From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66617E936F5 for ; Wed, 4 Oct 2023 22:10:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237148AbjJDWKL (ORCPT ); Wed, 4 Oct 2023 18:10:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236551AbjJDWKE (ORCPT ); Wed, 4 Oct 2023 18:10:04 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id E1BE2C9; Wed, 4 Oct 2023 15:09:55 -0700 (PDT) Received: by linux.microsoft.com (Postfix, from userid 1052) id 44DE520B74E5; Wed, 4 Oct 2023 15:09:50 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 44DE520B74E5 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1696457391; bh=umsYx6futICn0ECblX5WD3g6cuUzfUnmzwqtL0c221k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BROJM6rZe0atQ3m1jUQ1wCAbWWiBJDekcVaWQTFB6r5h+KQDaHC/6i4SjcJb0OeFH q4aYLHyR7mJknVHNjVl5a5ew7JR4B3KWNoC77M4koMoq7Trb4iBW+vFWO8XNDfp1kY vBAILvC71YDVWy7N75bkhn8Q5tMkC77iDJvGlD54= From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org, dm-devel@redhat.com, audit@vger.kernel.org, roberto.sassu@huawei.com, linux-kernel@vger.kernel.org, Deven Bowers , Fan Wu Subject: [RFC PATCH v11 19/19] documentation: add ipe documentation Date: Wed, 4 Oct 2023 15:09:46 -0700 Message-Id: <1696457386-3010-20-git-send-email-wufan@linux.microsoft.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> References: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: audit@vger.kernel.org From: Deven Bowers Add IPE's admin and developer documentation to the kernel tree. Co-developed-by: Fan Wu Signed-off-by: Deven Bowers Signed-off-by: Fan Wu --- v2: + No Changes v3: + Add Acked-by + Fixup code block syntax + Fix a minor grammatical issue. v4: + Update documentation with the results of other code changes. v5: + No changes v6: + No changes v7: + Add additional developer-level documentation + Update admin-guide docs to reflect changes. + Drop Acked-by due to significant changes + Added section about audit events in admin-guide v8: + Correct terminology from "audit event" to "audit record" + Add associated documentation with the correct "audit event" terminology. + Add some context to the historical motivation for IPE and design philosophy. + Add some content about the securityfs layout in the policies directory. + Various spelling and grammatical corrections. v9: + Correct spelling of "pitfalls" + Update the docs w.r.t the new parser and new audit formats v10: + Refine user docs per upstream suggetions + Update audit events part v11: + No changes --- Documentation/admin-guide/LSM/index.rst | 1 + Documentation/admin-guide/LSM/ipe.rst | 752 ++++++++++++++++++ .../admin-guide/kernel-parameters.txt | 12 + Documentation/security/index.rst | 1 + Documentation/security/ipe.rst | 420 ++++++++++ MAINTAINERS | 2 + 6 files changed, 1188 insertions(+) create mode 100644 Documentation/admin-guide/LSM/ipe.rst create mode 100644 Documentation/security/ipe.rst diff --git a/Documentation/admin-guide/LSM/index.rst b/Documentation/admin-guide/LSM/index.rst index a6ba95fbaa9f..ce63be6d64ad 100644 --- a/Documentation/admin-guide/LSM/index.rst +++ b/Documentation/admin-guide/LSM/index.rst @@ -47,3 +47,4 @@ subdirectories. tomoyo Yama SafeSetID + ipe diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst new file mode 100644 index 000000000000..da59f78427fa --- /dev/null +++ b/Documentation/admin-guide/LSM/ipe.rst @@ -0,0 +1,752 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) +================================== + +.. NOTE:: + + This is the documentation for admins, system builders, or individuals + attempting to use IPE. If you're looking for more developer-focused + documentation about IPE please see `Documentation/security/ipe.rst` + +Overview +-------- + +IPE is a Linux Security Module which takes a complimentary approach to +access control. Whereas existing mandatory access control mechanisms +base their decisions on labels and paths, IPE instead determines +whether or not an operation should be allowed based on immutable +security properties of the system component the operation is being +performed on. + +IPE itself does not mandate how the security property should be +evaluated, but relies on an extensible set of external property providers +to evaluate the component. IPE makes its decision based on reference +values for the selected properties, specified in the IPE policy. + +The reference values represent the value that the policy writer and the +local system administrator (based on the policy signature) trust for the +system to accomplish the desired tasks. + +One such provider is for example dm-verity, which is able to represent +the integrity property of a partition (its immutable state) with a digest. + +To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under +:menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config +option is enabled. + +Use Cases +--------- + +IPE works best in fixed-function devices: devices in which their purpose +is clearly defined and not supposed to be changed (e.g. network firewall +device in a data center, an IoT device, etcetera), where all software and +configuration is built and provisioned by the system owner. + +IPE is a long-way off for use in general-purpose computing: the Linux +community as a whole tends to follow a decentralized trust model (known as +the web of trust), which IPE has no support for it yet. Instead, IPE +supports PKI (public key infrastructure), which generally designates a +set of trusted entities that provide a measure of absolute trust. + +Additionally, while most packages are signed today, the files inside +the packages (for instance, the executables), tend to be unsigned. This +makes it difficult to utilize IPE in systems where a package manager is +expected to be functional, without major changes to the package manager +and ecosystem behind it. + +DIGLIM [#diglim]_ is a system that when combined with IPE, could be used to +enable and support general-purpose computing use cases. + +Known Limitations +----------------- + +IPE cannot verify the integrity of anonymous executable memory, such as +the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code. +Unfortunately, as this is dynamically generated code, there is no way +for IPE to ensure the integrity of this code to form a trust basis. In all +cases, the return result for these operations will be whatever the admin +configures as the ``DEFAULT`` action for ``EXECUTE``. + +IPE cannot verify the integrity of programs written in interpreted +languages when these scripts are invoked by passing these program files +to the interpreter. This is because the way interpreters execute these +files; the scripts themselves are not evaluated as executable code +through one of IPE's hooks, but they are merely text files that are read +(as opposed to compiled executables) [#interpreters]_. + +Threat Model +------------ + +The threat type addressed by IPE is tampering of executable userspace +code beyond the initially booted kernel, and the initial verification of +kernel modules that are loaded in userspace through ``modprobe`` or +``insmod``. + +A bare-minimum example of a threat that should be mitigated by IPE, is +an untrusted (potentially malicious) binary that is downloaded and +bundled with all required dependencies (including a loader, libc, etc). +With IPE, this binary should not be allowed to be executed, not even any +of its dependencies. + +Tampering violates integrity, yet lack of trust is caused by being +unable to detect tampering (and by extent verifying the integrity). +IPE's role in mitigating this threat is to verify the integrity (and +authenticity) of all executable code and to deny their use if they +cannot be trusted (as integrity verification fails, or the authorization +check fails against the reference value in the policy). IPE generates +audit logs which may be utilized to detect and analyze failures +resulting from policy violation. + +Tampering threat scenarios include modification or replacement of +executable code by a range of actors including: + +- Actors with physical access to the hardware +- Actors with local network access to the system +- Actors with access to the deployment system +- Compromised internal systems under external control +- Malicious end users of the system +- Compromised end users of the system +- Remote (external) compromise of the system + +IPE does not mitigate threats arising from malicious but authorized +developers (with access to a signing certificate), or compromised +developer tools used by them (i.e. return-oriented programming attacks). +Additionally, IPE draws hard security boundary between userspace and +kernelspace. As a result, IPE does not provide any protections against a +kernel level exploit, and a kernel-level exploit can disable or tamper +with IPE's protections. + +Policy +------ + +IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements +over several lines. There is one required line, at the top of the +policy, indicating the policy name, and the policy version, for +instance:: + + policy_name=Ex_Policy policy_version=0.0.0 + +The policy name is a unique key identifying this policy in a human +readable name. This is used to create nodes under securityfs as well as +uniquely identify policies to deploy new policies vs update existing +policies. + +The policy version indicates the current version of the policy (NOT the +policy syntax version). This is used to prevent rollback of policy to +potentially insecure previous versions of the policy. + +The next portion of IPE policy are rules. Rules are formed by key=value +pairs, known as properties. IPE rules require two properties: ``action``, +which determines what IPE does when it encounters a match against the +rule, and ``op``, which determines when the rule should be evaluated. +The ordering is significant, a rule must start with ``op``, and end with +``action``. Thus, a minimal rule is:: + + op=EXECUTE action=ALLOW + +This example will allow any execution. Additional properties are used to +restrict attributes about the files being evaluated. These properties +are intended to be descriptions of systems within the kernel that can +provide a measure of integrity verification, such that IPE can determine +the trust of the resource based on the value of the property. + +Rules are evaluated top-to-bottom. As a result, any revocation rules, +or denies should be placed early in the file to ensure that these rules +are evaluated before a rule with ``action=ALLOW``. + +IPE policy supports comments. The character '#' will function as a +comment, ignoring all characters to the right of '#' until the newline. + +The default behavior of IPE evaluations can also be expressed in policy, +through the ``DEFAULT`` statement. This can be done at a global level, +or a per-operation level:: + + # Global + DEFAULT action=ALLOW + + # Operation Specific + DEFAULT op=EXECUTE action=ALLOW + +A default must be set for all known operations in IPE. If you want to +preserve older policies being compatible with newer kernels that can introduce +new operations, set a global default of ``ALLOW``, then override the +defaults on a per-operation basis (as above). + +With configurable policy-based LSMs, there's several issues with +enforcing the configurable policies at startup, around reading and +parsing the policy: + +1. The kernel *should* not read files from userspace, so directly reading + the policy file is prohibited. +2. The kernel command line has a character limit, and one kernel module + should not reserve the entire character limit for its own + configuration. +3. There are various boot loaders in the kernel ecosystem, so handing + off a memory block would be costly to maintain. + +As a result, IPE has addressed this problem through a concept of a "boot +policy". A boot policy is a minimal policy which is compiled into the +kernel. This policy is intended to get the system to a state where +userspace is set up and ready to receive commands, at which point a more +complex policy can be deployed via securityfs. The boot policy can be +specified via ``SECURITY_IPE_BOOT_POLICY`` config option, which accepts +a path to a plain-text version of the IPE policy to apply. This policy +will be compiled into the kernel. If not specified, IPE will be disabled +until a policy is deployed and activated through securityfs. + +Deploying Policies +~~~~~~~~~~~~~~~~~~ + +Policies can be deployed from userspace through securityfs. These policies +are signed through the PKCS#7 message format to enforce some level of +authorization of the policies (prohibiting an attacker from gaining +unconstrained root, and deploying an "allow all" policy). These +policies must be