Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Claims 1-20 are pending.
Examiner Notes
Examiner cites particular paragraphs and/or columns and lines in the references as applied to Applicant’s claims for the convenience of the Applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the Applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner. The prompt development of a clear issue requires that the replies of the Applicant meet the objections to and rejections of the claims. Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Authorization for Internet Communications in a Patent Application
Applicant is encouraged to file an Authorization for Internet Communications in a Patent Application form (http://www.uspto.gov/sites/default/files/documents/sb0439.pdf) along with the response to this office action to facilitate and expedite future communication between Applicant and the examiner. If the form is submitted then Applicant is requested to provide a contact email address in the signature block at the conclusion of the official reply.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 3, 8, 10, 12, 17, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nystrom et al. (US 2015/0178504) (hereinafter Nystrom) in view of Shi et al. (US 2018/0181426) (hereinafter Shi).
As per claim 1, Nystrom primarily teaches the invention as claimed including a system comprising:
a processor (fig. 1, block 120);
memory comprising program code executable by the processor (fig. 1, block 130), the program code comprising an instance of a virtual machine (fig. 5, blocks 208-210) and a virtual trusted platform module (vTPM) (fig. 5, blocks 220-222), the vTPM configured to:
the first key configured to unseal a sealed state of an operating system of the virtual machine ([0071] secret key can decrypt a virtual hard drive of a virtual machine and [0075]-[0076] unseal operation performed by key distribution service and the unseal operation will succeed and the host will be provided with a key to decrypt the virtual machine’s vTPM or virtual hard drive);
utilize the first key to unseal the sealed state of the operating system ([0071] secret key can decrypt a virtual hard drive of a virtual machine and [0075]-[0076] unseal operation performed by key distribution service and the unseal operation will succeed and the host will be provided with a key to decrypt the virtual machine’s vTPM or virtual hard drive); and
provide the unsealed state to the instance of the virtual machine to cause the instance of the virtual machine to boot the operating system based on the unsealed state ([0076] if the host is in a state compliant with the policy, the unseal will succeed and the host will be provided with a key to decrypt the virtual machine's vTPM or a key to decrypt virtual hard drives directly. At this point the virtual machine may boot, since the vTPM is available to unseal the key necessary to decrypt the virtual hard drives of the virtual machine. If the vTPM state after boot is in accordance with the tenant's policy, an unlock will occur).
Nystrom does not explicitly teach:
receive a first seed value representative of a system feature of the system;
generate a first key from the first seed value.
However, Shi teaches:
receive a first seed value representative of a system feature of the system ([0008] the primary seed acquisition request carries information such as a universally unique identifier and [0034] host operating system creates, on the virtual platform by using Libvirt, a virtual machine that has a vTPM configured therein. The virtual machine includes a client operating system and various function components such as a virtual CPU and a hard disk. The client operating system is an operating system that is run by a virtual machine managed by the virtual platform);
generate a first key from the first seed value ([0071] create the root key for the vTPM according to the primary seed and [0073] create a virtual endorsement key for the vTPM based on the endorsement primary seed).
Shi and Nystrom are both concerned with vTPMs and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi because it would provide a way for a physical host to encrypt, by using the public key, a universally unique identifier (UUID) and the other information that are to be sent to a key management center (KMC). This prevents the UUID and the other information from being intercepted by another user in a process of sending to the KMC, and improves information security of the virtual machine. The KMC can encrypt the generated primary seed by using the stored private key, and send the encrypted primary seed to the physical host. When receiving the primary seed that is encrypted by the KMC by using the private key, the physical host invokes the public key from the first TPM, and decrypts the encrypted primary seed by using the public key to obtain the primary seed. By encrypting the primary seed, security of the primary seed is effectively ensured. The KMC can also store the generated primary seed and the UUID in a database. Even if the first TPM or a mainboard of a physical platform is damaged, the virtual machine can still obtain the primary seed from the KMC, and further recover the same root key according to the primary seed and set up a same key system, thereby effectively preventing a loss of data in the virtual machine. This reduces operation complexity and saves resources, without breaking a key hierarchy in the virtual machine.
As per claim 3, Shi teaches wherein to receive the first seed value, the vTPM is further configured to: transmit, to a host service of the system, a request for the first seed value; and receive, from the host service, the first seed value ([0015] the virtual machine sends a primary seed acquisition request to the physical host, and the primary seed acquisition request carries information such as a universally unique identifier (UUID). The physical host receives the primary seed acquisition request sent by the virtual machine, and sends the UUID carried in the primary seed acquisition request to the key management center (KMC). The KMC generates a primary seed based on the UUID, and sends the generated primary seed to the virtual machine).
