From: Stephen Röttger
Date: Wed, 17 May 2023 13:07:02 +0200
Subject: Re: [PATCH 1/6] PKEY: Introduce PKEY_ENFORCE_API flag
To: Dave Hansen
Cc: jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jannh@google.com, akpm@linux-foundation.org, jeffxu@google.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org

On Wed, May 17, 2023 at 1:14 AM Dave Hansen wrote:
>
> On 5/15/23 06:05, jeffxu@chromium.org wrote:
> > --- a/arch/x86/mm/pkeys.c > > +++ b/arch/x86/mm/pkeys.c 
> > @@ -20,7 +20,7 @@ int __execute_only_pkey(struct mm_struct *mm) > > /* Do we need to assign a pkey for mm's execute-only maps? */ > > if (execute_only_pkey =3D=3D -1) { > > /* Go allocate one to use, which might fail */ > > - execute_only_pkey =3D mm_pkey_alloc(mm); > > + execute_only_pkey =3D mm_pkey_alloc(mm, 0); > > if (execute_only_pkey < 0) > > return -1; > > need_to_set_mm_pkey =3D true;
>
> In your threat model, what mechanism prevents the attacker from
> modifying executable mappings?

There are different options how we can address this:
1) having a generic mseal() API as Jeff mentioned
2) tagging all code pages with the pkey we're using
   (would this affect memory sharing between processes?)
3) prevent this with seccomp + userspace validation

If we have pkey support, we will only create executable memory using
pkey_mprotect and everything else can be blocked with seccomp. This would still
allow turning R-X memory into RW- memory, but you can't change it back without
going through our codepath that has added validation.

There's a similar challenge with making RO memory writable. For this we'll need
to use approach 1) or 2) instead.

> I was trying to figure out if the implicit execute-only pkey should have
> the PKEY_ENFORCE_API bit set. I think that in particular would probably
> cause some kind of ABI breakage, but it still reminded me that I have an
> incomplete picture of the threat model.
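
Review bot: The bare 0 added as the second argument in mm_pkey_alloc(mm, 0) inside __execute_only_pkey() does not record whether allocating the implicit execute-only pkey without PKEY_ENFORCE_API is a deliberate decision or just a default, assuming the new argument is the flags word the subject line introduces. A one-line comment at the call site stating that this key is intentionally allocated with no flags, and why, would answer the ABI question raised in the quoted reply where the code is read, and the commit message should say how execute-only mappings fit the threat model.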
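
The seccomp half of option 3 in the reply above, as an added example that is not part of the original message or the patch series: a filter that fails plain mprotect()/mmap() requests carrying PROT_EXEC while leaving pkey_mprotect() reachable, so R-X to RW- still works but the way back does not. The function names, the 64-bit little-endian Linux target, and the use of pkey -1 in place of an allocated key are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fail mprotect()/mmap() with EPERM when prot (low word of args[2]) has PROT_EXEC
 * set; pkey_mprotect() is not matched. Production filters also check .arch. */
static int install_exec_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mprotect, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mmap, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Installs the filter in a child and returns a bitmask of what it observed:
 * 1 = R-X -> RW- via mprotect() worked, 2 = RW- -> R-X via mprotect() got EPERM,
 * 4 = pkey_mprotect() not rejected by the filter (pkey -1 is a stand-in key). */
int check_exec_policy(void)
{
    int status = 0, mask = 0;
    pid_t pid = fork();
    if (pid == 0) {
        void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED || install_exec_filter())
            _exit(0x80);
        mask |= mprotect(p, 4096, PROT_READ | PROT_WRITE) == 0 ? 1 : 0;
        mask |= (mprotect(p, 4096, PROT_READ | PROT_EXEC) == -1 && errno == EPERM) ? 2 : 0;
        mask |= (syscall(SYS_pkey_mprotect, p, 4096, PROT_READ | PROT_EXEC, -1) == 0 || errno != EPERM) ? 4 : 0;
        _exit(mask);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void) { return check_exec_policy() == 7 ? 0 : 1; }
```

The filter only narrows the entry points; the validation the reply refers to would sit in the userspace wrapper that is allowed to call pkey_mprotect().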