signed by a certificate that chains to the +``SYSTEM_TRUSTED_KEYRING``. With openssl, the policy can be signed by:: + + openssl smime -sign \ + -in "$MY_POLICY" \ + -signer "$MY_CERTIFICATE" \ + -inkey "$MY_PRIVATE_KEY" \ + -noattr \ + -nodetach \ + -nosmimecap \ + -outform der \ + -out "$MY_POLICY.p7b" + +Deploying the policies is done through securityfs, through the +``new_policy`` node. To deploy a policy, simply cat the file into the +securityfs node:: + + cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy + +Upon success, this will create one subdirectory under +``/sys/kernel/security/ipe/policies/``. The subdirectory will be the +``policy_name`` field of the policy deployed, so for the example above, +the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``. +Within this directory, there will be five files: ``pkcs7``, ``policy``, +``active``, ``update``, and ``delete``. + +The ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data +that was provided to the kernel, representing the policy. If the policy being +read is the boot policy, this will return ``ENOENT``, as it is not signed. + +The ``policy`` file is read only. Reading it returns the PKCS#7 inner +content of the policy, which will be the plain text policy. + +The ``active`` file is used to set a policy as the currently active policy. +This file is rw, and accepts a value of ``"1"`` to set the policy as active. +Since only a single policy can be active at one time, all other policies +will be marked inactive. The policy being marked active must have a policy +version greater or equal to the currently-running version. + +The ``update`` file is used to update a policy that is already present +in the kernel. This file is write-only and accepts a PKCS#7 signed +policy. Two checks will always be performed on this policy: First, the +``policy_names`` must match with the updated version and the existing +version. Second the updated policy must have a policy version greater than +or equal to the currently-running version. This is to prevent rollback attacks. + +The ``delete`` file is used to remove a policy that is no longer needed. +This file is write-only and accepts a value of ``1`` to delete the policy. +On deletion, the securityfs node representing the policy will be removed. +However, delete the current active policy is not allowed and will return +an operation not permitted error. + +Similarly, writing to both ``update`` and ``new_policy`` could result in +bad message(policy syntax error) or file exists error. The latter error happens +when trying to deploy a policy with a ``policy_name`` while the kernel already +has a deployed policy with the same ``policy_name``. + +Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will +only enforce the policy marked active. Note that only one policy can be active +at a time. + +Once deployment is successful, the policy can be activated, by writing file +``/sys/kernel/security/ipe/$policy_name/active``. +For example, the ``Ex_Policy`` can be activated by:: + + echo 1 > "/sys/kernel/security/ipe/Ex_Policy/active" + +From above point on, ``Ex_Policy`` is now the enforced policy on the +system. + +IPE also provides a way to delete policies. This can be done via the +``delete`` securityfs node, ``/sys/kernel/security/ipe/$policy_name/delete``. +Writing ``1`` to that file deletes the policy:: + + echo 1 > "/sys/kernel/security/ipe/$policy_name/delete" + +There is only one requirement to delete a policy: the policy being deleted +must be inactive. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack), all + writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Modes +~~~~~ + +IPE supports two modes of operation: permissive (similar to SELinux's +permissive mode) and enforced. In permissive mode, all events are +checked and policy violations are logged, but the policy is not really +enforced. This allows users to test policies before enforcing them. + +The default mode is enforce, and can be changed via the kernel command +line parameter ``ipe.enforce=(0|1)``, or the securityfs node +``/sys/kernel/security/ipe/enforce``. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Audit Events +~~~~~~~~~~~~ + +1420 AUDIT_IPE_ACCESS +^^^^^^^^^^^^^^^^^^^^^ +Event Examples:: + + type=1420 audit(1653364370.067:61): path="/root/fs/rw/plain/execve" dev="vdc1" ino=16 rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364370.067:61): arch=c000003e syscall=10 success=no exit=-13 a0=7f0bf0644000 a1=4f80 a2=5 a3=7f0bf043d300 items=0 ppid=455 pid=737 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mprotect" exe="/root/host/mprotect" subj=kernel key=(null) + type=1327 audit(1653364370.067:61): proctitle=686F73742F6D70726F7465637400534800527C5700527C5800706C61696E2F657865637665 + + type=1420 audit(1653364735.161:64): rule="DEFAULT op=EXECUTE action=DENY" + type=1300 audit(1653364735.161:64): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=20 items=0 ppid=455 pid=774 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=3 comm="mmap" exe="/root/host/mmap" subj=kernel key=(null) + type=1327 audit(1653364735.161:64): proctitle=686F73742F6D6D617000410058⏎ + +This event indicates that IPE made an access control decision; the IPE +specific record (1420) is always emitted in conjunction with a +``AUDITSYSCALL`` record. + +Determining whether IPE is in permissive or enforced mode can be derived +from ``success`` property and exit code of the ``AUDITSYSCALL`` record. + + +Field descriptions: + ++-------+------------+-----------+-------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++=======+============+===========+=================================================+ +| path | string | Yes | The absolute path to the evaluated file | ++-------+------------+-----------+-------------------------------------------------+ +| ino | integer | Yes | The inode number of the evaluated file | ++-------+------------+-----------+-------------------------------------------------+ +| dev | string | Yes | The device name of the evaluated file, e.g. vda | ++-------+------------+-----------+-------------------------------------------------+ +| rule | string | No | The matched policy rule | ++-------+------------+-----------+-------------------------------------------------+ + +1421 AUDIT_IPE_CONFIG_CHANGE +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 + type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) + type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2 + +This event indicates that IPE switched the active poliy from one to another +along with the version and the hash digest of the two policies. +Note IPE can only have one policy active at a time, all access decision +evaluation is based on the current active policy. +The normal procedure to deploy a new policy is loading the policy to deploy +into the kernel first, then switch the active policy to it. + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++------------------------+------------+-----------+---------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++========================+============+===========+===================================================+ +| old_active_pol_name | string | No | The name of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| old_active_pol_version | string | No | The version of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| old_policy_digest | string | No | The hash of previous active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_active_pol_name | string | No | The name of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_active_pol_version | string | No | The version of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| new_policy_digest | string | No | The hash of current active policy | ++------------------------+------------+-----------+---------------------------------------------------+ +| auid | integer | No | The login user ID | ++------------------------+------------+-----------+---------------------------------------------------+ +| ses | integer | No | The login session ID | ++------------------------+------------+-----------+---------------------------------------------------+ +| lsm | string | No | The lsm name associated with the event | ++------------------------+------------+-----------+---------------------------------------------------+ +| res | integer | No | The result of the audited operation(success/fail) | ++------------------------+------------+-----------+---------------------------------------------------+ + +1422 AUDIT_IPE_POLICY_LOAD +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Event Example:: + + type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 + type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null) + type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E + +This record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash. + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++----------------+------------+-----------+---------------------------------------------------+ +| Field | Value Type | Optional? | Description of Value | ++================+============+===========+===================================================+ +| policy_name | string | No | The policy_name | ++----------------+------------+-----------+---------------------------------------------------+ +| policy_version | string | No | The policy_version | ++----------------+------------+-----------+---------------------------------------------------+ +| policy_digest | string | No | The policy hash | ++----------------+------------+-----------+---------------------------------------------------+ +| auid | integer | No | The login user ID | ++----------------+------------+-----------+---------------------------------------------------+ +| ses | integer | No | The login session ID | ++----------------+------------+-----------+---------------------------------------------------+ +| lsm | string | No | The lsm name associated with the event | ++----------------+------------+-----------+---------------------------------------------------+ +| res | integer | No | The result of the audited operation(success/fail) | ++----------------+------------+-----------+---------------------------------------------------+ + + +1404 AUDIT_MAC_STATUS +^^^^^^^^^^^^^^^^^^^^^ + +Event Examples:: + + type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + + type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1 + type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=) + type=1327 audit(1653425689.008:55): proctitle="-bash" + +This record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall. + ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| Field | Value Type | Optional? | Description of Value | | ++===============+============+===========+=================================================================================================+=====+ +| enforcing | integer | No | The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| old_enforcing | integer | No | The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| auid | integer | No | The login user ID | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| ses | integer | No | The login session ID | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| enabled | integer | No | The new TTY audit enabled setting | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| old-enabled | integer | No | The old TTY audit enabled setting | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| lsm | string | No | The lsm name associated with the event | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ +| res | integer | No | The result of the audited operation(success/fail) | | ++---------------+------------+-----------+-------------------------------------------------------------------------------------------------+-----+ + +Success Auditing +^^^^^^^^^^^^^^^^ + +IPE supports success auditing. When enabled, all events that pass IPE +policy and are not blocked will emit an audit event. This is disabled by +default, and can be enabled via the kernel command line +``ipe.success_audit=(0|1)`` or +``/sys/kernel/security/ipe/success_audit`` securityfs file. + +This is *very* noisy, as IPE will check every userspace binary on the +system, but is useful for debugging policies. + +.. NOTE:: + + If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera), + all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``. + +Properties +---------- + +As explained above, IPE properties are ``key=value`` pairs expressed in +IPE policy. Two properties are built-into the policy parser: 'op' and +'action'. The other properties are deterministic attributes to express +across files. Currently