From: Stephen Röttger
Date: Fri, 19 May 2023 13:22:21 +0200
Subject: Re: [PATCH 2/6] PKEY: Add arch_check_pkey_enforce_api()
To: Dave Hansen
Cc: Jeff Xu, jeffxu@chromium.org, luto@kernel.org, jorgelo@chromium.org, keescook@chromium.org, groeck@chromium.org, jannh@google.com, akpm@linux-foundation.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
References: <20230515130553.2311248-1-jeffxu@chromium.org> <20230515130553.2311248-3-jeffxu@chromium.org> <6dbbc3da-78c9-8101-d52a-0be47da9d67e@intel.com>

On Fri, May 19, 2023 at 2:00 AM Dave Hansen wrote:
>
> On 5/18/23 15:51, Jeff Xu wrote:
> >> Do you have a solid handle on all call paths that will reach
> >> __arch_check_vma_pkey_for_write() and can you ensure they are all
> >> non-remote?
> > Is this about the attack scenario where the attacker uses ptrace()
> > into the chrome process ? if so it is not in our threat model, and
> > that is more related to sandboxing on the host.
>
> The attacker would use *some* remote interface. ptrace() is just one of
> those remote interfaces.
>
> > Or is this about io_uring? Yes, io_uring kernel thread breaks our
> > expectations of PKRU & user space threads, however I thought the break
> > is not just for this - any syscall involved in memory operation will
> > break after into io_uring ?
>
> I'm not quite following.
>
> Please just do me a favor: have the io_uring maintainers look at your
> proposal. Make sure that the defenses you are building can work in a
> process where io_uring is in use by the benign threads.
>
> Those same folks are pretty familiar with the other, more traditional
> I/O syscalls that have in-memory descriptors that control syscall
> behavior like readv/writev. Those also need a close look.
>
> > Other than those, yes, I try to ensure the check is only used at the
> > beginning of syscall entry in all cases, which should be non-remote I
> > hope.
>
> You're right that synchronous, shallow syscall paths are usually
> non-remote. But those aren't the problem. The problem is that there
> *ARE* remote accesses and those are a potential hole for this whole
> mechanism.
>
> Can they be closed? I don't know. I honestly don't have a great grasp
> on how widespread these things are. You'll need a much more complete
> grasp on them than I have before this thing can go forward.

I don't think the remote writes are a problem for us if they're initiated from
the same process. It's a case of syscalls where we need to add special
validation in userspace.
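One way to read "special validation in userspace" for a syscall driven by an in-memory descriptor such as readv, as an added example that is not part of this thread or of the patch series. The registry, `protect_register`, `touches_protected` and `checked_readv` are hypothetical names, and the wrapper assumes the process tracks its pkey-protected ranges itself. It validates a private snapshot of the iovec array and passes only that snapshot to the kernel, so the descriptor cannot change between the check and the call.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical registry of ranges the process treats as pkey-protected. */
struct prot_range { uintptr_t start; size_t len; };
#define MAX_RANGES 16
#define MAX_IOV 16
static struct prot_range g_ranges[MAX_RANGES];
static int g_nranges;

/* Record [p, p+len) as protected; the caller guarantees the range does not wrap. */
int protect_register(const void *p, size_t len) {
    if (g_nranges == MAX_RANGES || len == 0) return -1;
    g_ranges[g_nranges++] = (struct prot_range){ (uintptr_t)p, len };
    return 0;
}

/* 1 if [addr, addr+len) overlaps a protected range or wraps the address space. */
int touches_protected(uintptr_t addr, size_t len) {
    if (len == 0) return 0;
    if (addr > UINTPTR_MAX - (len - 1)) return 1;   /* wrapping buffer: reject */
    uintptr_t last = addr + (len - 1);
    for (int i = 0; i < g_nranges; i++) {
        uintptr_t rs = g_ranges[i].start;
        uintptr_t rl = rs + (g_ranges[i].len - 1);
        if (addr <= rl && rs <= last) return 1;
    }
    return 0;
}

/* readv() wrapper: the kernel writes into the buffers on the caller's behalf,
 * so every destination is checked against the registry before the call. */
ssize_t checked_readv(int fd, const struct iovec *iov, int iovcnt) {
    struct iovec snap[MAX_IOV];
    if (iovcnt < 0 || iovcnt > MAX_IOV) { errno = EINVAL; return -1; }
    /* Snapshot first: the caller's array is ordinary writable memory. */
    memcpy(snap, iov, (size_t)iovcnt * sizeof(*iov));
    for (int i = 0; i < iovcnt; i++) {
        if (touches_protected((uintptr_t)snap[i].iov_base, snap[i].iov_len)) {
            errno = EACCES;
            return -1;
        }
    }
    return readv(fd, snap, iovcnt);   /* only the validated copy reaches the kernel */
}
```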