Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp378323rwe; Wed, 24 Aug 2022 02:33:55 -0700 (PDT) X-Google-Smtp-Source: AA6agR7ReeQkoihxl2p9eB0Lp/LZwuVKOb2bZA0gcRBwJMoA+EKL9WyveskRF9Iy+K36vwlC8BFc X-Received: by 2002:a17:907:d1f:b0:730:95c0:6cbc with SMTP id gn31-20020a1709070d1f00b0073095c06cbcmr2412213ejc.395.1661333635474; Wed, 24 Aug 2022 02:33:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1661333635; cv=none; d=google.com; s=arc-20160816; b=n0UWfq4Wwyx+dskZlNClXq1JJ1dLL7Njp9ECOmq/myQ6vknAnOZljP0hUt40ewTRCm vd7opZmViHudoYNFQEoYUzV2RjTHN0atIa454IO7zL+fvirOXY/2h2kIumS4zNUkpwx/ zvsAgqsQ96zWmCl8vSBX8Kc3SLYraKQ9p4T/Y8+9YvdF+GKB+fz1uRVwV6XBAXvuD+4p xjEVmbbuRZ+emvq07KcXjCsCXH5g9+ISkkMQel0yn1pYrn6b9unw4zOcebx0C2GP2iZO ZINlUt5ek8K1/OvALzAq854/5eDSDm/xdytZrBojQFD+MDkBEydQAUDVccsCIaoe7rll 6vKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=dg9IP5hlktbkw1xdJeMq6Y8R8Sy1tdC0F/hgQSHESME=; b=hOiWcU9eWGHbm4Lnjp2fESYHWPRakEMn53onH2TL5FVg86xbQJy/CsC+u7oNJwYuyP 0fE5rm+EahoNpFajU/FEDfWCq2u/LZVDAE9yQX6MILn3ljBVVdyOjcIApmOYH5kHFZTv 7n2F/LG9wJ3MF76dZHWFreuXHsk+WNM7H4isq7ioh52NPGQCnEAiHipLNPVSLk2Q5UDj vMgrwHZ/PZ1I14656rkFh13LbfkVrsiE15PwbOrGckRnHx/45xWPy0irZKfXXwz2aJ+P lMDVVd/mc0TQ7Aj0NtG9GfMdNIzT8QqxeJnvSYlNfc+9fUeU888Q8ZpAqAMG744WWXj2 EQpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=lRP1bcKS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id qf18-20020a1709077f1200b00732f74749d1si1602079ejc.911.2022.08.24.02.33.29; Wed, 24 Aug 2022 02:33:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=lRP1bcKS; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236083AbiHXIwN (ORCPT + 99 others); Wed, 24 Aug 2022 04:52:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43420 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236090AbiHXIwG (ORCPT ); Wed, 24 Aug 2022 04:52:06 -0400 Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A5B3977540 for ; Wed, 24 Aug 2022 01:52:00 -0700 (PDT) Received: by mail-qk1-x732.google.com with SMTP id j6so12151051qkl.10 for ; Wed, 24 Aug 2022 01:52:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=dg9IP5hlktbkw1xdJeMq6Y8R8Sy1tdC0F/hgQSHESME=; b=lRP1bcKSvhPJS+z8dahme9kO819HB7pOpSkmrcA8mD1itM3GdZTwyquSD2FrVKVInr MIXBrKXgZJqm0+mPR5AhqAGYL49jiWjyPKV9deGh+0xdbSRcFgC8mFhph4QdxbpSBEOA bP5QXgeWqwD23CTOTKqs0C5eqWRGnk6CzeQ6o/reGsj8XXAVoRBK8DAMVBx4fZOo5/oE nCIBlnj+iU6u+Wz8uNApfZdNHCj1zvfOH/JZSpF4WYZXD41GYKM2+EKfX+edQARFCZGe meeo8lDsp6AJT1PuWm+kFajrYOB6K0hMVJcIU7Jj+4ThNL/aj7Ls+86TOKbMNGkwkKoS 6YlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=dg9IP5hlktbkw1xdJeMq6Y8R8Sy1tdC0F/hgQSHESME=; b=1n3rpsXGXiPfMESFZOwlyIZCroDUrK1OC6cExngLYziqAtmSnjpDW+W7zSG+CoJdYv m4Q9yXTfbC/VYke/8sxmmwg4D9VYnEiwCWSDZ73PzhaREPXWDsdlSIRuwE0oVdiGHLLS b7uZp+BT4xAja74PcozqnYcvIv/jnNTiPQhiavafWsFJBFAf5suwp9A/5666tK7p+LfF 9X3Anbl7XOqnVyPGDzTkYVd2RyujcYT8nTgCxQx1RDiFq4FXFlH8Hq5W9m+CbDneV2EC