DETAILED ACTION
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is responsive to the amendment filed 02/27/2026.
Claims 1-20 are pending in this application.
The Examiner thanks the Applicant for pointing out typographical errors in the previous Office Action. On pages 9-12 of the Office Action, “Che teaches” (claims 1-7) should read “Kaplan teaches”. (As indicated in the 35 USC § 102 section, “claims 1-20 are rejected...as being anticipated by Kaplan et al.”).
Allowable Subject Matter
2. Claims 2, 5, 10, 16, and 19 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims, subject to the results of a final search by the Examiner.
Claim Rejections - 35 USC § 102
3. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kaplan et al. (US 20180107608).
It is noted that any citations to specific, pages, columns, paragraphs, lines, or figures in the prior art references and any interpretation of the reference should not be considered to be limiting in any way. A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art. See MPEP 2123.
As to claim 8:
Kaplan teaches a method ([0007]: a method of processing memory access requests)
comprising:
preventing, execution of a first MMIO request for a first virtual machine (VM) responsive to the first MMIO request being targeted to at least one memory address outside of a first set of memory addresses assigned to the first VM ([0031-0032]: the security module 310 associates the VMs with the I/O device VFs by assigning a unique identification tag value (e.g., the VM TAG) to each VF. When the processor 302 executes VM-A, it is loaded with a VM-A TAG (i.e., identification tag value) and this tag is used when accessing memory…This same tag is provided when accessing memory-mapped I/O (MMIO) registers in the I/O device 318. The IOMMU 322 is configured with protection tables to identify whether an MMIO request with VM-A Tag is allowed to access the requested MMIO address. In some embodiments, the IOMMU includes a lookup table (not shown) which contains MMIO apertures (e.g., portions of memory physical address space associated with the MMIO registers) along with VM accessibility. The lookup table is used to check MMIO traffic (e.g., read/writes from the VMs to MMIO of the I/O device 318) and associates VM TAGS with allowable downstream MMIO address ranges. The VM TAG is included in MMIO access requests to authorize traffic from the VMs to the I/O device 318. If a mismatch in the VM TAG value between the value provided by the VM and the value assigned to the VF, access to the I/O device 318 MMIO is prevented. This MMIO isolation prevents a malicious hypervisor from controlling a VF that has access to a VM).
As to claim 9:
Kaplan teaches executing, at an input/output memory management unit (IOMMU), a second MMIO request for the first VM responsive to the second MMIO request being targeted to at least one memory address of the first set of memory addresses assigned to the first VM ([0036-0038]).
As to claim 11:
Kaplan teaches preventing, execution of the first MMIO request for a first virtual machine (VM) responsive to the first MMIO request being targeted to a communication port not assigned to the first VM ([0027-0028] and [0032-0033]).
As to claim 12:
Kaplan teaches receiving the first set of memory addresses assigned to the first VM from a security coprocessor of a processor configured to execute the first VM ([0013-0014] and [0037-0038]).
As to claim 13:
Kaplan teaches determining the first set of memory addresses assigned to the first VM based on a mapping table mapping addresses associated with the first VM ([0013] and [0040]).
As to claim 14:
Kaplan teaches the mapping table is cached at an IOMMU ([0036-0037]).
As to claim 1:
Kaplan teaches a method ([0007]: a method of processing memory access requests)
comprising:
in response to receiving a first memory mapped input/output (MMIO) request associated with a first virtual machine (VM), identifying whether the first MMIO request is targeted to at least one of a set of memory addresses assigned to the first VM ([0025-0026]: The hypervisor 208 maps (e.g., assigns) the VFs 218, 220 to the VMs 204, 206. For example, VF-A 218 is mapped to VM-A 204 and VF-B 220 is mapped to VM-B 206. Further, the security module 210 associates the VMs with the I/O device VFs by assigning a unique identification tag value (e.g., the VM TAG) to each VF. This configuration provides a path from the VMs to the registers of the I/O device 216 via the IOMMU 224 and ensures that only authorized VMs can reach the registers of their associated VFs…An IOMMU 224 is used to connect devices (such as the I/O device 216) to the memory controller 222. The IOMMU 224 provides an interface for the I/O device 216 to communicate with the memory 214. The memory controller 222 receives memory access requests (e.g., direct memory access requests) from the I/O device 216 via IOMMU 224 and controls provision of those requests to the memory 214. In addition, the memory controller 222 receives responses to memory access requests from the memory 214 and controls provision of the responses to the I/O device 216); and
preventing, execution of the first MMIO request responsive to identifying that the first MMIO request is targeted to a memory address outside the set of memory addresses assigned to the first VM ([0031-0032]: the security module 310 associates the VMs with the I/O device VFs by assigning a unique identification tag value (e.g., the VM TAG) to each VF. When the processor 302 executes VM-A, it is loaded with a VM-A TAG (i.e., identification tag value) and this tag is used when accessing memory…This same tag is provided when accessing memory-mapped I/O (MMIO) registers in the I/O device 318. The IOMMU 322 is configured with protection tables to identify whether an MMIO request with VM-A Tag is allowed to access the requested MMIO address. In some embodiments, the IOMMU includes a lookup table (not shown) which contains MMIO apertures (e.g., portions of memory physical address space associated with the MMIO registers) along with VM accessibility. The lookup table is used to check MMIO traffic (e.g., read/writes from the VMs to MMIO of the I/O device 318) and associates VM TAGS with allowable downstream MMIO address ranges. The VM TAG is included in MMIO access requests to authorize traffic from the VMs to the I/O device 318. If a mismatch in the VM TAG value between the value provided by the VM and the value assigned to the VF, access to the I/O device 318 MMIO is prevented. This MMIO isolation prevents a malicious hypervisor from controlling a VF that has access to a VM; see also, [0041]).