those properties are: '``boot_verified``', +'``dmverity_signature``', '``dmverity_roothash``', '``fsverity_signature``', +'``fsverity_digest``'. A description of all properties supported by IPE +are listed below: + +op +~~ + +Indicates the operation for a rule to apply to. Must be in every rule, +as the first token. IPE supports the following operations: + + ``EXECUTE`` + + Pertains to any file attempting to be executed, or loaded as an + executable. + + ``FIRMWARE``: + + Pertains to firmware being loaded via the firmware_class interface. + This covers both the preallocated buffer and the firmware file + itself. + + ``KMODULE``: + + Pertains to loading kernel modules via ``modprobe`` or ``insmod``. + + ``KEXEC_IMAGE``: + + Pertains to kernel images loading via ``kexec``. + + ``KEXEC_INITRAMFS`` + + Pertains to initrd images loading via ``kexec --initrd``. + + ``POLICY``: + + Controls loading policies via reading a kernel-space initiated read. + + An example of such is loading IMA policies by writing the path + to the policy file to ``$securityfs/ima/policy`` + + ``X509_CERT``: + + Controls loading IMA certificates through the Kconfigs, + ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``. + +action +~~~~~~ + + Determines what IPE should do when a rule matches. Must be in every + rule, as the final clause. Can be one of: + + ``ALLOW``: + + If the rule matches, explicitly allow access to the resource to proceed + without executing any more rules. + + ``DENY``: + + If the rule matches, explicitly prohibit access to the resource to + proceed without executing any more rules. + +boot_verified +~~~~~~~~~~~~~ + + This property can be utilized for authorization of the first super-block + that executes a file. This is almost always init. Typically this is used + for systems with an initramfs or other initial disk, where this is unmounted + before the system becomes available, and is not covered by any other property. + The format of this property is:: + + boot_verified=(TRUE|FALSE) + + + .. WARNING:: + + This property will trust any disk where the first execution evaluation + occurs. If you do *NOT* have a startup disk that is unpacked and unmounted + (like initramfs), then it will automatically trust the root filesystem and + potentially overauthorize the entire disk. + +dmverity_roothash +~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization or revocation of + specific dm-verity volumes, identified via sroot hash. It has a + dependency on the DM_VERITY module. This property is controlled by + the ``IPE_PROP_DM_VERITY`` config option, it will be automatically + selected when ``IPE_SECURITY``, ``DM_VERITY `` and + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled. + The format of this property is:: + + dmverity_roothash=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#dmveritydigests]_ [#securedigest]_ : + + + blake2b-512 + + blake2s-256 + + sha1 + + sha256 + + sha384 + + sha512 + + sha3-224 + + sha3-256 + + sha3-384 + + sha3-512 + + md4 + + md5 + + sm3 + + rmd160 + +dmverity_signature +~~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization of all dm-verity + volumes that have a signed roothash that chains to a keyring + specified by dm-verity's configuration, either the system trusted + keyring, or the secondary keyring. It depends on + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by + the ``IPE_PROP_DM_VERITY`` config option, it will be automatically + selected when ``IPE_SECURITY``, ``DM_VERITY `` and + ``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled. + The format of this property is:: + + dmverity_signature=(TRUE|FALSE) + +fsverity_digest +~~~~~~~~~~~~~~~ + + This property can be utilized for authorization or revocation of + specific fsverity enabled file, identified via its fsverity digest. + It depends on ``FS_VERITY`` config option and is controlled by + ``CONFIG_IPE_PROP_FS_VERITY``. The format of this property is:: + + fsverity_digest=DigestName:HexadecimalString + + The supported DigestNames for dmverity_roothash are [#fsveritydigest] [#securedigest]_ : + + + sha256 + + sha512 + +fsverity_signature +~~~~~~~~~~~~~~~~~~ + + This property can be utilized for authorization of all fsverity + enabled files that is verified by fsverity. The keyring that the + signature is verified against is subject to fsverity's configuration, + typically the fsverity keyring. It depends on + ``CONFIG_FS_VERITY_BUILTIN_SIGNATURES`` and it is controlled by + the Kconfig ``CONFIG_IPE_PROP_FS_VERITY``. The format of this + property is:: + + fsverity_signature=(TRUE|FALSE) + +Policy Examples +--------------- + +Allow all +~~~~~~~~~ + +:: + + policy_name=Allow_All policy_version=0.0.0 + DEFAULT action=ALLOW + +Allow only initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=Allow_All_Initial_SB policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + +Allow any signed dm-verity volume and the initial superblock +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Prohibit execution from a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY + + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Allow only a specific dm-verity volume +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedAndInitial policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW + +Allow any signed fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=AllowSignedFSVerity policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_signature=TRUE action=ALLOW + +Prohibit execution of a specific fs-verity file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + policy_name=ProhibitSpecificFSVF policy_version=0.0.0 + DEFAULT action=DENY + + op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=DENY + op=EXECUTE boot_verified=TRUE action=ALLOW + op=EXECUTE dmverity_signature=TRUE action=ALLOW + +Additional Information +---------------------- + +- `Github Repository `_ +- `Design Documentation `_ + +FAQ +--- + +Q: + What's the difference between other LSMs which provide a measure of + trust-based access control? + +A: + + In general, there's two other LSMs that can provide similar functionality: + IMA, and Loadpin. + + IMA and IPE are functionally very similar. The significant difference between + the two is the policy. [#devdoc]_ + + Loadpin and IPE differ fairly dramatically, as Loadpin controls only the IPE + equivalent of ``KERNEL_READ``, whereas IPE is capable of controlling execution, + on top of ``KERNEL_READ``. The trust model is also different; Loadpin roots its + trust in the initial super-block, whereas trust in IPE is stemmed from kernel + itself (via ``SYSTEM_TRUSTED_KEYS``). + +----------- + +.. [#diglim] 1: https://lore.kernel.org/bpf/4d6932e96d774227b42721d9f645ba51@huawei.com/T/ + +.. [#interpreters] There is `some interest in solving this issue `_. + +.. [#devdoc] Please see `Documentation/security/ipe.rst` for more on this topic. + +.. [#fsveritydigest] These hash algorithms are based on values accepted by fsverity-utils; + IPE does not impose any restrictions on the digest algorithm itself; + thus, this list may be out of date. + +.. [#dmveritydigests] These hash algorithms are based on values accepted by dm-verity, + specifically ``crypto_alloc_ahash`` in ``verity_ctr``; ``veritysetup`` + does support more algorithms than the list above. IPE does not impose + any restrictions on the digest algorithm itself; thus, this list + may be out of date. + +.. [#securedigest] Please ensure you are using cryptographically secure hash functions; + just because something is *supported* does not mean it is *secure*. diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0a1731a0f0ef..6a71d9d9be36 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -2262,6 +2262,18 @@ ipcmni_extend [KNL] Extend the maximum number of unique System V IPC identifiers from 32,768 to 16,777,216. + ipe.enforce= [IPE] + Format: + Determine whether IPE starts in permissive (0) or + enforce (1) mode. The default is enforce. + + ipe.success_audit= + [IPE] + Format: + Start IPE with success auditing enabled, emitting + an audit event when a binary is allowed. The default + is 0. + irqaffinity= [SMP] Set the default irq affinity mask The argument is a cpu list, as described above. diff --git a/Documentation/security/index.rst b/Documentation/security/index.rst index 6ed8d2fa6f9e..a5248d4fd510 100644 --- a/Documentation/security/index.rst +++ b/Documentation/security/index.rst @@ -18,3 +18,4 @@ Security Documentation digsig landlock secrets/index + ipe diff --git a/Documentation/security/ipe.rst b/Documentation/security/ipe.rst new file mode 100644 index 000000000000..6a47a2ab5e39 --- /dev/null +++ b/Documentation/security/ipe.rst @@ -0,0 +1,420 @@ +.. SPDX-License-Identifier: GPL-2.0 + +Integrity Policy Enforcement (IPE) - Kernel Documentation +========================================================= + +.. NOTE:: + + This is documentation targeted at developers, instead of administrators. + If you're looking for documentation on the usage of IPE, please see + `Documentation/admin-guide/LSM/ipe.rst` + +Historical Motivation +--------------------- + +The original issue that prompted IPE's implementation was the creation +of a locked-down system. This system would be born-secure, and have +strong integrity guarantees over both the executable code, and specific +*data files* on the system, that were critical to its function. These +specific data files would not be readable unless they passed integrity +policy. A mandatory access control system would be present, and +as a result, xattrs would have to be protected. This lead to a selection +of what would provide the integrity claims. At the time, there were two +main mechanisms considered that could guarantee integrity for the system +with these requirements: + + 1. IMA + EVM Signatures + 2. DM-Verity + +Both options were carefully considered, however the choice to use DM-Verity +over IMA+EVM as the *integrity mechanism* in the original use case of IPE +was due to three main reasons: + + 1. Protection of additional attack vectors: + + * With IMA+EVM, without an encryption solution, the system is vulnerable + to offline attack against the aforemetioned specific data files. + + Unlike executables, read operations (like those on the protected data + files), cannot be enforced to be globally integrtiy verified. This means + there must be some form of selector to determine whether a read should + enforce the integrity policy, or it should not. + + At the time, this was done with mandatory access control labels. An IMA + policy would indicate what labels required integrity verification, which + presented an issue: EVM would protect the label, but if an attacker could + modify filesystem offline, the attacker could wipe all the xattrs - + including the SELinux labels that would be used to determine whether the + file should be subject to integrity policy. + + With DM-Verity, as the xattrs are saved as part of the merkel tree, if + offline mount occurs against the filesystem protected by dm-verity, the + checksum no longer matches and the file fails to be read. + + * As userspace binaries are paged in Linux, dm-verity also offers the + additional protection against a hostile block device. In such an attack, + the block device reports the appropriate content for the IMA hash + initially, passing the required integrity check. Then, on the page fault + that accesses the real data, will report the attacker's payload. Since + dm-verity will check the data when the page fault occurs (and the disk + access), this attack is mitigated. + + 2. Performance: + + * dm-verity provides integrity verification on demand as blocks are + read versus requiring the entire file being read into memory for + validation. + + 3. Simplicity of signing: + + * No need for two signatures (IMA, then EVM): one signature covers + an entire block device. + * Signatures can be stored externally to the filesystem metadata. + * The signature supports an x.509-based signing infrastructure. + +The next step was to choose a *policy* to enforce the integrity mechanism. +The minimum requirements for the policy were: + + 1. The policy itself must be integrity verified (preventing trivial + attack against it). + 2. The policy itself must be resistant to rollback attacks. + 3. The policy enforcement must have a permissive-like mode. + 4. The policy must be able to be updated, in its entirety, without + a reboot. + 5. Policy updates must be atomic. + 6. The policy must support *revocations* of previously authored + components. + 7. The policy must be auditable, at any point-of-time. + +IMA, as the only integrity policy mechanism at the time, was +considered against these