From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 670C3EB64DC for ; Wed, 28 Jun 2023 21:10:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231182AbjF1VKE (ORCPT ); Wed, 28 Jun 2023 17:10:04 -0400 Received: from linux.microsoft.com ([13.77.154.182]:39496 "EHLO linux.microsoft.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232424AbjF1VJx (ORCPT ); Wed, 28 Jun 2023 17:09:53 -0400 Received: by linux.microsoft.com (Postfix, from userid 1052) id 018FD2083951; Wed, 28 Jun 2023 14:09:48 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 018FD2083951 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1687986589; bh=3MxH67nmPMTh1Y9YHFDwcdynFIT9R+2Yy1bJAdl9Zbk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Qc8XbsJY/ZOmKZfcMPnWwl+2ZD2g4G3gyYxY5/UKTMHEQ0Vy+CuGbeq/EyiI04sh6 JyqfEyhDYyMHODqH3UmQd1ZVWWX5f1NOlbT3MVqTn8pXBC/t2tOJhs6LftalnMPTE8 jzMOqUsG+nXlY2hSVyD/nukiMliwf0MofiQ5v19s= From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: [RFC PATCH v10 17/17] documentation: add ipe documentation Date: Wed, 28 Jun 2023 14:09:31 -0700 Message-Id: <1687986571-16823-18-git-send-email-wufan@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1687986571-16823-1-git-send-email-wufan@linux.microsoft.com> References: <1687986571-16823-1-git-send-email-wufan@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: audit@vger.kernel.org From: Deven Bowers Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + No Changes v3: + Add Acked-by + Fixup code block syntax + Fix a minor grammatical issue. v4: + Update documentation with the results of other code changes. v5: + No changes v6: + No changes v7: + Add additional developer-level documentation + Update admin-guide docs to reflect changes. + Drop Acked-by due to significant changes + Added section about audit events in admin-guide v8: + Correct terminology from "audit event" to "audit record" + Add associated documentation with the correct "audit event" terminology. + Add some context to the historical motivation for IPE and design philosophy. + Add some content about the securityfs layout in the policies directory. + Various spelling and grammatical corrections. v9: + Correct spelling of "pitfalls" + Update the docs w.r.t the new parser and new audit formats v10: + Refine user docs per upstream suggetions + Update audit events part --- Documentation/admin-guide/LSM/index.rst | 1 + Documentation/admin-guide/LSM/ipe.rst | 752 ++++++++++++++++++ .../admin-guide/kernel-parameters.txt | 12 + Documentation/security/index.rst | 1 + Documentation/security/ipe.rst | 420 ++++++++++ MAINTAINERS | 2 + 6 files changed, 1188 insertions(+) create mode 100644 Documentation/admin-guide/LSM/ipe.rst create mode 100644 Documentation/security/ipe.rst diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index a6ba95fbaa9f..ce63be6d64ad 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -47,3 +47,4 @@ subdirectories. tomoyo Yama SafeSetID + ipe diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst new file mode 100644 index 000000000000..da59f78427fa --- /dev/null +++ b/Documentation/admin-guide/LSM/ipe.rst @@ -0,0 +1,752 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) +================================== + +.. NOTE:: + + This is the documentation for admins, system builders, or individuals + attempting to use IPE. If you're looking for more developer-focused + documentation about IPE please see `Documentation/security/ipe.rst` + +Overview +-------- + +IPE is a Linux Security Module which takes a complimentary approach to +access control. Whereas existing mandatory access control mechanisms +base their decisions on labels and paths, IPE instead determines +whether or not an operation should be allowed based on immutable +security properties of the system component the operation is being +performed on. + +IPE itself does not mandate how the security property should be +evaluated, but relies on an extensible set of external property providers +to evaluate the component. IPE makes its decision based on reference +values for the selected properties, specified in the IPE policy. + +The reference values represent the value that the policy writer and the +local system administrator (based on the policy signature) trust for the +system to accomplish the desired tasks. + +One such provider is for example dm-verity, which is able to represent +the integrity property of a partition (its immutable state) with a digest. + +To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under +:menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config +option is enabled. + +Use Cases +--------- + +IPE works best in fixed-function devices: devices in which their purpose +is clearly defined and not supposed to be changed (e.g. network firewall +device in a data center, an IoT device, etcetera), where all software and +configuration is built and provisioned by the system owner. + +IPE is a long-way off for use in general-purpose computing: the Linux +community as a whole tends to follow a decentralized trust model (known as +the web of trust), which IPE has no support for it yet. Instead, IPE +supports PKI (public key infrastructure), which generally designates a +set of trusted entities that provide a measure of absolute trust. + +Additionally, while most packages are signed today, the files inside +the packages (for instance, the executables), tend to be unsigned. This +makes it difficult to utilize IPE in systems where a package manager is +expected to be functional, without major changes to the package manager +and ecosystem behind it. + +DIGLIM [#diglim]_ is a system that when combined with IPE, could be used to +enable and support general-purpose computing use cases. + +Known Limitations +----------------- + +IPE cannot verify the integrity of anonymous executable memory, such as +the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code. +Unfortunately, as this is dynamically generated code, there is no way +for IPE to ensure the integrity of this code to form a trust basis. In all +cases, the return result for these operations will be whatever the admin +configures as the ``DEFAULT`` action for ``EXECUTE``. + +IPE cannot verify the integrity of programs written in interpreted +languages when these scripts are invoked by passing these program files +to the interpreter. This is because the way interpreters execute these +files; the scripts themselves are not evaluated as executable code +through one of IPE's hooks, but they are merely text files that are read +(as opposed to compiled executables) [#interpreters]_. + +Threat Model +------------ + +The threat type addressed by IPE is tampering of executable userspace +code beyond the initially booted kernel, and the initial verification of +kernel modules that are loaded in userspace through ``modprobe`` or +``insmod``. + +A bare-minimum example of a threat that should be mitigated by IPE, is +an untrusted (potentially malicious) binary that is downloaded and +bundled with all required dependencies (including a loader, libc, etc). +With IPE, this binary should not be allowed to be executed, not even any +of its dependencies. + +Tampering violates integrity, yet lack of trust is caused by being +unable to detect tampering (and by extent verifying the integrity). +IPE's role in mitigating this threat is to verify the integrity (and +authenticity) of all executable code and to deny their use if they +cannot be trusted (as integrity verification fails, or the authorization +check fails against the reference value in the policy). IPE generates +audit logs which may be utilized to detect and analyze failures +resulting from policy violation. + +Tampering threat scenarios include modification or replacement of +executable code by a range of actors including: + +- Actors with physical access to the hardware +- Actors with local network access to the system +- Actors with access to the deployment system +- Compromised internal systems under external control +- Malicious end users of the system +- Compromised end users of the system +- Remote (external) compromise of the system + +IPE does not mitigate threats arising from malicious but authorized +developers (with access to a signing certificate), or compromised +developer tools used by them (i.e. return-oriented programming attacks). +Additionally, IPE draws hard security boundary between userspace and +kernelspace. As a result, IPE does not provide any protections against a +kernel level exploit, and a kernel-level exploit can disable or tamper +with IPE's protections. + +Policy +------ + +IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements +over several lines. There is one required line, at the top of the +policy, indicating the policy name, and the policy version, for +instance:: + + policy_name=Ex_Policy policy_version=0.0.0 + +The policy name is a unique key identifying this policy in a human +readable name. This is used to create nodes under securityfs as well as +uniquely identify policies to deploy new policies vs update existing +policies. + +The policy version indicates the current version of the policy (NOT the +policy syntax version). This is used to prevent rollback of policy to +potentially insecure previous versions of the policy. + +The next portion of IPE policy are rules. Rules are formed by key=value +pairs, known as properties. IPE rules require two properties: ``action``, +which determines what IPE does when it encounters a match against the +rule, and ``op``, which determines when the rule should be evaluated. +The ordering is significant, a rule must start with ``op``, and end with +``action``. Thus, a minimal rule is:: + + op=EXECUTE action=ALLOW + +This example will allow any execution. Additional properties are used to +restrict attributes about the files being evaluated. These properties +are intended to be descriptions of systems within the kernel that can +provide a measure of integrity verification, such that IPE can determine +the trust of the resource based on the value of the property. + +Rules are evaluated top-to-bottom. As a result, any revocation rules, +or denies should be placed early in the file to ensure that these rules +are evaluated before a rule with ``action=ALLOW``. + +IPE policy supports comments. The character '#' will function as a +comment, ignoring all characters to the right of '#' until the newline. + +The default behavior of IPE evaluations can also be expressed in policy, +through the ``DEFAULT`` statement. This can be done at a global level, +or a per-operation level:: + + # Global + DEFAULT action=ALLOW + + # Operation Specific + DEFAULT op=EXECUTE action=ALLOW + +A default must be set for all known operations in IPE. If you want to +preserve older policies being compatible with newer kernels that can introduce +new operations, set a global default of ``ALLOW``, then override the +defaults on a per-operation basis (as above). + +With configurable policy-based LSMs, there's several issues with +enforcing the configurable policies at startup, around reading and +parsing the policy: + +1. The kernel *should* not read files from userspace, so directly reading + the policy file is prohibited. +2. The kernel command line has a character limit, and one kernel module + should not reserve the entire character limit for its own + configuration. +3. There are various boot loaders in the kernel ecosystem, so handing + off a memory block would be costly to maintain. + +As a result, IPE has addressed this problem through a concept of a "boot +policy". A boot policy is a minimal policy which is compiled into the +kernel. This policy is intended to get the system to a state where +userspace is set up and ready to receive commands, at which point a more +complex policy can be deployed via securityfs. The boot policy can be +specified via ``SECURITY_IPE_BOOT_POLICY`` config option, which accepts +a path to a plain-text version of the IPE policy to apply. This policy +will be compiled into the kernel. If not specified, IPE will be disabled +until a policy is deployed and activated through securityfs. + +Deploying Policies +~~~~~~~~~~~~~~~~~~ + +Policies can be deployed from userspace through securityfs. These policies +are signed through the PKCS#7 message format to enforce some level of +authorization of the policies (prohibiting an attacker from gaining +unconstrained root, and deploying an "allow all" policy). These +policies must be signed by a certificate that chains to the +``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by:: + + openssl smime -sign \ + -in "$MY_POLICY" \ + -signer "$MY_CERTIFICATE" \ + -inkey "$MY_PRIVATE_KEY" \ + -noattr \ + -nodetach \ + -nosmimecap \ + -outform der \ + -out "$MY_POLICY.p7b" + +Deploying the policies is done through securityfs, through the +``new_policy`` node. To deploy a policy, simply cat the file into the +securityfs node:: + + cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy + +Upon success, this will create one subdirectory under +``/sys/kernel/security/ipe/policies/``. The subdirectory will be the +``policy_name`` field of the policy deployed, so for the example above, +the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``. +Within this directory, there will be five files: ``pkcs7``, ``policy``, +``active``, ``update``, and ``delete``. + +The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data +that was provided to the kernel, representing the policy. If the policy being +read is the boot policy, this will return ``ENOENT``, as it is not signed. + +The ``policy`` file is read only. Reading it returns the PKCS#7 inner +content of the policy, which will be the plain text policy. + +The ``active`` file is used to set a policy as the currently active policy. +This file is rw, and accepts a value of ``"1"`` to set the policy as active. +Since only a single policy can be active at one time, all other policies +will be marked inactive. The policy being marked active must have a policy +version greater or equal to the currently-running version. + +The ``update`` file is used to update a policy that is already present +in the kernel. This file is write-only and accepts a PKCS#7 signed +policy. Two checks will always be performed on this policy: First, the +``policy_names`` must match with the updated version and the existing +version. Second the updated policy must have a policy version greater than +or equal to the currently-running version. This is to prevent rollback attacks. + +The ``delete`` file is used to remove a policy that is no longer needed. +This file is write-only and accepts a value of ``1`` to delete the policy. +On deletion, the securityfs node representing the policy will be removed. +However, delete the current active policy is not allowed and will return +an operation not permitted error. + +Similarly, writing to both ``update`` and ``new_policy`` could result in +bad message(policy syntax error) or file exists error. The latter error happens +when trying to deploy a policy with a ``policy_name`` while the kernel already +has a deployed policy with the same ``policy_name``. + +Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will +only enforce the policy marked active. Note that only one policy can be active +at a time. + +Once deployment is successful, the policy can be activated, by writing file +``/sys/kernel/security/ipe/$policy_name/active``. +For example, the ``Ex_Policy`` can be activated by:: + + echo 1 > "/sys/kernel/security/ipe/Ex_Policy/active" + +From above point on, ``Ex_Policy`` is now the enforced policy on the +system. + +IPE also provides a way to delete policies. This can be done via the +``delete`` securityfs node, ``/sys/kernel/security/ipe/$policy_name/delete``. +Writing ``1`` to that file deletes the policy:: + + echo 1 > "/sys/kernel/security/ipe/$policy_name/delete" + +There is only one requirement to delete a policy: the policy being deleted +must be inactive. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack), all + writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Modes +~~~~~ + +IPE supports two modes of operation: permissive (similar to SELinux's +permissive mode) and enforced. In permissive mode, all events are +checked and policy violations are logged, but the policy is not really +enforced. This allows users to test policies before enforcing them. + +The default mode is enforce, and can be changed via the kernel command +line parameter ``ipe.enforce=(0|1)``, or the securityfs node +``/sys/kernel/security/ipe/enforce``. