From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757489AbeD0GyN (ORCPT ); Fri, 27 Apr 2018 02:54:13 -0400 Received: from mail-lf0-f51.google.com ([209.85.215.51]:35784 "EHLO mail-lf0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757354AbeD0GyL (ORCPT ); Fri, 27 Apr 2018 02:54:11 -0400 X-Google-Smtp-Source: AB8JxZq2koQ/098RaaRckIHcpPJJDO9b22/dZ0FOByhiXkAsRYeC07aNtlcCFH0hlCvPLG/hrXWWmQ== Subject: Re: [Xen-devel] [PATCH 0/1] drm/xen-zcopy: Add Xen zero-copy helper DRM driver To: Dongwon Kim , jgross@suse.com, Artem Mygaiev , Wei Liu , konrad.wilk@oracle.com, airlied@linux.ie, "Oleksandr_Andrushchenko@epam.com" , linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Potrola, MateuszX" , xen-devel@lists.xenproject.org, daniel.vetter@intel.com, boris.ostrovsky@oracle.com, =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= References: <20180418101058.hyqk3gr3b2ibxswu@MacBook-Pro-de-Roger.local> <20180420071914.GG31310@phenom.ffwll.local> <76cdc65a-7bb1-9377-7bc5-6164e32f7b5d@gmail.com> <20180423115242.ywdwqblj2aseu3fr@citrix.com> <61105351-8896-072b-abf0-757c7f6c0edf@gmail.com> <20180424115437.GT31310@phenom.ffwll.local> <18ab5f76-00b0-42a0-fcb8-e0cbf4cdd527@gmail.com> <20180424203514.GA26787@downor-Z87X-UD5H> <43bc755f-3e31-6841-0962-542c42515f88@gmail.com> <20180425063455.GH25142@phenom.ffwll.local> <20180425171657.GA28803@downor-Z87X-UD5H> From: Oleksandr Andrushchenko Message-ID: Date: Fri, 27 Apr 2018 09:54:07 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <20180425171657.GA28803@downor-Z87X-UD5H> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 04/25/2018 08:16 PM, Dongwon Kim wrote: > On Wed, Apr 25, 2018 at 08:34:55AM +0200, Daniel Vetter wrote: >> On Wed, Apr 25, 2018 at 09:07:07AM +0300, Oleksandr Andrushchenko wrote: >>> On 04/24/2018 11:35 PM, Dongwon Kim wrote: >>>> Had a meeting with Daniel and talked about bringing out generic >>>> part of hyper-dmabuf to the userspace, which means we most likely >>>> reuse IOCTLs defined in xen-zcopy for our use-case if we follow >>>> his suggestion. >>> I will still have kernel side API, so backends/frontends implemented >>> in the kernel can access that functionality as well. >>>> So assuming we use these IOCTLs as they are, >>>> Several things I would like you to double-check.. >>>> >>>> 1. returning gref as is to the user space is still unsafe because >>>> it is a constant, easy to guess and any process that hijacks it can easily >>>> exploit the buffer. So I am wondering if it's possible to keep dmabuf-to >>>> -gref or gref-to-dmabuf in kernel space and add other layers on top >>>> of those in actual IOCTLs to add some safety.. We introduced flink like >>>> hyper_dmabuf_id including random number but many says even that is still >>>> not safe. >>> Yes, it is generally unsafe. But even if we have implemented >>> the approach you have in hyper-dmabuf or similar, what stops >>> malicious software from doing the same with the existing gntdev UAPI? >>> No need to brute force new UAPI if there is a simpler