Received: by 10.223.176.46 with SMTP id f43csp2086142wra;
        Thu, 25 Jan 2018 04:48:10 -0800 (PST)
X-Google-Smtp-Source: AH8x224oEoOLwjeiT93CMjX/e8uJ9x6Hnmb88f9YC3P6Ug8/YtlGTYFZQ1JKSRm+izvwspHKVE37
X-Received: by 2002:a17:902:bc04:: with SMTP id n4-v6mr10966267pls.195.1516884489888;
        Thu, 25 Jan 2018 04:48:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1516884489; cv=none;
        d=google.com; s=arc-20160816;
        b=QhO2mI/w7nPFt47pUOk22bVr8iUpU+JqZ5a96pakapykrZSajN/iDfrBDTOpP9Dxpo
         2YVE9W4+L7aoD9tbeKYnLf8kxCfXClMxABPL9xiU70vACpZib+SPaHKPU+DRRCOSTP8+
         WaZiWTI8fKB2qOrM34s1xmh/8/iwTqY09VCwl6PaIErccH0dGMi5QZZ8gs18opFmMget
         eLeRzVFYD07OpNZxL1qaNOrynQBliS6d5JcZ6FVf1ZS2gQknjhOSjlOJtdfaF6WnWztW
         TVPDeGMym2rRLLoQOg+XpzcH6WbbwRE5U7zbM06CQt8GF5eIkrqx6VL7eX8XGAyHmVV9
         lpHQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:date:face:references
         :in-reply-to:cc:to:from:subject:message-id:dkim-signature
         :arc-authentication-results;
        bh=W+WmYkpODwz5VpHZN/NwZf1mE5UllFHf2lfLE7b3a64=;
        b=wVZrAiZ8++KzUa1R+mWPPc8Hl6qJKWLhvzhVAnKtyunhywlzrfWWKjNW/dMC8RMV4h
         uBCQMEr9v16k/cHgwJRI2fJJrKqP2HnwD7oHAQHtOB3G1XyvcSLAXa4dGHGmreVtbDUy
         ASKFkPlG9xFS3h4Uv4dL0zJ/1guJYTbJIhZN2JiTnhN/bWgZcmynSRByRc8F5zYdWz7n
         Ltggfb7JuOvsV3zgnxEpgApf2AHTPsbpnwqM5n4bDeMyONWu9YUvjglZEYDExYmRs2dG
         /twHQMRXVKyuBazZLmOaUxT+H73c0P/vCa1EoCyI/Yeudgt4lJ7aoO7yj32f/k3KlAPx
         3TkQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=twosheds.20170209 header.b=C4Riclay;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 37-v6si1934186plq.120.2018.01.25.04.47.42;
        Thu, 25 Jan 2018 04:48:09 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=twosheds.20170209 header.b=C4Riclay;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751966AbeAYMVB (ORCPT <rfc822;marvinzhang.kernel@gmail.com>
        + 99 others); Thu, 25 Jan 2018 07:21:01 -0500
Received: from twosheds.infradead.org ([90.155.92.209]:36590 "EHLO
        twosheds.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751632AbeAYMVA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 25 Jan 2018 07:21:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=twosheds.20170209; h=Mime-Version:Date:Content-Type:
        References:In-Reply-To:Cc:To:From:Subject:Message-ID:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=W+WmYkpODwz5VpHZN/NwZf1mE5UllFHf2lfLE7b3a64=; b=C4RiclayahI6d+I9PPGbCWbGC
        G3HRlbhlYEaEvx2YkuWVXVhQH6FvyKn8J7tEmYWw8/XKXDr8F3IbvZT2ZYtHeIrbwBZAfm8C6CzYp
        dbwrX2UTGqLsVJa+P4TaN42HcFSCPb8gbNgTDKU7MkCOAvXtqoRzUKM2/cflRGTyoJ02iFj1cVgb7
        qwTP0FcAMy/YJQ6QaUomAwRUOsIMGIMiVEECPw2qk58WKG680Bsan9nW4pRIqfa+jLfXOYnCUpLQc
        uGs33hIfZerf4uZhDcPMwverA6j4g/AdHB86gv35O9i0c25MD7uFUJIDi7nLvjneKATnWx4LVMn4n
        hCIpox6IA==;
