Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to the claims filed 4/26/2024. Claims 1-20 are pending. Claims 1 (a non-transitory CRM), 11 (a method), and 18 (a machine) are independent.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claims 1, 11, and 18, and therefore each of the claims, require: “initiate an over-the-air (OTA) update”. No transmission or reception of data is required.
It is unclear what is required of an OTA update in the absence of any communication.
For additional context, it appears that OTA is intended to require an update that is considered untrusted, see Applicant’s specification ¶ 5, rather than actually receiving an update over the air.
Independent claims 1, 11, and 18, and therefore each of the claims, require:
“translate a start address of the application image from the second address space to the first address space, to thereby obtain a translated start address;”
As shown in Applicant’s Figure 3, there is a single address space. It is not clear what translation is required when the address space is identical. Additionally, any reference is presumed to be enabled, MPEP 2121, and thereby capable of utilizing information stored within any address of memory. Therefore, it is unclear what special acts are required of this ‘translation’ beyond that which would be inherent of any data access.
Claim interpretation: HSM
Although termed “hardware security manager”, Applicant’s specification describes software components (e.g. Applicant’s specification ¶ 88) and claim 7 requires software components. Therefore, this term is interpreted as any element, hardware or software, that provides security.
Claim interpretation: Claim 18
Claim 18 sets forth a plurality of physical configurations in the preamble of the claim and then requires “at least one processor … [to]” implement limitations analogous to the CRM/method of claims 1 and 11.
The physical configuration in the preamble of claim 18 appears to be non-limiting intended use. Per MPEP 2111.02: “If the body of a claim fully and intrinsically sets forth all of the limitations of the claimed invention, and the preamble merely states, for example, the purpose or intended use of the invention, rather than any distinct definition of any of the claimed invention’s limitations, then the preamble is not considered a limitation and is of no significance to claim construction.”
Thus, it appears reasonable to interpret the following statements in claim 18 as non-limiting:
“a chassis;
a frame mounted on the chassis;
a motor mounted within the frame;
a plurality of sensors mounted on the vehicle and configured to generate sensor data characterizing an environment of the vehicle”
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claim(s) 1-4, 9, 11-14, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over “NuvoTon – AN0025 Dual Bank Firmware Upgrade Mechanism” (published 2018), in view of “Secure Boot in SimpleLink” (published 2019).
As to claims 1, 11, and 18, NuvoTon discloses a CRM/method/machine comprising:
computer program product being tangibly embodied on a non-transitory computer-readable storage medium and comprising instructions that, when executed by at least one computing device, are configured to cause the at least one computing device to: (“the NuMicro® M2351 series microcontroller (MCU) is provided to avoid such firmware upgrade failures.
The FMC (Flash Memory Controller) in the M2351 series provides APROM Flash memory for users to develop application.” NuvoTon § 1)
initiate an over-the-air (OTA) update of a software application using an application image, (“For example, if the new firmware is stored in a SD card, the download process will start to read new firmware data from external SD card and program the data to Bank1 region. Figure 3-2 shows the firmware download process.” NuvoTon p. 6) using a dual bank architecture with a first memory bank having a first address space and a second memory bank having a second address space; (see Figures 3-2 and 3-3 in NuvoTon p. 6)
translate a start address of the application image from the second address space to the first address space, to thereby obtain a translated start address; (NuvoTon p. 14 as cited below, and NuvoTon Figure 2-1 showing a single address space for bank 1 and bank 2 – in the same manner as Applicant’s Fig. 3. See 112(b) rejection above. Firmware downloaded to Bank 1 and a CRC calculated therefrom inherently requires the addresses for bank 1, which is in the first address space and thereby ‘translated’.)
calculate a pre-boot application authentication code for the application image, using the translated start address; (“5. If there is any other version of firmware in PC, SD card, or other storage, the CRC of each firmware page and full CRC of the firmware should also be calculated after the firmware being downloaded to Bank1 firmware region. 6. Writes CRC value and version number of the firmware into Bank1 CRC region, as shown in Figure 4-4” NuvoTon p. 14. “After active firmware downloads a remote new firmware to the Bank1 region, the relative CRC value and version number will be written into the Bank1 CRC region. The format of CRC region is show in Figure 3-5.” NuvoTon § 3.2)
write the application image to the second address space, using the start address; (“5. If there is any other version of firmware in PC, SD card, or other storage, the CRC of each firmware page and full CRC of the firmware should also be calculated after the firmware being downloaded to Bank1 firmware region. 6. Writes CRC value and version number of the firmware into Bank1 CRC region, as shown in Figure 4-4” NuvoTon p. 14)
execute a swap of the first address space and the second address space with respect to the first memory bank and the second memory bank, so that the application image has a swapped start address instead of the start address; (see NuvoTon p. 9, § 3.4.1 Swap Process)
perform a reset of the dual bank architecture; (see NuvoTon Figure 3-1, Swap Process followed by a Reset on the right side.)
