DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In communications filed on 03/04/2025. Claims 3, 5-6, 9-13, 15-17, and 20-21 are amended. Claims 4, 14, and 18 are cancelled. Claims 1-3, 5-13, 15-17, and 19-23 are pending in this examination.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. This examination is in response to US Patent Application No. 19/108,542.
CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked.
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function;
(B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and
(C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function.
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function.
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function.
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “a memory protection unit configured” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-3, 5-10, 15-17, 19, and 22-23 are rejected under 35 U.S.C. 102(a) (1) as being anticipated by Bolotov (US2019/0042795)(Filed in IDS 03/04/2025).
Regarding claim 1, Bolotov discloses an apparatus comprising: [0020] FIG. 1 is a block diagram of an example of an environment including a system 125 for compressed integrity check counters in memory, according to an embodiment. The system 125 represents a secure, or trusted, zone of a computer system. The system 125 includes a processor 120, cache 115 (e.g., used to speed processor access to frequently used data), and a memory controller 110. The memory controller 110 is connected to a memory 105.
counter control circuitry to maintain a plurality of counters associated with a plurality of data items [0028] FIG. 2 illustrates an example relationship between cache lines and counters in memory, according to an embodiment. The illustrated example is of ECC memory where user data is stored in a data area of cache lines 1-9 and corresponding ICVs are stored in the ECC area of these cache lines. The data areas of cache lines 10-12 hold counters used for cache lines 1-9 (order 1 counters), and each has its own corresponding ICV in the respective ECC areas, while the counters in cache line 13 hold counters used for cache lines 10-12 (order 2 counters). The counter for cache line 13 (order 3 counter) is stored in the memory controller.
the plurality of counters including: a plurality of minor counters each associated with one of the plurality of data items [0028] FIG. 2 illustrates an example relationship between cache lines and counters in memory, according to an embodiment. The illustrated example is of ECC memory where user data is stored in a data area of cache lines 1-9 and corresponding ICVs are stored in the ECC area of these cache lines. The data areas of cache lines 10-12 hold counters used for cache lines 1-9 (order 1 counters), and each has its own corresponding ICV in the respective ECC areas, while the counters in cache line 13 hold counters used for cache lines 10-12 (order 2 counters). The counter for cache line 13 (order 3 counter) is stored in the memory controller.
a plurality of middle counters each associated with a subset of the plurality of data items and a corresponding subset of the plurality of minor counters [0028] FIG. 2 illustrates an example relationship between cache lines and counters in memory, according to an embodiment. The illustrated example is of ECC memory where user data is stored in a data area of cache lines 1-9 and corresponding ICVs are stored in the ECC area of these cache lines ( order 1 counters). The data areas of cache lines 10-12 hold counters used for cache lines 1-9 (order 1 counters), and each has its own corresponding ICV in the respective ECC areas, while the counters in cache line 13 hold counters used for cache lines 10-12 (order 2 counters). The counter for cache line 13 (order 3 counter) is stored in the memory controller.
and a major counter associated with the plurality of data items[0028] FIG. 2 illustrates an example relationship between cache lines and counters in memory, according to an embodiment. The illustrated example is of ECC memory where user data is stored in a data area of cache lines 1-9 and corresponding ICVs are stored in the ECC area of these cache lines ( order 1 counters). The data areas of cache lines 10-12 hold counters used for cache lines 1-9 (order 1 counters), and each has its own corresponding ICV in the respective ECC areas, while the counters in cache line 13 hold counters used for cache lines 10-12 (order 2 counters). The counter for cache line 13 (order 3 counter) is stored in the memory controller.
and a memory protection unit configured: in response to a transfer of a data item of the plurality of data items from secure storage to off-chip storage, to modify a corresponding minor counter associated with the data item, and subsequently to encrypt the data item using an encryption process based on each of the plurality of counters associated with the data item [0019] , "a cryptographically strong integrity and replay protection solution (e.g., for off-chip memory and remote storage systems) is enabled], and [0036] 4) replace local copy of data 4 by its new value], and [0037] 5) update (e.g., increment) ctr4], and [0038] 6) encrypt cache line 4, cache line 11, and cache line 13 using new values of data and counters].
