DETAILED ACTION
Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed 02/02/2026 have been fully considered but they are not persuasive.
Regarding applicant’s argument that Deymonnaz, Siegler, Baltes, Vajravel, Khatri, Kumar, and/or Nix do not teach accessing two or more secure boot keys from a table that stores a plurality of secure boot keys, and performing an authentication process using each of the subset of secure boot keys, Examiner respectfully disagrees. Baltes at least in paragraph [0030] teaches two or more secure boot keys being accessed from a table that stores a plurality of secure boot keys. Deymonnaz in at least paragraph [0082] teaches performing an authentication process using each of the subset of secure boot keys.
Regarding applicant’s arguments that Baltes cannot be construed to teach accessing two or more secure boot keys from a table that stores a plurality of secure boot keys, Examiner respectfully disagrees. Applicant cites that Baltes teaches the bootloader uses the last valid key in the key table as the current valid key and whenever a new updated bootloader is written, the previously used public key is invalidated such that only the last (i.e. a single) public key is used, and therefore Baltes cannot teach accessing two or more secure boot keys from a table. However, the claim language does not explicitly claim that the keys are accessed at the same time. The keys may be accessed at different times, thus, Baltes does teach accessing two or more secure boot keys from a table that stores a plurality of secure boot keys.
Regarding applicant’s arguments that Baltes cannot be construed to teach performing an authentication process using each of the subset of secure boot keys, Examiner respectfully disagrees. One cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). Deymonnaz is used to teach performing an authentication process using each of the subset of secure boot keys at least in paragraph [0082].
For at least these reasons, Deymonnaz, Siegler, Baltes, Vajravel, Khatri, Kumar, and/or Nix, in combination do teach accessing two or more secure boot keys from a table that stores a plurality of secure boot keys, and performing an authentication process using each of the subset of secure boot keys. Therefore, the current rejection is maintained.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claim(s) 1, 4, 8, 9, 15, 16, 18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. 20180198629 A1 to Deymonnaz et al. (Deymonnaz) in view of US 20070067634 A1 to Siegler (Siegler), and in further view of US 20130111203 A1 to Baltes et al. (Baltes).
Regarding claim 1, Deymonnaz teaches a multi-party authorized secure boot system comprising: a processing device comprising one or more processors (Deymonnaz [0115], e.g., programmable processor) and one or more memory units (Deymonnaz [0115], e.g., memory device) including instructions (Deymonnaz [0115], e.g., computer program instructions) that, upon execution by the processors, cause the processing device to: during a boot process of the processing device, identify two or more secure boot keys that may be used to authorize, using an authentication process, an ensuing phase of the boot process (Deymonnaz [0048], e.g., Part of the boot process for the user device 140 includes checking the key version code against the stored version code to verify that the key used is current; [0051], e.g., After the developer has selected the desired set of software modules, the developer can instruct the platform provider system 110 to generate the software image and appropriate signatures), [the two or more secure boot keys being accessed from a table that stores a plurality of the secure boot keys and an indication whether each of the secure boot keys have been invalidated]; identify a subset of the secure boot keys that are to be used to perform the authentication process (Deymonnaz [0051], e.g., selected the desired set of software modules, Fig. 2, element 200; Note that software modules comprises of a signature and key; [0088], e.g., The bootloader performs verification steps for each module 440a-440d in the software image) [wherein the subset is less than a total quantity of the secure boot keys]; and using each of the subset of secure boot keys, perform the authentication process based upon whether the two or more secure boot keys have been invalidated (Deymonnaz [0082], e.g., In step 518, the bootloader determines if there is a match between the key used to sign the module-specific vbmeta image and a public key in the chain descriptor within the image-level vbmeta partition 432); [0048], e.g., Part of the boot process for the user device 140 includes checking the key version code against the stored version code to verify that the key used is current. During boot, if the user device 140 determines that a software module 132 is signed using an outdated key, the user device 140 may block execution of the software module or terminate the boot process to avoid running software that is potentially unsafe)
Deymonnaz does not explicitly teach, but Siegler teaches wherein the subset of the secure boot keys is less than a total quantity of the secure boot keys (Siegler [0049], e.g., In an exemplary embodiment, the first and second private keys used to construct the first and second digital signatures have been selected from within a larger set of N private keys (such as 10 or more) and referred to as "2 of N" signing where N represents the total number of private keys within the larger set of private keys).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the teachings of Deymonnaz with the teachings of Siegler with reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of flexibility in use of the system in case of a key compromise. (Siegler [0049], e.g., advantage of having a large set of these keys in the first device is that it provides flexibility in use of the system should a key become compromised in some way. If a key is compromised, it can be erased, invalidated, retired, etc. from use).
