CODE INTEGRITY PRESERVING COMPILER

DETAILED ACTION This action is in response to the claims filed 6/21/2024. Claims 1-20 are pending. Independent claims 1, 9 and 16, and corresponding dependent claims are directed towards an apparatus, method and non-transitory computer-readable medium for a code integrity preserving compiler. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Specification The disclosure is objected to because of the following informalities: the first recitation of the following acronyms is not expanded: [0009] CPU, GRPU, DSP, NPU and I/O; [0027] ARM and USB; [0028] RoT; [0034] MD-5, SHA-256, DSA and DSS; [0038] LLVM; [0052] UE; [0062] 3G; and [0063] EMV. Appropriate correction is required. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Robison et al. (US 2020/0073657 A1), published Mar. 5, 2020, in view of Novotny et al. (US 2022/0391541 A1), published Dec. 8, 2022. As to claims 1, 9 and 16, Robison substantially discloses an apparatus (Robison Fig. 1 item 104 information handling system; [0034] requested to load application/service; [0035] source code that needs to be compiled), method (Robison [0010] method) and non-transitory computer-readable medium (Robison [0044] medium) for compiling source code, hereinafter referred to as an apparatus, comprising: a volatile memory system including instructions (Robison Fig. 1 item 121 memory; [0018] DRAM; [0044] instructions); and a processor system coupled to the volatile memory system (Robison Fig. 1 item 106 host processor connected to memory 121), wherein the processor system is configured to: obtain, from a source code repository (Robison Fig. 1 item 198 code repository), a first portion of source code (Robison [0035] obtain code digest from code repository that is source code that must be compiled prior to execution); load the first portion of source code into the volatile memory system (Robison Fig. 412 load into memory and execute; [0038]); generate a second hash of the first portion of source code in the volatile memory system (Robison [0037] loader regenerates the hash digest of the compilation which has the code digest, code ID, developer’s public key and previous block’s signed hash); verify the first portion of source code based on a determination that the first hash is equal to the second hash (Robison [0037] loader verifies that the hash digest matches the signed hash digest of the block associated with the code digest); and compile the first portion of source code (Robison Fig. 4 item 412 Load/Execute App/Service; [0035] dependency for app/service is source code that must be compiled prior to execution). Robison fails to explicitly disclose obtaining, from a source code repository, a first overall hash of a first hash of a first portion of source code; generating a second overall hash of the first hash of the first portion of source code; and verifying the first overall hash based on a determination that the first overall hash is equal to the second overall hash. However, Robison does disclose obtaining, from a source code repository, a first hash of a first portion of source code (Robison [0036]-[0037] identify blockchain associated with code digest and access relevant blocks of blockchain (to get signed hash of code digest)); generating a second hash of the first portion of source code (Robison [0037] loader regenerates the hash digest of the compilation which has the code digest, code ID, developer’s public key and previous block’s signed hash); and verifying the hash based on a determination that the hash is equal to the second hash (Robison [0037] loader verifies that the hash digest matches the signed hash digest of the block associated with the code digest). As such, Robison is lacking in that it fails to explicitly disclose obtaining an overall hash and verifying an overall hash. With this in mind, Novotny describes obtaining an overall hash (Novotny Fig. 3 showing manifest properties including manifest checksum 302 and source code file checksum 310 and manifest digital signature 352; [0053]) and verifying an overall hash (Novotny [0064] validation to detect tampering with manifest by using digitally signed checksum; [0272] checking manifest checksum). It would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains to combine the manifest checksum verification with the integrity validation of Robison, such that an overall manifest checksum is checked for tampering, as it would advantageously allow for reliance upon binaries that are found to sufficiently match their source code (Novotny [0003]). As to claims 2, 10 and 17, Robison and Novotny disclose the invention as claimed as described in claims 1, 9 and 16, respectively, including wherein the processor system is further configured to: obtain a second portion of source code (Robison [0035] obtain code digest from code repository that is source code that must be compiled prior to execution; [0032] multiple code digests and signed hashes stored for multiple developers) and a third hash of the second portion of source code (Robison [0036]-[0037] identify blockchain associated with code digest and access relevant blocks of blockchain (to get signed hash of code digest); [0032] multiple code digests and signed hashes stored for multiple developers); load the second portion of the source code into the volatile memory system (Robison Fig. 412 load into memory and execute; [0038]); generate a fourth hash of the second portion of source code in the volatile memory system (Robison [0037] loader regenerates the hash digest of the compilation which has the code digest, code ID, developer’s public key and previous block’s signed hash); and generate an error based on a determination that the third hash is not equal to the fourth hash (Robison [0006] prevent installing of code that has been tampered with; [0037] loader verifies that the hash digest matches the signed hash digest of the block associated with the code digest; Novotny [0064] validation failing; Fig. 6; [0270] result of comparison reported as “no match”). As to claims 3, 11 and 18, Robison and Novotny disclose the invention as claimed as described in claims 1, 9 and 16, respectively, including wherein the first portion of source code is signed with a digital signature of a signer (Robison [0005] compilation including code digest is signed using developer private key). As to claims 4, 12 and 19, Robison and Novotny disclose the invention as claimed as described in claims 3, 11 and 18, respectively, including wherein the processor system is further configured to verify the digital signature based on a public key of the signer (Robison [0037] use developer’s public key to validate code digest by verifying the signature of the signed hash). As to claims 5, 13 and 20, Robison and Novotny disclose the invention as claimed as described in claims 1, 9 and 16, respectively, including wherein generating the second hash and verifying the first portion of source code are performed by a module of a compiler (Robison Fig. 4 item 412 Load/Execute App/Service; [0035] dependency for app/service is source code that must be compiled prior to execution – indicates that any source code that must be compiled is compiled prior to execution by the information handing system that is performing the loading/execution). As to claim 6, Robison and Novotny disclose the invention as claimed as described in claim 1, including wherein the apparatus comprises a build device separate from the source code repository (Robison Fig. 1 showing information handling system separate from the code repository server). As to claims 7 and 14, Robison and Novotny disclose the invention as claimed as described in claims 1 and 9, respectively, including wherein the first hash is generated by a developer of the first portion of source code (Robison [0027]-[0029] hash includes developer’s public key and is signed after prompting the developer for their private key, indicating the developer is involved in the hashing process). As to claims 8 and 15, Robison and Novotny disclose the invention as claimed as described in claims 1 and 9, respectively, including wherein the first overall hash is signed with a digital signature of the source code repository (Robison [0029] code repository signs hash using developer private key), and wherein the processor system is further configured to verify the digital signature based on a public key of the source code repository (Robison Fig. 1 items 171 developer accounts on code repository having public key of developer; [0022] public key of developer is made available for download by repository; [0037] use developer’s public key to validate code digest by verifying the signature of the signed hash). Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. O'Rourke et al. (US 9,851,956 B2) is related to certification of source code plugins during compilation. O'Cleirigh (US 2020/0110905 A1) is related to source code hash verification. Duval (US 2022/0083640 A1) is related to authenticating software images. Weber (US 2023/0069564 A1) is related to verification of an overall checksum. Any inquiry concerning this communication or earlier communications from the examiner should be directed to ERIC W SHEPPERD whose telephone number is (571)270-5654. The examiner can normally be reached on Monday - Thursday, Alt. Friday, 7:30AM - 5:00PM, EST. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571)272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /Eric W Shepperd/Primary Examiner, Art Unit 2492