DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to amendment filed on 03/16/2026.
Response to Amendment
By this amendment, claims 1, 9, and 16 are amended. Therefore, claims 1-20 are pending. Any objections and rejections not repeated below is withdrawn due to Applicant's amendment.
Response to Arguments
Applicant's arguments filed 03/16/2026 have been fully considered but they are not persuasive. Applicant argues in substance:
Independent claim 1 as amended recites that in response to the reception of the hypercall, compare an identifier of the second virtual machine to entries in a configuration table, and based on the comparison of the identifier to the entries in the configuration table, determine a configuration of the second virtual machine. None of the cited references disclose the features now recited in claim 1 and that claim therefore is allowable, as are claims 2-8 that depend from claim 1.
With regard to point (a), Examiner due to Applicant’s amendments, HONG et al. Pub. No. US 2018/0129525 Al (hereafter HONG) has been introduced to cure deficiencies. Therefore, the claims are still rejected for the reasons in this Office Action’s 103 rejection below. Argument has not been found to be persuasive.
Independent claims 9 and 16 as amended recite features similar to claim 1 and are allowable for the same reasons that claim 1 is allowable, as are claims 10-15 that depend from claim 9 and claims 17-20 that depend from claim 16.
With regard to point (b), Examiner due to Applicant’s amendments, HONG et al. Pub. No. US 2018/0129525 Al (hereafter HONG) has been introduced to cure deficiencies. Therefore, the claims are still rejected for the reasons in this Office Action’s 103 rejection below. Argument has not been found to be persuasive.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3-5, 7-9, 11-13, 15-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Dandekar et al. Pub. No. US 2011/0296488 Al (hereafter Dandekar) in view of Ali et al. Pub. No. US 2014/0298003 Al (hereafter Ali), and further in view of HONG et al. Pub. No. US 2018/0129525 Al (hereafter HONG).
Regarding claim 1, Dandekar teaches an information handling system comprising: a basic input/output system (BIOS) ([0026] “Information handling system 100 includes … Basic Input/Output System and Firmware (BIOS/PW) code 134…”) … and a second virtual machine configured based on a cloud policy ([0043] “…Virtual machines 560 and 570 each include I/O policy information 561 and 571, respectively…”, Note: I/O policy information is included in virtual machines) … receive a hypercall from the second virtual machine, wherein the hypercall includes a command having a command type ([0045] “…A CHV manager receives an I/O access request in block 331. For example, virtual machine 560 can attempt to initiate a file transfer over Ethernet NIC 521, or a USB device plugged into USB port 525 can attempt to enumerate itself to virtual machine 570, and CHV manager 520 can receive the transaction requests…”, Fig. 8, Note: The hardware that the virtual machine is requesting to access is the command type) … and in response to the command type matching the cloud policy, provide the command to a proper hardware component within the information handling system ([0045] “…A decision is made as to whether or not the requested I/O access is allowed in decision block 334. If so, the "YES" branch of decision block 334 is taken, the requested I/O access request is executed in block 335, and the method ends in block 336…”, Fig. 8, Note: The hardware that the virtual machine is requesting to access is the command type, and the command type matches an I/O policy when the virtual machine’s I/O policy information permits the request).
Dandekar fails to teach a first virtual machine configured to communicate with the BIOS and other hardware components within the information handling system … wherein the first virtual machine to … based on the configuration of the second virtual machine, determine whether the command type within the hypercall matches the cloud policy for the second virtual machine, wherein the cloud policy identifies the operations that the second virtual machine controls with respect to the BIOS and the other hardware components within the information handling system.
