From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yb1-f202.google.com (mail-yb1-f202.google.com [209.85.219.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F8B8612E for ; Tue, 30 Aug 2022 23:31:33 +0000 (UTC) Received: by mail-yb1-f202.google.com with SMTP id k13-20020a056902024d00b0066fa7f50b97so866676ybs.6 for ; Tue, 30 Aug 2022 16:31:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:from:subject:mime-version :message-id:date:from:to:cc:subject:date; bh=wxlH8xA4LQR+FV13439fFhyozXQfxG9gvwfZcr+I1X0=; b=POkRmE8aafNm3/PH1cboLlP54QAN+TftgHR2R3yH3TEjt/IbATtHEOBs2o7UdzeK17 kbSiAnR1xP4j8t5uhQfvb1HlcNbqpBy1lytzSHagEtln9V/DUFfo86yfLMiRSoGAztfo 6go6vl5eC3Rny22uzHfnw3KDRWxub0NmRUzqi30P62k7CkKWhUyc3/JIqbEZytQHEkoP ITbmIQ10Mi+p+M3Hsi34M205D5kGCpDCNmmig9PSsef8dERWCQngnBFI/g+j2AmzRDsy FiKEGHBBOA+eXFtB24NUPB9SMT38hcAm2PpHziHG8SOIhNX6xmE3e7QZTFcoph+B538p iP6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:from:subject:mime-version :message-id:date:x-gm-message-state:from:to:cc:subject:date; bh=wxlH8xA4LQR+FV13439fFhyozXQfxG9gvwfZcr+I1X0=; b=Rc5qGDgXHxNESvv4QlWCM6kYnu1cCyYt3rnyK11gFJ80ukqBsI23YDBKqVLegElIQB K+4IH+x/GYl9UrNkT8hBsv8sTRhWsP8T5OtZpPDp6ktm8I3NIdkRFUYTe+YoTQM/aN4p BOFZcmCgim3oWL+3g5J+VG6YantSMocbnnq0zZ+FbhTsAJ4OHTlpki0/OnqrQWvGYnWj j8h0HG0KBqTLciYGRI8kT/h5O/RoFIPY2HUVNUwS+bMNTsNeXjB14VE5dYGe4L6M7KQB TLhsaG9eEHc463MHdIrEJjIBFZcWUeY3jiSjSsI08WiKxqVinQoa1ugKmNyl+B0QeAty 4jlw== X-Gm-Message-State: ACgBeo1Q0Gvqivz3yWjCk13aDOiwntAkT9Bl3yhfcTheuTaMwvfVNNKa XW2CfxcyyOMJxCTYGMfgTuHp1VnIu4JrW8z6WHo= X-Google-Smtp-Source: AA6agR4v2PVJmqWWFyBdaFu4zQQGW908XZpcVafT7sRMHM37DM1+c6YtP3ux8jCwgh/EkSwhtoz8ePlg9kkGk0yAPLk= X-Received: from samitolvanen1.mtv.corp.google.com ([2620:15c:201:2:54d9:7143:6a7d:91d]) (user=samitolvanen job=sendgmr) by 2002:a81:77c4:0:b0:33f:20dc:e694 with SMTP id s187-20020a8177c4000000b0033f20dce694mr15958230ywc.395.1661902292327; Tue, 30 Aug 2022 16:31:32 -0700 (PDT) Date: Tue, 30 Aug 2022 16:31:08 -0700 Message-Id: <20220830233129.30610-1-samitolvanen@google.com> Precedence: bulk X-Mailing-List: llvm@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 X-Developer-Key: i=samitolvanen@google.com; a=openpgp; fpr=35CCFB63B283D6D3AEB783944CB5F6848BBC56EE X-Developer-Signature: v=1; a=openpgp-sha256; l=7686; i=samitolvanen@google.com; h=from:subject; bh=9FeElwC34gkH48qe7/HORXxbE8G1sjqjDa+3EzwhFyw=; b=owEB7QES/pANAwAKAUy19oSLvFbuAcsmYgBjDp3Lx50pzG9GxQ7I/Weg1LhkuJn0JlTvJ2dPDsbI VH+16Q+JAbMEAAEKAB0WIQQ1zPtjsoPW0663g5RMtfaEi7xW7gUCYw6dywAKCRBMtfaEi7xW7usrC/ 49i1iNgi+cLrnUgBqADncpVCZSjFRHwv3rMy/FjWehIMep/CKfe2q5s2Afdeh1WtEw3+a7p8J5sU5e /DgnzJAggkEFoJujwMm6VWjBB5nmjtwLnhGaLyXN36Pg0dE2f/M+pj63IQ6rb4hYGORpB1RTj6yuJG 392x9DetVVk6S8dn/1gkTA1MbqYS0m41SbI+F5vZ5ZF9lmQkezM0+jeBBPJ0ycOL+WEMMDFg8IxqGH twbJSMEWigzxECjQBdOCV5YAoS1+zaRKSOQMeCUjEUfr7tf/gCT083hUgvrX+pU+t6aE014nXa15n9 BNONcGdJmLf25s9hLZbr3HcC56vbUNqZ1tta/9evYmfz981PfPF09+/mNnMJPtJzfuLAWxHKM9LPTj QxQDIHHYBPVptznB4ihLnrtJE6BA1VLAL7l7B4HSSPmZeubsCsGTh7FLoJb6MJQgjeRH5H8jVi0Nop P6S1XaUMHURYhJgn10atIHGAUQLkCCoTpIjWl/B7dBXu0= X-Mailer: git-send-email 