DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claim(s) 1-21 is/are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Smith et al. 20200242258 herein Smith.
Per claim 1, Smith discloses: generating a first memory key that maps a host address space from a first protection domain associated with the host node to a second protection domain associated with a proxy node; (fig. 17, ¶0089; interface 1700 receives a workload request with encrypted cipher text, interface 1700 determines if the workload request is permitted by performing an access check based on a certificate, and memory controller 1726 writes the encrypted cipher text into memory…. A workload can request a memory region read or write request or other actions (e.g., create, update, delete, or notify); the examiner notes that the key is merely an ID to the memory space) generating a second memory key based on the first memory key and a first address range associated with the host node; and transmitting the second memory key to a software component executing on the proxy node, wherein the software component causes a shared storage system to access a first portion of the physical memory based on the second memory key (¶0091; (A received workload can be signed by a tenant key (e.g., encrypted using a tenant key) and arrive with tenant certificate. A certificate can identify a tenant (e.g., peer 1750) in some cases. Management interfaces 1704 can use the received certificate to create an appropriate entry in a certification table 1706 and set an expiration (e.g., time to live (TTL)) for the entry).
Per claim 2, Smith discloses: generating a third memory key based on the first memory key and a second address range associated with the host node; and transmitting the third memory key to the software component, wherein the software component causes the shared storage system to access a second portion of the physical memory based on the third memory key (¶0091; (A received workload can be signed by a tenant key (e.g., encrypted using a tenant key) and arrive with tenant certificate. A certificate can identify a tenant (e.g., peer 1750) in some cases. Management interfaces 1704 can use the received certificate to create an appropriate entry in a certification table 1706 and set an expiration (e.g., time to live (TTL)) for the entry; the examiner notes that the third key is merely an iteration of the process in claim 1).
Per claim 3, Smith discloses: wherein the first portion of the physical memory comprises a first host buffer that corresponds to the first address range (¶0099; If the certificate provided with the request is valid, at Action C, by specification of an entry in configuration table 1708, target process 1722 associated with memory region [a,b] in buffer 1724 identifies initiator 1754 is trusted on platform 1720. At Action D, a “load/store” is performed at PASID p, offset o, in buffer 1724. At Action E, a translation of <p,o> to a page table entry (PTE) address (β)+sub-page block (y)+remainder (p) in in buffer 1724 occurs using page table 1710;).
Per claim 4, Smith discloses: wherein the first memory key comprises a cross guest virtual machine identifier memory key (¶0119; configuration table 2060 specifies that PASID1 for VM1 and PASID2 for container 1 can be accessed based on an identifier of the requester (e.g., Src PASID1 and NodeID1 associated with the UE app). In other words, configuration table 2060 specifies access rights to the workload request for PASID1 and PASID2 for particular address regions for the UE app that sent the workload request).
Per claim 5, Smith discloses: further comprising storing the second memory key in a memory key cache based on the first address range prior to transmitting the second memory key to the software component (¶0094 and ¶0098; Page table 1710 can store mapping between virtual addresses and physical addresses. A page table entry in page table 1710 can convert a virtual address in configuration table 1708 to a physical addresses in buffer 1724. In some examples, validation and RDMA control 1702 can encrypt page table 1710 using one or more keys.).
Per claim 6, Smith discloses: further comprising failing to retrieve the second memory key from a memory key cache based on the first address range prior to generating the second memory key (¶0088; interface 1700 perform or include: (1) certification to store and manage certificates from sources accessing memory ranges within a local node and corresponding permissions based on received certificates; (2) validation of requests as well as memory access checks (e.g., within different ranges of a page of a local node); and (3) interfaces to manage certification and configuration in an out-of-band fashion or in-band fashion).