In analogous art Ali teaches a first virtual machine configured to communicate with the BIOS and other hardware components within the information handling system … wherein the first virtual machine to ([0022] “…Generally, a "privileged domain" refers to a domain that has predefined privilege(s) that allows an entity in the domain to perform functions in the electronic device that other entities (e.g. OS, application programs, etc.) are not allowed to perform…”, [0024] “Examples of a privileged domain include any or some combination of the following: domain 0 … a guest virtual machine that has predefined settings to provide the guest virtual machine with enhanced privileges and/or security…”, [0026] “The privileged domain 304 also includes the web-based interface 106 of FIG. 1. The BIOS function 306 in the privileged domain 304 can be accessed through the web-based interface 106.”, Note: The privileged domain virtual machine is the first virtual machine that can communicate with the BIOS through the interface and has other privileges/access to other hardware) … based on the configuration of the second virtual machine, determine whether the command type within the hypercall matches the cloud policy for the second virtual machine, wherein the cloud policy identifies the operations that the second virtual machine controls with respect to the BIOS and the other hardware components within the information handling system ([0024] “Examples of a privileged domain include any or some combination of the following: domain 0 … a guest virtual machine that has predefined settings to provide the guest virtual machine with enhanced privileges and/or security…”, [0035] “…In implementations where the privileged domain makes the determination (406) based on identifying the source of the request, then if the privileged domain 304 determines that the source of the request is authorized to access the requested BIOS function, the requested BIOS function is executed. On the other hand, in such implementations, if the privileged domain 304 determines that the source of the request is not authorized to access the requested BIOS function (such as in a scenario where malware has issued the request), then the privileged domain 304 can deny access of the requested BIOS function…”, [0009] “…a service to modify a setting of the BIOS; a service to modify a setting of a hardware component in the electronic device…”, Note: The privileged domain (first virtual machine) makes a determination of whether the source of the request (guest virtual machine) is authorized to perform the BIOS function (or other hardware components in the electronic device), wherein the authorization to perform the BIOS function for the source of request (guest virtual machine) is a cloud policy).
It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Dandekar to incorporate the teachings of Ali to simplify the design of a host executing virtual machines (Ali [0039] “Additionally, overall design of an electronic device can be simplified since security mechanisms traditionally used, such as locking of registers or portions of non-volatile memory, can be omitted, since it is the privileged domain that now controls whether a request to a BIOS function is allowed to proceed.”).
Dandekar and Ali fail to teach in response to the reception of the hypercall, compare an identifier of the second virtual machine to entries in a configuration table; based on the comparison of the identifier to the entries in the configuration table, determine a configuration of the second virtual machine.
In analogous art HONG teaches in response to the reception of the hypercall, compare an identifier of the second virtual machine to entries in a configuration table ([0063] “…a hypervisor 1050 that controls accesses for a hardware 1070 requested by the plurality of virtual machines 1010, 1020 and 1030…”, [0064] “Referring to FIG. 12, hardware firewall 1100 may include a programming interface module 1110, a plurality of access rule tables (ARTs) 1130, 1140 and 1150 respectively corresponding to the plurality of virtual machines 1010, 1020 and 1030 … In some example embodiments, a hardware privilege generator may append, to the access request, information indicating which one of the plurality of virtual machines 1010, 1020 and 1030 generates the access request. Hardware firewall 1100 may receive, from the hardware privilege generator, the access request to which the information is appended, and may refer to one of the plurality of access rule tables 1130, 1140 and 1150 corresponding to the virtual machine indicated by the appended information…”, Note: The appended information indicating which virtual machine generated an access request is interpreted as the identifier, and the firewall containing access rule tables is interpreted as the configuration table); based on the comparison of the identifier to the entries in the configuration table, determine a configuration of the second virtual machine ([0045] “Hardware firewall 400 may store normal access permission information of a normal virtual machine group for respective ones of a plurality of physical pages of a memory device … Hardware firewall 400 may selectively block the access request REQ based on at least one of the normal access permission information…”, [0064] “Referring to FIG. 12, hardware firewall 1100 may include a programming interface module 1110, a plurality of access rule tables (ARTs) 1130, 1140 and 1150 respectively corresponding to the plurality of virtual machines 1010, 1020 and 1030 … In some example embodiments, a hardware privilege generator may append, to the access request, information indicating which one of the plurality of virtual machines 1010, 1020 and 1030 generates the access request. Hardware firewall 1100 may receive, from the hardware privilege generator, the access request to which the information is appended, and may refer to one of the plurality of access rule tables 1130, 1140 and 1150 corresponding to the virtual machine indicated by the appended information…”, Note: The appended information indicating which virtual machine generated an access request is interpreted as the identifier, the firewall containing access rule tables is interpreted as the configuration table, and the access permissions of the virtual machine is interpreted as the virtual machine’s configuration).