2.37.2.672.g94769d06f0-goog Subject: [PATCH v4 00/21] KCFI support From: Sami Tolvanen To: linux-kernel@vger.kernel.org Cc: Kees Cook , Josh Poimboeuf , Peter Zijlstra , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev, Sami Tolvanen Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable KCFI is a forward-edge control-flow integrity scheme in the upcoming Clang 16 release, which is more suitable for kernel use than the existing CFI scheme used by CONFIG_CFI_CLANG. KCFI doesn't require LTO, doesn't alter function references to point to a jump table, and won't break function address equality. This series replaces the current arm64 CFI implementation with KCFI and adds support for x86_64. KCFI requires assembly functions that are indirectly called from C code to be annotated with type identifiers. As type information is only available in C, the compiler emits expected type identifiers into the symbol table, so they can be referenced from assembly without having to hardcode type hashes. Patch 6 adds helper macros for annotating functions, and patches 9 and 19 add annotations. In case of a type mismatch, KCFI always traps. To support error handling, the compiler generates a .kcfi_traps section for x86_64, which contains the locations of each trap, and for arm64, encodes the necessary register information to the ESR. Patches 10 and 21 add arch-specific error handlers. To test this series, you'll a ToT Clang toolchain. The series is also available in GitHub: https://github.com/samitolvanen/linux/commits/kcfi-v4 --- Changes in v4: - Dropped the RFC now that Clang support is merged. - Changed the x86_64 function preamble to match the the preamble generated by the compiler, and fixed a code generation issue, which Peter pointed out. - Added a patch to fix arm64 psci_initcall_t type mismatch based on Mark's suggestion. Changes in v3: - Merged the patches that split CC_FLAGS_CFI from CC_FLAGS_LTO. - Dropped the psci_initcall_t patch as Mark volunteered to send a patch for this. Note that this patch is still needed to boot a CFI kernel on certain arm64 systems: https://lore.kernel.org/lkml/YoNhKaTT3EDukxXY@FVFF77S0Q05N/ - Added a patch to remove the now unnecessary workarounds with CFI+ThinLTO in kallsyms. - Added an lkdtm patch to ensure the test actually generates an indirect call. - Changed report_cfi_failure to clearly indicate if we failed to decode target address. - Switched to relative offsets for .kcfi_traps. - On x86_64, moved CFI error handling from traps.c to cfi.c, and as we only call memcpy indirectly w/ CONFIG_MODULES, ensured that the compiler emits __kcfi_typeid_memcpy also without modules. - On x86_64, added a check for the cmpl REX prefix to handle the case where the compiler might not use r8-r15 registers for the call target. - On the compiler side, ensured that on x86_64 calls are emitted immediately after the CFI check, fixed the __cfi_ preamble linkage, and changed the compiler to emit relative offsets in .kcfi_traps. Changes in v2: - Changed the compiler patch to encode arm64 target and type details in the ESR, and