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Audit Events +~~~~~~~~~~~~ + +1420 AUDIT_IPE_ACCESS +^^^^^^^^^^^^^^^^^^^^^ +Event Examples:: + + type=1420 audit(1653364370.067:61): path="/root/fs/rw/plain/execve" dev="vdc1" ino=16 rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364370.067:61): arch=c000003e syscall=10 success=no exit=-13 a0=7f0bf0644000 a1=4f80 a2=5 a3=7f0bf043d300 items=0 ppid=455 pid=737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mprotect" exe="/root/host/mprotect" subj=kernel key=(null) + type=1327 audit(1653364370.067:61): proctitle=686F73742F6D70726F7465637400534800527C5700527C5800706C61696E2F657865637665 + + type=1420 audit(1653364735.161:64): rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364735.161:64): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=20 items=0 ppid=455 pid=774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mmap" exe="/root/host/mmap" subj=kernel key=(null) + type=1327 audit(1653364735.161:64): proctitle=686F73742F6D6D617000410058⏎ + +This event indicates that IPE made an access control decision; the IPE +specific record (1420) is always emitted in conjunction with a +``AUDITSYSCALL`` record. + +Determining whether IPE is in permissive or enforced mode can be derived +from ``success`` property and exit code of the ``AUDITSYSCALL`` record. + + +Field descriptions: + ++-------+------------+-----------+-------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++=======+============+===========+=================================================+ +| path | string | Yes | The absolute path to the evaluated file | ++-------+------------+-----------+-------------------------------------------------+ +| ino | integer | Yes | The inode number of the evaluated file | ++-------+------------+-----------+-------------------------------------------------+ +| dev | string | Yes | The device name of the evaluated file, e.g. vda | ++-------+------------+-----------+-------------------------------------------------+ +| rule | string | No | The matched policy rule | ++-------+------------+-----------+-------------------------------------------------+ + +1421 AUDIT_IPE_CONFIG_CHANGE +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 + type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) + type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2 + +This event indicates that IPE switched the active poliy from one to another +along with the version and the hash digest of the two policies. +Note IPE can only have one policy active at a time, all access decision +evaluation is based on the current active policy. +The normal procedure to deploy a new policy is loading the policy to deploy +into the kernel first, then switch the active policy to it. + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++------------------------+------------+-----------+---------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++========================+============+===========+===================================================+ +| old_active_pol_name | string | No | The name of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| old_active_pol_version | string | No | The version of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| old_policy_digest | string | No | The hash of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_active_pol_name | string | No | The name of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_active_pol_version | string | No | The version of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_policy_digest | string | No | The hash of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| auid | integer | No | The login user ID | ++------------------------+------------+-----------+---------------------------------------------------+ +| ses | integer | No | The login session ID | ++------------------------+------------+-----------+---------------------------------------------------+ +| lsm | string | No | The lsm name associated with the event | ++------------------------+------------+-----------+---------------------------------------------------+ +| res | integer | No | The result of the audited operation(success/fail) | ++------------------------+------------+-----------+---------------------------------------------------+ + +1422 AUDIT_IPE_POLICY_LOAD +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 + type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) + type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E + +This record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash. + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++----------------+------------+-----------+---------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++================+============+===========+===================================================+ +| policy_name | string | No | The policy_name | ++----------------+------------+-----------+---------------------------------------------------+ +| policy_version | string | No | The policy_version | ++----------------+------------+-----------+---------------------------------------------------+ +| policy_digest | string | No | The policy hash | ++----------------+------------+-----------+---------------------------------------------------+ +| auid | integer | No | The login user ID | ++----------------+------------+-----------+---------------------------------------------------+ +| ses | integer | No | The login session ID | ++----------------+------------+-----------+---------------------------------------------------+ +| lsm | string | No | The lsm name associated with the event | ++----------------+------------+-----------+---------------------------------------------------+ +| res | integer | No | The result of the audited operation(success/fail) | ++----------------+------------+-----------+---------------------------------------------------+ + + +1404 AUDIT_MAC_STATUS +^^^^^^^^^^^^^^^^^^^^^ + +Event Examples:: + + type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + + type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| Field | Value Type | Optional? | Description of Value | | ++===============+============+===========+=================================================================================================+=====+ +| enforcing | integer | No | The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| old_enforcing | integer | No | The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| auid | integer | No | The login user ID | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| ses | integer | No | The login session ID | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| enabled | integer | No | The new TTY audit enabled setting | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| old-enabled | integer | No | The old TTY audit enabled setting | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| lsm | string | No | The lsm name associated with the event | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| res | integer | No | The result of the audited operation(success/fail) | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ + +Success Auditing +^^^^^^^^^^^^^^^^ + +IPE supports success auditing. When enabled, all events that pass IPE +policy and are not blocked will emit an audit event. This is disabled by +default, and can be enabled via the kernel command line +``ipe.success_audit=(0|1)`` or +``/sys/kernel/security/ipe/success_audit`` securityfs file. + +This is *very* noisy, as IPE will check every userspace binary on the +system, but is useful for debugging policies. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Properties +---------- + +As explained above, IPE properties are ``key=value`` pairs expressed in +IPE policy. Two properties are built-into the policy parser: 'op' and +'action'. The other properties are deterministic attributes to express +across files. Currently those properties are: '``boot_verified``', +'``dmverity_signature``', '``dmverity_roothash``', '``fsverity_signature``', +'``fsverity_digest``'. A description of all properties supported by IPE +are listed below: + +op +~~ + +Indicates the operation for a rule to apply to. Must be in every rule, +as the first token. IPE supports the following operations: + + ``EXECUTE`` + + Pertains to any file attempting to be executed, or loaded as an + executable. + + ``FIRMWARE``: + + Pertains to firmware being loaded via the firmware_class interface. + This covers both the preallocated buffer and the firmware file + itself. + + ``KMODULE``: + + Pertains to loading kernel modules via ``modprobe`` or ``insmod``. + + ``KEXEC_IMAGE``: + + Pertains to kernel images loading via ``kexec``. + + ``KEXEC_INITRAMFS`` + + Pertains to initrd images loading via ``kexec --initrd``. + + ``POLICY``: + + Controls loading policies via reading a kernel-space initiated read. + + An example of such is loading IMA policies by writing the path + to the policy file to ``$securityfs/ima/policy`` + + ``X509_CERT``: + + Controls loading IMA certificates through the Kconfigs, + ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``. + +action +~~~~~~ + + Determines what IPE should do when a rule matches. Must be in every + rule, as the final clause. Can be one of: + + ``ALLOW``: + + If the rule matches, explicitly allow access to the resource to proceed + without executing any more rules. + + ``DENY``: + + If the rule matches, explicitly prohibit access to the resource to + proceed without executing any more rules. + +boot_verified +~~~~~~~~~~~~~ + + This property can be utilized for authorization of the first super-block + that executes a file. This is almost always init. Typically this is used + for systems with an initramfs or other initial disk, where this is unmounted + before the system becomes available, and is not covered by any other property. + The format of this property is:: + + boot_verified=(TRUE|FALSE) + + + .. WARNING:: + + This property will trust any disk where the first execution evaluation + occurs. If you do *NOT* have a startup disk that is unpacked and unmounted + (like initramfs), then it will automatically trust the root filesystem and + potentially overauthorize the entire disk. + +dmverity_roothash +~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization or revocation of + specific dm-verity volumes, identified via sroot hash. It has a + dependency on the DM_VERITY module. This property is controlled by + the ``IPE_PROP_DM_VERITY`` config option, it will be automatically + selected when ``IPE_SECURITY``, ``DM_VERITY `` and + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled. + The format of this property is:: + + dmverity_roothash=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#dmveritydigests]_ [#securedigest]_ : + + + blake2b-512 + + blake2s-256 + + sha1 + + sha256 + + sha384 + + sha512 + + sha3-224 + + sha3-256 + + sha3-384 + + sha3-512 + + md4 + + md5 + + sm3 + + rmd160 + +dmverity_signature +~~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization of all dm-verity + volumes that have a signed roothash that chains to a keyring + specified by dm-verity's configuration, either the system trusted + keyring, or the secondary keyring. It depends on + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by + the ``IPE_PROP_DM_VERITY`` config option, it will be automatically + selected when ``IPE_SECURITY``, ``DM_VERITY `` and + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled. + The format of this property is:: + + dmverity_signature=(TRUE|FALSE) + +fsverity_digest +~~~~~~~~~~~~~~~ + + This property can be utilized for authorization or revocation of + specific fsverity enabled file, identified via its fsverity digest. + It depends on ``FS_VERITY`` config option and is controlled by + ``CONFIG_IPE_PROP_FS_VERITY``. The format of this property is:: + + fsverity_digest=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#fsveritydigest] [#securedigest]_ : + + + sha256 + + sha512 + +fsverity_signature +~~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization of all fsverity + enabled files that is verified by fsverity. The keyring that the + signature is verified against is subject to fsverity's configuration, + typically the fsverity keyring. It depends on + ``CONFIG_FS_VERITY_BUILTIN_SIGNATURES`` and it is controlled by + the Kconfig ``CONFIG_IPE_PROP_FS_VERITY``. The format of this + property is:: + + fsverity_signature=(TRUE|FALSE) + +Policy Examples +--------------- + +Allow all +~~~~~~~~~ + +:: + + policy_name=Allow_All policy_version=0.0.0 + DEFAULT action=ALLOW + +Allow only initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=Allow_All_Initial_SB policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + +Allow any signed dm-verity volume and the initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Prohibit execution from a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Allow only a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW + +Allow any signed fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedFSVerity policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_signature=TRUE action=ALLOW + +Prohibit execution of a specific fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=ProhibitSpecificFSVF policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=DENY + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Additional Information +---------------------- + +- `Github Repository `_ +- `Design Documentation `_ + +FAQ +--- + +Q: + What's the difference between other LSMs which provide a measure of + trust-based access control? + +A: + + In general, there's two other LSMs that can provide similar functionality: + IMA, and Loadpin. + + IMA and IPE are functionally very similar. The significant difference between + the two is the policy. [#devdoc]_ + + Loadpin and IPE differ fairly dramatically, as Loadpin controls only the IPE + equivalent of ``KERNEL_READ``, whereas IPE is capable of controlling execution, + on top of ``KERNEL_READ``. The trust model is also different; Loadpin roots its + trust in the initial super-block, whereas trust in IPE is stemmed from kernel + itself (via ``SYSTEM_TRUSTED_KEYS``). + +----------- + +.. [#diglim] 1: https://lore.kernel.org/bpf/4d6932e96d774227b42721d9f645ba51@huawei.com/T/ + +.. [#interpreters] There is `some interest in solving this issue `_. + +.. [#devdoc] Please see `Documentation/security/ipe.rst` for more on this topic. + +.. [#fsveritydigest] These hash algorithms are based on values accepted by fsverity-utils; + IPE does not impose any restrictions on the digest algorithm itself; + thus, this list may be out of date. + +.. [#dmveritydigests] These hash algorithms are based on values accepted by dm-verity, + specifically ``crypto_alloc_ahash`` in ``verity_ctr``; ``veritysetup`` + does support more algorithms than the list above. IPE does not impose + any restrictions on the digest algorithm itself; thus, this list + may be out of date. + +.. [#securedigest] Please ensure you are using cryptographically secure hash functions; + just because something is *supported* does not mean it is *secure*. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index c5e7bb4babf0..78ddd3bbca4d 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2219,6 +2219,18 @@ ipcmni_extend [KNL] Extend the maximum number of unique System V IPC identifiers from 32,768 to 16,777,216. + ipe.enforce= [IPE] + Format: + Determine whether IPE starts in permissive (0) or + enforce (1) mode. The default is enforce. + + ipe.success_audit= + [IPE] + Format: + Start IPE with success auditing enabled, emitting + an audit event when a binary is allowed. The default + is 0. + irqaffinity= [SMP] Set the default irq affinity mask The argument is a cpu list, as described above. diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst index 6ed8d2fa6f9e..a5248d4fd510 100644 --- a/Documentation/security/index.rst +++ b/Documentation/security/index.rst @@ -18,3 +18,4 @@ Security Documentation digsig landlock secrets/index + ipe diff --git a/Documentation/security/ipe.rst b/Documentation/security/ipe.rst new file mode 100644 index 000000000000..6a47a2ab5e39 --- /dev/null +++ b/Documentation/security/ipe.rst @@ -0,0 +1,420 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) - Kernel Documentation +========================================================= + +.. NOTE:: + + This is documentation targeted at developers, instead of administrators. + If you're looking for documentation on the usage of IPE, please see + `Documentation/admin-guide/LSM/ipe.rst` + +Historical Motivation +--------------------- + +The original issue that prompted IPE's implementation was the creation +of a locked-down system. This system would be born-secure, and have +strong integrity guarantees over both the executable code, and specific +*data files* on the system, that were critical to its function. These +specific data files would not be readable unless they passed integrity +policy. A mandatory access control system would be present, and +as a result, xattrs would have to be protected. This lead to a selection +of what would provide the integrity claims. At the time, there were two +main mechanisms considered that could guarantee integrity for the system +with these requirements: + + 1. IMA + EVM Signatures + 2. DM-Verity + +Both options were carefully considered, however the choice to use DM-Verity +over IMA+EVM as the *integrity mechanism* in the original use case of IPE +was due to three main reasons: + + 1. Protection of additional attack vectors: + + * With IMA+EVM, without an encryption solution, the system is vulnerable + to offline attack against the aforemetioned specific data files. + + Unlike executables, read operations (like those on the protected data + files), cannot be enforced to be globally integrtiy verified. This means + there must be some form of selector to determine whether a read should + enforce the integrity policy, or it should not. + + At the time, this was done with mandatory access control labels. An IMA + policy would indicate what labels required integrity verification, which + presented an issue: EVM would protect the label, but if an attacker could + modify filesystem offline, the attacker could wipe all the xattrs - + including the SELinux labels that would be used to determine whether the + file should be subject to integrity policy. + + With DM-Verity, as the xattrs are saved as part of the merkel tree, if + offline mount occurs against the filesystem protected by dm-verity, the + checksum no longer matches and the file fails to be read. + + * As userspace binaries are paged in Linux, dm-verity also offers the + additional protection against a hostile block device. In such an attack, + the block device reports the appropriate content for the IMA hash + initially, passing the required integrity check. Then, on the page fault + that accesses the real data, will report the attacker's payload. Since + dm-verity will check the data when the page fault occurs (and the disk + access), this attack is mitigated. + + 2. Performance: + + * dm-verity provides integrity verification on demand as blocks are + read versus requiring the entire file being read into memory for + validation. + + 3. Simplicity of signing: + + * No need for two signatures (IMA, then EVM): one signature covers + an entire block device. + * Signatures can be stored externally to the filesystem metadata. + * The signature supports an x.509-based signing infrastructure. + +The next step was to choose a *policy* to enforce the integrity mechanism. +The minimum requirements for the policy were: + + 1. The policy itself must be integrity verified (preventing trivial + attack against it). + 2. The policy itself must be resistant to rollback attacks. + 3. The policy enforcement must have a permissive-like mode. + 4. The policy must be able to be updated, in its entirety, without + a reboot. + 5. Policy updates must be atomic. + 6. The policy must support *revocations* of previously authored + components. + 7. The policy must be auditable, at any point-of-time. + +IMA, as the only integrity policy mechanism at the time, was +considered against these list of requirements, and did not fulfill +all of the minimum requirements. Extending IMA to cover these +requirements was considered, but ultimately discarded for a +two reasons: + + 1. Regression risk; many of these changes would result in + dramatic code changes to IMA, which is already present in the + kernel, and therefore might impact users. + + 2. IMA was used in the system for measurement and attestation; + separation of measurement policy from local integrity policy + enforcement was considered favorable. + +Due to these reasons, it was decided that a new LSM should be created, +whose responsibility would be only the local integrity policy enforcement. + +Role and Scope +-------------- + +IPE, as its name implies, is fundamentally an integrity policy enforcement +solution; IPE does not mandate how integrity is provided, but instead +leaves that decision to the system administrator to set the security bar, +via the mechanisms that they select that suit their individual needs. +There are several different integrity solutions that provide a different +level of security guarantees; and IPE allows sysadmins to express policy for +theoretically all of them. + +IPE does not have an inherent mechanism to ensure integrity on its own. +Instead, there are more effective layers available for building systems that +can guarantee integrity. It's important to note that the mechanism for proving +integrity is independent of the policy for enforcing that integrity claim. + +Therefore, IPE was designed around: + + 1. Easy integrations with integrity providers. + 2. Ease of use for platform administrators/sysadmins. + +Design Rationale: +----------------- + +IPE was designed after evaluating existing integrity policy solutions +in other operating systems and environments. In this survey of other +implementations, there were a few pitfalls identified: + + 1. Policies were not readable by humans, usually requiring a binary + intermediary format. + 2. A single, non-customizable action was implicitly taken as a default. + 3. Debugging the policy required manual steps to determine what rule was violated. + 4. Authoring a policy required an in-depth knowledge of the larger system, + or operating system. + +IPE attempts to avoid all of these pitfalls. + +Policy +~~~~~~ + +Plain Text +^^^^^^^^^^ + +IPE's policy is plain-text. This introduces slightly larger policy files than +other LSMs, but solves two major problems that occurs with some integrity policy +solutions on other platforms. + +The first issue is one of code maintenance and duplication. To author policies, +the policy has to be some form of string representation (be it structured, +through XML, JSON, YAML, etcetera), to allow the policy author to understand +what is being written. In a hypothetical binary policy design, a serializer +is necessary to write the policy from the human readable form, to the binary +form, and a deserializer is needed to interpret the binary form into a data +structure in the kernel. + +Eventually, another deserializer will be needed to transform the binary from +back into the human-readable form with as much information preserved. This is because a +user of this access control system will have to keep a lookup table of a checksum +and the original file itself to try to understand what policies have been deployed +on this system and what policies have not. For a single user, this may be alright, +as old policies can be discarded almost immediately after the update takes hold. +For users that manage computer fleets in the thousands, if not hundreds of thousands, +with multiple different operating systems, and multiple different operational needs, +this quickly becomes an issue, as stale policies from years ago may be present, +quickly resulting in the need to recover the policy or fund extensive infrastructure +to track what each policy contains. + +With now three separate serializer/deserializers, maintenance becomes costly. If the +policy avoids the binary format, there is only one required serializer: from the +human-readable form to the data structure in kernel, saving on code maintenance, +and retaining operability. + +The second issue with a binary format is one of transparency. As IPE controls +access based on the trust of the system's resources, it's policy must also be +trusted to be changed. This is done through signatures, resulting in needing +signing as a process. Signing, as a process, is typically done with a +high security bar, as anything signed can be used to attack integrity +enforcement systems. It is also important that, when signing something, that +the signer is aware of what they are signing. A binary policy can cause +obfuscation of that fact; what signers see is an opaque binary blob. A +plain-text policy, on the other hand, the signers see the actual policy +submitted for signing. + +Boot Policy +~~~~~~~~~~~ + +IPE, if configured appropriately, is able to enforce a policy as soon as a +kernel is booted and usermode starts. That implies some level of storage +of the policy to apply the minute usermode starts. Generally, that storage +can be handled in one of three ways: + + 1. The policy file(s) live on disk and the kernel loads the policy prior + to an code path that would result in an enforcement decision. + 2. The policy file(s) are passed by the bootloader to the kernel, who + parses the policy. + 3. There is a policy file that is compiled into the kernel that is + parsed and enforced on initialization. + +The first option has problems: the kernel reading files from userspace +is typically discouraged and very uncommon in the kernel. + +The second option also has problems: Linux supports a variety of bootloaders +across its entire ecosystem - every bootloader would have to support this +new methodology or there must be an independent source. It would likely +result in more drastic changes to the kernel startup than necessary. + +The third option is the best but it's important to be aware that the policy +will take disk space against the kernel it's compiled in. It's important to +keep this policy generalized enough that userspace can load a new, more +complicated policy, but restrictive enough that it will not overauthorize +and cause security issues. + +The initramfs provides a way that this bootup path can be established. The +kernel starts with a minimal policy, that trusts the initramfs only. Inside +the initramfs, when the real rootfs is mounted, but not yet transferred to, +it deploys and activates a policy that trusts the new root filesystem. +This prevents overauthorization at any step, and keeps the kernel policy +to a minimal size. + +Startup +^^^^^^^ + +Not every system, however starts with an initramfs, so the startup policy +compiled into the kernel will need some flexibility to express how trust +is established for the next phase of the bootup. To this end, if we just +make the compiled-in policy a full IPE policy, it allows system builders +to express the first stage bootup requirements appropriately. + +Updatable, Rebootless Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As requirements change over time (vulnerabilities are found in previously +trusted applications, keys roll, etcetera). Updating a kernel to change the +meet those security goals is not always a suitable option, as updates are not +always risk-free, and blocking a security update leaves systems vulnerable. +This means IPE requires a policy that can be completely updated (allowing +revocations of existing policy) from a source external to the kernel (allowing +policies to be updated without updating the kernel). + +Additionally, since the kernel is stateless between invocations, and reading +policy files off the disk from kernel space is a bad idea(tm), then the +policy updates have to be done rebootlessly. + +To allow an update from an external source, it could be potentially malicious, +so this policy needs to have a way to be identified as trusted. This is +done via a signature chained to a trust source in the kernel. Arbitrarily, +this is the ``SYSTEM_TRUSTED_KEYRING``, a keyring that is initially +populated at kernel compile-time, as this matches the expectation that the +author of the compiled-in policy described above is the same entity that can +deploy policy updates. + +Anti-Rollback / Anti-Replay +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Over time, vulnerabilities are found and trusted resources may not be +trusted anymore. IPE's policy has no exception to this. There can be +instances where a mistaken policy author deploys an insecure policy, +before correcting it with a secure policy. + +Assuming that as soon as the insecure policy is signed, and an attacker +acquires the insecure policy, IPE needs a way to prevent rollback +from the secure policy update to the insecure policy update. + +Initially, IPE's policy can have a policy_version that states the +minimum required version across all policies that can be active on +the system. This will prevent rollback while the system is live. + +.. WARNING:: + + However, since the kernel is stateless across boots, this policy + version will be reset to 0.0.0 on the next boot. System builders + need to be aware of this, and ensure the new secure policies are + deployed ASAP after a boot to ensure that the window of + opportunity is minimal for an attacker to deploy the insecure policy. + +Implicit Actions: +~~~~~~~~~~~~~~~~~ + +The issue of impicit actions only becomes visible when you consider +a mixed level of security bars across multiple operations in a system. +For example, consider a system that has strong integrity guarantees +over both the executable code, and specific *data files* on the system, +that were critical to its function. In this system, three types of policies +are possible: + + 1. A policy in which failure to match any rules in the policy results + in the action being denied. + 2. A policy in which failure to match any rules in the policy results + in the action being allowed. + 3. A policy in which the action taken when no rules are matched is + specified by the policy author. + +The first option could make a policy like this:: + + op=EXECUTE integrity_verified=YES action=ALLOW + +In the example system, this works well for the executables, as all +executables should have integrity guarantees, without exception. The +issue becomes with the second requirement about specific data files. +This would result in a policy like this (assuming each line is +evaluated in order):: + + op=EXECUTE integrity_verified=YES action=ALLOW + + op=READ integrity_verified=NO label=critical_t action=DENY + op=READ action=ALLOW + +This is somewhat clear if you read the docs, understand the policy +is executed in order and that the default is a denial; however, the +last line effectively changes that default to an ALLOW. This is +required, because in a realistic system, there are some unverified +reads (imagine appending to a log file). + +The second option, matching no rules results in an allow, is clearer +for the specific data files:: + + op=READ integrity_verified=NO label=critical_t action=DENY + +And, like the first option, falls short with the opposite scenario, +effectively needing to override the default:: + + op=EXECUTE integrity_verified=YES action=ALLOW + op=EXECUTE action=DENY + + op=READ integrity_verified=NO label=critical_t action=DENY + +This leaves the third option. Instead of making users be clever +and override the default with an empty rule, force the end-user +to consider what the appropriate default should be for their +scenario and explicitly state it:: + + DEFAULT op=EXECUTE action=DENY + op=EXECUTE integrity_verified=YES action=ALLOW + + DEFAULT op=READ action=ALLOW + op=READ integrity_verified=NO label=critical_t action=DENY + +Policy Debugging: +~~~~~~~~~~~~~~~~~ + +When developing a policy, it is useful to know what line of the policy +is being violated to reduce debugging costs; narrowing the scope of the +investigation to the exact line that resulted in the action. Some integrity +policy systems do not provide this information, instead providing the +information that was used in the evaluation. This then requires a correlation +with the policy to evaluate what went wrong. + +Instead, IPE just emits the rule that was matched. This limits the scope +of the investigation to the exact policy line (in the case of a specific +rule), or the section (in the case of a DEFAULT). This decreases iteration +and investigation times when policy failures are observed while evaluating +policies. + +IPE's policy engine is also designed in a way that it makes it obvious to +a human of how to investigate a policy failure. Each line is evaluated in +the sequence that is written, so the algorithm is very simple to follow +for humans to recreate the steps and could have caused the failure. In other +surveyed systems, optimizations occur (sorting rules, for instance) when loading +the policy. In those systems, it requires multiple steps to debug, and the +algorithm may not always be clear to the end-user without reading the code first. + +Simplified Policy: +~~~~~~~~~~~~~~~~~~ + +Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead +of covering individual LSM hooks (or syscalls), IPE covers operations. This means +instead of sysadmins needing to know that the syscalls ``mmap``, ``mprotect``, +``execve``, and ``uselib`` must have rules protecting them, they must simple know +that they want to restrict code execution. This limits the amount of bypasses that +could occur due to a lack of knowledge of the underlying system; whereas the +maintainers of IPE, being kernel developers can make the correct choice to determine +whether something maps to these operations, and under what conditions. + +Implementation Notes +-------------------- + +Anonymous Memory +~~~~~~~~~~~~~~~~ + +Anonymous memory isn't treated any differently from any other access in IPE. +When anonymous memory is mapped with ``+X``, it still comes into the ``file_mmap`` +or ``file_mprotect`` hook, but with a ``NULL`` file object. This is submitted to +the evaluation, like any other file, however, all current trust mechanisms will +return false as there is nothing to evaluate. This means anonymous memory +execution is subject to whatever the ``DEFAULT`` is for ``EXECUTE``. + +.. WARNING:: + + This also occurs with the ``kernel_load_data`` hook, which is used by signed + and compressed kernel modules. Using signed and compressed kernel modules with + IPE will always result in the ``DEFAULT`` action for ``KMODULE``. + +Securityfs Interface +~~~~~~~~~~~~~~~~~~~~ + +The per-policy securityfs tree is somewhat unique. For example, for +a standard securityfs policy tree:: + + MyPolicy + |- active + |- delete + |- name + |- pkcs7 + |- policy + |- update + |- version + +The policy is stored in the ``->i_private`` data of the MyPolicy inode. + +Tests +----- + +IPE has KUnit Tests, testing primarily the parser. In addition, IPE has a +python based integration test suits that can test both user interfaces and +enforcement functionalities. diff --git a/MAINTAINERS b/MAINTAINERS index fb8d6a16f2a6..a5494fb9e385 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -10283,6 +10283,8 @@ M: Fan Wu L: linux-security-module@vger.kernel.org S: Supported T: git git://github.com/microsoft/ipe.git +F: Documentation/admin-guide/LSM/ipe.rst +F: Documentation/security/ipe.rst F: scripts/ipe/ F: security/ipe/ -- 2.25.