in response to an overflowing minor counter of the plurality of minor counters, to perform a middle re-encryption process comprising modifying a middle counter associated with the overflowing minor counter and re-encrypting each of the subset of the plurality of data items associated with the middle counter using the encryption process [0083] Counters are organized into groups. Each group includes a dedicated overflow sub- counter. In the case of overflow, only the counters inside the related group are reset and the group-overflow sub- counter is incremented], and [0024] As each data area is visited, the memory controller 110 is arranged to refresh the data area with a new key. The refreshing may include re-encrypting the data area or retagging the data area via a new ICV.
and in response to an overflowing middle counter of the plurality of middle counters, to perform a major re-encryption process comprising modifying the major counter to indicate occurrence of the overflowing middle counter, and subsequently re-encrypting each of the plurality of data items using the encryption process [0083] Counters are organized into groups. Each group includes a dedicated overflow sub- counter. In the case of overflow, only the counters inside the related group are reset and the group-overflow sub- counter is incremented. "], and [0024] As each data area is visited, the memory controller 110 is arranged to refresh the data area with a new key. The refreshing may include re-encrypting the data area or retagging the data area via a new ICV.
Regarding claim 2, Bolotov discloses wherein the middle re-encryption process comprises, prior to re-encrypting each of the subset of the plurality of data items associated with the middle counter, resetting each of the corresponding subset of the plurality of minor counters associated with the middle counter. [0017] To address these problems of counter size and integrity tree depth, a technique of compressed integrity check counters may be used. Here, small counters are used to provide short term freshness, while keys used to encrypt data are continually changed. In such an implementation, the combination of the counter value and the key provide the freshness that protects the data, and the counters are able to be reset as data is refreshed (e.g., re-encrypted or re-tagged with a new ICV) with the new key without sacrificing the monotonic property. Thus, the small counters are still monotonic with respect to a given key, and do not overflow.
[0024] The counter reset includes visitation of data areas with corresponding counters. This includes both user data areas (e.g., containing data originating from an entity other than the memory controller 110, such as the processor 120, an application, other device, etc.) and data areas containing counters (or other memory controller 110 data) protected by an ICV or another encryption operation using a counter. As each data area is visited, the memory controller 110 is arranged to refresh the data area with a new key. The refreshing may include re-encrypting the data area or retagging the data area via a new ICV. The new key is different than previous keys used to refresh the data area. In an example, the new key is used to encrypt all data areas. With the refreshing of the data area, the counter may be reset because the combination of the key and the counter provides the freshness (e.g., the counter tracks versions of the data area encrypted with a given key). Thus, the memory controller 110 is arranged to reset the counter to a default value in response to encrypting the data area using the new key. In an example, the default value is zero], and [0083] FIG. 7 is another example of GMDC. This structure is a lightweight solution to reduce, in most but not in all cases, the amount of overhead caused by counter overflows. Counters are organized into groups. Each group includes a dedicated overflow sub-counter. In the case of overflow, only the counters inside the related group are reset and the group-overflow sub-counter is incremented. Only in the case of an overflow of one of these sub-counters, are all counters and overflow sub-counters across groups reset, and the main overflow counter is incremented. In an example, there may be more than one layer of these sub-counters.
Regarding claim 3, Bolotov discloses wherein the major re-encryption process comprises, prior to re-encrypting each of the plurality of data items, resetting at least one of: each of the plurality of middle counters; and/or each of the plurality of minor counters.
[0017, 0024, 0083].
Regarding claim 5, Bolotov discloses wherein each of the plurality of data items has a size corresponding to a size of a single cache line.[0028] FIG. 2 illustrates an example relationship between cache lines and counters in memory, according to an embodiment. The illustrated example is of ECC memory where user data is stored in a data area of cache lines 1-9 and corresponding ICVs are stored in the ECC area of these cache lines. The data areas of cache lines 10-12 hold counters used for cache lines 1-9 (order 1 counters), and each has its own corresponding ICV in the respective ECC areas, while the counters in cache line 13 hold counters used for cache lines 10-12 (order 2 counters). The counter for cache line 13 (order 3 counter) is stored in the memory controller.
