Received: by 2002:a05:7412:37c9:b0:e2:908c:2ebd with SMTP id jz9csp153763rdb; Mon, 18 Sep 2023 10:46:08 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFP6gqs6YrgtrbleVOFeGaGj8b7+QO/kEODb7k3lBD0EANAhVJViOnYukq6h2n6k8FHvsW3 X-Received: by 2002:a17:903:48a:b0:1c0:bcbc:d66 with SMTP id jj10-20020a170903048a00b001c0bcbc0d66mr415486plb.7.1695059167919; Mon, 18 Sep 2023 10:46:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695059167; cv=none; d=google.com; s=arc-20160816; b=w2BJM4yXkVxNo2HwGJNNjnmJ8bB9GqwPkfL9dWBNmnPR/BZOZ3NjRZlfOg3gnip4V0 KogtOeDb7EydPERtFVKS4w+nwC+vmZGwDnWZ22ACUzBaJV+h33B6IZ0P2rcMjkvuuLu7 CUhiGdiR/JENbh5NBNeiQujS1Me47QQLgpk/UC12gZcJyKe9+fORrsGIg2azP6tKZBNs tqg98t55e089HnJqHpgM7JXeHZWIZtGqNA5mGnbZCrhBlNk45SMbovpZptrANNutHqvp eRi2erC+ivQPRVmlubaJzCzg3E9Z1Ugnw9jJ4OplO+JoY0SBt1ey5QSXITOq4/Vbe3ut lMZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :date:cc:to:from:subject:message-id:dkim-signature; bh=7ydROei8VlxicBn5/ZdpkjRZdnRCTyhqPyMsALiH8Ok=; fh=ZkASlKRvSjjehGEve9dirxb5g7aSKqhXIWUGfY2Cm2Q=; b=CQYCYFW2W152MWfXtt7EHe0THkG3Ud3DbSrMXnGDQVLT4OvumFRv5Ddf6NpLK0DXAo LGng4ukLzA8sED/6YoZa95O4gt0ihYrJ8m9nKIhulU5ItroJ9ZrnWSqu0tvCeZQcA9Fr maCvFpO2eKtVXApP+RANCRi6azxUQoU/xBfjWSGQaCDm5Qpvs961NAViFi/4Qilxn+6K ZMosfEvAMrz/aZsbJALPKGa6Mjc1Y8hWYvYeqQG19mFsby2Ngt3ug/Po2AjlKj+umH63 PBGI6xYEfi49e3+sW5J0jCQyotTvDEaQOWFMz2eaAXqE0sCIsXIY2HYToi0hCg2tlL7x iVLA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b="neXWrZ/G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id m2-20020a170902c44200b001bf20e8f66asi8166712plm.26.2023.09.18.10.45.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 18 Sep 2023 10:46:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b="neXWrZ/G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 417758373823; Mon, 18 Sep 2023 09:09:24 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229986AbjIRQJW (ORCPT + 99 others); Mon, 18 Sep 2023 12:09:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54816 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229978AbjIRQJF (ORCPT ); Mon, 18 Sep 2023 12:09:05 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F301644BA; Mon, 18 Sep 2023 09:07:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=MIME-Version:Content-Type:References: In-Reply-To:Date:Cc:To:From:Subject:Message-ID:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=7ydROei8VlxicBn5/ZdpkjRZdnRCTyhqPyMsALiH8Ok=; b=neXWrZ/GN4cxvmJfQbgThS5fRc 5+nB6FhrOJHFBqI7Gr2BZYRSHDIPTAKsW3gppCKhQXjIJvdlvJywuPSfLHDqa13tb/Ch715bDW8FW uBccyEWx6xx4EEqSUiroOzGU9AnTdS4EYPkpxTmXJ0EdNTXyaJmhbc9y6ld9KiYanoyOLDbaOVOfH 9HN9Qpan9zUAf7LO6qmnaAEJTsu2rqOUSIBRPSCKtmWIIim82P1f3WWDp79Y8jHTtMYspcs0gHy29 