As per claim 8, Shi teaches wherein the system feature comprises at least one of: a hardware configuration of the system; a geographic region to which the vTPM is assigned; a tenant of a cloud service to which the vTPM is assigned; the instance of the virtual machine; the operating system of the virtual machine ([0034] host operating system creates, on the virtual platform by using Libvirt, a virtual machine that has a vTPM configured therein. The virtual machine includes a client operating system and various function components such as a virtual CPU and a hard disk. The client operating system is an operating system that is run by a virtual machine managed by the virtual platform); or a firmware disk of the virtual machine.
As per claim 10, it has similar limitations as claim 1 and is therefore rejected using the same rationale.
As per claim 12, it has similar limitations as claim 3 and is therefore rejected using the same rationale.
As per claim 17, it has similar limitations as claim 8 and is therefore rejected using the same rationale.
As per claim 20, it has similar limitations as claim 1 and is therefore rejected using the same rationale.
Claims 2 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Hillier et al. (US 2023/0421389).
As per claim 2, Nystrom in view of Shi do not explicitly teach wherein to receive the first seed value, the vTPM is further configured to receive the first seed value from a secured portion of the memory.
However, Hillier teaches wherein to receive the first seed value, the vTPM is further configured to receive the first seed value from a secured portion of the memory ([0040] storing seeds in a secure memory).
Hillier and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Hillier because it would provide for a particular advantage of storing data representing a seed rather than storing data representing the actual private initial device identifier key because the seed may have a significantly smaller storage footprint authentication including selecting a hierarchical level of the hierarchy of identifiers. Responsive to the selection, the process includes accessing a part of the certificate, which corresponds to the first logical identifier. A particular advantage is that a secure connection between nodes may be set up responsive to the exchange of certificates between the nodes.
As per claim 11, it has similar limitations as claim 2 and is therefore rejected using the same rationale.
Claims 4 and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Smith et al. (US 2009/0169012) (hereinafter Smith) in view of Graham (US 2024/0012665).
As per claim 4, Nystrom in view of Shi do not explicitly teach wherein the system feature is a configuration of the instance of the virtual machine, and to receive the first seed value, the vTPM is further configured to: transmit, to a server of a cloud service platform associated with the virtual machine, a request for the first seed value; and receive, from the server, the first seed value.
However, Smith teaches wherein the system feature is a configuration of the instance of the virtual machine ([0013] the vTPM key ensures that only an authorized virtual machine configuration may access the key, while the hTPM ensures that only the correct platform configuration may access the key)
Smith and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Smith because it would result in a vTPM which can provide the actual TPM functionality to the VMs. By providing all TPM functionality in the vTPM, the design of the framework follows the principle of least common mechanism while also maximizing the flexibility of the vTPM implementation to balance performance and security. This may result in faster encryption operations or enhanced migration by implementing keys in software within the vTPM.
Nystrom in view of Shi in view of Smith do not explicitly teach to receive the first seed value, the vTPM is further configured to: transmit, to a server of a cloud service platform associated with the virtual machine, a request for the first seed value; and receive, from the server, the first seed value.
However, Graham teaches to receive the first seed value, the vTPM is further configured to: transmit, to a server of a cloud service platform associated with the virtual machine, a request for the first seed value; and receive, from the server, the first seed value ([0084]-[0085] desktop delivery controller (DDC) can enroll the vTPM for the virtual delivery agent (VDA), and/or the VM hosting the VDA, such as the VM. For example, the DDC can interoperate with the cloud computing service and can request the public keys for the vTPM via API calls to the cloud computing service. The cloud computing service can return the vTPM's public key to the DDC. For example, the vTPM can return the public keys in response to API calls of the cloud computing service initiated by the DDC).
Graham and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Smith in view of Graham because it would provide a way to address issues when initializing a VM image by retrieving identity data from a metadata service of a cloud computing service, and writing the identity data to a virtual identity disk assigned to the VM. The system can encrypt the identity data in order to secure it, for example with a public key of a vTPM. This can provide advantages over other approaches to initializing a VM image, including by reducing the amount of data that must be transferred, simplifying the VM initialization, and conserving CPU time, network bandwidth, and other computing resources.
As per claim 13, it has similar limitations as claim 4 and is therefore rejected using the same rationale.
Claims 5 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Khare et al. (US 11,924,336) (hereinafter Khare).