list of requirements, and did not fulfill +all of the minimum requirements. Extending IMA to cover these +requirements was considered, but ultimately discarded for a +two reasons: + + 1. Regression risk; many of these changes would result in + dramatic code changes to IMA, which is already present in the + kernel, and therefore might impact users. + + 2. IMA was used in the system for measurement and attestation; + separation of measurement policy from local integrity policy + enforcement was considered favorable. + +Due to these reasons, it was decided that a new LSM should be created, +whose responsibility would be only the local integrity policy enforcement. + +Role and Scope +-------------- + +IPE, as its name implies, is fundamentally an integrity policy enforcement +solution; IPE does not mandate how integrity is provided, but instead +leaves that decision to the system administrator to set the security bar, +via the mechanisms that they select that suit their individual needs. +There are several different integrity solutions that provide a different +level of security guarantees; and IPE allows sysadmins to express policy for +theoretically all of them. + +IPE does not have an inherent mechanism to ensure integrity on its own. +Instead, there are more effective layers available for building systems that +can guarantee integrity. It's important to note that the mechanism for proving +integrity is independent of the policy for enforcing that integrity claim. + +Therefore, IPE was designed around: + + 1. Easy integrations with integrity providers. + 2. Ease of use for platform administrators/sysadmins. + +Design Rationale: +----------------- + +IPE was designed after evaluating existing integrity policy solutions +in other operating systems and environments. In this survey of other +implementations, there were a few pitfalls identified: + + 1. Policies were not readable by humans, usually requiring a binary + intermediary format. + 2. A single, non-customizable action was implicitly taken as a default. + 3. Debugging the policy required manual steps to determine what rule was violated. + 4. Authoring a policy required an in-depth knowledge of the larger system, + or operating system. + +IPE attempts to avoid all of these pitfalls. + +Policy +~~~~~~ + +Plain Text +^^^^^^^^^^ + +IPE's policy is plain-text. This introduces slightly larger policy files than +other LSMs, but solves two major problems that occurs with some integrity policy +solutions on other platforms. + +The first issue is one of code maintenance and duplication. To author policies, +the policy has to be some form of string representation (be it structured, +through XML, JSON, YAML, etcetera), to allow the policy author to understand +what is being written. In a hypothetical binary policy design, a serializer +is necessary to write the policy from the human readable form, to the binary +form, and a deserializer is needed to interpret the binary form into a data +structure in the kernel. + +Eventually, another deserializer will be needed to transform the binary from +back into the human-readable form with as much information preserved. This is because a +user of this access control system will have to keep a lookup table of a checksum +and the original file itself to try to understand what policies have been deployed +on this system and what policies have not. For a single user, this may be alright, +as old policies can be discarded almost immediately after the update takes hold. +For users that manage computer fleets in the thousands, if not hundreds of thousands, +with multiple different operating systems, and multiple different operational needs, +this quickly becomes an issue, as stale policies from years ago may be present, +quickly resulting in the need to recover the policy or fund extensive infrastructure +to track what each policy contains. + +With now three separate serializer/deserializers, maintenance becomes costly. If the +policy avoids the binary format, there is only one required serializer: from the +human-readable form to the data structure in kernel, saving on code maintenance, +and retaining operability. + +The second issue with a binary format is one of transparency. As IPE controls +access based on the trust of the system's resources, it's policy must also be +trusted to be changed. This is done through signatures, resulting in needing +signing as a process. Signing, as a process, is typically done with a +high security bar, as anything signed can be used to attack integrity +enforcement systems. It is also important that, when signing something, that +the signer is aware of what they are signing. A binary policy can cause +obfuscation of that fact; what signers see is an opaque binary blob. A +plain-text policy, on the other hand, the signers see the actual policy +submitted for signing. + +Boot Policy +~~~~~~~~~~~ + +IPE, if configured appropriately, is able to enforce a policy as soon as a +kernel is booted and usermode starts. That implies some level of storage +of the policy to apply the minute usermode starts. Generally, that storage +can be handled in one of three ways: + + 1. The policy file(s) live on disk and the kernel loads the policy prior + to an code path that would result in an enforcement decision. + 2. The policy file(s) are passed by the bootloader to the kernel, who + parses the policy. + 3. There is a policy file that is compiled into the kernel that is + parsed and enforced on initialization. + +The first option has problems: the kernel reading files from userspace +is typically discouraged and very uncommon in the kernel. + +The second option also has problems: Linux supports a variety of bootloaders +across its entire ecosystem - every bootloader would have to support this +new methodology or there must be an independent source. It would likely +result in more drastic changes to the kernel startup than necessary. + +The third option is the best but it's important to be aware that the policy +will take disk space against the kernel it's compiled in. It's important to +keep this policy generalized enough that userspace can load a new, more +complicated policy, but restrictive enough that it will not overauthorize +and cause security issues. + +The initramfs provides a way that this bootup path can be established. The +kernel starts with a minimal policy, that trusts the initramfs only. Inside +the initramfs, when the real rootfs is mounted, but not yet transferred to, +it deploys and activates a policy that trusts the new root filesystem. +This prevents overauthorization at any step, and keeps the kernel policy +to a minimal size. + +Startup +^^^^^^^ + +Not every system, however starts with an initramfs, so the startup policy +compiled into the kernel will need some flexibility to express how trust +is established for the next phase of the bootup. To this end, if we just +make the compiled-in policy a full IPE policy, it allows system builders +to express the first stage bootup requirements appropriately. + +Updatable, Rebootless Policy +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +As requirements change over time (vulnerabilities are found in previously +trusted applications, keys roll, etcetera). Updating a kernel to change the +meet those security goals is not always a suitable option, as updates are not +always risk-free, and blocking a security update leaves systems vulnerable. +This means IPE requires a policy that can be completely updated (allowing +revocations of existing policy) from a source external to the kernel (allowing +policies to be updated without updating the kernel). + +Additionally, since the kernel is stateless between invocations, and reading +policy files off the disk from kernel space is a bad idea(tm), then the +policy updates have to be done rebootlessly. + +To allow an update from an external source, it could be potentially malicious, +so this policy needs to have a way to be identified as trusted. This is +done via a signature chained to a trust source in the kernel. Arbitrarily, +this is the ``SYSTEM_TRUSTED_KEYRING``, a keyring that is initially +populated at kernel compile-time, as this matches the expectation that the +author of the compiled-in policy described above is the same entity that can +deploy policy updates. + +Anti-Rollback / Anti-Replay +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Over time, vulnerabilities are found and trusted resources may not be +trusted anymore. IPE's policy has no exception to this. There can be +instances where a mistaken policy author deploys an insecure policy, +before correcting it with a secure policy. + +Assuming that as soon as the insecure policy is signed, and an attacker +acquires the insecure policy, IPE needs a way to prevent rollback +from the secure policy update to the insecure policy update. + +Initially, IPE's policy can have a policy_version that states the +minimum required version across all policies that can be active on +the system. This will prevent rollback while the system is live. + +.. WARNING:: + + However, since the kernel is stateless across boots, this policy + version will be reset to 0.0.0 on the next boot. System builders + need to be aware of this, and ensure the new secure policies are + deployed ASAP after a boot to ensure that the window of + opportunity is minimal for an attacker to deploy the insecure policy. + +Implicit Actions: +~~~~~~~~~~~~~~~~~ + +The issue of impicit actions only becomes visible when you consider +a mixed level of security bars across multiple operations in a system. +For example, consider a system that has strong integrity guarantees +over both the executable code, and specific *data files* on the system, +that were critical to its function. In this system, three types of policies +are possible: + + 1. A policy in which failure to match any rules in the policy results + in the action being denied. + 2. A policy in which failure to match any rules in the policy results + in the action being allowed. + 3. A policy in which the action taken when no rules are matched is + specified by the policy author. + +The first option could make a policy like this:: + + op=EXECUTE integrity_verified=YES action=ALLOW + +In the example system, this works well for the executables, as all +executables should have integrity guarantees, without exception. The +issue becomes with the second requirement about specific data files. +This would result in a policy like this (assuming each line is +evaluated in order):: + + op=EXECUTE integrity_verified=YES action=ALLOW + + op=READ integrity_verified=NO label=critical_t action=DENY + op=READ action=ALLOW + +This is somewhat clear if you read the docs, understand the policy +is executed in order and that the default is a denial; however, the +last line effectively changes that default to an ALLOW. This is +required, because in a realistic system, there are some unverified +reads (imagine appending to a log file). + +The second option, matching no rules results in an allow, is clearer +for the specific data files:: + + op=READ integrity_verified=NO label=critical_t action=DENY + +And, like the first option, falls short with the opposite scenario, +effectively needing to override the default:: + + op=EXECUTE integrity_verified=YES action=ALLOW + op=EXECUTE action=DENY + + op=READ integrity_verified=NO label=critical_t action=DENY + +This leaves the third option. Instead of making users be clever +and override the default with an empty rule, force the end-user +to consider what the appropriate default should be for their +scenario and explicitly state it:: + + DEFAULT op=EXECUTE action=DENY + op=EXECUTE integrity_verified=YES action=ALLOW + + DEFAULT op=READ action=ALLOW + op=READ integrity_verified=NO label=critical_t action=DENY + +Policy Debugging: +~~~~~~~~~~~~~~~~~ + +When developing a policy, it is useful to know what line of the policy +is being violated to reduce debugging costs; narrowing the scope of the +investigation to the exact line that resulted in the action. Some integrity +policy systems do not provide this information, instead providing the +information that was used in the evaluation. This then requires a correlation +with the policy to evaluate what went wrong. + +Instead, IPE just emits the rule that was matched. This limits the scope +of the investigation to the exact policy line (in the case of a specific +rule), or the section (in the case of a DEFAULT). This decreases iteration +and investigation times when policy failures are observed while evaluating +policies. + +IPE's policy engine is also designed in a way that it makes it obvious to +a human of how to