From: Oleksandr Tyshchenko
To: xen-devel@lists.xenproject.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, virtualization@lists.linux-foundation.org, x86@kernel.org
Cc: Oleksandr Tyshchenko, "Michael S. Tsirkin", Christoph Hellwig, Stefano Stabellini, Boris Ostrovsky, Juergen Gross, Julien Grall, Bertrand Marquis, Wei Chen, Henry Wang, Kaly Xin, Jiamei Xie, Alex Bennée
Subject: [PATCH V1 0/6] virtio: Solution to restrict memory access under Xen using xen-grant DMA-mapping layer
Date: Fri, 22 Apr 2022 19:50:57 +0300
Message-Id: <1650646263-22047-1-git-send-email-olekstysh@gmail.com>

From: Oleksandr Tyshchenko

Hello all.

The purpose of this patch series is to add support for restricting memory access under Xen using specific grant table [1] based DMA-mapping layer.
Patch series is based on Juergen Gross’ initial work [2] which implies using grant references instead of raw guest physical addresses (GPA) for the virtio communications (some kind of the software IOMMU).

You can find RFC patch series (and previous discussions) at [3].

The high level idea is to create new Xen’s grant table based DMA-mapping layer for the guest Linux whose main purpose is to provide a special 64-bit DMA address which is formed by using the grant reference (for a page to be shared with the backend) with offset and setting the highest address bit (this is for the backend to be able to distinguish grant ref based DMA address from normal GPA). For this to work we need the ability to allocate contiguous (consecutive) grant references for multi-page allocations. And the backend then needs to offer VIRTIO_F_ACCESS_PLATFORM and VIRTIO_F_VERSION_1 feature bits (it must support virtio-mmio modern transport for 64-bit addresses in the virtqueue).

Xen's grant mapping mechanism is the secure and safe solution to share pages between domains which has been proven to work and has worked for years (in the context of traditional Xen PV drivers for example). So far, the foreign mapping is used for the virtio backend to map and access guest memory. With the foreign mapping, the backend is able to map arbitrary pages from the guest memory (or even from Dom0 memory). And as a result, a malicious backend which runs in a non-trusted domain can take advantage of this. Instead, with the grant mapping the backend is only allowed to map pages which were explicitly granted by the guest before and nothing else. According to the discussions in various mainline threads this solution would likely be welcome because it perfectly fits in the security model Xen provides.

What is more, the grant table based solution requires zero changes to the Xen hypervisor itself at least with virtio-mmio and DT (in comparison, for example, with "foreign mapping + virtio-iommu" solution which would require the whole new complex emulator in hypervisor in addition to new functionality/hypercall to pass IOVA from the virtio backend running elsewhere to the hypervisor and translate it to the GPA before mapping into P2M or denying the foreign mapping request if no corresponding IOVA-GPA mapping present in the IOMMU page table for that particular device). We only need to update toolstack to insert a new "xen,dev-domid" property to the virtio-mmio device node when creating a guest device-tree (this is an indicator for the guest to use grants and the ID of Xen domain where the corresponding backend resides, it is used as an argument to the grant mapping APIs). It is worth mentioning that toolstack patch is based on the not yet upstreamed “Virtio support for toolstack on Arm” series which is on review now [4].

Please note the following:
- Patch series only covers Arm and virtio-mmio (device-tree) for now. To enable the restricted memory access
  feature on Arm the following option should be set:
  CONFIG_XEN_VIRTIO = y
- Some callbacks in xen-grant DMA-mapping layer (alloc_pages/free_pages, etc) are not implemented yet as they
  are not needed/used in the first prototype
- Xen should be built with the following options:
  CONFIG_IOREQ_SERVER=y
  CONFIG_EXPERT=y

Patch series is rebased on Linux 5.18-rc2 tag and tested on Renesas Salvator-X board + H3 ES3.0 SoC (Arm64) with standalone userspace (non-Qemu) virtio-mmio based virtio-disk backend running in Driver domain and Linux guest running on existing virtio-blk driver (frontend). No issues were observed. Guest domain 'reboot/destroy' use-cases work properly. I have also tested other use-cases such as assigning several virtio block devices or a mix of virtio and Xen PV block devices to the guest.
Patch series was build-tested on Arm32 and x86.

1. Xen changes located at (last patch):
https://github.com/otyshchenko1/xen/commits/libxl_virtio_next
2. Linux changes located at:
https://github.com/otyshchenko1/linux/commits/virtio_grant6
3. virtio-disk changes located at:
https://github.com/otyshchenko1/virtio-disk/commits/virtio_grant

Any feedback/help would be highly appreciated.

[1] https://xenbits.xenproject.org/docs/4.16-testing/misc/grant-tables.txt
[2] https://www.youtube.com/watch?v=IrlEdaIUDPk
[3] https://lore.kernel.org/xen-devel/1649963973-22879-1-git-send-email-olekstysh@gmail.com/
[4] https://lore.kernel.org/xen-devel/1649442065-8332-1-git-send-email-olekstysh@gmail.com/

Juergen Gross (2):
  xen/grants: support allocating consecutive grants
  xen/virtio: Add option to restrict memory access under Xen

Oleksandr Tyshchenko (4):
  arm/xen: Introduce xen_setup_dma_ops()
  dt-bindings: Add xen,dev-domid property description for xen-grant DMA ops
  xen/grant-dma-ops: Retrieve the ID of backend's domain for DT devices
  arm/xen: Assign xen-grant DMA ops for xen-grant DMA devices

 .../devicetree/bindings/arm/xen,dev-domid.yaml | 37 +++
 arch/arm/include/asm/xen/xen-ops.h | 1 +
 arch/arm/mm/dma-mapping.c | 7 +-
 arch/arm/xen/enlighten.c | 8 +
 arch/arm64/include/asm/xen/xen-ops.h | 1 +
 arch/arm64/mm/dma-mapping.c | 7 +-
 arch/x86/mm/init.c | 11 +
 arch/x86/mm/mem_encrypt.c | 5 -
 drivers/xen/Kconfig | 15 +
 drivers/xen/Makefile | 1 +
 drivers/xen/grant-dma-ops.c | 328 +++++++++++++++++++++
 drivers/xen/grant-table.c | 238 +++++++++++++--
 include/xen/arm/xen-ops.h | 20 ++
 include/xen/grant_table.h | 4 +
 include/xen/xen-ops.h | 13 +
 include/xen/xen.h | 5 +
 16 files changed, 654 insertions(+), 47 deletions(-)
 create mode 100644 Documentation/devicetree/bindings/arm/xen,dev-domid.yaml
 create mode 100644 arch/arm/include/asm/xen/xen-ops.h
 create mode 100644 arch/arm64/include/asm/xen/xen-ops.h
 create mode 100644 drivers/xen/grant-dma-ops.c
 create mode 100644 include/xen/arm/xen-ops.h

-- 
2.7.4
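
The address scheme described in the cover letter, as an added example that is not part of the original message or of the patch series: the frontend encodes a grant reference plus offset into a 64-bit DMA address with the highest bit set, and the backend decodes it into the run of consecutive grant references it may map, refusing raw GPAs. The layout below the top bit (grant reference shifted by a 4 KiB page shift, offset in the low 12 bits), the 32-bit grant reference width and all `ex_`/`EX_` names are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (illustrative): bit 63 = grant marker,
 * bits 62..12 = grant reference, bits 11..0 = offset in page. */
#define EX_PAGE_SHIFT 12
#define EX_PAGE_SIZE  (1ULL << EX_PAGE_SHIFT)
#define EX_GRANT_MARK (1ULL << 63)

typedef uint32_t ex_grant_ref_t;   /* hypothetical stand-in for grant_ref_t */

struct ex_grant_span {
    ex_grant_ref_t first_ref;      /* first of the consecutive references */
    uint32_t nr_refs;              /* number of pages the buffer touches */
    uint32_t offset;               /* offset into the first granted page */
};

/* Frontend: DMA address placed in the virtqueue for a buffer whose first
 * page was granted as first_ref (following pages use first_ref + 1, ...). */
static uint64_t ex_grant_to_dma(ex_grant_ref_t first_ref, uint32_t offset)
{
    return EX_GRANT_MARK | ((uint64_t)first_ref << EX_PAGE_SHIFT) |
           (offset & (EX_PAGE_SIZE - 1));
}

/* Frontend: how many consecutive grant references a buffer needs. */
static uint32_t ex_grants_needed(uint32_t offset, uint32_t len)
{
    uint64_t off = offset & (EX_PAGE_SIZE - 1);
    return (uint32_t)((off + len + EX_PAGE_SIZE - 1) >> EX_PAGE_SHIFT);
}

/* Backend: decode a descriptor address. Returns false for a raw GPA (top
 * bit clear), a zero length, or a span that leaves the grant reference
 * space; a restricted backend rejects these instead of falling back to
 * foreign mapping. The grant mapping call itself is out of scope here. */
static bool ex_dma_to_grants(uint64_t dma, uint64_t len,
                             struct ex_grant_span *out)
{
    if (!(dma & EX_GRANT_MARK) || len == 0)
        return false;

    uint64_t addr = dma & ~EX_GRANT_MARK;
    uint64_t first = addr >> EX_PAGE_SHIFT;
    uint64_t off = addr & (EX_PAGE_SIZE - 1);

    if (len > UINT64_MAX - off - (EX_PAGE_SIZE - 1))
        return false;                       /* length arithmetic would wrap */
    uint64_t nr = (off + len + EX_PAGE_SIZE - 1) >> EX_PAGE_SHIFT;
    if (first > UINT32_MAX || nr > UINT32_MAX || first + nr - 1 > UINT32_MAX)
        return false;                       /* outside the reference space */

    out->first_ref = (ex_grant_ref_t)first;
    out->nr_refs = (uint32_t)nr;
    out->offset = (uint32_t)off;
    return true;
}

int main(void)
{
    /* Constructed sample: 8 KiB buffer starting 0x10 bytes into grant 100. */
    uint64_t dma = ex_grant_to_dma(100, 0x10);
    struct ex_grant_span s;

    printf("dma=0x%016" PRIx64 "\n", dma);
    if (ex_dma_to_grants(dma, 8192, &s))
        printf("map refs %u..%u, offset %u\n", (unsigned)s.first_ref,
               (unsigned)(s.first_ref + s.nr_refs - 1), (unsigned)s.offset);
    printf("raw GPA accepted: %d\n", ex_dma_to_grants(0x40000000ULL, 4096, &s));
    return 0;
}
```

The multi-page case is why the series needs consecutive grant references: the backend derives every reference after the first by counting up from the one encoded in the address.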