L2QGJUaJ3O1bKYhLxA4dd6MIggy1AqSfJY6gJlpc07JoQmD1Z5CCFqoCrd3hEN+Q/5NFXJ/wtkwmY ER25s/7A==; Received: from [2001:8b0:10b:5:7930:9714:474a:dcad] (helo=u3832b3a9db3152.ant.amazon.com) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1qiGmU-00Bvf3-Jr; Mon, 18 Sep 2023 16:07:26 +0000 Message-ID: Subject: Re: [PATCH v3 09/13] KVM: xen: automatically use the vcpu_info embedded in shared_info From: David Woodhouse To: Paul Durrant , kvm@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Paul Durrant , Sean Christopherson , Paolo Bonzini , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , "H. Peter Anvin" , x86@kernel.org Date: Mon, 18 Sep 2023 17:07:26 +0100 In-Reply-To: <20230918144111.641369-10-paul@xen.org> References: <20230918144111.641369-1-paul@xen.org> <20230918144111.641369-10-paul@xen.org> Content-Type: multipart/signed; micalg="sha-256"; protocol="application/pkcs7-signature"; boundary="=-74fRSbl1qn1ttLJDp1io" User-Agent: Evolution 3.44.4-0ubuntu2 MIME-Version: 1.0 X-SRS-Rewrite: SMTP reverse-path rewritten from by casper.infradead.org. See http://www.infradead.org/rpr.html X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Mon, 18 Sep 2023 09:09:24 -0700 (PDT) --=-74fRSbl1qn1ttLJDp1io Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Mon, 2023-09-18 at 14:41 +0000, Paul Durrant wrote: > From: Paul Durrant >=20 > The VMM should only need to set the KVM_XEN_VCPU_ATTR_TYPE_VCPU_INFO > attribute in response to a VCPUOP_register_vcpu_info hypercall. We can > handle the default case internally since we already know where the > shared_info page is. Modify get_vcpu_info_cache() to pass back a pointer > to the shared info pfn cache (and appropriate offset) for any of the > first 32 vCPUs if the attribute has not been set. >=20 > A VMM will be able to determine whether it needs to set up default > vcpu_info using the previously defined KVM_XEN_HVM_CONFIG_SHARED_INFO_HVA > Xen capability flag, which will be advertized in a subsequent patch. >=20 > Also update the KVM API documentation to describe the new behaviour. >=20 > Signed-off-by: Paul Durrant > --- > Cc: Sean Christopherson > Cc: Paolo Bonzini > Cc: Thomas Gleixner > Cc: Ingo Molnar > Cc: Borislav Petkov > Cc: Dave Hansen > Cc: "H. Peter Anvin" > Cc: David Woodhouse > Cc: x86@kernel.org >=20 > v3: > =C2=A0- Add a note to the API documentation discussing vcpu_info copying. >=20 > v2: > =C2=A0- Dispense with the KVM_XEN_HVM_CONFIG_DEFAULT_VCPU_INFO capability= . > =C2=A0- Add API documentation. > --- > =C2=A0Documentation/virt/kvm/api.rst | 22 +++++++++++++++------- > =C2=A0arch/x86/kvm/xen.c=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 | 15 +++++++++++++++ > =C2=A02 files changed, 30 insertions(+), 7 deletions(-) >=20 > diff --git a/Documentation/virt/kvm/api.rst b/Documentation/virt/kvm/api.