Prosecution Insights
Last updated: April 19, 2026
Application No. 17/987,688

TRANSFORMING CONTAINER IMAGES INTO CONFIDENTIAL WORKLOADS

Non-Final OA §103
Filed
Nov 15, 2022
Examiner
LOPEZ, MIGUEL ALEXANDER
Art Unit
2496
Tech Center
2400 — Computer Networks
Assignee
Red Hat Inc.
OA Round
5 (Non-Final)
0%
Grant Probability
At Risk
5-6
OA Rounds
3y 1m
To Grant
0%
With Interview

Examiner Intelligence

Grants only 0% of cases
0%
Career Allow Rate
0 granted / 19 resolved
-58.0% vs TC avg
Minimal +0% lift
Without
With
+0.0%
Interview Lift
resolved cases with interview
Typical timeline
3y 1m
Avg Prosecution
37 currently pending
Career history
56
Total Applications
across all art units

Statute-Specific Performance

§101
6.2%
-33.8% vs TC avg
§103
35.8%
-4.2% vs TC avg
§102
20.5%
-19.5% vs TC avg
§112
34.6%
-5.4% vs TC avg
Tech Center average shown as an estimate for comparison. Based on career data from 19 resolved cases.

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02/04/2026 has been entered.

Response to Arguments
Applicant's arguments, see pages 7-9, filed 02/04/2025, with respect to the rejection of claims 1-2, 4-5, 7-8, 10, 14-16, 18-19, 20, and 21-23 under 35 U.S.C. § 103 have been fully considered. The rejection of claims 1-2, 4-5, 7-8, 10, 14-16, 18-19, 20, and 21-23 under 35 U.S.C. § 103 has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly discovered prior art. Since applicant does not give any further explanation as to how the previously cited art differentiates from the claimed invention other than repeating the amendments made to the claim, the examiner defers to the rejection below as a response to this argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-2, 4-5, 7-8, 10, 14-16, 18-19, 20, and 21-23 are rejected under 35 U.S.C. 103 as being unpatentable over Pascual; Sergio Lopez (US Publication No. US 2021/0263759 A1), hereinafter Pascual, in view of Srivastava et al. (US Publication No. US 2022/0191046 A1), hereinafter Srivastava, further in view of Sood et al. (US Publication No. US 2018/0260570 A1), hereinafter Sood, further in view of Gao et al. (US Publication No. US 2024/0012666 A1), hereinafter Gao.

Regarding Claims 1 and 15:
Claim 15. Pascual discloses a non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to (Pascual Fig. 7; claim 20, [0103-0104]): receive, from a client device, a request to create a confidential container image (Pascual Fig. 1, [0018] system 100 receives requests from client device 102), the request comprising a container image (Pascual Fig. 1, [0018] system 100 receives requests from client device 102, [0026] initial code) … creating, based on the request, a disk image comprising a first partition and a second partition (Pascual [0031-0036] portions of the storage reserved explicitly disclosed); write attestation parameters into the first partition of the disk image (Pascual [0019] and [0032] "Once the application node 110 has created the virtual machine 138 and encrypted the portions of the memory 134 and/or storage 135 associated with the virtual machine, the application node 110 may generate an attestation 122. For example, the attestation 122 may be generated based on the encryption parameters 316 and a public key associated with the virtual machine 138. As a specific example, and as discussed further above, the attestation 122 may be generated according to one or more cryptographic certification protocols, such as the X.509 protocols."); create an encrypted volume in the second partition of the disk image (Pascual [0026] "As depicted, the controller 302 stores encryption keys 304, 306, 308 for use in encrypting the contents of the memory 134. In particular, the encryption keys 304, 306, 308 may respectively be used to encrypt the containers 144, 140, 142. For example, the encryption keys 304, 306, 308 may be used to encrypt segments 310, 312, 314 of the memory 134 that correspond to the containers 144, 140, 142."; [0031-0036]); copy a workload from the container image to the encrypted volume in the second partition of the disk image (Pascual [0026] the initial request may include encryption parameters and initial code/payload, of which is copied into the encrypted memory reserved for the various containers; [0031-0036] may encrypt portions of the storage); copy the disk image comprising the first partition and the second partition and a configuration file … into an empty container image to generate the confidential container image (Pascual [0031-0036] empty virtual machine may be created allocating portions of memory and/or storage and "may include initializing execution of the virtual machine (e.g., according to a virtualization protocol such as the Red Hat® Virtualization platform)" to configure it, includes encrypting a portion of the storage), … and the second partition including the encrypted volume (Pascual [0031-0036] portions of the storage reserved explicitly disclosed; [0019] and [0032-0036]); … and register, by the processing device, the confidential container image with an attestation server identified in the attestation parameters included in the first partition of the disk image in the confidential container image (Pascual [0019-0024] encryption registry contemplated, [0019] and [0032] attestation process, [0021-0024] encrypted registry and coordinator working in conjunction in the same environment).

Pascual does not explicitly disclose [a container image] comprising a plurality of layers and Confidential Computing Trusted Execution Environment (TEE) parameters; … flattening the plurality of layers of the container image into a single layer within the encrypted volume; … [a configuration file] including the Confidential Computing TEE parameters … the disk image comprising the first partition including the attestation parameters … and the configuration file including the Confidential Computing TEE parameters.

Srivastava teaches Confidential Computing Trusted Execution Environment (TEE) parameters (Srivastava [0024] AMD SEV provides an open source secure container environment); … [a configuration file] including the Confidential Computing TEE parameters (Srivastava [0024] AMD SEV provides an open source secure container environment) … and the configuration file including the Confidential Computing TEE parameters (Srivastava [0024] AMD SEV provides an open source secure container environment). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the management of containers disclosed by Pascual with the secured execution environment provided for by Srivastava. The motivation for this combination would be to provide the necessary execution environment for the secure containers so that for example even the hypervisor of the operating system may not perform an unauthorized access as discussed in Srivastava [0014].

Srivastava does not explicitly teach [a container image] comprising a plurality of layers … flattening the plurality of layers of the container image into a single layer within the encrypted volume; … [a confidential image comprising:] the disk image comprising the first partition including the attestation parameters.

The combination of Pascual and Srivastava teaches an attestation (Pascual [0019] and [0032] "Once the application node 110 has created the virtual machine 138 and encrypted the portions of the memory 134 and/or storage 135 associated with the virtual machine, the application node 110 may generate an attestation 122. For example, the attestation 122 may be generated based on the encryption parameters 316 and a public key associated with the virtual machine 138. As a specific example, and as discussed further above, the attestation 122 may be generated according to one or more cryptographic certification protocols, such as the X.509 protocols."). Sood teaches a comparable technique of attestation keys and private direct anonymous attestation (DAA) keys being stored in a secure partition of memory (Sood [0031]). One of ordinary skill in the art before the time the invention was effectively filed would have recognized that applying the technique of choosing to store the attestation information inside of a partition of secure memory would have yielded predictable results in merely changing the storage location of the attestation information, and that the application would yield an improved system in view of Sood, "Of course, it should be appreciated that the secure memory 210 may store various other data depending on the particular embodiment (e.g., group names, device identifiers, whitelists, expected PIN values, etc.). In some embodiments, the provisioned data may be stored in read-only memory of the secure memory 210" (Sood [0031], emphasis added).

The combination of Pascual, Srivastava, and Sood teaches receiving … a request to create a confidential container image … comprising a container image and teaches copying a workload from the container image to the encrypted volume (Pascual Fig. 1, [0018], [0026], [0031-0036]). Gao teaches a comparable technique of handling container images that have multiple layers and flattening the multiple layers into a single layer of the container image (Gao Fig. 2-4, [0021], [0026-0027], [0029-0031]). One of ordinary skill in the art before the time the invention was effectively filed would have recognized that applying the technique of handling container images with multiple layers and then flattening the layers into a single layer would have yielded predictable results in producing a container image with a single unified layer, and that application would have yielded an improved system in producing a single layered container image that is ready to be encrypted to prevent access to the underlying layers of the container image in view of Gao (Gao [0026-0027]).

Claim 1 recites substantially the same content and is therefore rejected under the same rationales. Pascual discloses "a method comprising" (Pascual [0036]) "receiving, from a client device, a request to create a confidential container image" (Pascual Fig. 1, [0018] system 100 receives requests from client device 102).

Regarding Claims 2 and 16:
Claim 16. The combination of Pascual, Srivastava, Sood, and Gao further teaches the non-transitory computer-readable storage medium of claim 15, wherein the instructions, when executed by the processing device, further cause the processing device to (Pascual Fig. 7; claim 20): extract, based on the request and prior to copying the disk image, a set of workload parameters from the container image (Pascual [0026] the initial request may include encryption parameters and initial code/payload); and generate, prior to copying the disk image, the configuration file based on the set of workload parameters (Pascual [0026] the initial request may include encryption parameters and initial code/payload, of which is copied into the encrypted memory reserved for the various containers; [0049-0050] may receive a request at the registry and deliver the matching encrypted image containing the proper application/workload). Claim 2 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claims 4 and 18:
Claim 18. The combination of Pascual, Srivastava, Sood, and Gao further teaches the non-transitory computer-readable storage medium of claim 15 (Pascual Fig. 7; claim 20), … and the configuration file (Pascual [0031-0036] empty virtual machine may be created allocating portions of memory and/or storage and "may include initializing execution of the virtual machine (e.g., according to a virtualization protocol such as the Red Hat® Virtualization platform)" to configure it). The combination of Pascual, Srivastava, and Sood does not currently teach wherein to register the confidential container image, the instructions, when executed by the processing device, cause the processing device to provide to the attestation server: a hash of the container image within the encrypted volume; a key used to encrypt the encrypted volume. Srivastava further teaches wherein to register the confidential container image, the instructions, when executed by the processing device, cause the processing device to provide to the attestation server: a hash of the container image within the encrypted volume (Srivastava [0023-0029] "hashes of workload component image disks"); a key used to encrypt the encrypted volume (Srivastava [0034-0036] trust authority 202 may designate a public/private key pair and a digital certificate to be used). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to further combine the registration process taught by Srivastava. The motivation for this combination would be to provide a thorough implementation of the attestation process briefly described in Pascual [0032] and to ensure that the containers are created and validated securely by the trust authority. Claim 4 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claims 5 and 19:
Claim 19. The combination of Pascual, Srivastava, Sood, and Gao further teaches the non-transitory computer-readable storage medium of claim 18 (Pascual Fig. 7; claim 20), wherein the key is a random encryption key (Srivastava [0024] AMD SEV uses AES 128-bit encryption). Claim 5 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claim 7:
The combination of Pascual, Srivastava, Sood, and Gao further teaches the method of claim 1 (Pascual [0036]), wherein the confidential container image comprises: the disk image (Pascual [0016] request may contain the application, firmware, and specified operating system); and the configuration file (Pascual [0031-0036] empty virtual machine may be created allocating portions of memory and/or storage and "may include initializing execution of the virtual machine (e.g., according to a virtualization protocol such as the Red Hat® Virtualization platform)" to configure it, includes encrypting a portion of the storage).

Regarding Claim 8:
Pascual discloses a system comprising: a processing device; and a memory, operatively coupled to the processing device, the memory storing instructions which when executed by the processing device, cause the processing device to (Pascual Fig. 1, [0018]): obtain a confidential container image comprising: a disk image … and a second partition including an encrypted volume, and a configuration file (Pascual [0031-0036] portions of the storage reserved explicitly disclosed; [0019] and [0032-0036]), provide, based on the attestation parameters, a signed launch measurement to an attestation server (Pascual [0019] attestation may be provided to a security controller; [0032] "Once the application node 110 has created the virtual machine 138 and encrypted the portions of the memory 134 and/or storage 135 associated with the virtual machine, the application node 110 may generate an attestation 122. For example, the attestation 122 may be generated based on the encryption parameters 316 and a public key associated with the virtual machine 138. As a specific example, and as discussed further above, the attestation 122 may be generated according to one or more cryptographic certification protocols, such as the X.509 protocols"); open the encrypted volume of the confidential container image using an encryption key obtained from the attestation server based on the signed launch measurement (Pascual [0033-0036]); and execute a workload obtained from the encrypted volume (Pascual [0033-0036]).

Pascual does not explicitly disclose [a disk image] comprising a first partition including attestation parameters … wherein the encrypted volume includes a single layer flattened from a plurality of layers of an original container image associated with the confidential container image; … [a configuration file] including Confidential Computing Trusted Execution Environment (TEE) parameters. Srivastava teaches [a configuration file] including the Confidential Computing Trusted Execution Environment (TEE) parameters (Srivastava [0024] AMD SEV provides an open source secure container environment). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the management of containers disclosed by Pascual with the secured execution environment provided for by Srivastava. The motivation for this combination would be to provide the necessary execution environment for the secure containers so that for example even the hypervisor of the operating system may not perform an unauthorized access as discussed in Srivastava [0014].

Srivastava does not explicitly teach [a confidential image comprising:] a disk image comprising a first partition including attestation parameters… wherein the encrypted volume includes a single layer flattened from a plurality of layers of an original container image associated with the confidential container image. The combination of Pascual and Srivastava teaches an attestation (Pascual [0019] and [0032] "Once the application node 110 has created the virtual machine 138 and encrypted the portions of the memory 134 and/or storage 135 associated with the virtual machine, the application node 110 may generate an attestation 122. For example, the attestation 122 may be generated based on the encryption parameters 316 and a public key associated with the virtual machine 138. As a specific example, and as discussed further above, the attestation 122 may be generated according to one or more cryptographic certification protocols, such as the X.509 protocols."). Sood teaches a comparable technique of attestation keys and private direct anonymous attestation (DAA) keys being stored in a secure partition of memory (Sood [0031]). One of ordinary skill in the art before the time the invention was effectively filed would have recognized that applying the technique of choosing to store the attestation information inside of a partition of secure memory would have yielded predictable results in merely changing the storage location of the attestation information, and that the application would yield an improved system in view of Sood, "Of course, it should be appreciated that the secure memory 210 may store various other data depending on the particular embodiment (e.g., group names, device identifiers, whitelists, expected PIN values, etc.). In some embodiments, the provisioned data may be stored in read-only memory of the secure memory 210" (Sood [0031], emphasis added).

The combination of Pascual, Srivastava, and Sood teaches obtaining a confidential container image comprising … including an encrypted volume (Pascual [0031-0036] portions of the storage reserved explicitly disclosed; [0019] and [0032-0036]). Gao teaches a comparable technique of handling container images that have multiple layers and flattening the layers into a single layer of the container image (Gao Fig. 2-4, [0021], [0026-0027], [0029-0031]). One of ordinary skill in the art before the time the invention was effectively filed would have recognized that applying the technique of handling container images with multiple layers and then flattening the layers into a single layer would have yielded predictable results in producing a container image with a single unified layer, and that application would have yielded an improved system in producing a single layered container image that is ready to be encrypted to prevent access to the underlying layers of the container image in view of Gao (Gao [0026-0027]).

Regarding Claim 10:
The combination of Pascual, Srivastava, Sood, and Gao further teaches the system of claim 8 (Pascual Fig. 1, [0018]), wherein the encryption key is a random encryption key (Pascual [0026] the encryption parameters may be SHA-256, AES-256, RSA and the like).

Regarding Claim 14:
The combination of Pascual, Srivastava, Sood, and Gao further teaches the system of claim 14 (Pascual Fig. 1, [0018]), wherein the Confidential Computing TEE parameters comprise a trusted computing base (TCB) identity digest (Srivastava [0024] AMD SEV provides an open source secure container environment).

Regarding claims 21 and 23:
Claim 23. The combination of Pascual, Srivastava, Sood, and Gao further teaches the non-transitory computer-readable storage medium of claim 15, wherein the Confidential Computing TEE parameters and the attestation parameters include a Versioned Chip Endorsement Key (VCEK) certificate chain (Srivastava [0014-0016] certificate chain of trust implemented using AMD SEV of which VCEK attestation process includes AMD SEV, [0024-0029] AMD SEV to certify certificates and establish chain of trust). Claim 21 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claim 22:
The combination of Pascual, Srivastava, Sood, and Gao further teaches the system of claim 8, wherein the Confidential Computing TEE parameters and the attestation parameters include a Versioned Chip Endorsement Key (VCEK) certificate chain (Srivastava [0014-0016] certificate chain of trust implemented using AMD SEV of which VCEK attestation process includes AMD SEV, [0024-0029] AMD SEV to certify certificates and establish chain of trust).

Claim(s) 3, 11-12, and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Pascual, Srivastava, Sood, and Gao as applied to claims 1-2, 4-5, 7-8, 10, 14-16, 18-19, 20, and 21-23, further in view of Chen et al. (US Publication No. US 2023/0367574 A1), hereinafter Chen.

Regarding Claims 3 and 17:
Claim 17. The combination of Pascual, Srivastava, Sood, and Gao further teaches the non-transitory computer-readable storage medium of claim 16 (Pascual Fig. 7; claim 20). The combination of Pascual, Srivastava, Sood, and Gao does not teach wherein the set of workload parameters comprises: environment variables; an entry point of the workload; a set of arguments for the entry point of the workload; and a list of network ports to be exposed by the workload. Chen teaches a non-transitory computer-readable storage medium wherein the set of workload parameters comprises: environment variables (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file); an entry point of the workload (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file); a set of arguments for the entry point of the workload (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file); and a list of network ports to be exposed by the workload (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to combine the container image management disclosed by Pascual, the secure execution environment taught by Srivastava, the attestation management taught by Sood, and the layered containers of Gao with the configuration file taught by Chen. The motivation for this combination would be to ensure that the security and configuration of the containers may be maintained with configuration files instead of each container requiring individual configuration. Claim 3 recites substantially the same content and is therefore rejected under the same rationales.

Regarding Claim 11:
The combination of Pascual, Srivastava, Sood, and Gao further teaches the system of claim 8 (Pascual Fig. 1, [0018]). The combination of Pascual, Srivastava, Sood, and Gao does not teach wherein the configuration file further comprises workload parameters. Chen teaches a system wherein the configuration file further comprises workload parameters (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file). It would have been obvious to one having ordinary skill in the art before the time the invention was effectively filed to further combine the combination of Pascual, Srivastava, Sood, and Gao with the configuration file of Chen. The motivation for this combination would be to improve security by allowing for the standardization and maintaining of the container images through configuration files instead of having to specifically configure each container as discussed in Chen [0025].

Regarding Claim 12:
The combination of Pascual, Srivastava, Sood, Gao, and Chen further teaches the system of claim 11 (Pascual Fig. 1, [0018]), wherein to execute the workload, the processing device is to apply the workload parameters obtained from the configuration file (Chen Fig. 1A bundle builder 120 accepts configuration files for images; Fig. 6 is an example of a configuration file provided; [0035] and [0049] configuration file).

Conclusion
The prior art made of record in the submitted PTO-892 Notice of References Cited and not relied upon is considered pertinent to applicant's disclosure. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MIGUEL A LOPEZ whose telephone number is (703) 756-1241. The examiner can normally be reached 8:00AM-5:00PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.A.L./ Examiner, Art Unit 2496
/JORGE L ORTIZ CRIADO/ Supervisory Patent Examiner, Art Unit 2496
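The rejected claims describe one build-then-attest pipeline: flatten the container image's layers into a single layer, seal that layer in an encrypted volume on the second partition of a disk image, put the attestation parameters on the first partition and the TEE parameters in a configuration file, register the volume's key and the workload hash with an attestation server (claims 4 and 18), and at launch hand the server a signed launch measurement and receive the volume key back only if it checks out (claim 8). The following Python model is an added illustration of that flow written for this page; it is not Red Hat's implementation, nor code from Pascual, Srivastava, Sood, Gao or Chen. Its assumptions are labelled in the comments: an HMAC under a shared platform key stands in for the VCEK-signed attestation report, a SHA-256 keystream with an HMAC tag stands in for a real AES/LUKS volume, the "disk image" is a plain dict of two partitions plus a config blob, and the sample layers and entry point are constructed.

```python
# Added illustration of the claimed build/attest/launch flow. Constructed example,
# not Red Hat's code or code from any reference cited in the Office Action.
# Assumptions: HMAC over the measurement stands in for a VCEK-signed report; a
# SHA-256 keystream plus HMAC tag stands in for AES/LUKS; the disk image is a dict.
import hashlib
import hmac
import json
import secrets

WHITEOUT = ".wh."   # OCI layer convention: ".wh.<name>" deletes <name> from lower layers


def flatten_layers(layers):
    """Collapse ordered OCI-style layers into one flat layer (the claimed
    'flattening the plurality of layers'). Whiteouts are honoured, so a secret
    removed in a later layer does not survive into the sealed volume."""
    flat = {}
    for layer in layers:
        for path, data in layer.items():
            directory, _, name = path.rpartition("/")
            if name.startswith(WHITEOUT):
                target = name[len(WHITEOUT):]
                flat.pop(f"{directory}/{target}" if directory else target, None)
            else:
                flat[path] = data
    return flat


def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Stand-in for writing the workload into an encrypted volume (nonce|ct|tag)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("encrypted volume failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AttestationServer:
    """Stores, per registered image, the workload hash and volume key, and releases
    the key only for a launch measurement that is both correctly signed and known."""

    def __init__(self, trusted_platform_keys):
        self.platform_keys = trusted_platform_keys   # assumption: stands in for the VCEK chain
        self.registry = {}                           # measurement -> (workload hash, volume key)

    def register(self, measurement, workload_hash, volume_key):
        self.registry[measurement] = (workload_hash, volume_key)

    def release_key(self, measurement, signature):
        if not any(hmac.compare_digest(signature, hmac.new(pk, measurement, hashlib.sha256).digest())
                   for pk in self.platform_keys):
            raise PermissionError("launch measurement signature not trusted")
        if measurement not in self.registry:
            raise PermissionError("launch measurement does not match a registered image")
        return self.registry[measurement]


def launch_measurement(image):
    """What gets measured at launch: the attestation partition and the config file.
    The encrypted volume is still sealed at this point, so it is not measured."""
    return hashlib.sha256(image["partition1"] + image["config"]).digest()


def build_confidential_image(container_image, attestation_server_id, tee_params, server):
    flat = flatten_layers(container_image["layers"])
    workload = json.dumps(flat, sort_keys=True).encode()
    volume_key = secrets.token_bytes(32)                 # random key, as in claims 5/10
    image = {
        "partition1": json.dumps({"attestation_server": attestation_server_id}).encode(),
        "partition2": seal(volume_key, workload),
        "config": json.dumps({"tee": tee_params, "entrypoint": container_image["entrypoint"]}).encode(),
    }
    server.register(launch_measurement(image), hashlib.sha256(workload).hexdigest(), volume_key)
    return image


def launch(image, server, platform_key):
    measurement = launch_measurement(image)
    signature = hmac.new(platform_key, measurement, hashlib.sha256).digest()   # "signed" report
    expected_hash, key = server.release_key(measurement, signature)
    workload = open_sealed(key, image["partition2"])
    if hashlib.sha256(workload).hexdigest() != expected_hash:
        raise ValueError("decrypted workload does not match registered hash")
    return json.loads(workload), json.loads(image["config"])["entrypoint"]


def launch_outcome(image, server, platform_key):
    """Label the two refusal paths so a caller can tell a bad host from a tampered volume."""
    try:
        return "ok", launch(image, server, platform_key)
    except PermissionError:
        return "refused", None
    except ValueError:
        return "tampered", None


# Constructed sample input: three layers; the last one deletes a secret left in the first.
SAMPLE_IMAGE = {
    "layers": [
        {"app/main.py": "print('hi')", "app/.env": "DB_PASSWORD=hunter2"},
        {"app/lib.py": "def f(): pass"},
        {"app/.wh..env": ""},
    ],
    "entrypoint": ["python", "app/main.py"],
}
```

Two points the model makes that the claim language alone does not: the launch measurement must cover the plaintext partition and config but cannot cover the sealed volume, which is why the server also needs the workload hash to check after decryption; and a byte flipped in the sealed volume is caught by the integrity tag before anything is executed, whereas a host that cannot produce a trusted signature never receives the key at all.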

Prosecution Timeline

Nov 15, 2022
Application Filed
Nov 06, 2024
Non-Final Rejection — §103
Jan 16, 2025
Response Filed
Mar 06, 2025
Final Rejection — §103
Apr 22, 2025
Interview Requested
Apr 29, 2025
Request for Continued Examination
May 04, 2025
Response after Non-Final Action
May 20, 2025
Non-Final Rejection — §103
Aug 07, 2025
Interview Requested
Aug 14, 2025
Examiner Interview Summary
Aug 14, 2025
Applicant Interview (Telephonic)
Aug 14, 2025
Response Filed
Nov 14, 2025
Final Rejection — §103
Feb 04, 2026
Request for Continued Examination
Feb 15, 2026
Response after Non-Final Action
Feb 17, 2026
Non-Final Rejection — §103 (current)


Prosecution Projections

5-6
Expected OA Rounds
0%
Grant Probability
0%
With Interview (+0.0%)
3y 1m
Median Time to Grant
High
PTA Risk
Based on 19 resolved cases by this examiner. Grant probability derived from career allow rate.