It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Dandekar and Ali to incorporate the teachings of HONG to enhance access security (HONG [0045] “…Since the selective blocking of the access request REQ is performed by hardware firewall 400 implemented as hardware, the security may be enhanced…”).
Regarding claim 3, Dandekar, Ali, and HONG teach the information handling system of claim 1, and Dandekar further teaches wherein in response to the command type not matching the cloud policy, the first virtual machine to deny an operation of the command, wherein the denying of the operation includes preventing the command from being provided to the proper hardware component ([0045] “…If the requested I/O access is not allowed, the "NO" branch of decision block 334 is taken, the requested I/O access request is denied in block 337, and the method ends in block 336. For example, CHV manager 520 can determine that virtual machine 570 is to be denied access to USB port 525 and can block the USB device from enumerating itself to virtual machine 570.”, Fig. 8, Note: The hardware that the virtual machine is requesting to access is the command type, and the command type matches an I/O policy when the virtual machine’s I/O policy information permits the request).
Regarding claim 4, Dandekar, Ali, and HONG teach the information handling system of claim 1, and Dandekar further teaches wherein the BIOS is configured to receive a configuration signal while the information handling system is in a bare metal state ([0026] “Information handling system 100 includes one or more application programs 132, and Basic Input/Output System and Firmware (BIOS/PW) code 134. BIOS/PW code 134 functions to initialize information handling system 100 on power up, to launch an operating system, and to manage input and output interactions between the operating system and the other elements of information handling system 100…”, Note: The power up is the configuration signal).
Regarding claim 5, Dandekar, Ali, and HONG teach the information handling system of claim 4, and Dandekar further teaches wherein the BIOS further to launch the first virtual machine in response to the configuration signal ([0028] “CHV manager operates from the platform level 292 to initialize CHV system 200 on power up, to launch virtual machines 260, 270, and 280, and to manage input and output interactions between virtual machines 260, 270, and 280 and client platform hardware 220. In this respect, CHV manager 240 functions similarly to a combination of a platform BIOS and a virtual machine manager or hypervisor…”, Note: CHV manager (firmware like the BIOS) functions similarly to the BIOS and launches the virtual machines).
Regarding claim 7, Dandekar, Ali, and HONG teach the information handling system of claim 4, and Dandekar further teaches wherein in response to the configuration signal, the BIOS to begin execution of a kernel in the information handling system ([0026] “Information handling system 100 includes one or more application programs 132, and Basic Input/Output System and Firmware (BIOS/PW) code 134. BIOS/PW code 134 functions to initialize information handling system 100 on power up, to launch an operating system, and to manage input and output interactions between the operating system and the other elements of information handling system 100…”, Note: The power up is the configuration signal).
Regarding claim 8, Dandekar, Ali, and HONG teach the information handling system of claim 1, and Dandekar further teaches further comprising: third and fourth virtual machines, wherein the second, third, and fourth virtual machines are configured differently based on different cloud policies ([0043] “…Virtual machines 560 and 570 each include I/O policy information 561 and 571, respectively…”, Fig. 7, Note: Different I/O policy information is included in virtual machines).