= rst > index e9df4df6fe48..47bf3db74674 100644 > --- a/Documentation/virt/kvm/api.rst > +++ b/Documentation/virt/kvm/api.rst > @@ -5442,13 +5442,7 @@ KVM_XEN_ATTR_TYPE_LONG_MODE > =C2=A0 > =C2=A0KVM_XEN_ATTR_TYPE_SHARED_INFO > =C2=A0=C2=A0 Sets the guest physical frame number at which the Xen shared= _info > -=C2=A0 page resides. Note that although Xen places vcpu_info for the fir= st > -=C2=A0 32 vCPUs in the shared_info page, KVM does not automatically do s= o > -=C2=A0 and instead requires that KVM_XEN_VCPU_ATTR_TYPE_VCPU_INFO be use= d > -=C2=A0 explicitly even when the vcpu_info for a given vCPU resides at th= e > -=C2=A0 "default" location in the shared_info page. This is because KVM m= ay > -=C2=A0 not be aware of the Xen CPU id which is used as the index into th= e > -=C2=A0 vcpu_info[] array, so may know the correct default location. > +=C2=A0 page resides. > =C2=A0 > =C2=A0=C2=A0 Note that the shared_info page may be constantly written to = by KVM; > =C2=A0=C2=A0 it contains the event channel bitmap used to deliver interru= pts to > @@ -5564,12 +5558,26 @@ type values: > =C2=A0 > =C2=A0KVM_XEN_VCPU_ATTR_TYPE_VCPU_INFO > =C2=A0=C2=A0 Sets the guest physical address of the vcpu_info for a given= vCPU. > +=C2=A0 The vcpu_info for the first 32 vCPUs defaults to the structures > +=C2=A0 embedded in the shared_info page. The above is true only if KVM has KVM_XEN_HVM_CONFIG_SHARED_INFO_HVA. You kind of touch on that next, but perhaps the 'if the KVM_...' condition should be moved up? > +=C2=A0 If the KVM_XEN_HVM_CONFIG_SHARED_INFO_HVA flag is also set in the > +=C2=A0 Xen capabilities then the VMM is not required to set this default > +=C2=A0 location; KVM will handle that internally. Otherwise this attribu= te > +=C2=A0 must be set for all vCPUs. > + > =C2=A0=C2=A0 As with the shared_info page for the VM, the corresponding p= age may be > =C2=A0=C2=A0 dirtied at any time if event channel interrupt delivery is e= nabled, so > =C2=A0=C2=A0 userspace should always assume that the page is dirty withou= t relying > =C2=A0=C2=A0 on dirty logging. Setting the gpa to KVM_XEN_INVALID_GPA wil= l disable > =C2=A0=C2=A0 the vcpu_info. > =C2=A0 > +=C2=A0 Note that, if the guest sets an explicit vcpu_info location in gu= est > +=C2=A0 memory then the VMM is expected to copy the content of the struct= ure > +=C2=A0 embedded in the shared_info page to the new location. It is there= fore > +=C2=A0 important that no event delivery is in progress at this time, oth= erwise > +=C2=A0 events may be missed. >=20 That's difficult. It means tearing down all interrupts from passthrough devices which are mapped via PIRQs, and also all IPIs.