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 40DA6EB64D7 for ; Wed, 28 Jun 2023 21:19:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1687987157; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=7nyjN8jQMYN/ODT7xl6cojxCCStRAxd7O7Ahmq5eXhw=; b=JY6TFaanaqjl4yLUx3lU/hWDoVbOZzAB32IIYdlbQA6Zgwdk2AmmRI7FNfbRnhtLCyG9rC 9N6jh/8+UKaJRlww8n/uxte9WjwuCyppCDciYfAqdsWcrNpPBnMBGpLtXo8pUHZyJjc4PJ m0RyTPNmC/rn7qLm0lS/E1asiYoCF9M= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-638-ldNWIX6nMA2KlqiGV5g9BA-1; Wed, 28 Jun 2023 17:19:13 -0400 X-MC-Unique: ldNWIX6nMA2KlqiGV5g9BA-1 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.rdu2.redhat.com [10.11.54.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id AA83B8DBAFF; Wed, 28 Jun 2023 21:18:50 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 97377140EBB8; Wed, 28 Jun 2023 21:18:50 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 29C9F19465B6; Wed, 28 Jun 2023 21:18:50 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 8393F1946589 for ; Wed, 28 Jun 2023 21:18:47 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 58414207B2C6; Wed, 28 Jun 2023 21:18:47 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast04.extmail.prod.ext.rdu2.redhat.com [10.11.55.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 50737207B2C4 for ; Wed, 28 Jun 2023 21:18:47 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-inbound-delivery-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 260FF104459E for ; Wed, 28 Jun 2023 21:18:47 +0000 (UTC) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by relay.mimecast.com with ESMTP id us-mta-592-e5QQcBsLPdyjX6niiV7Rhw-1; Wed, 28 Jun 2023 17:18:43 -0400 X-MC-Unique: e5QQcBsLPdyjX6niiV7Rhw-1 Received: by linux.microsoft.com (Postfix, from userid 1052) id 018FD2083951; Wed, 28 Jun 2023 14:09:48 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 018FD2083951 From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Date: Wed, 28 Jun 2023 14:09:31 -0700 Message-Id: <1687986571-16823-18-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1687986571-16823-1-git-send-email-wufan@linux.microsoft.com> References: <1687986571-16823-1-git-send-email-wufan@linux.microsoft.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 3.1 on 10.11.54.4 Subject: [dm-devel] [RFC PATCH v10 17/17] documentation: add ipe documentation X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dm-devel@redhat.com, linux-doc@vger.kernel.org, Deven Bowers , roberto.sassu@huawei.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, audit@vger.kernel.org, linux-fscrypt@vger.kernel.org, Fan Wu , linux-integrity@vger.kernel.org Errors-To: dm-devel-bounces@redhat.com Sender: "dm-devel" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.7 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: linux.microsoft.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 RnJvbTogRGV2ZW4gQm93ZXJzIDxkZXZlbi5kZXNhaUBsaW51eC5taWNyb3NvZnQuY29tPgoKQWRk IElQRSdzIGFkbWluIGFuZCBkZXZlbG9wZXIgZG9jdW1lbnRhdGlvbiB0byB0aGUga2VybmVsIHRy ZWUuCgpDby1kZXZlbG9wZWQtYnk6IEZhbiBXdSA8d3VmYW5AbGludXgubWljcm9zb2Z0LmNvbT4K U2lnbmVkLW9mZi1ieTogRGV2ZW4gQm93ZXJzIDxkZXZlbi5kZXNhaUBsaW51eC5taWNyb3NvZnQu Y29tPgpTaWduZWQtb2ZmLWJ5OiBGYW4gV3UgPHd1ZmFuQGxpbnV4Lm1pY3Jvc29mdC5jb20+Ci0t LQp2MjoKICArIE5vIENoYW5nZXMKCnYzOgogICsgQWRkIEFja2VkLWJ5CiAgKyBGaXh1cCBjb2Rl IGJsb2NrIHN5bnRheAogICsgRml4IGEgbWlub3IgZ3JhbW1hdGljYWwgaXNzdWUuCgp2NDoKICAr IFVwZGF0ZSBkb2N1bWVudGF0aW9uIHdpdGggdGhlIHJlc3VsdHMgb2Ygb3RoZXIKICAgIGNvZGUg Y2hhbmdlcy4KCnY1OgogICsgTm8gY2hhbmdlcwoKdjY6CiAgKyBObyBjaGFuZ2VzCgp2NzoKICAr IEFkZCBhZGRpdGlvbmFsIGRldmVsb3Blci1sZXZlbCBkb2N1bWVudGF0aW9uCiAgKyBVcGRhdGUg YWRtaW4tZ3VpZGUgZG9jcyB0byByZWZsZWN0IGNoYW5nZXMuCiAgKyBEcm9wIEFja2VkLWJ5IGR1 ZSB0byBzaWduaWZpY2FudCBjaGFuZ2VzCiAgKyBBZGRlZCBzZWN0aW9uIGFib3V0IGF1ZGl0IGV2 ZW50cyBpbiBhZG1pbi1ndWlkZQoKdjg6CiAgKyBDb3JyZWN0IHRlcm1pbm9sb2d5IGZyb20gImF1 ZGl0IGV2ZW50IiB0byAiYXVkaXQgcmVjb3JkIgogICsgQWRkIGFzc29jaWF0ZWQgZG9jdW1lbnRh dGlvbiB3aXRoIHRoZSBjb3JyZWN0ICJhdWRpdCBldmVudCIKICAgIHRlcm1pbm9sb2d5LgogICsg QWRkIHNvbWUgY29udGV4dCB0byB0aGUgaGlzdG9yaWNhbCBtb3RpdmF0aW9uIGZvciBJUEUgYW5k IGRlc2lnbgogICAgcGhpbG9zb3BoeS4KICArIEFkZCBzb21lIGNvbnRlbnQgYWJvdXQgdGhlIHNl Y3VyaXR5ZnMgbGF5b3V0IGluIHRoZSBwb2xpY2llcwogICAgZGlyZWN0b3J5LgogICsgVmFyaW91 cyBzcGVsbGluZyBhbmQgZ3JhbW1hdGljYWwgY29ycmVjdGlvbnMuCgp2OToKICArIENvcnJlY3Qg c3BlbGxpbmcgb2YgInBpdGZhbGxzIgogICsgVXBkYXRlIHRoZSBkb2NzIHcuci50IHRoZSBuZXcg cGFyc2VyIGFuZCBuZXcgYXVkaXQgZm9ybWF0cwoKdjEwOgogICsgUmVmaW5lIHVzZXIgZG9jcyBw ZXIgdXBzdHJlYW0gc3VnZ2V0aW9ucwogICsgVXBkYXRlIGF1ZGl0IGV2ZW50cyBwYXJ0Ci0tLQog RG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9MU00vaW5kZXgucnN0ICAgICAgIHwgICAxICsKIERv Y3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5yc3QgICAgICAgICB8IDc1MiArKysrKysr KysrKysrKysrKysKIC4uLi9hZG1pbi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50eHQgICAgICAg ICB8ICAxMiArCiBEb2N1bWVudGF0aW9uL3NlY3VyaXR5L2luZGV4LnJzdCAgICAgICAgICAgICAg fCAgIDEgKwogRG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pcGUucnN0ICAgICAgICAgICAgICAgIHwg NDIwICsrKysrKysrKysKIE1BSU5UQUlORVJTICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICB8ICAgMiArCiA2IGZpbGVzIGNoYW5nZWQsIDExODggaW5zZXJ0aW9ucygrKQogY3JlYXRl IG1vZGUgMTAwNjQ0IERvY3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5yc3QKIGNyZWF0 ZSBtb2RlIDEwMDY0NCBEb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lwZS5yc3QKCmRpZmYgLS1naXQg YS9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pbmRleC5yc3QgYi9Eb2N1bWVudGF0aW9u L2FkbWluLWd1aWRlL0xTTS9pbmRleC5yc3QKaW5kZXggYTZiYTk1ZmJhYTlmLi5jZTYzYmU2ZDY0 YWQgMTAwNjQ0Ci0tLSBhL0RvY3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2luZGV4LnJzdAor KysgYi9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pbmRleC5yc3QKQEAgLTQ3LDMgKzQ3 LDQgQEAgc3ViZGlyZWN0b3JpZXMuCiAgICB0b21veW8KICAgIFlhbWEKICAgIFNhZmVTZXRJRAor ICAgaXBlCmRpZmYgLS1naXQgYS9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pcGUucnN0 IGIvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9MU00vaXBlLnJzdApuZXcgZmlsZSBtb2RlIDEw MDY0NAppbmRleCAwMDAwMDAwMDAwMDAuLmRhNTlmNzg0MjdmYQotLS0gL2Rldi9udWxsCisrKyBi L0RvY3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5yc3QKQEAgLTAsMCArMSw3NTIgQEAK Ky4uIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBHUEwtMi4wCisKK0ludGVncml0eSBQb2xpY3kg RW5mb3JjZW1lbnQgKElQRSkKKz09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KKwor Li4gTk9URTo6CisKKyAgIFRoaXMgaXMgdGhlIGRvY3VtZW50YXRpb24gZm9yIGFkbWlucywgc3lz dGVtIGJ1aWxkZXJzLCBvciBpbmRpdmlkdWFscworICAgYXR0ZW1wdGluZyB0byB1c2UgSVBFLiBJ ZiB5b3UncmUgbG9va2luZyBmb3IgbW9yZSBkZXZlbG9wZXItZm9jdXNlZAorICAgZG9jdW1lbnRh dGlvbiBhYm91dCBJUEUgcGxlYXNlIHNlZSBgRG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pcGUucnN0 YAorCitPdmVydmlldworLS0tLS0tLS0KKworSVBFIGlzIGEgTGludXggU2VjdXJpdHkgTW9kdWxl IHdoaWNoIHRha2VzIGEgY29tcGxpbWVudGFyeSBhcHByb2FjaCB0bworYWNjZXNzIGNvbnRyb2wu IFdoZXJlYXMgZXhpc3RpbmcgbWFuZGF0b3J5IGFjY2VzcyBjb250cm9sIG1lY2hhbmlzbXMKK2Jh c2UgdGhlaXIgZGVjaXNpb25zIG9uIGxhYmVscyBhbmQgcGF0aHMsIElQRSBpbnN0ZWFkIGRldGVy bWluZXMKK3doZXRoZXIgb3Igbm90IGFuIG9wZXJhdGlvbiBzaG91bGQgYmUgYWxsb3dlZCBiYXNl ZCBvbiBpbW11dGFibGUKK3NlY3VyaXR5IHByb3BlcnRpZXMgb2YgdGhlIHN5c3RlbSBjb21wb25l bnQgdGhlIG9wZXJhdGlvbiBpcyBiZWluZworcGVyZm9ybWVkIG9uLgorCitJUEUgaXRzZWxmIGRv ZXMgbm90IG1hbmRhdGUgaG93IHRoZSBzZWN1cml0eSBwcm9wZXJ0eSBzaG91bGQgYmUKK2V2YWx1 YXRlZCwgYnV0IHJlbGllcyBvbiBhbiBleHRlbnNpYmxlIHNldCBvZiBleHRlcm5hbCBwcm9wZXJ0 eSBwcm92aWRlcnMKK3RvIGV2YWx1YXRlIHRoZSBjb21wb25lbnQuIElQRSBtYWtlcyBpdHMgZGVj aXNpb24gYmFzZWQgb24gcmVmZXJlbmNlCit2YWx1ZXMgZm9yIHRoZSBzZWxlY3RlZCBwcm9wZXJ0 aWVzLCBzcGVjaWZpZWQgaW4gdGhlIElQRSBwb2xpY3kuCisKK1RoZSByZWZlcmVuY2UgdmFsdWVz IHJlcHJlc2VudCB0aGUgdmFsdWUgdGhhdCB0aGUgcG9saWN5IHdyaXRlciBhbmQgdGhlCitsb2Nh bCBzeXN0ZW0gYWRtaW5pc3RyYXRvciAoYmFzZWQgb24gdGhlIHBvbGljeSBzaWduYXR1cmUpIHRy dXN0IGZvciB0aGUKK3N5c3RlbSB0byBhY2NvbXBsaXNoIHRoZSBkZXNpcmVkIHRhc2tzLgorCitP bmUgc3VjaCBwcm92aWRlciBpcyBmb3IgZXhhbXBsZSBkbS12ZXJpdHksIHdoaWNoIGlzIGFibGUg dG8gcmVwcmVzZW50Cit0aGUgaW50ZWdyaXR5IHByb3BlcnR5IG9mIGEgcGFydGl0aW9uIChpdHMg aW1tdXRhYmxlIHN0YXRlKSB3aXRoIGEgZGlnZXN0LgorCitUbyBlbmFibGUgSVBFLCBlbnN1cmUg dGhhdCBgYENPTkZJR19TRUNVUklUWV9JUEVgYCAodW5kZXIKKzptZW51c2VsZWN0aW9uOmBTZWN1 cml0eSAtPiBJbnRlZ3JpdHkgUG9saWN5IEVuZm9yY2VtZW50IChJUEUpYCkgY29uZmlnCitvcHRp b24gaXMgZW5hYmxlZC4KKworVXNlIENhc2VzCistLS0tLS0tLS0KKworSVBFIHdvcmtzIGJlc3Qg aW4gZml4ZWQtZnVuY3Rpb24gZGV2aWNlczogZGV2aWNlcyBpbiB3aGljaCB0aGVpciBwdXJwb3Nl CitpcyBjbGVhcmx5IGRlZmluZWQgYW5kIG5vdCBzdXBwb3NlZCB0byBiZSBjaGFuZ2VkIChlLmcu IG5ldHdvcmsgZmlyZXdhbGwKK2RldmljZSBpbiBhIGRhdGEgY2VudGVyLCBhbiBJb1QgZGV2aWNl LCBldGNldGVyYSksIHdoZXJlIGFsbCBzb2Z0d2FyZSBhbmQKK2NvbmZpZ3VyYXRpb24gaXMgYnVp bHQgYW5kIHByb3Zpc2lvbmVkIGJ5IHRoZSBzeXN0ZW0gb3duZXIuCisKK0lQRSBpcyBhIGxvbmct d2F5IG9mZiBmb3IgdXNlIGluIGdlbmVyYWwtcHVycG9zZSBjb21wdXRpbmc6IHRoZSBMaW51eAor Y29tbXVuaXR5IGFzIGEgd2hvbGUgdGVuZHMgdG8gZm9sbG93IGEgZGVjZW50cmFsaXplZCB0cnVz dCBtb2RlbCAoa25vd24gYXMKK3RoZSB3ZWIgb2YgdHJ1c3QpLCB3aGljaCBJUEUgaGFzIG5vIHN1 cHBvcnQgZm9yIGl0IHlldC4gSW5zdGVhZCwgSVBFCitzdXBwb3J0cyBQS0kgKHB1YmxpYyBrZXkg aW5mcmFzdHJ1Y3R1cmUpLCB3aGljaCBnZW5lcmFsbHkgZGVzaWduYXRlcyBhCitzZXQgb2YgdHJ1 c3RlZCBlbnRpdGllcyB0aGF0IHByb3ZpZGUgYSBtZWFzdXJlIG9mIGFic29sdXRlIHRydXN0Lgor CitBZGRpdGlvbmFsbHksIHdoaWxlIG1vc3QgcGFja2FnZXMgYXJlIHNpZ25lZCB0b2RheSwgdGhl IGZpbGVzIGluc2lkZQordGhlIHBhY2thZ2VzIChmb3IgaW5zdGFuY2UsIHRoZSBleGVjdXRhYmxl cyksIHRlbmQgdG8gYmUgdW5zaWduZWQuIFRoaXMKK21ha2VzIGl0IGRpZmZpY3VsdCB0byB1dGls aXplIElQRSBpbiBzeXN0ZW1zIHdoZXJlIGEgcGFja2FnZSBtYW5hZ2VyIGlzCitleHBlY3RlZCB0 byBiZSBmdW5jdGlvbmFsLCB3aXRob3V0IG1ham9yIGNoYW5nZXMgdG8gdGhlIHBhY2thZ2UgbWFu YWdlcgorYW5kIGVjb3N5c3RlbSBiZWhpbmQgaXQuCisKK0RJR0xJTSBbI2RpZ2xpbV1fIGlzIGEg c3lzdGVtIHRoYXQgd2hlbiBjb21iaW5lZCB3aXRoIElQRSwgY291bGQgYmUgdXNlZCB0bworZW5h YmxlIGFuZCBzdXBwb3J0IGdlbmVyYWwtcHVycG9zZSBjb21wdXRpbmcgdXNlIGNhc2VzLgorCitL bm93biBMaW1pdGF0aW9ucworLS0tLS0tLS0tLS0tLS0tLS0KKworSVBFIGNhbm5vdCB2ZXJpZnkg dGhlIGludGVncml0eSBvZiBhbm9ueW1vdXMgZXhlY3V0YWJsZSBtZW1vcnksIHN1Y2ggYXMKK3Ro ZSB0cmFtcG9saW5lcyBjcmVhdGVkIGJ5IGdjYyBjbG9zdXJlcyBhbmQgbGliZmZpICg8My40LjIp LCBvciBKSVQnZCBjb2RlLgorVW5mb3J0dW5hdGVseSwgYXMgdGhpcyBpcyBkeW5hbWljYWxseSBn ZW5lcmF0ZWQgY29kZSwgdGhlcmUgaXMgbm8gd2F5Citmb3IgSVBFIHRvIGVuc3VyZSB0aGUgaW50 ZWdyaXR5IG9mIHRoaXMgY29kZSB0byBmb3JtIGEgdHJ1c3QgYmFzaXMuIEluIGFsbAorY2FzZXMs IHRoZSByZXR1cm4gcmVzdWx0IGZvciB0aGVzZSBvcGVyYXRpb25zIHdpbGwgYmUgd2hhdGV2ZXIg dGhlIGFkbWluCitjb25maWd1cmVzIGFzIHRoZSBgYERFRkFVTFRgYCBhY3Rpb24gZm9yIGBgRVhF Q1VURWBgLgorCitJUEUgY2Fubm90IHZlcmlmeSB0aGUgaW50ZWdyaXR5IG9mIHByb2dyYW1zIHdy aXR0ZW4gaW4gaW50ZXJwcmV0ZWQKK2xhbmd1YWdlcyB3aGVuIHRoZXNlIHNjcmlwdHMgYXJlIGlu dm9rZWQgYnkgcGFzc2luZyB0aGVzZSBwcm9ncmFtIGZpbGVzCit0byB0aGUgaW50ZXJwcmV0ZXIu IFRoaXMgaXMgYmVjYXVzZSB0aGUgd2F5IGludGVycHJldGVycyBleGVjdXRlIHRoZXNlCitmaWxl czsgdGhlIHNjcmlwdHMgdGhlbXNlbHZlcyBhcmUgbm90IGV2YWx1YXRlZCBhcyBleGVjdXRhYmxl IGNvZGUKK3Rocm91Z2ggb25lIG9mIElQRSdzIGhvb2tzLCBidXQgdGhleSBhcmUgbWVyZWx5IHRl eHQgZmlsZXMgdGhhdCBhcmUgcmVhZAorKGFzIG9wcG9zZWQgdG8gY29tcGlsZWQgZXhlY3V0YWJs ZXMpIFsjaW50ZXJwcmV0ZXJzXV8uCisKK1RocmVhdCBNb2RlbAorLS0tLS0tLS0tLS0tCisKK1Ro ZSB0aHJlYXQgdHlwZSBhZGRyZXNzZWQgYnkgSVBFIGlzIHRhbXBlcmluZyBvZiBleGVjdXRhYmxl IHVzZXJzcGFjZQorY29kZSBiZXlvbmQgdGhlIGluaXRpYWxseSBib290ZWQga2VybmVsLCBhbmQg dGhlIGluaXRpYWwgdmVyaWZpY2F0aW9uIG9mCitrZXJuZWwgbW9kdWxlcyB0aGF0IGFyZSBsb2Fk ZWQgaW4gdXNlcnNwYWNlIHRocm91Z2ggYGBtb2Rwcm9iZWBgIG9yCitgYGluc21vZGBgLgorCitB IGJhcmUtbWluaW11bSBleGFtcGxlIG9mIGEgdGhyZWF0IHRoYXQgc2hvdWxkIGJlIG1pdGlnYXRl ZCBieSBJUEUsIGlzCithbiB1bnRydXN0ZWQgKHBvdGVudGlhbGx5IG1hbGljaW91cykgYmluYXJ5 IHRoYXQgaXMgZG93bmxvYWRlZCBhbmQKK2J1bmRsZWQgd2l0aCBhbGwgcmVxdWlyZWQgZGVwZW5k ZW5jaWVzIChpbmNsdWRpbmcgYSBsb2FkZXIsIGxpYmMsIGV0YykuCitXaXRoIElQRSwgdGhpcyBi aW5hcnkgc2hvdWxkIG5vdCBiZSBhbGxvd2VkIHRvIGJlIGV4ZWN1dGVkLCBub3QgZXZlbiBhbnkK K29mIGl0cyBkZXBlbmRlbmNpZXMuCisKK1RhbXBlcmluZyB2aW9sYXRlcyBpbnRlZ3JpdHksIHll dCBsYWNrIG9mIHRydXN0IGlzIGNhdXNlZCBieSBiZWluZwordW5hYmxlIHRvIGRldGVjdCB0YW1w ZXJpbmcgKGFuZCBieSBleHRlbnQgdmVyaWZ5aW5nIHRoZSBpbnRlZ3JpdHkpLgorSVBFJ3Mgcm9s ZSBpbiBtaXRpZ2F0aW5nIHRoaXMgdGhyZWF0IGlzIHRvIHZlcmlmeSB0aGUgaW50ZWdyaXR5IChh bmQKK2F1dGhlbnRpY2l0eSkgb2YgYWxsIGV4ZWN1dGFibGUgY29kZSBhbmQgdG8gZGVueSB0aGVp ciB1c2UgaWYgdGhleQorY2Fubm90IGJlIHRydXN0ZWQgKGFzIGludGVncml0eSB2ZXJpZmljYXRp b24gZmFpbHMsIG9yIHRoZSBhdXRob3JpemF0aW9uCitjaGVjayBmYWlscyBhZ2FpbnN0IHRoZSBy ZWZlcmVuY2UgdmFsdWUgaW4gdGhlIHBvbGljeSkuIElQRSBnZW5lcmF0ZXMKK2F1ZGl0IGxvZ3Mg d2hpY2ggbWF5IGJlIHV0aWxpemVkIHRvIGRldGVjdCBhbmQgYW5hbHl6ZSBmYWlsdXJlcworcmVz dWx0aW5nIGZyb20gcG9saWN5IHZpb2xhdGlvbi4KKworVGFtcGVyaW5nIHRocmVhdCBzY2VuYXJp b3MgaW5jbHVkZSBtb2RpZmljYXRpb24gb3IgcmVwbGFjZW1lbnQgb2YKK2V4ZWN1dGFibGUgY29k ZSBieSBhIHJhbmdlIG9mIGFjdG9ycyBpbmNsdWRpbmc6CisKKy0gIEFjdG9ycyB3aXRoIHBoeXNp Y2FsIGFjY2VzcyB0byB0aGUgaGFyZHdhcmUKKy0gIEFjdG9ycyB3aXRoIGxvY2FsIG5ldHdvcmsg YWNjZXNzIHRvIHRoZSBzeXN0ZW0KKy0gIEFjdG9ycyB3aXRoIGFjY2VzcyB0byB0aGUgZGVwbG95 bWVudCBzeXN0ZW0KKy0gIENvbXByb21pc2VkIGludGVybmFsIHN5c3RlbXMgdW5kZXIgZXh0ZXJu YWwgY29udHJvbAorLSAgTWFsaWNpb3VzIGVuZCB1c2VycyBvZiB0aGUgc3lzdGVtCistICBDb21w cm9taXNlZCBlbmQgdXNlcnMgb2YgdGhlIHN5c3RlbQorLSAgUmVtb3RlIChleHRlcm5hbCkgY29t cHJvbWlzZSBvZiB0aGUgc3lzdGVtCisKK0lQRSBkb2VzIG5vdCBtaXRpZ2F0ZSB0aHJlYXRzIGFy aXNpbmcgZnJvbSBtYWxpY2lvdXMgYnV0IGF1dGhvcml6ZWQKK2RldmVsb3BlcnMgKHdpdGggYWNj ZXNzIHRvIGEgc2lnbmluZyBjZXJ0aWZpY2F0ZSksIG9yIGNvbXByb21pc2VkCitkZXZlbG9wZXIg dG9vbHMgdXNlZCBieSB0aGVtIChpLmUuIHJldHVybi1vcmllbnRlZCBwcm9ncmFtbWluZyBhdHRh Y2tzKS4KK0FkZGl0aW9uYWxseSwgSVBFIGRyYXdzIGhhcmQgc2VjdXJpdHkgYm91bmRhcnkgYmV0 d2VlbiB1c2Vyc3BhY2UgYW5kCitrZXJuZWxzcGFjZS4gQXMgYSByZXN1bHQsIElQRSBkb2VzIG5v dCBwcm92aWRlIGFueSBwcm90ZWN0aW9ucyBhZ2FpbnN0IGEKK2tlcm5lbCBsZXZlbCBleHBsb2l0 LCBhbmQgYSBrZXJuZWwtbGV2ZWwgZXhwbG9pdCBjYW4gZGlzYWJsZSBvciB0YW1wZXIKK3dpdGgg SVBFJ3MgcHJvdGVjdGlvbnMuCisKK1BvbGljeQorLS0tLS0tCisKK0lQRSBwb2xpY3kgaXMgYSBw bGFpbi10ZXh0IFsjZGV2ZG9jXV8gcG9saWN5IGNvbXBvc2VkIG9mIG11bHRpcGxlIHN0YXRlbWVu dHMKK292ZXIgc2V2ZXJhbCBsaW5lcy4gVGhlcmUgaXMgb25lIHJlcXVpcmVkIGxpbmUsIGF0IHRo ZSB0b3Agb2YgdGhlCitwb2xpY3ksIGluZGljYXRpbmcgdGhlIHBvbGljeSBuYW1lLCBhbmQgdGhl IHBvbGljeSB2ZXJzaW9uLCBmb3IKK2luc3RhbmNlOjoKKworICAgcG9saWN5X25hbWU9RXhfUG9s aWN5IHBvbGljeV92ZXJzaW9uPTAuMC4wCisKK1RoZSBwb2xpY3kgbmFtZSBpcyBhIHVuaXF1ZSBr ZXkgaWRlbnRpZnlpbmcgdGhpcyBwb2xpY3kgaW4gYSBodW1hbgorcmVhZGFibGUgbmFtZS4gVGhp cyBpcyB1c2VkIHRvIGNyZWF0ZSBub2RlcyB1bmRlciBzZWN1cml0eWZzIGFzIHdlbGwgYXMKK3Vu aXF1ZWx5IGlkZW50aWZ5IHBvbGljaWVzIHRvIGRlcGxveSBuZXcgcG9saWNpZXMgdnMgdXBkYXRl IGV4aXN0aW5nCitwb2xpY2llcy4KKworVGhlIHBvbGljeSB2ZXJzaW9uIGluZGljYXRlcyB0aGUg Y3VycmVudCB2ZXJzaW9uIG9mIHRoZSBwb2xpY3kgKE5PVCB0aGUKK3BvbGljeSBzeW50YXggdmVy