Subject: Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures
From: Mimi Zohar
To: "Serge E. Hallyn"
Cc: Casey Schaufler, James Morris, Kees Cook, Paul Moore, linux-integrity, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, David Howells, "Luis R . Rodriguez", Eric Biederman, kexec@lists.infradead.org, Andres Rodriguez, Greg Kroah-Hartman, Ard Biesheuvel, Jessica Yu
Date: Mon, 04 Jun 2018 15:53:40 -0400
In-Reply-To: <20180604193215.GA13553@mail.hallyn.com>
References: <1527616920-5415-1-git-send-email-zohar@linux.vnet.ibm.com> <1528121025.3237.116.camel@linux.vnet.ibm.com> <20180604193215.GA13553@mail.hallyn.com>
Message-Id: <1528142020.3237.138.camel@linux.vnet.ibm.com>

On Mon, 2018-06-04 at 14:32 -0500, Serge E. Hallyn wrote:
> Quoting Mimi Zohar (zohar@linux.vnet.ibm.com):
> > On Tue, 2018-05-29 at 14:01 -0400, Mimi Zohar wrote:
> > > Instead of adding the security_kernel_read_file LSM hook - or defining a
> > > wrapper for security_kernel_read_file LSM hook and adding it, or
> > > renaming the existing hook to security_kernel_read_data() and adding it
> > > - in places where the kernel isn't reading a file, this version of the
> > > patch set defines a new LSM hook named security_kernel_load_data().
> > >
> > > The new LSM hook does not replace the existing security_kernel_read_file
> > > LSM hook, which is still needed, but defines a new LSM hook allowing
> > > LSMs and IMA-appraisal the opportunity to fail loading userspace
> > > provided file/data.
> > >
> > > The only difference between the two LSM hooks is the LSM hook name and a
> > > file descriptor. Whether this is cause enough for requiring a new LSM
> > > hook, is left to the security community.
> >
> > Paul does not have a preference as to adding a new LSM hook or calling
> > the existing hook. Either way is fine, as long as both the new and
> > existing hooks call the existing function.
> >
> > Casey didn't like the idea of a wrapper.
> > James suggested renaming the LSM hook.
> >
> > The maintainers for the callers of the LSM hook prefer a meaningful
> > LSM hook name. The "null" argument is not as much of a concern. Only
> > Eric seems to be asking for a separate, new LSM hook, without the
> > "null" argument.
> >
> > Unless someone really objects, to accommodate Eric we'll define a new
> > LSM hook named security_kernel_load_data. Eric, are you planning on
>
> I'm confused - isn't that what this patchset did? :)

Right. I'm trying to get consensus whether it is needed.

>
> > Ack'ing patches 1 & 2?
> >
> > Mimi