=20 The IPI code *should* be able to fall back to just letting the VMM handle the hypercall in userspace. But PIRQs are harder. I'd be happier if our plan =E2=80=94 handwavy though it may be =E2=80=94 led to being able= to use the existing slow path for delivering interrupts by just *invalidating* the cache. Maybe we *should* move the memcpy into the kernel, and let it lock *both* the shinfo and new vcpu_info caches while it's doing the copy? Given that that's the only valid transition, that shouldn't be so hard, should it? > =C2=A0KVM_XEN_VCPU_ATTR_TYPE_VCPU_TIME_INFO > =C2=A0=C2=A0 Sets the guest physical address of an additional pvclock str= ucture > =C2=A0=C2=A0 for a given vCPU. This is typically used for guest vsyscall = support. > diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c > index 459f3ca4710e..660a808c0b50 100644 > --- a/arch/x86/kvm/xen.c > +++ b/arch/x86/kvm/xen.c > @@ -491,6 +491,21 @@ static void kvm_xen_inject_vcpu_vector(struct kvm_vc= pu *v) > =C2=A0 > =C2=A0static struct gfn_to_pfn_cache *get_vcpu_info_cache(struct kvm_vcpu= *v, unsigned long *offset) > =C2=A0{ > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if (!v->arch.xen.vcpu_info_cac= he.active && v->arch.xen.vcpu_id < MAX_VIRT_CPUS) { > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0struct kvm *kvm =3D v->kvm; > + > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0if (offset) { > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if (IS_EN= ABLED(CONFIG_64BIT) && kvm->arch.xen.long_mode) > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0*offset =3D offsetof(struct shared_i= nfo, > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 vc= pu_info[v->arch.xen.vcpu_id]); > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0else > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0*offset =3D offsetof(struct compat_s= hared_info, > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 vc= pu_info[v->arch.xen.vcpu_id]); > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0} > + > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0return &kvm->arch.xen.shinfo_cache; > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0} > + > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if (offset) > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0*offset =3D 0; > =C2=A0 --=-74fRSbl1qn1ttLJDp1io Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Disposition: attachment; filename="smime.p7s" Content-Transfer-Encoding: base64 MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCCEkQw ggYQMIID+KADAgECAhBNlCwQ1DvglAnFgS06KwZPMA0GCSqGSIb3DQEBDAUAMIGIMQswCQYDVQQG EwJVUzETMBEGA1UECBMKTmV3IEplcnNleTEUMBIGA1UEBxMLSmVyc2V5IENpdHkxHjAcBgNVBAoT FVRoZSBVU0VSVFJVU1QgTmV0d29yazEuMCwGA1UEAxMlVVNFUlRydXN0IFJTQSBDZXJ0aWZpY2F0 aW9uIEF1dGhvcml0eTAeFw0xODExMDIwMDAwMDBaFw0zMDEyMzEyMzU5NTlaMIGWMQswCQYDVQQG EwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYD VQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50 aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC AQEAyjztlApB/975Rrno1jvm2pK/KxBOqhq8gr2+JhwpKirSzZxQgT9tlC7zl6hn1fXjSo5MqXUf ItMltrMaXqcESJuK8dtK56NCSrq4iDKaKq9NxOXFmqXX2zN8HHGjQ2b2Xv0v1L5Nk1MQPKA19xeW QcpGEGFUUd0kN+oHox+L9aV1rjfNiCj3bJk6kJaOPabPi2503nn/ITX5e8WfPnGw4VuZ79Khj1YB rf24k5Ee1sLTHsLtpiK9OjG4iQRBdq6Z/TlVx/hGAez5h36bBJMxqdHLpdwIUkTqT8se3ed0PewD ch/8kHPo5fZl5u1B0ecpq/sDN/5sCG52Ds+QU5O5EwIDAQABo4IBZDCCAWAwHwYDVR0jBBgwFoAU U3m/WqorSs9UgOHYm8Cd8rIDZsswHQYDVR0OBBYEFAnA8vwL2pTbX/4r36iZQs/J4K0AMA4GA1Ud DwEB/wQEAwIBhjASBgNVHRMBAf8ECDAGAQH/AgEAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF BQcDBDARBgNVHSAECjAIMAYGBFUdIAAwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2Vy dHJ1c3QuY29tL1VTRVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUF BwEBBGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdFJT QUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3QuY29tMA0G CSqGSIb3DQEBDAUAA4ICAQBBRHUAqznCFfXejpVtMnFojADdF9d6HBA4kMjjsb0XMZHztuOCtKF+ xswhh2GqkW5JQrM8zVlU+A2VP72Ky2nlRA1GwmIPgou74TZ/XTarHG8zdMSgaDrkVYzz1g3nIVO9 IHk96VwsacIvBF8JfqIs+8aWH2PfSUrNxP6Ys7U0sZYx4rXD6+cqFq/ZW5BUfClN/rhk2ddQXyn7 kkmka2RQb9d90nmNHdgKrwfQ49mQ2hWQNDkJJIXwKjYA6VUR/fZUFeCUisdDe/0ABLTI+jheXUV1 eoYV7lNwNBKpeHdNuO6Aacb533JlfeUHxvBz9OfYWUiXu09sMAviM11Q0DuMZ5760CdO2VnpsXP4 KxaYIhvqPqUMWqRdWyn7crItNkZeroXaecG03i3mM7dkiPaCkgocBg0EBYsbZDZ8bsG3a08LwEsL 1Ygz3SBsyECa0waq4hOf/Z85F2w2ZpXfP+w8q4ifwO90SGZZV+HR/Jh6rEaVPDRF/CEGVqR1hiuQ OZ1YL5ezMTX0ZSLwrymUE0pwi/KDaiYB15uswgeIAcA6JzPFf9pLkAFFWs1QNyN++niFhsM47qod x/PL+5jR87myx5uYdBEQkkDc+lKB1Wct6ucXqm2EmsaQ0M95QjTmy+rDWjkDYdw3Ms6mSWE3Bn7i 5ZgtwCLXgAIe5W8mybM2JzCCBhQwggT8oAMCAQICEQDGvhmWZ0DEAx0oURL6O6l+MA0GCSqGSIb3 DQEBCwUAMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD VQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNlY3RpZ28g UlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBMB4XDTIyMDEwNzAw MDAwMFoXDTI1MDEwNjIzNTk1OVowJDEiMCAGCSqGSIb3DQEJARYTZHdtdzJAaW5mcmFkZWFkLm9y ZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQ3GpC2bomUqk+91wLYBzDMcCj5C9m6 oZaHwvmIdXftOgTbCJXADo6G9T7BBAebw2JV38EINgKpy/ZHh7htyAkWYVoFsFPrwHounto8xTsy SSePMiPlmIdQ10BcVSXMUJ3Juu16GlWOnAMJY2oYfEzmE7uT9YgcBqKCo65pTFmOnR/VVbjJk4K2 