Per claim 7, Smith discloses: wherein the software component causes the shared storage system to access the first portion of the physical memory by causing a storage driver executing on the proxy node to transmit to the shared storage system a remote direct memory access request that specifies the first address range and the second memory key (fig. 17, ¶0090; management interfaces 1704 can be accessed both in-band (e.g., ring 0 or kernel mode) or out-of-band to configure certificates of peer PASIDs (e.g., tokens) of the systems and a list of peer PASIDS that can access to that memory as well as the type of protection being associated to that range. For example, in-band management can be from a dedicated set of control plane and management plane devices whereas out-of-band can include an orchestrator defining permitted interactions across platforms or nodes by specific processes, VMs or containers).
Per claim 8, Smith discloses: wherein the software component comprises a software application that resides in a user space (fig. 17, ¶0088; a tenant workload can be built into multiple processes, VMs, or containers that interact across platforms or nodes. For example, to continue operation across platforms or nodes, peer 1750 can send a workload to interface 1700. The architecture can be used in an interface 1700 (e.g., Host Fabric Interface or network interface card), for example. Various embodiments of interface 1700 perform or include: (1) certification to store and manage certificates from sources accessing memory ranges within a local node and corresponding permissions based on received certificates; (2) validation of requests as well as memory access checks (e.g., within different ranges of a page of a local node); and (3) interfaces to manage certification and configuration in an out-of-band fashion or in-band fashion).
Per claim 9, Smith discloses: wherein the second memory key includes one or more memory access attributes that enable at least one of remote write access or remote read access for the first portion of the physical memory (fig. 17, ¶0029; a memory controller to use a proper key (e.g., multiple key total memory encryption (MKTME) key) to read data from a memory region, decrypt the read data, modify the read data with received data, encrypt the modified data and write the encrypted modified data to the memory region).
Per claim 10, Smith discloses: wherein the shared storage system comprises at least one of shared file storage, shared block storage, or object storage (¶0134; The system can use embodiments described herein to share memory region access and one or more keys with an initiator.).
Per claim 11, Smith discloses: wherein at least the generating the second memory key is implemented via a service ( ¶0127; An SGX security model may use an architectural enclave such as a Platform Configuration Enclave (PCE) or a Platform Services Enclave (PSE) to allow access to SGX protected PAS pages).
Claims 13-19 are the CRM claims corresponding to the method claims 1-8 and are rejected under the same reasons set forth in connection with the rejection of claims 1-8.
Per claim 14, Smith discloses: wherein the second memory key comprises a remote key that is subordinate to the first memory key ( ¶0092-93; In some examples, a tenant can be identified by a node identifier (Node ID) and a local Process Address Space ID (PASID). A local PASID can be used by interface 1700 and platform 1720 to identify the tenant and the local PASID can be assigned irrespective of a PASID of the tenant assigned by a different device….. An entry in certification table 1706 can also include a “Token” that is signed by an attestation provider. An attestation provider could be an issuer of the certificate presented with the workload request. The token could be an indication by interface 1700 to permit access by peer 1750 to a memory region in platform 1720 after performing an attestation protocol with peer 1750. An entry in certification table 1706 can include a key or keys (e.g., MKTME keys) for use to access a memory region using a memory controller (MC) 1726; the examiner notes that subordinate is interpreted as associated with).
Per claim 20, Smith discloses: wherein the second memory key includes an attribute indicating that the second memory key is subordinate to the first memory key ( ¶0092-93; In some examples, a tenant can be identified by a node identifier (Node ID) and a local Process Address Space ID (PASID). A local PASID can be used by interface 1700 and platform 1720 to identify the tenant and the local PASID can be assigned irrespective of a PASID of the tenant assigned by a different device….. An entry in certification table 1706 can also include a “Token” that is signed by an attestation provider. An attestation provider could be an issuer of the certificate presented with the workload request. The token could be an indication by interface 1700 to permit access by peer 1750 to a memory region in platform 1720 after performing an attestation protocol with peer 1750. An entry in certification table 1706 can include a key or keys (e.g., MKTME keys) for use to access a memory region using a memory controller (MC) 1726).
Claim 21 is the system claim corresponding to the method claim 1 and is rejected under the same reasons set forth in connection with the rejection of claim 1.