As per claim 5, Nystrom in view of Shi do not explicitly teach wherein the vTPM is further configured to: receive a second seed value representative of another system feature; and generate the first key from the first seed value and the second seed value.
However, Khare teaches wherein the vTPM is further configured to: receive a second seed value representative of another system feature; and generate the first key from the first seed value and the second seed value (col. 14, ll. 41-47 once the primary seeds are determined for a given hierarchy, a respective set of cryptographic keys or other artifacts may be derived deterministically from the primary seeds. Different deterministically derived keys may be generated using different primary seeds).
Khare and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Khare because it would provide a way of enhancing the security of computations performed at or on behalf of compute instances of a virtual computing service (VCS) by utilizing instance-specific virtualized security devices, e.g., instead of potentially having to share a common hardware security device such as a physical TPM across multiple compute instances, while also ensuring that a single successful attack directed at the VCS resources is insufficient to breach the VSDs, (b) migrating VSD-enabled compute instances from one virtualization server with equivalent ease and speed as during the migration of compute instances which do not utilize VSDs, and/or (c) reducing the amount of network traffic required to migrate compute instances which utilize security devices similar to VSDs.
As per claim 14, it has similar limitations as claim 5 and is therefore rejected using the same rationale.
Claims 6-7 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Smith in view of Young et al. (US 2018/0006815) (hereinafter Young).
As per claim 6, Nystrom in view of Shi do not explicitly teach wherein, subsequent to the vTPM rebooting, the vTPM is further configured to: receive a second seed value representative of the system feature; determine the second seed value does not meet criterion for unsealing the sealed state of the operating system.
However, Smith teaches wherein, subsequent to the vTPM rebooting ([0037] vTPM architecture/design that re-instantiates for each VM).
Smith and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Smith because it would result in a vTPM which can provide the actual TPM functionality to the VMs. By providing all TPM functionality in the vTPM, the design of the framework follows the principle of least common mechanism while also maximizing the flexibility of the vTPM implementation to balance performance and security. This may result in faster encryption operations or enhanced migration by implementing keys in software within the vTPM.
Nystrom in view of Shi in view of Smith do not explicitly teach the vTPM is further configured to: receive a second seed value representative of the system feature; determine the second seed value does not meet criterion for unsealing the sealed state of the operating system.
However, Young teaches the vTPM is further configured to: receive a second seed value representative of the system feature; determine the second seed value does not meet criterion for unsealing the sealed state of the operating system ([0050] each key can have associated with it a particular policy, and, prior to unsealing the key, a check is made to verify that the current policy of the computing device satisfies e.g., matches, or at least includes all the restrictions of the policy associated with the key. If the current policy of the computing device satisfies the policy associated with the key, then the key is unsealed. However, if the current policy of the computing device does not satisfy the policy associated with the key, then the key is not unsealed).
Young and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Smith in view of Young because it would provide for a master key that is specific to the computing device. The master key cannot be reset by the user of the computing device, preventing the operating system secrets from becoming in accessible due to a master key change by the user thus providing improved security for the computing device. The decrypted boot configuration specific key is stored in the decrypted key store. This allows the decrypted boot configuration specific key to be accessed and used by the trusted key service without needing to be re-decrypted.
As per claim 7, Shi teaches generate a second key from the second seed value ([0071] create the root key for the vTPM according to the primary seed and [0073] create a virtual endorsement key for the vTPM based on the endorsement primary seed).
Nystrom in view of Shi do not explicitly teach wherein to determine the second seed value does not meet the criterion, the vTPM is further configured to determine the second key is unable to unseal the sealed state of the operating system.
However, Young teaches wherein to determine the second seed value does not meet the criterion, the vTPM is further configured to determine the second key is unable to unseal the sealed state of the operating system ([0050] each key can have associated with it a particular policy, and, prior to unsealing the key, a check is made to verify that the current policy of the computing device satisfies e.g., matches, or at least includes all the restrictions of the policy associated with the key. If the current policy of the computing device satisfies the policy associated with the key, then the key is unsealed. However, if the current policy of the computing device does not satisfy the policy associated with the key, then the key is not unsealed).
As per claim 15, it has similar limitations as claim 6 and is therefore rejected using the same rationale.
As per claim 16, it has similar limitations as claim 7 and is therefore rejected using the same rationale.
Claim 9 is rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Ferguson et al. (US 2016/0357988) (hereinafter Ferguson).
As per claim 9, Nystrom in view of Shi do not explicitly teach wherein the instance of the virtual machine comprises the vTPM.