xE34GC2nAdUQkPFuyaFisicc6HRMOYXPuF0DuwITEKnjxgNjP+qDrh0db7PAjO1D4d5ftfrsf+kd RR4gKVGSk8Tz2WwvtLAroJM4nXjNPIBJNT4w/FWWc/5qPHJy2U+eITZ5LLE5s45mX2oPFknWqxBo bQZ8a9dsZ3dSPZBvE9ZrmtFLrVrN4eo1jsXgAp1+p7bkfqd3BgBEmfsYWlBXO8rVXfvPgLs32VdV NZxb/CDWPqBsiYv0Hv3HPsz07j5b+/cVoWqyHDKzkaVbxfq/7auNVRmPB3v5SWEsH8xi4Bez2V9U KxfYCnqsjp8RaC2/khxKt0A552Eaxnz/4ly/2C7wkwTQnBmdlFYhAflWKQ03Ufiu8t3iBE3VJbc2 5oMrglj7TRZrmKq3CkbFnX0fyulB+kHimrt6PIWn7kgyl9aelIl6vtbhMA+l0nfrsORMa4kobqQ5 C5rveVgmcIad67EDa+UqEKy/GltUwlSh6xy+TrK1tzDvAgMBAAGjggHMMIIByDAfBgNVHSMEGDAW gBQJwPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQUzMeDMcimo0oz8o1R1Nver3ZVpSkwDgYD VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwQGCCsGAQUFBwMC MEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGln by5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9jcmwuc2VjdGlnby5jb20vU2VjdGln b1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1haWxDQS5jcmwwgYoGCCsGAQUFBwEB BH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBQ2xpZW50 QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29j c3Auc2VjdGlnby5jb20wHgYDVR0RBBcwFYETZHdtdzJAaW5mcmFkZWFkLm9yZzANBgkqhkiG9w0B AQsFAAOCAQEAyW6MUir5dm495teKqAQjDJwuFCi35h4xgnQvQ/fzPXmtR9t54rpmI2TfyvcKgOXp qa7BGXNFfh1JsqexVkIqZP9uWB2J+uVMD+XZEs/KYNNX2PvIlSPrzIB4Z2wyIGQpaPLlYflrrVFK v9CjT2zdqvy2maK7HKOQRt3BiJbVG5lRiwbbygldcALEV9ChWFfgSXvrWDZspnU3Gjw/rMHrGnql Htlyebp3pf3fSS9kzQ1FVtVIDrL6eqhTwJxe+pXSMMqFiN0whpBtXdyDjzBtQTaZJ7zTT/vlehc/ tDuqZwGHm/YJy883Ll+GP3NvOkgaRGWEuYWJJ6hFCkXYjyR9IzCCBhQwggT8oAMCAQICEQDGvhmW Z0DEAx0oURL6O6l+MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3Jl YXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0 ZWQxPjA8BgNVBAMTNVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJl IEVtYWlsIENBMB4XDTIyMDEwNzAwMDAwMFoXDTI1MDEwNjIzNTk1OVowJDEiMCAGCSqGSIb3DQEJ ARYTZHdtdzJAaW5mcmFkZWFkLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALQ3 GpC2bomUqk+91wLYBzDMcCj5C9m6oZaHwvmIdXftOgTbCJXADo6G9T7BBAebw2JV38EINgKpy/ZH h7htyAkWYVoFsFPrwHounto8xTsySSePMiPlmIdQ10BcVSXMUJ3Juu16GlWOnAMJY2oYfEzmE7uT 9YgcBqKCo65pTFmOnR/VVbjJk4K2xE34GC2nAdUQkPFuyaFisicc6HRMOYXPuF0DuwITEKnjxgNj P+qDrh0db7PAjO1D4d5ftfrsf+kdRR4gKVGSk8Tz2WwvtLAroJM4nXjNPIBJNT4w/FWWc/5qPHJy 2U+eITZ5LLE5s45mX2oPFknWqxBobQZ8a9dsZ3dSPZBvE9ZrmtFLrVrN4eo1jsXgAp1+p7bkfqd3 BgBEmfsYWlBXO8rVXfvPgLs32VdVNZxb/CDWPqBsiYv0Hv3HPsz07j5b+/cVoWqyHDKzkaVbxfq/ 7auNVRmPB3v5SWEsH8xi4Bez2V9UKxfYCnqsjp8RaC2/khxKt0A552Eaxnz/4ly/2C7wkwTQnBmd lFYhAflWKQ03Ufiu8t3iBE3VJbc25oMrglj7TRZrmKq3CkbFnX0fyulB+kHimrt6PIWn7kgyl9ae lIl6vtbhMA+l0nfrsORMa4kobqQ5C5rveVgmcIad67EDa+UqEKy/GltUwlSh6xy+TrK1tzDvAgMB AAGjggHMMIIByDAfBgNVHSMEGDAWgBQJwPL8C9qU21/+K9+omULPyeCtADAdBgNVHQ4EFgQUzMeD