updated the kernel error handling patch accordingly. - Changed the compiler patch to embed the x86_64 type hash in a valid instruction to avoid special casing objtool instruction decoding, and added a __cfi_ symbol for the preamble. Changed the kernel error handling and manual type annotations to match. - Dropped the .kcfi_types section as that=E2=80=99s no longer needed by objtool, and changed the objtool patch to simply ignore the __cfi_ preambles falling through. - Dropped the .kcfi_traps section on arm64 as it=E2=80=99s no longer needed= , and moved the trap look-up code behind CONFIG_ARCH_USES_CFI_TRAPS, which is selected only for x86_64. - Dropped __nocfi attributes from arm64 code where CFI was disabled due to address space confusion issues, and added type annotations to relevant assembly functions. - Dropped __nocfi from __init. Sami Tolvanen (21): treewide: Filter out CC_FLAGS_CFI scripts/kallsyms: Ignore __kcfi_typeid_ cfi: Remove CONFIG_CFI_CLANG_SHADOW cfi: Drop __CFI_ADDRESSABLE cfi: Switch to -fsanitize=3Dkcfi cfi: Add type helper macros lkdtm: Emit an indirect call for CFI tests psci: Fix the function type for psci_initcall_t arm64: Add types to indirect called assembly functions arm64: Add CFI error handling arm64: Drop unneeded __nocfi attributes init: Drop __nocfi from __init treewide: Drop function_nocfi treewide: Drop WARN_ON_FUNCTION_MISMATCH treewide: Drop __cficanonical objtool: Disable CFI warnings kallsyms: Drop CONFIG_CFI_CLANG workarounds x86/tools/relocs: Ignore __kcfi_typeid_ relocations x86: Add types to indirectly called assembly functions x86/purgatory: Disable CFI x86: Add support for CONFIG_CFI_CLANG Makefile | 13 +- arch/Kconfig | 18 +- arch/arm64/crypto/ghash-ce-core.S | 5 +- arch/arm64/crypto/sm3-ce-core.S | 3 +- arch/arm64/include/asm/brk-imm.h | 6 + arch/arm64/include/asm/ftrace.h | 2 +- arch/arm64/include/asm/mmu_context.h | 4 +- arch/arm64/kernel/acpi_parking_protocol.c | 2 +- arch/arm64/kernel/alternative.c | 2 +- arch/arm64/kernel/cpu-reset.S | 5 +- arch/arm64/kernel/cpufeature.c | 4 +- arch/arm64/kernel/ftrace.c | 2 +- arch/arm64/kernel/machine_kexec.c | 2 +- arch/arm64/kernel/psci.c | 2 +- arch/arm64/kernel/smp_spin_table.c | 2 +- arch/arm64/kernel/traps.c | 47 ++- arch/arm64/kernel/vdso/Makefile | 3 +- arch/arm64/mm/proc.S | 5 +- arch/x86/Kconfig | 2 + arch/x86/crypto/blowfish-x86_64-asm_64.S | 5 +- arch/x86/entry/vdso/Makefile | 3 +- arch/x86/include/asm/cfi.h | 22 ++ arch/x86/include/asm/linkage.h | 9 + arch/x86/kernel/Makefile | 2 + arch/x86/kernel/cfi.c | 85 ++++++ arch/x86/kernel/traps.c | 4 +- arch/x86/lib/memcpy_64.S | 3 +- arch/x86/purgatory/Makefile | 4 + arch/x86/tools/relocs.c | 1 + drivers/firmware/efi/libstub/Makefile | 2 + drivers/firmware/psci/psci.c | 12 +- drivers/misc/lkdtm/cfi.c | 15 +- drivers/misc/lkdtm/usercopy.c | 2 +- include/asm-generic/bug.h | 16 - include/asm-generic/vmlinux.lds.h | 37 +-- include/linux/cfi.h | 59 ++-- include/linux/cfi_types.h | 57 ++++ include/linux/compiler-clang.h | 14 +- include/linux/compiler.h | 16 +- include/linux/compiler_types.h | 4 - include/linux/init.h | 6 +- include/linux/module.h | 10 +- include/linux/pci.h | 4 +- kernel/cfi.c | 352 ++++------------------ kernel/kallsyms.c | 17 -- kernel/kthread.c | 3 +- kernel/module/main.c | 50 +-- kernel/workqueue.c | 2 +- scripts/kallsyms.c | 1 + scripts/module.lds.S | 23 +- tools/objtool/check.c | 7 +- 51 files changed, 423 insertions(+), 553 deletions(-) create mode 100644 arch/x86/include/asm/cfi.h create mode 100644 arch/x86/kernel/cfi.c create mode 100644 include/linux/cfi_types.h base-commit: dcf8e5633e2e69ad60b730ab5905608b756a032f --=20 2.37.2.672.g94769d06f0-goog From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9C988ECAAD4 for ; Tue, 30 Aug 2022 23:32:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:Cc:To:From:Subject:Mime-Version: Message-Id:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=creLgdx3V9cubbodYJPoqPVw6GKlZYjZjm4geK5ZHs8=; b=n1D oBj/Kj1XpLe0tH6V197jktGN3z1Qm6ciecvqBxzo/Z8mJU0rPo1JGD3LByjjkSldu/c7a4O7MIT0+ GkSiQ8m3e6qd1pgicAP7FAR6VvOejOowOjpZN04JnDgbelFqzwYe07sRsB3tM/TnK8T7jJ3V5WK/y +3UraWhifdlCWKbR/tOMHZsESjOvPELJNAsM0DWT8kXC6rF2gNtRi6EsNsi1p9KiN2h8vAlDgvQ9b 64wsdF+KQHzRFWsqOnLeOedW/9FNv2giucM1Tp6NQ1L6PVNu4hsKDWlansp2YT1qeiEnKOB3kDcu+ QcxKP6br7UhLYLPHAA1jcwJtPEb0nRw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1oTAhm-002Sb8-DO; Tue, 30 Aug 2022 23:31:38 +0000 Received: from mail-yb1-xb49.google.com ([2607:f8b0:4864:20::b49]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1oTAhj-002SZF-1j for linux-arm-kernel@lists.infradead.org; Tue, 30 Aug 2022 23:31:36 +0000 Received: by mail-yb1-xb49.google.com with SMTP id 63-20020a250d42000000b00696588a0e87so869434ybn.3 for ; Tue, 30 Aug 2022 16:31:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=content-transfer-encoding:cc:to:from:subject:mime-version :message-id:date:from:to:cc:subject:date; bh=wxlH8xA4LQR+FV13439fFhyozXQfxG9gvwfZcr+I1X0=; b=POkRmE8aafNm3/PH1cboLlP54QAN+TftgHR2R3yH3TEjt/IbATtHEOBs2o7UdzeK17 kbSiAnR1xP4j8t5uhQfvb1HlcNbqpBy1lytzSHagEtln9V/DUFfo86yfLMiRSoGAztfo 6go6vl5eC3Rny22uzHfnw3KDRWxub0NmRUzqi30P62k7CkKWhUyc3/JIqbEZytQHEkoP ITbmIQ10Mi+p+M3Hsi34M205D5kGCpDCNmmig9PSsef8dERWCQngnBFI/g+j2AmzRDsy FiKEGHBBOA+eXFtB24NUPB9SMT38hcAm2PpHziHG8SOIhNX6xmE3e7QZTFcoph+B538p iP6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:cc:to:from:subject:mime-version :message-id:date:x-gm-message-state:from:to:cc:subject:date; bh=wxlH8xA4LQR+FV13439fFhyozXQfxG9gvwfZcr+I1X0=; b=hG41Wl4cHVfu3nYDAU3+j2Bq4ixIxuTrX6dwkc+noIKym7GFxJLhTlllJZHCCm7JOS tYAx3c3rCRWgQM/H+izDdGJ+qH01PuhumNbmhIzD2hZpfA4n+YFO1ELqdmGOP+Ehgv8C vMz9AscEsi3os1OG765S3SlmL0fPc0ufkyvgnOroyOOb3hNfJ6m5ftJluM5NYpgBlNTe kEIGaz59cPCjW76Ig5who9OhORfG9JYyz7tZrQuD5YD9PhoOjZhPps9PO7b0Jex5DVXG Wrfyq2fyz+XniJVJpMGFZLF2fjpYSa+Dsrak/ecnO3i0WzI/Tqv+bxfABhJ2Ve0HV4KI WntA== X-Gm-Message-State: ACgBeo0LggRiG1ckoo+WPr2dkyQfiOkSfs8f/GD9t3/6u356M7N/bagy IOJ2GJUdapUcl+9r3s2H0qaucA8ThQUmjwgISWs= X-Google-Smtp-Source: AA6agR4v2PVJmqWWFyBdaFu4zQQGW908XZpcVafT7sRMHM37DM1+c6YtP3ux8jCwgh/EkSwhtoz8ePlg9kkGk0yAPLk= X-Received: from samitolvanen1.mtv.corp.google.com ([2620:15c:201:2:54d9:7143:6a7d:91d]) (user=samitolvanen job=sendgmr) by 2002:a81:77c4:0:b0:33f:20dc:e694 with SMTP id s187-20020a8177c4000000b0033f20dce694mr15958230ywc.395.1661902292327; Tue, 30 Aug 2022 16:31:32 -0700 (PDT) Date: Tue, 30 Aug 2022 16:31:08 -0700 Message-Id: <20220830233129.30610-1-samitolvanen@google.com> Mime-Version: 1.0 X-Developer-Key: i=samitolvanen@google.com; a=openpgp; fpr=35CCFB63B283D6D3AEB783944CB5F6848BBC56EE X-Developer-Signature: v=1; a=openpgp-sha256; l=7686; i=samitolvanen@google.com; h=from:subject; bh=9FeElwC34gkH48qe7/HORXxbE8G1sjqjDa+3EzwhFyw=; b=owEB7QES/pANAwAKAUy19oSLvFbuAcsmYgBjDp3Lx50pzG9GxQ7I/Weg1LhkuJn0JlTvJ2dPDsbI VH+16Q+JAbMEAAEKAB0WIQQ1zPtjsoPW0663g5RMtfaEi7xW7gUCYw6dywAKCRBMtfaEi7xW7usrC/ 49i1iNgi+cLrnUgBqADncpVCZSjFRHwv3rMy/FjWehIMep/CKfe2q5s2Afdeh1WtEw3+a7p8J5sU5e /DgnzJAggkEFoJujwMm6VWjBB5nmjtwLnhGaLyXN36Pg0dE2f/M+pj63IQ6rb4hYGORpB1RTj6yuJG 392x9DetVVk6S8dn/1gkTA1MbqYS0m41SbI+F5vZ5ZF9lmQkezM0+jeBBPJ0ycOL+WEMMDFg8IxqGH twbJSMEWigzxECjQBdOCV5YAoS1+zaRKSOQMeCUjEUfr7tf/gCT083hUgvrX+pU+t6aE014nXa15n9 BNONcGdJmLf25s9hLZbr3HcC56vbUNqZ1tta/9evYmfz981PfPF09+/mNnMJPtJzfuLAWxHKM9LPTj QxQDIHHYBPVptznB4ihLnrtJE6BA1VLAL7l7B4HSSPmZeubsCsGTh7FLoJb6MJQgjeRH5H8jVi0Nop P6S1XaUMHURYhJgn10atIHGAUQLkCCoTpIjWl/B7dBXu0= X-Mailer: git-send-email 2.37.2.672.g94769d06f0-goog Subject: [PATCH v4 00/21] KCFI support From: Sami Tolvanen To: linux-kernel@vger.kernel.org Cc: Kees Cook , Josh Poimboeuf , Peter Zijlstra , x86@kernel.org, Catalin Marinas , Will Deacon , Mark Rutland , Nathan Chancellor , Nick Desaulniers , Joao Moreira , Sedat Dilek , Steven Rostedt , linux-hardening@vger.kernel.org, linux-arm-kernel@lists.infradead.org, llvm@lists.linux.dev, Sami Tolvanen X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220830_163135_116506_C37221DA X-CRM114-Status: GOOD ( 28.68 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org S0NGSSBpcyBhIGZvcndhcmQtZWRnZSBjb250cm9sLWZsb3cgaW50ZWdyaXR5IHNjaGVtZSBpbiB0 aGUgdXBjb21pbmcKQ2xhbmcgMTYgcmVsZWFzZSwgd2hpY2ggaXMgbW9yZSBzdWl0YWJsZSBmb3Ig a2VybmVsIHVzZSB0aGFuIHRoZQpleGlzdGluZyBDRkkgc2NoZW1lIHVzZWQgYnkgQ09ORklHX0NG SV9DTEFORy4gS0NGSSBkb2Vzbid0IHJlcXVpcmUKTFRPLCBkb2Vzbid0IGFsdGVyIGZ1bmN0aW9u IHJlZmVyZW5jZXMgdG8gcG9pbnQgdG8gYSBqdW1wIHRhYmxlLCBhbmQKd29uJ3QgYnJlYWsgZnVu Y3Rpb24gYWRkcmVzcyBlcXVhbGl0eS4KClRoaXMgc2VyaWVzIHJlcGxhY2VzIHRoZSBjdXJyZW50 IGFybTY0IENGSSBpbXBsZW1lbnRhdGlvbiB3aXRoIEtDRkkKYW5kIGFkZHMgc3VwcG9ydCBmb3Ig eDg2XzY0LgoKS0NGSSByZXF1aXJlcyBhc3NlbWJseSBmdW5jdGlvbnMgdGhhdCBhcmUgaW5kaXJl Y3RseSBjYWxsZWQgZnJvbSBDCmNvZGUgdG8gYmUgYW5ub3RhdGVkIHdpdGggdHlwZSBpZGVudGlm aWVycy4gQXMgdHlwZSBpbmZvcm1hdGlvbiBpcwpvbmx5IGF2YWlsYWJsZSBpbiBDLCB0aGUgY29t cGlsZXIgZW1pdHMgZXhwZWN0ZWQgdHlwZSBpZGVudGlmaWVycwppbnRvIHRoZSBzeW1ib2wgdGFi bGUsIHNvIHRoZXkgY2FuIGJlIHJlZmVyZW5jZWQgZnJvbSBhc3NlbWJseQp3aXRob3V0IGhhdmlu ZyB0byBoYXJkY29kZSB0eXBlIGhhc2hlcy4gUGF0Y2ggNiBhZGRzIGhlbHBlciBtYWNyb3MKZm9y IGFubm90YXRpbmcgZnVuY3Rpb25zLCBhbmQgcGF0Y2hlcyA5IGFuZCAxOSBhZGQgYW5ub3RhdGlv bnMuCgpJbiBjYXNlIG9mIGEgdHlwZSBtaXNtYXRjaCwgS0NGSSBhbHdheXMgdHJhcHMuIFRvIHN1 