investigate a policy failure. Each line is evaluated in +the sequence that is written, so the algorithm is very simple to follow +for humans to recreate the steps and could have caused the failure. In other +surveyed systems, optimizations occur (sorting rules, for instance) when loading +the policy. In those systems, it requires multiple steps to debug, and the +algorithm may not always be clear to the end-user without reading the code first. + +Simplified Policy: +~~~~~~~~~~~~~~~~~~ + +Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead +of covering individual LSM hooks (or syscalls), IPE covers operations. This means +instead of sysadmins needing to know that the syscalls ``mmap``, ``mprotect``, +``execve``, and ``uselib`` must have rules protecting them, they must simple know +that they want to restrict code execution. This limits the amount of bypasses that +could occur due to a lack of knowledge of the underlying system; whereas the +maintainers of IPE, being kernel developers can make the correct choice to determine +whether something maps to these operations, and under what conditions. + +Implementation Notes +-------------------- + +Anonymous Memory +~~~~~~~~~~~~~~~~ + +Anonymous memory isn't treated any differently from any other access in IPE. +When anonymous memory is mapped with ``+X``, it still comes into the ``file_mmap`` +or ``file_mprotect`` hook, but with a ``NULL`` file object. This is submitted to +the evaluation, like any other file, however, all current trust mechanisms will +return false as there is nothing to evaluate. This means anonymous memory +execution is subject to whatever the ``DEFAULT`` is for ``EXECUTE``. + +.. WARNING:: + + This also occurs with the ``kernel_load_data`` hook, which is used by signed + and compressed kernel modules. Using signed and compressed kernel modules with + IPE will always result in the ``DEFAULT`` action for ``KMODULE``. + +Securityfs Interface +~~~~~~~~~~~~~~~~~~~~ + +The per-policy securityfs tree is somewhat unique. For example, for +a standard securityfs policy tree:: + + MyPolicy + |- active + |- delete + |- name + |- pkcs7 + |- policy + |- update + |- version + +The policy is stored in the ``->i_private`` data of the MyPolicy inode. + +Tests +----- + +IPE has KUnit Tests, testing primarily the parser. In addition, IPE has a +python based integration test suits that can test both user interfaces and +enforcement functionalities. diff --git a/MAINTAINERS b/MAINTAINERS index 18b1aeea6306..c62d546baf00 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -10394,6 +10394,8 @@ M: Fan Wu L: linux-security-module@vger.kernel.org S: Supported T: git https://github.com/microsoft/ipe.git +F: Documentation/admin-guide/LSM/ipe.rst +F: Documentation/security/ipe.rst F: scripts/ipe/ F: security/ipe/ -- 2.25.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 665DAE936F1 for ; Wed, 4 Oct 2023 22:15:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1696457731; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=+26mhhLiZEhff3+YIBtBPykv2QwIWbiqlMHIwAsfPnA=; b=Ox9vJq5hnkHwFKQuchS6p377ckZMdSbfbImRh2bLv8H43wPZNHHj0DqbsdArMhDophEBB5 TiELgfYYGyBfDVbbcrc7Oyu9D9plQRsQmICXp9sIhnEX7R0WXpnRk34vbbJjRiN09vUMFK 8pUx209v6Se0CIOuwE5tTK6GB6Q4NoM= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-454-54UG_7wPOlacbdGC3G4v2w-1; Wed, 04 Oct 2023 18:15:27 -0400 X-MC-Unique: 54UG_7wPOlacbdGC3G4v2w-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 46AB985A5BE; Wed, 4 Oct 2023 22:15:21 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2E146215670B; Wed, 4 Oct 2023 22:15:21 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 21DA91946597; Wed, 4 Oct 2023 22:15:21 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 4C43A194658F for ; Wed, 4 Oct 2023 22:15:20 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 3C9D940C2018; Wed, 4 Oct 2023 22:15:20 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast08.extmail.prod.ext.rdu2.redhat.com [10.11.55.24]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3436940C2017 for ; Wed, 4 Oct 2023 22:15:20 +0000 (UTC) Received: from us-smtp-inbound-delivery-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 021AB3801EFF for ; Wed, 4 Oct 2023 22:15:20 +0000 (UTC) Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by relay.mimecast.com with ESMTP id us-mta-550-qBMA0nDAOE-DSbxruRFZ_g-1; Wed, 04 Oct 2023 18:15:08 -0400 X-MC-Unique: qBMA0nDAOE-DSbxruRFZ_g-1 Received: by linux.microsoft.com (Postfix, from userid 1052) id 44DE520B74E5; Wed, 4 Oct 2023 15:09:50 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com 44DE520B74E5 From: Fan Wu To: corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org, serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org, axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org, eparis@redhat.com, paul@paul-moore.com Date: Wed, 4 Oct 2023 15:09:46 -0700 Message-Id: <1696457386-3010-20-git-send-email-wufan@linux.microsoft.com> In-Reply-To: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> References: <1696457386-3010-1-git-send-email-wufan@linux.microsoft.com> MIME-Version: 1.0 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 Subject: [dm-devel] [RFC PATCH v11 19/19] documentation: add ipe documentation X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dm-devel@redhat.com, linux-doc@vger.kernel.org, Deven Bowers , roberto.sassu@huawei.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, audit@vger.kernel.org, linux-fscrypt@vger.kernel.org, Fan Wu , linux-integrity@vger.kernel.org Errors-To: dm-devel-bounces@redhat.com Sender: "dm-devel" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.6 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: linux.microsoft.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 RnJvbTogRGV2ZW4gQm93ZXJzIDxkZXZlbi5kZXNhaUBsaW51eC5taWNyb3NvZnQuY29tPgoKQWRk IElQRSdzIGFkbWluIGFuZCBkZXZlbG9wZXIgZG9jdW1lbnRhdGlvbiB0byB0aGUga2VybmVsIHRy ZWUuCgpDby1kZXZlbG9wZWQtYnk6IEZhbiBXdSA8d3VmYW5AbGludXgubWljcm9zb2Z0LmNvbT4K U2lnbmVkLW9mZi1ieTogRGV2ZW4gQm93ZXJzIDxkZXZlbi5kZXNhaUBsaW51eC5taWNyb3NvZnQu Y29tPgpTaWduZWQtb2ZmLWJ5OiBGYW4gV3UgPHd1ZmFuQGxpbnV4Lm1pY3Jvc29mdC5jb20+Ci0t LQp2MjoKICArIE5vIENoYW5nZXMKCnYzOgogICsgQWRkIEFja2VkLWJ5CiAgKyBGaXh1cCBjb2Rl IGJsb2NrIHN5bnRheAogICsgRml4IGEgbWlub3IgZ3JhbW1hdGljYWwgaXNzdWUuCgp2NDoKICAr IFVwZGF0ZSBkb2N1bWVudGF0aW9uIHdpdGggdGhlIHJlc3VsdHMgb2Ygb3RoZXIKICAgIGNvZGUg Y2hhbmdlcy4KCnY1OgogICsgTm8gY2hhbmdlcwoKdjY6CiAgKyBObyBjaGFuZ2VzCgp2NzoKICAr IEFkZCBhZGRpdGlvbmFsIGRldmVsb3Blci1sZXZlbCBkb2N1bWVudGF0aW9uCiAgKyBVcGRhdGUg YWRtaW4tZ3VpZGUgZG9jcyB0byByZWZsZWN0IGNoYW5nZXMuCiAgKyBEcm9wIEFja2VkLWJ5IGR1 ZSB0byBzaWduaWZpY2FudCBjaGFuZ2VzCiAgKyBBZGRlZCBzZWN0aW9uIGFib3V0IGF1ZGl0IGV2 ZW50cyBpbiBhZG1pbi1ndWlkZQoKdjg6CiAgKyBDb3JyZWN0IHRlcm1pbm9sb2d5IGZyb20gImF1 ZGl0IGV2ZW50IiB0byAiYXVkaXQgcmVjb3JkIgogICsgQWRkIGFzc29jaWF0ZWQgZG9jdW1lbnRh dGlvbiB3aXRoIHRoZSBjb3JyZWN0ICJhdWRpdCBldmVudCIKICAgIHRlcm1pbm9sb2d5LgogICsg QWRkIHNvbWUgY29udGV4dCB0byB0aGUgaGlzdG9yaWNhbCBtb3RpdmF0aW9uIGZvciBJUEUgYW5k IGRlc2lnbgogICAgcGhpbG9zb3BoeS4KICArIEFkZCBzb21lIGNvbnRlbnQgYWJvdXQgdGhlIHNl Y3VyaXR5ZnMgbGF5b3V0IGluIHRoZSBwb2xpY2llcwogICAgZGlyZWN0b3J5LgogICsgVmFyaW91 cyBzcGVsbGluZyBhbmQgZ3JhbW1hdGljYWwgY29ycmVjdGlvbnMuCgp2OToKICArIENvcnJlY3Qg c3BlbGxpbmcgb2YgInBpdGZhbGxzIgogICsgVXBkYXRlIHRoZSBkb2NzIHcuci50IHRoZSBuZXcg cGFyc2VyIGFuZCBuZXcgYXVkaXQgZm9ybWF0cwoKdjEwOgogICsgUmVmaW5lIHVzZXIgZG9jcyBw ZXIgdXBzdHJlYW0gc3VnZ2V0aW9ucwogICsgVXBkYXRlIGF1ZGl0IGV2ZW50cyBwYXJ0Cgp2MTE6 CiAgKyBObyBjaGFuZ2VzCi0tLQogRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9MU00vaW5kZXgu cnN0ICAgICAgIHwgICAxICsKIERvY3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5yc3Qg ICAgICAgICB8IDc1MiArKysrKysrKysrKysrKysrKysKIC4uLi9hZG1pbi1ndWlkZS9rZXJuZWwt cGFyYW1ldGVycy50eHQgICAgICAgICB8ICAxMiArCiBEb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lu ZGV4LnJzdCAgICAgICAgICAgICAgfCAgIDEgKwogRG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pcGUu cnN0ICAgICAgICAgICAgICAgIHwgNDIwICsrKysrKysrKysKIE1BSU5UQUlORVJTICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgMiArCiA2IGZpbGVzIGNoYW5nZWQsIDExODgg aW5zZXJ0aW9ucygrKQogY3JlYXRlIG1vZGUgMTAwNjQ0IERvY3VtZW50YXRpb24vYWRtaW4tZ3Vp ZGUvTFNNL2lwZS5yc3QKIGNyZWF0ZSBtb2RlIDEwMDY0NCBEb2N1bWVudGF0aW9uL3NlY3VyaXR5 L2lwZS5yc3QKCmRpZmYgLS1naXQgYS9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pbmRl eC5yc3QgYi9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pbmRleC5yc3QKaW5kZXggYTZi YTk1ZmJhYTlmLi5jZTYzYmU2ZDY0YWQgMTAwNjQ0Ci0tLSBhL0RvY3VtZW50YXRpb24vYWRtaW4t Z3VpZGUvTFNNL2luZGV4LnJzdAorKysgYi9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9p bmRleC5yc3QKQEAgLTQ3LDMgKzQ3LDQgQEAgc3ViZGlyZWN0b3JpZXMuCiAgICB0b21veW8KICAg IFlhbWEKICAgIFNhZmVTZXRJRAorICAgaXBlCmRpZmYgLS1naXQgYS9Eb2N1bWVudGF0aW9uL2Fk bWluLWd1aWRlL0xTTS9pcGUucnN0IGIvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9MU00vaXBl LnJzdApuZXcgZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAuLmRhNTlmNzg0Mjdm YQotLS0gL2Rldi9udWxsCisrKyBiL0RvY3VtZW50YXRpb24vYWRtaW4tZ3VpZGUvTFNNL2lwZS5y c3QKQEAgLTAsMCArMSw3NTIgQEAKKy4uIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBHUEwtMi4w CisKK0ludGVncml0eSBQb2xpY3kgRW5mb3JjZW1lbnQgKElQRSkKKz09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT0KKworLi4gTk9URTo6CisKKyAgIFRoaXMgaXMgdGhlIGRvY3VtZW50 YXRpb24gZm9yIGFkbWlucywgc3lzdGVtIGJ1aWxkZXJzLCBvciBpbmRpdmlkdWFscworICAgYXR0 ZW1wdGluZyB0byB1c2UgSVBFLiBJZiB5b3UncmUgbG9va2luZyBmb3IgbW9yZSBkZXZlbG9wZXIt Zm9jdXNlZAorICAgZG9jdW1lbnRhdGlvbiBhYm91dCBJUEUgcGxlYXNlIHNlZSBgRG9jdW1lbnRh dGlvbi9zZWN1cml0eS9pcGUucnN0YAorCitPdmVydmlldworLS0tLS0tLS0KKworSVBFIGlzIGEg TGludXggU2VjdXJpdHkgTW9kdWxlIHdoaWNoIHRha2VzIGEgY29tcGxpbWVudGFyeSBhcHByb2Fj aCB0bworYWNjZXNzIGNvbnRyb2wuIFdoZXJlYXMgZXhpc3RpbmcgbWFuZGF0b3J5IGFjY2VzcyBj b250cm9sIG1lY2hhbmlzbXMKK2Jhc2UgdGhlaXIgZGVjaXNpb25zIG9uIGxhYmVscyBhbmQgcGF0 aHMsIElQRSBpbnN0ZWFkIGRldGVybWluZXMKK3doZXRoZXIgb3Igbm90IGFuIG9wZXJhdGlvbiBz aG91bGQgYmUgYWxsb3dlZCBiYXNlZCBvbiBpbW11dGFibGUKK3NlY3VyaXR5IHByb3BlcnRpZXMg b2YgdGhlIHN5c3RlbSBjb21wb25lbnQgdGhlIG9wZXJhdGlvbiBpcyBiZWluZworcGVyZm9ybWVk IG9uLgorCitJUEUgaXRzZWxmIGRvZXMgbm90IG1hbmRhdGUgaG93IHRoZSBzZWN1cml0eSBwcm9w ZXJ0eSBzaG91bGQgYmUKK2V2YWx1YXRlZCwgYnV0IHJlbGllcyBvbiBhbiBleHRlbnNpYmxlIHNl dCBvZiBleHRlcm5hbCBwcm9wZXJ0eSBwcm92aWRlcnMKK3RvIGV2YWx1YXRlIHRoZSBjb21wb25l bnQuIElQRSBtYWtlcyBpdHMgZGVjaXNpb24gYmFzZWQgb24gcmVmZXJlbmNlCit2YWx1ZXMgZm9y IHRoZSBzZWxlY3RlZCBwcm9wZXJ0aWVzLCBzcGVjaWZpZWQgaW4gdGhlIElQRSBwb2xpY3kuCisK K1RoZSByZWZlcmVuY2UgdmFsdWVzIHJlcHJlc2VudCB0aGUgdmFsdWUgdGhhdCB0aGUgcG9saWN5 IHdyaXRlciBhbmQgdGhlCitsb2NhbCBzeXN0ZW0gYWRtaW5pc3RyYXRvciAoYmFzZWQgb24gdGhl IHBvbGljeSBzaWduYXR1cmUpIHRydXN0IGZvciB0aGUKK3N5c3RlbSB0byBhY2NvbXBsaXNoIHRo ZSBkZXNpcmVkIHRhc2tzLgorCitPbmUgc3VjaCBwcm92aWRlciBpcyBmb3IgZXhhbXBsZSBkbS12 ZXJpdHksIHdoaWNoIGlzIGFibGUgdG8gcmVwcmVzZW50Cit0aGUgaW50ZWdyaXR5IHByb3BlcnR5 IG9mIGEgcGFydGl0aW9uIChpdHMgaW1tdXRhYmxlIHN0YXRlKSB3aXRoIGEgZGlnZXN0LgorCitU byBlbmFibGUgSVBFLCBlbnN1cmUgdGhhdCBgYENPTkZJR19TRUNVUklUWV9JUEVgYCAodW5kZXIK KzptZW51c2VsZWN0aW9uOmBTZWN1cml0eSAtPiBJbnRlZ3JpdHkgUG9saWN5IEVuZm9yY2VtZW50 IChJUEUpYCkgY29uZmlnCitvcHRpb24gaXMgZW5hYmxlZC4KKworVXNlIENhc2VzCistLS0tLS0t LS0KKworSVBFIHdvcmtzIGJlc3QgaW4gZml4ZWQtZnVuY3Rpb24gZGV2aWNlczogZGV2aWNlcyBp biB3aGljaCB0aGVpciBwdXJwb3NlCitpcyBjbGVhcmx5IGRlZmluZWQgYW5kIG5vdCBzdXBwb3Nl ZCB0byBiZSBjaGFuZ2VkIChlLmcuIG5ldHdvcmsgZmlyZXdhbGwKK2RldmljZSBpbiBhIGRhdGEg Y2VudGVyLCBhbiBJb1QgZGV2aWNlLCBldGNldGVyYSksIHdoZXJlIGFsbCBzb2Z0d2FyZSBhbmQK K2NvbmZpZ3VyYXRpb24gaXMgYnVpbHQgYW5kIHByb3Zpc2lvbmVkIGJ5IHRoZSBzeXN0ZW0gb3du ZXIuCisKK0lQRSBpcyBhIGxvbmctd2F5IG9mZiBmb3IgdXNlIGluIGdlbmVyYWwtcHVycG9zZSBj b21wdXRpbmc6IHRoZSBMaW51eAorY29tbXVuaXR5IGFzIGEgd2hvbGUgdGVuZHMgdG8gZm9sbG93 IGEgZGVjZW50cmFsaXplZCB0cnVzdCBtb2RlbCAoa25vd24gYXMKK3RoZSB3ZWIgb2YgdHJ1c3Qp LCB3aGljaCBJUEUgaGFzIG5vIHN1cHBvcnQgZm9yIGl0IHlldC4gSW5zdGVhZCwgSVBFCitzdXBw b3J0cyBQS0kgKHB1YmxpYyBrZXkgaW5mcmFzdHJ1Y3R1cmUpLCB3aGljaCBnZW5lcmFsbHkgZGVz aWduYXRlcyBhCitzZXQgb2YgdHJ1c3RlZCBlbnRpdGllcyB0aGF0IHByb3ZpZGUgYSBtZWFzdXJl IG9mIGFic29sdXRlIHRydXN0LgorCitBZGRpdGlvbmFsbHksIHdoaWxlIG1vc3QgcGFja2FnZXMg YXJlIHNpZ25lZCB0b2RheSwgdGhlIGZpbGVzIGluc2lkZQordGhlIHBhY2thZ2VzIChmb3IgaW5z dGFuY2UsIHRoZSBleGVjdXRhYmxlcyksIHRlbmQgdG8gYmUgdW5zaWduZWQuIFRoaXMKK21ha2Vz IGl0IGRpZmZpY3VsdCB0byB1dGlsaXplIElQRSBpbiBzeXN0ZW1zIHdoZXJlIGEgcGFja2FnZSBt YW5hZ2VyIGlzCitleHBlY3RlZCB0byBiZSBmdW5jdGlvbmFsLCB3aXRob3V0IG1ham9yIGNoYW5n ZXMgdG8gdGhlIHBhY2thZ2UgbWFuYWdlcgorYW5kIGVjb3N5c3RlbSBiZWhpbmQgaXQuCisKK0RJ R0xJTSBbI2RpZ2xpbV1fIGlzIGEgc3lzdGVtIHRoYXQgd2hlbiBjb21iaW5lZCB3aXRoIElQRSwg Y291bGQgYmUgdXNlZCB0bworZW5hYmxlIGFuZCBzdXBwb3J0IGdlbmVyYWwtcHVycG9zZSBjb21w dXRpbmcgdXNlIGNhc2VzLgorCitLbm93biBMaW1pdGF0aW9ucworLS0tLS0tLS0tLS0tLS0tLS0K KworSVBFIGNhbm5vdCB2ZXJpZnkgdGhlIGludGVncml0eSBvZiBhbm9ueW1vdXMgZXhlY3V0YWJs