Received: by 2002:a05:6358:45e:b0:b5:b6eb:e1f9 with SMTP id 30csp3570384rwe;
        Mon, 29 Aug 2022 14:51:14 -0700 (PDT)
X-Google-Smtp-Source: AA6agR4Knr60D2iU4V3cXLX0QWMxiVu7wS6hybkpZ634nBjlpFBrDpjwnQW6BF0dhnZlfJK2laHH
X-Received: by 2002:a05:6402:4305:b0:448:5b80:757a with SMTP id m5-20020a056402430500b004485b80757amr7110407edc.198.1661809874661;
        Mon, 29 Aug 2022 14:51:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1661809874; cv=none;
        d=google.com; s=arc-20160816;
        b=AiNEC3LWylnvbYmqvMO5K8fIhmMD3JVAWxY9CtonYVWG+sgkJayB8vLN9atwmVNX9l
         drPi0JwWnDLTWhxo1qjX6IO0weMgigbUkIJcZOor0Rg0V21nXqOKpYA1cyTZ/ZvlvInK
         V91qW+dnuYhcwaYus10r05CqSoG+NmX9sl+O9OnLPqnEhsxDZzK6SuKlR/gEbR+m/J+e
         3TVjWOO8ttv59mGrUOqtoq5q2uM7IhITFZonO4iCUSSAJ3TyxrMrGOdERiwALENmzpJK
         qoOBP7JiSJZLMPGSu7WgeLsYrCvYYSVfthwviv4gihVvxxJCCu8AG0IehmmJqvvUWTl2
         LxbA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:from:references:cc:to
         :content-language:subject:user-agent:mime-version:date:message-id
         :dkim-signature;
        bh=QurS7Cp8A08/zbXA0jXFasH/YMGPo+bWbYTvk0y0d/E=;
        b=nOlzAUgbg8Cz29zwfhig4lH+DlBCsAUFEx7Lop1Og9jN64B/Yhi2LBI6EVqHt+kNId
         aTVM6gnXH7JZ6UB26SnKXukMKU49r2AK87Sh7qX1D6cMiLjJuuKQTtWxDjrZUJY0GLJ3
         clXMcfbS4nKpkeR3KxLFpZ+nZRoUJj87B0FjUIduwT/n+XHumIn8ytE3tdoQW3KjPxP4
         y9/phQ0o7IkPv8qKdRI+TDc37RFUjITyIjvVLS/Z/TIfHy6wqWIBAGv5OwsoFTratpPw
         uBgvtgdebGhAAEBg0PB2RwyFUtKu2c+WJdu1muGNMSb+QeX0FYaCN/gA+8s1dbpbK4Z0
         7pLw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=jhPUmqHT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id hz5-20020a1709072ce500b007414886601asi6369686ejc.25.2022.08.29.14.50.48;
        Mon, 29 Aug 2022 14:51:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ibm.com header.s=pp1 header.b=jhPUmqHT;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229635AbiH2Vpm (ORCPT
        <rfc822;andriy.druk.mailinglists@gmail.com> + 99 others);
        Mon, 29 Aug 2022 17:45:42 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37704 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229543AbiH2Vpk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Aug 2022 17:45:40 -0400
Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5646F83BEC;
        Mon, 29 Aug 2022 14:45:37 -0700 (PDT)
Received: from pps.filterd (m0098421.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 27TLFL6W016622;
        Mon, 29 Aug 2022 21:45:25 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=message-id : date :
 mime-version : subject : to : cc : references : from : in-reply-to :
 content-type; s=pp1; bh=QurS7Cp8A08/zbXA0jXFasH/YMGPo+bWbYTvk0y0d/E=;
 b=jhPUmqHTj3kt/qWdfzPCtDbYQkB9hbSUgW/xx3dLBBKIGU2wP2TKuVtg56wfPiM5z5QT
 w3eznhmly3IaKHXOo4vF56A5R6Hj2Sc1FxxvJlF1+FCNe0+TaTBAuvyO+ndGZ2Gm+rKv
 gWuZ+V7cx0bGoUwoIqOvVIm15EXP4qwOLHBDYjYBqTM5DkAAesehXFPfnU7lvVperNE9
 IOpxCYA/PQqF1iUfFWhc2RwMdBY8WFxqW0+c9sIYwK5k3tEX+Rt5uQ5vxinvga5l/BeX
 eV5oWS8Fwes68lCr4SV4CWNs2SbGsuyvyQ5CoqF9u2O2fTneSFLD3/UmMbJBbFlJ1ze1 Vw== 
Received: from pps.reinject (localhost [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3j95799bw9-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 29 Aug 2022 21:45:24 +0000
Received: from m0098421.ppops.net (m0098421.ppops.net [127.0.0.1])
        by pps.reinject (8.17.1.5/8.17.1.5) with ESMTP id 27TLJsZj030185;
        Mon, 29 Aug 2022 21:45:24 GMT
Received: from ppma02dal.us.ibm.com (a.bd.3ea9.ip4.static.sl-reverse.com [169.62.189.10])
