JI H BAE whose telephone number is (571)272-7181. The examiner can normally be reached Tuesday to Friday and every other Monday, 9 am to 6 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jaweed Abbaszadeh can be reached at 571-270-1640. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JI H BAE/Primary Examiner, Art Unit 2176 U.S. Patent and Trademark Office
Phone: 571-272-7181
Fax: 571-273-7181
ji.bae@uspto.gov