Received: from [2001:8b0:10b:1:88df:f864:4b91:a1c5]
        by twosheds.infradead.org with esmtpsa (Exim 4.89 #1 (Red Hat Linux))
        id 1eegWP-0000Cv-KE; Thu, 25 Jan 2018 12:20:49 +0000
Message-ID: <1516882849.30244.94.camel@infradead.org>
Subject: Re: [tip:x86/pti] x86/retpoline: Fill return stack buffer on vmexit
From:   David Woodhouse <dwmw2@infradead.org>
To:     Borislav Petkov <bp@alien8.de>, tim.c.chen@linux.intel.com,
        pjt@google.com, jikos@kernel.org, gregkh@linux-foundation.org,
        dave.hansen@intel.com, mingo@kernel.org, riel@redhat.com,
        luto@amacapital.net, torvalds@linux-foundation.org,
        ak@linux.intel.com, keescook@google.com, jpoimboe@redhat.com,
        peterz@infradead.org, tglx@linutronix.de, hpa@zytor.com,
        linux-kernel@vger.kernel.org
Cc:     linux-tip-commits@vger.kernel.org
In-Reply-To: <20180125120743.ey32gvl5mjam4r2s@pd.tnic>
References: <1515755487-8524-1-git-send-email-dwmw@amazon.co.uk>
         <tip-117cc7a908c83697b0b737d15ae1eb5943afe35b@git.kernel.org>
         <20180125120743.ey32gvl5mjam4r2s@pd.tnic>
Face:   iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAG1BMVEUHBwcUFBQpKSlGRkZhYWF9fX2Xl5eysrLMzMxFF+rXAAACaElEQVQ4y21UQXbbIBQE9wJALmAg6ToWON22FrhZthHgbvssUPathC7QWMful2JHSmtWwGg+zPxBCE0DU4QoJQgRgsg4w2gJjBNE8PjFBZgnQMBs+uZ1NQNQjZO3BV4AGDFC0f+l4DBG0VUAM4yv7SO8IgRdHXQ+A78HKL5OAeCfNQV5cHX8DsBUyIJKtYbt98BKaGNCKjfgFVkqYVLbkHKsRsbSCSa0T6npIqLrpRBgQKHUpQmgs9eEKaiUcooE8WWfCGVnBiUcn1uF2XhbfmN9apKnmMP2K4kizKkQWxuaVNOpU2cACIyxO1Po8ETHcXEDMVnozcejkAYA9iaD4pU0ZvNQ8VurNnTuFAYVtuIPUZW25PjDIjQAlGyffIiRQxoWAZBmJ0LTdW2Nyc0iP3DqRhxizvGJkBWZmyFVyZkddWzmBoIBVMpCCJ1CFzl98xav4VJKSSD45KbUT75ixikTphDSRh8+Uz7JLgUTAgAFwzqzjxc/nDY7WUApqY0OMdTwCKZSXplSKkgIRCHElCp8ZnhnKqXuwcNbk1L0VXE+I9alUXoHlLHl3mv7/dWQlJwtjREC7mu9L/U2jQyMUuO2EDS4q9Kl2ddm232bxIE5pjJuVwiljNn/Cfv25/T0cu5cZbwHGVq7h/zp0B4n3S99V/utD+Uo8BiGx9xCsOAV5z7/tjo4Z4z1Lvb90KZ7eFOoOeXOukqF2seo234YYuaQPpRP+cVZU5adT1Edun5Iz3z8fTz3+eSDh0Ip1c7zx1MaijGzTd/3MbRuBHz8cvcVgCMBRpOHvgu59WDhoat+nIZm+LWm9C/aaaGq5DCP9QAAAABJRU5ErkJggg==
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-Kz4QDonhB+CoU/VTripB"
Date:   Thu, 25 Jan 2018 12:20:49 +0000
Mime-Version: 1.0
X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by twosheds.infradead.org. See http://www.infradead.org/rpr.html
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


--=-Kz4QDonhB+CoU/VTripB
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, 2018-01-25 at 13:07 +0100, Borislav Petkov wrote:
> On Fri, Jan 12, 2018 at 03:37:49AM -0800, tip-bot for David Woodhouse wro=
te:
> >=20
> > +/*
> > + * On VMEXIT we must ensure that no RSB predictions learned in the gue=
st
> > + * can be followed in the host, by overwriting the RSB completely. Bot=
h
> > + * retpoline and IBRS mitigations for Spectre v2 need this; only on fu=
ture
> > + * CPUs with IBRS_ATT *might* it be avoided.