one. >>> That being said, I'll put security aside at the first stage, >>> but of course we can start investigating ways to improve >>> (I assume you already have use-cases where security issues must >>> be considered, so, probably you can tell more on what was investigated >>> so far). > Yeah, although we think we lowered the chance of guessing the right id > by adding random number to it, the security hole is still there as far > as we use a constant id across VMs. We understood this from the beginning > but couldn't find a better way. So what we proposed is to make sure our > customer understand this and prepare very secure way to handle this id > in the userspace (mattrope however recently proposed a "hyper-pipe" which > FD-type id can be converted and exchanged safely through. So we are looking > into this now.) > > And another approach we have proposed is to use event-polling, that lets > the privileged userapp in importing guest to know about a new exported > DMABUF so that it can retrieve it from the queue then redistribute to > other applications. This method is not very flexible however, is one way > to hide ID from userspace completely. > > Anyway, yes, we can continue to investigate the possible way to make it > more secure. Great, if you come up with something then you'll be able to plumb this in >> Maybe a bit more context here: >> >> So in graphics we have this old flink approach for buffer sharing with >> processes, and it's unsafe because way too easy to guess the buffer >> handles. And anyone with access to the graphics driver can then import >> that buffer object. We switched to file descriptor passing to make sure >> only the intended recipient can import a buffer. >> >> So at the vm->vm level it sounds like grefs are safe, because they're only >> for a specific other guest (or sets of guests, not sure about). That means >> security is only within the OS. For that you need to make sure that >> unpriviledge userspace simply can't ever access a gref. If that doesn't >> work out, then I guess we should improve the xen gref stuff to have a more >> secure cookie. >> >>>> 2. maybe we could take hypervisor-independent process (e.g. SGT<->page) >>>> out of xen-zcopy and put those in a new helper library. >>> I believe this can be done, but at the first stage I would go without >>> that helper library, so it is clearly seen what can be moved to it later >>> (I know that you want to run ACRN as well, but can I run it on ARM? ;) >> There's already helpers for walking sgtables and adding pages/enumerating >> pages. I don't think we need more. > ok, where would that helpers be located? If we consider we will use these > with other hypervisor drivers, maybe it's better to place those in some > common area? I am not quite sure what and if those helpers be really needed. Let's try to prototype the thing and then see what can be moved to a helper library and where it should live >>>> 3. please consider the case where original DMA-BUF's first offset >>>> and last length are