        by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 3j95799bvc-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 29 Aug 2022 21:45:24 +0000
Received: from pps.filterd (ppma02dal.us.ibm.com [127.0.0.1])
        by ppma02dal.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 27TLa8Ko001637;
        Mon, 29 Aug 2022 21:45:22 GMT
Received: from b03cxnp08026.gho.boulder.ibm.com (b03cxnp08026.gho.boulder.ibm.com [9.17.130.18])
        by ppma02dal.us.ibm.com with ESMTP id 3j7aw9bjct-1
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
        Mon, 29 Aug 2022 21:45:22 +0000
Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237])
        by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 27TLjLXZ4522506
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Mon, 29 Aug 2022 21:45:21 GMT
Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 03E19C605D;
        Mon, 29 Aug 2022 21:45:21 +0000 (GMT)
Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id 7C1D3C6055;
        Mon, 29 Aug 2022 21:45:19 +0000 (GMT)
Received: from [9.211.157.141] (unknown [9.211.157.141])
        by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP;
        Mon, 29 Aug 2022 21:45:19 +0000 (GMT)
Message-ID: <deafaf6f-8e79-b193-68bf-3ab01bddd5c2@linux.ibm.com>
Date:   Mon, 29 Aug 2022 17:45:18 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.2.0
Subject: TPM: hibernate with IMA PCR 10
Content-Language: en-US
To:     Evan Green <evgreen@chromium.org>, linux-kernel@vger.kernel.org
Cc:     Matthew Garrett <mgarrett@aurora.tech>, dlunev@google.com,
        zohar@linux.ibm.com, jejb@linux.ibm.com,
        linux-integrity@vger.kernel.org, corbet@lwn.net, rjw@rjwysocki.net,
        gwendal@chromium.org, jarkko@kernel.org, linux-pm@vger.kernel.org,
        Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
        "Rafael J. Wysocki" <rafael@kernel.org>
References: <20220504232102.469959-1-evgreen@chromium.org>
 <20220504161439.6.Ifff11e11797a1bde0297577ecb2f7ebb3f9e2b04@changeid>
From:   Ken Goldman <kgold@linux.ibm.com>
In-Reply-To: <20220504161439.6.Ifff11e11797a1bde0297577ecb2f7ebb3f9e2b04@changeid>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090200090100090600070905"
X-TM-AS-GCONF: 00
X-Proofpoint-ORIG-GUID: nI6maHm67WNPhoObMAol4dQt0Mbg87e9
X-Proofpoint-GUID: YP2_gk2ZTu1qSkTw2aQCoiQ0p2BJaAhz
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.517,FMLib:17.11.122.1
 definitions=2022-08-29_11,2022-08-25_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 phishscore=0
 malwarescore=0 spamscore=0 impostorscore=0 mlxscore=0 clxscore=1011
 suspectscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.12.0-2207270000 definitions=main-2208290095
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_EF,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This is a cryptographically signed message in MIME format.

--------------ms090200090100090600070905
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

On 5/4/2022 7:20 PM, Evan Green wrote:
> Enabling the kernel to be able to do encryption and integrity checks on
> the hibernate image prevents a malicious userspace from escalating to
> kernel execution via hibernation resume.  [snip]

I have a related question.

When a TPM powers up from hibernation, PCR 10 is reset.  When a
hibernate image is restored:

1. Is there a design for how PCR 10 is restored?

2. How are /sys/kernel/security/ima/[pseudofiles] saved and
restored?