ZSBtZW1vcnksIHN1Y2ggYXMKK3RoZSB0cmFtcG9saW5lcyBjcmVhdGVkIGJ5IGdjYyBjbG9zdXJl cyBhbmQgbGliZmZpICg8My40LjIpLCBvciBKSVQnZCBjb2RlLgorVW5mb3J0dW5hdGVseSwgYXMg dGhpcyBpcyBkeW5hbWljYWxseSBnZW5lcmF0ZWQgY29kZSwgdGhlcmUgaXMgbm8gd2F5Citmb3Ig SVBFIHRvIGVuc3VyZSB0aGUgaW50ZWdyaXR5IG9mIHRoaXMgY29kZSB0byBmb3JtIGEgdHJ1c3Qg YmFzaXMuIEluIGFsbAorY2FzZXMsIHRoZSByZXR1cm4gcmVzdWx0IGZvciB0aGVzZSBvcGVyYXRp b25zIHdpbGwgYmUgd2hhdGV2ZXIgdGhlIGFkbWluCitjb25maWd1cmVzIGFzIHRoZSBgYERFRkFV TFRgYCBhY3Rpb24gZm9yIGBgRVhFQ1VURWBgLgorCitJUEUgY2Fubm90IHZlcmlmeSB0aGUgaW50 ZWdyaXR5IG9mIHByb2dyYW1zIHdyaXR0ZW4gaW4gaW50ZXJwcmV0ZWQKK2xhbmd1YWdlcyB3aGVu IHRoZXNlIHNjcmlwdHMgYXJlIGludm9rZWQgYnkgcGFzc2luZyB0aGVzZSBwcm9ncmFtIGZpbGVz Cit0byB0aGUgaW50ZXJwcmV0ZXIuIFRoaXMgaXMgYmVjYXVzZSB0aGUgd2F5IGludGVycHJldGVy cyBleGVjdXRlIHRoZXNlCitmaWxlczsgdGhlIHNjcmlwdHMgdGhlbXNlbHZlcyBhcmUgbm90IGV2 YWx1YXRlZCBhcyBleGVjdXRhYmxlIGNvZGUKK3Rocm91Z2ggb25lIG9mIElQRSdzIGhvb2tzLCBi dXQgdGhleSBhcmUgbWVyZWx5IHRleHQgZmlsZXMgdGhhdCBhcmUgcmVhZAorKGFzIG9wcG9zZWQg dG8gY29tcGlsZWQgZXhlY3V0YWJsZXMpIFsjaW50ZXJwcmV0ZXJzXV8uCisKK1RocmVhdCBNb2Rl bAorLS0tLS0tLS0tLS0tCisKK1RoZSB0aHJlYXQgdHlwZSBhZGRyZXNzZWQgYnkgSVBFIGlzIHRh bXBlcmluZyBvZiBleGVjdXRhYmxlIHVzZXJzcGFjZQorY29kZSBiZXlvbmQgdGhlIGluaXRpYWxs eSBib290ZWQga2VybmVsLCBhbmQgdGhlIGluaXRpYWwgdmVyaWZpY2F0aW9uIG9mCitrZXJuZWwg bW9kdWxlcyB0aGF0IGFyZSBsb2FkZWQgaW4gdXNlcnNwYWNlIHRocm91Z2ggYGBtb2Rwcm9iZWBg IG9yCitgYGluc21vZGBgLgorCitBIGJhcmUtbWluaW11bSBleGFtcGxlIG9mIGEgdGhyZWF0IHRo YXQgc2hvdWxkIGJlIG1pdGlnYXRlZCBieSBJUEUsIGlzCithbiB1bnRydXN0ZWQgKHBvdGVudGlh bGx5IG1hbGljaW91cykgYmluYXJ5IHRoYXQgaXMgZG93bmxvYWRlZCBhbmQKK2J1bmRsZWQgd2l0 aCBhbGwgcmVxdWlyZWQgZGVwZW5kZW5jaWVzIChpbmNsdWRpbmcgYSBsb2FkZXIsIGxpYmMsIGV0 YykuCitXaXRoIElQRSwgdGhpcyBiaW5hcnkgc2hvdWxkIG5vdCBiZSBhbGxvd2VkIHRvIGJlIGV4 ZWN1dGVkLCBub3QgZXZlbiBhbnkKK29mIGl0cyBkZXBlbmRlbmNpZXMuCisKK1RhbXBlcmluZyB2 aW9sYXRlcyBpbnRlZ3JpdHksIHlldCBsYWNrIG9mIHRydXN0IGlzIGNhdXNlZCBieSBiZWluZwor dW5hYmxlIHRvIGRldGVjdCB0YW1wZXJpbmcgKGFuZCBieSBleHRlbnQgdmVyaWZ5aW5nIHRoZSBp bnRlZ3JpdHkpLgorSVBFJ3Mgcm9sZSBpbiBtaXRpZ2F0aW5nIHRoaXMgdGhyZWF0IGlzIHRvIHZl cmlmeSB0aGUgaW50ZWdyaXR5IChhbmQKK2F1dGhlbnRpY2l0eSkgb2YgYWxsIGV4ZWN1dGFibGUg Y29kZSBhbmQgdG8gZGVueSB0aGVpciB1c2UgaWYgdGhleQorY2Fubm90IGJlIHRydXN0ZWQgKGFz IGludGVncml0eSB2ZXJpZmljYXRpb24gZmFpbHMsIG9yIHRoZSBhdXRob3JpemF0aW9uCitjaGVj ayBmYWlscyBhZ2FpbnN0IHRoZSByZWZlcmVuY2UgdmFsdWUgaW4gdGhlIHBvbGljeSkuIElQRSBn ZW5lcmF0ZXMKK2F1ZGl0IGxvZ3Mgd2hpY2ggbWF5IGJlIHV0aWxpemVkIHRvIGRldGVjdCBhbmQg YW5hbHl6ZSBmYWlsdXJlcworcmVzdWx0aW5nIGZyb20gcG9saWN5IHZpb2xhdGlvbi4KKworVGFt cGVyaW5nIHRocmVhdCBzY2VuYXJpb3MgaW5jbHVkZSBtb2RpZmljYXRpb24gb3IgcmVwbGFjZW1l bnQgb2YKK2V4ZWN1dGFibGUgY29kZSBieSBhIHJhbmdlIG9mIGFjdG9ycyBpbmNsdWRpbmc6CisK Ky0gIEFjdG9ycyB3aXRoIHBoeXNpY2FsIGFjY2VzcyB0byB0aGUgaGFyZHdhcmUKKy0gIEFjdG9y cyB3aXRoIGxvY2FsIG5ldHdvcmsgYWNjZXNzIHRvIHRoZSBzeXN0ZW0KKy0gIEFjdG9ycyB3aXRo IGFjY2VzcyB0byB0aGUgZGVwbG95bWVudCBzeXN0ZW0KKy0gIENvbXByb21pc2VkIGludGVybmFs IHN5c3RlbXMgdW5kZXIgZXh0ZXJuYWwgY29udHJvbAorLSAgTWFsaWNpb3VzIGVuZCB1c2VycyBv ZiB0aGUgc3lzdGVtCistICBDb21wcm9taXNlZCBlbmQgdXNlcnMgb2YgdGhlIHN5c3RlbQorLSAg UmVtb3RlIChleHRlcm5hbCkgY29tcHJvbWlzZSBvZiB0aGUgc3lzdGVtCisKK0lQRSBkb2VzIG5v dCBtaXRpZ2F0ZSB0aHJlYXRzIGFyaXNpbmcgZnJvbSBtYWxpY2lvdXMgYnV0IGF1dGhvcml6ZWQK K2RldmVsb3BlcnMgKHdpdGggYWNjZXNzIHRvIGEgc2lnbmluZyBjZXJ0aWZpY2F0ZSksIG9yIGNv bXByb21pc2VkCitkZXZlbG9wZXIgdG9vbHMgdXNlZCBieSB0aGVtIChpLmUuIHJldHVybi1vcmll bnRlZCBwcm9ncmFtbWluZyBhdHRhY2tzKS4KK0FkZGl0aW9uYWxseSwgSVBFIGRyYXdzIGhhcmQg c2VjdXJpdHkgYm91bmRhcnkgYmV0d2VlbiB1c2Vyc3BhY2UgYW5kCitrZXJuZWxzcGFjZS4gQXMg YSByZXN1bHQsIElQRSBkb2VzIG5vdCBwcm92aWRlIGFueSBwcm90ZWN0aW9ucyBhZ2FpbnN0IGEK K2tlcm5lbCBsZXZlbCBleHBsb2l0LCBhbmQgYSBrZXJuZWwtbGV2ZWwgZXhwbG9pdCBjYW4gZGlz YWJsZSBvciB0YW1wZXIKK3dpdGggSVBFJ3MgcHJvdGVjdGlvbnMuCisKK1BvbGljeQorLS0tLS0t CisKK0lQRSBwb2xpY3kgaXMgYSBwbGFpbi10ZXh0IFsjZGV2ZG9jXV8gcG9saWN5IGNvbXBvc2Vk IG9mIG11bHRpcGxlIHN0YXRlbWVudHMKK292ZXIgc2V2ZXJhbCBsaW5lcy4gVGhlcmUgaXMgb25l IHJlcXVpcmVkIGxpbmUsIGF0IHRoZSB0b3Agb2YgdGhlCitwb2xpY3ksIGluZGljYXRpbmcgdGhl IHBvbGljeSBuYW1lLCBhbmQgdGhlIHBvbGljeSB2ZXJzaW9uLCBmb3IKK2luc3RhbmNlOjoKKwor ICAgcG9saWN5X25hbWU9RXhfUG9saWN5IHBvbGljeV92ZXJzaW9uPTAuMC4wCisKK1RoZSBwb2xp Y3kgbmFtZSBpcyBhIHVuaXF1ZSBrZXkgaWRlbnRpZnlpbmcgdGhpcyBwb2xpY3kgaW4gYSBodW1h bgorcmVhZGFibGUgbmFtZS4gVGhpcyBpcyB1c2VkIHRvIGNyZWF0ZSBub2RlcyB1bmRlciBzZWN1 cml0eWZzIGFzIHdlbGwgYXMKK3VuaXF1ZWx5IGlkZW50aWZ5IHBvbGljaWVzIHRvIGRlcGxveSBu ZXcgcG9saWNpZXMgdnMgdXBkYXRlIGV4aXN0aW5nCitwb2xpY2llcy4KKworVGhlIHBvbGljeSB2 ZXJzaW9uIGluZGljYXRlcyB0aGUgY3VycmVudCB2ZXJzaW9uIG9mIHRoZSBwb2xpY3kgKE5PVCB0 aGUKK3BvbGljeSBzeW50YXggdmVyc2lvbikuIFRoaXMgaXMgdXNlZCB0byBwcmV2ZW50IHJvbGxi YWNrIG9mIHBvbGljeSB0bworcG90ZW50aWFsbHkgaW5zZWN1cmUgcHJldmlvdXMgdmVyc2lvbnMg b2YgdGhlIHBvbGljeS4KKworVGhlIG5leHQgcG9ydGlvbiBvZiBJUEUgcG9saWN5IGFyZSBydWxl cy4gUnVsZXMgYXJlIGZvcm1lZCBieSBrZXk9dmFsdWUKK3BhaXJzLCBrbm93biBhcyBwcm9wZXJ0 aWVzLiBJUEUgcnVsZXMgcmVxdWlyZSB0d28gcHJvcGVydGllczogYGBhY3Rpb25gYCwKK3doaWNo IGRldGVybWluZXMgd2hhdCBJUEUgZG9lcyB3aGVuIGl0IGVuY291bnRlcnMgYSBtYXRjaCBhZ2Fp bnN0IHRoZQorcnVsZSwgYW5kIGBgb3BgYCwgd2hpY2ggZGV0ZXJtaW5lcyB3aGVuIHRoZSBydWxl IHNob3VsZCBiZSBldmFsdWF0ZWQuCitUaGUgb3JkZXJpbmcgaXMgc2lnbmlmaWNhbnQsIGEgcnVs ZSBtdXN0IHN0YXJ0IHdpdGggYGBvcGBgLCBhbmQgZW5kIHdpdGgKK2BgYWN0aW9uYGAuIFRodXMs IGEgbWluaW1hbCBydWxlIGlzOjoKKworICAgb3A9RVhFQ1VURSBhY3Rpb249QUxMT1cKKworVGhp cyBleGFtcGxlIHdpbGwgYWxsb3cgYW55IGV4ZWN1dGlvbi4gQWRkaXRpb25hbCBwcm9wZXJ0aWVz IGFyZSB1c2VkIHRvCityZXN0cmljdCBhdHRyaWJ1dGVzIGFib3V0IHRoZSBmaWxlcyBiZWluZyBl dmFsdWF0ZWQuIFRoZXNlIHByb3BlcnRpZXMKK2FyZSBpbnRlbmRlZCB0byBiZSBkZXNjcmlwdGlv bnMgb2Ygc3lzdGVtcyB3aXRoaW4gdGhlIGtlcm5lbCB0aGF0IGNhbgorcHJvdmlkZSBhIG1lYXN1 cmUgb2YgaW50ZWdyaXR5IHZlcmlmaWNhdGlvbiwgc3VjaCB0aGF0IElQRSBjYW4gZGV0ZXJtaW5l Cit0aGUgdHJ1c3Qgb2YgdGhlIHJlc291cmNlIGJhc2VkIG9uIHRoZSB2YWx1ZSBvZiB0aGUgcHJv cGVydHkuCisKK1J1bGVzIGFyZSBldmFsdWF0ZWQgdG9wLXRvLWJvdHRvbS4gQXMgYSByZXN1bHQs IGFueSByZXZvY2F0aW9uIHJ1bGVzLAorb3IgZGVuaWVzIHNob3VsZCBiZSBwbGFjZWQgZWFybHkg aW4gdGhlIGZpbGUgdG8gZW5zdXJlIHRoYXQgdGhlc2UgcnVsZXMKK2FyZSBldmFsdWF0ZWQgYmVm b3JlIGEgcnVsZSB3aXRoIGBgYWN0aW9uPUFMTE9XYGAuCisKK0lQRSBwb2xpY3kgc3VwcG9ydHMg Y29tbWVudHMuIFRoZSBjaGFyYWN0ZXIgJyMnIHdpbGwgZnVuY3Rpb24gYXMgYQorY29tbWVudCwg aWdub3JpbmcgYWxsIGNoYXJhY3RlcnMgdG8gdGhlIHJpZ2h0IG9mICcjJyB1bnRpbCB0aGUgbmV3 bGluZS4KKworVGhlIGRlZmF1bHQgYmVoYXZpb3Igb2YgSVBFIGV2YWx1YXRpb25zIGNhbiBhbHNv IGJlIGV4cHJlc3NlZCBpbiBwb2xpY3ksCit0aHJvdWdoIHRoZSBgYERFRkFVTFRgYCBzdGF0ZW1l bnQuIFRoaXMgY2FuIGJlIGRvbmUgYXQgYSBnbG9iYWwgbGV2ZWwsCitvciBhIHBlci1vcGVyYXRp b24gbGV2ZWw6OgorCisgICAjIEdsb2JhbAorICAgREVGQVVMVCBhY3Rpb249QUxMT1cKKworICAg IyBPcGVyYXRpb24gU3BlY2lmaWMKKyAgIERFRkFVTFQgb3A9RVhFQ1VURSBhY3Rpb249QUxMT1cK KworQSBkZWZhdWx0IG11c3QgYmUgc2V0IGZvciBhbGwga25vd24gb3BlcmF0aW9ucyBpbiBJUEUu IElmIHlvdSB3YW50IHRvCitwcmVzZXJ2ZSBvbGRlciBwb2xpY2llcyBiZWluZyBjb21wYXRpYmxl IHdpdGggbmV3ZXIga2VybmVscyB0aGF0IGNhbiBpbnRyb2R1Y2UKK25ldyBvcGVyYXRpb25zLCBz ZXQgYSBnbG9iYWwgZGVmYXVsdCBvZiBgYEFMTE9XYGAsIHRoZW4gb3ZlcnJpZGUgdGhlCitkZWZh dWx0cyBvbiBhIHBlci1vcGVyYXRpb24gYmFzaXMgKGFzIGFib3ZlKS4KKworV2l0aCBjb25maWd1 cmFibGUgcG9saWN5LWJhc2VkIExTTXMsIHRoZXJlJ3Mgc2V2ZXJhbCBpc3N1ZXMgd2l0aAorZW5m b3JjaW5nIHRoZSBjb25maWd1cmFibGUgcG9saWNpZXMgYXQgc3RhcnR1cCwgYXJvdW5kIHJlYWRp bmcgYW5kCitwYXJzaW5nIHRoZSBwb2xpY3k6CisKKzEuIFRoZSBrZXJuZWwgKnNob3VsZCogbm90 IHJlYWQgZmlsZXMgZnJvbSB1c2Vyc3BhY2UsIHNvIGRpcmVjdGx5IHJlYWRpbmcKKyAgIHRoZSBw b2xpY3kgZmlsZSBpcyBwcm9oaWJpdGVkLgorMi4gVGhlIGtlcm5lbCBjb21tYW5kIGxpbmUgaGFz IGEgY2hhcmFjdGVyIGxpbWl0LCBhbmQgb25lIGtlcm5lbCBtb2R1bGUKKyAgIHNob3VsZCBub3Qg cmVzZXJ2ZSB0aGUgZW50aXJlIGNoYXJhY3RlciBsaW1pdCBmb3IgaXRzIG93bgorICAgY29uZmln dXJhdGlvbi4KKzMuIFRoZXJlIGFyZSB2YXJpb3VzIGJvb3QgbG9hZGVycyBpbiB0aGUga2VybmVs IGVjb3N5c3RlbSwgc28gaGFuZGluZworICAgb2ZmIGEgbWVtb3J5IGJsb2NrIHdvdWxkIGJlIGNv c3RseSB0byBtYWludGFpbi4KKworQXMgYSByZXN1bHQsIElQRSBoYXMgYWRkcmVzc2VkIHRoaXMg cHJvYmxlbSB0aHJvdWdoIGEgY29uY2VwdCBvZiBhICJib290Citwb2xpY3kiLiBBIGJvb3QgcG9s aWN5IGlzIGEgbWluaW1hbCBwb2xpY3kgd2hpY2ggaXMgY29tcGlsZWQgaW50byB0aGUKK2tlcm5l bC4gVGhpcyBwb2xpY3kgaXMgaW50ZW5kZWQgdG8gZ2V0IHRoZSBzeXN0ZW0gdG8gYSBzdGF0ZSB3 aGVyZQordXNlcnNwYWNlIGlzIHNldCB1cCBhbmQgcmVhZHkgdG8gcmVjZWl2ZSBjb21tYW5kcywg YXQgd2hpY2ggcG9pbnQgYSBtb3JlCitjb21wbGV4IHBvbGljeSBjYW4gYmUgZGVwbG95ZWQgdmlh IHNlY3VyaXR5ZnMuIFRoZSBib290IHBvbGljeSBjYW4gYmUKK3NwZWNpZmllZCB2aWEgYGBTRUNV UklUWV9JUEVfQk9PVF9QT0xJQ1lgYCBjb25maWcgb3B0aW9uLCB3aGljaCBhY2NlcHRzCithIHBh dGggdG8gYSBwbGFpbi10ZXh0IHZlcnNpb24gb2YgdGhlIElQRSBwb2xpY3kgdG8gYXBwbHkuIFRo aXMgcG9saWN5Cit3aWxsIGJlIGNvbXBpbGVkIGludG8gdGhlIGtlcm5lbC4gSWYgbm90IHNwZWNp ZmllZCwgSVBFIHdpbGwgYmUgZGlzYWJsZWQKK3VudGlsIGEgcG9saWN5IGlzIGRlcGxveWVkIGFu ZCBhY3RpdmF0ZWQgdGhyb3VnaCBzZWN1cml0eWZzLgorCitEZXBsb3lpbmcgUG9saWNpZXMKK35+ fn5+fn5+fn5+fn5+fn5+fgorCitQb2xpY2llcyBjYW4gYmUgZGVwbG95ZWQgZnJvbSB1c2Vyc3Bh Y2UgdGhyb3VnaCBzZWN1cml0eWZzLiBUaGVzZSBwb2xpY2llcworYXJlIHNpZ25lZCB0aHJvdWdo IHRoZSBQS0NTIzcgbWVzc2FnZSBmb3JtYXQgdG8gZW5mb3JjZSBzb21lIGxldmVsIG9mCithdXRo b3JpemF0aW9uIG9mIHRoZSBwb2xpY2llcyAocHJvaGliaXRpbmcgYW4gYXR0YWNrZXIgZnJvbSBn YWluaW5nCit1bmNvbnN0cmFpbmVkIHJvb3QsIGFuZCBkZXBsb3lpbmcgYW4gImFsbG93IGFsbCIg cG9saWN5KS4gVGhlc2UKK3BvbGljaWVzIG11c3QgYmUgc2lnbmVkIGJ5IGEgY2VydGlmaWNhdGUg dGhhdCBjaGFpbnMgdG8gdGhlCitgYFNZU1RFTV9UUlVTVEVEX0tFWVJJTkdgYC4gV2l0aCBvcGVu c3NsLCB0aGUgcG9saWN5IGNhbiBiZSBzaWduZWQgYnk6OgorCisgICBvcGVuc3NsIHNtaW1lIC1z aWduIFwKKyAgICAgIC1pbiAiJE1ZX1BPTElDWSIgXAorICAgICAgLXNpZ25lciAiJE1ZX0NFUlRJ RklDQVRFIiBcCisgICAgICAtaW5rZXkgIiRNWV9QUklWQVRFX0tFWSIgXAorICAgICAgLW5vYXR0 ciBcCisgICAgICAtbm9kZXRhY2ggXAorICAgICAgLW5vc21pbWVjYXAgXAorICAgICAgLW91dGZv cm0gZGVyIFwKKyAgICAgIC1vdXQgIiRNWV9QT0xJQ1kucDdiIgorCitEZXBsb3lpbmcgdGhlIHBv bGljaWVzIGlzIGRvbmUgdGhyb3VnaCBzZWN1cml0eWZzLCB0aHJvdWdoIHRoZQorYGBuZXdfcG9s aWN5YGAgbm9kZS4gVG8gZGVwbG95IGEgcG9saWN5LCBzaW1wbHkgY2F0IHRoZSBmaWxlIGludG8g dGhlCitzZWN1cml0eWZzIG5vZGU6OgorCisgICBjYXQgIiRNWV9QT0xJQ1kucDdiIiA+IC9zeXMv a2VybmVsL3NlY3VyaXR5L2lwZS9uZXdfcG9saWN5CisKK1Vwb24gc3VjY2VzcywgdGhpcyB3aWxs IGNyZWF0ZSBvbmUgc3ViZGlyZWN0b3J5IHVuZGVyCitgYC9zeXMva2VybmVsL3NlY3VyaXR5L2lw ZS9wb2xpY2llcy9gYC4gVGhlIHN1YmRpcmVjdG9yeSB3aWxsIGJlIHRoZQorYGBwb2xpY3lfbmFt ZWBgIGZpZWxkIG9mIHRoZSBwb2xpY3kgZGVwbG95ZWQsIHNvIGZvciB0aGUgZXhhbXBsZSBhYm92 ZSwKK3RoZSBkaXJlY3Rvcnkgd2lsbCBiZSBgYC9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS9wb2xp Y2llcy9FeF9Qb2xpY3lgYC4KK1dpdGhpbiB0aGlzIGRpcmVjdG9yeSwgdGhlcmUgd2lsbCBiZSBm aXZlIGZpbGVzOiBgYHBrY3M3YGAsIGBgcG9saWN5YGAsCitgYGFjdGl2ZWBgLCBgYHVwZGF0ZWBg LCBhbmQgYGBkZWxldGVgYC4KKworVGhlIGBgcGtjczdgYCBmaWxlIGlzIHJlYWQtb25seS4gUmVh ZGluZyBpdCByZXR1cm5zIHRoZSByYXcgUEtDUyM3IGRhdGEKK3RoYXQgd2FzIHByb3ZpZGVkIHRv IHRoZSBrZXJuZWwsIHJlcHJlc2VudGluZyB0aGUgcG9saWN5LiBJZiB0aGUgcG9saWN5IGJlaW5n CityZWFkIGlzIHRoZSBib290IHBvbGljeSwgdGhpcyB3aWxsIHJldHVybiBgYEVOT0VOVGBgLCBh cyBpdCBpcyBub3Qgc2lnbmVkLgorCitUaGUgYGBwb2xpY3lgYCBmaWxlIGlzIHJlYWQgb25seS4g UmVhZGluZyBpdCByZXR1cm5zIHRoZSBQS0NTIzcgaW5uZXIKK2NvbnRlbnQgb2YgdGhlIHBvbGlj eSwgd2hpY2ggd2lsbCBiZSB0aGUgcGxhaW4gdGV4dCBwb2xpY3kuCisKK1RoZSBgYGFjdGl2ZWBg IGZpbGUgaXMgdXNlZCB0byBzZXQgYSBwb2xpY3kgYXMgdGhlIGN1cnJlbnRseSBhY3RpdmUgcG9s aWN5LgorVGhpcyBmaWxlIGlzIHJ3LCBhbmQgYWNjZXB0cyBhIHZhbHVlIG9mIGBgIjEiYGAgdG8g c2V0IHRoZSBwb2xpY3kgYXMgYWN0aXZlLgorU2luY2Ugb25seSBhIHNpbmdsZSBwb2xpY3kgY2Fu IGJlIGFjdGl2ZSBhdCBvbmUgdGltZSwgYWxsIG90aGVyIHBvbGljaWVzCit3aWxsIGJlIG1hcmtl ZCBpbmFjdGl2ZS4gVGhlIHBvbGljeSBiZWluZyBtYXJrZWQgYWN0aXZlIG11c3QgaGF2ZSBhIHBv bGljeQordmVyc2lvbiBncmVhdGVyIG9yIGVxdWFsIHRvIHRoZSBjdXJyZW50bHktcnVubmluZyB2 ZXJzaW9uLgorCitUaGUgYGB1cGRhdGVgYCBmaWxlIGlzIHVzZWQgdG8gdXBkYXRlIGEgcG9saWN5 IHRoYXQgaXMgYWxyZWFkeSBwcmVzZW50CitpbiB0aGUga2VybmVsLiBUaGlzIGZpbGUgaXMgd3Jp dGUtb25seSBhbmQgYWNjZXB0cyBhIFBLQ1MjNyBzaWduZWQKK3BvbGljeS4gVHdvIGNoZWNrcyB3 aWxsIGFsd2F5cyBiZSBwZXJmb3JtZWQgb24gdGhpcyBwb2xpY3k6IEZpcnN0LCB0aGUKK2BgcG9s aWN5X25hbWVzYGAgbXVzdCBtYXRjaCB3aXRoIHRoZSB1cGRhdGVkIHZlcnNpb24gYW5kIHRoZSBl eGlzdGluZwordmVyc2lvbi4gU2Vjb25kIHRoZSB1cGRhdGVkIHBvbGljeSBtdXN0IGhhdmUgYSBw b2xpY3kgdmVyc2lvbiBncmVhdGVyIHRoYW4KK29yIGVxdWFsIHRvIHRoZSBjdXJyZW50bHktcnVu bmluZyB2ZXJzaW9uLiBUaGlzIGlzIHRvIHByZXZlbnQgcm9sbGJhY2sgYXR0YWNrcy4KKworVGhl IGBgZGVsZXRlYGAgZmlsZSBpcyB1c2VkIHRvIHJlbW92ZSBhIHBvbGljeSB0aGF0IGlzIG5vIGxv bmdlciBuZWVkZWQuCitUaGlzIGZpbGUgaXMgd3JpdGUtb25seSBhbmQgYWNjZXB0cyBhIHZhbHVl IG9mIGBgMWBgIHRvIGRlbGV0ZSB0aGUgcG9saWN5LgorT24gZGVsZXRpb24sIHRoZSBzZWN1cml0 eWZzIG5vZGUgcmVwcmVzZW50aW5nIHRoZSBwb2xpY3kgd2lsbCBiZSByZW1vdmVkLgorSG93ZXZl ciwgZGVsZXRlIHRoZSBjdXJyZW50IGFjdGl2ZSBwb2xpY3kgaXMgbm90IGFsbG93ZWQgYW5kIHdp bGwgcmV0dXJuCithbiBvcGVyYXRpb24gbm90IHBlcm1pdHRlZCBlcnJvci4KKworU2ltaWxhcmx5 LCB3cml0aW5nIHRvIGJvdGggYGB1cGRhdGVgYCBhbmQgYGBuZXdfcG9saWN5YGAgY291bGQgcmVz dWx0IGluCitiYWQgbWVzc2FnZShwb2xpY3kgc3ludGF4IGVycm9yKSBvciBmaWxlIGV4aXN0cyBl cnJvci4gVGhlIGxhdHRlciBlcnJvciBoYXBwZW5zCit3aGVuIHRyeWluZyB0byBkZXBsb3kgYSBw