Regarding claim 9, Ali further teaches receiving, at a first virtual machine of an information handling system, a plurality of cloud policies including first and second cloud policies ([0024] “Examples of a privileged domain include any or some combination of the following: domain 0 … a guest virtual machine that has predefined settings to provide the guest virtual machine with enhanced privileges and/or security…”, [0035] “…In implementations where the privileged domain makes the determination (406) based on identifying the source of the request, then if the privileged domain 304 determines that the source of the request is authorized to access the requested BIOS function, the requested BIOS function is executed. On the other hand, in such implementations, if the privileged domain 304 determines that the source of the request is not authorized to access the requested BIOS function (such as in a scenario where malware has issued the request), then the privileged domain 304 can deny access of the requested BIOS function…”, Note: The privileged domain (first virtual machine) makes a determination of whether the source of the request (guest virtual machine) is authorized to perform the BIOS function. Therefore, the authorization to perform the BIOS functions for each source of request is a distinct cloud policy); providing, by the first virtual machine ([0027] “In some examples, the privileged domain 304 is domain 0, which is an administrative domain started by the VMM 302 upon system startup, and which has enhanced privileges and security mechanisms. Examples of tasks performed by domain 0 include creating and configuring guest domains. Each of domain 0 and guest domains is considered a corresponding virtual machine.”, Note: Domain 0 virtual machine configures guest virtual machines), and Dandekar further teaches the first cloud policy to a second virtual machine of the information handling system ([0043] “…Virtual machines 560 and 570 each include I/O policy information 561 and 571, respectively…”, Fig. 7, Note: I/O policy information must be sent to virtual machines). The other limitations are substantially the same as those of claim 1. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 11, it is a process claim whose limitations are substantially the same as those of claim 3. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 12, it is a process claim whose limitations are substantially the same as those of claim 4. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 13, it is a process claim whose limitations are substantially the same as those of claim 5. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 15, it is a process claim whose limitations are substantially the same as those of claim 7. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 16, Dandekar further teaches an information handling system comprising: a basic input/output system (BIOS) configured to launch a virtual machine in response to reception of a configuration signal ([0028] “CHV manager operates from the platform level 292 to initialize CHV system 200 on power up, to launch virtual machines 260, 270, and 280, and to manage input and output interactions between virtual machines 260, 270, and 280 and client platform hardware 220. In this respect, CHV manager 240 functions similarly to a combination of a platform BIOS and a virtual machine manager or hypervisor…”, Note: CHV manager (firmware like the BIOS) functions similarly to the BIOS and launches the virtual machines) … otherwise deny an operation of the command, wherein the denying of the operation includes preventing the command from being provided to the proper hardware component ([0045] “…If the requested I/O access is not allowed, the "NO" branch of decision block 334 is taken, the requested I/O access request is denied in block 337, and the method ends in block 336. For example, CHV manager 520 can determine that virtual machine 570 is to be denied access to USB port 525 and can block the USB device from enumerating itself to virtual machine 570.”, Fig. 8, Note: The hardware that the virtual machine is requesting to access is the command type, and the command type matches an I/O policy when the virtual machine’s I/O policy information permits the request). The other limitations are substantially the same as those of claim 1. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 17, it is a machine claim whose limitations are substantially the same as those of claim 3. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 19, it is a machine claim whose limitations are substantially the same as those of claim 8. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 20, it is a machine claim whose limitations are substantially the same as those of claim 7. Accordingly, it is rejected for substantially the same reasons.
Claims 2, 10, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Dandekar et al. Pub. No. US 2011/0296488 Al (hereafter Dandekar) in view of Ali et al. Pub. No. US 2014/0298003 Al (hereafter Ali), further in view of HONG et al. Pub. No. US 2018/0129525 Al (hereafter HONG) as applied to claims 1, 3-5, 7-9, 11-13, 15-17, and 19-20 above, and further in view of HIRA et al. Pub. No. US 2019/0238509 Al (hereafter HIRA).
Regarding claim 2, Dandekar, Ali, and HONG teach the information handling system of claim 1.
Dandekar, Ali, and HONG fail to teach wherein the first virtual machine further to receive the cloud policy from a cloud server.
In analogous art HIRA teaches wherein the first virtual machine further to receive the cloud policy from a cloud server ([0041] “As described above with reference to Flow Diagram 200 of FIG. 2, in some embodiments, all of the workloads of a logical network (e.g., workloads of virtual machines 140-142 and of virtual machines 143-145) connect to a shared proxy control plane (e.g., proxy control plane 121) in a control virtual private cloud, instead of locally to a proxy control plane within a workload virtual machine's (or workload container's) respective virtual private cloud, to receive policy rules from SDN controller 102.”).