calculate an application authentication code for the application image, using the swapped start address; and (“If there is a firmware in the Bank0 firmware region and integrity check with Bank0 CRC region is correct, this firmware will be executed and called active firmware.” NuvoTon § 3.3)
verify the application image based on comparing the pre-boot application authentication code and the application authentication code. (NuvoTon § 3.3)
NuvoTon does not disclose that the update is delivered wirelessly, as claimed: Over the Air.
SimpleLink discloses: an over-the-air (OTA) update (“The BIM also handles secure OAD (over the air download) with authentication of new application firmware images to be programmed on-chip.” SimpleLink § 3.1. “The new software image along with the updated image headers is transferred over the air to the device which is configured to receive the image in either OAD on-chip or off-chip configuration. Once the new software image is received (either on-chip or off-chip), then, the BIM software is executed to validate the new software image. Once the software update is complete and the device is reset, as part of secure boot process, the BIM again validates the software image on-chip before transferring execution control to the application software image.” SimpleLink § 4.2.
“the last sector of flash containing the CCFG, BIM and public key will no longer be writable or erasable even if the ROM serial bootloader is enabled….. The corresponding public key (C-Public) should be programmed along with the BIM software and other CCFG configuration during device programming in a trusted environment. The image signature is stored as part of the image metadata in the internal flash. The image metadata also has additional details about the application software image including valid address range of the application software image to verify, type of algorithms used, and so forth (see Figure 4)…. The BIM first computes the hash of the application software image using the SHA-256 accelerator and then, verifies
the hash against the decrypted image signature value (decrypted using the secure boot public key).” SimpleLink § 2.3)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined NuvoTon with SimpleLink by incorporating the over the air updates of SimpleLink as an update mechanism to NuvoTon. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine NuvoTon with SimpleLink in order to provide a simple mechanism to update the firmware of deployed devices without requiring a user to insert an SD card or physically access the device. Thereby accelerating and easing the update process.
As to claims 2, 12, and 19, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
translate the start address of the application image using an address offset between the first address space and the second address space. (The system inherently uses address offsets into the Bank 1 ROM region to perform the CRC of the downloaded firmware. “5. If there is any other version of firmware in PC, SD card, or other storage, the CRC of each firmware page and full CRC of the firmware should also be calculated after the firmware being downloaded to Bank1 firmware region. 6. Writes CRC value and version number of the firmware into Bank1 CRC region, as shown in Figure 4-4” NuvoTon p. 14. “After active firmware downloads a remote new firmware to the Bank1 region, the relative CRC value and version number will be written into the Bank1 CRC region. The format of CRC region is show in Figure 3-5.” NuvoTon § 3.2).
As to claims 3, 13, and 20, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
wherein the first address space is a standard address space, and the second address space is an alternate address space, (see NuvoTon Figure 1-1) and further wherein the first memory bank is active and executing an earlier version of the application image (“The firmware in Bank0 can erase Bank1 and program new firmware to Bank1 without stopping instruction fetching form Bank0.” NuvoTon p. 3) during the translating of the start address to the translated start address. (“5. If there is any other version of firmware in PC, SD card, or other storage, the CRC of each firmware page and full CRC of the firmware should also be calculated after the firmware being downloaded to Bank1 firmware region. 6. Writes CRC value and version number of the firmware into Bank1 CRC region, as shown in Figure 4-4” NuvoTon p. 14. “After active firmware downloads a remote new firmware to the Bank1 region, the relative CRC value and version number will be written into the Bank1 CRC region. The format of CRC region is show in Figure 3-5.” NuvoTon § 3.2).
As to claims 4, 14, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
wherein the instructions, when executed, are further configured to cause the at least one computing device to: store the pre-boot application authentication code in a hardware security manager (HSM) secure storage. (see NuvoTon § 3.2 and SimpleLink § 2.3. both disclosing special purpose hardware processors that validate boot images).