Regarding claim 6, Bolotov discloses wherein a total number of bits used to store the plurality of counters is fewer than or equal to a number of bits of a single cache line [ see FIG 2 , [0022] The environment contemplates malicious devices 130 that may access the memory 105 via software or hardware. To prevent the unauthorized access to, or tampering with, data in the memory 105 by the malicious devices 130, the memory controller 110 is configured to implement memory security. As part of this memory security, the memory controller 110 implements and uses compressed memory integrity check counters, used to provide variance (e.g., freshness, versioning, etc.) to encryption operations including creation of ICVs. To this end, the memory controller 110 is arranged to maintain a set of counters for data areas in the memory 105. A given counter in the set of counters is used to provide a variance to encryption operations on a corresponding data area. Generally, the counter is related to the data area via the data area's address. The counter is incremented each time data is modified in the data area. The counter incrementation usually occurs before it is used to compute a new ICV for the data area as the data area is written. The ICV may then be used (e.g., by the memory controller 110), during a subsequent read to verify that the content of the data area has not been manipulated. In an example, the counter is stored in a cache line of the memory along with the ICV. In ECC memories, the ECC area of a cache line may be used to store the ICV. This has several advantages, including preventing additional reads to perform the integrity check when the data is read. This ECC area may have additional bits that are free to store the counter upon. In an example, the data area is a cache line of the memory. Here, cache line refers to an addressable portion of the physical cache line. Thus, in ECC memory, the addressable cache line may be 512 bits, while an additional 128 bits are reserved for the memory controller 110 and referred to here as the ECC area (although it may be used for things other than ECC information). In non-ECC memories, the addressable cache line may be the same as the physical cache line.
Regarding claim 7, Bolotov discloses wherein: each of the plurality of minor counters is a 5-bit counter; and the plurality of middle counters comprises 8 middle counters and each of the 8 middle counters is an 8-bit counter. [0022, 0084], Examiner note : the size of the counters is considered as an obvious design option.
Regarding claim 8, Bolotov discloses wherein: each of the plurality of minor counters is a 3-bit counter; and the plurality of middle counters comprises 8 middle counters and each of the 8 middle counters is a 4-bit counter. [0022, 0084], Examiner note : the size of the counters is considered as an obvious design option.
Regarding claim 9, Bolotov discloses wherein the number of bits of the single cache line is 512 bits [ see FIG 2 , [0022].
Regarding claim 10, Bolotov discloses wherein the major counter is a 64-bit counter
[0022, 0084], Examiner note : the size of the counters is considered as an obvious design option.
Regarding claim 15, Bolotov discloses wherein: the plurality of middle counters comprises a plurality of layers of middle counters arranged as part of a hierarchical tree structure comprising the major counter, the plurality of layers of middle counters, and the plurality of minor counters; each middle counter of one of the plurality of layers is associated with a plurality of lower level counters associated with a sequentially lower layer of the hierarchical structure; and the memory protection unit is responsive to an overflowing lower level counter of the corresponding subset of the plurality of lower level counters, to perform a next level re-encryption process comprising modifying a next level counter associated with the overflowing lower level counter and re-encrypting each of the subset of the plurality of data items associated with the next level counter [0060] FIG. 4 illustrates an example of a counter hierarchy being reset, according to an embodiment. Specifically, FIG. 4 is a graphical representation of an integrity tree during the refreshing procedure. Each node that is not the root node represents one cache line. The nodes in the top row contain user data and the remaining nodes hold counters. Refreshing may be viewed as a wave which traverses all levels of the tree except for the level containing user data, starting from the on-chip root. At the end of a single pass of the wave all tags (e.g., ICVs) are recomputed with the new key.
Regarding claim 16, Bolotov discloses wherein the memory protection engine and the secure storage are integrated on a same chip [0019] Implementing the compressed integrity check counters as described herein provides several benefits. For example, the reduced integrity tree depth and background processing of data refreshing result in robust security while minimizing the average impact of data and latency (e.g., throughput) of the memory. That is, in contrast to other techniques, a cryptographically strong integrity and replay protection solution (e.g., for off-chip memory and remote storage systems) is enabled that has with high throughput, low latency, and low peak values of read and write overhead for a given memory access. Additional examples and details are described below], and [0020] FIG. 1 is a block diagram of an example of an environment including a system 125 for compressed integrity check counters in memory, according to an embodiment. The system 125 represents a secure, or trusted, zone of a computer system. The system 125 includes a processor 120, cache 115 (e.g., used to speed processor access to frequently used data), and a memory controller 110. The memory controller 110 is connected to a memory 105.