> > + */
> > +static inline void vmexit_fill_RSB(void)
> > +{
> > +#ifdef CONFIG_RETPOLINE
> > +	unsigned long loops =3D RSB_CLEAR_LOOPS / 2;
> > +
> > +	asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
> > +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ALTERNATIVE("jmp 910f",
> > +				=C2=A0=C2=A0__stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, =
%1)),
> > +				=C2=A0=C2=A0X86_FEATURE_RETPOLINE)
> > +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0"910:"
> > +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: "=3D&r" (loops), ASM_CALL_CONS=
TRAINT
> > +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: "r" (loops) : "memory" );
> > +#endif
> > +}
> Btw,
>=20
> this thing is a real pain to backport to older kernels without breaking
> kABI (I know, I know, latter sucks but it is what it is)=20

I haven't had lunch yet, so I don't feel queasy and I'm vaguely
interested... *why* does it break kABI?

> so I'm thinking we could simplify that thing regardless.
>=20
> As it is, 41 bytes get replaced currently:
>=20
> [=C2=A0=C2=A0=C2=A0=C2=A00.437005] apply_alternatives: feat: 7*32+12, old=
: (=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0(ptrval), len: 43), repl=
: (=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0(ptrval), len: 43), pad:=
 41
> [=C2=A0=C2=A0=C2=A0=C2=A00.438885]=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0(ptrval): old_insn: eb 29 90 90 90 90 90 90 90 90 90 90 90 9=
0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9=
0 90 90 90 90
> [=C2=A0=C2=A0=C2=A0=C2=A00.440001]=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0(ptrval): rpl_insn: 48 c7 c0 10 00 00 00 e8 07 00 00 00 f3 9=
0 0f ae e8 eb f9 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 ff c8 75 e3 48 81 c=
4 00 01 00 00
> [=C2=A0=C2=A0=C2=A0=C2=A00.444002]=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0(ptrval): final_insn: 48 c7 c0 10 00 00 00 e8 07 00 00 00 f3=
 90 0f ae e8 eb f9 e8 07 00 00 00 f3 90 0f ae e8 eb f9 48 ff c8 75 e3 48 81=
 c4 00 01 00 00
>=20
> Not that it doesn't work but the less bytes we replace, the better.
>=20
> So it could be made to simply call two functions. The replacing then
> turns into:
>=20
> [=C2=A0=C2=A0=C2=A0=C2=A00.438154] apply_alternatives: feat: 7*32+12, old=
: (ffffffff81060b60 len: 5), repl: (ffffffff82434692, len: 5), pad: 0
> [=C2=A0=C2=A0=C2=A0=C2=A00.440002] ffffffff81060b60: old_insn: e8 ab 73 0=
1 00
> [=C2=A0=C2=A0=C2=A0=C2=A00.441003] ffffffff82434692: rpl_insn: e8 89 38 c=
4 fe
> [=C2=A0=C2=A0=C2=A0=C2=A00.441966] apply_alternatives: Fix CALL offset: 0=
x173bb, CALL 0xffffffff81077f20
> [=C2=A0=C2=A0=C2=A0=C2=A00.444002] ffffffff81060b60: final_insn: e8 bb 73=
 01 00
>=20
> The "old_insn" above is:
> ffffffff81060b60:=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0e8 ab 73 01
> 00=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0callq=C2=A0=
=C2=A0ffffffff81077f10 <__fill_rsb_nop>
>=20
> and final_insn is
> ffffffff82434692:=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0e8 89 38 c4
> fe=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0callq=C2=A0=
=C2=A0ffffffff81077f20 <__fill_rsb>
>=20
> so both CALLs with immediates for which there's no speculation going
> on.
>=20
> I had to add a new alternative_void_call() macro for that but that's
> straight-forward. Also, this causes objtool to segfault so Josh and I
> need to look at that first.
>=20
> Other than that, it gets a lot simpler this way:
>=20
> --
> diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/al=
ternative.h
> index cf5961ca8677..a84863c1b7d3 100644
> --- a/arch/x86/include/asm/alternative.h
> +++ b/arch/x86/include/asm/alternative.h
> @@ -210,6 +210,11 @@ static inline int alternatives_text_reserved(void *s=
tart, void *end)
> =C2=A0	asm volatile (ALTERNATIVE("call %P[old]", "call %P[new]", feature)=
 \
> =C2=A0		: output : [old] "i" (oldfunc), [new] "i" (newfunc), ## input)
> =C2=A0
> +/* Like alternative_io, but for replacing a direct call with another one=
. */
> +#define alternative_void_call(oldfunc, newfunc, feature, input...)		\
> +	asm volatile (ALTERNATIVE("call %P[old]", "call %P[new]", feature)	\
> +		: : [old] "i" (oldfunc), [new] "i" (newfunc), ## input)

But you aren't doing the call at all in the other case, and
alternatives *always* handled the case where the first 'alternative'
instruction was a branch, didn't it?