However, Ferguson teaches wherein the instance of the virtual machine comprises the vTPM ([0071] the VM contains, as part of its metadata, the encrypted vTPM, as well as the protection key for the vTPM encrypted as required for the secure operations).
Ferguson and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Ferguson because it would provide a way for a VMM to deploy a guest VM to an appropriate host without doing anything security-critical with regard to deploying keys. The VMM can perform its normal management operations with normal considerations and actions, such as scheduling, optimization of placement and resource allocation, without significant change due to the protected nature of the VM. The VM can contain, as part of its metadata, the encrypted vTPM, as well as the protection key for the vTPM encrypted as required for the secure operations, but all this metadata is handled together as part of the standard deployment operations without special security-related handling by the VMM.
Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Beveridge et al. (US 2025/0028843) (hereinafter Beveridge).
As per claim 18, Nystrom in view of Shi do not explicitly teach: receiving, from an application executed by the instance of the virtual machine, a request to perform a cryptographic operation to modify an object by utilizing the first key to: seal the object, unseal the object, sign the object, verify the object, decrypt the object, or encrypt the object.
However, Beveridge teaches receiving, from an application executed by the instance of the virtual machine, a request to perform a cryptographic operation to modify an object by utilizing the first key to: seal the object, unseal the object, sign the object, verify the object, decrypt the object, or encrypt the object ([0069] virtual disks encrypted using techniques dynamically selected by crypto provider may be stored in object store. When data from such an encrypted virtual disk is retrieved from the object store, such as via a read request sent by an application or VM to the hypervisor, the encrypted data is retrieved and decrypted e.g., by crypto provider using the one or more cryptographic techniques that were used to encrypt the data in the virtual disk prior to storage).
Beveridge and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Beveridge because it would provide a way for decoupling cryptographic logic from a virtual storage area network that relies upon cryptographic functionality. This could provide flexibility and extensibility, thus allowing cryptographic algorithms to be continually updated, changed, and otherwise configured without requiring modifications to the virtual storage area network or associated applications e.g., hypervisor components themselves. Accordingly, changing circumstances and new threats may be addressed in a dynamic and efficient manner, and computing security may thereby be improved.
Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Nystrom in view of Shi in view of Kim (US 2023/0152987).
As per claim 19, Nystrom in view of Shi do not explicitly teach: determining a cryptographic operation is to be performed; determining whether a lifetime of the first key has expired; if the lifetime of the first key has not expired, attempting to utilize the first key to perform the cryptographic operation; and if the lifetime of the first key has expired, failing to perform the cryptographic operation.
However, Kim teaches determining a cryptographic operation is to be performed; determining whether a lifetime of the first key has expired; if the lifetime of the first key has not expired, attempting to utilize the first key to perform the cryptographic operation; and if the lifetime of the first key has expired, failing to perform the cryptographic operation ([0038]-[0039] when it is determined that the lifetime of the first cryptographic key does not expire, the security module may allow the storage controller to perform a normal operation such as encoding or decoding data by using the first cryptographic key. The storage controller may store the encoded data in the nonvolatile memory device or may send the decoded data to the host. However, when it is determined that the lifetime of the first cryptographic key expires, the security module may allow the storage controller to return an error or a dummy response to the first command. In this case, even in a case in which, for example, the host is hacked, data stored in the storage device may be protected).
Kim and Nystrom are both concerned with security in computing environments and are therefore combinable/modifiable. Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nystrom in view of Shi in view of Kim because it would provide for a storage device that may set up a lifetime or durability for each cryptographic key. Accordingly, even though a host is hacked, data stored in the storage device may be prevented from being leaked and damaged thus resulting in a storage device with increased security.
Citation of Relevant Prior Art
The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure:
Ryman et al. (US 2023/0106879) disclose virtualized applications on managed virtual machines.
Kani et al. (US 2023/0247023) disclose configuring instances with instance metadata stored in virtual security processors.
Challener et al. (US 2008/0244569) disclose reporting the trusted state of a virtual machine.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Adam Lee whose telephone number is (571) 270-3369. The examiner can normally be reached on M-TH 8AM-5PM.
If attempts to reach the above noted Examiner by telephone are unsuccessful, the Examiner’s supervisor, Pierre Vital, can be reached at the following telephone number: (571) 272-4215. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center. Status information for published applications may be obtained from Patent Center. Status information for unpublished applications is available through Patent Center for authorized users only. Should you have questions about access to Patent Center, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/Adam Lee/Primary Examiner, Art Unit 2198 February 9, 2026