T 2393/18 (Securely separated/LYNX) 15-02-2021
SYSTEMS AND METHODS OF SECURE DOMAIN ISOLATION
I. The appeal is against the decision of the examining division to refuse the patent application on the grounds that the sole request then on file did not meet the requirements of Article 56 EPC with regard to the combination of the following documents:
D1: WO 2010/021631 A1
D2: US 2008/215770 A1
II. With the statement setting out the grounds of appeal, the appellant filed a main request and an auxiliary request. It requested that the decision be set aside and a patent be granted on the basis of one of these requests. It further requested oral proceedings and reimbursement of the appeal fee.
III. In its preliminary opinion issued in preparation for the oral proceedings, the board raised objections with regard to Articles 84, 123(2) and 56 EPC. It deemed the request for reimbursement of the appeal fee to be not yet validly filed.
IV. With its letter of reply submitted on 5 February 2021, the appellant filed a main request and an auxiliary request.
V. Oral proceedings were held before the board. In the course of the oral proceedings, the appellant filed a main request and an auxiliary request at 13:40, and a NEW main request, a NEW auxiliary request and a NEW second auxiliary request at 14:47.
VI. The order of the requests was indicated as
- main request filed with the letter of 5 February 2021,
- auxiliary request filed with the letter of 5 February 2021,
- main request filed at 13:40 during the oral proceedings,
- auxiliary request filed at 13:40 during the oral proceedings,
- NEW main request filed at 14:47 during the oral proceedings,
- NEW auxiliary request filed at 14:47 during the oral proceedings,
- NEW second auxiliary request filed at 14:47 during the oral proceedings.
VII. Claim 1 of the main request filed with the letter of 5 February 2021 reads as follows:
"A method of secure information processing in a computing device (140), the computing device (140) having a CPU, a memory, a physical keyboard (148), a physical display (156), a physical graphics controller having a physical frame buffer memory, the method comprising:
running on the CPU a Separation Kernel Hypervisor (136) which virtualizes the underlying hardware of the computing device;
running multiple guest operating systems (108, 164, 188) in respective protection domains (104, 160, 184) wherein the Separation Kernel Hypervisor (136) provides secure isolation between these protection domains (104, 160, 184), and wherein the physical display (156) is virtualized by dividing the physical frame buffer memory of the physical graphics controller into memory regions and assigning each memory region, exclusively, to one of the multiple guest operating systems (108, 164, 188);
running in each protection domain (104, 160, 184) a virtualized hardware interface identical to the physical keyboard (148);
running a Virtual Device Server (128) in a separate protection domain, wherein the Virtual Device Server (128) has sole access to the physical keyboard (148);
configuring the Separation Kernel Hypervisor (136) associated with video frame buffer management to establish secure isolation between the protection domains (104, 160, 184) by presenting, via the virtual device server (128), to each operating system (108, 164, 188) associated with each of the domains (104, 160, 184), a physical frame buffer as a memory region in the physical graphics controller frame memory to display data on the physical display (156) such that only code running within the protection domain (104, 160, 184) to which that physical frame buffer is assigned can access the securely separated display data;
processing information associated with the physical keyboard (148) while keeping the domains (104, 160, 184) separate;
performing, by the Virtual Device Server (128), navigating from one of the guest operating systems (108, 164, 188) to another one of the guest operating systems (108, 164, 188) as a function of securely changing information displayed on the physical display (156) in response to detecting the input of special keystroke data from the physical keyboard (148) by setting the address which the physical graphics controller will use to the address of the memory region of the physical frame buffer associated with the guest operating system (108, 164, 188) indicated by the special keystroke data;
routing inputs from the physical keyboard (148) to the guest operating system (108, 164, 188) indicated by the special keystroke data by allowing communication between the Virtual Device Server (128) and the virtualized hardware interface in the domain (104, 160, 184) of the indicated guest operating systems (108, 164, 188);
isolating one or more physical frame buffers via the Separation Kernel Hypervisor (136) such that the secure isolation between the protection domains (104, 160, 184) is maintained; and
processing information via a Keyboard Video Mouse, KVM, component included within the Virtual Device Server (128), wherein the KVM component has access to input from a physical keyboard (148)."
VIII. Claim 1 of the main request filed at 13:40 during the oral proceedings differs from claim 1 of the main request filed with the letter of 5 February 2021 in that the text ", exclusively," in the second method step was deleted in the former.
IX. Claim 1 of the auxiliary request filed with the letter of 5 February 2021 differs from that of the main request filed with the letter of 5 February 2021, and claim 1 of the auxiliary request filed at 13:40 during the oral proceedings differs from that of the main request filed at 13:40 during the oral proceedings, in that it has the following additional text at the end:
"wherein
the Separation Kernel Hypervisor (136) provides secure separation of display data between different protection domains (104, 160, 184)."