Deymonnaz and Siegler do not explicitly teach, but Baltes teaches the two or more secure boot keys being accessed from a table that stores a plurality of the secure boot keys (Baltes [0030], e.g., Several of the memory slots 124 in the memory segment 122, here four slots, are defined as a key table 126 and are dedicated for only storing public keys within the bootloader memory segment 122) and an indication whether each of the secure boot keys have been invalidated (Baltes [0030], e.g., Each memory slot in the key table 126 includes a validity flag 130 that identifies those keys that are currently valid).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the combined teachings of Deymonnaz and Siegler with the teachings of Baltes with reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of marking keys that are compromised and need to be replaced (Baltes [0008], e.g., If the public key in the bootloader is compromised or needs to be replaced for other reasons, it is desirable to provide a secure method by the appropriate service personnel to allow the key to be replaced. The bootloader generally uses only one flash segment of memory, which includes the public key, so the public key cannot be made a separately programmable calibration. Thus, if the public key needs to be replaced, the entire bootloader needs to be rewritten and replaced, which is undesirable as an interrupted operation could lead to an ECU that can no longer be programmed).
Regarding claim 4, most of the limitations of this claim have been noted in the rejection of claim 1. Deymonnaz further teaches wherein the secure boot keys are owned and managed by different parties (Deymonnaz [0036], e.g., the boot stack includes code from at least three parties, each of which have their own signing keys to sign their part of the software).
Regarding claim 8, most of the limitations of this claim have been noted in the rejection of claim 1. Deymonnaz further teaches wherein the instructions, upon execution, cause the processing device to when the ensuing phase does not pass the authentication process, inhibit booting of the ensuing phase (Deymonnaz [0104], e.g., However, if any of the verification steps 605-613 fails, e.g., indicates a difference from the expected values, the device 140 may block booting to avoid operating using insecure software. Similarly, if the values needed to perform the verification steps cannot be accessed, or if the permanent product attributes are not successfully verified in step 602, the device 140 may refuse to boot).
Regarding claim 9, the claim recites a multi-party authorized secure boot method of the system of claim 1, and is similarly analyzed.
Regarding claim 15, the claim recites a multi-party authorized secure boot method of the system of claim 8, and is similarly analyzed.
Regarding claim 16, the claim recites a memory storage device of the method of claim 9, and it similarly analyzed.
Regarding claim 18, the claim recites a memory storage device of the system of claim 4, and is similarly analyzed.
Regarding claim 20, the claim recites a memory storage device of the system of claim 8, and is similarly analyzed.
Claim(s) 2, 3, 10, 11 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Deymonnaz in view of Siegler and Baltes, and in further view of US 20190018966 A1 to Khatri et al. (Khatri).
Regarding claim 2, most of the limitations of this claim have been noted in the rejection of claim 1. Deymonnaz. Siegler, and Baltes do not explicitly teach, but Khatri teaches a processing device comprising a Baseboard Management Controller (Khatri [0032], e.g., board management controller (BMC) 144) configured in an Information Handling System (Khatri [0032], e.g., IHS 100).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified combined teachings of Deymonnaz, Siegler, and Baltes with the teachings of Khatri with a reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of remotely managing the information handling system (Khatri [0032], e.g., to enable remote management of IHS 100. For example, BMC 144 may enable a user to discover, configure, and manage BMC 144, setup configuration options, resolve and administer hardware or software problems)
Regarding claim 3, most of the limitations of this claim have been noted in the rejection of claim 2. Deymonnaz further teaches wherein the instructions are performed during a fused authentication phase of the boot process (Fig. 5, elements 504, 506, 508, 518, 522; Deymonnaz teaches the fused authentication process because the fused process comprises of a boot method, certificate key ([0090], e.g., PRK public key), and a storage ([0090], e.g., protected storage) for the certificate keys).
Regarding claim 10, the claim recites a multi-party authorized secure boot method of the system of claim 2, and is similarly analyzed
Regarding claim 11, the claim recites a multi-party authorized secure boot method of the system of claim 1, and is similarly analyzed.
Regarding claim 17, the claim recites a memory storage device of the system of claim 3, and is similarly analyzed.
Claim(s) 5 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Deymonnaz in view of Siegler and Baltes, and in further view of U.S. Patent No. 10,057,243 B1 to Kumar et al. (Kumar).