Response to Arguments
Applicant's arguments filed 12/15/25 have been fully considered but they are not persuasive.
The applicant argues: Smith discloses the general idea of providing secure access to a particular memory space using a tenant key that acts as an encryption key. See Smith at [0089], [0091]; Fig. 17. In the rejections, the Examiner maps the first memory key, recited in claim 1, to an identifier (ID) of the memory space being accessed, disclosed in Smith; and the second memory key, recited in claim 1, to the tenant key that acts as an encryption key, disclosed in Smith. See Office Action at pp. 2-3. Based on these claim mappings, to teach or suggest the above limitations of claim 1, Smith would have to disclose that the ID of the memory space is a first memory key that maps one address space from one protection domain associated with one node, to a different protection domain associated with a different node. Smith also would have to disclose generating a different memory key based on this first memory key and a particular address range. Importantly, Smith contains no such teachings. Rather, as noted by the Examiner, "the key is merely an ID to the memory space."See Office Action at p. 3. As a technical matter, an ID to a single memory space does not provide any kind of a mapping from one protection domain on one node to a different protection domain on a different node, as would be required to meet the claim language. Further, since Smith does not disclose a first memory key that maps one protection domain on one node to a different protection domain on a different node, Smith cannot, as a technical or logical matter, disclose the idea of generating a different memory key based on the first memory key and a particular address range, as claimed. In view of these distinctions, Applicant submits that Smith cannot be properly interpreted as teaching or suggesting the above limitations of claim 1.
The examiner respectfully disagrees and asserts that Smith discloses a first memory key that maps a host node to a second protection domain associated with the host node to a second protection domain associated with a proxy node. First, the examiner notes that the claim requires a first memory key which maps a host address of a first protection domain to a second protection domain. The claim does not set the metes and bounds of how a memory key maps a first protection domain to a second protection domain. As discloses in the rejection supra the examiner interprets the key as merely an identifier, in this case the encrypted cypher text. Further, the identifier is used to determine whether a workload request is permitted to access the memory region. The applicant argues that an ID cannot map from one protection domain to another but the examiner notes that the claims do not set forth how the key maps from one domain to another. Therefor, the examiner notes that identifier taught by Smith does meet the limitation of allowing access of a tenant into the management node by presenting the identifier (encrypted cypher text).
Further, the applicant argues that Smith does not disclose second memory key generated based on the first memory key and a first address range. The examiner notes that the claim does not set forth how the second memory key is generated based on the first key and memory range. The claims is interpreted as using the identifier address of the memory range to grant permission using a key. Smith discloses a PSAID is used to identify the tenant and a corresponding certificate/token in the certification table is used to authenticate to a corresponding memory region. Also, corresponding keys can be used in the certification table to access the memory region. See ¶0091 & ¶0099. The tenant key generated is based on identifier, certificate and memory address region. Therefore, Smith discloses generating a different memory key based on the first memory key and a particular address range
Remark
Examiner respectfully requests, in response to this Office action, support be shown for language added to any original claims on amendment and any new claims. That is, indicate support for newly added claim language by specifically pointing to page(s) and line number(s) in the specification and/or drawing figure(s). This will assist Examiner in prosecuting the application.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Fliam discloses: The memory manager may access the shared area 140 to retrieve the encryption key and decrypt the received file path. The memory manager may perform one or more lookups, similar to DNS, by retrieving the memory addresses referenced in the requested file. The memory manager may send the file browser the memory addresses referenced in the file, and the file browser may retrieve the file from the local memory storage on the computer. The file browser acting as the user device 150 never sees the file paths of the referenced content.
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BABOUCARR FAAL whose telephone number is (571)270-5073. The examiner can normally be reached M-F 8:30-5:30 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Tim VO can be reached at 5712723642. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
BABOUCARR . FAAL
Primary Examiner
Art Unit 2138
/BABOUCARR FAAL/Primary Examiner, Art Unit 2138