not 0 and PAGE_SIZE respectively. I assume current >>>> xen-zcopy only supports page-aligned buffer with PAGE_SIZE x n big. >>> Hm, what is the use-case for that? > Just in general use-case.. I was just considering the case (might be corner > case..) where sg->offset != 0 or sg->length != PAGE_SIZE. Hyper dmabuf sends > this information (first offset and last length) together with references for > pages. So I was wondering if we should so similar thing in zcopy since your > goal is now to cover general dma-buf use-cases (however, danvet mentioned > hard constaint of dma-buf below.. so if this can't happen according to the > spec, then we can ignore it..) I won't be considering this use-case during prototyping as it seems it doesn't have a *real* ground underneath >> dma-buf is always page-aligned. That's a hard constraint of the linux >> dma-buf interface spec. >> -Daniel > Hmm.. I am little bit confused.. > So does it mean dmabuf->size is always n*PAGE_SIZE? What is the sgt behind > dmabuf has an offset other than 0 for the first sgl or the length of the > last sgl is not PAGE_SIZE? You are saying this case is not acceptable for > dmabuf? IMO, yes, see above >>>> thanks, >>>> DW >>> Thank you, >>> Oleksandr >>>> On Tue, Apr 24, 2018 at 02:59:39PM +0300, Oleksandr Andrushchenko wrote: >>>>> On 04/24/2018 02:54 PM, Daniel Vetter wrote: >>>>>> On Mon, Apr 23, 2018 at 03:10:35PM +0300, Oleksandr Andrushchenko wrote: >>>>>>> On 04/23/2018 02:52 PM, Wei Liu wrote: >>>>>>>> On Fri, Apr 20, 2018 at 02:25:20PM +0300, Oleksandr Andrushchenko wrote: >>>>>>>>>>> the gntdev. >>>>>>>>>>> >>>>>>>>>>> I think this is generic enough that it could be implemented by a >>>>>>>>>>> device not tied to Xen. AFAICT the hyper_dma guys also wanted >>>>>>>>>>> something similar to this. >>>>>>>>>> You can't just wrap random userspace memory into a dma-buf. We've just had >>>>>>>>>> this discussion with kvm/qemu folks, who proposed just that, and after a >>>>>>>>>> bit of discussion they'll now try to have a driver which just wraps a >>>>>>>>>> memfd into a dma-buf. >>>>>>>>> So, we have to decide either we introduce a new driver >>>>>>>>> (say, under drivers/xen/xen-dma-buf) or extend the existing >>>>>>>>> gntdev/balloon to support dma-buf use-cases. >>>>>>>>> >>>>>>>>> Can anybody from Xen community express their preference here? >>>>>>>>> >>>>>>>> Oleksandr talked to me on IRC about this, he said a few IOCTLs need to >>>>>>>> be added to either existing drivers or a new driver. >>>>>>>> >>>>>>>> I went through this thread twice and skimmed through the relevant >>>>>>>> documents, but I couldn't see any obvious pros and cons for either >>>>>>>> approach. So I don't really have an opinion on this. >>>>>>>> >>>>>>>> But, assuming if implemented in existing drivers, those IOCTLs need to >>>>>>>> be added to different drivers, which means userspace program needs to >>>>>>>> write more code and get more handles, it would be slightly better to >>>>>>>> implement a new driver from that perspective. >>>>>>> If