NmiAtgzxZICFmPFBDHzCWjSzVKsSh5I1jEiK/H30YKwDn3etaXyJQwVv4COu5FfVNbOW ppjA== X-Gm-Message-State: ACgBeo2918GUGWG5DiNPh4CRmmamJTIwVL4Arw65wE9VtAj8Mwa++Obj 1T4goMrlCpIMICHv618iPie9/+KwJpxArycBuMH2kw== X-Received: by 2002:a37:6905:0:b0:6bb:5827:e658 with SMTP id e5-20020a376905000000b006bb5827e658mr19459191qkc.735.1661331119571; Wed, 24 Aug 2022 01:51:59 -0700 (PDT) MIME-Version: 1.0 References: <202208221331.71C50A6F@keescook> <26078f2a-67be-4aa1-bbb2-dcd1168c9d12@www.fastmail.com> In-Reply-To: <26078f2a-67be-4aa1-bbb2-dcd1168c9d12@www.fastmail.com> From: =?UTF-8?Q?Stephen_R=C3=B6ttger?= Date: Wed, 24 Aug 2022 10:51:48 +0200 Message-ID: Subject: Re: PKU usage improvements for threads To: Andy Lutomirski Cc: Dave Hansen , Kees Cook , Dave Hansen , "the arch/x86 maintainers" , Linux Kernel Mailing List , Jann Horn Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000430e0405e6f8cbb0" X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --000000000000430e0405e6f8cbb0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Aug 23, 2022 at 8:24 PM Andy Lutomirski wrote: > > > > On Tue, Aug 23, 2022, at 11:12 AM, Dave Hansen wrote: > > On 8/23/22 04:08, Stephen R=C3=B6ttger wrote: > >> On Mon, Aug 22, 2022 at 11:11 PM Dave Hansen w= rote: > >>> On 8/22/22 13:40, Kees Cook wrote: > >>>> 1) It appears to be a bug that a thread without the correct PK can m= ake > >>>> VMAs covered by a separate PK, out from under other threads. (e.g. m= map > >>>> a new mapping to wipe out the defined PK for it.) It seems that PK c= hecks > >>>> should be made when modifying VMAs. > >>> > >>> Could you give an example of this? Is this something along the lines= of > >>> a mmap(MAP_FIXED) wiping out an earlier mapping? Or, is it more subt= le > >>> than that? > >> > >> Yes, that's one example. And the same applies to other operations on t= he > >> VMA. E.g. another case we'd like to prevent would be munmap(addr) wher= e > >> addr is covered by a pkey to which the calling thread doesn't have acc= ess > >> permissions to. > > > > Yeah, that's something for which our defenses are quite weak. But, it > > also calls for a very generic mm/ solution and not something specific a= t > > all to pkeys. We were also thinking about if this should be a more generic feature instea= d of being tied to pkeys. I.e. the doc above has an alternative proposal to intr= oduce something like a memory seal/unseal syscall. I was personally leaning towards using pkeys for this for a few reasons: * intuitively it would make sense to me to extend PKEY_DISABLE_ACCESS to also mean disable all changes to the memory, not just the data. * We couldn't come up with another use case for the more generic API that doesn't include pkeys. * Fewer syscalls for our use case, since we already set the pkey on the map= pings we want to become immutable. That being said, either approach works for