From: Stephen Röttger
Date: Thu, 14 Dec 2023 19:06:55 +0100
Subject: Re: [RFC PATCH v3 11/11] mseal:add documentation
To: Linus Torvalds
Cc: Jeff Xu, jeffxu@chromium.org, akpm@linux-foundation.org, keescook@chromium.org, jannh@google.com, willy@infradead.org, gregkh@linuxfoundation.org, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, pedro.falcato@gmail.com, dave.hansen@intel.com, linux-hardening@vger.kernel.org, deraadt@openbsd.org
References: <20231212231706.2680890-1-jeffxu@chromium.org> <20231212231706.2680890-12-jeffxu@chromium.org>

On Thu, Dec 14, 2023 at 2:31 AM Linus Torvalds wrote:
>
> On Wed, 13 Dec 2023 at 16:36, Jeff Xu wrote:
> > >
> > >
> > > IOW, when would you *ever* say "seal this area, but MADV_DONTNEED is ok"?
> > >
> > The MADV_DONTNEED is OK for file-backed mapping.
>
> Right. It makes no semantic difference. So there's no point to it.
>
> My point was that you added this magic flag for "not ok for RO anon mapping".
>
> It's such a *completely* random flag, that I go "that's just crazy
> random - make sealing _always_ disallow that case".
>
> So what I object to in this series is basically random small details
> that should just be part of the basic act of sealing.
>
> I think sealing should just mean "you can't do any operations that
> have semantic meaning for the mapping, because it is SEALED".
>
> So I think sealing should automatically mean "can't do MADV_DONTNEED
> on anon memory", because that's basically equivalent to a munmap/remap
> operation.

In Chrome, we have a use case to allow MADV_DONTNEED on sealed memory.
We have a pkey-tagged heap and code region for JIT code. The regions are
writable by page permissions, but we use the pkey to control write access.
These regions are mmapped at process startup and we want to seal them to ensure
that the pkey and page permissions can't change.
Since these regions are used for dynamic allocations, we still need a way to
release unneeded resources, i.e. madvise(DONTNEED) unused pages on free().

AIUI, the madvise(DONTNEED) should effectively only change the content of
anonymous pages, i.e. it's similar to a memset(0) in that case. That's why we
added this special case: if you want to madvise(DONTNEED) an anonymous page,
you should have write permissions to the page.

In our allocator, on free we can then release resources via:
* allow pkey writes
* madvise(DONTNEED)
* disallow pkey writes
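The free() sequence described in the mail above (allow pkey writes, madvise(DONTNEED), disallow pkey writes), as an added example that is not part of the original message and is not Chrome's allocator code. It assumes Linux: on x86-64 with pkey support it tags an anonymous region with a write-disabled pkey through raw syscalls and the PKRU register, otherwise it runs the same sequence without a pkey. The names `heap_pkey_rights`, `heap_release` and `demo_release` are hypothetical, and the seal step is left as a comment.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

#define WRITE_DISABLE 0x2UL  /* same value as glibc's PKEY_DISABLE_WRITE */
static int heap_pkey = -1;   /* stays -1 when the CPU or kernel lacks pkeys */

/* Set this thread's rights for heap_pkey; x86-64 PKRU holds 2 bits per key. */
static void heap_pkey_rights(unsigned rights)
{
    if (heap_pkey < 0) return;   /* RDPKRU/WRPKRU would fault without pkeys */
#ifdef __x86_64__
    unsigned pkru;
    __asm__ volatile("rdpkru" : "=a"(pkru) : "c"(0) : "rdx");
    pkru = (pkru & ~(3u << (2 * heap_pkey))) | (rights << (2 * heap_pkey));
    __asm__ volatile("wrpkru" : : "a"(pkru), "c"(0), "d"(0) : "memory");
#endif
}

/* free() path from the mail: allow writes, MADV_DONTNEED, disallow writes. */
static int heap_release(char *p, size_t len)
{
    heap_pkey_rights(0);
    int rc = madvise(p, len, MADV_DONTNEED);  /* anon pages then read as zero */
    heap_pkey_rights(WRITE_DISABLE);
    return rc;
}

/* Returns 1 if the released pages read as zero and their neighbours survive. */
int demo_release(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), size = 16 * pg;
    char *heap = mmap(NULL, size, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (heap == MAP_FAILED) return -1;
#ifdef __x86_64__
    heap_pkey = (int)syscall(SYS_pkey_alloc, 0UL, WRITE_DISABLE);
    if (heap_pkey >= 0 && syscall(SYS_pkey_mprotect, heap, size,
            (long)(PROT_READ | PROT_WRITE), (long)heap_pkey)) return -1;
#endif
    /* Sealing the region would go here, fixing its pkey and page permissions. */
    heap_pkey_rights(0);
    memset(heap, 0xAA, size);                 /* simulate live allocations */
    heap_pkey_rights(WRITE_DISABLE);
    if (heap_release(heap + pg, 2 * pg) != 0) return -1;
    return !heap[pg] && !heap[3 * pg - 1] && heap[0] && heap[3 * pg];
}
```

The two released pages read back as zero while the pages on either side keep their contents, which is the memset(0)-like effect the mail attributes to madvise(DONTNEED) on anonymous memory.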