--------------ms090200090100090600070905
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCC
DVUwggXgMIIDyKADAgECAhBeLLAGq3EDXaRbRjTikYn/MA0GCSqGSIb3DQEBCwUAMIGBMQsw
CQYDVQQGEwJJVDEQMA4GA1UECAwHQmVyZ2FtbzEZMBcGA1UEBwwQUG9udGUgU2FuIFBpZXRy
bzEXMBUGA1UECgwOQWN0YWxpcyBTLnAuQS4xLDAqBgNVBAMMI0FjdGFsaXMgQ2xpZW50IEF1
dGhlbnRpY2F0aW9uIENBIEczMB4XDTIyMDUxOTIwNTg0N1oXDTIzMDUxOTIwNTg0N1owHjEc
MBoGA1UEAwwTa2dvbGRAbGludXguaWJtLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAJkNDunQZu1cwbeY3GSZskwtYR1hJYe9BO2TNDRFOCH6bY089nmt33kYD28R0eGD
ezG+Iptr1ini7yZ29JJaxd4V0w2Hdym7QNDfSmagQk0vftbpQUaJUbSxhZkXFXuHHg921SsY
rSsXcR06kCZPiWUjEhrXcBsOMsQKxqUcgJ3i5nTv86WdGyszPcgk3qApGJ0BNDkkIFUVrETQ
z/gR3oYJh8a/dmzh+gis7S0WyfmWA+yUt/abbngcjbUPfSF1OM37NNE/ZodeYZJvNWqDy272
U9z2Zwacg70IMbcS/nZi3xeabN1Ia24u6nXC5iYfu7rDaCTZaUahsqtYIJv5CYcCAwEAAaOC
AbQwggGwMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUvpepqoS/gL8QU30JMvnhLjIbz3cw
fgYIKwYBBQUHAQEEcjBwMDsGCCsGAQUFBzAChi9odHRwOi8vY2FjZXJ0LmFjdGFsaXMuaXQv
Y2VydHMvYWN0YWxpcy1hdXRjbGlnMzAxBggrBgEFBQcwAYYlaHR0cDovL29jc3AwOS5hY3Rh
bGlzLml0L1ZBL0FVVEhDTC1HMzAeBgNVHREEFzAVgRNrZ29sZEBsaW51eC5pYm0uY29tMEcG
A1UdIARAMD4wPAYGK4EfARgBMDIwMAYIKwYBBQUHAgEWJGh0dHBzOi8vd3d3LmFjdGFsaXMu
aXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwSAYDVR0f
BEEwPzA9oDugOYY3aHR0cDovL2NybDA5LmFjdGFsaXMuaXQvUmVwb3NpdG9yeS9BVVRIQ0wt
RzMvZ2V0TGFzdENSTDAdBgNVHQ4EFgQUJqMiyPiZgSQozCjzm844qfabcSowDgYDVR0PAQH/
BAQDAgWgMA0GCSqGSIb3DQEBCwUAA4ICAQBMh8w3DdbSyBVOYI1WK21JPAx4RdzI9VdolNdT
UKmpXkNPD+kWI1Iez2Q2Ta/EM7PDd5FfeU/bBlSKnpvKLo5FCilguCaX8ejVXlbZkKWen0U1
OzXO/f0UWskR98isL3WvfM/IkTMYwS0YXIBqKKaHtnCyGQ9uYnh3NlSulLdOLKJca4qK24zw
UzR4+ijHlCpLbiKaq+4gZ8gX2X8TTlVxwhvPLItyK8XKTtdt6NX7gwR3WaGZH2MmMbUbm1x/
2Eq1jHcqnmkP/3FnPNdrgCOXPM6a1PTdCBFVb6AxB4Ln1p2JpoGkU2SVTdcUBiWgt9MhBoPh
028w7E9oljkBNnk8MmdPCIb9QB5LuNasnd/34o66nP0Iy5WO5pU7jT7mqnRYFaHtIiKzFFlo
s0ZazpARtRUMfB39wP40FYeMhyyiCJi8xA2ZGUHQ2jAPqX+w9uoGJSxSBIJnG4A2YmSzaBoI
KP95qYx0JbXYdaryClvrtXaSDdbWTlE6olN0b1SrZgF3C9Dfbx29+K7FQ/t2i8yBZzyhjT+f
9wEoJxl1eMP0i+AkPRSK3RyQP+bhgplpolhHlMMtr0VL7gzt+6xgwYhc6x+4EiWtN37nliaP