us. > > The concept would make a good lightning talk at Plumbers of LSF/MM. > > This kind of thing seems questionable to me. If the attacker controls sys= call arguments, they can do almost anything. ISTM a CFI scheme should aim t= o prevent that bogus call in the first place, e.g. by preventing a problema= tic call. I'm not sure that CFI can solve this problem since the attacker doesn't change the control flow in this attack. We will definitely have to ensure that certain syscall arguments can't be controlled by the attacker, e.g. if the protection bits of an mmap syscall are ever spilled to the stack, that would be one way to bypass the mitigation and we have to ensure in userspace that this doesn't happen. However, this seems infeasible for common syscalls like munmap. If any thre= ad wants to unmap a page, it's likely that the data for that came from a place that the attacker might have corrupted. > Which makes me think that the actual solution is to have syscall intercep= tion support changing PKRU, perhaps via sigaltstack. Can you expand on this? I didn't really understand what you meant. > > > > >>>> 2) It would be very helpful to have a mechanism for the signal stack= to > >>>> be PK aware, in the sense that the kernel would switch to a predefin= ed > >>>> PK. i.e. having a new interface to sigaltstack() which includes a PK= . > >>> > >>> Are you thinking that when switching to the sigaltstack that it would > >>> also pick up a specific PKRU value? Or, that it would ensure that PK= RU > >>> allows access to the sigaltstack's pkey? > >> > >> Either of those would work for us. > >> > >>> Logically something like this: > >>> > >>> stack_t sas =3D { > >>> ss_sp =3D stack_ptr; > >>> ss_flags =3D ... flags; > >>> ss_size =3D ...; > >>> ss_pkey =3D 12; > >>> }; > >>> > >>> Then the kernel would set up RSP to point to ss_sp, and do (logically= ): > >>> > >>> pkkru &=3D ~(3<<(12*2)); // clear Write and Access-disable for pke= y-12 > >>> > >>> before building the signal frame running the signal handler? > >> > >> Yeah, that would work for our use case. > >> We also have a doc discussing this in more detail :) : > > > > That doesn't seem like it would be too much of a stretch. There's a > > delicate point when building the stack frame that the kernel would need > > to move over to the new PKRU value to build the frame before it writes > > the *OLD* value to the frame. But, it's far from impossible. > > > > I also bet we could do this with minimal new ABI. There's already a > > ->ss_flags field. We could assign a flag to mean that stack_t doesn't > > end at '->ss_size' and that there's a pkey value *after* ss_size. I do > > think having a single pkey that is made accessible before signal entry > > is a more flexible ABI than taking an explicit PKRU value. > > > > I think that would allow just reusing