DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-31 are pending in this office action and presented for examination. Claims 1, 3-6, 8-12, 26-27, and 29 are newly amended by the response received November 7, 2025.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 and 4-5 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965. Although the claims at issue are not identical, they are not patentably distinct from each other because all the limitations of each of the aforementioned instant claims are taught by a corresponding claim of the ‘965 patent.
Claim 6 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 as applied to claim 1 above, and further in view of Bonzini (Reading privileged memory with a side-channel | Hacker News). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Bonzini is relied upon to render obvious the additional limitation(s) in an analogous manner as Bonzini is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Bonzini and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Claim 7 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 as applied to claim 1 above, and further in view of Horn (Project Zero: Reading privileged memory with a side-channel). Regarding the additional limitation(s) not taught by the applied reference(s) thus far (i.e., a more-privileged privilege level being a “supervisor” privilege level, and a less-privileged privilege level being a “user” privilege level), Horn is relied upon to render obvious the additional limitation(s); see the citation(s) of Horn in the rejection(s) of the aforementioned instant claim(s) below; note that it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the relied-upon teachings of Horn with the reference(s) thus far, as this modification merely entails combining prior art elements according to known methods to yield predictable results, which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Claims 2-3 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 as applied to claim 1 above, and further in view of Wang et al. (Wang) (US 20120278598 A1). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Wang is relied upon to render obvious the additional limitation(s) in an analogous manner as Wang is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Wang and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Claims 8, 11, 13, and 16-17 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 in view of Gopal et al. (Gopal) (US 20140095844 A1). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Gopal is relied upon to render obvious the additional limitation(s) in an analogous manner as Gopal is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Gopal and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Claims 9-10 and 14-15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 and Gopal as applied to claims 8 and 13 above, and further in view of Wang et al. (Wang) (US 20120278598 A1). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Wang is relied upon to render obvious the additional limitation(s) in an analogous manner as Wang is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Wang and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Claims 12 and 18-25 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 and Gopal as applied to claims 11 and 13 above, and further in view of Bonzini (Reading privileged memory with a side-channel | Hacker News). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Bonzini is relied upon to render obvious the additional limitation(s) in an analogous manner as Bonzini is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Bonzini and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Claims 26-27 and 29-31 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 in view of Horn (Project Zero: Reading privileged memory with a side-channel) in view of Mills et al. (Mills) (US 5721945) in view of Wang et al. (Wang) (US 20120278598 A1). See the citation(s) and rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below. Regarding the additional limitation(s) taught by Horn, see the citation(s) of Horn in the rejection(s) of the aforementioned instant claim(s) below; note that it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the relied-upon teachings of Horn (e.g., a plurality of cache levels) with the reference(s) thus far, as this modification merely entails combining prior art elements according to known methods to yield predictable results, which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Claim 28 is rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1 of U.S. Patent No. 11635965 and Horn, Mills, and Wang as applied to claim 27 above, and further in view of Soltis, JR. et al. (Soltis, JR.) (US 20060031679 A1). Regarding the additional limitation(s) not taught by the applied reference(s) thus far, Soltis, JR. is relied upon to render obvious the additional limitation(s) in an analogous manner as Soltis, JR. is relied upon in the rejection(s) of the aforementioned instant claim(s) below; see the citations of Soltis, JR. and corresponding rationale(s) for obviousness in the rejection(s) of the aforementioned instant claim(s) under 35 USC 103 below.
Each of claims 1-31 is rejected on the ground of nonstatutory double patenting as being unpatentable over one of claims 1, 2, 5, 6, and 7 of U.S. Patent No. 12236243 in view of zero or more of Horn (Project Zero: Reading privileged memory with a side-channel), Bonzini (Reading privileged memory with a side-channel | Hacker News), Gopal et al. (Gopal) (US 20140095844 A1), and Soltis, JR. et al. (Soltis, JR.) (US 20060031679 A1). Examiner notes that the particular zero or more secondary references relied upon to reject each claim, the limitation(s) that each secondary reference is relied upon to teach, and the associated rationale(s) for obviousness, are readily recognizable in view of the citation(s) and associated rationale(s) for obviousness provided for the used secondary reference in the rejection of that claim under 35 USC 103 below. Regarding any limitations in a claim taught by the Horn reference (the primary reference in the rejections under 35 USC 103 below) but not the associated claim of U.S. Patent No. 12236243 (e.g., a plurality of cache levels), note that it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the cited elements of Horn teaching the aforementioned limitations with the other reference(s) used to reject that claim, as this modification merely entails combining prior art elements according to known methods to yield predictable results, which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.
The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.
Claims 2, 9-10, 13-25, and 29 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 2 recites the limitation “The apparatus of claim 1, wherein the value indicates an always on indirect branch prediction protection” in lines 1-2. The recited value, in view of the limitations of claim 1, appears to be IA32_SPEC_CTRL.IBRS of paragraph [00115]. (Examiner submits that this value does not appear to be bit 1 of the IA32_ARCH_CAPABILITIES MSR of paragraph [00115], because this bit merely appears to indicate whether the processor supports enhanced IBRS, rather than itself indicating the core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level.) However, the original disclosure (e.g., paragraph [00115]) does not appear to provide support for IA32_SPEC_CTRL.IBRS itself indicating an “always on” indirect branch prediction protection.
Claim 9 recites the limitation “The SoC of claim 8, wherein the value indicates an always on indirect branch prediction protection” in lines 1-2. The recited value, in view of the limitations of claim 1, appears to be IA32_SPEC_CTRL.IBRS of paragraph [00115]. (Examiner submits that this value does not appear to be bit 1 of the IA32_ARCH_CAPABILITIES MSR of paragraph [00115], because this bit merely appears to indicate whether the processor supports enhanced IBRS, rather than itself indicating the core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level.) However, the original disclosure (e.g., paragraph [00115]) does not appear to provide support for IA32_SPEC_CTRL.IBRS itself indicating an “always on” indirect branch prediction protection.
Claim 10 is rejected for failing to alleviate the rejection of claim 9 above.
Claim 13 recites the limitation “A method of manufacturing a processor core comprising: coupling a branch predictor of the processor core to a register of the processor core; coupling the branch predictor to an instruction fetch unit of the processor core; coupling the instruction fetch unit to an instruction cache of the processor core; coupling the instruction fetch unit to a decoder of the processor core; coupling the decoder to an execution unit of the processor core; and coupling the execution unit to general purpose registers of the processor core” in lines 1-15. However, the original disclosure does not appear to provide support for this limitation. For example, while the original disclosure may provide support for the aforementioned components of a processor core being coupled together in the manner recited, the original disclosure (e.g., paragraph [00304]) does not appear to provide support for “a method of manufacturing a processor core” comprising the recited coupling steps.
Claims 14-25 are rejected for failing to alleviate the rejection of claim 13 above.
Claim 14 recites the limitation “The method of claim 13, wherein the value indicates an always on indirect branch prediction protection” in lines 1-2. The recited value, in view of the limitations of claim 1, appears to be IA32_SPEC_CTRL.IBRS of paragraph [00115]. (Examiner submits that this value does not appear to be bit 1 of the IA32_ARCH_CAPABILITIES MSR of paragraph [00115], because this bit merely appears to indicate whether the processor supports enhanced IBRS, rather than itself indicating the core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level.) However, the original disclosure (e.g., paragraph [00115]) does not appear to provide support for IA32_SPEC_CTRL.IBRS itself indicating an “always on” indirect branch prediction protection.
Claim 29 recites the limitation “a bit, when set to a value of zero, causes the hardware branch predictor to enable another indirect branch restricted speculation mode” in lines 2-3. However, the original disclosure (e.g., paragraph [00115]) does not appear to provide support for this limitation. Examiner notes that the original disclosure does not appear to convey that bit 1 of the IA32_ARCH_CAPABILITIES MSR “causes” the hardware branch predictor to enable another indirect branch restricted speculation mode. Examiner further notes that a value of 0 for bit 1 of the IA32_ARCH_CAPABILITIES MSR would appear to conflict with parent claim 26’s “always-on mode” subject matter.
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 3, 10, 15, 26-29, and 31 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 3 recites the limitation “the value cannot be changed by software executed by the hardware core” in lines 1-2. However, the metes and bounds of this limitation are indefinite. For example, it is indefinite as to whether the value cannot be changed by [any and all] software executed by the core, or whether the value cannot be changed by [first] software executed by the core, but can be changed by [second] software executed by the core.
Claim 10 recites the limitation “the value cannot be changed by software executed by the hardware core” in lines 1-2. However, the metes and bounds of this limitation are indefinite. For example, it is indefinite as to whether the value cannot be changed by [any and all] software executed by the core, or whether the value cannot be changed by [first] software executed by the core, but can be changed by [second] software executed by the core.
Claim 15 recites the limitation “the value cannot be changed by software executed by the processor core” in lines 1-2. However, the metes and bounds of this limitation are indefinite. For example, it is indefinite as to whether the value cannot be changed by [any and all] software executed by the core, or whether the value cannot be changed by [first] software executed by the core, but can be changed by [second] software executed by the core.
Claim 26 recites the limitation “a model specific register to store an indirect branch restricted speculation bit for the hardware core that when set to a value of one causes the hardware branch predictor to enable an always-on mode” in lines 6-8. However, the metes and bounds of this limitation are indefinite. For example, it is unclear as to how, if a mode is “always-on”, it would need to be caused to be enabled in the first place. For the purposes of this office action, Examiner is interpreting this limitation as if the “always-on” limitation was further limited by the subject matter of claim 30.
Claims 27-29 and 31 are rejected for failing to alleviate the rejection of claim 49 above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1 and 4-7 are rejected under 35 U.S.C. 103 as being unpatentable over Horn (Project Zero: Reading privileged memory with a side-channel) in view of Gilbert et al. (Gilbert) (US 20060136608 A1) in view of Bonzini (Reading privileged memory with a side-channel | Hacker News).
Consider claim 1, Horn discloses an apparatus comprising: a hardware core (page 2, processor core) comprising: a branch predictor to predict target instructions of indirect branch instructions to be performed by the hardware core (page 6, indirect call predictor that can store multiple targets per source address); and a register having a field to store a value, wherein the value is to indicate behavior (page 2, tested processors, each of which have a register having a field to store a value to indicate behavior), and the hardware core is to use branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the hardware core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the hardware core from the first privilege level to the second privilege level, the hardware core is to use the branch history information by the branch predictor to predict target instructions at the second privilege level (page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level).
To any extent to which Horn does not inherently disclose a register having a field to store a value to indicate behavior, Gilbert explicitly discloses a register having a field to store a value to indicate behavior ([0002], lines 1-18, microprocessor systems may use various forms of control registers to support their operation. One form of control register may be written to in order to set system parameters and otherwise configure the system. Various combinations of bits in such a register may set operational limits, such as depth of speculative execution or the size of a cache, or may turn on or off optional functional circuitry, such as branch predictors and prefetch units, or may enable or disable interrupts for certain events. Other forms of control registers may be read from in order to receive system status. Such control registers may also be called status registers. The status registers may provide information about system health, contents of program registers associated with a fault condition, operational temperature, and other forms of status. Many control registers may be both written to and read from. Examples of control registers may be the Model Specific Registers (MSRs) implemented in Pentium® class compatible microprocessors). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gilbert with the invention of Horn in order to support operation of the system (Gilbert, [0002], lines 1-2) in a flexible manner.
Alternatively, this modification merely entails combining prior art elements (the prior art elements of Horn cited above, and Gilbert’s teaching of a model specific register as cited above) according to known methods (Examiner submits that model specific registers were well-known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the invention of Horn, entailing a model specific register), which is a rationale that may support a conclusion of obviousness as per MPEP 2143.
However, the combination thus far does not entail that the value is to indicate the hardware core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the hardware core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the core from the first privilege level to the second privilege level, the hardware core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level.
On the other hand, Bonzini discloses preventing use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the hardware core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the hardware core from the first privilege level to the second privilege level, the hardware core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level (page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bonzini with the combination of Horn and Gilbert in order to increase security.
Consider claim 4, the overall combination entails the apparatus of claim 1 (see above), wherein the hardware core is to allow use of second branch history information by the branch predictor to predict the target instruction of the indirect branch instruction, wherein the second branch history information is to have been created based on software performed by the hardware core at the second privilege level (Bonzini, page 12, flushing the indirect branch predictor on kernel mode entry; Horn, page 6, indirect call predictor that can store multiple targets per source address).
Consider claim 5, the overall combination entails the apparatus of claim 1 (see above), wherein the hardware core is one of a plurality of hardware cores of the apparatus (Horn, page 2, cores).
Consider claim 6, the overall combination entails the apparatus of claim 1 (see above), wherein the hardware core, to prevent the use of the branch history information, is to disable the branch predictor or invalidate the branch predictor or stall the branch predictor or clear one or more entries of the branch predictor or flush one or more entries of the branch predictor or invalidate a prediction of the branch predictor or cause a query of the branch predictor to result in a miss (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 7, the overall combination entails the apparatus of claim 1 (see above), wherein the second privilege level is a supervisor privilege level, and wherein the first privilege level is a user privilege level (Horn, page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level; Bonzini, page 12, kernel mode entry).
Claims 2-3 are rejected under 35 U.S.C. 103 as being unpatentable over Horn, Gilbert, and Bonzini as applied to claim 1 above, and further in view of Wang et al. (Wang) (US 20120278598 A1).
Consider claim 2, the combination thus far entails the apparatus of claim 1 (see above), wherein the value indicates an indirect branch prediction protection (Gilbert, [0002], lines 1-18; Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction), but does not disclose that the indirect branch prediction protection is always on.
On the other hand, Wang discloses a mode being an always-on mode ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, and Bonzini, in order to increase security. Alternatively, this modification merely entails combining prior art elements (the prior art elements of the combination of Horn, Gilbert, and Bonzini, cited above, including the indirect branch prediction protection mode, and the teaching of Wang of a mode being an always-on mode) according to known methods (as reflected by Wang, a mode being an always-on mode was known) to yield predictable results (the combination of Horn, Gilbert, and Bonzini, wherein the indirect branch prediction protection mode is an always-on mode), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 3, the combination thus far entails the apparatus of claim 1 (see above), comprising the value (Gilbert, [0002], lines 1-18; Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction), but does not disclose that the value cannot be changed by software executed by the hardware core.
On the other hand, Wang discloses a value cannot be changed by software executed by the hardware core ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, and Bonzini, in order to increase security. Alternatively, this modification merely entails combining prior art elements (the prior art elements of the combination of Horn, Gilbert, and Bonzini, cited above, including the indirect branch prediction protection mode, and the teaching of Wang that a value cannot be changed by software executed by the hardware core) according to known methods (as reflected by Wang, a value that cannot be changed by software executed by a hardware core was known) to yield predictable results (the combination of Horn, Gilbert, and Bonzini, wherein the value cannot be changed by software executed by the hardware core), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
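The mechanism the combination describes, an indirect branch predictor flushed on entry to the more privileged level under the control of a register field that software cannot clear once it has been set, as an added toy model in C. This is example code written for this page, not code from the application or from Horn, Bonzini, or Wang; the predictor geometry, the `core_t` layout, the function names and all addresses are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model: a direct-mapped indirect-branch target predictor indexed
 * by the low bits of the branch source address, plus a one-bit control field
 * that is write-once until a system reset (the behaviour the action attributes
 * to Wang's reset write-once register). */
#define PRED_ENTRIES 16
#define PRIV_USER    0
#define PRIV_KERNEL  1

typedef struct {
    uint64_t target[PRED_ENTRIES];  /* predicted target per source index */
    bool     valid[PRED_ENTRIES];
} predictor_t;

typedef struct {
    predictor_t bp;
    int  priv;         /* current privilege level */
    bool protect_bit;  /* register field: 1 = protection mode enabled */
    bool bit_locked;   /* write-once: sticky until core_reset() */
} core_t;

static unsigned idx(uint64_t src) { return (unsigned)(src % PRED_ENTRIES); }

/* Models a hard reset: the only path that clears a locked protection bit. */
void core_reset(core_t *c) { memset(c, 0, sizeof *c); c->priv = PRIV_USER; }

/* Software write to the control field; returns true if the write took effect.
 * Once the bit has been set, later software writes are ignored. */
bool core_write_protect_bit(core_t *c, bool value) {
    if (c->bit_locked) return false;
    c->protect_bit = value;
    if (value) c->bit_locked = true;
    return true;
}

/* Record the resolved target of an indirect branch at the current level. */
void core_train(core_t *c, uint64_t src, uint64_t resolved_target) {
    unsigned i = idx(src);
    c->bp.target[i] = resolved_target;
    c->bp.valid[i]  = true;
}

/* Look up a prediction for the branch at src; returns false on a miss. */
bool core_predict(const core_t *c, uint64_t src, uint64_t *out) {
    unsigned i = idx(src);
    if (!c->bp.valid[i]) return false;
    *out = c->bp.target[i];
    return true;
}

/* Privilege transition. With the protection bit set, entering the more
 * privileged level flushes the predictor, so history created at the less
 * privileged level cannot steer predictions at the more privileged level. */
void core_switch_priv(core_t *c, int new_priv) {
    if (new_priv > c->priv && c->protect_bit)
        memset(&c->bp, 0, sizeof c->bp);
    c->priv = new_priv;
}

/* Scenario: user-level code trains the entry for source 0x1000, the kernel
 * then runs an indirect branch at an aliasing source address. Returns true
 * if the kernel-level prediction came from the user-level training. */
bool kernel_prediction_influenced(bool protect) {
    core_t c; uint64_t t = 0;
    core_reset(&c);
    if (protect) core_write_protect_bit(&c, true);
    core_train(&c, 0x1000, 0xDEAD0000);            /* user-level history */
    core_switch_priv(&c, PRIV_KERNEL);
    return core_predict(&c, 0x1000 + PRED_ENTRIES, &t) && t == 0xDEAD0000;
}

/* Claim 11 style check: history created at the kernel level itself remains
 * usable after the flush. */
bool kernel_history_usable(void) {
    core_t c; uint64_t t = 0;
    core_reset(&c);
    core_write_protect_bit(&c, true);
    core_switch_priv(&c, PRIV_KERNEL);
    core_train(&c, 0x2000, 0xC0DE0000);             /* kernel-level history */
    return core_predict(&c, 0x2000, &t) && t == 0xC0DE0000;
}

/* Claim 3 style check: the bit cannot be cleared by software once set, and
 * only a reset clears it. */
bool protect_bit_is_write_once(void) {
    core_t c;
    core_reset(&c);
    if (!core_write_protect_bit(&c, true))  return false;
    if (core_write_protect_bit(&c, false))  return false;  /* must be refused */
    if (!c.protect_bit)                     return false;
    core_reset(&c);
    return !c.protect_bit;
}
```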
Claim(s) 8, 11-13, and 16-25 is/are rejected under 35 U.S.C. 103 as being unpatentable over Horn (Project Zero: Reading privileged memory with a side-channel) in view of Gilbert et al. (Gilbert) (US 20060136608 A1) in view of Bonzini (Reading privileged memory with a side-channel | Hacker News) in view of Gopal et al. (Gopal) (US 20140095844 A1).
Consider claim 8, Horn discloses a hardware core (page 2, processor core) coupled with the memory controller, the hardware core comprising: a branch predictor to predict target instructions of indirect branch instructions to be performed by the core (page 6, indirect call predictor that can store multiple targets per source address); and a register having a field to store a value to indicate behavior (page 2, tested processors, each of which have a register having a field to store a value to indicate behavior), and the hardware core is to use branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the hardware core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the hardware core from the first privilege level to the second privilege level, the hardware core is to use the branch history information by the branch predictor to predict target instructions at the second privilege level (page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level).
To any extent to which Horn does not inherently disclose a register having a field to store a value to indicate behavior, Gilbert explicitly discloses a register having a field to store a value to indicate behavior ([0002], lines 1-18, microprocessor systems may use various forms of control registers to support their operation. One form of control register may be written to in order to set system parameters and otherwise configure the system. Various combinations of bits in such a register may set operational limits, such as depth of speculative execution or the size of a cache, or may turn on or off optional functional circuitry, such as branch predictors and prefetch units, or may enable or disable interrupts for certain events. Other forms of control registers may be read from in order to receive system status. Such control registers may also be called status registers. The status registers may provide information about system health, contents of program registers associated with a fault condition, operational temperature, and other forms of status. Many control registers may be both written to and read from. Examples of control registers may be the Model Specific Registers (MSRs) implemented in Pentium.RTM. class compatible microprocessors).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gilbert with the invention of Horn in order to support operation of the system (Gilbert, [0002], lines 1-2) in a flexible manner. Alternatively, this modification merely entails combining prior art elements (the prior art elements of Horn cited above, and Gilbert’s teaching of a model specific register as cited above) according to known methods (Examiner submits that model specific registers were well-known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the invention of Horn, entailing a model specific register), which is a rationale that may support a conclusion of obviousness as per MPEP 2143.
However, the combination thus far does not entail that the value is to indicate the hardware core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the hardware core from the first privilege level to the second privilege level, the hardware core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level.
On the other hand, Bonzini discloses preventing use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the hardware core at a second privilege level, wherein the branch history information is to have been created based on software performed by the hardware core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the hardware core from the first privilege level to the second privilege level, the hardware core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level (page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bonzini with the combination of Horn and Gilbert in order to increase security.
In addition, to any extent to which Horn does not inherently disclose (via the disclosure on page 2 of the specific models of tested processors) a System-on-a-Chip (SoC) comprising: a memory controller coupled to the core, Gopal explicitly discloses a System-on-a-Chip (SoC) ([0120], line 2, SoC 1700) comprising: a memory controller (FIG. 17, integrated memory controller unit(s)) coupled to the hardware core (FIG. 17, core). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopal with the combination of Horn, Gilbert, and Bonzini, in order to facilitate memory control. Alternatively, this modification merely entails combining prior art elements (the cited prior art elements of Horn, Gilbert, and Bonzini, and Gopal’s explicit teaching of a System-on-a-Chip (SoC) comprising: a memory controller coupled to the hardware core) according to known methods (Examiner submits that an SoC and a memory controller were very well known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the combination of Horn, Gilbert, and Bonzini, further entailing a System-on-a-Chip (SoC) comprising: a memory controller coupled to the hardware core), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 11, the overall combination entails the SoC of claim 8 (see above), wherein the hardware core is to allow use of second branch history information by the branch predictor to predict the target instruction of the indirect branch instruction, wherein the second branch history information is to have been created based on software performed by the hardware core at the second privilege level (Bonzini, page 12, flushing the indirect branch predictor on kernel mode entry; Horn, page 6, indirect call predictor that can store multiple targets per source address), and further comprising a direct memory access (DMA) unit coupled with the hardware core (Gopal, FIG. 17, DMA unit 1732).
Consider claim 12, the overall combination entails the SoC of claim 11 (see above), wherein the hardware core, to prevent the use of the branch history information, is to disable the branch predictor or invalidate the branch predictor or stall the branch predictor or clear one or more entries of the branch predictor or flush one or more entries of the branch predictor or invalidate a prediction of the branch predictor or cause a query of the branch predictor to result in a miss (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 13, Horn discloses a method of manufacturing a processor core comprising: coupling a branch predictor (page 6, indirect call predictor that can store multiple targets per source address) of the processor core (page 2, processor core) to a register of the processor core (page 2, tested processors, each of which have a register having a field to store a value to indicate behavior), the branch predictor to predict target instructions of indirect branch instructions to be performed by the processor core (page 6, indirect call predictor that can store multiple targets per source address), the register having a field to store a value, wherein the value is to indicate behavior (page 2, tested processors, each of which have a register having a field to store a value to indicate behavior), wherein the processor core is to use branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the processor core at a second privilege level, wherein the branch history information is to have been created based on software performed by the processor core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level (page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level); coupling the branch predictor to an instruction fetch unit of the processor core (page 2, tested processors, each of which have a branch predictor coupled to an instruction fetch unit); coupling the instruction fetch unit to an instruction cache of the processor core (page 2, tested processors, each of which have an instruction fetch unit coupled to an instruction cache); coupling the instruction fetch unit to a decoder of the processor core (page 2, tested processors, each of which have an instruction fetch unit coupled to a decoder); coupling the decoder to an execution unit of the processor core (page 2, tested processors, each of which have a decoder coupled to an execution unit); and coupling the execution unit to general purpose registers of the processor core (page 2, tested processors, each of which have an execution unit coupled to general purpose registers); wherein, after a transition of the processor core from the first privilege level to the second privilege level, the processor core is to use the branch history information by the branch predictor to predict target instructions at the second privilege level (page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level).
To any extent to which Horn does not inherently disclose a register having a field to store a value to indicate behavior, Gilbert explicitly discloses a register having a field to store a value to indicate behavior ([0002], lines 1-18, microprocessor systems may use various forms of control registers to support their operation. One form of control register may be written to in order to set system parameters and otherwise configure the system. Various combinations of bits in such a register may set operational limits, such as depth of speculative execution or the size of a cache, or may turn on or off optional functional circuitry, such as branch predictors and prefetch units, or may enable or disable interrupts for certain events. Other forms of control registers may be read from in order to receive system status. Such control registers may also be called status registers. The status registers may provide information about system health, contents of program registers associated with a fault condition, operational temperature, and other forms of status. Many control registers may be both written to and read from. Examples of control registers may be the Model Specific Registers (MSRs) implemented in Pentium.RTM. class compatible microprocessors).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gilbert with the invention of Horn in order to support operation of the system (Gilbert, [0002], lines 1-2) in a flexible manner. Alternatively, this modification merely entails combining prior art elements (the prior art elements of Horn cited above, and Gilbert’s teaching of a model specific register as cited above) according to known methods (Examiner submits that model specific registers were well-known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the invention of Horn, entailing a model specific register), which is a rationale that may support a conclusion of obviousness as per MPEP 2143.
However, the combination thus far does not entail that the value is to indicate the core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level, wherein the branch history information is to have been created based on software performed by the core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the core from the first privilege level to the second privilege level, the core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level.
On the other hand, Bonzini discloses preventing use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level, wherein the branch history information is to have been created based on software performed by the core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level; wherein, after a transition of the core from the first privilege level to the second privilege level, the core is to prevent the use of the branch history information by the branch predictor to predict target instructions at the second privilege level (page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bonzini with the combination of Horn and Gilbert in order to increase security.
In addition, to any extent to which Horn does not inherently disclose (via the disclosure on page 2 of the specific models of tested processors) coupling the branch predictor to an instruction fetch unit of the processor core; coupling the instruction fetch unit to an instruction cache of the processor core; coupling the instruction fetch unit to a decoder of the processor core; coupling the decoder to an execution unit of the processor core; and coupling the execution unit to general purpose registers of the processor core, Gopal explicitly discloses coupling the branch predictor to an instruction fetch unit of the processor core (FIG. 11B, branch prediction unit 1132 coupled to instruction fetch 1138); coupling the instruction fetch unit to an instruction cache of the processor core (FIG. 11B, instruction fetch 1138 coupled to instruction cache unit 1134, which is coupled to L2 cache unit 1176); coupling the instruction fetch unit to a decoder of the processor core (FIG. 11B, instruction fetch 1138 coupled to decode unit 1140); coupling the decoder to an execution unit of the processor core (FIG. 11B, decode unit 1140 coupled to execution unit(s) 1162); and coupling the execution unit to general purpose registers of the processor core (FIG. 11B, execution unit(s) 1162 coupled to physical register file unit(s) 1158).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gopal with the combination of Horn, Gilbert, and Bonzini, in order to facilitate instruction execution. Alternatively, this modification merely entails combining prior art elements (the cited prior art elements of Horn, Gilbert, and Bonzini, and Gopal’s explicit teaching of an instruction fetch unit, instruction cache, decoder, execution unit, and general purpose registers) according to known methods (Examiner submits that an instruction fetch unit, instruction cache, decoder, execution unit, and general purpose registers were very well known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the combination of Horn, Gilbert, and Bonzini, further entailing an instruction fetch unit, instruction cache, decoder, execution unit, and general purpose registers), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 16, the overall combination entails the method of claim 13 (see above), wherein the processor core is to allow use of second branch history information by the branch predictor to predict the target instruction of the indirect branch instruction, wherein the second branch history information is to have been created based on software performed by the processor core at the second privilege level (Bonzini, page 12, flushing the indirect branch predictor on kernel mode entry; Horn, page 6, indirect call predictor that can store multiple targets per source address).
Consider claim 17, the overall combination entails the method of claim 13 (see above), wherein the processor core is one of a plurality of cores (Horn, page 2, cores).
Consider claim 18, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to disable the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 19, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to invalidate the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 20, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to stall the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 21, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to clear one or more entries of the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 22, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to flush one or more entries of the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 23, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to invalidate a prediction of the branch predictor (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 24, the overall combination entails the method of claim 13 (see above), wherein the processor core, to prevent the use of the branch history information, is to cause a query of the branch predictor to result in a miss (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Consider claim 25, the overall combination entails the method of claim 13 (see above), wherein the second privilege level is a supervisor privilege level, and wherein the first privilege level is a user privilege level (Horn, page 5, which shows the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level; Bonzini, page 12, kernel mode entry).
Claim(s) 9-10 and 14-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Horn, Gilbert, Bonzini, and Gopal as applied to claims 8 and 13 above, and further in view of Wang et al. (Wang) (US 20120278598 A1).
Consider claim 9, the combination thus far entails the SoC of claim 8 (see above), wherein the value indicates an indirect branch prediction protection (Gilbert, [0002], lines 1-18; Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction), and further comprising a bus controller unit coupled with the hardware core (Gopal, FIG. 17, bus control unit(s)), but does not disclose that the indirect branch prediction protection is always on.
On the other hand, Wang discloses a mode being an always-on mode ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, Bonzini, and Gopal in order to increase security. Alternatively, this modification merely entails combining prior art elements (the prior art elements of the combination of Horn, Gilbert, and Bonzini, and Gopal cited above, including the indirect branch prediction protection mode, and the teaching of Wang of a mode being an always-on mode) according to known methods (as reflected by Wang, a mode being an always-on mode was known) to yield predictable results (the combination of Horn, Gilbert, Bonzini, and Gopal wherein the indirect branch prediction protection mode is an always-on mode), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 10, the overall combination entails the value cannot be changed by software executed by the hardware core (Wang, [0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled), and further comprising a display unit coupled with the hardware core (Gopal, FIG. 17, display unit 1740).
Consider claim 14, the combination thus far entails the method of claim 13 (see above), wherein the value indicates an indirect branch prediction protection (Gilbert, [0002], lines 1-18; Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction), but does not disclose that the indirect branch prediction protection is always on.
On the other hand, Wang discloses a mode being an always-on mode ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, Bonzini, and Gopal, in order to increase security. Alternatively, this modification merely entails combining prior art elements (the prior art elements of the combination of Horn, Gilbert, Bonzini, and Gopal, cited above, including the indirect branch prediction protection mode, and the teaching of Wang of a mode being an always-on mode) according to known methods (as reflected by Wang, a mode being an always-on mode was known) to yield predictable results (the combination of Horn, Gilbert, Bonzini, and Gopal, wherein the indirect branch prediction protection mode is an always-on mode), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 15, the combination thus far entails the method of claim 13 (see above), comprising the value (Gilbert, [0002], lines 1-18; Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction), but does not disclose that the value cannot be changed by software executed by the core.
On the other hand, Wang discloses a value cannot be changed by software executed by the core ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, Bonzini, and Gopal in order to increase security. Alternatively, this modification merely entails combining prior art elements (the prior art elements of the combination of Horn, Gilbert, Bonzini, and Gopal, cited above, including the indirect branch prediction protection mode, and the teaching of Wang that a value cannot be changed by software executed by the core) according to known methods (as reflected by Wang, a value that cannot be changed by software executed by a core was known) to yield predictable results (the combination of Horn, Gilbert, Bonzini, and Gopal, wherein the value cannot be changed by software executed by the core), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Claim(s) 26-27 and 29-31 is/are rejected under 35 U.S.C. 103 as being unpatentable over Horn (Project Zero: Reading privileged memory with a side-channel) in view of Gilbert et al. (Gilbert) (US 20060136608 A1) in view of Bonzini (Reading privileged memory with a side-channel | Hacker News) in view of Mills et al. (Mills) (US 5721945) in view of Wang et al. (Wang) (US 20120278598 A1).
Consider claim 26, Horn discloses an apparatus comprising: a hardware core (page 2, processor core), including: a plurality of caches at a plurality of cache levels (page 2, cache levels of the CPU); a hardware branch predictor to predict a target instruction of an indirect branch instruction (page 6, indirect call predictor that can store multiple targets per source address); and a model specific register to store a bit for the hardware core to enable a mode (page 2, tested processors, each of which have a model specific register).
To any extent to which Horn does not inherently disclose a model specific register to store a bit for the hardware core to enable a mode, Gilbert explicitly discloses a model specific register to store a bit for the hardware core to enable a mode ([0002], lines 1-18, microprocessor systems may use various forms of control registers to support their operation. One form of control register may be written to in order to set system parameters and otherwise configure the system. Various combinations of bits in such a register may set operational limits, such as depth of speculative execution or the size of a cache, or may turn on or off optional functional circuitry, such as branch predictors and prefetch units, or may enable or disable interrupts for certain events. Other forms of control registers may be read from in order to receive system status. Such control registers may also be called status registers. The status registers may provide information about system health, contents of program registers associated with a fault condition, operational temperature, and other forms of status. Many control registers may be both written to and read from. Examples of control registers may be the Model Specific Registers (MSRs) implemented in Pentium.RTM. class compatible microprocessors). It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Gilbert with the invention of Horn in order to support operation of the system (Gilbert, [0002], lines 1-2) in a flexible manner. 
Alternatively, this modification merely entails combining prior art elements (the prior art elements of Horn cited above, and Gilbert’s teaching of a model specific register as cited above) according to known methods (Examiner submits that model specific registers were well-known to one of ordinary skill in the art before the effective filing date of the claimed invention) to yield predictable results (the invention of Horn, entailing a model specific register), which is a rationale that may support a conclusion of obviousness as per MPEP 2143.
However, the combination thus far does not disclose a model specific register to store an indirect branch restricted speculation bit for the hardware core that when set to a value of one causes the hardware branch predictor to enable an always-on mode in which predicted targets of indirect branches executed cannot be influenced by software executed in a less privileged predictor mode.
On the other hand, Bonzini discloses indirect branch restricted speculation that causes the hardware branch predictor to implement behavior in which predicted targets of indirect branches executed cannot be influenced by software executed in a less privileged predictor mode (page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry; page 12, chicken bit to disable indirect branch prediction).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bonzini with the combination of Horn and Gilbert in order to increase security.
However, the combination thus far does not explicitly disclose that the indirect branch restricted speculation bit causes the aforementioned mode enabling when set to a value of one. The combination thus far also does not disclose that the mode is an always-on mode.
On the other hand, Mills discloses a bit conveying a particular condition when set to a value of one (col. 5, lines 13-18, a signal is "asserted" if it conveys a value indicative of a particular condition. Conversely, a signal is "deasserted" if it conveys a value indicative of a lack of a particular condition. A signal may be defined to be asserted when it conveys a logical zero value or, conversely, when it conveys a logical one value.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Mills with the combination of Horn, Gilbert, and Bonzini, as this modification merely entails combining prior art elements (the indirect branch restricted speculation bit of the combination of Horn, Gilbert, and Bonzini, and the teaching of Mills of a bit conveying a particular condition when set to a value of one) according to known methods (Examiner submits that the method of setting a bit to one is known) to yield predictable results (the combination of Horn, Gilbert, and Bonzini, wherein the indirect branch restricted speculation bit enables the recited mode when set to a value of one), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143. Note that other rationales set forth in MPEP 2143 are also applicable; for example, Examiner submits that it would have been “Obvious to try” for a mode bit to be one to convey that the mode should be enabled.
However, the combination thus far does not entail that the mode is an always-on mode.
On the other hand, Wang discloses a mode being an always-on mode ([0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Wang’s teaching increases security by preventing circumventing of protection (Wang, [0009], line 4; [0010], line 1).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Wang with the combination of Horn, Gilbert, Bonzini, and Mills, in order to increase security. Alternatively, this modification merely entails combining prior art elements (the indirect branch restricted speculation bit of the combination of Horn, Gilbert, Bonzini, and Mills, and the teaching of Wang of a mode being an always-on mode) according to known methods (as reflected by Wang, a mode being an always-on mode was known) to yield predictable results (the combination of Horn, Gilbert, Bonzini, and Mills, wherein the indirect branch restricted speculation mode is an always-on mode), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Consider claim 27, the overall combination entails the apparatus of claim 26 (see above), wherein the always-on mode allows the hardware branch predictor to, for the hardware core, predict the target instruction of the indirect branch instruction based on software executed in a more privileged predictor mode (Wang, [0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled; Horn, page 6, indirect call predictor that can store multiple targets per source address; Bonzini, page 12, flushing the indirect branch predictor on kernel mode entry).
Consider claim 29, the overall combination entails the apparatus of claim 26, wherein a bit, when set to a value of zero, causes the hardware branch predictor to enable another indirect branch restricted speculation mode (Horn, page 6, section: Indirect call predictor, lines 1-7).
Consider claim 30, the overall combination entails the apparatus of claim 26 (see above), wherein the always-on mode is to stay enabled unless the apparatus is rebooted (Wang, [0010], lines 5-13, ports may be disabled using a reset write-once mechanism. In certain embodiments, a reset write-once mechanism is a mechanism where once information is written to a register, the register does not change state until the entire computing system is reset. In the example of a binary register, a 1 or a 0 can be written and not change from that state unless the computing system is reset. In certain embodiments, the computing system requires a hard reboot for the register to allow for a change; [0034], lines 9-11, the setting information can include a list of ports and a Boolean value as to whether respective ports should be disabled or enabled).
Consider claim 31, the overall combination entails the apparatus of claim 26 (see above), wherein the hardware branch predictor comprises a branch target buffer to include an entry for the target instruction predicted for the indirect branch instruction (Horn, page 6, indirect call predictor that can store multiple targets per source address; page 6, BTB), and the always-on mode is to prevent new filling of the entry (Bonzini, page 12, disabling indirect branch prediction (and thus speculation after indirect branches) while in kernel mode, or flushing the indirect branch predictor on kernel mode entry).
Claim 28 is rejected under 35 U.S.C. 103 as being unpatentable over Horn, Gilbert, Bonzini, Mills, and Wang as applied to claim 27 above, and further in view of Soltis, JR. et al. (Soltis, JR.) (US 20060031679 A1).
Consider claim 28, the combination thus far discloses the apparatus of claim 27 (see above), but does not explicitly entail that the more privileged predictor mode is a privilege level less than three, and that the less privileged predictor mode is a privilege level of three.
On the other hand, Soltis, JR. explicitly discloses a more privileged predictor mode is a privilege level less than three, and wherein the less privileged predictor mode is a privilege level of three ([0010], lines 1-12, There may be any number of privilege levels in a computer system. Typically, privilege levels are numbered sequentially beginning with zero. Consider, for example, a system in which there are four privilege levels, numbered from zero through three. Privilege level zero typically is the most-privileged level. The operating system typically has privilege level zero. Intermediate privilege levels (such as privilege levels 1 and 2) may be granted to device drivers and other software programs which require a relatively high degree of access to a subset of the computer's resources. The least-privileged level (e.g., privilege level 3) typically is assigned to application programs).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Soltis, JR. with the combination of Horn, Gilbert, Bonzini, Mills, and Wang in order to conform with typical privilege level numbering for ease of understanding. Alternatively, this modification merely entails combining prior art elements (the more privileged predictor mode of the combination of Horn, Gilbert, Bonzini, Mills, and Wang, and the teaching of Soltis, JR. of a more privileged predictor mode being a privilege level less than three) according to known methods (as disclosed by Soltis, JR., it is typical for a more privileged predictor mode to be a privilege level less than three) to yield predictable results (the combination of Horn, Gilbert, Bonzini, Mills, and Wang, wherein the more privileged predictor mode is a privilege level less than three), which is an example of a rationale that may support a conclusion of obviousness as per MPEP 2143.
Response to Arguments
Applicant on page 8 argues: “The specification has been objected to due to various instances of underlining. Applicant is submitting herewith a substitute specification in which certain underlining has been removed. The substitute specification includes no new matter.”
In view of the aforementioned substitute specification, the previously presented objection to the specification is withdrawn.
Applicant on page 8 argues: “The drawings have been objected to due to informalities, namely lines, text, and numbers that appear blurry. Applicant is submitting herewith twenty-three (23) sheets of replacement drawings in which the informalities have been corrected. The replacement drawings include no new matter.”
In view of the aforementioned replacement drawings, the previously presented objection to the drawings is withdrawn.
Applicant on page 8 argues: ‘Claims 9-10 have been objected to due to the following informalities: in claim 9, line 2, "bus control unit" should be "bus controller unit" so that the specification (see paragraphs [00280], [00293], and [00300]) provides proper antecedent basis for the claimed subject matter. Claim 10 is objected to for failing to alleviate the objection of claim 9 above. Although the Applicant disagrees, the Applicant has amended claim 9 as suggested merely in the interest of compact prosecution.’
In view of the aforementioned amendments, the previously presented objection to the claims is withdrawn.
Applicant on page 9 argues: “As none of the Applicant's claims herein are indicated as allowed, the Applicant submits that a terminal disclaimer would be premature. If the Office maintains this rejection after there is an indication of allowance, the Applicant is willing to address the double patenting rejection at that time.”
However, “[a] complete response to a nonstatutory double patenting (NSDP) rejection is either a reply by applicant showing that the claims subject to the rejection are patentably distinct from the reference claims, or the filing of a terminal disclaimer in accordance with 37 CFR 1.321 in the pending application(s) with a reply to the Office action (see MPEP § 1490 for a discussion of terminal disclaimers). Such a response is required even when the nonstatutory double patenting rejection is provisional. As filing a terminal disclaimer, or filing a showing that the claims subject to the rejection are patentably distinct from the reference application’s claims, is necessary for further consideration of the rejection of the claims, such a filing should not be held in abeyance.” (See MPEP 804).
Applicant on page 10 argues: “As to claims 2, 9, and 14, the Applicant notes the below paragraphs from the publication of this application” and reproduces publication paragraphs [0112] and [0116] with emphasized portions.
However, the aforementioned paragraphs do not appear to provide support for the cited limitation. For example, the aforementioned paragraphs do not appear to convey that an IA32_SPEC_CTRL.IBRS value itself “indicates” an always on indirect branch prediction protection. Examiner submits that an IA32_SPEC_CTRL.IBRS value being set (e.g., IA32_SPEC_CTRL.IBRS=1) or not set (e.g., IA32_SPEC_CTRL.IBRS=0) does not give any indication of whether “always on” behavior is in effect. Rather, an IA32_SPEC_CTRL.IBRS value being set (e.g., IA32_SPEC_CTRL.IBRS=1) or not set (e.g., IA32_SPEC_CTRL.IBRS=0) merely gives an indication of whether IBRS (of some type) is on. In contrast, as noted in paragraph [00115] of the originally filed disclosure, “a processor supports enhanced IBRS if read MSR (RDMSR) returns a value of 1 for bit 1 of the IA32_ARCH_CAPABILITIES MSR”. In other words, Examiner submits that it is a value of 1 for bit 1 of the IA32_ARCH_CAPABILITIES MSR, not the IA32_SPEC_CTRL.IBRS value, which indicates an always on indirect branch prediction protection.
Examiner notes that claim 1 of the parent application 18/138,591 (now US Patent 12,236,243 B2) recites “a register to store a capability bit that when set to a value of one indicates the core supports an always-on mode for indirect branch restricted speculation”, and separately recites “a model specific register to store an indirect branch restricted speculation bit”.
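For context, the following C program is an added illustration, not part of Applicant's disclosure or of any cited reference, of the distinction drawn in the preceding response and relied upon in the rejection of claim 26: IA32_SPEC_CTRL.IBRS reports only whether IBRS is currently on, whereas bit 1 of IA32_ARCH_CAPABILITIES reports whether the core supports the set-once, always-on (enhanced) form, under which the bit is written once and left set until reset rather than re-written on each entry into the more privileged mode. The MSR numbers (0x48 and 0x10A), the bit positions, the CPUID leaf 7 feature bits that gate reading those MSRs, and the Linux /dev/cpu/N/msr interface are assumptions stated from public Intel and Linux documentation, not taken from the disclosure. The decode functions run anywhere; the main() only reads live MSRs on an x86 Linux host with the msr driver loaded and root privileges.

```c
/*
 * Added illustration (not from the application or the cited references):
 * classify a core's IBRS state from IA32_SPEC_CTRL and IA32_ARCH_CAPABILITIES.
 * Assumed architectural facts: IA32_SPEC_CTRL = MSR 0x48, bit 0 = IBRS;
 * IA32_ARCH_CAPABILITIES = MSR 0x10A, bit 1 = IBRS_ALL (enhanced IBRS).
 * Assumed host interface: Linux msr driver at /dev/cpu/N/msr (root required).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define MSR_IA32_SPEC_CTRL          0x48u
#define MSR_IA32_ARCH_CAPABILITIES  0x10Au

#define SPEC_CTRL_IBRS     (1ull << 0)   /* IBRS currently enabled */
#define SPEC_CTRL_STIBP    (1ull << 1)
#define ARCH_CAP_RDCL_NO   (1ull << 0)
#define ARCH_CAP_IBRS_ALL  (1ull << 1)   /* enhanced ("always-on") IBRS supported */

/* CPUID.(EAX=7,ECX=0):EDX bits that must be set before the MSRs are read */
#define CPUID7_EDX_IBRS_IBPB  (1u << 26)
#define CPUID7_EDX_ARCH_CAP   (1u << 29)

enum ibrs_mode { IBRS_OFF, IBRS_LEGACY, IBRS_ENHANCED };

/* IA32_SPEC_CTRL.IBRS alone says only whether IBRS is on. Whether that IBRS is
 * the always-on variant is indicated by IA32_ARCH_CAPABILITIES.IBRS_ALL. */
enum ibrs_mode classify_ibrs(uint64_t arch_cap, uint64_t spec_ctrl)
{
    if (!(spec_ctrl & SPEC_CTRL_IBRS))
        return IBRS_OFF;
    return (arch_cap & ARCH_CAP_IBRS_ALL) ? IBRS_ENHANCED : IBRS_LEGACY;
}

/* Legacy IBRS must be re-written to 1 on every transition into the more
 * privileged mode to restrict prediction; enhanced IBRS is set once. */
int ibrs_needs_write_on_privilege_entry(enum ibrs_mode m)
{
    return m == IBRS_LEGACY;
}

const char *ibrs_mode_name(enum ibrs_mode m)
{
    switch (m) {
    case IBRS_LEGACY:   return "legacy IBRS (re-assert on kernel entry)";
    case IBRS_ENHANCED: return "enhanced IBRS (set once, stays on until reset)";
    default:            return "IBRS off";
    }
}

/* Read one MSR through the Linux msr driver: pread() at offset == MSR number. */
int read_msr(int cpu, uint32_t msr, uint64_t *out)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, out, sizeof *out, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *out ? 0 : -1;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d) || !(d & CPUID7_EDX_IBRS_IBPB)) {
        puts("IA32_SPEC_CTRL not enumerated by CPUID leaf 7; nothing to read");
        return 1;
    }
    uint64_t spec_ctrl = 0, arch_cap = 0;   /* ARCH_CAPABILITIES absent => 0 => no IBRS_ALL */
    if (read_msr(0, MSR_IA32_SPEC_CTRL, &spec_ctrl) != 0) {
        perror("read IA32_SPEC_CTRL (need root and the msr driver)");
        return 1;
    }
    if ((d & CPUID7_EDX_ARCH_CAP) && read_msr(0, MSR_IA32_ARCH_CAPABILITIES, &arch_cap) != 0) {
        perror("read IA32_ARCH_CAPABILITIES");
        return 1;
    }
    enum ibrs_mode m = classify_ibrs(arch_cap, spec_ctrl);
    printf("SPEC_CTRL=0x%llx ARCH_CAPABILITIES=0x%llx -> %s\n",
           (unsigned long long)spec_ctrl, (unsigned long long)arch_cap, ibrs_mode_name(m));
#else
    puts("not an x86 host; only the decode functions apply here");
#endif
    return 0;
}
```

Note that a value of IA32_ARCH_CAPABILITIES with bit 1 set and IA32_SPEC_CTRL.IBRS clear classifies as IBRS off: the capability bit indicates support for the always-on mode, not that the mode is in effect, which is the separation of the two bits drawn above.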
Applicant on page 11 argues: “As to claim 13, the Applicant notes the below paragraph from the publication of this application” and reproduces publication paragraph [0307] with an emphasized portion.
However, while the aforementioned paragraph does disclose “manufacturing facilities to load into the fabrication machines that actually make the logic or processor”, and while, as Examiner has noted, the original disclosure supports the recited components of an already-manufactured processor core being coupled together in the manner recited, Examiner maintains that the original disclosure does not support a method of manufacturing a processor core comprising the recited steps of coupling. That the original disclosure supports a) a processor core comprising a branch predictor coupled to an instruction fetch unit and b) manufacturing that processor core does not necessarily mean that it supports a method of manufacturing the processor core comprising a specific step of coupling an (already-existing) branch predictor to an (already-existing) instruction fetch unit.
Applicant on page 11 argues: “As to the "indefinite" rejections of claims 3, 10, and 15, the Applicant notes that MPEP §2173 states "Examiners, however, are cautioned against confusing claim breadth with claim indefiniteness. A broad claim is not indefinite merely because it encompasses a wide scope of subject matter provided the scope is clearly defined." The Applicant submits that those skilled in the art would understand what is claimed when claims 3, 10, and 15 are read in light of the specification.”
However, Examiner submits that the relevant limitations of the aforementioned claims are indefinite for the rationale provided.
Applicant on page 12 argues: ‘As to the "indefinite" rejection of claim 26, Applicant notes that Applicant's published paragraph [0116] discusses an example of "always-on" where "IBRS is enabled once (e.g., by setting IA32_SPEC_CTRL.IBRS) and never disabled (e.g., unless the processor is reset or rebooted)" and submits that those skilled in the art would understand what is claimed when claim 26 is read in light of the specification.’
However, to the extent Applicant cites paragraph [0116] to argue that the metes and bounds of the “always-on” limitation are clear even though the limitation does not require IBRS to actually always be on, Examiner submits that the use of “e.g.” in the cited paragraph appears to convey that IBRS may be turned off not only when the processor is reset or rebooted, but in other instances as well. The cited paragraph therefore appears to further highlight the indefinite metes and bounds of “always-on”: it does not shed light on whether any given instance of disabling IBRS (other than processor reset or reboot) would conflict with, or be in accordance with, the “always-on” mode. In other words, it is unclear how “always-on” further limits “mode” if “always-on” does not require the mode to always be on and any number of different instances or events may turn the mode off despite the mode being “always-on”.
Applicant on page 12 argues: “Claims 1-12 stand rejected under 35 U.S.C. § 101 as allegedly being directed to non- statutory subject matter. Although the Applicant disagrees, the Applicant has amended the claims as suggested by the Examiner to overcome these rejections merely in the interest of compact prosecution.”
In view of the aforementioned amendments, the associated previously presented rejections under 35 U.S.C. § 101 are withdrawn.
Applicant on page 13 argues: “The Office action merely cut and pasted the claims with brief citations at the ends of certain lines. No clearly articulated reasoning is provided explaining why the citations are believed to disclose each and every element of these claims, nor are the citations mapped to each and every element of the claims. As such, Applicant cannot reasonably determine which elements of the claims are believed to correspond with the citations in this Office action.”
However, Examiner submits that the manner in which the citations teach or render obvious the elements of the claims would be apparent. Applicant, in the aforementioned argument, does not appear to provide specific instances of unclear correspondence between citations and claim elements, with associated specific rationale.
Applicant on page 13 argues: “There appears to be no allegation of any rationale that supports a conclusion of obviousness for the claims, for example, the ambiguous allegations of … do not support a conclusion of obviousness.”
However, Applicant, in the aforementioned argument, does not appear to elaborate on why Examiner’s rationales for obviousness do not support a conclusion of obviousness.
Applicant on page 14 argues: “For example, as to the rejection of independent claim 1, pages 16-19 of the Office action cursorily refer to entire sections of the alleged combination, but neither offer a clear articulation of how those sections of cited information teach or suggest the quoted language from the Applicant's claims, nor map the citations to each and every element of the claims. Said another way, the mapping of the cited portions of references to the claim language is not clearly articulated.”
However, Applicant, in the aforementioned argument, does not appear to provide specific instances of unclear articulation or insufficient mapping, with associated specific rationale.
Applicant across pages 15-16 argues: “As to (1) above, the Office action has not clearly articulated a finding that the prior art included each element claimed. For example, the citations are not mapped to each and every element of the claims as noted herein. As to (2) above, the Office action has not clearly articulated a finding that one of ordinary skill in the art could have combined the elements as claimed by known methods, and that in combination, each element merely performs the same function as it does separately. The Office action offers no clearly articulated finding of how one of ordinary skill in the art would have combined "the prior art elements of Horn cited above, and Gilbert's teaching of a model specific register as cited above". The Office action does not clearly articulate what known methods would be used to combine the cited portions of Horn with Gilbert. Further, the Office action does not clearly articulate that in combination, each element merely performs the same function as it does separately. As to (3) above, the Office action has not clearly articulated a finding that one of ordinary skill in the art would have recognized that the results of the combination were predictable. On page 18, the Office action makes the unsupported conclusion, with no clearly articulated findings, that "yield predictable results (the invention of Horn, entailing a model specific register)". Additionally, as noted above in reference to (2), the Office action does not clearly articulate what is combined or how it is combined.”
However, Applicant, in the aforementioned argument, does not appear to provide specific instances of unclear articulation or insufficient mapping, with associated specific rationale.
Applicant on page 16 argues: ‘Further, as to the rejection of independent claim 1, page 19 of the Office action alleges "combine the teaching of Bonzini with the combination of Horn and Gilbert in order to increase security". This is not a rationale to combine.’
However, Applicant, in the aforementioned argument, does not appear to elaborate on why such is not a rationale to combine.
Applicant on page 16 argues: ‘Additionally, the Office action on page 17 alleges that Horn discloses "a register having a field to store a value, wherein the value is to indicate behavior". This is not the Applicant's claim language.’
However, Examiner generally notes that the aforementioned teaching of Horn is relevant to Examiner’s explained prior art combination, and therefore is relevant to cite even if the claims do not recite “a register having a field to store a value, wherein the value is to indicate behavior”.
Applicant on page 16 argues: ‘The Office action on page 17 refers to "branch history information" but neither indicates which portion(s) of Horn of the alleged combination are alleged to disclose that claim element, nor indicates which portion(s) of Horn of the alleged combination are alleged to disclose "wherein the value is to indicate the core is to prevent use of branch history information by the branch predictor to predict a target instruction of an indirect branch instruction to be performed by the core at a second privilege level, wherein the branch history information is to have been created based on software performed by the core at a first privilege level, and wherein the second privilege level is more privileged than the first privilege level" as recited, inter alia, in independent claim 1. The Office action on page 17 appears to improperly paraphrase part of the Applicant's claim language here, which Applicant again submits is not considering claim 1 as "a whole".’
However, the Office action on page 17 cited page 5 of Horn as disclosing the attacker code at the userspace/guest privilege level performing a branch target injection on the victim code at the kernel/hypervisor privilege level, which has clear correspondence to the claimed first privilege level, branch history information, and second privilege level that is more privileged than the first privilege level. Examiner submits that the prior art rejection sufficiently conveys both a) which portions of Horn are being relied upon to render obvious, via the overall prior art combination, the overall claim as a whole, and b) how the cited portions of the cited references collectively render obvious the overall claim as a whole. Examiner notes that the overall prior art combination does not rely upon any improper paraphrasing to meet the claim language. In other words, Examiner’s prior art rejection does not rely upon improperly paraphrasing claim language from first subject matter to second subject matter, and then teaching or rendering obvious only that second subject matter. For example, as noted above, Horn’s disclosure of "a register having a field to store a value, wherein the value is to indicate behavior" is relevant to Examiner’s explained prior art combination, and therefore is relevant to cite even if the claims do not recite “a register having a field to store a value, wherein the value is to indicate behavior”, but the overall prior art combination as explained still sets forth how the claimed limitation “a register having a field to store a value, wherein the value is to indicate the hardware core is to prevent use of branch history information…” is rendered obvious.
Applicant on page 17 argues: ‘The Office action on page 18 alleges "Such control register may also be called status registers". If this is Official notice, the Applicant hereby traverses it as not "capable of instant and unquestionable demonstration as being well-known" and thus improper (see, e.g., MPEP §2144.03).’
Examiner first notes that paragraph [0002], lines 1-18, of Gilbert was cited to contain the aforementioned subject matter; as such, Official Notice was not being relied upon. Examiner nevertheless further notes that MPEP 2144.03 further conveys “an applicant must specifically point out the supposed errors in the examiner’s action, which would include stating why the noticed fact is not considered to be common knowledge or well-known in the art. A mere request by the applicant that the examiner provide documentary evidence in support of an officially-noticed fact is not a proper traversal.”
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEITH E VICARY whose telephone number is (571)270-1314. The examiner can normally be reached Monday to Friday, 9:00 AM to 5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jyoti Mehta can be reached at (571)270-3995. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/KEITH E VICARY/ Primary Examiner, Art Unit 2183