Regarding claim 17, Bolotov discloses wherein the plurality of counters are one of: stored in the secure storage; or stored off-chip and are encrypted using a master key stored in the secure storage [0020] FIG. 1 is a block diagram of an example of an environment including a system 125 for compressed integrity check counters in memory, according to an embodiment. The system 125 represents a secure, or trusted, zone of a computer system. The system 125 includes a processor 120, cache 115 (e.g., used to speed processor access to frequently used data), and a memory controller 110. The memory controller 110 is connected to a memory 105.], and [0024] The counter reset includes visitation of data areas with corresponding counters. This includes both user data areas (e.g., containing data originating from an entity other than the memory controller 110, such as the processor 120, an application, other device, etc.) and data areas containing counters (or other memory controller 110 data) protected by an ICV or another encryption operation using a counter. As each data area is visited, the memory controller 110 is arranged to refresh the data area with a new key. The refreshing may include re-encrypting the data area or retagging the data area via a new ICV. The new key is different than previous keys used to refresh the data area. In an example, the new key is used to encrypt all data areas. With the refreshing of the data area, the counter may be reset because the combination of the key and the counter provides the freshness (e.g., the counter tracks versions of the data area encrypted with a given key). Thus, the memory controller 110 is arranged to reset the counter to a default value in response to encrypting the data area using the new key. In an example, the default value is zero.
Regarding claim 19, Bolotov discloses wherein each data item is associated with a single minor counter, at least one middle counter and the major counter
[0083] FIG. 7 is another example of GMDC. This structure is a lightweight solution to reduce, in most but not in all cases, the amount of overhead caused by counter overflows. Counters are organized into groups. Each group includes a dedicated overflow sub-counter. In the case of overflow, only the counters inside the related group are reset and the group-overflow sub-counter is incremented. Only in the case of an overflow of one of these sub-counters, are all counters and overflow sub-counters across groups reset, and the main overflow counter is incremented. In an example, there may be more than one layer of these sub-counters.
Regarding claims 22, and 23, these claims are interpreted and rejected for the same rational set forth in claim 1.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 11, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2019/0042795 issued to Bolotov (Filed in IDS 03/04/2025)., and in view of US Patent Application No. (2017/0177505) issued to Basak (Filed in IDS 03/04/2025).
Regarding claim 11, Bolotov does not explicitly disclose, however, Basak discloses wherein each of the plurality of counters is implemented as one of: a linear feedback shift register, wherein overflowing corresponds to the linear feedback shift register reaching a predetermined state; a non-linear feedback shift register, wherein overflowing corresponds to the non-linear feedback shift register reaching a predetermined state; and a binary counter, wherein overflowing corresponds to the binary counter exceeding a predetermined value. [0039] FIG. 3 illustrates an example system 300. In some examples, as shown in FIG. 3, system 300 includes a cache line 301 being received at MEE 116. For these examples, cache line 301 may include cryptographic metadata that may include counter values generated by a linear-feedback shift register (LFSR). Counter values included in cryptographic metadata received via cache line 301 may serve as version information during writes to or read from a protected memory location of an off-die memory (e.g., EPC 122 or system memory 120). As described more below, compression-de-compression engine (CDE) 325 may include logic and/or features to implement one or more compression schemes to compress counter values such as counter values included in cache line 301 by encoding repeating data patterns and then storing compressed counter values to MEE cache 112], and [0047] According to some examples, GFSR 510 may generate binary digit counter values having temporal patterns. For example, GFSR 510 as shown in FIG. 5 may be a 16 bit GFSR with taps at the 2.sup.nd and 12.sup.th bits and may have a seed value of “0000000000000100”. As an example, states outputted by GFSR 510 between the 22.sup.nd and 31.sup.st state transitions shows recurrence of the pattern “11101110” indicated in FIG. 5 in the bolded text. Thus, GFSR 510 is able to generate a temporal pattern of “11101110” between states 22 and 31. Using the same seed value of “0000000000000100” and the configuration shown in FIG. 5 for GFSR 510 the same temporal pattern may also be observed within the first 200 states between states 113-117 as well as between states 164-169 (not shown). In a counter mode encryption scheme such as the scheme described and shown for structure 200 in FIG. 2, the version and the higher tree level counters (L0-L2) may all have the same characteristic function and are initiated from the same seed/initial value during enclave operations for the application operating with the TEE. Hence, depending on data/lower level metadata updates, the version and the higher tree level counters traverse through the same sequence of states temporally at different frequencies.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Bolotov by incorporating “counter values generated by a linear-feedback shift register (LFSR)”, as taught by Basak. One could have been motivated to do so in order for Counter values included in cryptographic metadata received via cache line may serve as version information during writes to or read from a protected memory location of an off-die memory [ Basak, Pages 0039].