sys_sigaltstack(). > > sys_sigaltstack() is already pretty much useless with SHSTK, and it=E2=80= =99s kinda busted with AVX512. How about we just add a whole new non-kludgy= API? --000000000000430e0405e6f8cbb0 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIPoQYJKoZIhvcNAQcCoIIPkjCCD44CAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg ggz7MIIEtjCCA56gAwIBAgIQeAMYYHb81ngUVR0WyMTzqzANBgkqhkiG9w0BAQsFADBMMSAwHgYD VQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE AxMKR2xvYmFsU2lnbjAeFw0yMDA3MjgwMDAwMDBaFw0yOTAzMTgwMDAwMDBaMFQxCzAJBgNVBAYT AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIEF0bGFz IFIzIFNNSU1FIENBIDIwMjAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvLe9xPU9W dpiHLAvX7kFnaFZPuJLey7LYaMO8P/xSngB9IN73mVc7YiLov12Fekdtn5kL8PjmDBEvTYmWsuQS 6VBo3vdlqqXZ0M9eMkjcKqijrmDRleudEoPDzTumwQ18VB/3I+vbN039HIaRQ5x+NHGiPHVfk6Rx c6KAbYceyeqqfuJEcq23vhTdium/Bf5hHqYUhuJwnBQ+dAUcFndUKMJrth6lHeoifkbw2bv81zxJ I9cvIy516+oUekqiSFGfzAqByv41OrgLV4fLGCDH3yRh1tj7EtV3l2TngqtrDLUs5R+sWIItPa/4 AJXB1Q3nGNl2tNjVpcSn0uJ7aFPbAgMBAAGjggGKMIIBhjAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHzM CmjXouseLHIb0c1dlW+N+/JjMB8GA1UdIwQYMBaAFI/wS3+oLkUkrk1Q+mOai97i3Ru8MHsGCCsG AQUFBwEBBG8wbTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3Jvb3Ry MzA7BggrBgEFBQcwAoYvaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvcm9vdC1y My5jcnQwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIz LmNybDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBKDA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEANyYcO+9JZYyqQt41 TMwvFWAw3vLoLOQIfIn48/yea/ekOcParTb0mbhsvVSZ6sGn+txYAZb33wIb1f4wK4xQ7+RUYBfI TuTPL7olF9hDpojC2F6Eu8nuEf1XD9qNI8zFd4kfjg4rb+AME0L81WaCL/WhP2kDCnRU4jm6TryB CHhZqtxkIvXGPGHjwJJazJBnX5NayIce4fGuUEJ7HkuCthVZ3Rws0UyHSAXesT/0tXATND4mNr1X El6adiSQy619ybVERnRi5aDe1PTwE+qNiotEEaeujz1a/+yYaaTY+k+qJcVxi7tbyQ0hi0UB3myM A/z2HmGEwO8hx7hDjKmKbDCCA18wggJHoAMCAQICCwQAAAAAASFYUwiiMA0GCSqGSIb3DQEBCwUA MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpHbG9iYWxTaWdu MRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5MDMxODEwMDAwMFoXDTI5MDMxODEwMDAwMFowTDEg MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzAR BgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4 Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9DCuu l9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkmDoMVxu9bi9IEYMpJ pij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDhBjPogiuuU6Y6FnOM3UEOIDrAtKeh 6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTvriBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti +w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5NUPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEA S0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigHM8pr5nS5ugAtrqQK0/Xx8Q+Kv3NnSoPHRHt44K9u bG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmUY/vcU2hnVj6DuM81IcPJaP7O2sJTqsyQiunwXUaM