b2xpY3kgd2l0aCBhIGBgcG9saWN5X25hbWVgYCB3aGlsZSB0aGUga2VybmVsIGFscmVhZHkKK2hh cyBhIGRlcGxveWVkIHBvbGljeSB3aXRoIHRoZSBzYW1lIGBgcG9saWN5X25hbWVgYC4KKworRGVw bG95aW5nIGEgcG9saWN5IHdpbGwgKm5vdCogY2F1c2UgSVBFIHRvIHN0YXJ0IGVuZm9yY2luZyB0 aGUgcG9saWN5LiBJUEUgd2lsbAorb25seSBlbmZvcmNlIHRoZSBwb2xpY3kgbWFya2VkIGFjdGl2 ZS4gTm90ZSB0aGF0IG9ubHkgb25lIHBvbGljeSBjYW4gYmUgYWN0aXZlCithdCBhIHRpbWUuCisK K09uY2UgZGVwbG95bWVudCBpcyBzdWNjZXNzZnVsLCB0aGUgcG9saWN5IGNhbiBiZSBhY3RpdmF0 ZWQsIGJ5IHdyaXRpbmcgZmlsZQorYGAvc3lzL2tlcm5lbC9zZWN1cml0eS9pcGUvJHBvbGljeV9u YW1lL2FjdGl2ZWBgLgorRm9yIGV4YW1wbGUsIHRoZSBgYEV4X1BvbGljeWBgIGNhbiBiZSBhY3Rp dmF0ZWQgYnk6OgorCisgICBlY2hvIDEgPiAiL3N5cy9rZXJuZWwvc2VjdXJpdHkvaXBlL0V4X1Bv bGljeS9hY3RpdmUiCisKK0Zyb20gYWJvdmUgcG9pbnQgb24sIGBgRXhfUG9saWN5YGAgaXMgbm93 IHRoZSBlbmZvcmNlZCBwb2xpY3kgb24gdGhlCitzeXN0ZW0uCisKK0lQRSBhbHNvIHByb3ZpZGVz IGEgd2F5IHRvIGRlbGV0ZSBwb2xpY2llcy4gVGhpcyBjYW4gYmUgZG9uZSB2aWEgdGhlCitgYGRl bGV0ZWBgIHNlY3VyaXR5ZnMgbm9kZSwgYGAvc3lzL2tlcm5lbC9zZWN1cml0eS9pcGUvJHBvbGlj eV9uYW1lL2RlbGV0ZWBgLgorV3JpdGluZyBgYDFgYCB0byB0aGF0IGZpbGUgZGVsZXRlcyB0aGUg cG9saWN5OjoKKworICAgZWNobyAxID4gIi9zeXMva2VybmVsL3NlY3VyaXR5L2lwZS8kcG9saWN5 X25hbWUvZGVsZXRlIgorCitUaGVyZSBpcyBvbmx5IG9uZSByZXF1aXJlbWVudCB0byBkZWxldGUg YSBwb2xpY3k6IHRoZSBwb2xpY3kgYmVpbmcgZGVsZXRlZAorbXVzdCBiZSBpbmFjdGl2ZS4KKwor Li4gTk9URTo6CisKKyAgIElmIGEgdHJhZGl0aW9uYWwgTUFDIHN5c3RlbSBpcyBlbmFibGVkIChT RUxpbnV4LCBhcHBhcm1vciwgc21hY2spLCBhbGwKKyAgIHdyaXRlcyB0byBpcGUncyBzZWN1cml0 eWZzIG5vZGVzIHJlcXVpcmUgYGBDQVBfTUFDX0FETUlOYGAuCisKK01vZGVzCit+fn5+fgorCitJ UEUgc3VwcG9ydHMgdHdvIG1vZGVzIG9mIG9wZXJhdGlvbjogcGVybWlzc2l2ZSAoc2ltaWxhciB0 byBTRUxpbnV4J3MKK3Blcm1pc3NpdmUgbW9kZSkgYW5kIGVuZm9yY2VkLiBJbiBwZXJtaXNzaXZl IG1vZGUsIGFsbCBldmVudHMgYXJlCitjaGVja2VkIGFuZCBwb2xpY3kgdmlvbGF0aW9ucyBhcmUg bG9nZ2VkLCBidXQgdGhlIHBvbGljeSBpcyBub3QgcmVhbGx5CitlbmZvcmNlZC4gVGhpcyBhbGxv d3MgdXNlcnMgdG8gdGVzdCBwb2xpY2llcyBiZWZvcmUgZW5mb3JjaW5nIHRoZW0uCisKK1RoZSBk ZWZhdWx0IG1vZGUgaXMgZW5mb3JjZSwgYW5kIGNhbiBiZSBjaGFuZ2VkIHZpYSB0aGUga2VybmVs IGNvbW1hbmQKK2xpbmUgcGFyYW1ldGVyIGBgaXBlLmVuZm9yY2U9KDB8MSlgYCwgb3IgdGhlIHNl Y3VyaXR5ZnMgbm9kZQorYGAvc3lzL2tlcm5lbC9zZWN1cml0eS9pcGUvZW5mb3JjZWBgLgorCisu LiBOT1RFOjoKKworICAgSWYgYSB0cmFkaXRpb25hbCBNQUMgc3lzdGVtIGlzIGVuYWJsZWQgKFNF TGludXgsIGFwcGFybW9yLCBzbWFjaywgZXRjZXRlcmEpLAorICAgYWxsIHdyaXRlcyB0byBpcGUn cyBzZWN1cml0eWZzIG5vZGVzIHJlcXVpcmUgYGBDQVBfTUFDX0FETUlOYGAuCisKK0F1ZGl0IEV2 ZW50cworfn5+fn5+fn5+fn5+CisKKzE0MjAgQVVESVRfSVBFX0FDQ0VTUworXl5eXl5eXl5eXl5e Xl5eXl5eXl5eCitFdmVudCBFeGFtcGxlczo6CisKKyAgIHR5cGU9MTQyMCBhdWRpdCgxNjUzMzY0 MzcwLjA2Nzo2MSk6IHBhdGg9Ii9yb290L2ZzL3J3L3BsYWluL2V4ZWN2ZSIgZGV2PSJ2ZGMxIiBp bm89MTYgcnVsZT0iREVGQVVMVCBvcD1FWEVDVVRFIGFjdGlvbj1ERU5ZIgorICAgdHlwZT0xMzAw IGF1ZGl0KDE2NTMzNjQzNzAuMDY3OjYxKTogYXJjaD1jMDAwMDAzZSBzeXNjYWxsPTEwIHN1Y2Nl c3M9bm8gZXhpdD0tMTMgYTA9N2YwYmYwNjQ0MDAwIGExPTRmODAgYTI9NSBhMz03ZjBiZjA0M2Qz MDAgaXRlbXM9MCBwcGlkPTQ1NSBwaWQ9NzM3IGF1aWQ9MCB1aWQ9MCBnaWQ9MCBldWlkPTAgc3Vp ZD0wIGZzdWlkPTAgZWdpZD0wIHNnaWQ9MCBmc2dpZD0wIHR0eT10dHlTMCBzZXM9MyBjb21tPSJt cHJvdGVjdCIgZXhlPSIvcm9vdC9ob3N0L21wcm90ZWN0IiBzdWJqPWtlcm5lbCBrZXk9KG51bGwp CisgICB0eXBlPTEzMjcgYXVkaXQoMTY1MzM2NDM3MC4wNjc6NjEpOiBwcm9jdGl0bGU9Njg2Rjcz NzQyRjZENzA3MjZGNzQ2NTYzNzQwMDUzNDgwMDUyN0M1NzAwNTI3QzU4MDA3MDZDNjE2OTZFMkY2 NTc4NjU2Mzc2NjUKKworICAgdHlwZT0xNDIwIGF1ZGl0KDE2NTMzNjQ3MzUuMTYxOjY0KTogcnVs ZT0iREVGQVVMVCBvcD1FWEVDVVRFIGFjdGlvbj1ERU5ZIgorICAgdHlwZT0xMzAwIGF1ZGl0KDE2 NTMzNjQ3MzUuMTYxOjY0KTogYXJjaD1jMDAwMDAzZSBzeXNjYWxsPTkgc3VjY2Vzcz1ubyBleGl0 PS0xMyBhMD0wIGExPTEwMDAgYTI9NCBhMz0yMCBpdGVtcz0wIHBwaWQ9NDU1IHBpZD03NzQgYXVp ZD0wIHVpZD0wIGdpZD0wIGV1aWQ9MCBzdWlkPTAgZnN1aWQ9MCBlZ2lkPTAgc2dpZD0wIGZzZ2lk PTAgdHR5PXR0eVMwIHNlcz0zIGNvbW09Im1tYXAiIGV4ZT0iL3Jvb3QvaG9zdC9tbWFwIiBzdWJq PWtlcm5lbCBrZXk9KG51bGwpCisgICB0eXBlPTEzMjcgYXVkaXQoMTY1MzM2NDczNS4xNjE6NjQp OiBwcm9jdGl0bGU9Njg2RjczNzQyRjZENkQ2MTcwMDA0MTAwNTjij44KKworVGhpcyBldmVudCBp bmRpY2F0ZXMgdGhhdCBJUEUgbWFkZSBhbiBhY2Nlc3MgY29udHJvbCBkZWNpc2lvbjsgdGhlIElQ RQorc3BlY2lmaWMgcmVjb3JkICgxNDIwKSBpcyBhbHdheXMgZW1pdHRlZCBpbiBjb25qdW5jdGlv biB3aXRoIGEKK2BgQVVESVRTWVNDQUxMYGAgcmVjb3JkLgorCitEZXRlcm1pbmluZyB3aGV0aGVy IElQRSBpcyBpbiBwZXJtaXNzaXZlIG9yIGVuZm9yY2VkIG1vZGUgY2FuIGJlIGRlcml2ZWQKK2Zy b20gYGBzdWNjZXNzYGAgcHJvcGVydHkgYW5kIGV4aXQgY29kZSBvZiB0aGUgYGBBVURJVFNZU0NB TExgYCByZWNvcmQuCisKKworRmllbGQgZGVzY3JpcHRpb25zOgorCisrLS0tLS0tLSstLS0tLS0t LS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLSsKK3wgRmllbGQgfCBWYWx1ZSBUeXBlIHwgT3B0aW9uYWw/IHwgRGVzY3JpcHRp b24gb2YgVmFsdWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgfAorKz09PT09PT0rPT09PT09 PT09PT09Kz09PT09PT09PT09Kz09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0rCit8IHBhdGggIHwgc3RyaW5nICAgICB8IFllcyAgICAgICB8IFRoZSBhYnNv bHV0ZSBwYXRoIHRvIHRoZSBldmFsdWF0ZWQgZmlsZSAgICAgICAgIHwKKystLS0tLS0tKy0tLS0t LS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tKworfCBpbm8gICB8IGludGVnZXIgICAgfCBZZXMgICAgICAgfCBUaGUgaW5v ZGUgbnVtYmVyIG9mIHRoZSBldmFsdWF0ZWQgZmlsZSAgICAgICAgICB8CisrLS0tLS0tLSstLS0t LS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLSsKK3wgZGV2ICAgfCBzdHJpbmcgICAgIHwgWWVzICAgICAgIHwgVGhlIGRl dmljZSBuYW1lIG9mIHRoZSBldmFsdWF0ZWQgZmlsZSwgZS5nLiB2ZGEgfAorKy0tLS0tLS0rLS0t LS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0rCit8IHJ1bGUgIHwgc3RyaW5nICAgICB8IE5vICAgICAgICB8IFRoZSBt YXRjaGVkIHBvbGljeSBydWxlICAgICAgICAgICAgICAgICAgICAgICAgIHwKKystLS0tLS0tKy0t LS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tKworCisxNDIxIEFVRElUX0lQRV9DT05GSUdfQ0hBTkdFCiteXl5eXl5e Xl5eXl5eXl5eXl5eXl5eXl5eXl5eCisKK0V2ZW50IEV4YW1wbGU6OgorCisgICB0eXBlPTE0MjEg YXVkaXQoMTY1MzQyNTU4My4xMzY6NTQpOiBvbGRfYWN0aXZlX3BvbF9uYW1lPSJBbGxvd19BbGwi IG9sZF9hY3RpdmVfcG9sX3ZlcnNpb249MC4wLjAgb2xkX3BvbGljeV9kaWdlc3Q9c2hhMjU2OkUz QjBDNDQyOThGQzFDMTQ5QUZCRjRDODk5NkZCOTI0MjdBRTQxRTQ2NDlCOTM0Q0E0OTU5OTFCNzg1 MkI4NTUgbmV3X2FjdGl2ZV9wb2xfbmFtZT0iYm9vdF92ZXJpZmllZCIgbmV3X2FjdGl2ZV9wb2xf dmVyc2lvbj0wLjAuMCBuZXdfcG9saWN5X2RpZ2VzdD1zaGEyNTY6ODIwRUVBNUI0MENBNDJCNTFG Njg5NjIzNTRCQTA4MzEyMkEyMEJCODQ2RjI2NzY1MDc2REQ4RUVEN0I4RjREQiBhdWlkPTQyOTQ5 NjcyOTUgc2VzPTQyOTQ5NjcyOTUgbHNtPWlwZSByZXM9MQorICAgdHlwZT0xMzAwIGF1ZGl0KDE2 NTM0MjU1ODMuMTM2OjU0KTogU1lTQ0FMTCBhcmNoPWMwMDAwMDNlIHN5c2NhbGw9MSBzdWNjZXNz PXllcyBleGl0PTIgYTA9MyBhMT01NTk2ZmNhZTFmYjAgYTI9MiBhMz0yIGl0ZW1zPTAgcHBpZD0x ODQgcGlkPTIyOSBhdWlkPTQyOTQ5NjcyOTUgdWlkPTAgZ2lkPTAgZXVpZD0wIHN1aWQ9MCBmc3Vp ZD0wIGVnaWQ9MCBzZ2lkPTAgZnNnaWQ9MCB0dHk9cHRzMCBzZXM9NDI5NDk2NzI5NSBjb21tPSJw eXRob24zIiBleGU9Ii91c3IvYmluL3B5dGhvbjMuMTAiIGtleT0obnVsbCkKKyAgIHR5cGU9MTMy NyBhdWRpdCgxNjUzNDI1NTgzLjEzNjo1NCk6IFBST0NUSVRMRSBwcm9jdGl0bGU9NzA3OTc0Njg2 RjZFMzMwMDc0NjU3Mzc0MkY2RDYxNjk2RTJFNzA3OTAwMkQ2NjAwMkUyCisKK1RoaXMgZXZlbnQg aW5kaWNhdGVzIHRoYXQgSVBFIHN3aXRjaGVkIHRoZSBhY3RpdmUgcG9saXkgZnJvbSBvbmUgdG8g YW5vdGhlcgorYWxvbmcgd2l0aCB0aGUgdmVyc2lvbiBhbmQgdGhlIGhhc2ggZGlnZXN0IG9mIHRo ZSB0d28gcG9saWNpZXMuCitOb3RlIElQRSBjYW4gb25seSBoYXZlIG9uZSBwb2xpY3kgYWN0aXZl IGF0IGEgdGltZSwgYWxsIGFjY2VzcyBkZWNpc2lvbgorZXZhbHVhdGlvbiBpcyBiYXNlZCBvbiB0 aGUgY3VycmVudCBhY3RpdmUgcG9saWN5LgorVGhlIG5vcm1hbCBwcm9jZWR1cmUgdG8gZGVwbG95 IGEgbmV3IHBvbGljeSBpcyBsb2FkaW5nIHRoZSBwb2xpY3kgdG8gZGVwbG95CitpbnRvIHRoZSBr ZXJuZWwgZmlyc3QsIHRoZW4gc3dpdGNoIHRoZSBhY3RpdmUgcG9saWN5IHRvIGl0LgorCitUaGlz IHJlY29yZCB3aWxsIGFsd2F5cyBiZSBlbWl0dGVkIGluIGNvbmp1bmN0aW9uIHdpdGggYSBgYEFV RElUU1lTQ0FMTGBgIHJlY29yZCBmb3IgdGhlIGBgd3JpdGVgYCBzeXNjYWxsLgorCisrLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IEZpZWxkICAgICAgICAg ICAgICAgICAgfCBWYWx1ZSBUeXBlIHwgT3B0aW9uYWw/IHwgRGVzY3JpcHRpb24gb2YgVmFsdWUg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CisrPT09PT09PT09PT09PT09PT09PT09PT09 Kz09PT09PT09PT09PSs9PT09PT09PT09PSs9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0rCit8IG9sZF9hY3RpdmVfcG9sX25hbWUgICAgfCBzdHJpbmcg ICAgIHwgTm8gICAgICAgIHwgVGhlIG5hbWUgb2YgcHJldmlvdXMgYWN0aXZlIHBvbGljeSAgICAg ICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0t LS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0rCit8IG9sZF9hY3RpdmVfcG9sX3ZlcnNpb24gfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwg VGhlIHZlcnNpb24gb2YgcHJldmlvdXMgYWN0aXZlIHBvbGljeSAgICAgICAgICAgICB8CisrLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG9sZF9wb2xpY3lf ZGlnZXN0ICAgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIGhhc2ggb2YgcHJldmlv dXMgYWN0aXZlIHBvbGljeSAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG5ld19hY3RpdmVfcG9sX25hbWUgICAgfCBzdHJp bmcgICAgIHwgTm8gICAgICAgIHwgVGhlIG5hbWUgb2YgY3VycmVudCBhY3RpdmUgcG9saWN5ICAg ICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSst LS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0rCit8IG5ld19hY3RpdmVfcG9sX3ZlcnNpb24gfCBzdHJpbmcgICAgIHwgTm8gICAgICAg IHwgVGhlIHZlcnNpb24gb2YgY3VycmVudCBhY3RpdmUgcG9saWN5ICAgICAgICAgICAgICB8Cisr LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IG5ld19wb2xp Y3lfZGlnZXN0ICAgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIGhhc2ggb2YgY3Vy cmVudCBhY3RpdmUgcG9saWN5ICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IGF1aWQgICAgICAgICAgICAgICAgICAgfCBp bnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2luIHVzZXIgSUQgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0t LSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0rCit8IHNlcyAgICAgICAgICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAg ICAgIHwgVGhlIGxvZ2luIHNlc3Npb24gSUQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8 CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IGxzbSAg ICAgICAgICAgICAgICAgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIGxzbSBuYW1l IGFzc29jaWF0ZWQgd2l0aCB0aGUgZXZlbnQgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IHJlcyAgICAgICAgICAgICAgICAgICAg fCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIHJlc3VsdCBvZiB0aGUgYXVkaXRlZCBvcGVy YXRpb24oc3VjY2Vzcy9mYWlsKSB8CisrLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0t LS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0rCisKKzE0MjIgQVVESVRfSVBFX1BPTElDWV9MT0FECiteXl5eXl5eXl5eXl5e Xl5eXl5eXl5eXl5eXgorCitFdmVudCBFeGFtcGxlOjoKKworICAgdHlwZT0xNDIyIGF1ZGl0KDE2 NTM0MjU1MjkuOTI3OjUzKTogcG9saWN5X25hbWU9ImJvb3RfdmVyaWZpZWQiIHBvbGljeV92ZXJz aW9uPTAuMC4wIHBvbGljeV9kaWdlc3Q9c2hhMjU2OjgyMEVFQTVCNDBDQTQyQjUxRjY4OTYyMzU0 QkEwODMxMjJBMjBCQjg0NkYyNjc2NTA3NkREOEVFRDdCOEY0REIgYXVpZD00Mjk0OTY3Mjk1IHNl cz00Mjk0OTY3Mjk1IGxzbT1pcGUgcmVzPTEKKyAgIHR5cGU9MTMwMCBhdWRpdCgxNjUzNDI1NTI5 LjkyNzo1Myk6IGFyY2g9YzAwMDAwM2Ugc3lzY2FsbD0xIHN1Y2Nlc3M9eWVzIGV4aXQ9MjU2NyBh MD0zIGExPTU1OTZmY2FlMWZiMCBhMj1hMDcgYTM9MiBpdGVtcz0wIHBwaWQ9MTg0IHBpZD0yMjkg YXVpZD00Mjk0OTY3Mjk1IHVpZD0wIGdpZD0wIGV1aWQ9MCBzdWlkPTAgZnN1aWQ9MCBlZ2lkPTAg c2dpZD0wIGZzZ2lkPTAgdHR5PXB0czAgc2VzPTQyOTQ5NjcyOTUgY29tbT0icHl0aG9uMyIgZXhl PSIvdXNyL2Jpbi9weXRob24zLjEwIiBrZXk9KG51bGwpCisgICB0eXBlPTEzMjcgYXVkaXQoMTY1 MzQyNTUyOS45Mjc6NTMpOiBQUk9DVElUTEUgcHJvY3RpdGxlPTcwNzk3NDY4NkY2RTMzMDA3NDY1 NzM3NDJGNkQ2MTY5NkUyRTcwNzkwMDJENjYwMDJFMkUKKworVGhpcyByZWNvcmQgaW5kaWNhdGVz IGEgbmV3IHBvbGljeSBoYXMgYmVlbiBsb2FkZWQgaW50byB0aGUga2VybmVsIHdpdGggdGhlIHBv bGljeSBuYW1lLCBwb2xpY3kgdmVyc2lvbiBhbmQgcG9saWN5IGhhc2guCisKK1RoaXMgcmVjb3Jk IHdpbGwgYWx3YXlzIGJlIGVtaXR0ZWQgaW4gY29uanVuY3Rpb24gd2l0aCBhIGBgQVVESVRTWVND QUxMYGAgcmVjb3JkIGZvciB0aGUgYGB3cml0ZWBgIHN5c2NhbGwuCisKKystLS0tLS0tLS0tLS0t LS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IEZpZWxkICAgICAgICAgIHwgVmFsdWUgVHlwZSB8 IE9wdGlvbmFsPyB8IERlc2NyaXB0aW9uIG9mIFZhbHVlICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgfAorKz09PT09PT09PT09PT09PT0rPT09PT09PT09PT09Kz09PT09PT09PT09Kz09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSsKK3wgcG9saWN5 X25hbWUgICAgfCBzdHJpbmcgICAgIHwgTm8gICAgICAgIHwgVGhlIHBvbGljeV9uYW1lICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0tLS0tLSstLS0tLS0t LS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tKworfCBwb2xpY3lfdmVyc2lvbiB8IHN0cmluZyAgICAgfCBObyAgICAgICAg fCBUaGUgcG9saWN5X3ZlcnNpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwKKyst LS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IHBvbGljeV9kaWdlc3QgIHwg c3RyaW5nICAgICB8IE5vICAgICAgICB8IFRoZSBwb2xpY3kgaGFzaCAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgfAorKy0tLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LSsKK3wgYXVpZCAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2lu IHVzZXIgSUQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8CisrLS0tLS0tLS0tLS0t LS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKworfCBzZXMgICAgICAgICAgICB8IGludGVnZXIgICAg fCBObyAgICAgICAgfCBUaGUgbG9naW4gc2Vzc2lvbiBJRCAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgIHwKKystLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rCit8IGxzbSAg ICAgICAgICAgIHwgc3RyaW5nICAgICB8IE5vICAgICAgICB8IFRoZSBsc20gbmFtZSBhc3NvY2lh dGVkIHdpdGggdGhlIGV2ZW50ICAgICAgICAgICAgfAorKy0tLS0tLS0tLS0tLS0tLS0rLS0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLSsKK3wgcmVzICAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAg IHwgVGhlIHJlc3VsdCBvZiB0aGUgYXVkaXRlZCBvcGVyYXRpb24oc3VjY2Vzcy9mYWlsKSB8Cisr