gntdev/balloon extension is still considered: >>>>>>> >>>>>>> All the IOCTLs will be in gntdev driver (in current xen-zcopy terminology): >>>>> I was lazy to change dumb to dma-buf, so put this notice ;) >>>>>>>  - DRM_ICOTL_XEN_ZCOPY_DUMB_FROM_REFS >>>>>>>  - DRM_IOCTL_XEN_ZCOPY_DUMB_TO_REFS >>>>>>>  - DRM_IOCTL_XEN_ZCOPY_DUMB_WAIT_FREE >>>>>> s/DUMB/DMA_BUF/ please. This is generic dma-buf, it has nothing to do with >>>>>> the dumb scanout buffer support in the drm/gfx subsystem. This here can be >>>>>> used for any zcopy sharing among guests (as long as your endpoints >>>>>> understands dma-buf, which most relevant drivers do). >>>>> Of course, please see above >>>>>> -Daniel >>>>>> >>>>>>> Balloon driver extension, which is needed for contiguous/DMA >>>>>>> buffers, will be to provide new *kernel API*, no UAPI is needed. >>>>>>> >>>>>>>> Wei. >>>>>>> Thank you, >>>>>>> Oleksandr >>>>>>> _______________________________________________ >>>>>>> dri-devel mailing list >>>>>>> dri-devel@lists.freedesktop.org >>>>>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >>> _______________________________________________ >>> dri-devel mailing list >>> dri-devel@lists.freedesktop.org >>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >> -- >> Daniel Vetter >> Software Engineer, Intel Corporation >> http://blog.ffwll.ch From mboxrd@z Thu Jan 1 00:00:00 1970 From: Oleksandr Andrushchenko Subject: Re: [Xen-devel] [PATCH 0/1] drm/xen-zcopy: Add Xen zero-copy helper DRM driver Date: Fri, 27 Apr 2018 09:54:07 +0300 Message-ID: References: <20180418101058.hyqk3gr3b2ibxswu@MacBook-Pro-de-Roger.local> <20180420071914.GG31310@phenom.ffwll.local> <76cdc65a-7bb1-9377-7bc5-6164e32f7b5d@gmail.com> <20180423115242.ywdwqblj2aseu3fr@citrix.com> <61105351-8896-072b-abf0-757c7f6c0edf@gmail.com> <20180424115437.GT31310@phenom.ffwll.local> <18ab5f76-00b0-42a0-fcb8-e0cbf4cdd527@gmail.com> <20180424203514.GA26787@downor-Z87X-UD5H> <43bc755f-3e31-6841-0962-542c42515f88@gmail.com> <20180425063455.GH25142@phenom.ffwll.local> <20180425171657.GA28803@downor-Z87X-UD5H> Mime-Version: 1.0 Content-Type: text/plain; charset="utf-8"; Format="flowed" Content-Transfer-Encoding: base64 Return-path: Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) by gabe.freedesktop.org (Postfix) with ESMTPS id AF9856E1EF for ; Fri, 27 Apr 2018 06:54:11 +0000 (UTC) Received: by mail-lf0-x231.google.com with SMTP id b23-v6so1150419lfg.4 for ; Thu, 26 Apr 2018 23:54:11 -0700 (PDT) In-Reply-To: <20180425171657.GA28803@downor-Z87X-UD5H> Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" To: Dongwon Kim , jgross@suse.com, Artem Mygaiev , Wei Liu , konrad.wilk@oracle.com, airlied@linux.ie, "Oleksandr_Andrushchenko@epam.com" , linux-kernel@vger.kernel.org, dri-devel@lists.freedesktop.org, "Potrola, MateuszX" , xen-devel@lists.xenproject.org, daniel.vetter@intel.com, boris.ostrovsky@oracle.com, =?UTF-8?Q?Roger_Pau_Monn=c3=a9?