From: Ahmad Fatoum
Subject: Re: [PATCH 2/3] KEYS: trusted: Introduce support for NXP DCP-based trusted keys
To: Richard Weinberger
Cc: "open list, ASYMMETRIC KEYS" , david , David Howells , davem , festevam , Herbert Xu , James Bottomley , James Morris , Jarkko Sakkinen , Jonathan Corbet , linux-arm-kernel , Linux Crypto Mailing List , Linux Doc Mailing List , linux-integrity , linux-kernel , LSM , Mimi Zohar , linux-imx , kernel , Sascha Hauer , "Serge E. Hallyn" , shawnguo
Date: Wed, 21 Jul 2021 19:17:59 +0200
Message-ID: <5c381015-64dc-039f-8bc2-3109dd3b9bf4@pengutronix.de>
In-Reply-To: <2032322938.25484.1626259466410.JavaMail.zimbra@nod.at>

Hello Richard,

On 14.07.21 12:44, Richard Weinberger wrote:
> Ahmad,
>
> ----- Original Message -----
>> From: "Ahmad Fatoum"
>
> [...]
>
> Sure, why not? It shows that you will also in future take care of it.

Good point. I did that for v3.

>
> [...]
>
>>> +} __packed;
>>> +
>>> +static bool use_otp_key;
>>> +module_param_named(dcp_use_otp_key, use_otp_key, bool, 0);
>>> +MODULE_PARM_DESC(dcp_use_otp_key, "Use OTP instead of UNIQUE key for sealing");
>>
>> Shouldn't these be documented in admin-guide/kernel-parameters.txt as well?
>
> Yes. Will do.
>
>>> +static bool skip_zk_test;
>>> +module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
>>> +MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are
>>> zero'ed");
>>
>> Does this need to be configurable? I'd assume this can only happen when using an
>> unfused OTP. In such a case, it's ok to always warn, so you don't need to make
>> this configurable.
>
> We found such a setting super useful while working with targets where the keys are
> zero'ed for various reasons.
> There are cases where you want to use/test trusted keys even when the master key
> is void. Our detection logic does not only print a warning, it refuses to load
> blobs. So IMHO the config knob makes sense.

Ah, I missed that it refuses to continue in that case.

>
>>> +
>>> +static unsigned int calc_blob_len(unsigned int payload_len)
>>> +{
>>> + return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
>>> +}
>>> +
>>> +static int do_dcp_crypto(u8 *in, u8 *out, bool is_encrypt)
>>
>> I assume in can't be const because the use with sg APIs?
>
> I'm pretty sure this was the main reason, but I can check again.
>
>>> +{
>>> + int res = 0;
>>> + struct skcipher_request *req = NULL;
>>> + DECLARE_CRYPTO_WAIT(wait);
>>> + struct scatterlist src_sg, dst_sg;
>>> + struct crypto_skcipher *tfm;
>>> + u8 paes_key[DCP_PAES_KEYSIZE];
>>> +
>>> + if (!use_otp_key)
>>
>> I'd invert this. Makes code easier to read.
>
> Ok. :-)
>
>>> + paes_key[0] = DCP_PAES_KEY_UNIQUE;
>>> + else
>>> + paes_key[0] = DCP_PAES_KEY_OTP;
>>> +
>>> + tfm = crypto_alloc_skcipher("ecb-paes-dcp", CRYPTO_ALG_INTERNAL,
>>> + CRYPTO_ALG_INTERNAL);
>>> + if (IS_ERR(tfm)) {
>>> + res = PTR_ERR(tfm);
>>> + pr_err("Unable to request DCP pAES-ECB cipher: %i\n", res);
>>
>> Can you define pr_fmt above? There's also %pe now that can directly print out an
>> error pointer.
>
> pr_fmt is not defined on purpose. include/keys/trusted-type.h defines already one
> and I assumed "trusted_key:" is the desired prefix for all kinds of trusted keys.

Ah, all good then. I didn't define it for CAAM either, but forgot why I didn't
along the way. May've been the same reason.

> [...]
>
>> - payload_len is at offset 33, but MIN_KEY_SIZE == 32 and there are no minimum
>>   size checks. Couldn't you read beyond the buffer this way?
>
> The key has a minimum size of MIN_KEY_SIZE, but p->blob (being struct trusted_key_payload->blob[MAX_BLOB_SIZE])
> is much larger.
> So the assumption is that a DCP blob will always be smaller than MAX_BLOB_SIZE.
>
>> - offset 33 is unaligned for payload_len. Please use get_unaligned_le32 here.
>
> Oh yes. Makes sense!
>
> [...]
>
>>
>> jfyi, in the prelude of my CAAM series, I made this the default
>> when .get_random == NULL.
>
> Right. :-)
>
> [...]
>
>>> + ret = do_dcp_crypto(buf, buf, true);
>>> + if (ret)
>>> + goto out;
>>> +
>>> + if (memcmp(buf, bad, AES_BLOCK_SIZE) == 0) {
>>> + pr_err("Device neither in secure nor trusted mode!\n");
>>
>> What's the difference between secure and trusted? Can't this test be skipped
>> if use_otp_key == false?
>
> DCP has many modes of operation. Secure is one level above trusted.
> For the gory details see "Security Reference Manual for the i.MX 6ULL Applications Processor".
> I'm not sure whether all information my manual describes is publicly available so I
> don't dare to copy&paste from it.
>
> As David and I understood the logic, both OTP and UNIQUE keys can be zero'ed.
> It is also possible that DCP has no support at all for these keys,
> then you'll also get a zero key. That's why we have this check here.

Thanks for the clarification.

Cheers,
Ahmad

>
> Thanks,
> //richard
>

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
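
Review bot: dcp_skip_zk_test switches off the zeroed-key detection, yet its MODULE_PARM_DESC ("Don't test whether device keys are zero'ed") does not say that blobs may then be sealed under an all-zero device key. Suggest stating that in the description and in admin-guide/kernel-parameters.txt, and logging a warning once when the parameter is set, so that a bring-up setting is visible if it ends up on a production command line.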
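
Review bot: in do_dcp_crypto() only paes_key[0] is assigned in the lines shown; if DCP_PAES_KEYSIZE is larger than one byte, the remainder of the array is uninitialized stack. Suggest "u8 paes_key[DCP_PAES_KEYSIZE] = {};" or a BUILD_BUG_ON that pins the size to 1. In the same region, calc_blob_len() adds payload_len to two constants in unsigned int with no bound, so callers should compare the result against the size of the blob buffer before using it.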
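
Review bot: the pr_err() after the memcmp() against bad says "Device neither in secure nor trusted mode!", but per the explanation given in this thread the same result also occurs when the OTP or UNIQUE key is zeroed or when the DCP does not support these keys at all. Suggest a message that names the selected key (OTP or UNIQUE) and says it reads as zero, plus a short comment above the check recording that reasoning.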
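
The minimum-size and unaligned-read points raised in the thread, as an added user-space example that is not code from the patch or from the kernel. The only layout fact taken from the thread is that payload_len sits at byte offset 33; the 4-byte little-endian width follows the get_unaligned_le32 suggestion, and AUTH_LEN, MAX_BLOB and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAYLOAD_LEN_OFF 33u                    /* from the thread */
#define HDR_LEN         (PAYLOAD_LEN_OFF + 4u) /* assumed: le32 ends the header */
#define AUTH_LEN        16u                    /* hypothetical trailer size */
#define MAX_BLOB        512u                   /* hypothetical buffer size */

/* Byte-wise read: safe at any alignment, independent of host endianness. */
static uint32_t read_le32_unaligned(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/*
 * Validate the received length first, then read the length field, then
 * require that the field agrees with the received length.
 * Returns 0 and stores the payload length, or -1 on a malformed blob.
 */
static int blob_payload_len(const uint8_t *blob, size_t blob_len, uint32_t *out)
{
	uint32_t plen;

	if (blob_len < HDR_LEN + AUTH_LEN || blob_len > MAX_BLOB)
		return -1;	/* too short to contain the field, or too long */
	plen = read_le32_unaligned(blob + PAYLOAD_LEN_OFF);
	if (plen != blob_len - HDR_LEN - AUTH_LEN)
		return -1;	/* field disagrees with what was received */
	*out = plen;
	return 0;
}

/* Build a constructed sample blob and return its payload length or -1. */
static long check_sample(size_t blob_len, uint32_t claimed)
{
	uint8_t buf[MAX_BLOB] = {0};
	uint32_t plen;
	unsigned int i;

	if (blob_len > MAX_BLOB)
		return -1;
	if (blob_len >= HDR_LEN)
		for (i = 0; i < 4; i++)
			buf[PAYLOAD_LEN_OFF + i] = (uint8_t)(claimed >> (8 * i));
	return blob_payload_len(buf, blob_len, &plen) ? -1 : (long)plen;
}

int main(void)
{
	printf("32-byte blob:          %ld\n", check_sample(32, 0));
	printf("61-byte blob, len 8:   %ld\n", check_sample(61, 8));
	printf("61-byte blob, bad len: %ld\n", check_sample(61, 0xFFFFFFF0u));
	return 0;
}
```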