From: Stephen Röttger
Date: Mon, 15 May 2023 17:03:11 +0200
Subject: Re: [PATCH 0/6] Memory Mapping (VMA) protection using PKU - set 1
To: Dave Hansen
Cc: jeffxu@chromium.org, Andy Lutomirski, Jorge Lucangeli Obes, Kees Cook, groeck@chromium.org, Jann Horn, akpm@linux-foundation.org, Jeff Xu, Linux Kernel Mailing List, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, linux-hardening@vger.kernel.org
References: <20230515130553.2311248-1-jeffxu@chromium.org> <2bcffc9f-9244-0362-2da9-ece230055320@intel.com>
In-Reply-To: <2bcffc9f-9244-0362-2da9-ece230055320@intel.com>

Hi Dave,

Since we're using the feature for control-flow integrity, we assume the control-flow is still intact at this point. I.e. the attacker thread can't run arbitrary instructions.

* For JIT code, we're going to scan it for wrpkru instructions before writing it to executable memory
* For regular code, we only use wrpkru around short critical sections to temporarily enable write access

Sigreturn is a separate problem that we hope to solve by adding pkey support to sigaltstack

On Mon, May 15, 2023, 16:28 Dave Hansen wrote:

> On 5/15/23 06:05, jeffxu@chromium.org wrote:
> > We're using PKU for in-process isolation to enforce control-flow integrity
> > for a JIT compiler. In our threat model, an attacker exploits a
> > vulnerability and has arbitrary read/write access to the whole process
> > space concurrently to other threads being executed. This attacker can
> > manipulate some arguments to syscalls from some threads.
>
> This all sounds like it hinges on the contents of PKRU in the attacker
> thread.
>
> Could you talk a bit about how the attacker is prevented from running
> WRPKRU, XRSTOR or compelling the kernel to write to PKRU like at sigreturn?
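The scan of JIT output for wrpkru mentioned in the reply could look like the following. This is an added example, not code from the patch series or from the sender; scanning at every byte offset, also rejecting XRSTOR (named in Dave Hansen's question), and the helper `scan_jit_write` are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* WRPKRU is 0F 01 EF. XRSTOR is 0F AE /5 with a memory operand, i.e.
 * ModRM.reg == 5 and ModRM.mod != 3 (with mod == 3 the bytes are LFENCE). */
static int writes_pkru(uint8_t b0, uint8_t b1, uint8_t b2)
{
    if (b0 != 0x0F) return 0;
    if (b1 == 0x01 && b2 == 0xEF) return 1;
    return b1 == 0xAE && ((b2 >> 3) & 7) == 5 && (b2 >> 6) != 3;
}

/* Byte p of the region as it would read once chunk is copied to off. */
static uint8_t after(const uint8_t *region, size_t off,
                     const uint8_t *chunk, size_t n, size_t p)
{
    return (p >= off && p < off + n) ? chunk[p - off] : region[p];
}

/* Check a pending write of chunk[0..n) to region[off..off+n) (hypothetical
 * helper). Returns the region offset of the first forbidden sequence the
 * write would leave behind, -1 if none, -2 if the write is out of bounds.
 * Every byte offset is tested, from two bytes before the write to two
 * bytes after it, so sequences completed by existing bytes are caught. */
long scan_jit_write(const uint8_t *region, size_t region_len, size_t off,
                    const uint8_t *chunk, size_t n)
{
    if (off > region_len || n > region_len - off) return -2;
    size_t start = off >= 2 ? off - 2 : 0;
    size_t end = off + n;                       /* exclusive */
    end += (region_len - end >= 2) ? 2 : region_len - end;
    for (size_t i = start; i + 3 <= end; i++)
        if (writes_pkru(after(region, off, chunk, n, i),
                        after(region, off, chunk, n, i + 1),
                        after(region, off, chunk, n, i + 2)))
            return (long)i;
    return -1;
}

int main(void)
{
    /* Constructed sample: byte 3 of the region is already 0F, and the chunk
     * looks harmless alone but completes 0F 01 EF across the boundary. */
    uint8_t region[8] = {0x90, 0x90, 0x90, 0x0F, 0x90, 0x90, 0x90, 0x90};
    const uint8_t chunk[3] = {0x01, 0xEF, 0xC3};
    printf("first hit: %ld\n", scan_jit_write(region, sizeof region, 4, chunk, 3));
    return 0;
}
```

Because the match is on raw bytes, an immediate operand that happens to contain 0F 01 EF is rejected too, so an emitter using a check like this has to re-encode such constants.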