= List-Id: dri-devel@lists.freedesktop.org T24gMDQvMjUvMjAxOCAwODoxNiBQTSwgRG9uZ3dvbiBLaW0gd3JvdGU6Cj4gT24gV2VkLCBBcHIg MjUsIDIwMTggYXQgMDg6MzQ6NTVBTSArMDIwMCwgRGFuaWVsIFZldHRlciB3cm90ZToKPj4gT24g V2VkLCBBcHIgMjUsIDIwMTggYXQgMDk6MDc6MDdBTSArMDMwMCwgT2xla3NhbmRyIEFuZHJ1c2hj aGVua28gd3JvdGU6Cj4+PiBPbiAwNC8yNC8yMDE4IDExOjM1IFBNLCBEb25nd29uIEtpbSB3cm90 ZToKPj4+PiBIYWQgYSBtZWV0aW5nIHdpdGggRGFuaWVsIGFuZCB0YWxrZWQgYWJvdXQgYnJpbmdp bmcgb3V0IGdlbmVyaWMKPj4+PiBwYXJ0IG9mIGh5cGVyLWRtYWJ1ZiB0byB0aGUgdXNlcnNwYWNl LCB3aGljaCBtZWFucyB3ZSBtb3N0IGxpa2VseQo+Pj4+IHJldXNlIElPQ1RMcyBkZWZpbmVkIGlu IHhlbi16Y29weSBmb3Igb3VyIHVzZS1jYXNlIGlmIHdlIGZvbGxvdwo+Pj4+IGhpcyBzdWdnZXN0 aW9uLgo+Pj4gSSB3aWxsIHN0aWxsIGhhdmUga2VybmVsIHNpZGUgQVBJLCBzbyBiYWNrZW5kcy9m cm9udGVuZHMgaW1wbGVtZW50ZWQKPj4+IGluIHRoZSBrZXJuZWwgY2FuIGFjY2VzcyB0aGF0IGZ1 bmN0aW9uYWxpdHkgYXMgd2VsbC4KPj4+PiBTbyBhc3N1bWluZyB3ZSB1c2UgdGhlc2UgSU9DVExz IGFzIHRoZXkgYXJlLAo+Pj4+IFNldmVyYWwgdGhpbmdzIEkgd291bGQgbGlrZSB5b3UgdG8gZG91 YmxlLWNoZWNrLi4KPj4+Pgo+Pj4+IDEuIHJldHVybmluZyBncmVmIGFzIGlzIHRvIHRoZSB1c2Vy IHNwYWNlIGlzIHN0aWxsIHVuc2FmZSBiZWNhdXNlCj4+Pj4gaXQgaXMgYSBjb25zdGFudCwgZWFz eSB0byBndWVzcyBhbmQgYW55IHByb2Nlc3MgdGhhdCBoaWphY2tzIGl0IGNhbiBlYXNpbHkKPj4+ PiBleHBsb2l0IHRoZSBidWZmZXIuIFNvIEkgYW0gd29uZGVyaW5nIGlmIGl0J3MgcG9zc2libGUg dG8ga2VlcCBkbWFidWYtdG8KPj4+PiAtZ3JlZiBvciBncmVmLXRvLWRtYWJ1ZiBpbiBrZXJuZWwg c3BhY2UgYW5kIGFkZCBvdGhlciBsYXllcnMgb24gdG9wCj4+Pj4gb2YgdGhvc2UgaW4gYWN0dWFs IElPQ1RMcyB0byBhZGQgc29tZSBzYWZldHkuLiBXZSBpbnRyb2R1Y2VkIGZsaW5rIGxpa2UKPj4+ PiBoeXBlcl9kbWFidWZfaWQgaW5jbHVkaW5nIHJhbmRvbSBudW1iZXIgYnV0IG1hbnkgc2F5cyBl dmVuIHRoYXQgaXMgc3RpbGwKPj4+PiBub3Qgc2FmZS4KPj4+IFllcywgaXQgaXMgZ2VuZXJhbGx5 IHVuc2FmZS4gQnV0IGV2ZW4gaWYgd2UgaGF2ZSBpbXBsZW1lbnRlZAo+Pj4gdGhlIGFwcHJvYWNo IHlvdSBoYXZlIGluIGh5cGVyLWRtYWJ1ZiBvciBzaW1pbGFyLCB3aGF0IHN0b3BzCj4+PiBtYWxp Y2lvdXMgc29mdHdhcmUgZnJvbSBkb2luZyB0aGUgc2FtZSB3aXRoIHRoZSBleGlzdGluZyBnbnRk ZXYgVUFQST8KPj4+IE5vIG5lZWQgdG8gYnJ1dGUgZm9yY2UgbmV3IFVBUEkgaWYgdGhlcmUgaXMg YSBzaW1wbGVyIG9uZS4KPj4+IFRoYXQgYmVpbmcgc2FpZCwgSSdsbCBwdXQgc2VjdXJpdHkgYXNp ZGUgYXQgdGhlIGZpcnN0IHN0YWdlLAo+Pj4gYnV0IG9mIGNvdXJzZSB3ZSBjYW4gc3RhcnQgaW52 ZXN0aWdhdGluZyB3YXlzIHRvIGltcHJvdmUKPj4+IChJIGFzc3VtZSB5b3UgYWxyZWFkeSBoYXZl IHVzZS1jYXNlcyB3aGVyZSBzZWN1cml0eSBpc3N1ZXMgbXVzdAo+Pj4gYmUgY29uc2lkZXJlZCwg c28sIHByb2JhYmx5IHlvdSBjYW4gdGVsbCBtb3JlIG9uIHdoYXQgd2FzIGludmVzdGlnYXRlZAo+ Pj4gc28gZmFyKS4KPiBZZWFoLCBhbHRob3VnaCB3ZSB0aGluayB3ZSBsb3dlcmVkIHRoZSBjaGFu Y2Ugb2YgZ3Vlc3NpbmcgdGhlIHJpZ2h0IGlkCj4gYnkgYWRkaW5nIHJhbmRvbSBudW1iZXIgdG8g aXQsIHRoZSBzZWN1cml0eSBob2xlIGlzIHN0aWxsIHRoZXJlIGFzIGZhcgo+IGFzIHdlIHVzZSBh IGNvbnN0YW50IGlkIGFjcm9zcyBWTXMuIFdlIHVuZGVyc3Rvb2QgdGhpcyBmcm9tIHRoZSBiZWdp bm5pbmcKPiBidXQgY291bGRuJ3QgZmluZCBhIGJldHRlciB3YXkuIFNvIHdoYXQgd2UgcHJvcG9z ZWQgaXMgdG8gbWFrZSBzdXJlIG91cgo+IGN1c3RvbWVyIHVuZGVyc3RhbmQgdGhpcyBhbmQgcHJl cGFyZSB2ZXJ5IHNlY3VyZSB3YXkgdG8gaGFuZGxlIHRoaXMgaWQKPiBpbiB0aGUgdXNlcnNwYWNl IChtYXR0cm9wZSBob3dldmVyIHJlY2VudGx5IHByb3Bvc2VkIGEgImh5cGVyLXBpcGUiIHdoaWNo Cj4gRkQtdHlwZSBpZCBjYW4gYmUgY29udmVydGVkIGFuZCBleGNoYW5nZWQgc2FmZWx5IHRocm91 Z2guIFNvIHdlIGFyZSBsb29raW5nCj4gaW50byB0aGlzIG5vdy4pCj4KPiBBbmQgYW5vdGhlciBh