c2lvbikuIFRoaXMgaXMgdXNlZCB0byBwcmV2ZW50IHJvbGxiYWNrIG9mIHBvbGljeSB0bworcG90 ZW50aWFsbHkgaW5zZWN1cmUgcHJldmlvdXMgdmVyc2lvbnMgb2YgdGhlIHBvbGljeS4KKworVGhl IG5leHQgcG9ydGlvbiBvZiBJUEUgcG9saWN5IGFyZSBydWxlcy4gUnVsZXMgYXJlIGZvcm1lZCBi eSBrZXk9dmFsdWUKK3BhaXJzLCBrbm93biBhcyBwcm9wZXJ0aWVzLiBJUEUgcnVsZXMgcmVxdWly ZSB0d28gcHJvcGVydGllczogYGBhY3Rpb25gYCwKK3doaWNoIGRldGVybWluZXMgd2hhdCBJUEUg ZG9lcyB3aGVuIGl0IGVuY291bnRlcnMgYSBtYXRjaCBhZ2FpbnN0IHRoZQorcnVsZSwgYW5kIGBg b3BgYCwgd2hpY2ggZGV0ZXJtaW5lcyB3aGVuIHRoZSBydWxlIHNob3VsZCBiZSBldmFsdWF0ZWQu CitUaGUgb3JkZXJpbmcgaXMgc2lnbmlmaWNhbnQsIGEgcnVsZSBtdXN0IHN0YXJ0IHdpdGggYGBv cGBgLCBhbmQgZW5kIHdpdGgKK2BgYWN0aW9uYGAuIFRodXMsIGEgbWluaW1hbCBydWxlIGlzOjoK KworICAgb3A9RVhFQ1VURSBhY3Rpb249QUxMT1cKKworVGhpcyBleGFtcGxlIHdpbGwgYWxsb3cg YW55IGV4ZWN1dGlvbi4gQWRkaXRpb25hbCBwcm9wZXJ0aWVzIGFyZSB1c2VkIHRvCityZXN0cmlj dCBhdHRyaWJ1dGVzIGFib3V0IHRoZSBmaWxlcyBiZWluZyBldmFsdWF0ZWQuIFRoZXNlIHByb3Bl cnRpZXMKK2FyZSBpbnRlbmRlZCB0byBiZSBkZXNjcmlwdGlvbnMgb2Ygc3lzdGVtcyB3aXRoaW4g dGhlIGtlcm5lbCB0aGF0IGNhbgorcHJvdmlkZSBhIG1lYXN1cmUgb2YgaW50ZWdyaXR5IHZlcmlm aWNhdGlvbiwgc3VjaCB0aGF0IElQRSBjYW4gZGV0ZXJtaW5lCit0aGUgdHJ1c3Qgb2YgdGhlIHJl c291cmNlIGJhc2VkIG9uIHRoZSB2YWx1ZSBvZiB0aGUgcHJvcGVydHkuCisKK1J1bGVzIGFyZSBl dmFsdWF0ZWQgdG9wLXRvLWJvdHRvbS4gQXMgYSByZXN1bHQsIGFueSByZXZvY2F0aW9uIHJ1bGVz LAorb3IgZGVuaWVzIHNob3VsZCBiZSBwbGFjZWQgZWFybHkgaW4gdGhlIGZpbGUgdG8gZW5zdXJl IHRoYXQgdGhlc2UgcnVsZXMKK2FyZSBldmFsdWF0ZWQgYmVmb3JlIGEgcnVsZSB3aXRoIGBgYWN0 aW9uPUFMTE9XYGAuCisKK0lQRSBwb2xpY3kgc3VwcG9ydHMgY29tbWVudHMuIFRoZSBjaGFyYWN0 ZXIgJyMnIHdpbGwgZnVuY3Rpb24gYXMgYQorY29tbWVudCwgaWdub3JpbmcgYWxsIGNoYXJhY3Rl cnMgdG8gdGhlIHJpZ2h0IG9mICcjJyB1bnRpbCB0aGUgbmV3bGluZS4KKworVGhlIGRlZmF1bHQg YmVoYXZpb3Igb2YgSVBFIGV2YWx1YXRpb25zIGNhbiBhbHNvIGJlIGV4cHJlc3NlZCBpbiBwb2xp Y3ksCit0aHJvdWdoIHRoZSBgYERFRkFVTFRgYCBzdGF0ZW1lbnQuIFRoaXMgY2FuIGJlIGRvbmUg YXQgYSBnbG9iYWwgbGV2ZWwsCitvciBhIHBlci1vcGVyYXRpb24gbGV2ZWw6OgorCisgICAjIEds b2JhbAorICAgREVGQVVMVCBhY3Rpb249QUxMT1cKKworICAgIyBPcGVyYXRpb24gU3BlY2lmaWMK KyAgIERFRkFVTFQgb3A9RVhFQ1VURSBhY3Rpb249QUxMT1cKKworQSBkZWZhdWx0IG11c3QgYmUg c2V0IGZvciBhbGwga25vd24gb3BlcmF0aW9ucyBpbiBJUEUuIElmIHlvdSB3YW50IHRvCitwcmVz ZXJ2ZSBvbGRlciBwb2xpY2llcyBiZWluZyBjb21wYXRpYmxlIHdpdGggbmV3ZXIga2VybmVscyB0 aGF0IGNhbiBpbnRyb2R1Y2UKK25ldyBvcGVyYXRpb25zLCBzZXQgYSBnbG9iYWwgZGVmYXVsdCBv ZiBgYEFMTE9XYGAsIHRoZW4gb3ZlcnJpZGUgdGhlCitkZWZhdWx0cyBvbiBhIHBlci1vcGVyYXRp b24gYmFzaXMgKGFzIGFib3ZlKS4KKworV2l0aCBjb25maWd1cmFibGUgcG9saWN5LWJhc2VkIExT TXMsIHRoZXJlJ3Mgc2V2ZXJhbCBpc3N1ZXMgd2l0aAorZW5mb3JjaW5nIHRoZSBjb25maWd1cmFi bGUgcG9saWNpZXMgYXQgc3RhcnR1cCwgYXJvdW5kIHJlYWRpbmcgYW5kCitwYXJzaW5nIHRoZSBw b2xpY3k6CisKKzEuIFRoZSBrZXJuZWwgKnNob3VsZCogbm90IHJlYWQgZmlsZXMgZnJvbSB1c2Vy c3BhY2UsIHNvIGRpcmVjdGx5IHJlYWRpbmcKKyAgIHRoZSBwb2xpY3kgZmlsZSBpcyBwcm9oaWJp dGVkLgorMi4gVGhlIGtlcm5lbCBjb21tYW5kIGxpbmUgaGFzIGEgY2hhcmFjdGVyIGxpbWl0LCBh bmQgb25lIGtlcm5lbCBtb2R1bGUKKyAgIHNob3VsZCBub3QgcmVzZXJ2ZSB0aGUgZW50aXJlIGNo YXJhY3RlciBsaW1pdCBmb3IgaXRzIG93bgorICAgY29uZmlndXJhdGlvbi4KKzMuIFRoZXJlIGFy ZSB2YXJpb3VzIGJvb3QgbG9hZGVycyBpbiB0aGUga2VybmVsIGVjb3N5c3RlbSwgc28gaGFuZGlu ZworICAgb2ZmIGEgbWVtb3J5IGJsb2NrIHdvdWxkIGJlIGNvc3RseSB0byBtYWludGFpbi4KKwor QXMgYSByZXN1bHQsIElQRSBoYXMgYWRkcmVzc2VkIHRoaXMgcHJvYmxlbSB0aHJvdWdoIGEgY29u Y2VwdCBvZiBhICJib290Citwb2xpY3kiLiBBIGJvb3QgcG9saWN5IGlzIGEgbWluaW1hbCBwb2xp Y3kgd2hpY2ggaXMgY29tcGlsZWQgaW50byB0aGUKK2tlcm5lbC4gVGhpcyBwb2xpY3kgaXMgaW50 ZW5kZWQgdG8gZ2V0IHRoZSBzeXN0ZW0gdG8gYSBzdGF0ZSB3aGVyZQordXNlcnNwYWNlIGlzIHNl dCB1cCBhbmQgcmVhZHkgdG8gcmVjZWl2ZSBjb21tYW5kcywgYXQgd2hpY2ggcG9pbnQgYSBtb3Jl Citjb21wbGV4IHBvbGljeSBjYW4gYmUgZGVwbG95ZWQgdmlhIHNlY3VyaXR5ZnMuIFRoZSBib290 IHBvbGljeSBjYW4gYmUKK3NwZWNpZmllZCB2aWEgYGBTRUNVUklUWV9JUEVfQk9PVF9QT0xJQ1lg YCBjb25maWcgb3B0aW9uLCB3aGljaCBhY2NlcHRzCithIHBhdGggdG8gYSBwbGFpbi10ZXh0IHZl cnNpb24gb2YgdGhlIElQRSBwb2xpY3kgdG8gYXBwbHkuIFRoaXMgcG9saWN5Cit3aWxsIGJlIGNv bXBpbGVkIGludG8gdGhlIGtlcm5lbC4gSWYgbm90IHNwZWNpZmllZCwgSVBFIHdpbGwgYmUgZGlz YWJsZWQKK3VudGlsIGEgcG9saWN5IGlzIGRlcGxveWVkIGFuZCBhY3RpdmF0ZWQgdGhyb3VnaCBz ZWN1cml0eWZzLgorCitEZXBsb3lpbmcgUG9saWNpZXMKK35+fn5+fn5+fn5+fn5+fn5+fgorCitQ b2xpY2llcyBjYW4gYmUgZGVwbG95ZWQgZnJvbSB1c2Vyc3BhY2UgdGhyb3VnaCBzZWN1cml0eWZz LiBUaGVzZSBwb2xpY2llcworYXJlIHNpZ25lZCB0aHJvdWdoIHRoZSBQS0NTIzcgbWVzc2FnZSBm b3JtYXQgdG8gZW5mb3JjZSBzb21lIGxldmVsIG9mCithdXRob3JpemF0aW9uIG9mIHRoZSBwb2xp Y2llcyAocHJvaGliaXRpbmcgYW4gYXR0YWNrZXIgZnJvbSBnYWluaW5nCit1bmNvbnN0cmFpbmVk IHJvb3QsIGFuZCBkZXBsb3lpbmcgYW4gImFsbG93IGFsbCIgcG9saWN5KS4gVGhlc2UKK3BvbGlj aWVzIG11c3QgYmUgc2lnbmVkIGJ5IGEgY2VydGlmaWNhdGUgdGhhdCBjaGFpbnMgdG8gdGhlCitg YFNZU1RFTV9UUlVTVEVEX0tFWVJJTkdgYC4gV2l0aCBvcGVuc3NsLCB0aGUgcG9saWN5IGNhbiBi ZSBzaWduZWQgYnk6OgorCisgICBvcGVuc3NsIHNtaW1lIC1zaWduIFwKKyAgICAgIC1pbiAiJE1Z X1BPTElDWSIgXAorICAgICAgLXNpZ25lciAiJE1ZX0NFUlRJRklDQVRFIiBcCisgICAgICAtaW5r ZXkgIiRNWV9QUklWQVRFX0tFWSIgXAorICAgICAgLW5vYXR0ciBcCisgICAgICAtbm9kZXRhY2gg XAorICAgICAgLW5vc21pbWVjYXAgXAorICAgICAgLW91dGZvcm0gZGVyIFwKKyAgICAgIC1vdXQg IiRNWV9QT0xJQ1kucDdiIgorCitEZXBsb3lpbmcgdGhlIHBvbGljaWVzIGlzIGRvbmUgdGhyb3Vn aCBzZWN1cml0eWZzLCB0aHJvdWdoIHRoZQorYGBuZXdfcG9saWN5YGAgbm9kZS4gVG8gZGVwbG95 IGEgcG9saWN5LCBzaW1wbHkgY2F0IHRoZSBmaWxlIGludG8gdGhlCitzZWN1cml0eWZzIG5vZGU6 OgorCisgICBjYXQgIiRNWV9QT0xJQ1kucDdiIiA+IC9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS9u ZXdfcG9saWN5CisKK1Vwb24gc3VjY2VzcywgdGhpcyB3aWxsIGNyZWF0ZSBvbmUgc3ViZGlyZWN0 b3J5IHVuZGVyCitgYC9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS9wb2xpY2llcy9gYC4gVGhlIHN1 YmRpcmVjdG9yeSB3aWxsIGJlIHRoZQorYGBwb2xpY3lfbmFtZWBgIGZpZWxkIG9mIHRoZSBwb2xp Y3kgZGVwbG95ZWQsIHNvIGZvciB0aGUgZXhhbXBsZSBhYm92ZSwKK3RoZSBkaXJlY3Rvcnkgd2ls bCBiZSBgYC9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS9wb2xpY2llcy9FeF9Qb2xpY3lgYC4KK1dp dGhpbiB0aGlzIGRpcmVjdG9yeSwgdGhlcmUgd2lsbCBiZSBmaXZlIGZpbGVzOiBgYHBrY3M3YGAs IGBgcG9saWN5YGAsCitgYGFjdGl2ZWBgLCBgYHVwZGF0ZWBgLCBhbmQgYGBkZWxldGVgYC4KKwor VGhlIGBgcGtjczdgYCBmaWxlIGlzIHJlYWQtb25seS4gUmVhZGluZyBpdCByZXR1cm5zIHRoZSBy YXcgUEtDUyM3IGRhdGEKK3RoYXQgd2FzIHByb3ZpZGVkIHRvIHRoZSBrZXJuZWwsIHJlcHJlc2Vu dGluZyB0aGUgcG9saWN5LiBJZiB0aGUgcG9saWN5IGJlaW5nCityZWFkIGlzIHRoZSBib290IHBv bGljeSwgdGhpcyB3aWxsIHJldHVybiBgYEVOT0VOVGBgLCBhcyBpdCBpcyBub3Qgc2lnbmVkLgor CitUaGUgYGBwb2xpY3lgYCBmaWxlIGlzIHJlYWQgb25seS4gUmVhZGluZyBpdCByZXR1cm5zIHRo ZSBQS0NTIzcgaW5uZXIKK2NvbnRlbnQgb2YgdGhlIHBvbGljeSwgd2hpY2ggd2lsbCBiZSB0aGUg cGxhaW4gdGV4dCBwb2xpY3kuCisKK1RoZSBgYGFjdGl2ZWBgIGZpbGUgaXMgdXNlZCB0byBzZXQg YSBwb2xpY3kgYXMgdGhlIGN1cnJlbnRseSBhY3RpdmUgcG9saWN5LgorVGhpcyBmaWxlIGlzIHJ3 LCBhbmQgYWNjZXB0cyBhIHZhbHVlIG9mIGBgIjEiYGAgdG8gc2V0IHRoZSBwb2xpY3kgYXMgYWN0 aXZlLgorU2luY2Ugb25seSBhIHNpbmdsZSBwb2xpY3kgY2FuIGJlIGFjdGl2ZSBhdCBvbmUgdGlt ZSwgYWxsIG90aGVyIHBvbGljaWVzCit3aWxsIGJlIG1hcmtlZCBpbmFjdGl2ZS4gVGhlIHBvbGlj eSBiZWluZyBtYXJrZWQgYWN0aXZlIG11c3QgaGF2ZSBhIHBvbGljeQordmVyc2lvbiBncmVhdGVy IG9yIGVxdWFsIHRvIHRoZSBjdXJyZW50bHktcnVubmluZyB2ZXJzaW9uLgorCitUaGUgYGB1cGRh dGVgYCBmaWxlIGlzIHVzZWQgdG8gdXBkYXRlIGEgcG9saWN5IHRoYXQgaXMgYWxyZWFkeSBwcmVz ZW50CitpbiB0aGUga2VybmVsLiBUaGlzIGZpbGUgaXMgd3JpdGUtb25seSBhbmQgYWNjZXB0cyBh IFBLQ1MjNyBzaWduZWQKK3BvbGljeS4gVHdvIGNoZWNrcyB3aWxsIGFsd2F5cyBiZSBwZXJmb3Jt ZWQgb24gdGhpcyBwb2xpY3k6IEZpcnN0LCB0aGUKK2BgcG9saWN5X25hbWVzYGAgbXVzdCBtYXRj aCB3aXRoIHRoZSB1cGRhdGVkIHZlcnNpb24gYW5kIHRoZSBleGlzdGluZwordmVyc2lvbi4gU2Vj b25kIHRoZSB1cGRhdGVkIHBvbGljeSBtdXN0IGhhdmUgYSBwb2xpY3kgdmVyc2lvbiBncmVhdGVy IHRoYW4KK29yIGVxdWFsIHRvIHRoZSBjdXJyZW50bHktcnVubmluZyB2ZXJzaW9uLiBUaGlzIGlz IHRvIHByZXZlbnQgcm9sbGJhY2sgYXR0YWNrcy4KKworVGhlIGBgZGVsZXRlYGAgZmlsZSBpcyB1 c2VkIHRvIHJlbW92ZSBhIHBvbGljeSB0aGF0IGlzIG5vIGxvbmdlciBuZWVkZWQuCitUaGlzIGZp bGUgaXMgd3JpdGUtb25seSBhbmQgYWNjZXB0cyBhIHZhbHVlIG9mIGBgMWBgIHRvIGRlbGV0ZSB0 aGUgcG9saWN5LgorT24gZGVsZXRpb24sIHRoZSBzZWN1cml0eWZzIG5vZGUgcmVwcmVzZW50aW5n IHRoZSBwb2xpY3kgd2lsbCBiZSByZW1vdmVkLgorSG93ZXZlciwgZGVsZXRlIHRoZSBjdXJyZW50 IGFjdGl2ZSBwb2xpY3kgaXMgbm90IGFsbG93ZWQgYW5kIHdpbGwgcmV0dXJuCithbiBvcGVyYXRp b24gbm90IHBlcm1pdHRlZCBlcnJvci4KKworU2ltaWxhcmx5LCB3cml0aW5nIHRvIGJvdGggYGB1 cGRhdGVgYCBhbmQgYGBuZXdfcG9saWN5YGAgY291bGQgcmVzdWx0IGluCitiYWQgbWVzc2FnZShw b2xpY3kgc3ludGF4IGVycm9yKSBvciBmaWxlIGV4aXN0cyBlcnJvci4gVGhlIGxhdHRlciBlcnJv ciBoYXBwZW5zCit3aGVuIHRyeWluZyB0byBkZXBsb3kgYSBwb2xpY3kgd2l0aCBhIGBgcG9saWN5 X25hbWVgYCB3aGlsZSB0aGUga2VybmVsIGFscmVhZHkKK2hhcyBhIGRlcGxveWVkIHBvbGljeSB3 aXRoIHRoZSBzYW1lIGBgcG9saWN5X25hbWVgYC4KKworRGVwbG95aW5nIGEgcG9saWN5IHdpbGwg Km5vdCogY2F1c2UgSVBFIHRvIHN0YXJ0IGVuZm9yY2luZyB0aGUgcG9saWN5LiBJUEUgd2lsbAor b25seSBlbmZvcmNlIHRoZSBwb2xpY3kgbWFya2VkIGFjdGl2ZS4gTm90ZSB0aGF0IG9ubHkgb25l IHBvbGljeSBjYW4gYmUgYWN0aXZlCithdCBhIHRpbWUuCisKK09uY2UgZGVwbG95bWVudCBpcyBz dWNjZXNzZnVsLCB0aGUgcG9saWN5IGNhbiBiZSBhY3RpdmF0ZWQsIGJ5IHdyaXRpbmcgZmlsZQor YGAvc3lzL2tlcm5lbC9zZWN1cml0eS9pcGUvJHBvbGljeV9uYW1lL2FjdGl2ZWBgLgorRm9yIGV4 YW1wbGUsIHRoZSBgYEV4X1BvbGljeWBgIGNhbiBiZSBhY3RpdmF0ZWQgYnk6OgorCisgICBlY2hv IDEgPiAiL3N5cy9rZXJuZWwvc2VjdXJpdHkvaXBlL0V4X1BvbGljeS9hY3RpdmUiCisKK0Zyb20g YWJvdmUgcG9pbnQgb24sIGBgRXhfUG9saWN5YGAgaXMgbm93IHRoZSBlbmZvcmNlZCBwb2xpY3kg b24gdGhlCitzeXN0ZW0uCisKK0lQRSBhbHNvIHByb3ZpZGVzIGEgd2F5IHRvIGRlbGV0ZSBwb2xp Y2llcy4gVGhpcyBjYW4gYmUgZG9uZSB2aWEgdGhlCitgYGRlbGV0ZWBgIHNlY3VyaXR5ZnMgbm9k ZSwgYGAvc3lzL2tlcm5lbC9zZWN1cml0eS9pcGUvJHBvbGljeV9uYW1lL2RlbGV0ZWBgLgorV3Jp dGluZyBgYDFgYCB0byB0aGF0IGZpbGUgZGVsZXRlcyB0aGUgcG9saWN5OjoKKworICAgZWNobyAx ID4gIi9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS8kcG9saWN5X25hbWUvZGVsZXRlIgorCitUaGVy ZSBpcyBvbmx5IG9uZSByZXF1aXJlbWVudCB0byBkZWxldGUgYSBwb2xpY3k6IHRoZSBwb2xpY3kg YmVpbmcgZGVsZXRlZAorbXVzdCBiZSBpbmFjdGl2ZS4KKworLi4gTk9URTo6CisKKyAgIElmIGEg dHJhZGl0aW9uYWwgTUFDIHN5c3RlbSBpcyBlbmFibGVkIChTRUxpbnV4LCBhcHBhcm1vciwgc21h Y2spLCBhbGwKKyAgIHdyaXRlcyB0byBpcGUncyBzZWN1cml0eWZzIG5vZGVzIHJlcXVpcmUgYGBD QVBfTUFDX0FETUlOYGAuCisKK01vZGVzCit+fn5+fgorCitJUEUgc3VwcG9ydHMgdHdvIG1vZGVz IG9mIG9wZXJhdGlvbjogcGVybWlzc2l2ZSAoc2ltaWxhciB0byBTRUxpbnV4J3MKK3Blcm1pc3Np dmUgbW9kZSkgYW5kIGVuZm9yY2VkLiBJbiBwZXJtaXNzaXZlIG1vZGUsIGFsbCBldmVudHMgYXJl CitjaGVja2VkIGFuZCBwb2xpY3kgdmlvbGF0aW9ucyBhcmUgbG9nZ2VkLCBidXQgdGhlIHBvbGlj eSBpcyBub3QgcmVhbGx5CitlbmZvcmNlZC4gVGhpcyBhbGxvd3MgdXNlcnMgdG8gdGVzdCBwb2xp Y2llcyBiZWZvcmUgZW5mb3JjaW5nIHRoZW0uCisKK1RoZSBkZWZhdWx0IG1vZGUgaXMgZW5mb3Jj ZSwgYW5kIGNhbiBiZSBjaGFuZ2VkIHZpYSB0aGUga2VybmVsIGNvbW1hbmQKK2xpbmUgcGFyYW1l dGVyIGBgaXBlLmVuZm9yY2U9KDB8MSlgYCwgb3IgdGhlIHNlY3VyaXR5ZnMgbm9kZQorYGAvc3lz L2tlcm5lbC9zZWN1cml0eS9pcGUvZW5mb3JjZWBgLgorCisuLiBOT1RFOjoKKworICAgSWYgYSB0 cmFkaXRpb25hbCBNQUMgc3lzdGVtIGlzIGVuYWJsZWQgKFNFTGludXgsIGFwcGFybW9yLCBzbWFj aywgZXRjZXRlcmEpLAorICAgYWxsIHdyaXRlcyB0byBpcGUncyBzZWN1cml0eWZzIG5vZGVzIHJl cXVpcmUgYGBDQVBfTUFDX0FETUlOYGAuCisKK0F1ZGl0IEV2ZW50cworfn5+fn5+fn5+fn5+CisK KzE0MjAgQVVESVRfSVBFX0FDQ0VTUworXl5eXl5eXl5eXl5eXl5eXl5eXl5eCitFdmVudCBFeGFt cGxlczo6CisKKyAgIHR5cGU9MTQyMCBhdWRpdCgxNjUzMzY0MzcwLjA2Nzo2MSk6IHBhdGg9Ii9y b290L2ZzL3J3L3BsYWluL2V4ZWN2ZSIgZGV2PSJ2ZGMxIiBpbm89MTYgcnVsZT0iREVGQVVMVCBv cD1FWEVDVVRFIGFjdGlvbj1ERU5ZIgorICAgdHlwZT0xMzAwIGF1ZGl0KDE2NTMzNjQzNzAuMDY3 OjYxKTogYXJjaD1jMDAwMDAzZSBzeXNjYWxsPTEwIHN1Y2Nlc3M9bm8gZXhpdD0tMTMgYTA9N2Yw YmYwNjQ0MDAwIGExPTRmODAgYTI9NSBhMz03ZjBiZjA0M2QzMDAgaXRlbXM9MCBwcGlkPTQ1NSBw aWQ9NzM3IGF1aWQ9MCB1aWQ9MCBnaWQ9MCBldWlkPTAgc3VpZD0wIGZzdWlkPTAgZWdpZD0wIHNn aWQ9MCBmc2dpZD0wIHR0eT10dHlTMCBzZXM9MyBjb21tPSJtcHJvdGVjdCIgZXhlPSIvcm9vdC9o b3N0L21wcm90ZWN0IiBzdWJqPWtlcm5lbCBrZXk9KG51bGwpCisgICB0eXBlPTEzMjcgYXVkaXQo MTY1MzM2NDM3MC4wNjc6NjEpOiBwcm9jdGl0bGU9Njg2RjczNzQyRjZENzA3MjZGNzQ2NTYzNzQw MDUzNDgwMDUyN0M1NzAwNTI3QzU4MDA3MDZDNjE2OTZFMkY2NTc4NjU2Mzc2NjUKKworICAgdHlw ZT0xNDIwIGF1ZGl0KDE2NTMzNjQ3MzUuMTYxOjY0KTogcnVsZT0iREVGQVVMVCBvcD1FWEVDVVRF IGFjdGlvbj1ERU5ZIgorICAgdHlwZT0xMzAwIGF1ZGl0KDE2NTMzNjQ3MzUuMTYxOjY0KTogYXJj aD1jMDAwMDAzZSBzeXNjYWxsPTkgc3VjY2Vzcz1ubyBleGl0PS0xMyBhMD0wIGExPTEwMDAgYTI9 NCBhMz0yMCBpdGVtcz0wIHBwaWQ9NDU1IHBpZD03NzQgYXVpZD0wIHVpZD0wIGdpZD0wIGV1aWQ9 MCBzdWlkPTAgZnN1aWQ9MCBlZ2lkPTAgc2dpZD0wIGZzZ2lkPTAgdHR5PXR0eVMwIHNlcz0zIGNv bW09Im1tYXAiIGV4ZT0iL3Jvb3QvaG9zdC9tbWFwIiBzdWJqPWtlcm5lbCBrZXk9KG51bGwpCisg ICB0eXBlPTEzMjcgYXVkaXQoMTY1MzM2NDczNS4xNjE6NjQpOiBwcm9jdGl0bGU9Njg2RjczNzQy RjZENkQ2MTcwMDA0MTAwNTjij44KKworVGhpcyBldmVudCBpbmRpY2F0ZXMgdGhhdCBJUEUgbWFk ZSBhbiBhY2Nlc3MgY29udHJvbCBkZWNpc2lvbjsgdGhlIElQRQorc3BlY2lmaWMgcmVjb3JkICgx NDIwKSBpcyBhbHdheXMgZW1pdHRlZCBpbiBjb25qdW5jdGlvbiB3aXRoIGEKK2BgQVVESVRTWVND QUxMYGAgcmVjb3JkLgorCitEZXRlcm1pbmluZyB3aGV0aGVyIElQRSBpcyBpbiBwZXJtaXNzaXZl IG9yIGVuZm9yY2VkIG1vZGUgY2FuIGJlIGRlcml2ZWQKK2Zyb20gYGBzdWNjZXNzYGAgcHJvcGVy dHkgYW5kIGV4aXQgY29kZSBvZiB0aGUgYGBBVURJVFNZU0NBTExgYCByZWNvcmQuCisKKworRmll bGQgZGVzY3JpcHRpb25zOgorCisrLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKK3wgRmllbGQg fCBWYWx1ZSBUeXBlIHwgT3B0aW9uYWw/IHwgRGVzY3JpcHRpb24gb2YgVmFsdWUgICAgICAgICAg ICAgICAgICAgICAgICAgICAgfAorKz09PT09PT0rPT09PT09PT09PT09Kz09PT09PT09PT09Kz09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0rCit8IHBhdGgg IHwgc3RyaW5nICAgICB8IFllcyAgICAgICB8IFRoZSBhYnNvbHV0ZSBwYXRoIHRvIHRoZSBldmFs dWF0ZWQgZmlsZSAgICAgICAgIHwKKystLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSst LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKworfCBpbm8g ICB8IGludGVnZXIgICAgfCBZZXMgICAgICAgfCBUaGUgaW5vZGUgbnVtYmVyIG9mIHRoZSBldmFs dWF0ZWQgZmlsZSAgICAgICAgICB8CisrLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0r LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKK3wgZGV2 ICAgfCBzdHJpbmcgICAgIHwgWWVzICAgICAgIHwgVGhlIGRldmljZSBuYW1lIG9mIHRoZSBldmFs dWF0ZWQgZmlsZSwgZS5nLiB2ZGEgfAorKy0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0t Ky0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IHJ1 bGUgIHwgc3RyaW5nICAgICB8IE5vICAgICAgICB8IFRoZSBtYXRjaGVkIHBvbGljeSBydWxlICAg ICAgICAgICAgICAgICAgICAgICAgIHwKKystLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0t LSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKworCisx NDIxIEFVRElUX0lQRV9DT05GSUdfQ0hBTkdFCiteXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5e CisKK0V2ZW50IEV4YW1wbGU6OgorCisgICB0eXBlPTE0MjEgYXVkaXQoMTY1MzQyNTU4My4xMzY6 NTQpOiBvbGRfYWN0aXZlX3BvbF9uYW1lPSJBbGxvd19BbGwiIG9sZF9hY3RpdmVfcG9sX3ZlcnNp b249MC4wLjAgb2xkX3BvbGljeV9kaWdlc3Q9c2hhMjU2OkUzQjBDNDQyOThGQzFDMTQ5QUZCRjRD ODk5NkZCOTI0MjdBRTQxRTQ2NDlCOTM0Q0E0OTU5OTFCNzg1MkI4NTUgbmV3X2FjdGl2ZV9wb2xf bmFtZT0iYm9vdF92ZXJpZmllZCIgbmV3X2FjdGl2ZV9wb2xfdmVyc2lvbj0wLjAuMCBuZXdfcG9s aWN5X2RpZ2VzdD1zaGEyNTY6ODIwRUVBNUI0MENBNDJCNTFGNjg5NjIzNTRCQTA4MzEyMkEyMEJC ODQ2RjI2NzY1MDc2REQ4RUVEN0I4RjREQiBhdWlkPTQyOTQ5NjcyOTUgc2VzPTQyOTQ5NjcyOTUg bHNtPWlwZSByZXM9MQorICAgdHlwZT0xMzAwIGF1ZGl0KDE2NTM0MjU1ODMuMTM2OjU0KTogU1lT Q0FMTCBhcmNoPWMwMDAwMDNlIHN5c2NhbGw9MSBzdWNjZXNzPXllcyBleGl0PTIgYTA9MyBhMT01 NTk2ZmNhZTFmYjAgYTI9MiBhMz0yIGl0ZW1zPTAgcHBpZD0xODQgcGlkPTIyOSBhdWlkPTQyOTQ5 NjcyOTUgdWlkPTAgZ2lkPTAgZXVpZD0wIHN1aWQ9MCBmc3VpZD0wIGVnaWQ9MCBzZ2lkPTAgZnNn aWQ9MCB0dHk9cHRzMCBzZXM9NDI5NDk2NzI5NSBjb21tPSJweXRob24zIiBleGU9Ii91c3IvYmlu L3B5dGhvbjMuMTAiIGtleT0obnVsbCkKKyAgIHR5cGU9MTMyNyBhdWRpdCgxNjUzNDI1NTgzLjEz Njo1NCk6IFBST0NUSVRMRSBwcm9jdGl0bGU9NzA3OTc0Njg2RjZFMzMwMDc0NjU3Mzc0MkY2RDYx Njk2RTJFNzA3OTAwMkQ2NjAwMkUyCisKK1RoaXMgZXZlbnQgaW5kaWNhdGVzIHRoYXQgSVBFIHN3 aXRjaGVkIHRoZSBhY3RpdmUgcG9saXkgZnJvbSBvbmUgdG8gYW5vdGhlcgorYWxvbmcgd2l0aCB0 aGUgdmVyc2lvbiBhbmQgdGhlIGhhc2ggZGlnZXN0IG9mIHRoZSB0d28gcG9saWNpZXMuCitOb3Rl IElQRSBjYW4gb25seSBoYXZlIG9uZSBwb2xpY3kgYWN0aXZlIGF0IGEgdGltZSwgYWxsIGFjY2Vz cyBkZWNpc2lvbgorZXZhbHVhdGlvbiBpcyBiYXNlZCBvbiB0aGUgY3VycmVudCBhY3RpdmUgcG9s aWN5LgorVGhlIG5vcm1hbCBwcm9jZWR1cmUgdG8gZGVwbG95IGEgbmV3IHBvbGljeSBpcyBsb2Fk aW5nIHRoZSBwb2xpY3kgdG8gZGVwbG95CitpbnRvIHRoZSBrZXJuZWwgZmlyc3QsIHRoZW4gc3dp dGNoIHRoZSBhY3RpdmUgcG9saWN5IHRvIGl0LgorCitUaGlzIHJlY29yZCB3aWxsIGFsd2F5cyBi ZSBlbWl0dGVkIGluIGNvbmp1bmN0aW9uIHdpdGggYSBgYEFVRElUU1lTQ0FMTGBgIHJlY29yZCBm b3IgdGhlIGBgd3JpdGVgYCBzeXNjYWxsLgorCisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0t LS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0rCit8IEZpZWxkICAgICAgICAgICAgICAgICAgfCBWYWx1ZSBUeXBl IHwgT3B0aW9uYWw/IHwgRGVzY3JpcHRpb24gb2YgVmFsdWUgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICB8CisrPT09PT09PT09PT09PT09PT09PT09PT09Kz09PT09PT09PT09PSs9PT09PT09 PT09PSs9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0r Cit8IG9sZF9hY3RpdmVfcG9sX25hbWUgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhl IG5hbWUgb2YgcHJldmlvdXMgYWN0aXZlIHBvbGljeSAgICAgICAgICAgICAgICB8CisrLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG9sZF9hY3RpdmVfcG9s X3ZlcnNpb24gfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIHZlcnNpb24gb2YgcHJldmlv dXMgYWN0aXZlIHBvbGljeSAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t Ky0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG9sZF9wb2xpY3lfZGlnZXN0ICAgICAgfCBzdHJpbmcg ICAgIHwgTm8gICAgICAgIHwgVGhlIGhhc2ggb2YgcHJldmlvdXMgYWN0aXZlIHBvbGljeSAgICAg ICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rCit8IG5ld19hY3RpdmVfcG9sX25hbWUgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwg