Message-ID: <1516699832.9521.123.camel@infradead.org>
Subject: Re: [RFC 09/10] x86/enter: Create macros to restrict/unrestrict Indirect Branch Speculation
From: David Woodhouse
To: Ingo Molnar
Cc: Linus Torvalds, KarimAllah Ahmed, Linux Kernel Mailing List, Andi Kleen, Andrea Arcangeli, Andy Lutomirski, Arjan van de Ven, Ashok Raj, Asit Mallick, Borislav Petkov, Dan Williams, Dave Hansen, Greg Kroah-Hartman, "H . Peter Anvin", Ingo Molnar, Janakarajan Natarajan, Joerg Roedel, Jun Nakajima, Laura Abbott, Masami Hiramatsu, Paolo Bonzini, Peter Zijlstra, Radim Krčmář, Thomas Gleixner, Tim Chen, Tom Lendacky, KVM list, the arch/x86 maintainers, Arjan Van De Ven
In-Reply-To: <20180123075358.nztpyxympwfkyi2a@gmail.com>
Date: Tue, 23 Jan 2018 09:30:32 +0000

On Tue, 2018-01-23 at 08:53 +0100, Ingo Molnar wrote:
>
> The patch below demonstrates the principle, it forcibly enables dynamic ftrace
> patching (CONFIG_DYNAMIC_FTRACE=y et al) and turns mcount/__fentry__ into a RET:
>
>   ffffffff81a01a40 <__fentry__>:
>   ffffffff81a01a40:       c3                      retq
>
> This would have to be extended with (very simple) call stack depth tracking (just
> 3 more instructions would do in the fast path I believe) and a suitable SkyLake
> workaround (and also has to play nice with the ftrace callbacks).
>
> On non-SkyLake the overhead would be 0 cycles.

The overhead of forcing CONFIG_DYNAMIC_FTRACE=y is precisely zero
cycles? That seems a little optimistic. ;)

I'll grant you if it goes straight to a 'ret' it isn't *that* high
though.

> On SkyLake this would add an overhead of maybe 2-3 cycles per function call and
> obviously all this code and data would be very cache hot. Given that the average
> number of function calls per system call is around a dozen, this would be _much_
> faster than any microcode/MSR based approach.

That's kind of neat, except you don't want it at the top of the
function; you want it at the bottom.

If you could hijack the *return* site, then you could check for
underflow and stuff the RSB right there. But in __fentry__ there's not
a lot you can do other than complain that something bad is going to
happen in the future.
You know that a string of 16+ rets is going to happen, but
you've got no gadget in *there* to deal with it when it does.

HJ did have patches to turn 'ret' into a form of retpoline, which I
don't think ever even got performance-tested. They'd have forced a
mispredict on *every* ret. A cheaper option might be to turn ret into a
'jmp skylake_ret_hack'. Which on pre-SKL will be a bare ret, and SKL+
can do the counting (in conjunction with a 'per_cpu(call_depth)++' in
__fentry__) and stuff the RSB before actually returning, when
appropriate.

By the time you've made it work properly, I suspect we're approaching
the barf-factor of IBRS, for a less complete solution.

> Is there a testcase for the SkyLake 16-deep-call-stack problem that I could run?

Andi's been experimenting at
https://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-misc.git/log/?h=spec/deep-chain-3

> Is there a description of the exact speculative execution vulnerability that has
> to be addressed to begin with?

"It takes predictions from the generic branch target buffer when the
RSB underflows".

IBRS filters what can come from the BTB, and resolves the problem that
way. Retpoline avoids the indirect branches that on *earlier* CPUs were
the only things that would use the offending predictions. But on SKL,
now 'ret' is one of the problematic instructions too. Fun! :)

> If this approach is workable I'd much prefer it to any MSR writes in the syscall
> entry path not just because it's fast enough in practice to not be turned off by
> everyone, but also because everyone would agree that per function call overhead
> needs to go away on new CPUs. Both deployment and backporting is also _much_ more
> flexible, simpler, faster and more complete than microcode/firmware or compiler
> based solutions.
>
> Assuming the vulnerability can be addressed via this route that is, which is a big
> assumption!

I think it's close.
There are some other cases which empty the RSB, like
sleeping and loading microcode, which can happily be special-cased.
Andi's rounded up many of the remaining details already at
https://git.kernel.org/pub/scm/linux/kernel/git/ak/linux-misc.git/log/?h=spec/skl-rsb-3

And there's SMI, which is a pain but I think Linus is right we can
possibly just stick our fingers in our ears and pretend we didn't hear
about that one as it's likely to be hard to trigger (famous last
words).

On the whole though, I think you can see why we're keeping IBRS around
for now, sent out purely as an RFC and rebased on top of the stuff
we're *actually* sending to Linus for inclusion.

When we have a clear idea of what we're doing for Skylake, it'll be
useful to have a proper comparison of the security, the performance and
the "ick" factor of whatever we come up with, vs. IBRS.

Right now the plan is just "screw Skylake"; we'll just forget it's a
special snowflake and treat it like everything else, except for a bit
of extra RSB-stuffing on context switch (since we had to add that for
!SMEP anyway). And that's not *entirely* unreasonable but as I said I'd
*really* like to have a decent analysis of the implications of that,
not just some hand-wavy "nah, it'll be fine".
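
Added example (not part of the original message, and not kernel code): a toy C model of the 16-entry RSB discussed above, comparing a Skylake-like CPU with and without a counting hook on 'ret', and showing how an event that empties the RSB unseen leaves the software count stale. The struct, the function names, the hook's refill policy and the assumption that an SMI empties the RSB without software noticing are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

#define RSB_ENTRIES 16 /* depth the thread refers to ("16+ rets") */

/* Toy model, constructed for illustration: counts valid RSB entries only. */
struct cpu {
    bool btb_fallback; /* SKL-like: an empty RSB takes its prediction from the BTB */
    bool ret_hook;     /* every 'ret' runs a counting hook first (hypothetical) */
    int rsb_valid;     /* hardware state, invisible to software */
    int call_depth;    /* software estimate of rsb_valid */
    int btb_rets;      /* rets whose target was predicted from the BTB */
    int stuffs;        /* times the hook refilled the RSB */
};

static void do_call(struct cpu *c) {
    if (c->rsb_valid < RSB_ENTRIES)
        c->rsb_valid++;  /* a full RSB overwrites its oldest entry */
    if (c->call_depth < RSB_ENTRIES)
        c->call_depth++; /* the increment done from __fentry__ */
}

static void do_ret(struct cpu *c) {
    if (c->ret_hook && c->call_depth == 0) {
        /* estimate says the RSB is empty: refill with benign entries */
        c->rsb_valid = c->call_depth = RSB_ENTRIES;
        c->stuffs++;
    }
    if (c->rsb_valid > 0)
        c->rsb_valid--;
    else if (c->btb_fallback)
        c->btb_rets++;   /* the case the mitigation has to prevent */
    if (c->call_depth > 0)
        c->call_depth--;
}

/* Call 'depth' functions deep, then return all the way out. If smi_after >= 0,
 * the RSB is emptied behind software's back after that many returns. */
static struct cpu run_chain(bool skl, bool hook, int depth, int smi_after) {
    struct cpu c = { .btb_fallback = skl, .ret_hook = hook };
    for (int i = 0; i < depth; i++)
        do_call(&c);
    for (int i = 0; i < depth; i++) {
        if (i == smi_after)
            c.rsb_valid = 0; /* call_depth is now stale */
        do_ret(&c);
    }
    return c;
}

int main(void) {
    printf("BTB-predicted rets: SKL %d, SKL+hook %d, SKL+hook+SMI %d, pre-SKL %d\n",
           run_chain(true, false, 20, -1).btb_rets, run_chain(true, true, 20, -1).btb_rets,
           run_chain(true, true, 20, 5).btb_rets, run_chain(false, false, 20, -1).btb_rets);
}
```

In this model the hook removes every BTB-predicted return on a 20-deep chain, but an unseen RSB flush part-way through the unwind leaves the counter stale until it next reaches zero.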