JIXZO76gF+wSZ9Ccniq4mhePmPMYjp9IxbwfTmkszN8qrLJrl4LorVhpR3yr2gp8NA7TazCC
B20wggVVoAMCAQICEBcQPt49ihy1ygZRk+fKQ2swDQYJKoZIhvcNAQELBQAwazELMAkGA1UE
BhMCSVQxDjAMBgNVBAcMBU1pbGFuMSMwIQYDVQQKDBpBY3RhbGlzIFMucC5BLi8wMzM1ODUy
MDk2NzEnMCUGA1UEAwweQWN0YWxpcyBBdXRoZW50aWNhdGlvbiBSb290IENBMB4XDTIwMDcw
NjA4NDU0N1oXDTMwMDkyMjExMjIwMlowgYExCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdCZXJn
YW1vMRkwFwYDVQQHDBBQb250ZSBTYW4gUGlldHJvMRcwFQYDVQQKDA5BY3RhbGlzIFMucC5B
LjEsMCoGA1UEAwwjQWN0YWxpcyBDbGllbnQgQXV0aGVudGljYXRpb24gQ0EgRzMwggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDt5oeWocGktu3CQlX3Pw8PImBfE+CmQ4iGSZF5
HBsvGlAP3EYB7va6OobMUWHvxA+ACHEpWq0YfNh6rRUlULOGcIpEFtVf4nAiEvdQtiFQBmtW
JSn3naoMHqpMvmwZ4lL0Xr1U9JHmTqkU3DuYcNNO3S+hYWDZpWQbeSGibNVeiJ4kY6JDh0fv
qloK1BsuS3n2OgArPYGfAYtDjCvT2d+6Ym3kArHZjEcrZeBI+yVVnjPwbTSCKax8DtS2NP/C
J6RjpnRvuSwusRy84OdwdB71VKs1EDXj1ITcCWRZpkz+OhV6L8Zh+P0rmOSJF6KdHiaozfnc
URx4s54GFJNRGkx1DnCxcuL0NJMYG42/hrDYOjNv+oGWSEZO/CT3aaLSMB5wTbZKfcD1R+tT
anXD+5Gz5Mi15DTE7QH8naZjZxqqhyxL1KyuIgaVDxvQtPSjo5vTsoa09rn+Ui8ybHnvYO/a
/68OIQIHLGbUd2COnwm0TiZ3Jg/oYGxwnJPvU1nDXNcecWTIJvFF5qD2ppJH3HgJVVePUEOY
1E4Kp3k0B8hdRdhMV5n+O6RCKCTFcZaESF8sELgdrqnCLPP1+rX7DA8pxZoX0/9Jk64EOsbf
QyLIJlrrob2YS0Xlku6HisZ8qrHLhnkzF5y7O34xmatIp8oZ5c54QP+K5flnTYzWjuIxLwID
AQABo4IB9DCCAfAwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRS2Ig6yJ94Zu2J83s4
cJTJAgI20DBBBggrBgEFBQcBAQQ1MDMwMQYIKwYBBQUHMAGGJWh0dHA6Ly9vY3NwMDUuYWN0
YWxpcy5pdC9WQS9BVVRILVJPT1QwRQYDVR0gBD4wPDA6BgRVHSAAMDIwMAYIKwYBBQUHAgEW
JGh0dHBzOi8vd3d3LmFjdGFsaXMuaXQvYXJlYS1kb3dubG9hZDAdBgNVHSUEFjAUBggrBgEF
BQcDAgYIKwYBBQUHAwQwgeMGA1UdHwSB2zCB2DCBlqCBk6CBkIaBjWxkYXA6Ly9sZGFwMDUu
YWN0YWxpcy5pdC9jbiUzZEFjdGFsaXMlMjBBdXRoZW50aWNhdGlvbiUyMFJvb3QlMjBDQSxv
JTNkQWN0YWxpcyUyMFMucC5BLiUyZjAzMzU4NTIwOTY3LGMlM2RJVD9jZXJ0aWZpY2F0ZVJl
dm9jYXRpb25MaXN0O2JpbmFyeTA9oDugOYY3aHR0cDovL2NybDA1LmFjdGFsaXMuaXQvUmVw
b3NpdG9yeS9BVVRILVJPT1QvZ2V0TGFzdENSTDAdBgNVHQ4EFgQUvpepqoS/gL8QU30JMvnh
LjIbz3cwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAmm+cbWQ10sxID6edV
94SAhc1CwzthHFfHpuYS30gisWUfWpgp43Dg1XzG2in3VGV7XrzCCGZh4JM/XQWp+4oxmyV4