As to claim 9, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
wherein the first memory bank and the second memory bank are implemented using partitions of a flash memory. (see NuvoTon Figure 1-1, two Banks of memory within a contiguous address space. See also Applicant’s Figure 3.)
Claim(s) 5, 6, 15, 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over “NuvoTon – AN0025 Dual Bank Firmware Upgrade Mechanism” (published 2018), in view of “Secure Boot in SimpleLink” (published 2019), and Choi et al., US 2011/0125995 (published 2011).
As to claims 5, 15, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
wherein the instructions, when executed, are further configured to cause the at least one computing device to: initiate a second (see NuvoTon Figure 3-1, update FW? Is followed by swap, reset, and boot from Boot Loader [the swapped boot loader] and subsequently a repeat of the decision on whether to update FW. Thus, NuvoTon is a repeating process that updates as many times as necessary, every update being performed identically.) over-the-air (OTA) update of a
translate a
calculate a pre-boot remote new firmware to the Bank1 region, the relative CRC value and version number will be written into the Bank1 CRC region. The format of CRC region is show in Figure 3-5.” NuvoTon § 3.2)
write the
execute a second (see NuvoTon Figure 3-1, update FW? Is followed by swap, reset, and boot from Boot Loader [the swapped boot loader] and subsequently a repeat of the decision on whether to update FW. Thus, NuvoTon is a repeating process that updates as many times as necessary, every update being performed identically.)swap of the first address space and the second address space with respect to the first memory bank and the second memory bank, so that the bootloader has a swapped bootloader start address instead of the bootloader start address; perform a reset of the dual bank architecture; (see NuvoTon p. 9, § 3.4.1 Swap Process)
calculate a
verify the
NuvoTon does not explicitly describe that the update is of the bootloader (see NuvoTon p. 6 first paragraph).
Choi discloses updating a bootloader:
(“an SM bootloader may be embedded in the digital broadcast receiver 220 during a manufacturing process. … When it is necessary to update the installed SM bootloader, the digital broadcast receiver 220 may connect to the digital broadcast transmitter 210 and download a new SM bootloader.” Choi ¶ 43
“The control unit 430 may verify an electronic signature attached to the received firmware through authentication.” Choi ¶ 59).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined NuvoTon in view of SimpleLink with Choi by incorporating the ability to update and verify bootloaders. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine NuvoTon in view of SimpleLink with Choi in order to provide a mechanism to update a bootloader online and offline, Choi ¶ 10, which is needed to fix bugs or add new functionality.
As to claims 6, 16, NuvoTon in view of SimpleLink and Choi discloses the CRM/method/machine of claims 5, 15 and further discloses:
verify a bootloader signature of the bootloader image (NuvoTon Figure 3-1 “Bank1 FW Integrity OK?”) using a signature (“The control unit 430 may verify an electronic signature attached to the received firmware through authentication.” Choi ¶ 59) start address in the second address space (Bank1), prior to calculating the pre-boot bootloader authentication code. (NuvoTon Figure 3-1 “Bank0 FW Integrity OK?”, performed after a swap and “Bank1 FW Integrity OK?”)
Claim(s) 7, 8, 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over “NuvoTon – AN0025 Dual Bank Firmware Upgrade Mechanism” (published 2018), in view of “Secure Boot in SimpleLink” (published 2019), and Thom et al., US 8,375,221 (published 2013).
As to claims 7, 17, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 and further discloses:
wherein the instructions, when executed, are further configured to cause the at least one computing device to:
…
calculate the pre-boot application authentication code and the application authentication code using the
NuvoTon and SimpleLink does not disclose:
duplicate a hardware security manager (HSM) module of a HSM from the first memory bank to the second memory bank; and
HSM module
Thom discloses:
duplicate a hardware security manager (HSM) module of a HSM from the first memory bank to the second memory bank; and
HSM module
(“the software embodying the fTPM can simply be included in a typical BIOS or firmware update to immediately provide such devices with TPM capabilities upon reboot…. the fTPM is first instantiated in a pre-operating system (OS) boot environment by reading the fTPM from system firmware or firmware accessible memory or storage and placing the fTPM into protected memory of the device. Note that in various embodiments, the pre-OS boot environment (or firmware) automatically verifies the integrity of the fTPM code (e.g., by validating a "signature" of the fTPM code) prior to allowing that code to be placed into protected memory” Thom Col. 5, ll. 45+)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined NuvoTon with Thom by including an fTPM in the original firmware/firmware update as described in Thom. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine NuvoTon with Thom in order to allow TPM operations without requiring hardware modifications of existing devices, Thom col. 6, ln. 30.