cHByb2FjaCB3ZSBoYXZlIHByb3Bvc2VkIGlzIHRvIHVzZSBldmVudC1wb2xsaW5nLCB0aGF0IGxl dHMKPiB0aGUgcHJpdmlsZWdlZCB1c2VyYXBwIGluIGltcG9ydGluZyBndWVzdCB0byBrbm93IGFi b3V0IGEgbmV3IGV4cG9ydGVkCj4gRE1BQlVGIHNvIHRoYXQgaXQgY2FuIHJldHJpZXZlIGl0IGZy b20gdGhlIHF1ZXVlIHRoZW4gcmVkaXN0cmlidXRlIHRvCj4gb3RoZXIgYXBwbGljYXRpb25zLiBU aGlzIG1ldGhvZCBpcyBub3QgdmVyeSBmbGV4aWJsZSBob3dldmVyLCBpcyBvbmUgd2F5Cj4gdG8g aGlkZSBJRCBmcm9tIHVzZXJzcGFjZSBjb21wbGV0ZWx5Lgo+Cj4gQW55d2F5LCB5ZXMsIHdlIGNh biBjb250aW51ZSB0byBpbnZlc3RpZ2F0ZSB0aGUgcG9zc2libGUgd2F5IHRvIG1ha2UgaXQKPiBt b3JlIHNlY3VyZS4KR3JlYXQsIGlmIHlvdSBjb21lIHVwIHdpdGggc29tZXRoaW5nIHRoZW4geW91 J2xsIGJlIGFibGUKdG8gcGx1bWIgdGhpcyBpbgo+PiBNYXliZSBhIGJpdCBtb3JlIGNvbnRleHQg aGVyZToKPj4KPj4gU28gaW4gZ3JhcGhpY3Mgd2UgaGF2ZSB0aGlzIG9sZCBmbGluayBhcHByb2Fj aCBmb3IgYnVmZmVyIHNoYXJpbmcgd2l0aAo+PiBwcm9jZXNzZXMsIGFuZCBpdCdzIHVuc2FmZSBi ZWNhdXNlIHdheSB0b28gZWFzeSB0byBndWVzcyB0aGUgYnVmZmVyCj4+IGhhbmRsZXMuIEFuZCBh bnlvbmUgd2l0aCBhY2Nlc3MgdG8gdGhlIGdyYXBoaWNzIGRyaXZlciBjYW4gdGhlbiBpbXBvcnQK Pj4gdGhhdCBidWZmZXIgb2JqZWN0LiBXZSBzd2l0Y2hlZCB0byBmaWxlIGRlc2NyaXB0b3IgcGFz c2luZyB0byBtYWtlIHN1cmUKPj4gb25seSB0aGUgaW50ZW5kZWQgcmVjaXBpZW50IGNhbiBpbXBv cnQgYSBidWZmZXIuCj4+Cj4+IFNvIGF0IHRoZSB2bS0+dm0gbGV2ZWwgaXQgc291bmRzIGxpa2Ug Z3JlZnMgYXJlIHNhZmUsIGJlY2F1c2UgdGhleSdyZSBvbmx5Cj4+IGZvciBhIHNwZWNpZmljIG90 aGVyIGd1ZXN0IChvciBzZXRzIG9mIGd1ZXN0cywgbm90IHN1cmUgYWJvdXQpLiBUaGF0IG1lYW5z Cj4+IHNlY3VyaXR5IGlzIG9ubHkgd2l0aGluIHRoZSBPUy4gRm9yIHRoYXQgeW91IG5lZWQgdG8g bWFrZSBzdXJlIHRoYXQKPj4gdW5wcml2aWxlZGdlIHVzZXJzcGFjZSBzaW1wbHkgY2FuJ3QgZXZl ciBhY2Nlc3MgYSBncmVmLiBJZiB0aGF0IGRvZXNuJ3QKPj4gd29yayBvdXQsIHRoZW4gSSBndWVz cyB3ZSBzaG91bGQgaW1wcm92ZSB0aGUgeGVuIGdyZWYgc3R1ZmYgdG8gaGF2ZSBhIG1vcmUKPj4g c2VjdXJlIGNvb2tpZS4KPj4KPj4+PiAyLiBtYXliZSB3ZSBjb3VsZCB0YWtlIGh5cGVydmlzb3It aW5kZXBlbmRlbnQgcHJvY2VzcyAoZS5nLiBTR1Q8LT5wYWdlKQo+Pj4+IG91dCBvZiB4ZW4temNv cHkgYW5kIHB1dCB0aG9zZSBpbiBhIG5ldyBoZWxwZXIgbGlicmFyeS4KPj4+IEkgYmVsaWV2ZSB0 aGlzIGNhbiBiZSBkb25lLCBidXQgYXQgdGhlIGZpcnN0IHN0YWdlIEkgd291bGQgZ28gd2l0aG91 dAo+Pj4gdGhhdCBoZWxwZXIgbGlicmFyeSwgc28gaXQgaXMgY2xlYXJseSBzZWVuIHdoYXQgY2Fu IGJlIG1vdmVkIHRvIGl0IGxhdGVyCj4+PiAoSSBrbm93IHRoYXQgeW91IHdhbnQgdG8gcnVuIEFD Uk4gYXMgd2VsbCwgYnV0IGNhbiBJIHJ1biBpdCBvbiBBUk0/IDspCj4+IFRoZXJlJ3MgYWxyZWFk eSBoZWxwZXJzIGZvciB3YWxraW5nIHNndGFibGVzIGFuZCBhZGRpbmcgcGFnZXMvZW51bWVyYXRp bmcKPj4gcGFnZXMuIEkgZG9uJ3QgdGhpbmsgd2UgbmVlZCBtb3JlLgo+IG9rLCB3aGVyZSB3b3Vs ZCB0aGF0IGhlbHBlcnMgYmUgbG9jYXRlZD8gSWYgd2UgY29uc2lkZXIgd2Ugd2lsbCB1c2UgdGhl c2UKPiB3aXRoIG90aGVyIGh5cGVydmlzb3IgZHJpdmVycywgbWF5YmUgaXQncyBiZXR0ZXIgdG8g cGxhY2UgdGhvc2UgaW4gc29tZQo+IGNvbW1vbiBhcmVhPwpJIGFtIG5vdCBxdWl0ZSBzdXJlIHdo YXQgYW5kIGlmIHRob3NlIGhlbHBlcnMgYmUgcmVhbGx5IG5lZWRlZC4KTGV0J3MgdHJ5IHRvIHBy b3RvdHlwZSB0aGUgdGhpbmcgYW5kIHRoZW4gc2VlIHdoYXQgY2FuIGJlCm1vdmVkIHRvIGEgaGVs cGVyIGxpYnJhcnkgYW5kIHdoZXJlIGl0IHNob3VsZCBsaXZlCj4+Pj4gMy4gcGxlYXNlIGNvbnNp ZGVyIHRoZSBjYXNlIHdoZXJlIG9yaWdpbmFsIERNQS1CVUYncyBmaXJzdCBvZmZzZXQKPj4+PiBh bmQgbGFzdCBsZW5ndGggYXJlIG5vdCAwIGFuZCBQQUdFX1NJWkUgcmVzcGVjdGl2ZWx5LiBJIGFz c3VtZSBjdXJyZW50Cj4+Pj4geGVuLXpjb3B5IG9ubHkgc3VwcG9ydHMgcGFnZS1hbGlnbmVkIGJ1 