From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7F1BC77B7F for ; Wed, 17 May 2023 10:49:46 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 33F8C900005; Wed, 17 May 2023 06:49:46 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 2EF32900003; Wed, 17 May 2023 06:49:46 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 1B790900005; Wed, 17 May 2023 06:49:46 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 0BA40900003 for ; Wed, 17 May 2023 06:49:46 -0400 (EDT) Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id BE699A0546 for ; Wed, 17 May 2023 10:49:45 +0000 (UTC) X-FDA: 80799426330.14.F7B8FDA Received: from mail-ua1-f51.google.com (mail-ua1-f51.google.com [209.85.222.51]) by imf14.hostedemail.com (Postfix) with ESMTP id 12089100007 for ; Wed, 17 May 2023 10:49:42 +0000 (UTC) Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=5KdNxGBK; spf=pass (imf14.hostedemail.com: domain of sroettger@google.com designates 209.85.222.51 as permitted sender) smtp.mailfrom=sroettger@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1684320583; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Kfj1QqQfWwNU3Pqbiyhx4k/Uo22gHKfh+iJrrtcVFe4=; b=2ITnNRhAUxY7EBE4QGbxXVfjqul7lcBcRrkUng58rAkTEoDx5kHDRo0PtvUb4ioSU8qe3G MVdN+E1AX458cAIOQxmWhjZr1icBE/RHXB/ZgeUuz46AWymp8WwuPC5tOz2An8XwqTyP1v WMudV3tRVAYMDtaZakHTFlH6WbOICp8= ARC-Authentication-Results: i=1; imf14.hostedemail.com; dkim=pass header.d=google.com header.s=20221208 header.b=5KdNxGBK; spf=pass (imf14.hostedemail.com: domain of sroettger@google.com designates 209.85.222.51 as permitted sender) smtp.mailfrom=sroettger@google.com; dmarc=pass (policy=reject) header.from=google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1684320583; a=rsa-sha256; cv=none; b=xxao8jgTZrwgb2/MLKTj3ZFQuykZCYd5RIYM8JsZCT4iGXM8dE6aJHkC4WmX7EnI0LnDDM iTdzrMbetYisM9KW7WJrAV3HRQ4Nq957Jtj0qBqoIaIt6D3imCFN/DikESDGcUTisb9j/t VbKP8AYG0WyTBPBgQbPPr310tFGZDjw= Received: by mail-ua1-f51.google.com with SMTP id a1e0cc1a2514c-77d0522feaeso454589241.2 for ; Wed, 17 May 2023 03:49:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1684320582; x=1686912582; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Kfj1QqQfWwNU3Pqbiyhx4k/Uo22gHKfh+iJrrtcVFe4=; b=5KdNxGBKN+m+J8wuCO+sp2wMp00mSn1SxiUFrj+s1g234t1m9WDiBqSWvkNmueHWHX 1e0KEjY868xH80mLDID1M8KK/d8dKqQ/s/ITTqxbo00ZIhm94nUTFqS1cAIRX/4K/aBf Bzzp5/dEKkCTD5val8aLUexmV8Q8lqS7ZJ5+2cQeve0LK8jz1aOdMZ3nsYL2yHh+oqw6 Xnd9TUwIbzzG/ArW6o1oBeFUf1WuG089IkxGV7eqMMt9IUX/iBewvep2ATi3es3zKNY6 ulEOA77W3MIZoh+yC5UM9SXBc4jPdfVl4R2Mx7faUWwPoq9fXqyt8ZfpcGMtU0Tb1rC3 /JyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684320582; x=1686912582; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Kfj1QqQfWwNU3Pqbiyhx4k/Uo22gHKfh+iJrrtcVFe4=; b=ZBr8Pt97ASBohCdTpf5AWoj9FPnIe3Ye+GXAg3qjCUa9gTMDLMcTk+0IDqPqdMPCxO s68PNUdNYnAYRft7jipEicz6ofIgFQqWr28iTDbGZBXXpWZTRKvl1h4OP3tg5INxjRwx lJJyS4VvYkd5xotqL2Jh5NJcyU18d3MjiDt+g3c0CftMrai6jFISJcwX4Mne6X+RI8tZ 2xNJs7dBQ/H/RzIkq5werV7LP17bK66chgtJSwLqcUJ7cdKLx/4gLLgt/ecVHYvWrN9j P7+7kgmDf5AMuvvbbM+/O5byngpLx87ANJ+tlNbRR/z9MlkBjDgM32OeBt1RAvSXfK7l C3wQ== X-Gm-Message-State: AC+VfDzprfEj1jOA7bvtmSpK2n2rzPcyGKUE2RyB3jxLqwkJkhqz2Hrx zHKkBMdNdUxgjBqStR85/GPQEPOwtWX2FYbl1k/qPA== X-Google-Smtp-Source: ACHHUZ5XIVB9cSnyGkPwnNROE+X+rE6yITb1RkOAokMaOKl5265EQa54Etj7fujoMW0JpCmqvEkAbitPcHPrjKVM9lQ= X-Received: by 2002:a05:6102:384:b0:42c:3457:6718 with SMTP id m4-20020a056102038400b0042c34576718mr15375115vsq.5.1684320581922; Wed, 17 May 2023 03:49:41 -0700 (PDT) MIME-Version: 1.0 References: <20230515130553.2311248-1-jeffxu@chromium.org> <202305161307.4A16BB6A47@keescook> In-Reply-To: <202305161307.4A16BB6A47@keescook> From: =?UTF-8?Q?Stephen_R=C3=B6ttger?= Date: Wed, 17 May 2023 12:49:27 +0200 Message-ID: Subject: Re: [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1 To: Kees Cook Cc: jeffxu@chromium.org, dave.hansen@intel.com, luto@kernel.org, jorgelo@chromium.org, groeck@chromium.org, jannh@google.com, akpm@linux-foundation.org, jeffxu@google.com, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000fea87d05fbe1714d" X-Stat-Signature: ktggcytcdg18ug1x19mmw8y4dhdjqt5r X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: 12089100007 X-Rspam-User: X-HE-Tag: 1684320582-927146 X-HE-Meta: U2FsdGVkX19g88hrSmAJCPSc5ZpNSSRB4HnyclS1g1i+2Lf801Mq9EtCUpeG0vlSzmY3efbmssZffVE7WOlWyply9y1+rVEYE/o48XmFZH658iPDniBQH6JrM9yKkZAA8CPCLiBR/RzBwxZbMF5RKGwcfy4egHZUW6t1UCu0ZVSlhdschwINqQRRPUu8hzZtxtOKa1E0yFqO6jOQnAxy/k5Vhij3LMqSplLjnUrz0d4VXVA/mKJhwawq7D3fU/4ixhycKcjP+CHoJo4MhnEALPy6OHDofWpJLMj+ncwFLLmckDdj6XwmeGeHx5+zznwkqbrwYJCFxvL8abVyeMogV3LzF3mxVR/uxQuGlRUJe7gX3U7gVGhHSome81hsu9F9Hzzq0EtSE4vpIDGNzABZTzshlPboUAT5cyrJB2VqbunNQOVBoNjhB08HYlOMtjC3Dc+MeT0HSX1OpzghrARjNAw7NUcJwJ5d7/nIgk9qsLWUQKrwmTms7iidfRWmTrQxzuUovLPj+YvkbwsxsH/b0pJg1Sijw6MddBO4YBa7JrM5EcFWoMU6Ra5AH4QYLIejpGHhSC1w5LVrg/08dtIB1iLGwTA69v1b79+J2Ctyf4rw/Kf6P6DSol7Esr8tjwkvrklbQSMOPxCZbqJ5/FQEVbRgMDiW7OmVcBK/CQOkHZ1G2lpIuImP6O3+NxdQRP13o4KNAjy2GMq4a1fVnyGcADLasG1g9IcqUcDrFN8Pl3dY6F2y85e8BZaSqeMRYlsMg0tB99cnLS3+e46jg9vdGzJjh5o+4dge8O3GU5rt8ykxu6ztFUaPiig4XJEfsvisvjZDeUf4NnayTf5zsporjYgOSyuR4cJPpDvLqfBZppWFrqsut1vnN6FlRAGiA0jat2+AZwOVRi4mEVTsC1d5fa/ucYmQ0hkHzACYDhgup24s+3QZol+DmDi33kvQBk0qnN7hzoZrhY5nnHfdNgT aH1ceuzO 3LTbf4o/+5evH00cjXwWSyUwJpV0moZyUyyA42rgm2PJf9Dnkevb1k4ogp40jciQBNjflnVLgQUrtcpzGR4G3Rjb5ME+MxeqL1hMoNPO9wKoi0L4qDjLLduDL+tHfR5+BXYa3NZfPBsjYBvOfolgSr3C11B3hs6Gcf/IYCuLE6UJqlj5v8hhLffv6Ipq1Llol8yCxJ+0rYE9sPQS2sHDfgLKw0v8gJs6+Yn52/Z49lVn+XN/EPRHekLWVszy8kYlNJMpPTUjYfZwGdtHdtRyhnnrYEtGV8jXQp5MoLe2GtttMdDpyC9aVF/oxhAWzYSQSYA/7Ir6L/z2YhCjzoAaeQlG4D1N17p/9iDX2RZWWAnz1pGAjafUBYD1CmzJzmfJ7FwxIcKj+UnUw1ge3KYdItB3NITP3unrETqqiLXEQnpfEPR9EtA/6Gj5Ll4SmfS12YBKV X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: --000000000000fea87d05fbe1714d Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, May 16, 2023 at 10:08=E2=80=AFPM Kees Cook = wrote: > > On Mon, May 15, 2023 at 01:05:46PM +0000, jeffxu@chromium.org wrote: > > This patch introduces a new flag, PKEY_ENFORCE_API, to the pkey_alloc() > > function. When a PKEY is created with this flag, it is enforced that an= y > > thread that wants to make changes to the memory mapping (such as mprote= ct) > > of the memory must have write access to the PKEY. PKEYs created