VGhlIG5hbWUgb2YgY3VycmVudCBhY3RpdmUgcG9saWN5ICAgICAgICAgICAgICAgICB8CisrLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG5ld19hY3RpdmVf cG9sX3ZlcnNpb24gfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIHZlcnNpb24gb2YgY3Vy cmVudCBhY3RpdmUgcG9saWN5ICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG5ld19wb2xpY3lfZGlnZXN0ICAgICAgfCBzdHJp bmcgICAgIHwgTm8gICAgICAgIHwgVGhlIGhhc2ggb2YgY3VycmVudCBhY3RpdmUgcG9saWN5ICAg ICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSst LS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0rCit8IGF1aWQgICAgICAgICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAg IHwgVGhlIGxvZ2luIHVzZXIgSUQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8Cisr LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IHNlcyAgICAg ICAgICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2luIHNlc3Np b24gSUQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IGxzbSAgICAgICAgICAgICAgICAgICAgfCBz dHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIGxzbSBuYW1lIGFzc29jaWF0ZWQgd2l0aCB0aGUg ZXZlbnQgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0t LSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rCit8IHJlcyAgICAgICAgICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAg ICAgIHwgVGhlIHJlc3VsdCBvZiB0aGUgYXVkaXRlZCBvcGVyYXRpb24oc3VjY2Vzcy9mYWlsKSB8 CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCisKKzE0MjIg QVVESVRfSVBFX1BPTElDWV9MT0FECiteXl5eXl5eXl5eXl5eXl5eXl5eXl5eXl5eXgorCitFdmVu dCBFeGFtcGxlOjoKKworICAgdHlwZT0xNDIyIGF1ZGl0KDE2NTM0MjU1MjkuOTI3OjUzKTogcG9s aWN5X25hbWU9ImJvb3RfdmVyaWZpZWQiIHBvbGljeV92ZXJzaW9uPTAuMC4wIHBvbGljeV9kaWdl c3Q9c2hhMjU2OjgyMEVFQTVCNDBDQTQyQjUxRjY4OTYyMzU0QkEwODMxMjJBMjBCQjg0NkYyNjc2 NTA3NkREOEVFRDdCOEY0REIgYXVpZD00Mjk0OTY3Mjk1IHNlcz00Mjk0OTY3Mjk1IGxzbT1pcGUg cmVzPTEKKyAgIHR5cGU9MTMwMCBhdWRpdCgxNjUzNDI1NTI5LjkyNzo1Myk6IGFyY2g9YzAwMDAw M2Ugc3lzY2FsbD0xIHN1Y2Nlc3M9eWVzIGV4aXQ9MjU2NyBhMD0zIGExPTU1OTZmY2FlMWZiMCBh Mj1hMDcgYTM9MiBpdGVtcz0wIHBwaWQ9MTg0IHBpZD0yMjkgYXVpZD00Mjk0OTY3Mjk1IHVpZD0w IGdpZD0wIGV1aWQ9MCBzdWlkPTAgZnN1aWQ9MCBlZ2lkPTAgc2dpZD0wIGZzZ2lkPTAgdHR5PXB0 czAgc2VzPTQyOTQ5NjcyOTUgY29tbT0icHl0aG9uMyIgZXhlPSIvdXNyL2Jpbi9weXRob24zLjEw IiBrZXk9KG51bGwpCisgICB0eXBlPTEzMjcgYXVkaXQoMTY1MzQyNTUyOS45Mjc6NTMpOiBQUk9D VElUTEUgcHJvY3RpdGxlPTcwNzk3NDY4NkY2RTMzMDA3NDY1NzM3NDJGNkQ2MTY5NkUyRTcwNzkw MDJENjYwMDJFMkUKKworVGhpcyByZWNvcmQgaW5kaWNhdGVzIGEgbmV3IHBvbGljeSBoYXMgYmVl biBsb2FkZWQgaW50byB0aGUga2VybmVsIHdpdGggdGhlIHBvbGljeSBuYW1lLCBwb2xpY3kgdmVy c2lvbiBhbmQgcG9saWN5IGhhc2guCisKK1RoaXMgcmVjb3JkIHdpbGwgYWx3YXlzIGJlIGVtaXR0 ZWQgaW4gY29uanVuY3Rpb24gd2l0aCBhIGBgQVVESVRTWVNDQUxMYGAgcmVjb3JkIGZvciB0aGUg YGB3cml0ZWBgIHN5c2NhbGwuCisKKystLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rCit8IEZpZWxkICAgICAgICAgIHwgVmFsdWUgVHlwZSB8IE9wdGlvbmFsPyB8IERlc2NyaXB0 aW9uIG9mIFZhbHVlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfAorKz09PT09PT09PT09 PT09PT0rPT09PT09PT09PT09Kz09PT09PT09PT09Kz09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PSsKK3wgcG9saWN5X25hbWUgICAgfCBzdHJpbmcgICAg IHwgTm8gICAgICAgIHwgVGhlIHBvbGljeV9uYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKworfCBwb2xp Y3lfdmVyc2lvbiB8IHN0cmluZyAgICAgfCBObyAgICAgICAgfCBUaGUgcG9saWN5X3ZlcnNpb24g ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKKystLS0tLS0tLS0tLS0tLS0tKy0tLS0t LS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0rCit8IHBvbGljeV9kaWdlc3QgIHwgc3RyaW5nICAgICB8IE5vICAgICAg ICB8IFRoZSBwb2xpY3kgaGFzaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfAor Ky0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKK3wgYXVpZCAgICAgICAgICAg fCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2luIHVzZXIgSUQgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0t LS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tKworfCBzZXMgICAgICAgICAgICB8IGludGVnZXIgICAgfCBObyAgICAgICAgfCBUaGUgbG9n aW4gc2Vzc2lvbiBJRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKKystLS0tLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IGxzbSAgICAgICAgICAgIHwgc3RyaW5nICAg ICB8IE5vICAgICAgICB8IFRoZSBsc20gbmFtZSBhc3NvY2lhdGVkIHdpdGggdGhlIGV2ZW50ICAg ICAgICAgICAgfAorKy0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSsKK3wgcmVz ICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIHJlc3VsdCBvZiB0aGUg YXVkaXRlZCBvcGVyYXRpb24oc3VjY2Vzcy9mYWlsKSB8CisrLS0tLS0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tKworCisKKzE0MDQgQVVESVRfTUFDX1NUQVRVUworXl5eXl5eXl5eXl5e Xl5eXl5eXl5eCisKK0V2ZW50IEV4YW1wbGVzOjoKKworICAgdHlwZT0xNDA0IGF1ZGl0KDE2NTM0 MjU2ODkuMDA4OjU1KTogZW5mb3JjaW5nPTAgb2xkX2VuZm9yY2luZz0xIGF1aWQ9NDI5NDk2NzI5 NSBzZXM9NDI5NDk2NzI5NSBlbmFibGVkPTEgb2xkLWVuYWJsZWQ9MSBsc209aXBlIHJlcz0xCisg ICB0eXBlPTEzMDAgYXVkaXQoMTY1MzQyNTY4OS4wMDg6NTUpOiBhcmNoPWMwMDAwMDNlIHN5c2Nh bGw9MSBzdWNjZXNzPXllcyBleGl0PTIgYTA9MSBhMT01NWMxMDY1ZTVjNjAgYTI9MiBhMz0wIGl0 ZW1zPTAgcHBpZD00MDUgcGlkPTQ0MSBhdWlkPTAgdWlkPTAgZ2lkPTAgZXVpZD0wIHN1aWQ9MCBm c3VpZD0wIGVnaWQ9MCBzZ2lkPSkKKyAgIHR5cGU9MTMyNyBhdWRpdCgxNjUzNDI1Njg5LjAwODo1 NSk6IHByb2N0aXRsZT0iLWJhc2giCisKKyAgIHR5cGU9MTQwNCBhdWRpdCgxNjUzNDI1Njg5LjAw ODo1NSk6IGVuZm9yY2luZz0xIG9sZF9lbmZvcmNpbmc9MCBhdWlkPTQyOTQ5NjcyOTUgc2VzPTQy OTQ5NjcyOTUgZW5hYmxlZD0xIG9sZC1lbmFibGVkPTEgbHNtPWlwZSByZXM9MQorICAgdHlwZT0x MzAwIGF1ZGl0KDE2NTM0MjU2ODkuMDA4OjU1KTogYXJjaD1jMDAwMDAzZSBzeXNjYWxsPTEgc3Vj Y2Vzcz15ZXMgZXhpdD0yIGEwPTEgYTE9NTVjMTA2NWU1YzYwIGEyPTIgYTM9MCBpdGVtcz0wIHBw aWQ9NDA1IHBpZD00NDEgYXVpZD0wIHVpZD0wIGdpZD0wIGV1aWQ9MCBzdWlkPTAgZnN1aWQ9MCBl Z2lkPTAgc2dpZD0pCisgICB0eXBlPTEzMjcgYXVkaXQoMTY1MzQyNTY4OS4wMDg6NTUpOiBwcm9j dGl0bGU9Ii1iYXNoIgorCitUaGlzIHJlY29yZCB3aWxsIGFsd2F5cyBiZSBlbWl0dGVkIGluIGNv bmp1bmN0aW9uIHdpdGggYSBgYEFVRElUU1lTQ0FMTGBgIHJlY29yZCBmb3IgdGhlIGBgd3JpdGVg YCBzeXNjYWxsLgorCisrLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSst LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKworfCBGaWVsZCAg ICAgICAgIHwgVmFsdWUgVHlwZSB8IE9wdGlvbmFsPyB8IERlc2NyaXB0aW9uIG9mIFZhbHVlICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgIHwgICAgIHwKKys9PT09PT09PT09PT09PT0rPT09PT09PT09PT09Kz09 PT09PT09PT09Kz09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0rPT09PT0r Cit8IGVuZm9yY2luZyAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGVuZm9yY2lu ZyBzdGF0ZSBJUEUgaXMgYmVpbmcgc3dpdGNoZWQgdG8sIDEgaXMgaW4gZW5mb3JjaW5nIG1vZGUs IDAgaXMgaW4gcGVybWlzc2l2ZSBtb2RlICAgfCAgICAgfAorKy0tLS0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLSstLS0tLSsKK3wgb2xkX2VuZm9yY2luZyB8IGludGVnZXIgICAgfCBObyAgICAgICAgfCBU aGUgZW5mb3JjaW5nIHN0YXRlIElQRSBpcyBiZWluZyBzd2l0Y2hlZCBmcm9tLCAxIGlzIGluIGVu Zm9yY2luZyBtb2RlLCAwIGlzIGluIHBlcm1pc3NpdmUgbW9kZSB8ICAgICB8CisrLS0tLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tKy0tLS0tKworfCBhdWlkICAgICAgICAgIHwgaW50ZWdlciAgICB8IE5v ICAgICAgICB8IFRoZSBsb2dpbiB1c2VyIElEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIHwK KystLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rCit8IHNlcyAgICAgICAgICAgfCBpbnRl Z2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2luIHNlc3Npb24gSUQgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgfCAgICAgfAorKy0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLSsKK3wgZW5hYmxlZCAg ICAgICB8IGludGVnZXIgICAgfCBObyAgICAgICAgfCBUaGUgbmV3IFRUWSBhdWRpdCBlbmFibGVk IHNldHRpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICB8ICAgICB8CisrLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKwor fCBvbGQtZW5hYmxlZCAgIHwgaW50ZWdlciAgICB8IE5vICAgICAgICB8IFRoZSBvbGQgVFRZIGF1 ZGl0IGVuYWJsZWQgc2V0dGluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIHwKKystLS0tLS0tLS0tLS0tLS0rLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rLS0tLS0rCit8IGxzbSAgICAgICAgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhl IGxzbSBuYW1lIGFzc29jaWF0ZWQgd2l0aCB0aGUgZXZlbnQgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgfAorKy0tLS0tLS0tLS0t LS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLSstLS0tLSsKK3wgcmVzICAgICAgICAgICB8IGludGVnZXIgICAgfCBObyAg ICAgICAgfCBUaGUgcmVzdWx0IG9mIHRoZSBhdWRpdGVkIG9wZXJhdGlvbihzdWNjZXNzL2ZhaWwp ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgICB8Cisr LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKworCitTdWNjZXNzIEF1ZGl0aW5nCiteXl5e Xl5eXl5eXl5eXl5eCisKK0lQRSBzdXBwb3J0cyBzdWNjZXNzIGF1ZGl0aW5nLiBXaGVuIGVuYWJs ZWQsIGFsbCBldmVudHMgdGhhdCBwYXNzIElQRQorcG9saWN5IGFuZCBhcmUgbm90IGJsb2NrZWQg d2lsbCBlbWl0IGFuIGF1ZGl0IGV2ZW50LiBUaGlzIGlzIGRpc2FibGVkIGJ5CitkZWZhdWx0LCBh bmQgY2FuIGJlIGVuYWJsZWQgdmlhIHRoZSBrZXJuZWwgY29tbWFuZCBsaW5lCitgYGlwZS5zdWNj ZXNzX2F1ZGl0PSgwfDEpYGAgb3IKK2BgL3N5cy9rZXJuZWwvc2VjdXJpdHkvaXBlL3N1Y2Nlc3Nf YXVkaXRgYCBzZWN1cml0eWZzIGZpbGUuCisKK1RoaXMgaXMgKnZlcnkqIG5vaXN5LCBhcyBJUEUg d2lsbCBjaGVjayBldmVyeSB1c2Vyc3BhY2UgYmluYXJ5IG9uIHRoZQorc3lzdGVtLCBidXQgaXMg dXNlZnVsIGZvciBkZWJ1Z2dpbmcgcG9saWNpZXMuCisKKy4uIE5PVEU6OgorCisgICBJZiBhIHRy YWRpdGlvbmFsIE1BQyBzeXN0ZW0gaXMgZW5hYmxlZCAoU0VMaW51eCwgYXBwYXJtb3IsIHNtYWNr LCBldGNldGVyYSksCisgICBhbGwgd3JpdGVzIHRvIGlwZSdzIHNlY3VyaXR5ZnMgbm9kZXMgcmVx dWlyZSBgYENBUF9NQUNfQURNSU5gYC4KKworUHJvcGVydGllcworLS0tLS0tLS0tLQorCitBcyBl eHBsYWluZWQgYWJvdmUsIElQRSBwcm9wZXJ0aWVzIGFyZSBgYGtleT12YWx1ZWBgIHBhaXJzIGV4 cHJlc3NlZCBpbgorSVBFIHBvbGljeS4gVHdvIHByb3BlcnRpZXMgYXJlIGJ1aWx0LWludG8gdGhl IHBvbGljeSBwYXJzZXI6ICdvcCcgYW5kCisnYWN0aW9uJy4gVGhlIG90aGVyIHByb3BlcnRpZXMg YXJlIGRldGVybWluaXN0aWMgYXR0cmlidXRlcyB0byBleHByZXNzCithY3Jvc3MgZmlsZXMuIEN1 cnJlbnRseSB0aG9zZSBwcm9wZXJ0aWVzIGFyZTogJ2BgYm9vdF92ZXJpZmllZGBgJywKKydgYGRt dmVyaXR5X3NpZ25hdHVyZWBgJywgJ2BgZG12ZXJpdHlfcm9vdGhhc2hgYCcsICdgYGZzdmVyaXR5 X3NpZ25hdHVyZWBgJywKKydgYGZzdmVyaXR5X2RpZ2VzdGBgJy4gQSBkZXNjcmlwdGlvbiBvZiBh bGwgcHJvcGVydGllcyBzdXBwb3J0ZWQgYnkgSVBFCithcmUgbGlzdGVkIGJlbG93OgorCitvcAor fn4KKworSW5kaWNhdGVzIHRoZSBvcGVyYXRpb24gZm9yIGEgcnVsZSB0byBhcHBseSB0by4gTXVz dCBiZSBpbiBldmVyeSBydWxlLAorYXMgdGhlIGZpcnN0IHRva2VuLiBJUEUgc3VwcG9ydHMgdGhl IGZvbGxvd2luZyBvcGVyYXRpb25zOgorCisgICBgYEVYRUNVVEVgYAorCisgICAgICBQZXJ0YWlu cyB0byBhbnkgZmlsZSBhdHRlbXB0aW5nIHRvIGJlIGV4ZWN1dGVkLCBvciBsb2FkZWQgYXMgYW4K KyAgICAgIGV4ZWN1dGFibGUuCisKKyAgIGBgRklSTVdBUkVgYDoKKworICAgICAgUGVydGFpbnMg dG8gZmlybXdhcmUgYmVpbmcgbG9hZGVkIHZpYSB0aGUgZmlybXdhcmVfY2xhc3MgaW50ZXJmYWNl LgorICAgICAgVGhpcyBjb3ZlcnMgYm90aCB0aGUgcHJlYWxsb2NhdGVkIGJ1ZmZlciBhbmQgdGhl IGZpcm13YXJlIGZpbGUKKyAgICAgIGl0c2VsZi4KKworICAgYGBLTU9EVUxFYGA6CisKKyAgICAg IFBlcnRhaW5zIHRvIGxvYWRpbmcga2VybmVsIG1vZHVsZXMgdmlhIGBgbW9kcHJvYmVgYCBvciBg YGluc21vZGBgLgorCisgICBgYEtFWEVDX0lNQUdFYGA6CisKKyAgICAgIFBlcnRhaW5zIHRvIGtl cm5lbCBpbWFnZXMgbG9hZGluZyB2aWEgYGBrZXhlY2BgLgorCisgICBgYEtFWEVDX0lOSVRSQU1G U2BgCisKKyAgICAgIFBlcnRhaW5zIHRvIGluaXRyZCBpbWFnZXMgbG9hZGluZyB2aWEgYGBrZXhl YyAtLWluaXRyZGBgLgorCisgICBgYFBPTElDWWBgOgorCisgICAgICBDb250cm9scyBsb2FkaW5n IHBvbGljaWVzIHZpYSByZWFkaW5nIGEga2VybmVsLXNwYWNlIGluaXRpYXRlZCByZWFkLgorCisg ICAgICBBbiBleGFtcGxlIG9mIHN1Y2ggaXMgbG9hZGluZyBJTUEgcG9saWNpZXMgYnkgd3JpdGlu ZyB0aGUgcGF0aAorICAgICAgdG8gdGhlIHBvbGljeSBmaWxlIHRvIGBgJHNlY3VyaXR5ZnMvaW1h L3BvbGljeWBgCisKKyAgIGBgWDUwOV9DRVJUYGA6CisKKyAgICAgIENvbnRyb2xzIGxvYWRpbmcg SU1BIGNlcnRpZmljYXRlcyB0aHJvdWdoIHRoZSBLY29uZmlncywKKyAgICAgIGBgQ09ORklHX0lN QV9YNTA5X1BBVEhgYCBhbmQgYGBDT05GSUdfRVZNX1g1MDlfUEFUSGBgLgorCithY3Rpb24KK35+ fn5+fgorCisgICBEZXRlcm1pbmVzIHdoYXQgSVBFIHNob3VsZCBkbyB3aGVuIGEgcnVsZSBtYXRj aGVzLiBNdXN0IGJlIGluIGV2ZXJ5CisgICBydWxlLCBhcyB0aGUgZmluYWwgY2xhdXNlLiBDYW4g YmUgb25lIG9mOgorCisgICBgYEFMTE9XYGA6CisKKyAgICAgIElmIHRoZSBydWxlIG1hdGNoZXMs IGV4cGxpY2l0bHkgYWxsb3cgYWNjZXNzIHRvIHRoZSByZXNvdXJjZSB0byBwcm9jZWVkCisgICAg ICB3aXRob3V0IGV4ZWN1dGluZyBhbnkgbW9yZSBydWxlcy4KKworICAgYGBERU5ZYGA6CisKKyAg ICAgIElmIHRoZSBydWxlIG1hdGNoZXMsIGV4cGxpY2l0bHkgcHJvaGliaXQgYWNjZXNzIHRvIHRo ZSByZXNvdXJjZSB0bworICAgICAgcHJvY2VlZCB3aXRob3V0IGV4ZWN1dGluZyBhbnkgbW9yZSBy dWxlcy4KKworYm9vdF92ZXJpZmllZAorfn5+fn5+fn5+fn5+fgorCisgICBUaGlzIHByb3BlcnR5 IGNhbiBiZSB1dGlsaXplZCBmb3IgYXV0aG9yaXphdGlvbiBvZiB0aGUgZmlyc3Qgc3VwZXItYmxv Y2sKKyAgIHRoYXQgZXhlY3V0ZXMgYSBmaWxlLiBUaGlzIGlzIGFsbW9zdCBhbHdheXMgaW5pdC4g VHlwaWNhbGx5IHRoaXMgaXMgdXNlZAorICAgZm9yIHN5c3RlbXMgd2l0aCBhbiBpbml0cmFtZnMg b3Igb3RoZXIgaW5pdGlhbCBkaXNrLCB3aGVyZSB0aGlzIGlzIHVubW91bnRlZAorICAgYmVmb3Jl IHRoZSBzeXN0ZW0gYmVjb21lcyBhdmFpbGFibGUsIGFuZCBpcyBub3QgY292ZXJlZCBieSBhbnkg b3RoZXIgcHJvcGVydHkuCisgICBUaGUgZm9ybWF0IG9mIHRoaXMgcHJvcGVydHkgaXM6OgorCisg ICAgICAgICBib290X3ZlcmlmaWVkPShUUlVFfEZBTFNFKQorCisKKyAgIC4uIFdBUk5JTkc6Ogor CisgICAgICBUaGlzIHByb3BlcnR5IHdpbGwgdHJ1c3QgYW55IGRpc2sgd2hlcmUgdGhlIGZpcnN0 IGV4ZWN1dGlvbiBldmFsdWF0aW9uCisgICAgICBvY2N1cnMuIElmIHlvdSBkbyAqTk9UKiBoYXZl IGEgc3RhcnR1cCBkaXNrIHRoYXQgaXMgdW5wYWNrZWQgYW5kIHVubW91bnRlZAorICAgICAgKGxp a2UgaW5pdHJhbWZzKSwgdGhlbiBpdCB3aWxsIGF1dG9tYXRpY2FsbHkgdHJ1c3QgdGhlIHJvb3Qg ZmlsZXN5c3RlbSBhbmQKKyAgICAgIHBvdGVudGlhbGx5IG92ZXJhdXRob3JpemUgdGhlIGVudGly ZSBkaXNrLgorCitkbXZlcml0eV9yb290aGFzaAorfn5+fn5+fn5+fn5+fn5+fn4KKworICAgVGhp cyBwcm9wZXJ0eSBjYW4gYmUgdXRpbGl6ZWQgZm9yIGF1dGhvcml6YXRpb24gb3IgcmV2b2NhdGlv biBvZgorICAgc3BlY2lmaWMgZG0tdmVyaXR5IHZvbHVtZXMsIGlkZW50aWZpZWQgdmlhIHNyb290 IGhhc2guIEl0IGhhcyBhCisgICBkZXBlbmRlbmN5IG9uIHRoZSBETV9WRVJJVFkgbW9kdWxlLiBU aGlzIHByb3BlcnR5IGlzIGNvbnRyb2xsZWQgYnkKKyAgIHRoZSBgYElQRV9QUk9QX0RNX1ZFUklU WWBgIGNvbmZpZyBvcHRpb24sIGl0IHdpbGwgYmUgYXV0b21hdGljYWxseQorICAgc2VsZWN0ZWQg d2hlbiBgYElQRV9TRUNVUklUWWBgLCBgYERNX1ZFUklUWSBgYCBhbmQKKyAgIGBgRE1fVkVSSVRZ X1ZFUklGWV9ST09USEFTSF9TSUdgYCBhcmUgYWxsIGVuYWJsZWQuCisgICBUaGUgZm9ybWF0IG9m IHRoaXMgcHJvcGVydHkgaXM6OgorCisgICAgICBkbXZlcml0eV9yb290aGFzaD1EaWdlc3ROYW1l OkhleGFkZWNpbWFsU3RyaW5nCisKKyAgIFRoZSBzdXBwb3J0ZWQgRGlnZXN0TmFtZXMgZm9yIGRt dmVyaXR5X3Jvb3RoYXNoIGFyZSBbI2RtdmVyaXR5ZGlnZXN0c11fIFsjc2VjdXJlZGlnZXN0XV8g OgorCisgICAgICArIGJsYWtlMmItNTEyCisgICAgICArIGJsYWtlMnMtMjU2CisgICAgICArIHNo YTEKKyAgICAgICsgc2hhMjU2CisgICAgICArIHNoYTM4NAorICAgICAgKyBzaGE1MTIKKyAgICAg ICsgc2hhMy0yMjQKKyAgICAgICsgc2hhMy0yNTYKKyAgICAgICsgc2hhMy0zODQKKyAgICAgICsg c2hhMy01MTIKKyAgICAgICsgbWQ0CisgICAgICArIG1kNQorICAgICAgKyBzbTMKKyAgICAgICsg cm1kMTYwCisKK2RtdmVyaXR5X3NpZ25hdHVyZQorfn5+fn5+fn5+fn5+fn5+fn5+CisKKyAgIFRo aXMgcHJvcGVydHkgY2FuIGJlIHV0aWxpemVkIGZvciBhdXRob3JpemF0aW9uIG9mIGFsbCBkbS12 ZXJpdHkKKyAgIHZvbHVtZXMgdGhhdCBoYXZlIGEgc2lnbmVkIHJvb3RoYXNoIHRoYXQgY2hhaW5z IHRvIGEga2V5cmluZworICAgc3BlY2lmaWVkIGJ5IGRtLXZlcml0eSdzIGNvbmZpZ3VyYXRpb24s IGVpdGhlciB0aGUgc3lzdGVtIHRydXN0ZWQKKyAgIGtleXJpbmcsIG9yIHRoZSBzZWNvbmRhcnkg a2V5cmluZy4gSXQgZGVwZW5kcyBvbgorICAgYGBETV9WRVJJVFlfVkVSSUZZX1JPT1RIQVNIX1NJ R2BgIGNvbmZpZyBvcHRpb24gYW5kIGlzIGNvbnRyb2xsZWQgYnkKKyAgIHRoZSBgYElQRV9QUk9Q X0RNX1ZFUklUWWBgIGNvbmZpZyBvcHRpb24sIGl0IHdpbGwgYmUgYXV0b21hdGljYWxseQorICAg c2VsZWN0ZWQgd2hlbiBgYElQRV9TRUNVUklUWWBgLCBgYERNX1ZFUklUWSBgYCBhbmQKKyAgIGBg RE1fVkVSSVRZX1ZFUklGWV9ST09USEFTSF9TSUdgYCBhcmUgYWxsIGVuYWJsZWQuCisgICBUaGUg Zm9ybWF0IG9mIHRoaXMgcHJvcGVydHkgaXM6OgorCisgICAgICBkbXZlcml0eV9zaWduYXR1cmU9 KFRSVUV8RkFMU0UpCisKK2ZzdmVyaXR5X2RpZ2VzdAorfn5+fn5+fn5+fn5+fn5+CisKKyAgIFRo aXMgcHJvcGVydHkgY2FuIGJlIHV0aWxpemVkIGZvciBhdXRob3JpemF0aW9uIG9yIHJldm9jYXRp b24gb2YKKyAgIHNwZWNpZmljIGZzdmVyaXR5IGVuYWJsZWQgZmlsZSwgaWRlbnRpZmllZCB2aWEg aXRzIGZzdmVyaXR5IGRpZ2VzdC4KKyAgIEl0IGRlcGVuZHMgb24gYGBGU19WRVJJVFlgYCBjb25m aWcgb3B0aW9uIGFuZCBpcyBjb250cm9sbGVkIGJ5CisgICBgYENPTkZJR19JUEVfUFJPUF9GU19W RVJJVFlgYC4gVGhlIGZvcm1hdCBvZiB0aGlzIHByb3BlcnR5IGlzOjoKKworICAgICAgZnN2ZXJp dHlfZGlnZXN0PURpZ2VzdE5hbWU6SGV4YWRlY2ltYWxTdHJpbmcKKworICAgVGhlIHN1cHBvcnRl ZCBEaWdlc3ROYW1lcyBmb3IgZG12ZXJpdHlfcm9vdGhhc2ggYXJlIFsjZnN2ZXJpdHlkaWdlc3Rd IFsjc2VjdXJlZGlnZXN0XV8gOgorCisgICAgICArIHNoYTI1NgorICAgICAgKyBzaGE1MTIKKwor ZnN2ZXJpdHlfc2lnbmF0dXJlCit+fn5+fn5+fn5+fn5+fn5+fn4KKworICAgVGhpcyBwcm9wZXJ0 eSBjYW4gYmUgdXRpbGl6ZWQgZm9yIGF1dGhvcml6YXRpb24gb2YgYWxsIGZzdmVyaXR5CisgICBl bmFibGVkIGZpbGVzIHRoYXQgaXMgdmVyaWZpZWQgYnkgZnN2ZXJpdHkuIFRoZSBrZXlyaW5nIHRo YXQgdGhlCisgICBzaWduYXR1cmUgaXMgdmVyaWZpZWQgYWdhaW5zdCBpcyBzdWJqZWN0IHRvIGZz dmVyaXR5J3MgY29uZmlndXJhdGlvbiwKKyAgIHR5cGljYWxseSB0aGUgZnN2ZXJpdHkga2V5cmlu Zy4gSXQgZGVwZW5kcyBvbgorICAgYGBDT05GSUdfRlNfVkVSSVRZX0JVSUxUSU5fU0lHTkFUVVJF U2BgIGFuZCAgaXQgaXMgY29udHJvbGxlZCBieQorICAgdGhlIEtjb25maWcgYGBDT05GSUdfSVBF X1BST1BfRlNfVkVSSVRZYGAuIFRoZSBmb3JtYXQgb2YgdGhpcworICAgcHJvcGVydHkgaXM6Ogor CisgICAgICBmc3Zlcml0eV9zaWduYXR1cmU9KFRSVUV8RkFMU0UpCisKK1BvbGljeSBFeGFtcGxl cworLS0tLS0tLS0tLS0tLS0tCisKK0FsbG93IGFsbAorfn5+fn5+fn5+CisKKzo6CisKKyAgIHBv bGljeV9uYW1lPUFsbG93X0FsbCBwb2xpY3lfdmVyc2lvbj0wLjAuMAorICAgREVGQVVMVCBhY3Rp b249QUxMT1cKKworQWxsb3cgb25seSBpbml0aWFsIHN1cGVyYmxvY2sKK35+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+CisKKzo6CisKKyAgIHBvbGljeV9uYW1lPUFsbG93X0FsbF9Jbml0aWFs X1NCIHBvbGljeV92ZXJzaW9uPTAuMC4wCisgICBERUZBVUxUIGFjdGlvbj1ERU5ZCisKKyAgIG9w PUVYRUNVVEUgYm9vdF92ZXJpZmllZD1UUlVFIGFjdGlvbj1BTExPVworCitBbGxvdyBhbnkgc2ln bmVkIGRtLXZlcml0eSB2b2x1bWUgYW5kIHRoZSBpbml0aWFsIHN1cGVyYmxvY2sKK35+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fgorCis6 OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1NpZ25lZEFuZEluaXRpYWwgcG9saWN5X3ZlcnNpb249 MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURFTlkKKworICAgb3A9RVhFQ1VURSBib290X3Zlcmlm