ZmZlciB3aXRoIFBBR0VfU0laRSB4IG4gYmlnLgo+Pj4gSG0sIHdoYXQgaXMgdGhlIHVzZS1jYXNl IGZvciB0aGF0Pwo+IEp1c3QgaW4gZ2VuZXJhbCB1c2UtY2FzZS4uIEkgd2FzIGp1c3QgY29uc2lk ZXJpbmcgdGhlIGNhc2UgKG1pZ2h0IGJlIGNvcm5lcgo+IGNhc2UuLikgd2hlcmUgc2ctPm9mZnNl dCAhPSAwIG9yIHNnLT5sZW5ndGggIT0gUEFHRV9TSVpFLiBIeXBlciBkbWFidWYgc2VuZHMKPiB0 aGlzIGluZm9ybWF0aW9uIChmaXJzdCBvZmZzZXQgYW5kIGxhc3QgbGVuZ3RoKSB0b2dldGhlciB3 aXRoIHJlZmVyZW5jZXMgZm9yCj4gcGFnZXMuIFNvIEkgd2FzIHdvbmRlcmluZyBpZiB3ZSBzaG91 bGQgc28gc2ltaWxhciB0aGluZyBpbiB6Y29weSBzaW5jZSB5b3VyCj4gZ29hbCBpcyBub3cgdG8g Y292ZXIgZ2VuZXJhbCBkbWEtYnVmIHVzZS1jYXNlcyAoaG93ZXZlciwgZGFudmV0IG1lbnRpb25l ZAo+IGhhcmQgY29uc3RhaW50IG9mIGRtYS1idWYgYmVsb3cuLiBzbyBpZiB0aGlzIGNhbid0IGhh cHBlbiBhY2NvcmRpbmcgdG8gdGhlCj4gc3BlYywgdGhlbiB3ZSBjYW4gaWdub3JlIGl0Li4pCkkg d29uJ3QgYmUgY29uc2lkZXJpbmcgdGhpcyB1c2UtY2FzZSBkdXJpbmcgcHJvdG90eXBpbmcgYXMK aXQgc2VlbXMgaXQgZG9lc24ndCBoYXZlIGEgKnJlYWwqIGdyb3VuZCB1bmRlcm5lYXRoCj4+IGRt YS1idWYgaXMgYWx3YXlzIHBhZ2UtYWxpZ25lZC4gVGhhdCdzIGEgaGFyZCBjb25zdHJhaW50IG9m IHRoZSBsaW51eAo+PiBkbWEtYnVmIGludGVyZmFjZSBzcGVjLgo+PiAtRGFuaWVsCj4gSG1tLi4g SSBhbSBsaXR0bGUgYml0IGNvbmZ1c2VkLi4KPiBTbyBkb2VzIGl0IG1lYW4gZG1hYnVmLT5zaXpl IGlzIGFsd2F5cyBuKlBBR0VfU0laRT8gV2hhdCBpcyB0aGUgc2d0IGJlaGluZAo+IGRtYWJ1ZiBo YXMgYW4gb2Zmc2V0IG90aGVyIHRoYW4gMCBmb3IgdGhlIGZpcnN0IHNnbCBvciB0aGUgbGVuZ3Ro IG9mIHRoZQo+IGxhc3Qgc2dsIGlzIG5vdCBQQUdFX1NJWkU/IFlvdSBhcmUgc2F5aW5nIHRoaXMg Y2FzZSBpcyBub3QgYWNjZXB0YWJsZSBmb3IKPiBkbWFidWY/CklNTywgeWVzLCBzZWUgYWJvdmUK Pj4+PiB0aGFua3MsCj4+Pj4gRFcKPj4+IFRoYW5rIHlvdSwKPj4+IE9sZWtzYW5kcgo+Pj4+IE9u IFR1ZSwgQXByIDI0LCAyMDE4IGF0IDAyOjU5OjM5UE0gKzAzMDAsIE9sZWtzYW5kciBBbmRydXNo Y2hlbmtvIHdyb3RlOgo+Pj4+PiBPbiAwNC8yNC8yMDE4IDAyOjU0IFBNLCBEYW5pZWwgVmV0dGVy IHdyb3RlOgo+Pj4+Pj4gT24gTW9uLCBBcHIgMjMsIDIwMTggYXQgMDM6MTA6MzVQTSArMDMwMCwg T2xla3NhbmRyIEFuZHJ1c2hjaGVua28gd3JvdGU6Cj4+Pj4+Pj4gT24gMDQvMjMvMjAxOCAwMjo1 MiBQTSwgV2VpIExpdSB3cm90ZToKPj4+Pj4+Pj4gT24gRnJpLCBBcHIgMjAsIDIwMTggYXQgMDI6 MjU6MjBQTSArMDMwMCwgT2xla3NhbmRyIEFuZHJ1c2hjaGVua28gd3JvdGU6Cj4+Pj4+Pj4+Pj4+ ICAgICAgICB0aGUgZ250ZGV2Lgo+Pj4+Pj4+Pj4+Pgo+Pj4+Pj4+Pj4+PiBJIHRoaW5rIHRoaXMg aXMgZ2VuZXJpYyBlbm91Z2ggdGhhdCBpdCBjb3VsZCBiZSBpbXBsZW1lbnRlZCBieSBhCj4+Pj4+ Pj4+Pj4+IGRldmljZSBub3QgdGllZCB0byBYZW4uIEFGQUlDVCB0aGUgaHlwZXJfZG1hIGd1eXMg YWxzbyB3YW50ZWQKPj4+Pj4+Pj4+Pj4gc29tZXRoaW5nIHNpbWlsYXIgdG8gdGhpcy4KPj4+Pj4+ Pj4+PiBZb3UgY2FuJ3QganVzdCB3cmFwIHJhbmRvbSB1c2Vyc3BhY2UgbWVtb3J5IGludG8gYSBk bWEtYnVmLiBXZSd2ZSBqdXN0IGhhZAo+Pj4+Pj4+Pj4+IHRoaXMgZGlzY3Vzc2lvbiB3aXRoIGt2 bS9xZW11IGZvbGtzLCB3aG8gcHJvcG9zZWQganVzdCB0aGF0LCBhbmQgYWZ0ZXIgYQo+Pj4+Pj4+ Pj4+IGJpdCBvZiBkaXNjdXNzaW9uIHRoZXknbGwgbm93IHRyeSB0byBoYXZlIGEgZHJpdmVyIHdo aWNoIGp1c3Qgd3JhcHMgYQo+Pj4+Pj4+Pj4+IG1lbWZkIGludG8gYSBkbWEtYnVmLgo+Pj4+Pj4+ Pj4gU28sIHdlIGhhdmUgdG8gZGVjaWRlIGVpdGhlciB3ZSBpbnRyb2R1Y2UgYSBuZXcgZHJpdmVy Cj4+Pj4+Pj4+PiAoc2F5LCB1bmRlciBkcml2ZXJzL3hlbi94ZW4tZG1hLWJ1Zikgb3IgZXh0ZW5k IHRoZSBleGlzdGluZwo+Pj4+Pj4+Pj4gZ250ZGV2L2JhbGxvb24gdG8gc3VwcG9ydCBkbWEtYnVm IHVzZS1jYXNlcy4KPj4+Pj4+Pj4+Cj4+Pj4+Pj4+PiBDYW4gYW55Ym9keSBmcm9tIFhlbiBjb21t