So couldn't it just be alternative(nop, call __fill_rsb_func)?

But I still don't understand why it matters.

> +void __fill_rsb(void)
> +{
> +	unsigned long loops;
> +
> +	asm volatile (__stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)=
)
> +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: "=3Dr" (loops), ASM_CALL_CONSTRA=
INT
> +		=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0: : "memory" );
> +}
> +#endif

The out-of-line function should be __clear_rsb() if it's using
RSB_CLEAR_LOOPS, and __fill_rsb() if it's using RSB_FILL_LOOPS. I think
we're only using one right now but Andi at least is posting patches
which use the other, as part of the Skylake clusterfuck.
--=-Kz4QDonhB+CoU/VTripB
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCEFQw
ggUxMIIEGaADAgECAhBNRhEyk/HZ7naOeTHWrzuAMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYDVQQG
EwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYD
VQQKExFDT01PRE8gQ0EgTGltaXRlZDE9MDsGA1UEAxM0Q09NT0RPIFJTQSBDbGllbnQgQXV0aGVu
dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQTAeFw0xNzEyMjEwMDAwMDBaFw0xODEyMjEyMzU5
NTlaMCQxIjAgBgkqhkiG9w0BCQEWE2R3bXcyQGluZnJhZGVhZC5vcmcwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQDgzLNWa18DNpGUj/ZeH0Sgz53ESIbzdPw3OJeuNP6jZhxZojbyfxbM
hETscxI/Hj6UZ4a7sHm5BkVjlsB1Af2Za/PXUt8MmLAcPMHkMPGunvkUibEvblDvpqMkQZlaZM+t
5PqFmWkbehLaEvbpNY7dmEAAeKh4klTzJzrr5AAzaCQ32cA2e3+DEIv5O5l9ViMIjy/JM+xMQrfX
3PZ0chY1PaVWjg59d4Uno+5LRDbgCnPkKJX4ysBGadibjBGQGJEZCjh94iiEebn2KsRLvtrJ72Ph
3W2HDEdngW3YP0wujFQVs81U7L8XN3kdPRsa9zNqGtYQP/+1KMMJQ57hnfi9AgMBAAGjggHpMIIB
5TAfBgNVHSMEGDAWgBSCr2yM+MX+lmF86B89K3FIXsSLwDAdBgNVHQ4EFgQUpL+/5lli9jmj2KHj
ryyhnB2xRt0wDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwIAYDVR0lBBkwFwYIKwYBBQUH
AwQGCysGAQQBsjEBAwUCMBEGCWCGSAGG+EIBAQQEAwIFIDBGBgNVHSAEPzA9MDsGDCsGAQQBsjEB
AgEBATArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8ubmV0L0NQUzBaBgNVHR8E
UzBRME+gTaBLhklodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FDbGllbnRBdXRoZW50
aWNhdGlvbmFuZFNlY3VyZUVtYWlsQ0EuY3JsMIGLBggrBgEFBQcBAQR/MH0wVQYIKwYBBQUHMAKG
SWh0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5k
U2VjdXJlRW1haWxDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTAe
BgNVHREEFzAVgRNkd213MkBpbmZyYWRlYWQub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQCK28BdbVJ9
QKQqTDfXwogAYiRBEGptfE1Bjy4F5vC6eWJqOJ15vunxjLwdbZYb4L0qrJlh+ZHHHlbIK8uEZu7N
XHUntmWMbGbZiu7JgrbSXJK1ct9gxrN/sdWYJ+JDjVHg7GfDTvTTPa26JMRqJsO1TjjyDX7A3K39
TjV8C0hqXvwF9BsNf+qBeWO6GVzJ5572awY221hc1umibmZaKV4fg+7fS7qscx5TSuIc6uvMBQhm