As to claim 3:
Kaplan teaches receiving the set of memory addresses assigned to the first VM from a security coprocessor of a processor configured to execute the first VM ([0013-0014] and [0037-0038]).
As to claim 4:
Kaplan teaches preventing execution of the first MMIO request responsive to identifying that the first MMIO request is targeted to a port number not assigned to the set of memory addresses ([0027-0028] and [0032-0033]).
As to claim 6:
Kaplan teaches the MMIO request targets an input/output device ([0021] and [0032).
As to claim 7:
Kaplan teaches responsive to identifying that the first MMIO request is targeted to a memory address assigned to the first VM, selecting an encrypted data stream to execute the first MMIO request ([0028-0029] and [0038-0039]).
As to claims 15, 17, 18, and 20:
Refer to the discussion of claims 1, 3, 4, and 7 above, respectively, for rejection. Claims 15, 17, 18, and 20 are the same as claims 1, 3, 4, and 7, except claims 15, 17, 18, and 20 are processor claims and claims 1, 3, 4, and 7 are method claims.
Response to Arguments
4. Applicant’s arguments filed 02/27/2026 have been fully considered but they are not
persuasive.
Applicant argues that Kaplan does not teach “preventing, execution of a first MMIO request for a first virtual machine (VM) responsive to the first MMIO request being targeted to at least one memory address outside of a first set of memory addresses assigned to the first VM.”
In response, under a broadest reasonable interpretation, Kaplan’s teaching “the security module 310 associates the VMs with the I/O device VFs by assigning a unique identification tag value (e.g., the VM TAG) to each VF. When the processor 302 executes VM-A, it is loaded with a VM-A TAG (i.e., identification tag value) and this tag is used when accessing memory…This same tag is provided when accessing memory-mapped I/O (MMIO) registers in the I/O device 318. The IOMMU 322 is configured with protection tables to identify whether an MMIO request with VM-A Tag is allowed to access the requested MMIO address. In some embodiments, the IOMMU includes a lookup table (not shown) which contains MMIO apertures (e.g., portions of memory physical address space associated with the MMIO registers) along with VM accessibility. The lookup table is used to check MMIO traffic (e.g., read/writes from the VMs to MMIO of the I/O device 318) and associates VM TAGS with allowable downstream MMIO address ranges. The VM TAG is included in MMIO access requests to authorize traffic from the VMs to the I/O device 318. If a mismatch in the VM TAG value between the value provided by the VM and the value assigned to the VF, access to the I/O device 318 MMIO is prevented. This MMIO isolation prevents a malicious hypervisor from controlling a VF that has access to a VM” ([0031-0032]) reads-on “preventing, execution of a first MMIO request for a first virtual machine (VM) responsive to the first MMIO request being targeted to at least one memory address outside of a first set of memory addresses assigned to the first VM.”
During patent examination, the pending claims must be “given their broadest reasonable interpretation consistent with the specification.” In re Hyatt 21 1 F.3d 1367, 1372, 54 USPQ2d 1664, 166du7 (Fed. Cir. 2000).
Applicant argues that the cited portions of Kaplan do not teach claims 4, 7, 11, 18, and 20.
In the Office Action, the examiner mapped each claimed limitation to specific relevant passages in the reference to show how the reference meets the claim limitations. Applicants in response did not provide any underlying analysis as to why the portions of the prior art relied on did not support the examiner’s position. This response by Applicants is insufficient to satisfy the requirement of specific argument to have the claims considered for patentability; in accordance with 37 C.F.R. § 1.111 Applicant must distinctly and specifically point out “how the language of the claims patentably distinguishes them from the references”.
Conclusion
5. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Contact Information
6. Any inquiry concerning this communication or earlier communications from the examiner should be directed to VAN H. NGUYEN whose telephone number is (571) 272-3765. The examiner can normally be reached on Monday- Friday from 9:00AM to 5:30 PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LEWIS BULLOCK, can be reached at telephone number (571) 272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center or Private PAIR to authorized users only. Should you have questions about access to Patent Center or the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated- interview-request-air-form.
/VAN H NGUYEN/Primary Examiner, Art Unit 2199