Regarding claim 20 , Bolotov does not explicitly disclose, however, Basak discloses wherein the memory protection unit is configured to decrypt an encrypted data item transferred from the off-chip storage to the secure storage using a decryption process based on each of the plurality of counters associated with the encrypted data item. [0021] FIG. 1 illustrates an example system 100. In some examples, as shown in FIG. 1, system 100 includes a processor 110 including one or more processor core(s) 112, a cache 114 and a memory encryption engine (MEE) 116. System 100 also includes a system memory 120 that is off-die or off-chip in relation to processor 110. In some examples, as described more below, MEE 116 may include logic and/or features to perform encryption, decryption and authentication of data cache lines moving in and out of a protected region of system memory 120 that is shown in FIG. 1 as enclave page cache (EPC) 122. A trusted boundary 130 shown in FIG. 1 indicates a demarcation between trusted enclave operations for memory encryption occurring on-chip or on-die at processor 110 and enclave operations that may occur off-chip or off-die at system memory 120.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Bolotov by incorporating “logic and/or features to perform encryption, decryption inside the MME”, as taught by Basak. One could have been motivated to do so in order to authenticate the data cache lines moving in and out of a protected region of system memory [ Basak, 0021].
Claims 12-13, and 21 are rejected under 35 U.S.C. 103 as being unpatentable over US Patent No. 2019/0042795 issued to Bolotov (Filed in IDS 03/04/2025). , and in view of US Patent Application No. (2021/0058237) issued to Sandberg (Filed in IDS 03/04/2025).
Regarding claim 12 , Bolotov does not explicitly disclose, however, Sandberg discloses wherein the encryption process is performed using, as an encryption key, a combination of each of the plurality of counters associated with the data item [0104] FIG. 6 shows a split-counter integrity tree 26 which can be used by the memory security unit 20 to improve performance relative to the example shown in FIGS. 4 and 5. The counter tree has a similar arrangement of leaf nodes and non-leaf nodes 84, 88 as in FIG. 5 with each parent (non-leaf) node 88 providing the counters for computing the MACs 80 for each of its child nodes and the leaf nodes 84 providing the counters 82 for computing the MACs for other non-integrity tree related data blocks 50. However, in FIG. 6, at least some of the nodes of the tree use a split-counter approach, in which the counters in that node of the tree are represented in split-form using a major count value 95 and a number of minor count values 97. Each of the minor count values 97 corresponds to one of the data blocks covered by that node of the tree. The actual counter for a given data block is defined by the combination of the major count value 95 (which is shared between all of the blocks covered by that node) and the specific minor count value 97 specified for that data block. For example, the counter for block 0 could correspond to the major count value concatenated with the specific minor count value selected for block 0; the counter for block 1 can correspond to the shared major count value concatenated with the specific minor count value selected for block 1; and so on. Hence, when the MAC 80 is calculated for a given block of data, the MAC function 54 is applied to the contents of the data block together with both the shared major counter 95 from the parent node and one of the minor counters 97 selected for the particular data block. Each minor counter 97 is incremented on each update to the corresponding data block. The shared major counter 95 is incremented when any of the corresponding set of minor counters 97 overflows.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Bolotov by incorporating “a memory security unit 20 includes integrity tree generation and verification circuitry 36, and encryption/decryption circuitry 32”, as taught by Sandberg. One could have been motivated to do so in order to imply a counter integrity tree that can be used to check the integrity of data stored in a protected region of memory [ Sandberg, 0021, 0085].