cHBvcnQgZXJyb3IKaGFuZGxpbmcsIHRoZSBjb21waWxlciBnZW5lcmF0ZXMgYSAua2NmaV90cmFw cyBzZWN0aW9uIGZvciB4ODZfNjQsCndoaWNoIGNvbnRhaW5zIHRoZSBsb2NhdGlvbnMgb2YgZWFj aCB0cmFwLCBhbmQgZm9yIGFybTY0LCBlbmNvZGVzCnRoZSBuZWNlc3NhcnkgcmVnaXN0ZXIgaW5m b3JtYXRpb24gdG8gdGhlIEVTUi4gUGF0Y2hlcyAxMCBhbmQgMjEgYWRkCmFyY2gtc3BlY2lmaWMg ZXJyb3IgaGFuZGxlcnMuCgpUbyB0ZXN0IHRoaXMgc2VyaWVzLCB5b3UnbGwgYSBUb1QgQ2xhbmcg dG9vbGNoYWluLiBUaGUgc2VyaWVzIGlzCmFsc28gYXZhaWxhYmxlIGluIEdpdEh1YjoKCiAgaHR0 cHM6Ly9naXRodWIuY29tL3NhbWl0b2x2YW5lbi9saW51eC9jb21taXRzL2tjZmktdjQKCi0tLQpD aGFuZ2VzIGluIHY0OgotIERyb3BwZWQgdGhlIFJGQyBub3cgdGhhdCBDbGFuZyBzdXBwb3J0IGlz IG1lcmdlZC4KCi0gQ2hhbmdlZCB0aGUgeDg2XzY0IGZ1bmN0aW9uIHByZWFtYmxlIHRvIG1hdGNo IHRoZSB0aGUgcHJlYW1ibGUKICBnZW5lcmF0ZWQgYnkgdGhlIGNvbXBpbGVyLCBhbmQgZml4ZWQg YSBjb2RlIGdlbmVyYXRpb24gaXNzdWUsCiAgd2hpY2ggUGV0ZXIgcG9pbnRlZCBvdXQuCgotIEFk ZGVkIGEgcGF0Y2ggdG8gZml4IGFybTY0IHBzY2lfaW5pdGNhbGxfdCB0eXBlIG1pc21hdGNoIGJh c2VkCiAgb24gTWFyaydzIHN1Z2dlc3Rpb24uCgpDaGFuZ2VzIGluIHYzOgotIE1lcmdlZCB0aGUg cGF0Y2hlcyB0aGF0IHNwbGl0IENDX0ZMQUdTX0NGSSBmcm9tIENDX0ZMQUdTX0xUTy4KCi0gRHJv cHBlZCB0aGUgcHNjaV9pbml0Y2FsbF90IHBhdGNoIGFzIE1hcmsgdm9sdW50ZWVyZWQgdG8gc2Vu ZCBhCiAgcGF0Y2ggZm9yIHRoaXMuIE5vdGUgdGhhdCB0aGlzIHBhdGNoIGlzIHN0aWxsIG5lZWRl ZCB0byBib290IGEKICBDRkkga2VybmVsIG9uIGNlcnRhaW4gYXJtNjQgc3lzdGVtczoKICBodHRw czovL2xvcmUua2VybmVsLm9yZy9sa21sL1lvTmhLYVRUM0VEdWt4WFlARlZGRjc3UzBRMDVOLwoK LSBBZGRlZCBhIHBhdGNoIHRvIHJlbW92ZSB0aGUgbm93IHVubmVjZXNzYXJ5IHdvcmthcm91bmRz IHdpdGgKICBDRkkrVGhpbkxUTyBpbiBrYWxsc3ltcy4KCi0gQWRkZWQgYW4gbGtkdG0gcGF0Y2gg dG8gZW5zdXJlIHRoZSB0ZXN0IGFjdHVhbGx5IGdlbmVyYXRlcyBhbgogIGluZGlyZWN0IGNhbGwu CgotIENoYW5nZWQgcmVwb3J0X2NmaV9mYWlsdXJlIHRvIGNsZWFybHkgaW5kaWNhdGUgaWYgd2Ug ZmFpbGVkIHRvCiAgZGVjb2RlIHRhcmdldCBhZGRyZXNzLgoKLSBTd2l0Y2hlZCB0byByZWxhdGl2 ZSBvZmZzZXRzIGZvciAua2NmaV90cmFwcy4KCi0gT24geDg2XzY0LCBtb3ZlZCBDRkkgZXJyb3Ig aGFuZGxpbmcgZnJvbSB0cmFwcy5jIHRvIGNmaS5jLCBhbmQKICBhcyB3ZSBvbmx5IGNhbGwgbWVt Y3B5IGluZGlyZWN0bHkgdy8gQ09ORklHX01PRFVMRVMsIGVuc3VyZWQgdGhhdAogIHRoZSBjb21w aWxlciBlbWl0cyBfX2tjZmlfdHlwZWlkX21lbWNweSBhbHNvIHdpdGhvdXQgbW9kdWxlcy4KCi0g T24geDg2XzY0LCBhZGRlZCBhIGNoZWNrIGZvciB0aGUgY21wbCBSRVggcHJlZml4IHRvIGhhbmRs ZSB0aGUKICBjYXNlIHdoZXJlIHRoZSBjb21waWxlciBtaWdodCBub3QgdXNlIHI4LXIxNSByZWdp c3RlcnMgZm9yIHRoZQogIGNhbGwgdGFyZ2V0LgoKLSBPbiB0aGUgY29tcGlsZXIgc2lkZSwgZW5z dXJlZCB0aGF0IG9uIHg4Nl82NCBjYWxscyBhcmUgZW1pdHRlZAogIGltbWVkaWF0ZWx5IGFmdGVy IHRoZSBDRkkgY2hlY2ssIGZpeGVkIHRoZSBfX2NmaV8gcHJlYW1ibGUKICBsaW5rYWdlLCBhbmQg Y2hhbmdlZCB0aGUgY29tcGlsZXIgdG8gZW1pdCByZWxhdGl2ZSBvZmZzZXRzIGluCiAgLmtjZmlf dHJhcHMuCgpDaGFuZ2VzIGluIHYyOgotIENoYW5nZWQgdGhlIGNvbXBpbGVyIHBhdGNoIHRvIGVu Y29kZSBhcm02NCB0YXJnZXQgYW5kIHR5cGUgZGV0YWlscwogIGluIHRoZSBFU1IsIGFuZCB1cGRh dGVkIHRoZSBrZXJuZWwgZXJyb3IgaGFuZGxpbmcgcGF0Y2ggYWNjb3JkaW5nbHkuCgotIENoYW5n ZWQgdGhlIGNvbXBpbGVyIHBhdGNoIHRvIGVtYmVkIHRoZSB4ODZfNjQgdHlwZSBoYXNoIGluIGEg dmFsaWQKICBpbnN0cnVjdGlvbiB0byBhdm9pZCBzcGVjaWFsIGNhc2luZyBvYmp0b29sIGluc3Ry dWN0aW9uIGRlY29kaW5nLCBhbmQKICBhZGRlZCBhIF9fY2ZpXyBzeW1ib2wgZm9yIHRoZSBwcmVh bWJsZS4gQ2hhbmdlZCB0aGUga2VybmVsIGVycm9yCiAgaGFuZGxpbmcgYW5kIG1hbnVhbCB0eXBl