aWVkPVRSVUUgYWN0aW9uPUFMTE9XCisgICBvcD1FWEVDVVRFIGRtdmVyaXR5X3NpZ25hdHVyZT1U UlVFIGFjdGlvbj1BTExPVworCitQcm9oaWJpdCBleGVjdXRpb24gZnJvbSBhIHNwZWNpZmljIGRt LXZlcml0eSB2b2x1bWUKK35+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1NpZ25lZEFuZEluaXRpYWwg cG9saWN5X3ZlcnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURFTlkKKworICAgb3A9RVhF Q1VURSBkbXZlcml0eV9yb290aGFzaD1zaGEyNTY6Y2QyYzViYWU3YzZjNTc5ZWRhYWU0MzUzMDQ5 ZDU4ZWI1ZjJlOGJlMDI0NGJmMDUzNDViYzhlNWVkMjU3YmFmZiBhY3Rpb249REVOWQorCisgICBv cD1FWEVDVVRFIGJvb3RfdmVyaWZpZWQ9VFJVRSBhY3Rpb249QUxMT1cKKyAgIG9wPUVYRUNVVEUg ZG12ZXJpdHlfc2lnbmF0dXJlPVRSVUUgYWN0aW9uPUFMTE9XCisKK0FsbG93IG9ubHkgYSBzcGVj aWZpYyBkbS12ZXJpdHkgdm9sdW1lCit+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1NpZ25lZEFuZEluaXRpYWwgcG9saWN5 X3ZlcnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURFTlkKKworICAgb3A9RVhFQ1VURSBk bXZlcml0eV9yb290aGFzaD1zaGEyNTY6NDAxZmNlYzU5NDQ4MjNhZTEyZjYyNzI2ZTgxODQ0MDdh NWZhOTU5OTc4M2YwMzBkZWMxNDY5MzggYWN0aW9uPUFMTE9XCisKK0FsbG93IGFueSBzaWduZWQg ZnMtdmVyaXR5IGZpbGUKK35+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1NpZ25lZEZT VmVyaXR5IHBvbGljeV92ZXJzaW9uPTAuMC4wCisgICBERUZBVUxUIGFjdGlvbj1ERU5ZCisKKyAg IG9wPUVYRUNVVEUgZnN2ZXJpdHlfc2lnbmF0dXJlPVRSVUUgYWN0aW9uPUFMTE9XCisKK1Byb2hp Yml0IGV4ZWN1dGlvbiBvZiBhIHNwZWNpZmljIGZzLXZlcml0eSBmaWxlCit+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn4KKworOjoKKworICAgcG9saWN5 X25hbWU9UHJvaGliaXRTcGVjaWZpY0ZTVkYgcG9saWN5X3ZlcnNpb249MC4wLjAKKyAgIERFRkFV TFQgYWN0aW9uPURFTlkKKworICAgb3A9RVhFQ1VURSBmc3Zlcml0eV9kaWdlc3Q9c2hhMjU2OmZk ODhmMmI4ODI0ZTE5N2Y4NTBiZjRjNTEwOWJlYTVjZjBlZTM4MTA0ZjcxMDg0M2JiNzJkYTc5NmJh NWFmOWUgYWN0aW9uPURFTlkKKyAgIG9wPUVYRUNVVEUgYm9vdF92ZXJpZmllZD1UUlVFIGFjdGlv bj1BTExPVworICAgb3A9RVhFQ1VURSBkbXZlcml0eV9zaWduYXR1cmU9VFJVRSBhY3Rpb249QUxM T1cKKworQWRkaXRpb25hbCBJbmZvcm1hdGlvbgorLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQorCist IGBHaXRodWIgUmVwb3NpdG9yeSA8aHR0cHM6Ly9naXRodWIuY29tL21pY3Jvc29mdC9pcGU+YF8K Ky0gYERlc2lnbiBEb2N1bWVudGF0aW9uIDwvc2VjdXJpdHkvaXBlPmBfCisKK0ZBUQorLS0tCisK K1E6CisgICBXaGF0J3MgdGhlIGRpZmZlcmVuY2UgYmV0d2VlbiBvdGhlciBMU01zIHdoaWNoIHBy b3ZpZGUgYSBtZWFzdXJlIG9mCisgICB0cnVzdC1iYXNlZCBhY2Nlc3MgY29udHJvbD8KKworQToK KworICAgSW4gZ2VuZXJhbCwgdGhlcmUncyB0d28gb3RoZXIgTFNNcyB0aGF0IGNhbiBwcm92aWRl IHNpbWlsYXIgZnVuY3Rpb25hbGl0eToKKyAgIElNQSwgYW5kIExvYWRwaW4uCisKKyAgIElNQSBh bmQgSVBFIGFyZSBmdW5jdGlvbmFsbHkgdmVyeSBzaW1pbGFyLiBUaGUgc2lnbmlmaWNhbnQgZGlm ZmVyZW5jZSBiZXR3ZWVuCisgICB0aGUgdHdvIGlzIHRoZSBwb2xpY3kuIFsjZGV2ZG9jXV8KKwor ICAgTG9hZHBpbiBhbmQgSVBFIGRpZmZlciBmYWlybHkgZHJhbWF0aWNhbGx5LCBhcyBMb2FkcGlu IGNvbnRyb2xzIG9ubHkgdGhlIElQRQorICAgZXF1aXZhbGVudCBvZiBgYEtFUk5FTF9SRUFEYGAs IHdoZXJlYXMgSVBFIGlzIGNhcGFibGUgb2YgY29udHJvbGxpbmcgZXhlY3V0aW9uLAorICAgb24g dG9wIG9mIGBgS0VSTkVMX1JFQURgYC4gVGhlIHRydXN0IG1vZGVsIGlzIGFsc28gZGlmZmVyZW50 OyBMb2FkcGluIHJvb3RzIGl0cworICAgdHJ1c3QgaW4gdGhlIGluaXRpYWwgc3VwZXItYmxvY2ss IHdoZXJlYXMgdHJ1c3QgaW4gSVBFIGlzIHN0ZW1tZWQgZnJvbSBrZXJuZWwKKyAgIGl0c2VsZiAo dmlhIGBgU1lTVEVNX1RSVVNURURfS0VZU2BgKS4KKworLS0tLS0tLS0tLS0KKworLi4gWyNkaWds aW1dIDE6IGh0dHBzOi8vbG9yZS5rZXJuZWwub3JnL2JwZi80ZDY5MzJlOTZkNzc0MjI3YjQyNzIx ZDlmNjQ1YmE1MUBodWF3ZWkuY29tL1QvCisKKy4uIFsjaW50ZXJwcmV0ZXJzXSBUaGVyZSBpcyBg c29tZSBpbnRlcmVzdCBpbiBzb2x2aW5nIHRoaXMgaXNzdWUgPGh0dHBzOi8vbG9yZS5rZXJuZWwu b3JnL2xrbWwvMjAyMjAzMjExNjE1NTcuNDk1Mzg4LTEtbWljQGRpZ2lrb2QubmV0Lz5gXy4KKwor Li4gWyNkZXZkb2NdIFBsZWFzZSBzZWUgYERvY3VtZW50YXRpb24vc2VjdXJpdHkvaXBlLnJzdGAg Zm9yIG1vcmUgb24gdGhpcyB0b3BpYy4KKworLi4gWyNmc3Zlcml0eWRpZ2VzdF0gVGhlc2UgaGFz aCBhbGdvcml0aG1zIGFyZSBiYXNlZCBvbiB2YWx1ZXMgYWNjZXB0ZWQgYnkgZnN2ZXJpdHktdXRp bHM7CisgICAgICAgICAgICAgICAgICAgICBJUEUgZG9lcyBub3QgaW1wb3NlIGFueSByZXN0cmlj dGlvbnMgb24gdGhlIGRpZ2VzdCBhbGdvcml0aG0gaXRzZWxmOworICAgICAgICAgICAgICAgICAg ICAgdGh1cywgdGhpcyBsaXN0IG1heSBiZSBvdXQgb2YgZGF0ZS4KKworLi4gWyNkbXZlcml0eWRp Z2VzdHNdIFRoZXNlIGhhc2ggYWxnb3JpdGhtcyBhcmUgYmFzZWQgb24gdmFsdWVzIGFjY2VwdGVk IGJ5IGRtLXZlcml0eSwKKyAgICAgICAgICAgICAgICAgICAgICBzcGVjaWZpY2FsbHkgYGBjcnlw dG9fYWxsb2NfYWhhc2hgYCBpbiBgYHZlcml0eV9jdHJgYDsgYGB2ZXJpdHlzZXR1cGBgCisgICAg ICAgICAgICAgICAgICAgICAgZG9lcyBzdXBwb3J0IG1vcmUgYWxnb3JpdGhtcyB0aGFuIHRoZSBs aXN0IGFib3ZlLiBJUEUgZG9lcyBub3QgaW1wb3NlCisgICAgICAgICAgICAgICAgICAgICAgYW55 IHJlc3RyaWN0aW9ucyBvbiB0aGUgZGlnZXN0IGFsZ29yaXRobSBpdHNlbGY7IHRodXMsIHRoaXMg bGlzdAorICAgICAgICAgICAgICAgICAgICAgIG1heSBiZSBvdXQgb2YgZGF0ZS4KKworLi4gWyNz ZWN1cmVkaWdlc3RdIFBsZWFzZSBlbnN1cmUgeW91IGFyZSB1c2luZyBjcnlwdG9ncmFwaGljYWxs eSBzZWN1cmUgaGFzaCBmdW5jdGlvbnM7CisgICAgICAgICAgICAgICAgICAganVzdCBiZWNhdXNl IHNvbWV0aGluZyBpcyAqc3VwcG9ydGVkKiBkb2VzIG5vdCBtZWFuIGl0IGlzICpzZWN1cmUqLgpk aWZmIC0tZ2l0IGEvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50 eHQgYi9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL2tlcm5lbC1wYXJhbWV0ZXJzLnR4dAppbmRl eCBjNWU3YmI0YmFiZjAuLjc4ZGRkM2JiY2E0ZCAxMDA2NDQKLS0tIGEvRG9jdW1lbnRhdGlvbi9h ZG1pbi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50eHQKKysrIGIvRG9jdW1lbnRhdGlvbi9hZG1p bi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50eHQKQEAgLTIyMTksNiArMjIxOSwxOCBAQAogCWlw Y21uaV9leHRlbmQJW0tOTF0gRXh0ZW5kIHRoZSBtYXhpbXVtIG51bWJlciBvZiB1bmlxdWUgU3lz dGVtIFYKIAkJCUlQQyBpZGVudGlmaWVycyBmcm9tIDMyLDc2OCB0byAxNiw3NzcsMjE2LgogCisJ aXBlLmVuZm9yY2U9CVtJUEVdCisJCQlGb3JtYXQ6IDxib29sPgorCQkJRGV0ZXJtaW5lIHdoZXRo ZXIgSVBFIHN0YXJ0cyBpbiBwZXJtaXNzaXZlICgwKSBvcgorCQkJZW5mb3JjZSAoMSkgbW9kZS4g VGhlIGRlZmF1bHQgaXMgZW5mb3JjZS4KKworCWlwZS5zdWNjZXNzX2F1ZGl0PQorCQkJW0lQRV0K KwkJCUZvcm1hdDogPGJvb2w+CisJCQlTdGFydCBJUEUgd2l0aCBzdWNjZXNzIGF1ZGl0aW5nIGVu YWJsZWQsIGVtaXR0aW5nCisJCQlhbiBhdWRpdCBldmVudCB3aGVuIGEgYmluYXJ5IGlzIGFsbG93 ZWQuIFRoZSBkZWZhdWx0CisJCQlpcyAwLgorCiAJaXJxYWZmaW5pdHk9CVtTTVBdIFNldCB0aGUg ZGVmYXVsdCBpcnEgYWZmaW5pdHkgbWFzawogCQkJVGhlIGFyZ3VtZW50IGlzIGEgY3B1IGxpc3Qs IGFzIGRlc2NyaWJlZCBhYm92ZS4KIApkaWZmIC0tZ2l0IGEvRG9jdW1lbnRhdGlvbi9zZWN1cml0 eS9pbmRleC5yc3QgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2luZGV4LnJzdAppbmRleCA2ZWQ4 ZDJmYTZmOWUuLmE1MjQ4ZDRmZDUxMCAxMDA2NDQKLS0tIGEvRG9jdW1lbnRhdGlvbi9zZWN1cml0 eS9pbmRleC5yc3QKKysrIGIvRG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pbmRleC5yc3QKQEAgLTE4 LDMgKzE4LDQgQEAgU2VjdXJpdHkgRG9jdW1lbnRhdGlvbgogICAgZGlnc2lnCiAgICBsYW5kbG9j awogICAgc2VjcmV0cy9pbmRleAorICAgaXBlCmRpZmYgLS1naXQgYS9Eb2N1bWVudGF0aW9uL3Nl Y3VyaXR5L2lwZS5yc3QgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lwZS5yc3QKbmV3IGZpbGUg bW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwLi42YTQ3YTJhYjVlMzkKLS0tIC9kZXYvbnVs bAorKysgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lwZS5yc3QKQEAgLTAsMCArMSw0MjAgQEAK Ky4uIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBHUEwtMi4wCisKK0ludGVncml0eSBQb2xpY3kg RW5mb3JjZW1lbnQgKElQRSkgLSBLZXJuZWwgRG9jdW1lbnRhdGlvbgorPT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CisKKy4uIE5PVEU6Ogor CisgICBUaGlzIGlzIGRvY3VtZW50YXRpb24gdGFyZ2V0ZWQgYXQgZGV2ZWxvcGVycywgaW5zdGVh ZCBvZiBhZG1pbmlzdHJhdG9ycy4KKyAgIElmIHlvdSdyZSBsb29raW5nIGZvciBkb2N1bWVudGF0 aW9uIG9uIHRoZSB1c2FnZSBvZiBJUEUsIHBsZWFzZSBzZWUKKyAgIGBEb2N1bWVudGF0aW9uL2Fk bWluLWd1aWRlL0xTTS9pcGUucnN0YAorCitIaXN0b3JpY2FsIE1vdGl2YXRpb24KKy0tLS0tLS0t LS0tLS0tLS0tLS0tLQorCitUaGUgb3JpZ2luYWwgaXNzdWUgdGhhdCBwcm9tcHRlZCBJUEUncyBp bXBsZW1lbnRhdGlvbiB3YXMgdGhlIGNyZWF0aW9uCitvZiBhIGxvY2tlZC1kb3duIHN5c3RlbS4g VGhpcyBzeXN0ZW0gd291bGQgYmUgYm9ybi1zZWN1cmUsIGFuZCBoYXZlCitzdHJvbmcgaW50ZWdy aXR5IGd1YXJhbnRlZXMgb3ZlciBib3RoIHRoZSBleGVjdXRhYmxlIGNvZGUsIGFuZCBzcGVjaWZp YworKmRhdGEgZmlsZXMqIG9uIHRoZSBzeXN0ZW0sIHRoYXQgd2VyZSBjcml0aWNhbCB0byBpdHMg ZnVuY3Rpb24uIFRoZXNlCitzcGVjaWZpYyBkYXRhIGZpbGVzIHdvdWxkIG5vdCBiZSByZWFkYWJs ZSB1bmxlc3MgdGhleSBwYXNzZWQgaW50ZWdyaXR5Citwb2xpY3kuIEEgbWFuZGF0b3J5IGFjY2Vz cyBjb250cm9sIHN5c3RlbSB3b3VsZCBiZSBwcmVzZW50LCBhbmQKK2FzIGEgcmVzdWx0LCB4YXR0 cnMgd291bGQgaGF2ZSB0byBiZSBwcm90ZWN0ZWQuIFRoaXMgbGVhZCB0byBhIHNlbGVjdGlvbgor b2Ygd2hhdCB3b3VsZCBwcm92aWRlIHRoZSBpbnRlZ3JpdHkgY2xhaW1zLiBBdCB0aGUgdGltZSwg dGhlcmUgd2VyZSB0d28KK21haW4gbWVjaGFuaXNtcyBjb25zaWRlcmVkIHRoYXQgY291bGQgZ3Vh cmFudGVlIGludGVncml0eSBmb3IgdGhlIHN5c3RlbQord2l0aCB0aGVzZSByZXF1aXJlbWVudHM6 CisKKyAgMS4gSU1BICsgRVZNIFNpZ25hdHVyZXMKKyAgMi4gRE0tVmVyaXR5CisKK0JvdGggb3B0 aW9ucyB3ZXJlIGNhcmVmdWxseSBjb25zaWRlcmVkLCBob3dldmVyIHRoZSBjaG9pY2UgdG8gdXNl IERNLVZlcml0eQorb3ZlciBJTUErRVZNIGFzIHRoZSAqaW50ZWdyaXR5IG1lY2hhbmlzbSogaW4g dGhlIG9yaWdpbmFsIHVzZSBjYXNlIG9mIElQRQord2FzIGR1ZSB0byB0aHJlZSBtYWluIHJlYXNv bnM6CisKKyAgMS4gUHJvdGVjdGlvbiBvZiBhZGRpdGlvbmFsIGF0dGFjayB2ZWN0b3JzOgorCisg ICAgKiBXaXRoIElNQStFVk0sIHdpdGhvdXQgYW4gZW5jcnlwdGlvbiBzb2x1dGlvbiwgdGhlIHN5 c3RlbSBpcyB2dWxuZXJhYmxlCisgICAgICB0byBvZmZsaW5lIGF0dGFjayBhZ2FpbnN0IHRoZSBh Zm9yZW1ldGlvbmVkIHNwZWNpZmljIGRhdGEgZmlsZXMuCisKKyAgICAgIFVubGlrZSBleGVjdXRh YmxlcywgcmVhZCBvcGVyYXRpb25zIChsaWtlIHRob3NlIG9uIHRoZSBwcm90ZWN0ZWQgZGF0YQor ICAgICAgZmlsZXMpLCBjYW5ub3QgYmUgZW5mb3JjZWQgdG8gYmUgZ2xvYmFsbHkgaW50ZWdydGl5 IHZlcmlmaWVkLiBUaGlzIG1lYW5zCisgICAgICB0aGVyZSBtdXN0IGJlIHNvbWUgZm9ybSBvZiBz ZWxlY3RvciB0byBkZXRlcm1pbmUgd2hldGhlciBhIHJlYWQgc2hvdWxkCisgICAgICBlbmZvcmNl IHRoZSBpbnRlZ3JpdHkgcG9saWN5LCBvciBpdCBzaG91bGQgbm90LgorCisgICAgICBBdCB0aGUg dGltZSwgdGhpcyB3YXMgZG9uZSB3aXRoIG1hbmRhdG9yeSBhY2Nlc3MgY29udHJvbCBsYWJlbHMu IEFuIElNQQorICAgICAgcG9saWN5IHdvdWxkIGluZGljYXRlIHdoYXQgbGFiZWxzIHJlcXVpcmVk IGludGVncml0eSB2ZXJpZmljYXRpb24sIHdoaWNoCisgICAgICBwcmVzZW50ZWQgYW4gaXNzdWU6 IEVWTSB3b3VsZCBwcm90ZWN0IHRoZSBsYWJlbCwgYnV0IGlmIGFuIGF0dGFja2VyIGNvdWxkCisg ICAgICBtb2RpZnkgZmlsZXN5c3RlbSBvZmZsaW5lLCB0aGUgYXR0YWNrZXIgY291bGQgd2lwZSBh bGwgdGhlIHhhdHRycyAtCisgICAgICBpbmNsdWRpbmcgdGhlIFNFTGludXggbGFiZWxzIHRoYXQg d291bGQgYmUgdXNlZCB0byBkZXRlcm1pbmUgd2hldGhlciB0aGUKKyAgICAgIGZpbGUgc2hvdWxk IGJlIHN1YmplY3QgdG8gaW50ZWdyaXR5IHBvbGljeS4KKworICAgICAgV2l0aCBETS1WZXJpdHks IGFzIHRoZSB4YXR0cnMgYXJlIHNhdmVkIGFzIHBhcnQgb2YgdGhlIG1lcmtlbCB0cmVlLCBpZgor ICAgICAgb2ZmbGluZSBtb3VudCBvY2N1cnMgYWdhaW5zdCB0aGUgZmlsZXN5c3RlbSBwcm90ZWN0 ZWQgYnkgZG0tdmVyaXR5LCB0aGUKKyAgICAgIGNoZWNrc3VtIG5vIGxvbmdlciBtYXRjaGVzIGFu ZCB0aGUgZmlsZSBmYWlscyB0byBiZSByZWFkLgorCisgICAgKiBBcyB1c2Vyc3BhY2UgYmluYXJp ZXMgYXJlIHBhZ2VkIGluIExpbnV4LCBkbS12ZXJpdHkgYWxzbyBvZmZlcnMgdGhlCisgICAgICBh ZGRpdGlvbmFsIHByb3RlY3Rpb24gYWdhaW5zdCBhIGhvc3RpbGUgYmxvY2sgZGV2aWNlLiBJbiBz dWNoIGFuIGF0dGFjaywKKyAgICAgIHRoZSBibG9jayBkZXZpY2UgcmVwb3J0cyB0aGUgYXBwcm9w cmlhdGUgY29udGVudCBmb3IgdGhlIElNQSBoYXNoCisgICAgICBpbml0aWFsbHksIHBhc3Npbmcg dGhlIHJlcXVpcmVkIGludGVncml0eSBjaGVjay4gVGhlbiwgb24gdGhlIHBhZ2UgZmF1bHQKKyAg ICAgIHRoYXQgYWNjZXNzZXMgdGhlIHJlYWwgZGF0YSwgd2lsbCByZXBvcnQgdGhlIGF0dGFja2Vy J3MgcGF5bG9hZC4gU2luY2UKKyAgICAgIGRtLXZlcml0eSB3aWxsIGNoZWNrIHRoZSBkYXRhIHdo ZW4gdGhlIHBhZ2UgZmF1bHQgb2NjdXJzIChhbmQgdGhlIGRpc2sKKyAgICAgIGFjY2VzcyksIHRo aXMgYXR0YWNrIGlzIG1pdGlnYXRlZC4KKworICAyLiBQZXJmb3JtYW5jZToKKworICAgICogZG0t dmVyaXR5IHByb3ZpZGVzIGludGVncml0eSB2ZXJpZmljYXRpb24gb24gZGVtYW5kIGFzIGJsb2Nr cyBhcmUKKyAgICAgIHJlYWQgdmVyc3VzIHJlcXVpcmluZyB0aGUgZW50aXJlIGZpbGUgYmVpbmcg cmVhZCBpbnRvIG1lbW9yeSBmb3IKKyAgICAgIHZhbGlkYXRpb24uCisKKyAgMy4gU2ltcGxpY2l0 eSBvZiBzaWduaW5nOgorCisgICAgKiBObyBuZWVkIGZvciB0d28gc2lnbmF0dXJlcyAoSU1BLCB0 aGVuIEVWTSk6IG9uZSBzaWduYXR1cmUgY292ZXJzCisgICAgICBhbiBlbnRpcmUgYmxvY2sgZGV2 aWNlLgorICAgICogU2lnbmF0dXJlcyBjYW4gYmUgc3RvcmVkIGV4dGVybmFsbHkgdG8gdGhlIGZp bGVzeXN0ZW0gbWV0YWRhdGEuCisgICAgKiBUaGUgc2lnbmF0dXJlIHN1cHBvcnRzIGFuIHguNTA5 LWJhc2VkIHNpZ25pbmcgaW5mcmFzdHJ1Y3R1cmUuCisKK1RoZSBuZXh0IHN0ZXAgd2FzIHRvIGNo b29zZSBhICpwb2xpY3kqIHRvIGVuZm9yY2UgdGhlIGludGVncml0eSBtZWNoYW5pc20uCitUaGUg bWluaW11bSByZXF1aXJlbWVudHMgZm9yIHRoZSBwb2xpY3kgd2VyZToKKworICAxLiBUaGUgcG9s aWN5IGl0c2VsZiBtdXN0IGJlIGludGVncml0eSB2ZXJpZmllZCAocHJldmVudGluZyB0cml2aWFs CisgICAgIGF0dGFjayBhZ2FpbnN0IGl0KS4KKyAgMi4gVGhlIHBvbGljeSBpdHNlbGYgbXVzdCBi ZSByZXNpc3RhbnQgdG8gcm9sbGJhY2sgYXR0YWNrcy4KKyAgMy4gVGhlIHBvbGljeSBlbmZvcmNl bWVudCBtdXN0IGhhdmUgYSBwZXJtaXNzaXZlLWxpa2UgbW9kZS4KKyAgNC4gVGhlIHBvbGljeSBt dXN0IGJlIGFibGUgdG8gYmUgdXBkYXRlZCwgaW4gaXRzIGVudGlyZXR5LCB3aXRob3V0CisgICAg IGEgcmVib290LgorICA1LiBQb2xpY3kgdXBkYXRlcyBtdXN0IGJlIGF0b21pYy4KKyAgNi4gVGhl IHBvbGljeSBtdXN0IHN1cHBvcnQgKnJldm9jYXRpb25zKiBvZiBwcmV2aW91c2x5IGF1dGhvcmVk CisgICAgIGNvbXBvbmVudHMuCisgIDcuIFRoZSBwb2xpY3kgbXVzdCBiZSBhdWRpdGFibGUsIGF0 IGFueSBwb2ludC1vZi10aW1lLgorCitJTUEsIGFzIHRoZSBvbmx5IGludGVncml0eSBwb2xpY3kg bWVjaGFuaXNtIGF0IHRoZSB0aW1lLCB3YXMKK2NvbnNpZGVyZWQgYWdhaW5zdCB0aGVzZSBsaXN0 IG9mIHJlcXVpcmVtZW50cywgYW5kIGRpZCBub3QgZnVsZmlsbAorYWxsIG9mIHRoZSBtaW5pbXVt IHJlcXVpcmVtZW50cy4gRXh0ZW5kaW5nIElNQSB0byBjb3ZlciB0aGVzZQorcmVxdWlyZW1lbnRz IHdhcyBjb25zaWRlcmVkLCBidXQgdWx0aW1hdGVseSBkaXNjYXJkZWQgZm9yIGEKK3R3byByZWFz b25zOgorCisgIDEuIFJlZ3Jlc3Npb24gcmlzazsgbWFueSBvZiB0aGVzZSBjaGFuZ2VzIHdvdWxk IHJlc3VsdCBpbgorICAgICBkcmFtYXRpYyBjb2RlIGNoYW5nZXMgdG8gSU1BLCB3aGljaCBpcyBh bHJlYWR5IHByZXNlbnQgaW4gdGhlCisgICAgIGtlcm5lbCwgYW5kIHRoZXJlZm9yZSBtaWdodCBp bXBhY3QgdXNlcnMuCisKKyAgMi4gSU1BIHdhcyB1c2VkIGluIHRoZSBzeXN0ZW0gZm9yIG1lYXN1 cmVtZW50IGFuZCBhdHRlc3RhdGlvbjsKKyAgICAgc2VwYXJhdGlvbiBvZiBtZWFzdXJlbWVudCBw b2xpY3kgZnJvbSBsb2NhbCBpbnRlZ3JpdHkgcG9saWN5CisgICAgIGVuZm9yY2VtZW50IHdhcyBj b25zaWRlcmVkIGZhdm9yYWJsZS4KKworRHVlIHRvIHRoZXNlIHJlYXNvbnMsIGl0IHdhcyBkZWNp ZGVkIHRoYXQgYSBuZXcgTFNNIHNob3VsZCBiZSBjcmVhdGVkLAord2hvc2UgcmVzcG9uc2liaWxp dHkgd291bGQgYmUgb25seSB0aGUgbG9jYWwgaW50ZWdyaXR5IHBvbGljeSBlbmZvcmNlbWVudC4K KworUm9sZSBhbmQgU2NvcGUKKy0tLS0tLS0tLS0tLS0tCisKK0lQRSwgYXMgaXRzIG5hbWUgaW1w bGllcywgaXMgZnVuZGFtZW50YWxseSBhbiBpbnRlZ3JpdHkgcG9saWN5IGVuZm9yY2VtZW50Citz b2x1dGlvbjsgSVBFIGRvZXMgbm90IG1hbmRhdGUgaG93IGludGVncml0eSBpcyBwcm92aWRlZCwg YnV0IGluc3RlYWQKK2xlYXZlcyB0aGF0IGRlY2lzaW9uIHRvIHRoZSBzeXN0ZW0gYWRtaW5pc3Ry YXRvciB0byBzZXQgdGhlIHNlY3VyaXR5IGJhciwKK3ZpYSB0aGUgbWVjaGFuaXNtcyB0aGF0IHRo ZXkgc2VsZWN0IHRoYXQgc3VpdCB0aGVpciBpbmRpdmlkdWFsIG5lZWRzLgorVGhlcmUgYXJlIHNl dmVyYWwgZGlmZmVyZW50IGludGVncml0eSBzb2x1dGlvbnMgdGhhdCBwcm92aWRlIGEgZGlmZmVy ZW50CitsZXZlbCBvZiBzZWN1cml0eSBndWFyYW50ZWVzOyBhbmQgSVBFIGFsbG93cyBzeXNhZG1p bnMgdG8gZXhwcmVzcyBwb2xpY3kgZm9yCit0aGVvcmV0aWNhbGx5IGFsbCBvZiB0aGVtLgorCitJ UEUgZG9lcyBub3QgaGF2ZSBhbiBpbmhlcmVudCBtZWNoYW5pc20gdG8gZW5zdXJlIGludGVncml0 eSBvbiBpdHMgb3duLgorSW5zdGVhZCwgdGhlcmUgYXJlIG1vcmUgZWZmZWN0aXZlIGxheWVycyBh dmFpbGFibGUgZm9yIGJ1aWxkaW5nIHN5c3RlbXMgdGhhdAorY2FuIGd1YXJhbnRlZSBpbnRlZ3Jp dHkuIEl0J3MgaW1wb3J0YW50IHRvIG5vdGUgdGhhdCB0aGUgbWVjaGFuaXNtIGZvciBwcm92aW5n CitpbnRlZ3JpdHkgaXMgaW5kZXBlbmRlbnQgb2YgdGhlIHBvbGljeSBmb3IgZW5mb3JjaW5nIHRo YXQgaW50ZWdyaXR5IGNsYWltLgorCitUaGVyZWZvcmUsIElQRSB3YXMgZGVzaWduZWQgYXJvdW5k OgorCisgIDEuIEVhc3kgaW50ZWdyYXRpb25zIHdpdGggaW50ZWdyaXR5IHByb3ZpZGVycy4KKyAg Mi4gRWFzZSBvZiB1c2UgZm9yIHBsYXRmb3JtIGFkbWluaXN0cmF0b3JzL3N5c2FkbWlucy4KKwor RGVzaWduIFJhdGlvbmFsZToKKy0tLS0tLS0tLS0tLS0tLS0tCisKK0lQRSB3YXMgZGVzaWduZWQg YWZ0ZXIgZXZhbHVhdGluZyBleGlzdGluZyBpbnRlZ3JpdHkgcG9saWN5IHNvbHV0aW9ucworaW4g b3RoZXIgb3BlcmF0aW5nIHN5c3RlbXMgYW5kIGVudmlyb25tZW50cy4gSW4gdGhpcyBzdXJ2ZXkg b2Ygb3RoZXIKK2ltcGxlbWVudGF0aW9ucywgdGhlcmUgd2VyZSBhIGZldyBwaXRmYWxscyBpZGVu dGlmaWVkOgorCisgIDEuIFBvbGljaWVzIHdlcmUgbm90IHJlYWRhYmxlIGJ5IGh1bWFucywgdXN1 YWxseSByZXF1aXJpbmcgYSBiaW5hcnkKKyAgICAgaW50ZXJtZWRpYXJ5IGZvcm1hdC4KKyAgMi4g QSBzaW5nbGUsIG5vbi1jdXN0b21pemFibGUgYWN0aW9uIHdhcyBpbXBsaWNpdGx5IHRha2VuIGFz IGEgZGVmYXVsdC4KKyAgMy4gRGVidWdnaW5nIHRoZSBwb2xpY3kgcmVxdWlyZWQgbWFudWFsIHN0 ZXBzIHRvIGRldGVybWluZSB3aGF0IHJ1bGUgd2FzIHZpb2xhdGVkLgorICA0LiBBdXRob3Jpbmcg YSBwb2xpY3kgcmVxdWlyZWQgYW4gaW4tZGVwdGgga25vd2xlZGdlIG9mIHRoZSBsYXJnZXIgc3lz dGVtLAorICAgICBvciBvcGVyYXRpbmcgc3lzdGVtLgorCitJUEUgYXR0ZW1wdHMgdG8gYXZvaWQg YWxsIG9mIHRoZXNlIHBpdGZhbGxzLgorCitQb2xpY3kKK35+fn5+fgorCitQbGFpbiBUZXh0Cite Xl5eXl5eXl5eCisKK0lQRSdzIHBvbGljeSBpcyBwbGFpbi10ZXh0LiBUaGlzIGludHJvZHVjZXMg c2xpZ2h0bHkgbGFyZ2VyIHBvbGljeSBmaWxlcyB0aGFuCitvdGhlciBMU01zLCBidXQgc29sdmVz IHR3byBtYWpvciBwcm9ibGVtcyB0aGF0IG9jY3VycyB3aXRoIHNvbWUgaW50ZWdyaXR5IHBvbGlj eQorc29sdXRpb25zIG9uIG90aGVyIHBsYXRmb3Jtcy4KKworVGhlIGZpcnN0IGlzc3VlIGlzIG9u ZSBvZiBjb2RlIG1haW50ZW5hbmNlIGFuZCBkdXBsaWNhdGlvbi4gVG8gYXV0aG9yIHBvbGljaWVz LAordGhlIHBvbGljeSBoYXMgdG8gYmUgc29tZSBmb3JtIG9mIHN0cmluZyByZXByZXNlbnRhdGlv biAoYmUgaXQgc3RydWN0dXJlZCwKK3Rocm91Z2ggWE1MLCBKU09OLCBZQU1MLCBldGNldGVyYSks IHRvIGFsbG93IHRoZSBwb2xpY3kgYXV0aG9yIHRvIHVuZGVyc3RhbmQKK3doYXQgaXMgYmVpbmcg d3JpdHRlbi4gSW4gYSBoeXBvdGhldGljYWwgYmluYXJ5IHBvbGljeSBkZXNpZ24sIGEgc2VyaWFs aXplcgoraXMgbmVjZXNzYXJ5IHRvIHdyaXRlIHRoZSBwb2xpY3kgZnJvbSB0aGUgaHVtYW4gcmVh ZGFibGUgZm9ybSwgdG8gdGhlIGJpbmFyeQorZm9ybSwgYW5kIGEgZGVzZXJpYWxpemVyIGlzIG5l ZWRlZCB0byBpbnRlcnByZXQgdGhlIGJpbmFyeSBmb3JtIGludG8gYSBkYXRhCitzdHJ1Y3R1cmUg aW4gdGhlIGtlcm5lbC4KKworRXZlbnR1YWxseSwgYW5vdGhlciBkZXNlcmlhbGl6ZXIgd2lsbCBi ZSBuZWVkZWQgdG8gdHJhbnNmb3JtIHRoZSBiaW5hcnkgZnJvbQorYmFjayBpbnRvIHRoZSBodW1h bi1yZWFkYWJsZSBmb3JtIHdpdGggYXMgbXVjaCBpbmZvcm1hdGlvbiBwcmVzZXJ2ZWQuIFRoaXMg aXMgYmVjYXVzZSBhCit1c2VyIG9mIHRoaXMgYWNjZXNzIGNvbnRyb2wgc3lzdGVtIHdpbGwgaGF2 ZSB0byBrZWVwIGEgbG9va3VwIHRhYmxlIG9mIGEgY2hlY2tzdW0KK2FuZCB0aGUgb3JpZ2luYWwg ZmlsZSBpdHNlbGYgdG8gdHJ5IHRvIHVuZGVyc3RhbmQgd2hhdCBwb2xpY2llcyBoYXZlIGJlZW4g ZGVwbG95ZWQKK29uIHRoaXMgc3lzdGVtIGFuZCB3aGF0IHBvbGljaWVzIGhhdmUgbm90LiBGb3Ig