Regarding claim 5, most of the limitations of this claim have been noted in the rejection of claim 1. Deymonnaz further teaches wherein the instructions, upon execution, cause the processing device to identify the subset ([0051], e.g., selected the desired set of software modules) of the secure boot keys ([0049], e.g., corresponding signatures and public keys). However, Deymonnaz, Siegler, and Baltes do not explicitly teach but, Kumar teaches to perform an authentication process using one or more Boolean operators (Col. 20, lines 40-46 e.g., logical operator).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the combined teachings of Deymonnaz, Siegler, and Baltes with the teachings of Kumar with a reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit as countermeasure to detect compromise of public-private key pairs associated with the signing and verification process as taught by Kumar (Col. 20, lines 40-46, e.g., countermeasure).
Regarding claim 12, the claim recites a multi-party authorized secure boot method of the system of claim 5, and is similarly analyzed.
Claim(s) 6, 7, 13, 14, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Deymonnaz in view of Siegler, Baltes and Kumar, and further in view of U.S. Patent No. 10,169,587 B1 to Nix (Nix).
Regarding claim 6, most of the limitations of this claim have been noted in the rejection of claim 5. Deymonnaz further teaches the secure boot keys ([0049], e.g., corresponding signatures and public keys, Fig. 2, element 200). However, Deymonnaz and Siegler, and Baltes do not explicitly teach, but Kumar teaches a relationship of the secure boot keys using the Boolean operators (Col. 20, lines 40-46 e.g., logical operator).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified the combined teachings Deymonnaz, Siegler, and Baltes with the teachings of Kumar with a reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit as a countermeasure to detect compromise of public-private key pairs associated with the signing and verification process as taught by Kumar (Col. 20, lines 40-46, e.g., countermeasure).
Deymonnaz, Siegler, Baltes, and Kumar do not explicitly teach, but Nix teaches wherein the instructions, upon execution, cause the processing device to access the table (Col. 37, lines 17-36, e.g., key table; Note it is implied that a table will be accessed to fetch keys stored in a key table).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified combined teachings Deymonnaz, Siegler, Baltes, and Kumar with the teachings of Nix with a reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of faster search and retrieval of keys.
Regarding claim 7, most of the limitations of this claim have been noted in the rejection of claim 6. Deymonnaz further teaches to determine whether either one of the secure boot keys has been invalidated (Deymonnaz, [0035], e.g., detect that the signature no longer valid; Deymonnaz states that signature data for the module can include a corresponding signature and public key; [0044], e.g., signature data, corresponding signature and public key; Also note that a certificate key comprises of a key and signature). However, Deymonnaz, Siegler, Baltes, and Kumar do not explicitly teach, but Nix teaches wherein the instructions, upon execution, cause the processing device to access a table (Col. 37, lines 17-36, e.g., key table; Note it is implied that a table will be accessed to fetch keys stored in a key table) to determine an appropriate cryptographic algorithm (Col. 40, lines 54-65, e.g., hash algorithm 199e; Fig. 2b, e.g., element 199) for each cert.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention, to have modified to have modified combined teachings Deymonnaz, Siegler, Baltes, and Kumar with the teachings of Nix with a reasonable expectation of success. One of ordinary skill in the art would have been motivated to make the modification for the benefit of adding another layer of defense through the use of multiple sets of cryptographic parameters, as taught by Nix (Col. 38, lines 38-41, e.g., second set), in the case that a hash algorithm becomes compromised or cracked.
Regarding claim 13, the claim recites a multi-party authorized secure boot method of the system of claim 5, and these are similarly analyzed.
Regarding claim 14, the claim recites a multi-party authorized secure boot method of the system of claim 7, and is similarly analyzed.
Regarding claim 19, the claim recites a memory storage device of the system of claim 7, and is similarly analyzed.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. US 20150058979 A1 to Peeters et al. discloses employing a plurality of signature verification keys in the boot loader. The bootloader uses a validity bit to verify that a key is valid. US 20220180005 A1 to Kwok et al. discloses a key store storing one or more cryptographic keys. The key store includes an indicator associated with one or more cryptographic keys to activate or disable the associated key.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LAWRENCE TRUONG whose telephone number is (571)272-6973. The examiner can normally be reached Monday - Friday, 8:00 am - 4 pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ali Shayanfar can be reached at (571) 270-1050. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/LAWRENCE TRUONG/Examiner, Art Unit 2434
/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434