From: Richard Weinberger
To: Ahmad Fatoum
Cc: "open list, ASYMMETRIC KEYS", david, David Howells, davem, festevam, Herbert Xu, James Bottomley, James Morris, Jarkko Sakkinen, Jonathan Corbet, linux-arm-kernel, Linux Crypto Mailing List, Linux Doc Mailing List, linux-integrity, linux-kernel, LSM, Mimi Zohar, linux-imx, kernel, Sascha Hauer, "Serge E. Hallyn", shawnguo
Date: Wed, 14 Jul 2021 12:44:26 +0200 (CEST)
Subject: Re: [PATCH 2/3] KEYS: trusted: Introduce support for NXP DCP-based trusted keys
Message-ID: <2032322938.25484.1626259466410.JavaMail.zimbra@nod.at>
In-Reply-To: <714571a1-e8dd-3417-b5ab-2a6d611fb3ee@pengutronix.de>
References: <20210614201620.30451-1-richard@nod.at> <20210614201620.30451-3-richard@nod.at> <714571a1-e8dd-3417-b5ab-2a6d611fb3ee@pengutronix.de>
X-Mailing-List: linux-crypto@vger.kernel.org

Ahmad,

----- Original Mail -----
> From: "Ahmad Fatoum"

[...]

>> /*
>>  * struct dcp_blob_fmt - DCP BLOB format.
>>  *
>>  * @fmt_version: Format version, currently being %1
>>  * @blob_key: Random AES 128 key which is used to encrypt @payload,
>>  *            @blob_key itself is encrypted with OTP or UNIQUE device key in
>>  *            AES-128-ECB mode by DCP.
>>  * @nonce: Random nonce used for @payload encryption.
>>  * @payload_len: Length of the plain text @payload.
>>  * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
>>  *           GCM auth tag of size AES_BLOCK_SIZE is attached at the end of it.
>>  *
>>  * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
>>  * AES_BLOCK_SIZE.
>>  */
>> struct dcp_blob_fmt {
>> 	__u8 fmt_version;
>> 	__u8 blob_key[AES_KEYSIZE_128];
>> 	__u8 nonce[AES_KEYSIZE_128];
>> 	__le32 payload_len;
>> 	__u8 payload[0];
>
> There's been ongoing effort to replace the [0] GNU extension with C99
> flexible array members. Please use [] here as well.

Makes sense!

[...]

>> +KEYS-TRUSTED-DCP
>> +M:	David Gstir
>> +M:	Richard Weinberger
>> +L:	linux-integrity@vger.kernel.org
>> +L:	keyrings@vger.kernel.org
>> +S:	Supported
>> +F:	include/keys/trusted_dcp.h
>> +F:	security/keys/trusted-keys/trusted_dcp.c
>
> Hmm, I didn't add a MAINTAINERS entry for CAAM trusted keys. Do you think I
> should?

Sure, why not? It shows that you will also take care of it in the future.

[...]

>> +} __packed;
>> +
>> +static bool use_otp_key;
>> +module_param_named(dcp_use_otp_key, use_otp_key, bool, 0);
>> +MODULE_PARM_DESC(dcp_use_otp_key, "Use OTP instead of UNIQUE key for sealing");
>
> Shouldn't these be documented in admin-guide/kernel-parameters.txt as well?

Yes. Will do.

>> +static bool skip_zk_test;
>> +module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
>> +MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are zero'ed");
>
> Does this need to be configurable? I'd assume this can only happen when using an
> unfused OTP. In such a case, it's ok to always warn, so you don't need to make
> this configurable.

We found such a setting super useful while working with targets where the keys are
zero'ed for various reasons.
There are cases where you want to use/test trusted keys even when the master key
is void. Our detection logic does not only print a warning, it refuses to load
blobs. So IMHO the config knob makes sense.

>> +
>> +static unsigned int calc_blob_len(unsigned int payload_len)
>> +{
>> +	return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
>> +}
>> +
>> +static int do_dcp_crypto(u8 *in, u8 *out, bool is_encrypt)
>
> I assume in can't be const because of the use with sg APIs?
I'm pretty sure this was the main reason, but I can check again.

>> +{
>> +	int res = 0;
>> +	struct skcipher_request *req = NULL;
>> +	DECLARE_CRYPTO_WAIT(wait);
>> +	struct scatterlist src_sg, dst_sg;
>> +	struct crypto_skcipher *tfm;
>> +	u8 paes_key[DCP_PAES_KEYSIZE];
>> +
>> +	if (!use_otp_key)
>
> I'd invert this. Makes code easier to read.

Ok. :-)

>> +		paes_key[0] = DCP_PAES_KEY_UNIQUE;
>> +	else
>> +		paes_key[0] = DCP_PAES_KEY_OTP;
>> +
>> +	tfm = crypto_alloc_skcipher("ecb-paes-dcp", CRYPTO_ALG_INTERNAL,
>> +				    CRYPTO_ALG_INTERNAL);
>> +	if (IS_ERR(tfm)) {
>> +		res = PTR_ERR(tfm);
>> +		pr_err("Unable to request DCP pAES-ECB cipher: %i\n", res);
>
> Can you define pr_fmt above? There's also %pe now that can directly print out an
> error pointer.

pr_fmt is not defined on purpose. include/keys/trusted-type.h already defines one,
and I assumed "trusted_key:" is the desired prefix for all kinds of trusted keys.

[...]

> - payload_len is at offset 33, but MIN_KEY_SIZE == 32 and there are no minimum
>   size checks. Couldn't you read beyond the buffer this way?

The key has a minimum size of MIN_KEY_SIZE, but p->blob (being struct
trusted_key_payload->blob[MAX_BLOB_SIZE]) is much larger.
So the assumption is that a DCP blob will always be smaller than MAX_BLOB_SIZE.

> - offset 33 is unaligned for payload_len. Please use get_unaligned_le32 here.

Oh yes. Makes sense!

[...]

>
> jfyi, in the prelude of my CAAM series, I made this the default
> when .get_random == NULL.

Right. :-)

[...]

>> +	ret = do_dcp_crypto(buf, buf, true);
>> +	if (ret)
>> +		goto out;
>> +
>> +	if (memcmp(buf, bad, AES_BLOCK_SIZE) == 0) {
>> +		pr_err("Device neither in secure nor trusted mode!\n");
>
> What's the difference between secure and trusted? Can't this test be skipped
> if use_otp_key == false?

DCP has many modes of operation. Secure is one level above trusted.
For the gory details see "Security Reference Manual for the i.MX 6ULL Applications Processor".
I'm not sure whether all information my manual describes is publicly available, so I
don't dare to copy&paste from it.

As David and I understood the logic, both OTP and UNIQUE keys can be zero'ed.
It is also possible that DCP has no support at all for these keys,
then you'll also get a zero key. That's why we have this check here.

Thanks,
//richard
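Review bot: calc_blob_len() adds a blob-supplied payload_len to sizeof(struct dcp_blob_fmt) and DCP_BLOB_AUTHLEN in unsigned int with no upper bound, so a payload_len near UINT_MAX wraps to a small total, and the argument above that p->blob is MAX_BLOB_SIZE only guarantees the 37-byte header can be read, not that payload_len bytes plus the tag are really present. Before trusting the field, require that sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN equals the blob length actually loaded (and is at most MAX_BLOB_SIZE), and read it with get_unaligned_le32() as already agreed; that single check rules out both the wrap-around and the over-read Ahmad asked about.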
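Review bot: in do_dcp_crypto() only paes_key[0] is ever written; the remaining DCP_PAES_KEYSIZE - 1 bytes of the stack array are left uninitialised in the quoted lines, so whatever later consumes paes_key as the pAES key receives stack garbage in those bytes. Declare it as `u8 paes_key[DCP_PAES_KEYSIZE] = {};` (or memset() it before the selector assignment) so the key material handed to the cipher is fully defined, and keep that assignment after inverting the use_otp_key test as suggested.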
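Review bot: the zero-key check refuses to load blobs when memcmp(buf, bad, AES_BLOCK_SIZE) matches, but the message "Device neither in secure nor trusted mode!" does not say what was detected, which according to the reply is a zeroed OTP/UNIQUE key or a DCP with no support for these keys at all; let the message name the zeroed device key so an operator knows why sealing and unsealing fail. When dcp_skip_zk_test bypasses the check, still emit a pr_warn() that blobs are being sealed under a zero device key, so the insecure configuration is visible in the log rather than silent.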
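The blob layout quoted in the thread, parsed with the checks the review asks for, as an added example that is neither the patch's code nor part of the mailing-list message: a userspace C stand-in for the kernel structures that enforces a size floor before touching the length field, reads payload_len at offset 33 with an unaligned little-endian load, and refuses any length that would wrap calc_blob_len() or describe more bytes than the blob buffer holds. MAX_BLOB_SIZE = 512 is an assumed value for the example, the sample blob is constructed from marker bytes rather than real DCP key wrapping or AES-GCM output, and the error enum, view struct and scenario helper are mine, not names from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the quoted patch; MAX_BLOB_SIZE is an assumed value for this example. */
#define AES_KEYSIZE_128  16
#define AES_BLOCK_SIZE   16
#define DCP_BLOB_AUTHLEN AES_BLOCK_SIZE
#define DCP_BLOB_VERSION 1
#define MAX_BLOB_SIZE    512

/* Wire layout from the quoted struct, with a C99 flexible array member.
 * Byte offsets: fmt_version 0, blob_key 1, nonce 17, payload_len 33, payload 37. */
struct __attribute__((packed)) dcp_blob_fmt {
	uint8_t  fmt_version;
	uint8_t  blob_key[AES_KEYSIZE_128];
	uint8_t  nonce[AES_KEYSIZE_128];
	uint32_t payload_len;	/* little-endian and unaligned: never dereference directly */
	uint8_t  payload[];	/* payload_len bytes of ciphertext, then a 16-byte GCM tag */
};
#define DCP_BLOB_HDR_LEN sizeof(struct dcp_blob_fmt)	/* 37 */

enum dcp_blob_err { DCP_OK = 0, DCP_ETOOSHORT, DCP_EVERSION, DCP_ETOOBIG, DCP_ELENGTH };
struct dcp_blob_view { const uint8_t *payload, *tag; uint32_t payload_len; };

/* Userspace stand-in for the kernel's get_unaligned_le32(). */
static uint32_t get_unaligned_le32(const void *p)
{
	const uint8_t *b = p;
	return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* calc_blob_len() from the patch, but refusing any payload_len that cannot fit in MAX_BLOB_SIZE. */
static int calc_blob_len_checked(uint32_t payload_len, size_t *total)
{
	if (payload_len > MAX_BLOB_SIZE - DCP_BLOB_HDR_LEN - DCP_BLOB_AUTHLEN)	/* > 459 */
		return -1;
	*total = DCP_BLOB_HDR_LEN + payload_len + DCP_BLOB_AUTHLEN;	/* cannot wrap now */
	return 0;
}

/* Validate a blob of blob_len bytes and locate its payload and GCM tag. */
static enum dcp_blob_err dcp_blob_parse(const uint8_t *blob, size_t blob_len, struct dcp_blob_view *v)
{
	size_t total;
	uint32_t plen;
	/* Size floor first: header plus tag must exist before payload_len at offset 33 is read. */
	if (blob_len < DCP_BLOB_HDR_LEN + DCP_BLOB_AUTHLEN)
		return DCP_ETOOSHORT;
	if (blob[offsetof(struct dcp_blob_fmt, fmt_version)] != DCP_BLOB_VERSION)
		return DCP_EVERSION;
	plen = get_unaligned_le32(blob + offsetof(struct dcp_blob_fmt, payload_len));
	if (calc_blob_len_checked(plen, &total))
		return DCP_ETOOBIG;
	if (total != blob_len)	/* the declared length must match exactly what we were given */
		return DCP_ELENGTH;
	v->payload = blob + DCP_BLOB_HDR_LEN;
	v->payload_len = plen;
	v->tag = v->payload + plen;
	return DCP_OK;
}

/* Constructed sample blob: marker bytes stand in for the wrapped key, GCM ciphertext and tag;
 * declared_len goes into the header so a corrupted length can differ from the real_len bytes. */
static size_t build_sample_blob(uint8_t *out, size_t cap, uint32_t real_len, uint32_t declared_len)
{
	size_t total = DCP_BLOB_HDR_LEN + real_len + DCP_BLOB_AUTHLEN;
	uint8_t *len = out + offsetof(struct dcp_blob_fmt, payload_len);
	if (total > cap)
		return 0;
	out[0] = DCP_BLOB_VERSION;
	memset(out + offsetof(struct dcp_blob_fmt, blob_key), 0xAA, AES_KEYSIZE_128);
	memset(out + offsetof(struct dcp_blob_fmt, nonce), 0xBB, AES_KEYSIZE_128);
	len[0] = declared_len; len[1] = declared_len >> 8;	/* put_unaligned_le32() by hand */
	len[2] = declared_len >> 16; len[3] = declared_len >> 24;
	memset(out + DCP_BLOB_HDR_LEN, 0xCC, real_len);
	memset(out + DCP_BLOB_HDR_LEN + real_len, 0xDD, DCP_BLOB_AUTHLEN);
	return total;
}

static uint8_t g_blob[MAX_BLOB_SIZE];
static struct dcp_blob_view g_view;

/* Build a blob carrying real_len payload bytes but declaring declared_len, then hand at most
 * view_len bytes to the parser; on DCP_OK, g_view holds the located fields. */
static enum dcp_blob_err run_scenario(uint32_t real_len, uint32_t declared_len, size_t view_len)
{
	size_t n = build_sample_blob(g_blob, sizeof(g_blob), real_len, declared_len);
	memset(&g_view, 0, sizeof(g_view));
	if (n == 0)
		return DCP_ETOOBIG;
	return dcp_blob_parse(g_blob, view_len < n ? view_len : n, &g_view);
}

int main(void)
{
	printf("well-formed 32-byte payload: %d\n", run_scenario(32, 32, SIZE_MAX));
	printf("truncated to 36 bytes:       %d\n", run_scenario(32, 32, 36));
	printf("payload_len = 0xffffffff:    %d\n", run_scenario(32, 0xFFFFFFFFu, SIZE_MAX));
	printf("declares 33, carries 32:     %d\n", run_scenario(32, 33, SIZE_MAX));
	return 0;
}
```

The validation order (size floor, version, bounded length, exact total) is the one an unseal path would run before passing the payload and tag to AES-GCM; checking that the declared total equals the bytes actually loaded is what makes the later reads of payload and tag safe regardless of how large p->blob is.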