It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Dandekar, Ali, and HONG to incorporate the teachings of HIRA to reduce the amount of host computing resources required (HIRA [0042] “Utilizing a shared proxy control plane in a control virtual private cloud (operating as a central control gateway) to distribute policy rules to endpoints of the logical network reduces the amount of host computing resources required to operate the logical network…”).
Regarding claim 10, it is a process claim whose limitations are substantially the same as those of claim 2. Accordingly, it is rejected for substantially the same reasons.
Regarding claim 18, it is a machine claim whose limitations are substantially the same as those of claim 2. Accordingly, it is rejected for substantially the same reasons.
Claims 6 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Dandekar et al. Pub. No. US 2011/0296488 Al (hereafter Dandekar) in view of Ali et al. Pub. No. US 2014/0298003 Al (hereafter Ali), further in view of HONG et al. Pub. No. US 2018/0129525 Al (hereafter HONG) as applied to claims 1, 3-5, 7-9, 11-13, 15-17, and 19-20 above, and further in view of Grover et al. Pub. No. US 2017/0153907 Al (hereafter Grover).
Regarding claim 6, Dandekar, Ali, and HONG teach the information handling system of claim 4.
Dandekar, Ali, and HONG fail to teach wherein the configuration signal is an out-of-band communication signal.
In analogous art Grover teaches wherein the configuration signal is an out-of-band communication signal ([0003] “…Remote access can be had over a network, e.g., over an "in-band" network used by managed computers to communicate with each other, or over a dedicated "out-of-band" network. In the latter case, a managed computer can be outfitted with a management module dedicated to management over the out-of-band network.”, [0005] “The management module can have its own power supply, in which case, it may be referred to as a "lights-out module" (LOM). In the event of a host system failure, the host system can be shut down, event logs can be accessed to determine causes of failure, and the host system can be reconfigured and restarted, all through the management module.”, [0011] “…In addition, the provided out-of-band management of virtual machines allows virtual machines to be diagnosed and reconfigured in the event of a hardware, software, or network failure…”).
It would have been obvious to a person having ordinary skill in the art prior to the effective filing date of the claimed invention to have modified Dandekar, Ali, and HONG to incorporate the teachings of Grover to allow virtual machines to be diagnosed and reconfigured in the event of a hardware, software, or network failure (Grover [0011] “…In addition, the provided out-of-band management of virtual machines allows virtual machines to be diagnosed and reconfigured in the event of a hardware, software, or network failure that would prevent in-band management of the virtual machines (e.g., via a hypervisor).”).
Regarding claim 14, it is a process claim whose limitations are substantially the same as those of claim 6. Accordingly, it is rejected for substantially the same reasons.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. In particular, US 9,697,027 Bl is cited because it discloses a hypercall access control layer which intercepts hypercalls and determines if hypercall access rules are passed to allow hypercalls to execute. In addition, NPL “Shen, J., Zou, D., Jin, H., Yang, K., Yuan, B., & Li, W. (2016). A protective mechanism for the access control system in the virtual domain. China Communications, 13(11), 129-142.” is cited because it discloses utilizing a virtual privileged domain (Dom0) to verify if virtual unprivileged domains (DomUs) are allowed to continue operations based on respective policies.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Examiner respectfully requests, in response to this Office action, support be
shown for language added to any original claims on amendment and any new claims.
That is, indicate support for newly added claim language by specifically pointing to
page(s) and line number(s) in the specification and/or drawing figure(s). This will assist
Examiner in prosecuting the application.
When responding to this Office Action, Applicant is advised to clearly point out the patentable novelty which he or she thinks the claims present, in view of the state of the art disclosed by the references cited or the objections made. He or she must also show how the amendments avoid such references or objections. See 37 CFR 1.111 (c).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JUSTIN CHE-CHUN TONG whose telephone number is (703)756-1737. The examiner can normally be reached Monday-Thursday: 7:30 AM to 5:00 PM EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, April Y Blair can be reached on (571)270-1014. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/J.C.T./Examiner, Art Unit 2196
/APRIL Y BLAIR/Supervisory Patent Examiner, Art Unit 2196