7NQiCq6euMMWBDUDlotQCDW0ilm0OuLW3IVLuZCm6Msc+6hT9+dCT4JUvxTHZnnO7uLCxV+Ujad+
PH3itRm38i96p2zvwgLr8vwWA0ckMIIFMTCCBBmgAwIBAgIQTUYRMpPx2e52jnkx1q87gDANBgkq
hkiG9w0BAQsFADCBlzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQ
MA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxPTA7BgNVBAMTNENP
TU9ETyBSU0EgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIGFuZCBTZWN1cmUgRW1haWwgQ0EwHhcNMTcx
MjIxMDAwMDAwWhcNMTgxMjIxMjM1OTU5WjAkMSIwIAYJKoZIhvcNAQkBFhNkd213MkBpbmZyYWRl
YWQub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4MyzVmtfAzaRlI/2Xh9EoM+d
xEiG83T8NziXrjT+o2YcWaI28n8WzIRE7HMSPx4+lGeGu7B5uQZFY5bAdQH9mWvz11LfDJiwHDzB
5DDxrp75FImxL25Q76ajJEGZWmTPreT6hZlpG3oS2hL26TWO3ZhAAHioeJJU8yc66+QAM2gkN9nA
Nnt/gxCL+TuZfVYjCI8vyTPsTEK319z2dHIWNT2lVo4OfXeFJ6PuS0Q24Apz5CiV+MrARmnYm4wR
kBiRGQo4feIohHm59irES77aye9j4d1thwxHZ4Ft2D9MLoxUFbPNVOy/Fzd5HT0bGvczahrWED//
tSjDCUOe4Z34vQIDAQABo4IB6TCCAeUwHwYDVR0jBBgwFoAUgq9sjPjF/pZhfOgfPStxSF7Ei8Aw
HQYDVR0OBBYEFKS/v+ZZYvY5o9ih468soZwdsUbdMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8E
AjAAMCAGA1UdJQQZMBcGCCsGAQUFBwMEBgsrBgEEAbIxAQMFAjARBglghkgBhvhCAQEEBAMCBSAw
RgYDVR0gBD8wPTA7BgwrBgEEAbIxAQIBAQEwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUu
Y29tb2RvLm5ldC9DUFMwWgYDVR0fBFMwUTBPoE2gS4ZJaHR0cDovL2NybC5jb21vZG9jYS5jb20v
Q09NT0RPUlNBQ2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNybDCBiwYIKwYB
BQUHAQEEfzB9MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9SU0FD
bGllbnRBdXRoZW50aWNhdGlvbmFuZFNlY3VyZUVtYWlsQ0EuY3J0MCQGCCsGAQUFBzABhhhodHRw
Oi8vb2NzcC5jb21vZG9jYS5jb20wHgYDVR0RBBcwFYETZHdtdzJAaW5mcmFkZWFkLm9yZzANBgkq
hkiG9w0BAQsFAAOCAQEAitvAXW1SfUCkKkw318KIAGIkQRBqbXxNQY8uBebwunliajideb7p8Yy8
HW2WG+C9KqyZYfmRxx5WyCvLhGbuzVx1J7ZljGxm2YruyYK20lyStXLfYMazf7HVmCfiQ41R4Oxn
w0700z2tuiTEaibDtU448g1+wNyt/U41fAtIal78BfQbDX/qgXljuhlcyeee9msGNttYXNbpom5m
WileH4Pu30u6rHMeU0riHOrrzAUIZuzUIgqunrjDFgQ1A5aLUAg1tIpZtDri1tyFS7mQpujLHPuo
U/fnQk+CVL8Ux2Z5zu7iwsVflI2nfjx94rUZt/Iveqds78IC6/L8FgNHJDCCBeYwggPOoAMCAQIC
EGqb4Tg7/ytrnwHV2binUlYwDQYJKoZIhvcNAQEMBQAwgYUxCzAJBgNVBAYTAkdCMRswGQYDVQQI
ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBD
QSBMaW1pdGVkMSswKQYDVQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4X
DTEzMDExMDAwMDAwMFoXDTI4MDEwOTIzNTk1OVowgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJH
cmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBM
aW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2Vj
dXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvrOeV6wodnVAFsc4
A5jTxhh2IVDzJXkLTLWg0X06WD6cpzEup/Y0dtmEatrQPTRI5Or1u6zf+bGBSyD9aH95dDSmeny1
nxdlYCeXIoymMv6pQHJGNcIDpFDIMypVpVSRsivlJTRENf+RKwrB6vcfWlP8dSsE3Rfywq09N0Zf