Regarding claim 13, Bolotov does not explicitly disclose, however, Sandberg discloses wherein the combination is one of: a concatenation of each of the plurality of counters associated with the value; or an addition of values stored in each of the plurality of counters associated with the data item [0104] FIG. 6 shows a split-counter integrity tree 26 which can be used by the memory security unit 20 to improve performance relative to the example shown in FIGS. 4 and 5. The counter tree has a similar arrangement of leaf nodes and non-leaf nodes 84, 88 as in FIG. 5 with each parent (non-leaf) node 88 providing the counters for computing the MACs 80 for each of its child nodes and the leaf nodes 84 providing the counters 82 for computing the MACs for other non-integrity tree related data blocks 50. However, in FIG. 6, at least some of the nodes of the tree use a split-counter approach, in which the counters in that node of the tree are represented in split-form using a major count value 95 and a number of minor count values 97. Each of the minor count values 97 corresponds to one of the data blocks covered by that node of the tree. The actual counter for a given data block is defined by the combination of the major count value 95 (which is shared between all of the blocks covered by that node) and the specific minor count value 97 specified for that data block. For example, the counter for block 0 could correspond to the major count value concatenated with the specific minor count value selected for block 0; the counter for block 1 can correspond to the shared major count value concatenated with the specific minor count value selected for block 1; and so on. Hence, when the MAC 80 is calculated for a given block of data, the MAC function 54 is applied to the contents of the data block together with both the shared major counter 95 from the parent node and one of the minor counters 97 selected for the particular data block. Each minor counter 97 is incremented on each update to the corresponding data block. The shared major counter 95 is incremented when any of the corresponding set of minor counters 97 overflows.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Bolotov by incorporating “a memory security unit 20 includes integrity tree generation and verification circuitry 36, and encryption/decryption circuitry 32”, as taught by Sandberg. One could have been motivated to do so in order to imply a counter integrity tree that can be used to check the integrity of data stored in a protected region of memory [ Sandberg, 0021, 0085].
Regarding claim 21 , Bolotov does not explicitly disclose, however, Sandberg discloses wherein the plurality of counters corresponds to a single node in a data integrity tree, the data integrity tree comprising a plurality of nodes each storing a corresponding plurality of counters and at least one node of the plurality of nodes is an intermediate node associated with a corresponding set of data items each data item comprising a further node of the plurality of nodes.[0100] FIG. 5 shows an alternative way of implementing the integrity tree 26 using a counter tree instead of a hash tree. In this case, rather than a given node of the tree providing all the MACs to be used for authenticating the blocks at a subsequent node of the tree, each node instead defines separate counters for each child node of the current node of the tree. Each data block 50 of the protected memory region 22 which is not part of the integrity tree 26 itself is protected by a MAC 80, which is computed based on the contents of the data block 50 and a counter 82 which is read from a leaf node 84 of the counter integrity tree 26. The leaf node 84 may specify a number of counters each corresponding to different data blocks 50. In this example the MAC 80 calculated for a given data block 50 is stored within the same region of memory as the corresponding data. This is not essential, and in other examples, the MAC could be stored separately from the corresponding data. For each leaf node 84 of the tree a similar MAC 80 is computed based on the contents of the leaf node 84 and a counter 86 read from a non-leaf node 88 which acts as the parent node of the leaf node 84. Each non-leaf node 88 provides the counters used for multiple child nodes 84. Similarly, at each level of the tree, the counter 86 used to compute the MAC 80 for a given child node is read from a data block 88 corresponding to the parent node of that child node, all the way up to the root node 88-R. The address calculating circuitry 40 of the memory security unit 20 identifies, for a given target data block of interest which other data blocks store the required nodes of the integrity tree 26 providing the relevant counters. Eventually, the root node 88-R is reached and the MAC 80 for the root node is computed as a function of the contents of the root node and a root counter 89. The root counter 89 could be stored as the root verification data 38 in the on-chip memory 34. Alternatively, the entire root node 88-R of the tree could be stored in the root verification data in the on-chip memory and in this case there is no need to compute a further MAC for this root node.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Bolotov by incorporating “a memory security unit 20 includes integrity tree generation and verification circuitry 36, and encryption/decryption circuitry 32”, as taught by Sandberg. One could have been motivated to do so in order to imply a counter integrity tree that can be used to check the integrity of data stored in a protected region of memory [ Sandberg, 0021, 0085].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
See submitted 892 for more relevant references.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHAHRIAR ZARRINEH whose telephone number is (571)272-1207. The examiner can normally be reached Monday-Friday, 8:30am-5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached at 571-272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SHAHRIAR ZARRINEH/Primary Examiner, Art Unit 2496