2Qjz9vc8GRksgo6X2nYObPYZzQjda9wxsCB38i4G3H33w8lf9sFvl0xm4ZXZ2s2bF/PdqvrK
0ZgvF51+MoIPnli/wJBw3p72xbk5Sb1MneSO3tZ293WFzDmz7tuGU0PfytYUkG7O6annGqbU
1I6CA6QVKUqeFLPodSODAFqJ3pimKD0vX9MuuSa0QinH7CkiPtZMD0mpwwzIsnSs3qOOl60t
IZQOTc0I6lCe1LLhrz7Q75J6nNL9N5zVwZ1I3o2Lb8Dt7BA13VFuZvZIzapUGV83R7pmSVaj
1Bik1nJ/R393e6mwppsT140KDVLh4Oenywmp2VpBDuEj9RgICAO0sibv8n379LbO7ARa0kw9
y9pggFzN2PAX25b7w0n9m78kpv3z3vW65rs6wl7E8VEHNfv8+cnb81dxN3C51KElz+l31zch
FTurD5HFEpyEhzO/fMS5AkweRJIzwozxNs7OL/S/SVTpJLJL1ukZ1lnHHX0d3xCzRy/5HqfK
3uiG22LPB5+RjNDobPAjAz2BKMfkF/+v0pzn8mqqkopQaJzEAbLbMpgQYHRCjvrUxxwjJyUF
b2Z+40UNtMF4MTK7zTGCA/MwggPvAgEBMIGWMIGBMQswCQYDVQQGEwJJVDEQMA4GA1UECAwH
QmVyZ2FtbzEZMBcGA1UEBwwQUG9udGUgU2FuIFBpZXRybzEXMBUGA1UECgwOQWN0YWxpcyBT
LnAuQS4xLDAqBgNVBAMMI0FjdGFsaXMgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIENBIEczAhBe
LLAGq3EDXaRbRjTikYn/MA0GCWCGSAFlAwQCAQUAoIICLTAYBgkqhkiG9w0BCQMxCwYJKoZI
hvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMjA4MjkyMTQ1MThaMC8GCSqGSIb3DQEJBDEiBCDq
rpkdrg2LkHbiTcSrcPkAixGpH3YogmNGh5VcBtckojBsBgkqhkiG9w0BCQ8xXzBdMAsGCWCG
SAFlAwQBKjALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqG
SIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGnBgkrBgEEAYI3EAQxgZkwgZYw
gYExCzAJBgNVBAYTAklUMRAwDgYDVQQIDAdCZXJnYW1vMRkwFwYDVQQHDBBQb250ZSBTYW4g
UGlldHJvMRcwFQYDVQQKDA5BY3RhbGlzIFMucC5BLjEsMCoGA1UEAwwjQWN0YWxpcyBDbGll
bnQgQXV0aGVudGljYXRpb24gQ0EgRzMCEF4ssAarcQNdpFtGNOKRif8wgakGCyqGSIb3DQEJ
EAILMYGZoIGWMIGBMQswCQYDVQQGEwJJVDEQMA4GA1UECAwHQmVyZ2FtbzEZMBcGA1UEBwwQ
UG9udGUgU2FuIFBpZXRybzEXMBUGA1UECgwOQWN0YWxpcyBTLnAuQS4xLDAqBgNVBAMMI0Fj
dGFsaXMgQ2xpZW50IEF1dGhlbnRpY2F0aW9uIENBIEczAhBeLLAGq3EDXaRbRjTikYn/MA0G
CSqGSIb3DQEBAQUABIIBAFkBmv1dgvBp15cHN9XU6Zf3+ESWfgwRKbcJjZ+ZcZq88XuR/jAV
xwX8ZWzQYCeyfTf08vAcgotZ07VUaQRBwslBmjOYDycGBTqc39W8pqlmuLKePz9CbS2CTSGM
focr89q/A2k5+0yYfBytfb4/QJHHjnBG6MEx4yqFxxKtn7O4WT19MEMQKl3M6ocrUPZIBJUe
C+P4niLWz7LoYbjVok38vB/C8RtqW+rsxoggLVcbwskS8xZIT2IcfFN+cXF4AwV0QoWMCWnM
97zczwq7poLVd9BuAywwrmjxL7zzAnzW2lDi7kvwLy9zHae6gRx6N1YrF3PW8GIIFcq1zDjC
3DgAAAAAAAA=
--------------ms090200090100090600070905--