xcBa39V0wsGtkGWC+eQKiz4pBZYKjrc5NOpG9qrxpZxyb4o4yNNwTqzaaPpGRqXB7IMjtf7tTmU2
jqPMLxFNe1VXj9XB1rHvbRikw8lBoNoSWY66nJN/VCJv5ym6Q0mdCbDKCMPybTjoNCQuelc0IAaO
4nLUXk0BOSxSxt8kCvsUtQIDAQABo4IBPDCCATgwHwYDVR0jBBgwFoAUu69+Aj36pvE8hI6t7jiY
7NkyMtQwHQYDVR0OBBYEFIKvbIz4xf6WYXzoHz0rcUhexIvAMA4GA1UdDwEB/wQEAwIBhjASBgNV
HRMBAf8ECDAGAQH/AgEAMBEGA1UdIAQKMAgwBgYEVR0gADBMBgNVHR8ERTBDMEGgP6A9hjtodHRw
Oi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBx
BggrBgEFBQcBAQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20w
DQYJKoZIhvcNAQEMBQADggIBAHhcsoEoNE887l9Wzp+XVuyPomsX9vP2SQgG1NgvNc3fQP7TcePo
7EIMERoh42awGGsma65u/ITse2hKZHzT0CBxhuhb6txM1n/y78e/4ZOs0j8CGpfb+SJA3GaBQ+39
4k+z3ZByWPQedXLL1OdK8aRINTsjk/H5Ns77zwbjOKkDamxlpZ4TKSDMKVmU/PUWNMKSTvtlenlx
Bhh7ETrN543j/Q6qqgCWgWuMAXijnRglp9fyadqGOncjZjaaSOGTTFB+E2pvOUtY+hPebuPtTbq7
vODqzCM6ryEhNhzf+enm0zlpXK7q332nXttNtjv7VFNYG+I31gnMrwfHM5tdhYF/8v5UY5g2xANP
ECTQdu9vWPoqNSGDt87b3gXb1AiGGaI06vzgkejL580ul+9hz9D0S0U4jkhJiA7EuTecP/CFtR72
uYRBcunwwH3fciPjviDDAI9SnC/2aPY8ydehzuZutLbZdRJ5PDEJM/1tyZR2niOYihZ+FCbtf3D9
mB12D4ln9icgc7CwaxpNSCPt8i/GqK2HsOgkL3VYnwtx7cJUmpvVdZ4ognzgXtgtdk3ShrtOS1iA
N2ZBXFiRmjVzmehoMof06r1xub+85hFQzVxZx5/bRaTKTlL8YXLI8nAbR9HWdFqzcOoB/hxfEyIQ
px9/s81rgzdEZOofSlZHynoSMYIDxzCCA8MCAQEwgawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQI
ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBD
QSBMaW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQg
U2VjdXJlIEVtYWlsIENBAhBNRhEyk/HZ7naOeTHWrzuAMA0GCWCGSAFlAwQCAQUAoIIB6zAYBgkq
hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODAxMjUxMjIwNDlaMC8GCSqG
SIb3DQEJBDEiBCAaeKofppR+v0RDNnSGDVKw5keAQxETUDJ7kVfAp87vazCBvQYJKwYBBAGCNxAE
MYGvMIGsMIGXMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE9MDsGA1UEAxM0Q09NT0RP
IFJTQSBDbGllbnQgQXV0aGVudGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIQTUYRMpPx2e52
jnkx1q87gDCBvwYLKoZIhvcNAQkQAgsxga+ggawwgZcxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJH
cmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBM
aW1pdGVkMT0wOwYDVQQDEzRDT01PRE8gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2Vj
dXJlIEVtYWlsIENBAhBNRhEyk/HZ7naOeTHWrzuAMA0GCSqGSIb3DQEBAQUABIIBAI6XCaPw9JZ9
bLCwCHQZHCXU8eBp5gxJpuAXPJ5MyxnA/gN1pmjbOJDMYyvKHgbiggL0cv4+vaj1u3Xa8UzYSaJF
xKDiFu1iYnX+I0zmKKm3Ar3tRAsCvTiIGugeJHaIfeuLIgxGm+sxE0c161C01m3xQ7rzSt89RXF5
n7VMgiPJEbBMvduaIhFzBzrLKokLbkXKFq9rAmN/H/pqdM6G08mJRvX8BA1m1NAvmWIjo/Bz2HDG
X1J+eTGi/Pgwrh1Qu5Ug55ahHFU7efXg397kUZLfVYca0qI+sqBp+uPdUHR612td1fG+Skq6cFpa
eOE4fUZ+kgVFeClJq8gN0QVNgtsAAAAAAAA=


--=-Kz4QDonhB+CoU/VTripB--