X. Claim 1 of the NEW main request filed at 14:47 during the oral proceedings reads as follows:
"A method of secure information processing in a computing device (140), the computing device (140) having a CPU, a memory, a physical keyboard (148), a physical display (156), a physical graphics controller having a physical frame buffer memory, the method comprising:
running on the CPU a Separation Kernel Hypervisor (136) which virtualizes the underlying hardware of the computing device;
running multiple guest operating systems (108, 164, 188) in respective protection domains (104, 160, 184) wherein the Separation Kernel Hypervisor (136) provides secure isolation between these protection domains (104, 160, 184), and wherein the physical display (156) is virtualized by dividing the physical frame buffer memory of the physical graphics controller into memory regions and assigning each memory region to one of the multiple guest operating systems (108, 164, 188);
running in each protection domain (104, 160, 184) a virtualized hardware interface identical to the physical keyboard (148);
running a Virtual Device Server (128) in a separate protection domain, wherein the Virtual Device Server (128) has sole access to the physical keyboard (148); processing information associated with the physical keyboard (148) while keeping the domains (104, 160, 184) separate;
performing, by the Virtual Device Server (128), navigating from one of the guest operating systems (108, 164, 188) to another one of the guest operating systems (108, 164, 188) as a function of securely changing information displayed on the physical display (156) in response to detecting the input of special keystroke data from the physical keyboard (148) by setting the address which the physical graphics controller will use to the address of the memory region of the physical frame buffer associated with the guest operating system (108, 164, 188) indicated by the special keystroke data;
routing inputs from the physical keyboard (148) to the guest operating system (108, 164, 188) indicated by the special keystroke data by allowing communication between the Virtual Device Server (128) and the virtualized hardware interface in the domain (104, 160, 184) of the indicated guest operating systems (108, 164, 188);
isolating one or more physical frame buffers via the Separation Kernel Hypervisor (136) such that the secure isolation between the protection domains (104, 160, 184) is maintained; and
processing information via a Keyboard Video Mouse, KVM, component included within the Virtual Device Server (128), wherein the KVM component has access to input from a physical keyboard (148), and wherein
the Separation Kernel Hypervisor (136) provides secure separation of display data between different protection domains (104, 160, 184)."
XI. Claim 1 of the NEW auxiliary request filed at 14:47 during the oral proceedings differs from claim 1 of the NEW main request filed at 14:47 during the oral proceedings in that it has the following additional text at the end:
", and wherein the step of processing information comprises one or more of:
displaying a frame buffer associated with a specific guest operating system (108, 164, 188) on the physical display (156);
designating a specific combination of keystrokes to indicate a switch to the next guest operating system (108, 164, 188) in sequence;
designating a specific combination of inputs to indicate a switch to the previous guest operating system (108, 164, 188) in sequence;
detecting the inputs associated with switching to the next guest operating system (108, 164, 188) in sequence, and displaying the frame buffer associated with the next guest operating system (108, 164, 188) in sequence;
detecting the inputs associated with switching to the previous guest operating system (108, 164, 188) in sequence, and
displaying the frame buffer associated with the previous guest operating system (108, 164, 188) in sequence."
XII. Claim 1 of the NEW second auxiliary request filed at 14:47 during the oral proceedings differs from claim 1 of the NEW auxiliary request filed at 14:47 during the oral proceedings in that it has the following additional text at the end:
", further comprising
setting the physical graphics controller's frame buffer to point to an initial guest operating systems's [sic] (108, 164, 188) frame buffer memory region, and/or opening, via a KVM server (132), a physical keyboard (148) and/or a mouse device (144) and, optionally, initializing them, and/or
presenting a virtualization layer associated with one or more guest operating systems (108, 164, 188) that is/are sharing the physical display (156) with a virtual mouse device (112, 168, 192), a virtual keyboard device (112, 172, 196), and/or a virtual graphics controller (120, 176, 197), and preferably including Video Electronics System Administration BIOS extensions with a frame buffer address pointing to the section of the actual physical frame buffer which has been assigned to it, further including one or more of: physical keyboard (148) and mouse (144) input from a user received by a KVM server (132) and sent to the corresponding currently-selected guest operating system (108, 164, 188);
outputs to the physical keyboard (148), preferably turning a Caps Lock indicator on or off, from the guest operating systems (108, 164, 188) is captured by the virtual keyboard (112, 172, 196) driver and sent to the KVM server (132), which may be configured to communicate such information to the physical keyboard (148); and/or
calls to a virtual Video Electronics System Administration BIOS in the selected guest operating system (108, 164, 188) may be communicated to the KVM server (132), which performs the requested action, if allowed, and communicates any results back to the guest operating system (108, 164, 188)."