YSBzaW5nbGUgdXNlciwgdGhpcyBtYXkgYmUgYWxyaWdodCwKK2FzIG9sZCBwb2xpY2llcyBjYW4g YmUgZGlzY2FyZGVkIGFsbW9zdCBpbW1lZGlhdGVseSBhZnRlciB0aGUgdXBkYXRlIHRha2VzIGhv bGQuCitGb3IgdXNlcnMgdGhhdCBtYW5hZ2UgY29tcHV0ZXIgZmxlZXRzIGluIHRoZSB0aG91c2Fu ZHMsIGlmIG5vdCBodW5kcmVkcyBvZiB0aG91c2FuZHMsCit3aXRoIG11bHRpcGxlIGRpZmZlcmVu dCBvcGVyYXRpbmcgc3lzdGVtcywgYW5kIG11bHRpcGxlIGRpZmZlcmVudCBvcGVyYXRpb25hbCBu ZWVkcywKK3RoaXMgcXVpY2tseSBiZWNvbWVzIGFuIGlzc3VlLCBhcyBzdGFsZSBwb2xpY2llcyBm cm9tIHllYXJzIGFnbyBtYXkgYmUgcHJlc2VudCwKK3F1aWNrbHkgcmVzdWx0aW5nIGluIHRoZSBu ZWVkIHRvIHJlY292ZXIgdGhlIHBvbGljeSBvciBmdW5kIGV4dGVuc2l2ZSBpbmZyYXN0cnVjdHVy ZQordG8gdHJhY2sgd2hhdCBlYWNoIHBvbGljeSBjb250YWlucy4KKworV2l0aCBub3cgdGhyZWUg c2VwYXJhdGUgc2VyaWFsaXplci9kZXNlcmlhbGl6ZXJzLCBtYWludGVuYW5jZSBiZWNvbWVzIGNv c3RseS4gSWYgdGhlCitwb2xpY3kgYXZvaWRzIHRoZSBiaW5hcnkgZm9ybWF0LCB0aGVyZSBpcyBv bmx5IG9uZSByZXF1aXJlZCBzZXJpYWxpemVyOiBmcm9tIHRoZQoraHVtYW4tcmVhZGFibGUgZm9y bSB0byB0aGUgZGF0YSBzdHJ1Y3R1cmUgaW4ga2VybmVsLCBzYXZpbmcgb24gY29kZSBtYWludGVu YW5jZSwKK2FuZCByZXRhaW5pbmcgb3BlcmFiaWxpdHkuCisKK1RoZSBzZWNvbmQgaXNzdWUgd2l0 aCBhIGJpbmFyeSBmb3JtYXQgaXMgb25lIG9mIHRyYW5zcGFyZW5jeS4gQXMgSVBFIGNvbnRyb2xz CithY2Nlc3MgYmFzZWQgb24gdGhlIHRydXN0IG9mIHRoZSBzeXN0ZW0ncyByZXNvdXJjZXMsIGl0 J3MgcG9saWN5IG11c3QgYWxzbyBiZQordHJ1c3RlZCB0byBiZSBjaGFuZ2VkLiBUaGlzIGlzIGRv bmUgdGhyb3VnaCBzaWduYXR1cmVzLCByZXN1bHRpbmcgaW4gbmVlZGluZworc2lnbmluZyBhcyBh IHByb2Nlc3MuIFNpZ25pbmcsIGFzIGEgcHJvY2VzcywgaXMgdHlwaWNhbGx5IGRvbmUgd2l0aCBh CitoaWdoIHNlY3VyaXR5IGJhciwgYXMgYW55dGhpbmcgc2lnbmVkIGNhbiBiZSB1c2VkIHRvIGF0 dGFjayBpbnRlZ3JpdHkKK2VuZm9yY2VtZW50IHN5c3RlbXMuIEl0IGlzIGFsc28gaW1wb3J0YW50 IHRoYXQsIHdoZW4gc2lnbmluZyBzb21ldGhpbmcsIHRoYXQKK3RoZSBzaWduZXIgaXMgYXdhcmUg b2Ygd2hhdCB0aGV5IGFyZSBzaWduaW5nLiBBIGJpbmFyeSBwb2xpY3kgY2FuIGNhdXNlCitvYmZ1 c2NhdGlvbiBvZiB0aGF0IGZhY3Q7IHdoYXQgc2lnbmVycyBzZWUgaXMgYW4gb3BhcXVlIGJpbmFy eSBibG9iLiBBCitwbGFpbi10ZXh0IHBvbGljeSwgb24gdGhlIG90aGVyIGhhbmQsIHRoZSBzaWdu ZXJzIHNlZSB0aGUgYWN0dWFsIHBvbGljeQorc3VibWl0dGVkIGZvciBzaWduaW5nLgorCitCb290 IFBvbGljeQorfn5+fn5+fn5+fn4KKworSVBFLCBpZiBjb25maWd1cmVkIGFwcHJvcHJpYXRlbHks IGlzIGFibGUgdG8gZW5mb3JjZSBhIHBvbGljeSBhcyBzb29uIGFzIGEKK2tlcm5lbCBpcyBib290 ZWQgYW5kIHVzZXJtb2RlIHN0YXJ0cy4gVGhhdCBpbXBsaWVzIHNvbWUgbGV2ZWwgb2Ygc3RvcmFn ZQorb2YgdGhlIHBvbGljeSB0byBhcHBseSB0aGUgbWludXRlIHVzZXJtb2RlIHN0YXJ0cy4gR2Vu ZXJhbGx5LCB0aGF0IHN0b3JhZ2UKK2NhbiBiZSBoYW5kbGVkIGluIG9uZSBvZiB0aHJlZSB3YXlz OgorCisgIDEuIFRoZSBwb2xpY3kgZmlsZShzKSBsaXZlIG9uIGRpc2sgYW5kIHRoZSBrZXJuZWwg bG9hZHMgdGhlIHBvbGljeSBwcmlvcgorICAgICB0byBhbiBjb2RlIHBhdGggdGhhdCB3b3VsZCBy ZXN1bHQgaW4gYW4gZW5mb3JjZW1lbnQgZGVjaXNpb24uCisgIDIuIFRoZSBwb2xpY3kgZmlsZShz KSBhcmUgcGFzc2VkIGJ5IHRoZSBib290bG9hZGVyIHRvIHRoZSBrZXJuZWwsIHdobworICAgICBw YXJzZXMgdGhlIHBvbGljeS4KKyAgMy4gVGhlcmUgaXMgYSBwb2xpY3kgZmlsZSB0aGF0IGlzIGNv bXBpbGVkIGludG8gdGhlIGtlcm5lbCB0aGF0IGlzCisgICAgIHBhcnNlZCBhbmQgZW5mb3JjZWQg b24gaW5pdGlhbGl6YXRpb24uCisKK1RoZSBmaXJzdCBvcHRpb24gaGFzIHByb2JsZW1zOiB0aGUg a2VybmVsIHJlYWRpbmcgZmlsZXMgZnJvbSB1c2Vyc3BhY2UKK2lzIHR5cGljYWxseSBkaXNjb3Vy YWdlZCBhbmQgdmVyeSB1bmNvbW1vbiBpbiB0aGUga2VybmVsLgorCitUaGUgc2Vjb25kIG9wdGlv biBhbHNvIGhhcyBwcm9ibGVtczogTGludXggc3VwcG9ydHMgYSB2YXJpZXR5IG9mIGJvb3Rsb2Fk ZXJzCithY3Jvc3MgaXRzIGVudGlyZSBlY29zeXN0ZW0gLSBldmVyeSBib290bG9hZGVyIHdvdWxk IGhhdmUgdG8gc3VwcG9ydCB0aGlzCituZXcgbWV0aG9kb2xvZ3kgb3IgdGhlcmUgbXVzdCBiZSBh biBpbmRlcGVuZGVudCBzb3VyY2UuIEl0IHdvdWxkIGxpa2VseQorcmVzdWx0IGluIG1vcmUgZHJh c3RpYyBjaGFuZ2VzIHRvIHRoZSBrZXJuZWwgc3RhcnR1cCB0aGFuIG5lY2Vzc2FyeS4KKworVGhl IHRoaXJkIG9wdGlvbiBpcyB0aGUgYmVzdCBidXQgaXQncyBpbXBvcnRhbnQgdG8gYmUgYXdhcmUg dGhhdCB0aGUgcG9saWN5Cit3aWxsIHRha2UgZGlzayBzcGFjZSBhZ2FpbnN0IHRoZSBrZXJuZWwg aXQncyBjb21waWxlZCBpbi4gSXQncyBpbXBvcnRhbnQgdG8KK2tlZXAgdGhpcyBwb2xpY3kgZ2Vu ZXJhbGl6ZWQgZW5vdWdoIHRoYXQgdXNlcnNwYWNlIGNhbiBsb2FkIGEgbmV3LCBtb3JlCitjb21w bGljYXRlZCBwb2xpY3ksIGJ1dCByZXN0cmljdGl2ZSBlbm91Z2ggdGhhdCBpdCB3aWxsIG5vdCBv dmVyYXV0aG9yaXplCithbmQgY2F1c2Ugc2VjdXJpdHkgaXNzdWVzLgorCitUaGUgaW5pdHJhbWZz IHByb3ZpZGVzIGEgd2F5IHRoYXQgdGhpcyBib290dXAgcGF0aCBjYW4gYmUgZXN0YWJsaXNoZWQu IFRoZQora2VybmVsIHN0YXJ0cyB3aXRoIGEgbWluaW1hbCBwb2xpY3ksIHRoYXQgdHJ1c3RzIHRo ZSBpbml0cmFtZnMgb25seS4gSW5zaWRlCit0aGUgaW5pdHJhbWZzLCB3aGVuIHRoZSByZWFsIHJv b3RmcyBpcyBtb3VudGVkLCBidXQgbm90IHlldCB0cmFuc2ZlcnJlZCB0bywKK2l0IGRlcGxveXMg YW5kIGFjdGl2YXRlcyBhIHBvbGljeSB0aGF0IHRydXN0cyB0aGUgbmV3IHJvb3QgZmlsZXN5c3Rl bS4KK1RoaXMgcHJldmVudHMgb3ZlcmF1dGhvcml6YXRpb24gYXQgYW55IHN0ZXAsIGFuZCBrZWVw cyB0aGUga2VybmVsIHBvbGljeQordG8gYSBtaW5pbWFsIHNpemUuCisKK1N0YXJ0dXAKK15eXl5e Xl4KKworTm90IGV2ZXJ5IHN5c3RlbSwgaG93ZXZlciBzdGFydHMgd2l0aCBhbiBpbml0cmFtZnMs IHNvIHRoZSBzdGFydHVwIHBvbGljeQorY29tcGlsZWQgaW50byB0aGUga2VybmVsIHdpbGwgbmVl ZCBzb21lIGZsZXhpYmlsaXR5IHRvIGV4cHJlc3MgaG93IHRydXN0CitpcyBlc3RhYmxpc2hlZCBm b3IgdGhlIG5leHQgcGhhc2Ugb2YgdGhlIGJvb3R1cC4gVG8gdGhpcyBlbmQsIGlmIHdlIGp1c3QK K21ha2UgdGhlIGNvbXBpbGVkLWluIHBvbGljeSBhIGZ1bGwgSVBFIHBvbGljeSwgaXQgYWxsb3dz IHN5c3RlbSBidWlsZGVycwordG8gZXhwcmVzcyB0aGUgZmlyc3Qgc3RhZ2UgYm9vdHVwIHJlcXVp cmVtZW50cyBhcHByb3ByaWF0ZWx5LgorCitVcGRhdGFibGUsIFJlYm9vdGxlc3MgUG9saWN5Cit+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+CisKK0FzIHJlcXVpcmVtZW50cyBjaGFuZ2Ugb3Zl ciB0aW1lICh2dWxuZXJhYmlsaXRpZXMgYXJlIGZvdW5kIGluIHByZXZpb3VzbHkKK3RydXN0ZWQg YXBwbGljYXRpb25zLCBrZXlzIHJvbGwsIGV0Y2V0ZXJhKS4gVXBkYXRpbmcgYSBrZXJuZWwgdG8g Y2hhbmdlIHRoZQorbWVldCB0aG9zZSBzZWN1cml0eSBnb2FscyBpcyBub3QgYWx3YXlzIGEgc3Vp dGFibGUgb3B0aW9uLCBhcyB1cGRhdGVzIGFyZSBub3QKK2Fsd2F5cyByaXNrLWZyZWUsIGFuZCBi bG9ja2luZyBhIHNlY3VyaXR5IHVwZGF0ZSBsZWF2ZXMgc3lzdGVtcyB2dWxuZXJhYmxlLgorVGhp cyBtZWFucyBJUEUgcmVxdWlyZXMgYSBwb2xpY3kgdGhhdCBjYW4gYmUgY29tcGxldGVseSB1cGRh dGVkIChhbGxvd2luZworcmV2b2NhdGlvbnMgb2YgZXhpc3RpbmcgcG9saWN5KSBmcm9tIGEgc291 cmNlIGV4dGVybmFsIHRvIHRoZSBrZXJuZWwgKGFsbG93aW5nCitwb2xpY2llcyB0byBiZSB1cGRh dGVkIHdpdGhvdXQgdXBkYXRpbmcgdGhlIGtlcm5lbCkuCisKK0FkZGl0aW9uYWxseSwgc2luY2Ug dGhlIGtlcm5lbCBpcyBzdGF0ZWxlc3MgYmV0d2VlbiBpbnZvY2F0aW9ucywgYW5kIHJlYWRpbmcK K3BvbGljeSBmaWxlcyBvZmYgdGhlIGRpc2sgZnJvbSBrZXJuZWwgc3BhY2UgaXMgYSBiYWQgaWRl YSh0bSksIHRoZW4gdGhlCitwb2xpY3kgdXBkYXRlcyBoYXZlIHRvIGJlIGRvbmUgcmVib290bGVz c2x5LgorCitUbyBhbGxvdyBhbiB1cGRhdGUgZnJvbSBhbiBleHRlcm5hbCBzb3VyY2UsIGl0IGNv dWxkIGJlIHBvdGVudGlhbGx5IG1hbGljaW91cywKK3NvIHRoaXMgcG9saWN5IG5lZWRzIHRvIGhh dmUgYSB3YXkgdG8gYmUgaWRlbnRpZmllZCBhcyB0cnVzdGVkLiBUaGlzIGlzCitkb25lIHZpYSBh IHNpZ25hdHVyZSBjaGFpbmVkIHRvIGEgdHJ1c3Qgc291cmNlIGluIHRoZSBrZXJuZWwuIEFyYml0 cmFyaWx5LAordGhpcyBpcyAgdGhlIGBgU1lTVEVNX1RSVVNURURfS0VZUklOR2BgLCBhIGtleXJp bmcgdGhhdCBpcyBpbml0aWFsbHkKK3BvcHVsYXRlZCBhdCBrZXJuZWwgY29tcGlsZS10aW1lLCBh cyB0aGlzIG1hdGNoZXMgdGhlIGV4cGVjdGF0aW9uIHRoYXQgdGhlCithdXRob3Igb2YgdGhlIGNv bXBpbGVkLWluIHBvbGljeSBkZXNjcmliZWQgYWJvdmUgaXMgdGhlIHNhbWUgZW50aXR5IHRoYXQg Y2FuCitkZXBsb3kgcG9saWN5IHVwZGF0ZXMuCisKK0FudGktUm9sbGJhY2sgLyBBbnRpLVJlcGxh eQorfn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+CisKK092ZXIgdGltZSwgdnVsbmVyYWJpbGl0 aWVzIGFyZSBmb3VuZCBhbmQgdHJ1c3RlZCByZXNvdXJjZXMgbWF5IG5vdCBiZQordHJ1c3RlZCBh bnltb3JlLiBJUEUncyBwb2xpY3kgaGFzIG5vIGV4Y2VwdGlvbiB0byB0aGlzLiBUaGVyZSBjYW4g YmUKK2luc3RhbmNlcyB3aGVyZSBhIG1pc3Rha2VuIHBvbGljeSBhdXRob3IgZGVwbG95cyBhbiBp bnNlY3VyZSBwb2xpY3ksCitiZWZvcmUgY29ycmVjdGluZyBpdCB3aXRoIGEgc2VjdXJlIHBvbGlj eS4KKworQXNzdW1pbmcgdGhhdCBhcyBzb29uIGFzIHRoZSBpbnNlY3VyZSBwb2xpY3kgaXMgc2ln bmVkLCBhbmQgYW4gYXR0YWNrZXIKK2FjcXVpcmVzIHRoZSBpbnNlY3VyZSBwb2xpY3ksIElQRSBu ZWVkcyBhIHdheSB0byBwcmV2ZW50IHJvbGxiYWNrCitmcm9tIHRoZSBzZWN1cmUgcG9saWN5IHVw ZGF0ZSB0byB0aGUgaW5zZWN1cmUgcG9saWN5IHVwZGF0ZS4KKworSW5pdGlhbGx5LCBJUEUncyBw b2xpY3kgY2FuIGhhdmUgYSBwb2xpY3lfdmVyc2lvbiB0aGF0IHN0YXRlcyB0aGUKK21pbmltdW0g cmVxdWlyZWQgdmVyc2lvbiBhY3Jvc3MgYWxsIHBvbGljaWVzIHRoYXQgY2FuIGJlIGFjdGl2ZSBv bgordGhlIHN5c3RlbS4gVGhpcyB3aWxsIHByZXZlbnQgcm9sbGJhY2sgd2hpbGUgdGhlIHN5c3Rl bSBpcyBsaXZlLgorCisuLiBXQVJOSU5HOjoKKworICBIb3dldmVyLCBzaW5jZSB0aGUga2VybmVs IGlzIHN0YXRlbGVzcyBhY3Jvc3MgYm9vdHMsIHRoaXMgcG9saWN5CisgIHZlcnNpb24gd2lsbCBi ZSByZXNldCB0byAwLjAuMCBvbiB0aGUgbmV4dCBib290LiBTeXN0ZW0gYnVpbGRlcnMKKyAgbmVl ZCB0byBiZSBhd2FyZSBvZiB0aGlzLCBhbmQgZW5zdXJlIHRoZSBuZXcgc2VjdXJlIHBvbGljaWVz IGFyZQorICBkZXBsb3llZCBBU0FQIGFmdGVyIGEgYm9vdCB0byBlbnN1cmUgdGhhdCB0aGUgd2lu ZG93IG9mCisgIG9wcG9ydHVuaXR5IGlzIG1pbmltYWwgZm9yIGFuIGF0dGFja2VyIHRvIGRlcGxv eSB0aGUgaW5zZWN1cmUgcG9saWN5LgorCitJbXBsaWNpdCBBY3Rpb25zOgorfn5+fn5+fn5+fn5+ fn5+fn4KKworVGhlIGlzc3VlIG9mIGltcGljaXQgYWN0aW9ucyBvbmx5IGJlY29tZXMgdmlzaWJs ZSB3aGVuIHlvdSBjb25zaWRlcgorYSBtaXhlZCBsZXZlbCBvZiBzZWN1cml0eSBiYXJzIGFjcm9z cyBtdWx0aXBsZSBvcGVyYXRpb25zIGluIGEgc3lzdGVtLgorRm9yIGV4YW1wbGUsIGNvbnNpZGVy IGEgc3lzdGVtIHRoYXQgaGFzIHN0cm9uZyBpbnRlZ3JpdHkgZ3VhcmFudGVlcworb3ZlciBib3Ro IHRoZSBleGVjdXRhYmxlIGNvZGUsIGFuZCBzcGVjaWZpYyAqZGF0YSBmaWxlcyogb24gdGhlIHN5 c3RlbSwKK3RoYXQgd2VyZSBjcml0aWNhbCB0byBpdHMgZnVuY3Rpb24uIEluIHRoaXMgc3lzdGVt LCB0aHJlZSB0eXBlcyBvZiBwb2xpY2llcworYXJlIHBvc3NpYmxlOgorCisgIDEuIEEgcG9saWN5 IGluIHdoaWNoIGZhaWx1cmUgdG8gbWF0Y2ggYW55IHJ1bGVzIGluIHRoZSBwb2xpY3kgcmVzdWx0 cworICAgICBpbiB0aGUgYWN0aW9uIGJlaW5nIGRlbmllZC4KKyAgMi4gQSBwb2xpY3kgaW4gd2hp Y2ggZmFpbHVyZSB0byBtYXRjaCBhbnkgcnVsZXMgaW4gdGhlIHBvbGljeSByZXN1bHRzCisgICAg IGluIHRoZSBhY3Rpb24gYmVpbmcgYWxsb3dlZC4KKyAgMy4gQSBwb2xpY3kgaW4gd2hpY2ggdGhl IGFjdGlvbiB0YWtlbiB3aGVuIG5vIHJ1bGVzIGFyZSBtYXRjaGVkIGlzCisgICAgIHNwZWNpZmll ZCBieSB0aGUgcG9saWN5IGF1dGhvci4KKworVGhlIGZpcnN0IG9wdGlvbiBjb3VsZCBtYWtlIGEg cG9saWN5IGxpa2UgdGhpczo6CisKKyAgb3A9RVhFQ1VURSBpbnRlZ3JpdHlfdmVyaWZpZWQ9WUVT IGFjdGlvbj1BTExPVworCitJbiB0aGUgZXhhbXBsZSBzeXN0ZW0sIHRoaXMgd29ya3Mgd2VsbCBm b3IgdGhlIGV4ZWN1dGFibGVzLCBhcyBhbGwKK2V4ZWN1dGFibGVzIHNob3VsZCBoYXZlIGludGVn cml0eSBndWFyYW50ZWVzLCB3aXRob3V0IGV4Y2VwdGlvbi4gVGhlCitpc3N1ZSBiZWNvbWVzIHdp dGggdGhlIHNlY29uZCByZXF1aXJlbWVudCBhYm91dCBzcGVjaWZpYyBkYXRhIGZpbGVzLgorVGhp cyB3b3VsZCByZXN1bHQgaW4gYSBwb2xpY3kgbGlrZSB0aGlzIChhc3N1bWluZyBlYWNoIGxpbmUg aXMKK2V2YWx1YXRlZCBpbiBvcmRlcik6OgorCisgIG9wPUVYRUNVVEUgaW50ZWdyaXR5X3Zlcmlm aWVkPVlFUyBhY3Rpb249QUxMT1cKKworICBvcD1SRUFEIGludGVncml0eV92ZXJpZmllZD1OTyBs YWJlbD1jcml0aWNhbF90IGFjdGlvbj1ERU5ZCisgIG9wPVJFQUQgYWN0aW9uPUFMTE9XCisKK1Ro aXMgaXMgc29tZXdoYXQgY2xlYXIgaWYgeW91IHJlYWQgdGhlIGRvY3MsIHVuZGVyc3RhbmQgdGhl IHBvbGljeQoraXMgZXhlY3V0ZWQgaW4gb3JkZXIgYW5kIHRoYXQgdGhlIGRlZmF1bHQgaXMgYSBk ZW5pYWw7IGhvd2V2ZXIsIHRoZQorbGFzdCBsaW5lIGVmZmVjdGl2ZWx5IGNoYW5nZXMgdGhhdCBk ZWZhdWx0IHRvIGFuIEFMTE9XLiBUaGlzIGlzCityZXF1aXJlZCwgYmVjYXVzZSBpbiBhIHJlYWxp c3RpYyBzeXN0ZW0sIHRoZXJlIGFyZSBzb21lIHVudmVyaWZpZWQKK3JlYWRzIChpbWFnaW5lIGFw cGVuZGluZyB0byBhIGxvZyBmaWxlKS4KKworVGhlIHNlY29uZCBvcHRpb24sIG1hdGNoaW5nIG5v IHJ1bGVzIHJlc3VsdHMgaW4gYW4gYWxsb3csIGlzIGNsZWFyZXIKK2ZvciB0aGUgc3BlY2lmaWMg ZGF0YSBmaWxlczo6CisKKyAgb3A9UkVBRCBpbnRlZ3JpdHlfdmVyaWZpZWQ9Tk8gbGFiZWw9Y3Jp dGljYWxfdCBhY3Rpb249REVOWQorCitBbmQsIGxpa2UgdGhlIGZpcnN0IG9wdGlvbiwgZmFsbHMg c2hvcnQgd2l0aCB0aGUgb3Bwb3NpdGUgc2NlbmFyaW8sCitlZmZlY3RpdmVseSBuZWVkaW5nIHRv IG92ZXJyaWRlIHRoZSBkZWZhdWx0OjoKKworICBvcD1FWEVDVVRFIGludGVncml0eV92ZXJpZmll ZD1ZRVMgYWN0aW9uPUFMTE9XCisgIG9wPUVYRUNVVEUgYWN0aW9uPURFTlkKKworICBvcD1SRUFE IGludGVncml0eV92ZXJpZmllZD1OTyBsYWJlbD1jcml0aWNhbF90IGFjdGlvbj1ERU5ZCisKK1Ro aXMgbGVhdmVzIHRoZSB0aGlyZCBvcHRpb24uIEluc3RlYWQgb2YgbWFraW5nIHVzZXJzIGJlIGNs ZXZlcgorYW5kIG92ZXJyaWRlIHRoZSBkZWZhdWx0IHdpdGggYW4gZW1wdHkgcnVsZSwgZm9yY2Ug dGhlIGVuZC11c2VyCit0byBjb25zaWRlciB3aGF0IHRoZSBhcHByb3ByaWF0ZSBkZWZhdWx0IHNo b3VsZCBiZSBmb3IgdGhlaXIKK3NjZW5hcmlvIGFuZCBleHBsaWNpdGx5IHN0YXRlIGl0OjoKKwor ICBERUZBVUxUIG9wPUVYRUNVVEUgYWN0aW9uPURFTlkKKyAgb3A9RVhFQ1VURSBpbnRlZ3JpdHlf dmVyaWZpZWQ9WUVTIGFjdGlvbj1BTExPVworCisgIERFRkFVTFQgb3A9UkVBRCBhY3Rpb249QUxM T1cKKyAgb3A9UkVBRCBpbnRlZ3JpdHlfdmVyaWZpZWQ9Tk8gbGFiZWw9Y3JpdGljYWxfdCBhY3Rp b249REVOWQorCitQb2xpY3kgRGVidWdnaW5nOgorfn5+fn5+fn5+fn5+fn5+fn4KKworV2hlbiBk ZXZlbG9waW5nIGEgcG9saWN5LCBpdCBpcyB1c2VmdWwgdG8ga25vdyB3aGF0IGxpbmUgb2YgdGhl IHBvbGljeQoraXMgYmVpbmcgdmlvbGF0ZWQgdG8gcmVkdWNlIGRlYnVnZ2luZyBjb3N0czsgbmFy cm93aW5nIHRoZSBzY29wZSBvZiB0aGUKK2ludmVzdGlnYXRpb24gdG8gdGhlIGV4YWN0IGxpbmUg dGhhdCByZXN1bHRlZCBpbiB0aGUgYWN0aW9uLiBTb21lIGludGVncml0eQorcG9saWN5IHN5c3Rl bXMgZG8gbm90IHByb3ZpZGUgdGhpcyBpbmZvcm1hdGlvbiwgaW5zdGVhZCBwcm92aWRpbmcgdGhl CitpbmZvcm1hdGlvbiB0aGF0IHdhcyB1c2VkIGluIHRoZSBldmFsdWF0aW9uLiBUaGlzIHRoZW4g cmVxdWlyZXMgYSBjb3JyZWxhdGlvbgord2l0aCB0aGUgcG9saWN5IHRvIGV2YWx1YXRlIHdoYXQg d2VudCB3cm9uZy4KKworSW5zdGVhZCwgSVBFIGp1c3QgZW1pdHMgdGhlIHJ1bGUgdGhhdCB3YXMg bWF0Y2hlZC4gVGhpcyBsaW1pdHMgdGhlIHNjb3BlCitvZiB0aGUgaW52ZXN0aWdhdGlvbiB0byB0 aGUgZXhhY3QgcG9saWN5IGxpbmUgKGluIHRoZSBjYXNlIG9mIGEgc3BlY2lmaWMKK3J1bGUpLCBv ciB0aGUgc2VjdGlvbiAoaW4gdGhlIGNhc2Ugb2YgYSBERUZBVUxUKS4gVGhpcyBkZWNyZWFzZXMg aXRlcmF0aW9uCithbmQgaW52ZXN0aWdhdGlvbiB0aW1lcyB3aGVuIHBvbGljeSBmYWlsdXJlcyBh cmUgb2JzZXJ2ZWQgd2hpbGUgZXZhbHVhdGluZworcG9saWNpZXMuCisKK0lQRSdzIHBvbGljeSBl bmdpbmUgaXMgYWxzbyBkZXNpZ25lZCBpbiBhIHdheSB0aGF0IGl0IG1ha2VzIGl0IG9idmlvdXMg dG8KK2EgaHVtYW4gb2YgaG93IHRvIGludmVzdGlnYXRlIGEgcG9saWN5IGZhaWx1cmUuIEVhY2gg bGluZSBpcyBldmFsdWF0ZWQgaW4KK3RoZSBzZXF1ZW5jZSB0aGF0IGlzIHdyaXR0ZW4sIHNvIHRo ZSBhbGdvcml0aG0gaXMgdmVyeSBzaW1wbGUgdG8gZm9sbG93Citmb3IgaHVtYW5zIHRvIHJlY3Jl YXRlIHRoZSBzdGVwcyBhbmQgY291bGQgaGF2ZSBjYXVzZWQgdGhlIGZhaWx1cmUuIEluIG90aGVy CitzdXJ2ZXllZCBzeXN0ZW1zLCBvcHRpbWl6YXRpb25zIG9jY3VyIChzb3J0aW5nIHJ1bGVzLCBm b3IgaW5zdGFuY2UpIHdoZW4gbG9hZGluZwordGhlIHBvbGljeS4gSW4gdGhvc2Ugc3lzdGVtcywg aXQgcmVxdWlyZXMgbXVsdGlwbGUgc3RlcHMgdG8gZGVidWcsIGFuZCB0aGUKK2FsZ29yaXRobSBt YXkgbm90IGFsd2F5cyBiZSBjbGVhciB0byB0aGUgZW5kLXVzZXIgd2l0aG91dCByZWFkaW5nIHRo ZSBjb2RlIGZpcnN0LgorCitTaW1wbGlmaWVkIFBvbGljeToKK35+fn5+fn5+fn5+fn5+fn5+fgor CitGaW5hbGx5LCBJUEUncyBwb2xpY3kgaXMgZGVzaWduZWQgZm9yIHN5c2FkbWlucywgbm90IGtl cm5lbCBkZXZlbG9wZXJzLiBJbnN0ZWFkCitvZiBjb3ZlcmluZyBpbmRpdmlkdWFsIExTTSBob29r cyAob3Igc3lzY2FsbHMpLCBJUEUgY292ZXJzIG9wZXJhdGlvbnMuIFRoaXMgbWVhbnMKK2luc3Rl YWQgb2Ygc3lzYWRtaW5zIG5lZWRpbmcgdG8ga25vdyB0aGF0IHRoZSBzeXNjYWxscyBgYG1tYXBg YCwgYGBtcHJvdGVjdGBgLAorYGBleGVjdmVgYCwgYW5kIGBgdXNlbGliYGAgbXVzdCBoYXZlIHJ1 bGVzIHByb3RlY3RpbmcgdGhlbSwgdGhleSBtdXN0IHNpbXBsZSBrbm93Cit0aGF0IHRoZXkgd2Fu dCB0byByZXN0cmljdCBjb2RlIGV4ZWN1dGlvbi4gVGhpcyBsaW1pdHMgdGhlIGFtb3VudCBvZiBi eXBhc3NlcyB0aGF0Citjb3VsZCBvY2N1ciBkdWUgdG8gYSBsYWNrIG9mIGtub3dsZWRnZSBvZiB0 aGUgdW5kZXJseWluZyBzeXN0ZW07IHdoZXJlYXMgdGhlCittYWludGFpbmVycyBvZiBJUEUsIGJl aW5nIGtlcm5lbCBkZXZlbG9wZXJzIGNhbiBtYWtlIHRoZSBjb3JyZWN0IGNob2ljZSB0byBkZXRl cm1pbmUKK3doZXRoZXIgc29tZXRoaW5nIG1hcHMgdG8gdGhlc2Ugb3BlcmF0aW9ucywgYW5kIHVu ZGVyIHdoYXQgY29uZGl0aW9ucy4KKworSW1wbGVtZW50YXRpb24gTm90ZXMKKy0tLS0tLS0tLS0t LS0tLS0tLS0tCisKK0Fub255bW91cyBNZW1vcnkKK35+fn5+fn5+fn5+fn5+fn4KKworQW5vbnlt b3VzIG1lbW9yeSBpc24ndCB0cmVhdGVkIGFueSBkaWZmZXJlbnRseSBmcm9tIGFueSBvdGhlciBh Y2Nlc3MgaW4gSVBFLgorV2hlbiBhbm9ueW1vdXMgbWVtb3J5IGlzIG1hcHBlZCB3aXRoIGBgK1hg YCwgaXQgc3RpbGwgY29tZXMgaW50byB0aGUgYGBmaWxlX21tYXBgYAorb3IgYGBmaWxlX21wcm90 ZWN0YGAgaG9vaywgYnV0IHdpdGggYSBgYE5VTExgYCBmaWxlIG9iamVjdC4gVGhpcyBpcyBzdWJt aXR0ZWQgdG8KK3RoZSBldmFsdWF0aW9uLCBsaWtlIGFueSBvdGhlciBmaWxlLCBob3dldmVyLCBh bGwgY3VycmVudCB0cnVzdCBtZWNoYW5pc21zIHdpbGwKK3JldHVybiBmYWxzZSBhcyB0aGVyZSBp cyBub3RoaW5nIHRvIGV2YWx1YXRlLiBUaGlzIG1lYW5zIGFub255bW91cyBtZW1vcnkKK2V4ZWN1 dGlvbiBpcyBzdWJqZWN0IHRvIHdoYXRldmVyIHRoZSBgYERFRkFVTFRgYCBpcyBmb3IgYGBFWEVD VVRFYGAuCisKKy4uIFdBUk5JTkc6OgorCisgIFRoaXMgYWxzbyBvY2N1cnMgd2l0aCB0aGUgYGBr ZXJuZWxfbG9hZF9kYXRhYGAgaG9vaywgd2hpY2ggaXMgdXNlZCBieSBzaWduZWQKKyAgYW5kIGNv bXByZXNzZWQga2VybmVsIG1vZHVsZXMuIFVzaW5nIHNpZ25lZCBhbmQgY29tcHJlc3NlZCBrZXJu ZWwgbW9kdWxlcyB3aXRoCisgIElQRSB3aWxsIGFsd2F5cyByZXN1bHQgaW4gdGhlIGBgREVGQVVM VGBgIGFjdGlvbiBmb3IgYGBLTU9EVUxFYGAuCisKK1NlY3VyaXR5ZnMgSW50ZXJmYWNlCit+fn5+ fn5+fn5+fn5+fn5+fn5+fgorCitUaGUgcGVyLXBvbGljeSBzZWN1cml0eWZzIHRyZWUgaXMgc29t ZXdoYXQgdW5pcXVlLiBGb3IgZXhhbXBsZSwgZm9yCithIHN0YW5kYXJkIHNlY3VyaXR5ZnMgcG9s aWN5IHRyZWU6OgorCisgIE15UG9saWN5CisgICAgfC0gYWN0aXZlCisgICAgfC0gZGVsZXRlCisg ICAgfC0gbmFtZQorICAgIHwtIHBrY3M3CisgICAgfC0gcG9saWN5CisgICAgfC0gdXBkYXRlCisg ICAgfC0gdmVyc2lvbgorCitUaGUgcG9saWN5IGlzIHN0b3JlZCBpbiB0aGUgYGAtPmlfcHJpdmF0 ZWBgIGRhdGEgb2YgdGhlIE15UG9saWN5IGlub2RlLgorCitUZXN0cworLS0tLS0KKworSVBFIGhh cyBLVW5pdCBUZXN0cywgdGVzdGluZyBwcmltYXJpbHkgdGhlIHBhcnNlci4gSW4gYWRkaXRpb24s IElQRSBoYXMgYQorcHl0aG9uIGJhc2VkIGludGVncmF0aW9uIHRlc3Qgc3VpdHMgdGhhdCBjYW4g dGVzdCBib3RoIHVzZXIgaW50ZXJmYWNlcyBhbmQKK2VuZm9yY2VtZW50IGZ1bmN0aW9uYWxpdGll cy4KZGlmZiAtLWdpdCBhL01BSU5UQUlORVJTIGIvTUFJTlRBSU5FUlMKaW5kZXggZmI4ZDZhMTZm MmE2Li5hNTQ5NGZiOWUzODUgMTAwNjQ0Ci0tLSBhL01BSU5UQUlORVJTCisrKyBiL01BSU5UQUlO RVJTCkBAIC0xMDI4Myw2ICsxMDI4Myw4IEBAIE06CUZhbiBXdSA8d3VmYW5AbGludXgubWljcm9z b2Z0LmNvbT4KIEw6CWxpbnV4LXNlY3VyaXR5LW1vZHVsZUB2Z2VyLmtlcm5lbC5vcmcKIFM6CVN1 cHBvcnRlZAogVDoJZ2l0IGdpdDovL2dpdGh1Yi5jb20vbWljcm9zb2Z0L2lwZS5naXQKK0Y6CURv Y3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5yc3QKK0Y6CURvY3VtZW50YXRpb24vc2Vj dXJpdHkvaXBlLnJzdAogRjoJc2NyaXB0cy9pcGUvCiBGOglzZWN1cml0eS9pcGUvCiAKLS0gCjIu MjUuMQoKLS0KZG0tZGV2ZWwgbWFpbGluZyBsaXN0CmRtLWRldmVsQHJlZGhhdC5jb20KaHR0cHM6 Ly9saXN0bWFuLnJlZGhhdC5jb20vbWFpbG1hbi9saXN0aW5mby9kbS1kZXZlbAo=