Mcimo0oz8o1R1Nver3ZVpSkwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw FAYIKwYBBQUHAwQGCCsGAQUFBwMCMEAGA1UdIAQ5MDcwNQYMKwYBBAGyMQECAQEBMCUwIwYIKwYB BQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMFoGA1UdHwRTMFEwT6BNoEuGSWh0dHA6Ly9j cmwuc2VjdGlnby5jb20vU2VjdGlnb1JTQUNsaWVudEF1dGhlbnRpY2F0aW9uYW5kU2VjdXJlRW1h aWxDQS5jcmwwgYoGCCsGAQUFBwEBBH4wfDBVBggrBgEFBQcwAoZJaHR0cDovL2NydC5zZWN0aWdv LmNvbS9TZWN0aWdvUlNBQ2xpZW50QXV0aGVudGljYXRpb25hbmRTZWN1cmVFbWFpbENBLmNydDAj BggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20wHgYDVR0RBBcwFYETZHdtdzJAaW5m cmFkZWFkLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAyW6MUir5dm495teKqAQjDJwuFCi35h4xgnQv Q/fzPXmtR9t54rpmI2TfyvcKgOXpqa7BGXNFfh1JsqexVkIqZP9uWB2J+uVMD+XZEs/KYNNX2PvI lSPrzIB4Z2wyIGQpaPLlYflrrVFKv9CjT2zdqvy2maK7HKOQRt3BiJbVG5lRiwbbygldcALEV9Ch WFfgSXvrWDZspnU3Gjw/rMHrGnqlHtlyebp3pf3fSS9kzQ1FVtVIDrL6eqhTwJxe+pXSMMqFiN0w hpBtXdyDjzBtQTaZJ7zTT/vlehc/tDuqZwGHm/YJy883Ll+GP3NvOkgaRGWEuYWJJ6hFCkXYjyR9 IzGCBMcwggTDAgEBMIGsMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVz dGVyMRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMT NVNlY3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhEA xr4ZlmdAxAMdKFES+jupfjANBglghkgBZQMEAgEFAKCCAeswGAYJKoZIhvcNAQkDMQsGCSqGSIb3 DQEHATAcBgkqhkiG9w0BCQUxDxcNMjMwOTE4MTYwNzI2WjAvBgkqhkiG9w0BCQQxIgQg3TgtqCUz QhM8AZymvZyBWJg/uWyvFkz8yerkyVySJ/Awgb0GCSsGAQQBgjcQBDGBrzCBrDCBljELMAkGA1UE BhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYG A1UEChMPU2VjdGlnbyBMaW1pdGVkMT4wPAYDVQQDEzVTZWN0aWdvIFJTQSBDbGllbnQgQXV0aGVu dGljYXRpb24gYW5kIFNlY3VyZSBFbWFpbCBDQQIRAMa+GZZnQMQDHShREvo7qX4wgb8GCyqGSIb3 DQEJEAILMYGvoIGsMIGWMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVy MRAwDgYDVQQHEwdTYWxmb3JkMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxPjA8BgNVBAMTNVNl Y3RpZ28gUlNBIENsaWVudCBBdXRoZW50aWNhdGlvbiBhbmQgU2VjdXJlIEVtYWlsIENBAhEAxr4Z lmdAxAMdKFES+jupfjANBgkqhkiG9w0BAQEFAASCAgA0gzydD5NrIDacQK9ixhdUyIiNn82Dy9WU d/iePxyRqKoGp5v5bETlwulPxxr9Jaxw2IcgdHTAcCksjcroqeNBvRlRPb4WI30NXpFIdZp8SM7H BLP1S8gyXQnDpbjLBEFiFPNHGD7BcGRrtH26NIEkjOej3HaeLpoHpqjlR1e9QAVRJm7Q47Qd0gIZ 9kUn6nts5rmtrz4ckYMVCDDQcLmAHY+3DYcZX+dj23l8+jZ6exBPsACF578QgBZeKiFmchrsKjSq 4gITH4J1+74mF5oYsvERO551VMgPSYrwJq8LcFylsDyH1+00Xd4B59OrqZ5yDRkA1HfeLD/XNKb5 jUYVBfwbuyTtUFricud6tpq7Ej9AXVWLLQPVuzMp1k/Q25QhbEFAmXl2DVIc/2lB6LcxLCbuw3Ek A27Y1Lh31KSSNSOUhKGP5IHUiF2pQUFA+oXkBgyKsktjYXCtZM+VMASaykdktnnGOYh6I+/K9nB3 TWbV/SqKAec2xYaWtD3sk0vOP3tZGai7R2KqXW/weRNb7+Tg4ZQxIzhK4OGMSgz4Pp6rWpENNFcW OPReG3NIeeNXypj5pPaBTlhxdQXxxhHD80mfaOuJpXwcge4sOQD9NUJdG0SbMpRMzc5FiMdwo15w iJGxOB4oJaO2z1yNulcqMkqgJpvU8PYzqibJYvb4pQAAAAAAAA== --=-74fRSbl1qn1ttLJDp1io--