dW5pdHkgZXhwcmVzcyB0aGVpciBwcmVmZXJlbmNlIGhlcmU/Cj4+Pj4+Pj4+Pgo+Pj4+Pj4+PiBP bGVrc2FuZHIgdGFsa2VkIHRvIG1lIG9uIElSQyBhYm91dCB0aGlzLCBoZSBzYWlkIGEgZmV3IElP Q1RMcyBuZWVkIHRvCj4+Pj4+Pj4+IGJlIGFkZGVkIHRvIGVpdGhlciBleGlzdGluZyBkcml2ZXJz IG9yIGEgbmV3IGRyaXZlci4KPj4+Pj4+Pj4KPj4+Pj4+Pj4gSSB3ZW50IHRocm91Z2ggdGhpcyB0 aHJlYWQgdHdpY2UgYW5kIHNraW1tZWQgdGhyb3VnaCB0aGUgcmVsZXZhbnQKPj4+Pj4+Pj4gZG9j dW1lbnRzLCBidXQgSSBjb3VsZG4ndCBzZWUgYW55IG9idmlvdXMgcHJvcyBhbmQgY29ucyBmb3Ig ZWl0aGVyCj4+Pj4+Pj4+IGFwcHJvYWNoLiBTbyBJIGRvbid0IHJlYWxseSBoYXZlIGFuIG9waW5p b24gb24gdGhpcy4KPj4+Pj4+Pj4KPj4+Pj4+Pj4gQnV0LCBhc3N1bWluZyBpZiBpbXBsZW1lbnRl ZCBpbiBleGlzdGluZyBkcml2ZXJzLCB0aG9zZSBJT0NUTHMgbmVlZCB0bwo+Pj4+Pj4+PiBiZSBh ZGRlZCB0byBkaWZmZXJlbnQgZHJpdmVycywgd2hpY2ggbWVhbnMgdXNlcnNwYWNlIHByb2dyYW0g bmVlZHMgdG8KPj4+Pj4+Pj4gd3JpdGUgbW9yZSBjb2RlIGFuZCBnZXQgbW9yZSBoYW5kbGVzLCBp dCB3b3VsZCBiZSBzbGlnaHRseSBiZXR0ZXIgdG8KPj4+Pj4+Pj4gaW1wbGVtZW50IGEgbmV3IGRy aXZlciBmcm9tIHRoYXQgcGVyc3BlY3RpdmUuCj4+Pj4+Pj4gSWYgZ250ZGV2L2JhbGxvb24gZXh0 ZW5zaW9uIGlzIHN0aWxsIGNvbnNpZGVyZWQ6Cj4+Pj4+Pj4KPj4+Pj4+PiBBbGwgdGhlIElPQ1RM cyB3aWxsIGJlIGluIGdudGRldiBkcml2ZXIgKGluIGN1cnJlbnQgeGVuLXpjb3B5IHRlcm1pbm9s b2d5KToKPj4+Pj4gSSB3YXMgbGF6eSB0byBjaGFuZ2UgZHVtYiB0byBkbWEtYnVmLCBzbyBwdXQg dGhpcyBub3RpY2UgOykKPj4+Pj4+PiAgIMKgLSBEUk1fSUNPVExfWEVOX1pDT1BZX0RVTUJfRlJP TV9SRUZTCj4+Pj4+Pj4gICDCoC0gRFJNX0lPQ1RMX1hFTl9aQ09QWV9EVU1CX1RPX1JFRlMKPj4+ Pj4+PiAgIMKgLSBEUk1fSU9DVExfWEVOX1pDT1BZX0RVTUJfV0FJVF9GUkVFCj4+Pj4+PiBzL0RV TUIvRE1BX0JVRi8gcGxlYXNlLiBUaGlzIGlzIGdlbmVyaWMgZG1hLWJ1ZiwgaXQgaGFzIG5vdGhp bmcgdG8gZG8gd2l0aAo+Pj4+Pj4gdGhlIGR1bWIgc2Nhbm91dCBidWZmZXIgc3VwcG9ydCBpbiB0 aGUgZHJtL2dmeCBzdWJzeXN0ZW0uIFRoaXMgaGVyZSBjYW4gYmUKPj4+Pj4+IHVzZWQgZm9yIGFu eSB6Y29weSBzaGFyaW5nIGFtb25nIGd1ZXN0cyAoYXMgbG9uZyBhcyB5b3VyIGVuZHBvaW50cwo+ Pj4+Pj4gdW5kZXJzdGFuZHMgZG1hLWJ1Ziwgd2hpY2ggbW9zdCByZWxldmFudCBkcml2ZXJzIGRv KS4KPj4+Pj4gT2YgY291cnNlLCBwbGVhc2Ugc2VlIGFib3ZlCj4+Pj4+PiAtRGFuaWVsCj4+Pj4+ Pgo+Pj4+Pj4+IEJhbGxvb24gZHJpdmVyIGV4dGVuc2lvbiwgd2hpY2ggaXMgbmVlZGVkIGZvciBj b250aWd1b3VzL0RNQQo+Pj4+Pj4+IGJ1ZmZlcnMsIHdpbGwgYmUgdG8gcHJvdmlkZSBuZXcgKmtl cm5lbCBBUEkqLCBubyBVQVBJIGlzIG5lZWRlZC4KPj4+Pj4+Pgo+Pj4+Pj4+PiBXZWkuCj4+Pj4+ Pj4gVGhhbmsgeW91LAo+Pj4+Pj4+IE9sZWtzYW5kcgo+Pj4+Pj4+IF9fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fCj4+Pj4+Pj4gZHJpLWRldmVsIG1haWxpbmcg bGlzdAo+Pj4+Pj4+IGRyaS1kZXZlbEBsaXN0cy5mcmVlZGVza3RvcC5vcmcKPj4+Pj4+PiBodHRw czovL2xpc3RzLmZyZWVkZXNrdG9wLm9yZy9tYWlsbWFuL2xpc3RpbmZvL2RyaS1kZXZlbAo+Pj4g X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18KPj4+IGRyaS1k ZXZlbCBtYWlsaW5nIGxpc3QKPj4+IGRyaS1kZXZlbEBsaXN0cy5mcmVlZGVza3RvcC5vcmcKPj4+ IGh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21haWxtYW4vbGlzdGluZm8vZHJpLWRldmVs Cj4+IC0tIAo+PiBEYW5pZWwgVmV0dGVyCj4+IFNvZnR3YXJlIEVuZ2luZWVyLCBJbnRlbCBDb3Jw b3JhdGlvbgo+PiBodHRwOi8vYmxvZy5mZndsbC5jaAoKX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX18KZHJpLWRldmVsIG1haWxpbmcgbGlzdApkcmktZGV2ZWxA bGlzdHMuZnJlZWRlc2t0b3Aub3JnCmh0dHBzOi8vbGlzdHMuZnJlZWRlc2t0b3Aub3JnL21haWxt YW4vbGlzdGluZm8vZHJpLWRldmVsCg==