Ex Parte Grocutt et al., Appeal 2017-010800, Application No. 13/735,350 (P.T.A.B. June 27, 2018)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 13/735,350    FILING DATE: 01/07/2013    FIRST NAMED INVENTOR: Thomas Christopher GROCUTT
ATTORNEY DOCKET NO.: JRL-550-1574    CONFIRMATION NO.: 9998
EXAMINER: LAYELLE, GARY E    ART UNIT: 2493
NOTIFICATION DATE: 06/29/2018    DELIVERY MODE: ELECTRONIC

73459 7590 06/29/2018
NIXON & VANDERHYE, P.C.
901 NORTH GLEBE ROAD, 11TH FLOOR
ARLINGTON, VA 22203

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication. Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): PTOMAIL@nixonvan.com, pair_nixon@firsttofile.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte THOMAS CHRISTOPHER GROCUTT and RICHARD ROY GRISENTHWAITE

Appeal 2017-010800
Application 13/735,350
Technology Center 2400

Before JUSTIN BUSCH, MATTHEW J. McNEILL, and JASON M. REPKO, Administrative Patent Judges.

BUSCH, Administrative Patent Judge.

DECISION ON APPEAL

Pursuant to 35 U.S.C. § 134(a), Appellants appeal from the Examiner's decision to reject claims 1-3, 5, 6, and 8-28, which constitute all the claims pending in this application. We have jurisdiction over the pending claims under 35 U.S.C. § 6(b). We reverse.

CLAIMED SUBJECT MATTER

Appellants' invention generally relates to processing data in environments that operate in both a less secure domain, in which certain data may not be accessible, and a secure domain, in which the data that is inaccessible in the less secure domain may be accessible. Spec.
2:2-10. More particularly, the claims are directed to devices and methods that perform both "domain selection" and "domain checking" in response to executing a control flow altering ("CFA") instruction in the secure domain, compare the allowed domains (determined by domain checking) with the selected domain (selected by the domain selection), and trigger a domain check error if the selected domain is not one of the allowed domains. Id. at 4:12-23. Claim 1 is exemplary and reproduced (with slight formatting added for clarity) below.

1. A data processing apparatus comprising:

processing circuitry for performing data processing operations in response to program instructions, the processing circuitry having a plurality of domains of operation including a secure domain and a less secure domain, wherein when operating in the secure domain the processing circuitry has access to data that is not accessible when operating in the less secure domain;

wherein in response to execution of a control flow altering instruction, the processing circuitry is configured to switch to processing a program instruction at a target address indicated by the control flow altering instruction, and to perform domain selection for determining a selected domain in which the processing circuitry is to operate for the program instruction at the target address; and

at least when the control flow altering instruction is executed while operating in the secure domain, then the processing circuitry is configured to:

(i) perform domain checking for determining which of the plurality of domains are allowed to be the selected domain determined by the domain selection for the program instruction at the target address, the domain checking using a different technique than the domain selection; and

(ii) trigger a domain check error when the selected domain determined in the domain selection is not an allowed selected domain determined in the domain checking,

wherein in response to execution of a control flow altering instruction while operating in the secure domain for which the domain selection determines that the secure domain is the selected domain, the processing circuitry is configured to trigger a domain check error when the secure domain is not an allowed selected domain determined in the domain checking, and to successfully switch control flow to the program instruction at the target address when the secure domain is an allowed selected domain determined in the domain checking,

wherein one of the domain selection and the domain checking comprises first determining and the other of the domain selection and the domain checking comprises second determining,

wherein the first determining comprises determining the selected domain in dependence upon at least which of a plurality of regions corresponds to an instruction address of the program instruction at the target address, said plurality of regions including a secure region and a less secure region, wherein the secure region is for storing data which is accessible by the processing circuitry when operating in the secure domain and not accessible by the processing circuitry when operating in the less secure domain, and

wherein the second determining comprises determining, as the selected domain in which the processing circuitry is to operate for processing said program instruction at the target address, one of the plurality of domains indicated by a target domain value other than the target address.

REJECTIONS

Claims 1-3, 5, 6, 16, 20-22, 25, 27, and 28 stand rejected under 35 U.S.C. § 103(a) as obvious in view of Watt (US 2004/0139346 A1; July 15, 2004) and Kershaw (US 2008/0250217 A1; Oct. 9, 2008). Final Act. 5-32.

Claims 8-13, 23, 24, and 26 stand rejected under 35 U.S.C. § 103(a) as obvious in view of Watt, Kershaw, and Fukai (US 2004/0168047 A1; Aug. 26, 2004). Final Act. 32-40.
Claims 14 and 15 stand rejected under 35 U.S.C. § 103(a) as obvious in view of Watt, Kershaw, and Morfey (US 2012/0036341 A1; Feb. 9, 2012). Final Act. 40-42.

Claim 17 stands rejected under 35 U.S.C. § 103(a) as obvious in view of Watt, Kershaw, Fukai, and Grisenthwaite (US 2006/0224866 A1; Oct. 5, 2006). Final Act. 42-45.

Claim 18 stands rejected under 35 U.S.C. § 103(a) as obvious in view of Watt, Kershaw, Grisenthwaite, Morfey, and Craske (US 2010/0325397 A1; Dec. 23, 2010). Final Act. 45-48.

Claim 19 stands rejected under 35 U.S.C. § 103(a) as obvious in view of Watt, Kershaw, and Di Loreto (US 2004/0003377 A1; Jan. 1, 2004). Final Act. 48-50.

ANALYSIS

The Examiner rejects independent claims 1, 27, and 28 as obvious in view of the combined teachings of Watt and Kershaw. Final Act. 5-12, 20-32. The Examiner finds Watt teaches the majority of the limitations of the independent claims and relies on Kershaw only to "modify[] the feature that the indicated target domain value is 'other than the target address.'" Ans. 18; see Final Act. 10-12, 24-26, 31-32. Of particular note, the Examiner finds Watt teaches or suggests "in response to execution of a control flow altering instruction while operating in the secure domain ... the processing circuitry is configured to trigger a domain check error when the secure domain is not an allowed selected domain determined in the domain checking," as recited in claim 1. Final Act. 7-8 (citing Watt ¶ 455, Fig. 37, Fig. 9); see Ans. 14-15. The Examiner further finds Watt's processing core accesses memory via the memory management logic "and the checking is in response 'to execution of a control flow altering instruction' as claimed." Ans. 14-15 (citing Watt ¶¶ 263, 438, 447-448, Figs. 1, 37).
Among other arguments, Appellants contend Watt does not teach or suggest triggering a domain check error in response to executing the CFA instruction while operating in the secure domain, as recited in independent claim 1. See App. Br. 17-18. Appellants assert the Examiner cites Watt's SMI instruction as teaching or suggesting executing a CFA instruction while operating in the secure domain, but the Examiner cites Watt's separate disclosure of aborting a memory access without demonstrating that the abort is triggered in response to the SMI instruction. Id. at 17. Appellants, therefore, argue the Examiner does not show, and Watt does not teach or suggest, that the error is triggered in response to the CFA instruction, as required by claim 1. Id. at 17-18.

Watt's Figure 37 depicts "memory management logic used in one embodiment of the present invention to control access to memory." Watt ¶ 65 (emphasis added). Watt explains that memory management logic 30 includes both a Memory Management Unit (MMU) 200 "for determining the physical address corresponding to [a] virtual address, and for resolving access permission rights and determining region attributes" and a Memory Protection Unit (MPU) 220, which includes partition checker 222 that "polic[es] attempts to access secure data in secure memory by applications running on the core 10 in non-secure mode." Id. ¶¶ 438-440. MMU 200 and MPU 220 work together to retrieve data from memory and ensure that the core is operating in a domain and mode that is allowed to access the data. Id. ¶¶ 439-456.

As Appellants argue, however, Watt's MMU 200 and MPU 220 relate to accessing data in memory and ensuring that secure data is only accessed while operating in the secure domain and the appropriate mode. Id. ¶ 455. In other words, Figure 37 and paragraphs 438 through 456 relate to the access of data in memory.
Watt's system may operate in either a secure domain or a non-secure domain. Watt ¶ 108. Watt includes a monitor program, which runs in a monitor mode and is exclusively "responsible for managing all changes between the secure domain and the non-secure domain in either direction." Watt ¶ 108. There can be various overlapping and non-overlapping modes in each of the secure and non-secure domains. Id. ¶¶ 110, 112-113. Modes may "support both secure and non-secure domains" in order to avoid duplicating modes in the secure and non-secure domains. Id. ¶ 118. The monitor program, however, always executes in monitor mode, which is always aware of the current status of the core (i.e., secure or non-secure) and "has the highest level of security access in the system." Id. ¶¶ 111, 118. Watt's Software Monitor Interrupt (SMI) instruction causes the core to enter "monitor mode to switch properly from one world [i.e., domain] to the other." Id. ¶ 119.

Figure 9 "illustrates a scenario for security domain switching using a mode switching software interrupt instruction." Watt ¶ 40. The Examiner finds the SMI instruction identified as step 4 in Figure 9 discloses the recited CFA instruction. As can be seen in Figure 9, Watt executes the identified SMI instruction while operating in the secure mode (i.e., the right side of Figure 9 and, more specifically, "SECURE THREAD 1"). In response to executing that SMI instruction, Watt branches "onto the 'return from secure' function of the monitor program mode (IRQ/FIQ interrupts are then disabled when the core enters monitor mode)," executes certain tasks, "[t]hen branches back to the non-secure domain with a SUBS instruction," returning to the "point in the non-secure domain [that] is the instruction following the previously executed SMI in thread 1." Id. ¶¶ 121-133.
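The distinction the Board is drawing, as an added illustration that is not part of the decision, of the Grocutt application, or of Watt: a C model of claim 1's two independent determinations performed on the branch itself, beside a model of the Watt flow as the Board summarises it (SMI into monitor mode, world switch, return, with the partition checker acting only on a later memory access). The memory map, the encoding of the target domain value as a separate operand of the branch, and every function and type name are assumptions of this model. Claim 1 allows either determination to serve as domain selection or as domain checking; the model takes the target domain value for selection and the region of the target address for checking.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed domains and memory map for this model (not from the decision). */
typedef enum { DOMAIN_LESS_SECURE = 0, DOMAIN_SECURE = 1 } domain_t;

#define SECURE_REGION_BASE 0x10000000u /* secure region; everything else is less secure */
#define SECURE_REGION_END  0x1FFFFFFFu

typedef enum { BRANCH_OK = 0, DOMAIN_CHECK_ERROR = 1 } branch_result_t;

/* Control flow altering instruction. The target domain value is carried
 * separately from the target address (the claim's "target domain value other
 * than the target address"); carrying it as an operand is an assumption. */
typedef struct {
    uint32_t target_addr;
    domain_t target_domain;
} cfa_instr_t;

typedef struct {
    domain_t domain;
    uint32_t pc;
} core_t;

/* Region lookup: which domain the target address belongs to. */
static domain_t region_domain(uint32_t addr)
{
    return (addr >= SECURE_REGION_BASE && addr <= SECURE_REGION_END)
               ? DOMAIN_SECURE : DOMAIN_LESS_SECURE;
}

/* Execute one CFA instruction. Domain selection takes the explicit target
 * domain value; domain checking independently derives the allowed domain from
 * the region of the target address. A mismatch is a domain check error and the
 * control flow switch does not happen. Claim 1 requires the check at least when
 * executing in the secure domain; this model applies it from either domain. */
branch_result_t execute_cfa(core_t *core, const cfa_instr_t *ins)
{
    domain_t selected = ins->target_domain;              /* domain selection */
    domain_t allowed  = region_domain(ins->target_addr); /* domain checking  */

    if (selected != allowed)
        return DOMAIN_CHECK_ERROR;                        /* branch refused here */

    core->pc     = ins->target_addr;
    core->domain = selected;
    return BRANCH_OK;
}

/* Convenience: one CFA issued from the secure domain on a fresh core. */
branch_result_t branch_from_secure(uint32_t target_addr, domain_t target_domain)
{
    core_t core = { DOMAIN_SECURE, 0 };
    cfa_instr_t ins = { target_addr, target_domain };
    return execute_cfa(&core, &ins);
}

/* Watt flow as the Board reads it: the SMI enters monitor mode, the monitor
 * program switches worlds and returns with SUBS; nothing is checked at the SMI. */
typedef struct {
    domain_t domain;
    bool     monitor_mode;
} watt_core_t;

void watt_smi(watt_core_t *c)
{
    c->monitor_mode = true;                                 /* enter monitor mode */
    c->domain = (c->domain == DOMAIN_SECURE) ? DOMAIN_LESS_SECURE : DOMAIN_SECURE;
    c->monitor_mode = false;                                /* SUBS back to the other world */
}

/* Partition checker: secure memory is reachable only from the secure domain or
 * monitor mode. Returns false when the access would be aborted. */
bool watt_access_allowed(const watt_core_t *c, uint32_t addr)
{
    return !(region_domain(addr) == DOMAIN_SECURE &&
             c->domain != DOMAIN_SECURE && !c->monitor_mode);
}

/* Figure 9 scenario as summarised above: a secure thread issues the SMI to
 * return to the non-secure world, and the non-secure thread then reads secure
 * memory. Returns 1 if the SMI itself was refused, 2 if the abort happens at
 * the later load, 0 if nowhere. */
int watt_abort_point(void)
{
    watt_core_t c = { DOMAIN_SECURE, false };
    watt_smi(&c);                                  /* always completes */
    if (c.domain != DOMAIN_LESS_SECURE) return 1;
    return watt_access_allowed(&c, SECURE_REGION_BASE + 0x100) ? 0 : 2;
}

int main(void)
{
    /* Less secure region, but the branch asks for the secure domain. */
    printf("spoofed branch: %s\n",
           branch_from_secure(0x20000000u, DOMAIN_SECURE) == DOMAIN_CHECK_ERROR
               ? "domain check error" : "taken");
    printf("legitimate secure branch: %s\n",
           branch_from_secure(0x10000200u, DOMAIN_SECURE) == BRANCH_OK ? "taken" : "error");
    printf("Watt abort point: %d (2 = at the later memory access)\n", watt_abort_point());
    return 0;
}
```

The spoofed branch (target in the less secure region, secure domain requested) is refused at the branch itself, which is the claimed behaviour; in the Watt model the SMI always completes and the only refusal comes from the partition checker on the subsequent load, which is why the Board finds no error "in response to" the SMI.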
Therefore, the functions performed "in response to" executing the identified SMI instruction are executed in monitor mode that, as discussed above, "has the highest level of security in the system." See id. ¶ 111. The system then returns processing to thread 1, which may attempt to execute other instructions, potentially including attempts to access secure memory. Nevertheless, although the system may execute other instructions subsequent to executing the identified SMI instruction, the tasks executed in monitor mode are the functions performed "in response to" executing the identified SMI instruction. Put another way, the result of the SMI instruction does not influence which instructions the core subsequently executes; it only manages the necessary elements for switching execution from one domain to the other. Watt's tasks executed in response to the SMI instruction do not invoke memory management logic 30. See id. ¶¶ 128-132. Thus, even to the extent the Examiner is correct that Watt's memory management logic 30 teaches or suggests the recited domain checking, the Examiner does not cite to a particular portion of Watt in support of the finding that such checking is executed in response to execution of the identified SMI instruction. Nor do we see anything in Watt that supports the Examiner's finding. Accordingly, we agree with Appellants that the Examiner has not demonstrated Watt teaches or suggests "in response to execution of a control flow altering instruction while operating in the secure domain ... the processing circuitry is configured to trigger a domain check error," as recited in claim 1.

For the above reasons, we are persuaded the Examiner erred in rejecting claim 1. Claims 2, 3, 5, 6, and 8-26 depend from, and incorporate the limitations of, independent claim 1. Independent claims 27 and 28 recite limitations commensurate in scope with those limitations discussed with respect to claim 1.
Therefore, for the same reasons, we are persuaded the Examiner erred in rejecting claims 2, 3, 5, 6, and 8-28. Because our determination is dispositive of this appeal, we do not address Appellants' other arguments.

DECISION

We reverse the Examiner's decision to reject claims 1-3, 5, 6, and 8-28 under 35 U.S.C. § 103(a).

REVERSED