IGFubm90YXRpb25zIHRvIG1hdGNoLgoKLSBEcm9wcGVkIHRoZSAua2NmaV90eXBlcyBzZWN0aW9u IGFzIHRoYXTigJlzIG5vIGxvbmdlciBuZWVkZWQgYnkKICBvYmp0b29sLCBhbmQgY2hhbmdlZCB0 aGUgb2JqdG9vbCBwYXRjaCB0byBzaW1wbHkgaWdub3JlIHRoZSBfX2NmaV8KICBwcmVhbWJsZXMg ZmFsbGluZyB0aHJvdWdoLgoKLSBEcm9wcGVkIHRoZSAua2NmaV90cmFwcyBzZWN0aW9uIG9uIGFy bTY0IGFzIGl04oCZcyBubyBsb25nZXIgbmVlZGVkLAogIGFuZCBtb3ZlZCB0aGUgdHJhcCBsb29r LXVwIGNvZGUgYmVoaW5kIENPTkZJR19BUkNIX1VTRVNfQ0ZJX1RSQVBTLAogIHdoaWNoIGlzIHNl bGVjdGVkIG9ubHkgZm9yIHg4Nl82NC4KCi0gRHJvcHBlZCBfX25vY2ZpIGF0dHJpYnV0ZXMgZnJv bSBhcm02NCBjb2RlIHdoZXJlIENGSSB3YXMgZGlzYWJsZWQKICBkdWUgdG8gYWRkcmVzcyBzcGFj ZSBjb25mdXNpb24gaXNzdWVzLCBhbmQgYWRkZWQgdHlwZSBhbm5vdGF0aW9ucyB0bwogIHJlbGV2 YW50IGFzc2VtYmx5IGZ1bmN0aW9ucy4KCi0gRHJvcHBlZCBfX25vY2ZpIGZyb20gX19pbml0LgoK U2FtaSBUb2x2YW5lbiAoMjEpOgogIHRyZWV3aWRlOiBGaWx0ZXIgb3V0IENDX0ZMQUdTX0NGSQog IHNjcmlwdHMva2FsbHN5bXM6IElnbm9yZSBfX2tjZmlfdHlwZWlkXwogIGNmaTogUmVtb3ZlIENP TkZJR19DRklfQ0xBTkdfU0hBRE9XCiAgY2ZpOiBEcm9wIF9fQ0ZJX0FERFJFU1NBQkxFCiAgY2Zp OiBTd2l0Y2ggdG8gLWZzYW5pdGl6ZT1rY2ZpCiAgY2ZpOiBBZGQgdHlwZSBoZWxwZXIgbWFjcm9z CiAgbGtkdG06IEVtaXQgYW4gaW5kaXJlY3QgY2FsbCBmb3IgQ0ZJIHRlc3RzCiAgcHNjaTogRml4 IHRoZSBmdW5jdGlvbiB0eXBlIGZvciBwc2NpX2luaXRjYWxsX3QKICBhcm02NDogQWRkIHR5cGVz IHRvIGluZGlyZWN0IGNhbGxlZCBhc3NlbWJseSBmdW5jdGlvbnMKICBhcm02NDogQWRkIENGSSBl cnJvciBoYW5kbGluZwogIGFybTY0OiBEcm9wIHVubmVlZGVkIF9fbm9jZmkgYXR0cmlidXRlcwog IGluaXQ6IERyb3AgX19ub2NmaSBmcm9tIF9faW5pdAogIHRyZWV3aWRlOiBEcm9wIGZ1bmN0aW9u X25vY2ZpCiAgdHJlZXdpZGU6IERyb3AgV0FSTl9PTl9GVU5DVElPTl9NSVNNQVRDSAogIHRyZWV3 aWRlOiBEcm9wIF9fY2ZpY2Fub25pY2FsCiAgb2JqdG9vbDogRGlzYWJsZSBDRkkgd2FybmluZ3MK ICBrYWxsc3ltczogRHJvcCBDT05GSUdfQ0ZJX0NMQU5HIHdvcmthcm91bmRzCiAgeDg2L3Rvb2xz L3JlbG9jczogSWdub3JlIF9fa2NmaV90eXBlaWRfIHJlbG9jYXRpb25zCiAgeDg2OiBBZGQgdHlw ZXMgdG8gaW5kaXJlY3RseSBjYWxsZWQgYXNzZW1ibHkgZnVuY3Rpb25zCiAgeDg2L3B1cmdhdG9y eTogRGlzYWJsZSBDRkkKICB4ODY6IEFkZCBzdXBwb3J0IGZvciBDT05GSUdfQ0ZJX0NMQU5HCgog TWFrZWZpbGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAgMTMgKy0KIGFyY2gv S2NvbmZpZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgIDE4ICstCiBhcmNoL2FybTY0 L2NyeXB0by9naGFzaC1jZS1jb3JlLlMgICAgICAgICB8ICAgNSArLQogYXJjaC9hcm02NC9jcnlw dG8vc20zLWNlLWNvcmUuUyAgICAgICAgICAgfCAgIDMgKy0KIGFyY2gvYXJtNjQvaW5jbHVkZS9h c20vYnJrLWltbS5oICAgICAgICAgIHwgICA2ICsKIGFyY2gvYXJtNjQvaW5jbHVkZS9hc20vZnRy YWNlLmggICAgICAgICAgIHwgICAyICstCiBhcmNoL2FybTY0L2luY2x1ZGUvYXNtL21tdV9jb250 ZXh0LmggICAgICB8ICAgNCArLQogYXJjaC9hcm02NC9rZXJuZWwvYWNwaV9wYXJraW5nX3Byb3Rv Y29sLmMgfCAgIDIgKy0KIGFyY2gvYXJtNjQva2VybmVsL2FsdGVybmF0aXZlLmMgICAgICAgICAg IHwgICAyICstCiBhcmNoL2FybTY0L2tlcm5lbC9jcHUtcmVzZXQuUyAgICAgICAgICAgICB8ICAg NSArLQogYXJjaC9hcm02NC9rZXJuZWwvY3B1ZmVhdHVyZS5jICAgICAgICAgICAgfCAgIDQgKy0K IGFyY2gvYXJtNjQva2VybmVsL2Z0cmFjZS5jICAgICAgICAgICAgICAgIHwgICAyICstCiBhcmNo L2FybTY0L2tlcm5lbC9tYWNoaW5lX2tleGVjLmMgICAgICAgICB8ICAgMiArLQogYXJjaC9hcm02 NC9rZXJuZWwvcHNjaS5jICAgICAgICAgICAgICAgICAgfCAgIDIgKy0KIGFyY2gvYXJtNjQva2Vy bmVsL3NtcF9zcGluX3RhYmxlLmMgICAgICAgIHwgICAyICstCiBhcmNoL2FybTY0L2tlcm5lbC90 cmFwcy5jICAgICAgICAgICAgICAgICB8ICA0NyArKy0KIGFyY2gvYXJtNjQva2VybmVsL3Zkc28v