without > > this flag will continue to work as they do now, for backwards > > compatibility. > > > > Only PKEY created from user space can have the new flag set, the PKEY > > allocated by the kernel internally will not have it. In other words, > > ARCH_DEFAULT_PKEY(0) and execute_only_pkey won=E2=80=99t have this flag= set, > > and continue work as today. > > Cool! Yeah, this looks like it could become quite useful. I assume > V8 folks are on board with this API, etc? Yes! (I'm from the v8 team driving the implementation on v8 side) > > This set of patch covers mprotect/munmap, I plan to work on other > > syscalls after this. > > Which ones are on your list currently? > > -- > Kees Cook --000000000000fea87d05fbe1714d Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIPoQYJKoZIhvcNAQcCoIIPkjCCD44CAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg ggz7MIIEtjCCA56gAwIBAgIQeAMYYHb81ngUVR0WyMTzqzANBgkqhkiG9w0BAQsFADBMMSAwHgYD VQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE AxMKR2xvYmFsU2lnbjAeFw0yMDA3MjgwMDAwMDBaFw0yOTAzMTgwMDAwMDBaMFQxCzAJBgNVBAYT AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIEF0bGFz IFIzIFNNSU1FIENBIDIwMjAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvLe9xPU9W dpiHLAvX7kFnaFZPuJLey7LYaMO8P/xSngB9IN73mVc7YiLov12Fekdtn5kL8PjmDBEvTYmWsuQS 6VBo3vdlqqXZ0M9eMkjcKqijrmDRleudEoPDzTumwQ18VB/3I+vbN039HIaRQ5x+NHGiPHVfk6Rx c6KAbYceyeqqfuJEcq23vhTdium/Bf5hHqYUhuJwnBQ+dAUcFndUKMJrth6lHeoifkbw2bv81zxJ I9cvIy516+oUekqiSFGfzAqByv41OrgLV4fLGCDH3yRh1tj7EtV3l2TngqtrDLUs5R+sWIItPa/4 AJXB1Q3nGNl2tNjVpcSn0uJ7aFPbAgMBAAGjggGKMIIBhjAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHzM CmjXouseLHIb0c1dlW+N+/JjMB8GA1UdIwQYMBaAFI/wS3+oLkUkrk1Q+mOai97i3Ru8MHsGCCsG AQUFBwEBBG8wbTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3Jvb3Ry MzA7BggrBgEFBQcwAoYvaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvcm9vdC1y My5jcnQwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIz LmNybDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBKDA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEANyYcO+9JZYyqQt41 TMwvFWAw3vLoLOQIfIn48/yea/ekOcParTb0mbhsvVSZ6sGn+txYAZb33wIb1f4wK4xQ7+RUYBfI TuTPL7olF9hDpojC2F6Eu8nuEf1XD9qNI8zFd4kfjg4rb+AME0L81WaCL/WhP2kDCnRU4jm6TryB CHhZqtxkIvXGPGHjwJJazJBnX5NayIce4fGuUEJ7HkuCthVZ3Rws0UyHSAXesT/0tXATND4mNr1X El6adiSQy619ybVERnRi5aDe1PTwE+qNiotEEaeujz1a/+yYaaTY+k+qJcVxi7tbyQ0hi0UB3myM A/z2HmGEwO8hx7hDjKmKbDCCA18wggJHoAMCAQICCwQAAAAAASFYUwiiMA0GCSqGSIb3DQEBCwUA MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpHbG9iYWxTaWdu MRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5MDMxODEwMDAwMFoXDTI5MDMxODEwMDAwMFowTDEg MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzAR BgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4 Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9DCuu l9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkmDoMVxu9bi9IEYMpJ pij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDhBjPogiuuU6Y6FnOM3UEOIDrAtKeh 6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTvriBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti +w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5NUPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEA S0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigHM8pr5nS5ugAtrqQK0/Xx8Q+Kv3NnSoPHRHt44K9u bG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmUY/vcU2hnVj6DuM81IcPJaP7O2sJTqsyQiunwXUaM ld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V14qWtNPeTCekTBtzc3b0F5nCH3oO4y0IrQocLP88 q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcya5QBqJnnLDMfOjsl0oZAzjsshnjJYS8Uuu7bVW/f hO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/XzCCBNowggPCoAMCAQICEAGkX4MOebzHzp8Y/d5N uOkwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt c2ExKjAoBgNVBAMTIUdsb2JhbFNpZ24gQXRsYXMgUjMgU01JTUUgQ0EgMjAyMDAeFw0yMzAzMjQx MDU0MjJaFw0yMzA5MjAxMDU0MjJaMCUxIzAhBgkqhkiG9w0BCQEWFHNyb2V0dGdlckBnb29nbGUu Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLPyMENiepo0e0KKXnecXERM1v8X LP8OaCG/arg3dD1qpML+nhDtU7YL7M+uU/zvIxrine9sVeBPMAsLyIBm/r4f6mk0Zo/1Nd/I2VL7 JpL/XH8AloTMPn8ftcCAGtMjR6GHaQJt6AFuV5SV/LMkzQ1w0TyNPSn5akNB5fuqDDSqSSiWdEcz QNoEndEWuInBDSbUxc2cqYzY3PpGpJjrKOy1KbJzQ8KcZvrtFZpLnWN6Ry51yog7bRBCFmCaCV2w 6aqHjyzIZlqXlIFBPZsMUke9QkLosM0XP1eL6NpSfJclTy3ZIULo+kiW3IxdbA/JidNnmYzCfZJo 48ZLbpQbsQIDAQABo4IB1TCCAdEwHwYDVR0RBBgwFoEUc3JvZXR0Z2VyQGdvb2dsZS5jb20wDgYD VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQUZ+MO 2DeNJUdew/schvbvw4wolIIwTAYDVR0gBEUwQzBBBgkrBgEEAaAyASgwNDAyBggrBgEFBQcCARYm aHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDAYDVR0TAQH/BAIwADCBmgYI KwYBBQUHAQEEgY0wgYowPgYIKwYBBQUHMAGGMmh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2Nh L2dzYXRsYXNyM3NtaW1lY2EyMDIwMEgGCCsGAQUFBzAChjxodHRwOi8vc2VjdXJlLmdsb2JhbHNp Z24uY29tL2NhY2VydC9nc2F0bGFzcjNzbWltZWNhMjAyMC5jcnQwHwYDVR0jBBgwFoAUfMwKaNei 6x4schvRzV2Vb4378mMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NybC5nbG9iYWxzaWduLmNv bS9jYS9nc2F0bGFzcjNzbWltZWNhMjAyMC5jcmwwDQYJKoZIhvcNAQELBQADggEBAEWztMCBdTNW CGPLcNM/ovJHsl+VF/BsKdiiwJoodyWO9fmhOgEVex1vfc+njM0bkWC0b4U08iUPP91eksCFGhhi cCchsXpkAzfcKPJ7OsFd7J4xQUQPpi02r1P7Y9UKLa8nsNChf9ck1GAz1Skb77r1JWgSlHOcyuVZ UQ/JuUVMf/XW7flFfNybswGgFmfnBvDW1qrqBPHpEFmWeNYXISpFQj0UWyGmykQGKi8q44IPy5Qg uId+alGaBDlL5OAZQtmhRyh1MVd2wtgvGEfNGDGq603urx17nwEvM1gjSmOgnhEigOhhHH7DOeyt 5zPYLaKguxLWPGXlZ0UUjA7lH3gxggJqMIICZgIBATBoMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQK ExBHbG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIEF0bGFzIFIzIFNNSU1FIENB IDIwMjACEAGkX4MOebzHzp8Y/d5NuOkwDQYJYIZIAWUDBAIBBQCggdQwLwYJKoZIhvcNAQkEMSIE IAsDym7QVgBaFxPG4GvyOQtpPwYKLTA60kllYbOQJ1vsMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwHAYJKoZIhvcNAQkFMQ8XDTIzMDUxNzEwNDk0MlowaQYJKoZIhvcNAQkPMVwwWjALBglghkgB ZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzALBgkqhkiG9w0BAQow CwYJKoZIhvcNAQEHMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQCf85LtV9budX9oqTK1 kOVGxm/TmBb/4NS1ZOkwvYTEuYKL1fuj/Hyc3CYoLUSq/81Xkbm6kv8VEXzEBj8o0Ke2zgqlYJ2D phxgbe5qK3SX2Pj45cf4uT+SDuptuu/lQkIyOeILy/U35e9JfzP2TCOW9ciEAGFhUh5MeHgs15K+ j9ezortF6HzAUGxSQhKNr/hfEEu46L0pgMBB7lofJfX9tDWKtHvtoxW+GIK1HBCGQRmOZQfT4bdB M3G/8sD3zg8HT+Qf3sZrI+3KqbEr6G12ZFDRz4XqWhHGPD8ETVv6F1Vwpg633u9tDRqhnsJzjMMu m3y+2aaWHroATh5t7d64 --000000000000fea87d05fbe1714d--