ld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V14qWtNPeTCekTBtzc3b0F5nCH3oO4y0IrQocLP88 q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcya5QBqJnnLDMfOjsl0oZAzjsshnjJYS8Uuu7bVW/f hO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/XzCCBNowggPCoAMCAQICEAEzs8uGCAkxDfyX6SyV 9lkwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt c2ExKjAoBgNVBAMTIUdsb2JhbFNpZ24gQXRsYXMgUjMgU01JTUUgQ0EgMjAyMDAeFw0yMjA2MTIw NDUwMzlaFw0yMjEyMDkwNDUwMzlaMCUxIzAhBgkqhkiG9w0BCQEWFHNyb2V0dGdlckBnb29nbGUu Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2wvxqvB53UwotrA1Y0K2qPJlqarn 4/WZPJvAG3SXF5P+v+mqUdEiaB7Tmv1lronLkJB1WCVOtgOd8ucD8csA7Qf0sod7z6a91LakMUzK K37yw58/vv1v7t9mYFgOVTbsPW43GY2r2KJ4JqcVQEwBjRPJF2FsxKW5AxOBbKIJwWWaow03ePBU XJtI5iq/gnxfohWFcqjuP8uM6w0rHFQQX+/wloDOv3k++7ge4xtKyw2E+KumMhk0FanJITgxe5O7 5ABKaOBtGtJoiOAhA0JIxiaXXIKVy8EYWbexoK7pUoIX9AuY3TILnja7PafgH5GyOC4Nd/z3N/HY m5fvEfWJfQIDAQABo4IB1TCCAdEwHwYDVR0RBBgwFoEUc3JvZXR0Z2VyQGdvb2dsZS5jb20wDgYD VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQUTSsd 1Xnj+ucP771ZQkdCPPi3x0wwTAYDVR0gBEUwQzBBBgkrBgEEAaAyASgwNDAyBggrBgEFBQcCARYm aHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wDAYDVR0TAQH/BAIwADCBmgYI KwYBBQUHAQEEgY0wgYowPgYIKwYBBQUHMAGGMmh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2Nh L2dzYXRsYXNyM3NtaW1lY2EyMDIwMEgGCCsGAQUFBzAChjxodHRwOi8vc2VjdXJlLmdsb2JhbHNp Z24uY29tL2NhY2VydC9nc2F0bGFzcjNzbWltZWNhMjAyMC5jcnQwHwYDVR0jBBgwFoAUfMwKaNei 6x4schvRzV2Vb4378mMwRgYDVR0fBD8wPTA7oDmgN4Y1aHR0cDovL2NybC5nbG9iYWxzaWduLmNv bS9jYS9nc2F0bGFzcjNzbWltZWNhMjAyMC5jcmwwDQYJKoZIhvcNAQELBQADggEBADYMYgn8YeSC 2azHCuUUELdSMX6zHgtp7pnHsAiW/DcbzNyWqavhuxKjDZGVqBEL8XslGKMHroyP9GLRYy3fOG6K lTeSsnfQOkON4y/SaN6ew/5jl46udymNieA3FhCFrpqt5VD+LvUmSxF/8WBTTp3vfiWfymRY+CaH 4BqizkeEPW9WLDJVTu/65GqHNNG37YRMjRJI88mM3vQeNHiAXyxsGtK9AihqMu0hEx9eXLQudQNV XwfOaOvZENWKMhRgnYwvv2v1wFu92T8vxPqdCXMhGnhaUMtLSnOx8ootxQxQ47AXJmXkDvTfT/LL kpP0rI1cT2p1cY52eOyHtAHIZtQxggJqMIICZgIBATBoMFQxCzAJBgNVBAYTAkJFMRkwFwYDVQQK ExBHbG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIEF0bGFzIFIzIFNNSU1FIENB IDIwMjACEAEzs8uGCAkxDfyX6SyV9lkwDQYJYIZIAWUDBAIBBQCggdQwLwYJKoZIhvcNAQkEMSIE IGCAQv4TB00xA5r9sOKK5ve3vEw1MI5woZJAf2Zfjj1PMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0B BwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDgyNDA4NTIwMFowaQYJKoZIhvcNAQkPMVwwWjALBglghkgB ZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzALBgkqhkiG9w0BAQow CwYJKoZIhvcNAQEHMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQB5ucXYftUCRmiwKc/g jhy4FOOE+ngnNFPsWiWFfvpvWNEfYAI5+daFcqsPpiO0ivlD/4Z57Dts4nNLboEZOL/Qqvjq4t2Y /nyec6jGGbbo9Ck5kvYT82/K9DFWLGujroNUa5fw0PCv9u3zSswQ1NIglfbwpvggjDeYEy8+FxmV ru8Wl86XR2+Anfi0/xJEWA9S8ZSpuVKzCRa5IdFLc3cWkSeezz8zZQ7SjbxVwMCctGIIJtDJB+WT NqdFAcFI54bbPnj0/71jw8rBNslOB0Ar6xJowbLiMO3NbYmzYN6x2KWwvypl9MCckTmVW+SPPbrP y5CTFD6Tx0OwDX4mpIy4 --000000000000430e0405e6f8cbb0--