Subject: Re: [PATCH RFC 03/39] KVM: x86/xen: register shared_info page
From: David Woodhouse
To: Joao Martins, Ankur Arora
Cc: Boris Ostrovsky, Paolo Bonzini, Radim Krčmář, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Date: Wed, 02 Dec 2020 12:20:42 +0000

On Wed, 2020-12-02 at 10:44 +0000, Joao Martins wrote:
> [late response - was on holiday yesterday]
>
> On 12/2/20 12:40 AM, Ankur Arora wrote:
> > On 2020-12-01 5:07 a.m., David Woodhouse wrote:
> > > On Wed, 2019-02-20 at 20:15 +0000, Joao Martins wrote:
> > > > +static int kvm_xen_shared_info_init(struct kvm *kvm, gfn_t gfn)
> > > > +{
> > > > + struct shared_info *shared_info;
> > > > + struct page *page;
> > > > +
> > > > + page = gfn_to_page(kvm, gfn);
> > > > + if (is_error_page(page))
> > > > + return -EINVAL;
> > > > +
> > > > + kvm->arch.xen.shinfo_addr = gfn;
> > > > +
> > > > + shared_info = page_to_virt(page);
> > > > + memset(shared_info, 0, sizeof(struct shared_info));
> > > > + kvm->arch.xen.shinfo = shared_info;
> > > > + return 0;
> > > > +}
> > > > +
> > >
> > > Hm.
> > >
> > > How come we get to pin the page and directly dereference it every time,
> > > while kvm_setup_pvclock_page() has to use kvm_write_guest_cached()
> > > instead?
> >
> > So looking at my WIP trees from the time, this is something that
> > we went back and forth on as well with using just a pinned page or a
> > persistent kvm_vcpu_map().
> >
> > I remember distinguishing shared_info/vcpu_info from kvm_setup_pvclock_page()
> > as shared_info is created early and is not expected to change during the
> > lifetime of the guest which didn't seem true for MSR_KVM_SYSTEM_TIME (or
> > MSR_KVM_STEAL_TIME) so that would either need to do a kvm_vcpu_map()
> > kvm_vcpu_unmap() dance or do some kind of synchronization.
> >
> > That said, I don't think this code explicitly disallows any updates
> > to shared_info.
> >
> > >
> > > If that was allowed, wouldn't it have been a much simpler fix for
> > > CVE-2019-3016? What am I missing?
> >
> > Agreed.
> >
> > Perhaps, Paolo can chime in with why KVM never uses pinned page
> > and always prefers to do cached mappings instead?
> >
>
> Part of the CVE fix to not use cached versions.
>
> It's not a longterm pin of the page unlike we try to do here (partly due to the nature
> of the pages we are mapping) but we still map the gpa, RMW the steal time struct, and
> then unmap the page.
>
> See record_steal_time() -- but more specifically commit b043138246 ("x86/KVM: Make sure
> KVM_VCPU_FLUSH_TLB flag is not missed").
>
> But I am not sure it's a good idea to follow the same as record_steal_time() given that
> this is a fairly sensitive code path for event channels.

Right. We definitely need to use atomic RMW operations (like the CVE
fix did) so the page needs to be *mapped*. My question was about a
permanent pinned mapping vs the map/unmap as we need it that
record_steal_time() does.

On IRC, Paolo told me that permanent pinning causes problems for memory
hotplug, and pointed me at the trick we do with an MMU notifier and
kvm_vcpu_reload_apic_access_page().

I'm going to stick with the pinning we have for the moment, and just
fix up the fact that it leaks the pinned pages if the guest sets the
shared_info address more than once. At some point the apic page MMU
notifier thing can be made generic, and we can use that for this and
for KVM steal time too.
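
Review bot: kvm_xen_shared_info_init() overwrites kvm->arch.xen.shinfo and kvm->arch.xen.shinfo_addr without dropping the reference that gfn_to_page() took on any page registered by an earlier call, so a second registration leaves the previous page pinned. Before the two assignments, check whether kvm->arch.xen.shinfo is already set and release that page first. The hunk also stores the page_to_virt() pointer for direct dereference for as long as the VM exists, which deserves a comment stating why a long-lived pin is acceptable here when other guest-shared structures are mapped per access.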
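
The point made in the reply, that the update has to be an atomic RMW on a mapped page, can be replayed in user space. This is an added example, not code from the thread or from KVM: `struct guest_page` and the function names are hypothetical, the two flag values mirror the kernel's `KVM_VCPU_PREEMPTED` and `KVM_VCPU_FLUSH_TLB` bits, and the guest's concurrent write is replayed sequentially at a fixed point instead of being raced on a second thread.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define KVM_VCPU_PREEMPTED (1 << 0)
#define KVM_VCPU_FLUSH_TLB (1 << 1)

struct guest_page { _Atomic uint8_t preempted; }; /* constructed stand-in */

/* Models another vCPU asking for a TLB flush while this one is preempted. */
static void guest_requests_flush(struct guest_page *gp)
{
	atomic_fetch_or(&gp->preempted, KVM_VCPU_FLUSH_TLB);
}

/* A request is lost if the host did not flush and the flag is gone too. */
static bool lost(bool flushed, struct guest_page *gp)
{
	return !flushed && !(atomic_load(&gp->preempted) & KVM_VCPU_FLUSH_TLB);
}

/* Copy in, decide, copy out: the guest's write lands between the copies. */
static bool cached_update_loses_request(void)
{
	struct guest_page gp;
	atomic_init(&gp.preempted, KVM_VCPU_PREEMPTED);
	uint8_t copy = atomic_load(&gp.preempted);   /* host reads a snapshot */
	guest_requests_flush(&gp);                   /* guest sets the flag   */
	atomic_store(&gp.preempted, 0);              /* write-back clobbers   */
	return lost(copy & KVM_VCPU_FLUSH_TLB, &gp);
}

/* One exchange on the mapped byte: the guest's write is before or after it. */
static bool atomic_update_loses_request(bool guest_first)
{
	struct guest_page gp;
	atomic_init(&gp.preempted, KVM_VCPU_PREEMPTED);
	if (guest_first)
		guest_requests_flush(&gp);
	uint8_t old = atomic_exchange(&gp.preempted, 0);
	if (!guest_first)
		guest_requests_flush(&gp);           /* stays pending in memory */
	return lost(old & KVM_VCPU_FLUSH_TLB, &gp);
}

int main(void)
{
	printf("cached lost=%d, atomic lost=%d/%d\n", cached_update_loses_request(),
	       atomic_update_loses_request(true), atomic_update_loses_request(false));
	return 0;
}
```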