TWFrZWZpbGUgICAgICAgICAgIHwgICAzICstCiBhcmNoL2FybTY0L21tL3Byb2MuUyAgICAgICAg ICAgICAgICAgICAgICB8ICAgNSArLQogYXJjaC94ODYvS2NvbmZpZyAgICAgICAgICAgICAgICAg ICAgICAgICAgfCAgIDIgKwogYXJjaC94ODYvY3J5cHRvL2Jsb3dmaXNoLXg4Nl82NC1hc21fNjQu UyAgfCAgIDUgKy0KIGFyY2gveDg2L2VudHJ5L3Zkc28vTWFrZWZpbGUgICAgICAgICAgICAgIHwg ICAzICstCiBhcmNoL3g4Ni9pbmNsdWRlL2FzbS9jZmkuaCAgICAgICAgICAgICAgICB8ICAyMiAr KwogYXJjaC94ODYvaW5jbHVkZS9hc20vbGlua2FnZS5oICAgICAgICAgICAgfCAgIDkgKwogYXJj aC94ODYva2VybmVsL01ha2VmaWxlICAgICAgICAgICAgICAgICAgfCAgIDIgKwogYXJjaC94ODYv a2VybmVsL2NmaS5jICAgICAgICAgICAgICAgICAgICAgfCAgODUgKysrKysrCiBhcmNoL3g4Ni9r ZXJuZWwvdHJhcHMuYyAgICAgICAgICAgICAgICAgICB8ICAgNCArLQogYXJjaC94ODYvbGliL21l bWNweV82NC5TICAgICAgICAgICAgICAgICAgfCAgIDMgKy0KIGFyY2gveDg2L3B1cmdhdG9yeS9N YWtlZmlsZSAgICAgICAgICAgICAgIHwgICA0ICsKIGFyY2gveDg2L3Rvb2xzL3JlbG9jcy5jICAg ICAgICAgICAgICAgICAgIHwgICAxICsKIGRyaXZlcnMvZmlybXdhcmUvZWZpL2xpYnN0dWIvTWFr ZWZpbGUgICAgIHwgICAyICsKIGRyaXZlcnMvZmlybXdhcmUvcHNjaS9wc2NpLmMgICAgICAgICAg ICAgIHwgIDEyICstCiBkcml2ZXJzL21pc2MvbGtkdG0vY2ZpLmMgICAgICAgICAgICAgICAgICB8 ICAxNSArLQogZHJpdmVycy9taXNjL2xrZHRtL3VzZXJjb3B5LmMgICAgICAgICAgICAgfCAgIDIg Ky0KIGluY2x1ZGUvYXNtLWdlbmVyaWMvYnVnLmggICAgICAgICAgICAgICAgIHwgIDE2IC0KIGlu Y2x1ZGUvYXNtLWdlbmVyaWMvdm1saW51eC5sZHMuaCAgICAgICAgIHwgIDM3ICstLQogaW5jbHVk ZS9saW51eC9jZmkuaCAgICAgICAgICAgICAgICAgICAgICAgfCAgNTkgKystLQogaW5jbHVkZS9s aW51eC9jZmlfdHlwZXMuaCAgICAgICAgICAgICAgICAgfCAgNTcgKysrKwogaW5jbHVkZS9saW51 eC9jb21waWxlci1jbGFuZy5oICAgICAgICAgICAgfCAgMTQgKy0KIGluY2x1ZGUvbGludXgvY29t cGlsZXIuaCAgICAgICAgICAgICAgICAgIHwgIDE2ICstCiBpbmNsdWRlL2xpbnV4L2NvbXBpbGVy X3R5cGVzLmggICAgICAgICAgICB8ICAgNCAtCiBpbmNsdWRlL2xpbnV4L2luaXQuaCAgICAgICAg ICAgICAgICAgICAgICB8ICAgNiArLQogaW5jbHVkZS9saW51eC9tb2R1bGUuaCAgICAgICAgICAg ICAgICAgICAgfCAgMTAgKy0KIGluY2x1ZGUvbGludXgvcGNpLmggICAgICAgICAgICAgICAgICAg ICAgIHwgICA0ICstCiBrZXJuZWwvY2ZpLmMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8 IDM1MiArKysrLS0tLS0tLS0tLS0tLS0tLS0tCiBrZXJuZWwva2FsbHN5bXMuYyAgICAgICAgICAg ICAgICAgICAgICAgICB8ICAxNyAtLQoga2VybmVsL2t0aHJlYWQuYyAgICAgICAgICAgICAgICAg ICAgICAgICAgfCAgIDMgKy0KIGtlcm5lbC9tb2R1bGUvbWFpbi5jICAgICAgICAgICAgICAgICAg ICAgIHwgIDUwICstLQoga2VybmVsL3dvcmtxdWV1ZS5jICAgICAgICAgICAgICAgICAgICAgICAg fCAgIDIgKy0KIHNjcmlwdHMva2FsbHN5bXMuYyAgICAgICAgICAgICAgICAgICAgICAgIHwgICAx ICsKIHNjcmlwdHMvbW9kdWxlLmxkcy5TICAgICAgICAgICAgICAgICAgICAgIHwgIDIzICstCiB0 b29scy9vYmp0b29sL2NoZWNrLmMgICAgICAgICAgICAgICAgICAgICB8ICAgNyArLQogNTEgZmls ZXMgY2hhbmdlZCwgNDIzIGluc2VydGlvbnMoKyksIDU1MyBkZWxldGlvbnMoLSkKIGNyZWF0ZSBt b2RlIDEwMDY0NCBhcmNoL3g4Ni9pbmNsdWRlL2FzbS9jZmkuaAogY3JlYXRlIG1vZGUgMTAwNjQ0 IGFyY2gveDg2L2tlcm5lbC9jZmkuYwogY3JlYXRlIG1vZGUgMTAwNjQ0IGluY2x1ZGUvbGludXgv Y2ZpX3R5cGVzLmgKCgpiYXNlLWNvbW1pdDogZGNmOGU1NjMzZTJlNjlhZDYwYjczMGFiNTkwNTYw OGI3NTZhMDMyZgotLSAKMi4zNy4yLjY3Mi5nOTQ3NjlkMDZmMC1nb29nCgoKX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KbGludXgtYXJtLWtlcm5lbCBtYWls aW5nIGxpc3QKbGludXgtYXJtLWtlcm5lbEBsaXN0cy5pbmZyYWRlYWQub3JnCmh0dHA6Ly9saXN0 cy5pbmZyYWRlYWQub3JnL21haWxtYW4vbGlzdGluZm8vbGludXgtYXJtLWtlcm5lbAo=