1. Admission of the main and auxiliary requests filed with the letter of 5 February 2021
1.1 These requests were filed after the notification of the summons to oral proceedings and are therefore late-filed. Such requests shall, in principle, not be taken into account unless there are exceptional circumstances, which have been justified with cogent reasons by the party concerned (Article 13(2) RPBA 2020). When applying Article 13(2) RPBA 2020, the board may also take into account the criteria set out in Article 13(1) sentence 4 RPBA 2020. One of these criteria is, in the case of an amendment to a patent application, whether the party has demonstrated that any such amendment, prima facie, overcomes the issues raised by the board and does not give rise to new objections (T 752/16, reasons 3.2).
1.2 The appellant brought forward the raising of new objections in the board's preliminary opinion as exceptional circumstances justifying the late-filing of these requests. In both requests, the step of "running multiple guest operating systems" of claim 1 was amended inter alia by the addition of the text "[assigning each memory region], exclusively, [to one of the multiple guest operating systems]". The appellant did not provide any basis for this amendment beyond its being implicit in the entirety of the application as filed. Furthermore, the amendment is neither related to the new objections raised in the board's preliminary opinion, nor does it appear in the appellant's list of distinguishing features of claim 1 (see the appellant's letter of 5 February 2021, pages 5-6). Therefore, in addition to raising doubts as to whether the amendment gives rise to new objections with regard to Article 123(2) EPC, the amendment is not suitable for overcoming any of the outstanding objections.
1.3 Under these circumstances, the board did not admit these requests into the appeal proceedings (Article 13(2) RPBA 2020).
2. Admission of the main and auxiliary requests filed at 13:40 during the oral proceedings, Article 13(2) RPBA 2020
2.1 The configuring step of claim 1 of both of these requests includes inter alia an amendment by the addition of the text "such that only code running within the protection domain (104, 160, 184) to which that physical frame buffer is assigned can access the securely separated display data". As the basis for this amendment, the appellant gave the sentence "Only code running within the Protection Domain to which that frame buffer is assigned can access the data" at the end of the penultimate paragraph on page 5 of the description as filed. However, it is not directly and unambiguously derivable from this sentence and its context that it is related to configuring the Separation Kernel Hypervisor associated with video frame buffer management as specified in this step. Therefore the amendment involves added subject-matter (Article 123(2) EPC) and gives rise to new objections.
2.2 Furthermore, the amendments do not overcome the board's objection in its preliminary opinion, which agreed with the conclusion of the contested decision that the subject-matter of claim 1 did not involve an inventive step with regard to the combination of D1 and D2. The appellant argued essentially that there was nothing about secure isolation between protection domains in document D2 which related to the frame buffer of graphic cards. The skilled person would therefore not even combine D1 with D2. The board is not convinced that the skilled person would not consider consulting D2, since both D1 and D2 deal with sharing resources among virtual machines and are in exactly the same technical field. It also follows from the appellant's argument that the amendments to claim 1 of these requests are not suitable for overcoming an inventive-step objection based on a combination of D1 with D2.
2.3 For these reasons, the board did not admit these requests into the appeal proceedings (Article 13(2) RPBA 2020).
3. Admission of the NEW main, auxiliary and second auxiliary requests filed at 14:47 during the oral proceedings, Article 13(2) RPBA 2020
3.1 In all these requests, the configuring step in claim 1 ("configuring the Separation Kernel Hypervisor (136) associated with video frame buffer management to establish secure isolation between the protection domains (104, 160, 184) by presenting, via the virtual device server (128), to each operating system (108, 164, 188) associated with each of the domains (104, 160, 184), a physical frame buffer as a memory region in the physical graphics controller frame memory to display data on the physical display (156) such that only code running within the protection domain (104, 160, 184) to which that physical frame buffer is assigned can access the securely separated display data"), which is present in all higher-ranking requests, was deleted in its entirety. This amendment has the effect that the board at the oral proceedings would have to deal with subject-matter in part even broader than in the requests filed with the statement setting out the grounds of appeal. Such a shift in the claimed invention, in particular in view of the fact that the deleted features are a considerable part of what the appellant considers to be distinguishing features (see the appellant's letter of 5 February 2021, page 5), is a non-convergent development of the appellant's case and therefore detrimental to procedural economy, especially at the most advanced stage of the appeal proceedings.
3.2 For these reasons, the board did not admit these requests into the appeal proceedings (Article 13(2) RPBA 2020).
4. Request for reimbursement of the appeal fee
4.1 The appellant in its statement setting out the grounds of appeal requested that the appeal fee be reimbursed.
4.2 The board noted in its preliminary opinion that the request was not self-explanatory, nor had the appellant given any reasons for it. Since unsubstantiated requests that are not self-explanatory become effective only at the date on which they are substantiated (see e.g. T 1732/10, point 1.5 of the reasons; T 1784/14, point 3.5 of the reasons; T 2288/12, point 3.1 of the reasons), the board deemed this request to be not yet validly filed.
4.3 Since the appellant did not comment on this, the board sees no reason to change its preliminary opinion. Accordingly, this request is deemed not validly filed.
5. Since there is no admissible request on file, the appeal must be dismissed.
For these reasons it is decided that:
The appeal is dismissed.