As to claim 8, NuvoTon in view of SimpleLink and Thom discloses the CRM/method/machine of claim 7 and further discloses:
wherein the instructions, when executed, are further configured to cause the at least one computing device to: store the pre-boot application authentication code in a secure storage of the HSM. (see NuvoTon § 3.2 and SimpleLink § 2.3. both disclosing special purpose hardware processors that validate boot images).
Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over “NuvoTon – AN0025 Dual Bank Firmware Upgrade Mechanism” (published 2018), in view of “Secure Boot in SimpleLink” (published 2019), and Smith et al., US 2012/0017271 (published 2012).
As to claim 10, NuvoTon in view of SimpleLink discloses the CRM/method/machine of claims 1, 11, and 18 but does not disclose:
wherein the application authentication code includes a cipher-based message authentication code (CMAC).
Smith discloses: wherein the application authentication code includes a cipher-based message authentication code (CMAC).
(“Data is sealed to the device configuration by applying a key-derivation function (KDF) to the access token and a measurement of device firmware. … A given device of ATA devices 180 obtains the measurement of device firmware by computing a cryptographic hash (e.g., SHA256 or AES-CMAC) of the device firmware and any relevant configuration settings. Authenticated service 150 obtains device firmware measurements from the manufacturer as part of firmware update distribution.” Smith ¶ 38).
A person of ordinary skill in the art before the effective filing date of the claimed invention would have modified NuvoTon with Smith by utilizing the CMAC of Smith in addition to or in lieu of the CRCs of NuvoTon. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine NuvoTon in view of SimpleLink with Smith in order to seal the device configuration and detect memory tampering via use of a keyed CMAC, thereby preventing software tampering.
In the alternative, claim(s) 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over “NuvoTon – AN0025 Dual Bank Firmware Upgrade Mechanism” (published 2018), in view of “Secure Boot in SimpleLink” (published 2019), and Ricci et al. US 2014/0310702 (published 2014).
As to claim 18, NuvoTon in view of SimpleLink discloses a majority of the limitations of claim 18 as seen above in claim 1. However, NuvoTon in view of SimpleLink does not disclose the preamble-statements:
“a chassis;
a frame mounted on the chassis;
a motor mounted within the frame;
a plurality of sensors mounted on the vehicle and configured to generate sensor data characterizing an environment of the vehicle”
Ricci discloses:
a chassis; (“The vehicle 104 may include a number of vehicle body sensors 782. The vehicle body sensors 782 may be configured to measure characteristics associated with the body (e.g., body panels, components, chassis, windows, etc.) of a vehicle 104.” Ricci ¶ 505. See also Fig. 6A)
a frame mounted on the chassis; (“the first body sensor may be configured to send an electrical signal across the body of the vehicle 104” Ricci ¶ 505, a body is a frame)
a motor mounted within the frame; (“A set of sensors or vehicle components 600 associated with the vehicle 104 may be as shown in FIG. 6A. The vehicle 104 can include, among many other components common to vehicles, wheels 607, a power source 609 (such as an engine, motor” Ricci ¶ 468)
a plurality of sensors mounted on the vehicle and configured to generate sensor data characterizing an environment of the vehicle” (Ricci ¶ 505)
(“FIG. 21 outlines optional vehicle componentry usable, for example, for software and/or firmware updates that can be distributed in a viral manner.” Ricci ¶ 656)
A person of ordinary skill in the art before the effective filing date of the claimed invention would have combined Ricci with NuvoTon in view of SimpleLink by incorporating the firmware updating system of NuvoTon in view of SimpleLink into the vehicle of Ricci. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to combine Ricci with NuvoTon in view of SimpleLink in order to provide a reliable firmware update mechanism in the presence of unexpected conditions, NuvoTon § 1.
As to claims 19 and 20, Nuvoton in view of SimpleLink and Ricci discloses the limitations of the respective claims as shown above.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. See PTO-892, particularly:
Liedtke et al., US 12,001,826, discloses device firmware update techniques.
Jia, US 2016/0224331, discloses Dual Bank firmware updates.
Kobayashi, US 2022/0156057, discloses in-vehicle update of dual bank storage.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL W CHAO whose telephone number is (571)272-5165. The examiner can normally be reached M, W-F 8-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached at (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/MICHAEL W CHAO/ Primary Examiner, Art Unit 2492