LS0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKworCisKKzE0MDQgQVVESVRfTUFD X1NUQVRVUworXl5eXl5eXl5eXl5eXl5eXl5eXl5eCisKK0V2ZW50IEV4YW1wbGVzOjoKKworICAg dHlwZT0xNDA0IGF1ZGl0KDE2NTM0MjU2ODkuMDA4OjU1KTogZW5mb3JjaW5nPTAgb2xkX2VuZm9y Y2luZz0xIGF1aWQ9NDI5NDk2NzI5NSBzZXM9NDI5NDk2NzI5NSBlbmFibGVkPTEgb2xkLWVuYWJs ZWQ9MSBsc209aXBlIHJlcz0xCisgICB0eXBlPTEzMDAgYXVkaXQoMTY1MzQyNTY4OS4wMDg6NTUp OiBhcmNoPWMwMDAwMDNlIHN5c2NhbGw9MSBzdWNjZXNzPXllcyBleGl0PTIgYTA9MSBhMT01NWMx MDY1ZTVjNjAgYTI9MiBhMz0wIGl0ZW1zPTAgcHBpZD00MDUgcGlkPTQ0MSBhdWlkPTAgdWlkPTAg Z2lkPTAgZXVpZD0wIHN1aWQ9MCBmc3VpZD0wIGVnaWQ9MCBzZ2lkPSkKKyAgIHR5cGU9MTMyNyBh dWRpdCgxNjUzNDI1Njg5LjAwODo1NSk6IHByb2N0aXRsZT0iLWJhc2giCisKKyAgIHR5cGU9MTQw NCBhdWRpdCgxNjUzNDI1Njg5LjAwODo1NSk6IGVuZm9yY2luZz0xIG9sZF9lbmZvcmNpbmc9MCBh dWlkPTQyOTQ5NjcyOTUgc2VzPTQyOTQ5NjcyOTUgZW5hYmxlZD0xIG9sZC1lbmFibGVkPTEgbHNt PWlwZSByZXM9MQorICAgdHlwZT0xMzAwIGF1ZGl0KDE2NTM0MjU2ODkuMDA4OjU1KTogYXJjaD1j MDAwMDAzZSBzeXNjYWxsPTEgc3VjY2Vzcz15ZXMgZXhpdD0yIGEwPTEgYTE9NTVjMTA2NWU1YzYw IGEyPTIgYTM9MCBpdGVtcz0wIHBwaWQ9NDA1IHBpZD00NDEgYXVpZD0wIHVpZD0wIGdpZD0wIGV1 aWQ9MCBzdWlkPTAgZnN1aWQ9MCBlZ2lkPTAgc2dpZD0pCisgICB0eXBlPTEzMjcgYXVkaXQoMTY1 MzQyNTY4OS4wMDg6NTUpOiBwcm9jdGl0bGU9Ii1iYXNoIgorCitUaGlzIHJlY29yZCB3aWxsIGFs d2F5cyBiZSBlbWl0dGVkIGluIGNvbmp1bmN0aW9uIHdpdGggYSBgYEFVRElUU1lTQ0FMTGBgIHJl Y29yZCBmb3IgdGhlIGBgd3JpdGVgYCBzeXNjYWxsLgorCisrLS0tLS0tLS0tLS0tLS0tKy0tLS0t LS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tKy0tLS0tKworfCBGaWVsZCAgICAgICAgIHwgVmFsdWUgVHlwZSB8IE9wdGlvbmFsPyB8IERl c2NyaXB0aW9uIG9mIFZhbHVlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIHwKKys9PT09PT09PT09 PT09PT0rPT09PT09PT09PT09Kz09PT09PT09PT09Kz09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0rPT09PT0rCit8IGVuZm9yY2luZyAgICAgfCBpbnRlZ2VyICAgIHwgTm8g ICAgICAgIHwgVGhlIGVuZm9yY2luZyBzdGF0ZSBJUEUgaXMgYmVpbmcgc3dpdGNoZWQgdG8sIDEg aXMgaW4gZW5mb3JjaW5nIG1vZGUsIDAgaXMgaW4gcGVybWlzc2l2ZSBtb2RlICAgfCAgICAgfAor Ky0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLSsKK3wgb2xkX2VuZm9yY2luZyB8IGludGVn ZXIgICAgfCBObyAgICAgICAgfCBUaGUgZW5mb3JjaW5nIHN0YXRlIElQRSBpcyBiZWluZyBzd2l0 Y2hlZCBmcm9tLCAxIGlzIGluIGVuZm9yY2luZyBtb2RlLCAwIGlzIGluIHBlcm1pc3NpdmUgbW9k ZSB8ICAgICB8CisrLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKworfCBhdWlkICAgICAg ICAgIHwgaW50ZWdlciAgICB8IE5vICAgICAgICB8IFRoZSBsb2dpbiB1c2VyIElEICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgIHwgICAgIHwKKystLS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0t LS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rCit8 IHNlcyAgICAgICAgICAgfCBpbnRlZ2VyICAgIHwgTm8gICAgICAgIHwgVGhlIGxvZ2luIHNlc3Np b24gSUQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgfCAgICAgfAorKy0tLS0tLS0tLS0tLS0tLSstLS0tLS0t LS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LSstLS0tLSsKK3wgZW5hYmxlZCAgICAgICB8IGludGVnZXIgICAgfCBObyAgICAgICAgfCBUaGUg bmV3IFRUWSBhdWRpdCBlbmFibGVkIHNldHRpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8ICAgICB8CisrLS0tLS0tLS0tLS0t LS0tKy0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tKy0tLS0tKworfCBvbGQtZW5hYmxlZCAgIHwgaW50ZWdlciAgICB8IE5vICAg ICAgICB8IFRoZSBvbGQgVFRZIGF1ZGl0IGVuYWJsZWQgc2V0dGluZyAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHwgICAgIHwKKyst LS0tLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0rLS0tLS0rCit8IGxzbSAgICAgICAgICAgfCBzdHJpbmcg ICAgIHwgTm8gICAgICAgIHwgVGhlIGxzbSBuYW1lIGFzc29jaWF0ZWQgd2l0aCB0aGUgZXZlbnQg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg fCAgICAgfAorKy0tLS0tLS0tLS0tLS0tLSstLS0tLS0tLS0tLS0rLS0tLS0tLS0tLS0rLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLSstLS0tLSsKK3wgcmVzICAgICAgICAg ICB8IGludGVnZXIgICAgfCBObyAgICAgICAgfCBUaGUgcmVzdWx0IG9mIHRoZSBhdWRpdGVkIG9w ZXJhdGlvbihzdWNjZXNzL2ZhaWwpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICB8ICAgICB8CisrLS0tLS0tLS0tLS0tLS0tKy0tLS0tLS0tLS0tLSstLS0tLS0t LS0tLSstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tKy0tLS0tKworCitT dWNjZXNzIEF1ZGl0aW5nCiteXl5eXl5eXl5eXl5eXl5eCisKK0lQRSBzdXBwb3J0cyBzdWNjZXNz IGF1ZGl0aW5nLiBXaGVuIGVuYWJsZWQsIGFsbCBldmVudHMgdGhhdCBwYXNzIElQRQorcG9saWN5 IGFuZCBhcmUgbm90IGJsb2NrZWQgd2lsbCBlbWl0IGFuIGF1ZGl0IGV2ZW50LiBUaGlzIGlzIGRp c2FibGVkIGJ5CitkZWZhdWx0LCBhbmQgY2FuIGJlIGVuYWJsZWQgdmlhIHRoZSBrZXJuZWwgY29t bWFuZCBsaW5lCitgYGlwZS5zdWNjZXNzX2F1ZGl0PSgwfDEpYGAgb3IKK2BgL3N5cy9rZXJuZWwv c2VjdXJpdHkvaXBlL3N1Y2Nlc3NfYXVkaXRgYCBzZWN1cml0eWZzIGZpbGUuCisKK1RoaXMgaXMg KnZlcnkqIG5vaXN5LCBhcyBJUEUgd2lsbCBjaGVjayBldmVyeSB1c2Vyc3BhY2UgYmluYXJ5IG9u IHRoZQorc3lzdGVtLCBidXQgaXMgdXNlZnVsIGZvciBkZWJ1Z2dpbmcgcG9saWNpZXMuCisKKy4u IE5PVEU6OgorCisgICBJZiBhIHRyYWRpdGlvbmFsIE1BQyBzeXN0ZW0gaXMgZW5hYmxlZCAoU0VM aW51eCwgYXBwYXJtb3IsIHNtYWNrLCBldGNldGVyYSksCisgICBhbGwgd3JpdGVzIHRvIGlwZSdz IHNlY3VyaXR5ZnMgbm9kZXMgcmVxdWlyZSBgYENBUF9NQUNfQURNSU5gYC4KKworUHJvcGVydGll cworLS0tLS0tLS0tLQorCitBcyBleHBsYWluZWQgYWJvdmUsIElQRSBwcm9wZXJ0aWVzIGFyZSBg YGtleT12YWx1ZWBgIHBhaXJzIGV4cHJlc3NlZCBpbgorSVBFIHBvbGljeS4gVHdvIHByb3BlcnRp ZXMgYXJlIGJ1aWx0LWludG8gdGhlIHBvbGljeSBwYXJzZXI6ICdvcCcgYW5kCisnYWN0aW9uJy4g VGhlIG90aGVyIHByb3BlcnRpZXMgYXJlIGRldGVybWluaXN0aWMgYXR0cmlidXRlcyB0byBleHBy ZXNzCithY3Jvc3MgZmlsZXMuIEN1cnJlbnRseSB0aG9zZSBwcm9wZXJ0aWVzIGFyZTogJ2BgYm9v dF92ZXJpZmllZGBgJywKKydgYGRtdmVyaXR5X3NpZ25hdHVyZWBgJywgJ2BgZG12ZXJpdHlfcm9v dGhhc2hgYCcsICdgYGZzdmVyaXR5X3NpZ25hdHVyZWBgJywKKydgYGZzdmVyaXR5X2RpZ2VzdGBg Jy4gQSBkZXNjcmlwdGlvbiBvZiBhbGwgcHJvcGVydGllcyBzdXBwb3J0ZWQgYnkgSVBFCithcmUg bGlzdGVkIGJlbG93OgorCitvcAorfn4KKworSW5kaWNhdGVzIHRoZSBvcGVyYXRpb24gZm9yIGEg cnVsZSB0byBhcHBseSB0by4gTXVzdCBiZSBpbiBldmVyeSBydWxlLAorYXMgdGhlIGZpcnN0IHRv a2VuLiBJUEUgc3VwcG9ydHMgdGhlIGZvbGxvd2luZyBvcGVyYXRpb25zOgorCisgICBgYEVYRUNV VEVgYAorCisgICAgICBQZXJ0YWlucyB0byBhbnkgZmlsZSBhdHRlbXB0aW5nIHRvIGJlIGV4ZWN1 dGVkLCBvciBsb2FkZWQgYXMgYW4KKyAgICAgIGV4ZWN1dGFibGUuCisKKyAgIGBgRklSTVdBUkVg YDoKKworICAgICAgUGVydGFpbnMgdG8gZmlybXdhcmUgYmVpbmcgbG9hZGVkIHZpYSB0aGUgZmly bXdhcmVfY2xhc3MgaW50ZXJmYWNlLgorICAgICAgVGhpcyBjb3ZlcnMgYm90aCB0aGUgcHJlYWxs b2NhdGVkIGJ1ZmZlciBhbmQgdGhlIGZpcm13YXJlIGZpbGUKKyAgICAgIGl0c2VsZi4KKworICAg YGBLTU9EVUxFYGA6CisKKyAgICAgIFBlcnRhaW5zIHRvIGxvYWRpbmcga2VybmVsIG1vZHVsZXMg dmlhIGBgbW9kcHJvYmVgYCBvciBgYGluc21vZGBgLgorCisgICBgYEtFWEVDX0lNQUdFYGA6CisK KyAgICAgIFBlcnRhaW5zIHRvIGtlcm5lbCBpbWFnZXMgbG9hZGluZyB2aWEgYGBrZXhlY2BgLgor CisgICBgYEtFWEVDX0lOSVRSQU1GU2BgCisKKyAgICAgIFBlcnRhaW5zIHRvIGluaXRyZCBpbWFn ZXMgbG9hZGluZyB2aWEgYGBrZXhlYyAtLWluaXRyZGBgLgorCisgICBgYFBPTElDWWBgOgorCisg ICAgICBDb250cm9scyBsb2FkaW5nIHBvbGljaWVzIHZpYSByZWFkaW5nIGEga2VybmVsLXNwYWNl IGluaXRpYXRlZCByZWFkLgorCisgICAgICBBbiBleGFtcGxlIG9mIHN1Y2ggaXMgbG9hZGluZyBJ TUEgcG9saWNpZXMgYnkgd3JpdGluZyB0aGUgcGF0aAorICAgICAgdG8gdGhlIHBvbGljeSBmaWxl IHRvIGBgJHNlY3VyaXR5ZnMvaW1hL3BvbGljeWBgCisKKyAgIGBgWDUwOV9DRVJUYGA6CisKKyAg ICAgIENvbnRyb2xzIGxvYWRpbmcgSU1BIGNlcnRpZmljYXRlcyB0aHJvdWdoIHRoZSBLY29uZmln cywKKyAgICAgIGBgQ09ORklHX0lNQV9YNTA5X1BBVEhgYCBhbmQgYGBDT05GSUdfRVZNX1g1MDlf UEFUSGBgLgorCithY3Rpb24KK35+fn5+fgorCisgICBEZXRlcm1pbmVzIHdoYXQgSVBFIHNob3Vs ZCBkbyB3aGVuIGEgcnVsZSBtYXRjaGVzLiBNdXN0IGJlIGluIGV2ZXJ5CisgICBydWxlLCBhcyB0 aGUgZmluYWwgY2xhdXNlLiBDYW4gYmUgb25lIG9mOgorCisgICBgYEFMTE9XYGA6CisKKyAgICAg IElmIHRoZSBydWxlIG1hdGNoZXMsIGV4cGxpY2l0bHkgYWxsb3cgYWNjZXNzIHRvIHRoZSByZXNv dXJjZSB0byBwcm9jZWVkCisgICAgICB3aXRob3V0IGV4ZWN1dGluZyBhbnkgbW9yZSBydWxlcy4K KworICAgYGBERU5ZYGA6CisKKyAgICAgIElmIHRoZSBydWxlIG1hdGNoZXMsIGV4cGxpY2l0bHkg cHJvaGliaXQgYWNjZXNzIHRvIHRoZSByZXNvdXJjZSB0bworICAgICAgcHJvY2VlZCB3aXRob3V0 IGV4ZWN1dGluZyBhbnkgbW9yZSBydWxlcy4KKworYm9vdF92ZXJpZmllZAorfn5+fn5+fn5+fn5+ fgorCisgICBUaGlzIHByb3BlcnR5IGNhbiBiZSB1dGlsaXplZCBmb3IgYXV0aG9yaXphdGlvbiBv ZiB0aGUgZmlyc3Qgc3VwZXItYmxvY2sKKyAgIHRoYXQgZXhlY3V0ZXMgYSBmaWxlLiBUaGlzIGlz IGFsbW9zdCBhbHdheXMgaW5pdC4gVHlwaWNhbGx5IHRoaXMgaXMgdXNlZAorICAgZm9yIHN5c3Rl bXMgd2l0aCBhbiBpbml0cmFtZnMgb3Igb3RoZXIgaW5pdGlhbCBkaXNrLCB3aGVyZSB0aGlzIGlz IHVubW91bnRlZAorICAgYmVmb3JlIHRoZSBzeXN0ZW0gYmVjb21lcyBhdmFpbGFibGUsIGFuZCBp cyBub3QgY292ZXJlZCBieSBhbnkgb3RoZXIgcHJvcGVydHkuCisgICBUaGUgZm9ybWF0IG9mIHRo aXMgcHJvcGVydHkgaXM6OgorCisgICAgICAgICBib290X3ZlcmlmaWVkPShUUlVFfEZBTFNFKQor CisKKyAgIC4uIFdBUk5JTkc6OgorCisgICAgICBUaGlzIHByb3BlcnR5IHdpbGwgdHJ1c3QgYW55 IGRpc2sgd2hlcmUgdGhlIGZpcnN0IGV4ZWN1dGlvbiBldmFsdWF0aW9uCisgICAgICBvY2N1cnMu IElmIHlvdSBkbyAqTk9UKiBoYXZlIGEgc3RhcnR1cCBkaXNrIHRoYXQgaXMgdW5wYWNrZWQgYW5k IHVubW91bnRlZAorICAgICAgKGxpa2UgaW5pdHJhbWZzKSwgdGhlbiBpdCB3aWxsIGF1dG9tYXRp Y2FsbHkgdHJ1c3QgdGhlIHJvb3QgZmlsZXN5c3RlbSBhbmQKKyAgICAgIHBvdGVudGlhbGx5IG92 ZXJhdXRob3JpemUgdGhlIGVudGlyZSBkaXNrLgorCitkbXZlcml0eV9yb290aGFzaAorfn5+fn5+ fn5+fn5+fn5+fn4KKworICAgVGhpcyBwcm9wZXJ0eSBjYW4gYmUgdXRpbGl6ZWQgZm9yIGF1dGhv cml6YXRpb24gb3IgcmV2b2NhdGlvbiBvZgorICAgc3BlY2lmaWMgZG0tdmVyaXR5IHZvbHVtZXMs IGlkZW50aWZpZWQgdmlhIHNyb290IGhhc2guIEl0IGhhcyBhCisgICBkZXBlbmRlbmN5IG9uIHRo ZSBETV9WRVJJVFkgbW9kdWxlLiBUaGlzIHByb3BlcnR5IGlzIGNvbnRyb2xsZWQgYnkKKyAgIHRo ZSBgYElQRV9QUk9QX0RNX1ZFUklUWWBgIGNvbmZpZyBvcHRpb24sIGl0IHdpbGwgYmUgYXV0b21h dGljYWxseQorICAgc2VsZWN0ZWQgd2hlbiBgYElQRV9TRUNVUklUWWBgLCBgYERNX1ZFUklUWSBg YCBhbmQKKyAgIGBgRE1fVkVSSVRZX1ZFUklGWV9ST09USEFTSF9TSUdgYCBhcmUgYWxsIGVuYWJs ZWQuCisgICBUaGUgZm9ybWF0IG9mIHRoaXMgcHJvcGVydHkgaXM6OgorCisgICAgICBkbXZlcml0 eV9yb290aGFzaD1EaWdlc3ROYW1lOkhleGFkZWNpbWFsU3RyaW5nCisKKyAgIFRoZSBzdXBwb3J0 ZWQgRGlnZXN0TmFtZXMgZm9yIGRtdmVyaXR5X3Jvb3RoYXNoIGFyZSBbI2RtdmVyaXR5ZGlnZXN0 c11fIFsjc2VjdXJlZGlnZXN0XV8gOgorCisgICAgICArIGJsYWtlMmItNTEyCisgICAgICArIGJs YWtlMnMtMjU2CisgICAgICArIHNoYTEKKyAgICAgICsgc2hhMjU2CisgICAgICArIHNoYTM4NAor ICAgICAgKyBzaGE1MTIKKyAgICAgICsgc2hhMy0yMjQKKyAgICAgICsgc2hhMy0yNTYKKyAgICAg ICsgc2hhMy0zODQKKyAgICAgICsgc2hhMy01MTIKKyAgICAgICsgbWQ0CisgICAgICArIG1kNQor ICAgICAgKyBzbTMKKyAgICAgICsgcm1kMTYwCisKK2RtdmVyaXR5X3NpZ25hdHVyZQorfn5+fn5+ fn5+fn5+fn5+fn5+CisKKyAgIFRoaXMgcHJvcGVydHkgY2FuIGJlIHV0aWxpemVkIGZvciBhdXRo b3JpemF0aW9uIG9mIGFsbCBkbS12ZXJpdHkKKyAgIHZvbHVtZXMgdGhhdCBoYXZlIGEgc2lnbmVk IHJvb3RoYXNoIHRoYXQgY2hhaW5zIHRvIGEga2V5cmluZworICAgc3BlY2lmaWVkIGJ5IGRtLXZl cml0eSdzIGNvbmZpZ3VyYXRpb24sIGVpdGhlciB0aGUgc3lzdGVtIHRydXN0ZWQKKyAgIGtleXJp bmcsIG9yIHRoZSBzZWNvbmRhcnkga2V5cmluZy4gSXQgZGVwZW5kcyBvbgorICAgYGBETV9WRVJJ VFlfVkVSSUZZX1JPT1RIQVNIX1NJR2BgIGNvbmZpZyBvcHRpb24gYW5kIGlzIGNvbnRyb2xsZWQg YnkKKyAgIHRoZSBgYElQRV9QUk9QX0RNX1ZFUklUWWBgIGNvbmZpZyBvcHRpb24sIGl0IHdpbGwg YmUgYXV0b21hdGljYWxseQorICAgc2VsZWN0ZWQgd2hlbiBgYElQRV9TRUNVUklUWWBgLCBgYERN X1ZFUklUWSBgYCBhbmQKKyAgIGBgRE1fVkVSSVRZX1ZFUklGWV9ST09USEFTSF9TSUdgYCBhcmUg YWxsIGVuYWJsZWQuCisgICBUaGUgZm9ybWF0IG9mIHRoaXMgcHJvcGVydHkgaXM6OgorCisgICAg ICBkbXZlcml0eV9zaWduYXR1cmU9KFRSVUV8RkFMU0UpCisKK2ZzdmVyaXR5X2RpZ2VzdAorfn5+ fn5+fn5+fn5+fn5+CisKKyAgIFRoaXMgcHJvcGVydHkgY2FuIGJlIHV0aWxpemVkIGZvciBhdXRo b3JpemF0aW9uIG9yIHJldm9jYXRpb24gb2YKKyAgIHNwZWNpZmljIGZzdmVyaXR5IGVuYWJsZWQg ZmlsZSwgaWRlbnRpZmllZCB2aWEgaXRzIGZzdmVyaXR5IGRpZ2VzdC4KKyAgIEl0IGRlcGVuZHMg b24gYGBGU19WRVJJVFlgYCBjb25maWcgb3B0aW9uIGFuZCBpcyBjb250cm9sbGVkIGJ5CisgICBg YENPTkZJR19JUEVfUFJPUF9GU19WRVJJVFlgYC4gVGhlIGZvcm1hdCBvZiB0aGlzIHByb3BlcnR5 IGlzOjoKKworICAgICAgZnN2ZXJpdHlfZGlnZXN0PURpZ2VzdE5hbWU6SGV4YWRlY2ltYWxTdHJp bmcKKworICAgVGhlIHN1cHBvcnRlZCBEaWdlc3ROYW1lcyBmb3IgZG12ZXJpdHlfcm9vdGhhc2gg YXJlIFsjZnN2ZXJpdHlkaWdlc3RdIFsjc2VjdXJlZGlnZXN0XV8gOgorCisgICAgICArIHNoYTI1 NgorICAgICAgKyBzaGE1MTIKKworZnN2ZXJpdHlfc2lnbmF0dXJlCit+fn5+fn5+fn5+fn5+fn5+ fn4KKworICAgVGhpcyBwcm9wZXJ0eSBjYW4gYmUgdXRpbGl6ZWQgZm9yIGF1dGhvcml6YXRpb24g b2YgYWxsIGZzdmVyaXR5CisgICBlbmFibGVkIGZpbGVzIHRoYXQgaXMgdmVyaWZpZWQgYnkgZnN2 ZXJpdHkuIFRoZSBrZXlyaW5nIHRoYXQgdGhlCisgICBzaWduYXR1cmUgaXMgdmVyaWZpZWQgYWdh aW5zdCBpcyBzdWJqZWN0IHRvIGZzdmVyaXR5J3MgY29uZmlndXJhdGlvbiwKKyAgIHR5cGljYWxs eSB0aGUgZnN2ZXJpdHkga2V5cmluZy4gSXQgZGVwZW5kcyBvbgorICAgYGBDT05GSUdfRlNfVkVS SVRZX0JVSUxUSU5fU0lHTkFUVVJFU2BgIGFuZCAgaXQgaXMgY29udHJvbGxlZCBieQorICAgdGhl IEtjb25maWcgYGBDT05GSUdfSVBFX1BST1BfRlNfVkVSSVRZYGAuIFRoZSBmb3JtYXQgb2YgdGhp cworICAgcHJvcGVydHkgaXM6OgorCisgICAgICBmc3Zlcml0eV9zaWduYXR1cmU9KFRSVUV8RkFM U0UpCisKK1BvbGljeSBFeGFtcGxlcworLS0tLS0tLS0tLS0tLS0tCisKK0FsbG93IGFsbAorfn5+ fn5+fn5+CisKKzo6CisKKyAgIHBvbGljeV9uYW1lPUFsbG93X0FsbCBwb2xpY3lfdmVyc2lvbj0w LjAuMAorICAgREVGQVVMVCBhY3Rpb249QUxMT1cKKworQWxsb3cgb25seSBpbml0aWFsIHN1cGVy YmxvY2sKK35+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+CisKKzo6CisKKyAgIHBvbGljeV9u YW1lPUFsbG93X0FsbF9Jbml0aWFsX1NCIHBvbGljeV92ZXJzaW9uPTAuMC4wCisgICBERUZBVUxU IGFjdGlvbj1ERU5ZCisKKyAgIG9wPUVYRUNVVEUgYm9vdF92ZXJpZmllZD1UUlVFIGFjdGlvbj1B TExPVworCitBbGxvdyBhbnkgc2lnbmVkIGRtLXZlcml0eSB2b2x1bWUgYW5kIHRoZSBpbml0aWFs IHN1cGVyYmxvY2sKK35+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1NpZ25lZEFuZElu aXRpYWwgcG9saWN5X3ZlcnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURFTlkKKworICAg b3A9RVhFQ1VURSBib290X3ZlcmlmaWVkPVRSVUUgYWN0aW9uPUFMTE9XCisgICBvcD1FWEVDVVRF IGRtdmVyaXR5X3NpZ25hdHVyZT1UUlVFIGFjdGlvbj1BTExPVworCitQcm9oaWJpdCBleGVjdXRp b24gZnJvbSBhIHNwZWNpZmljIGRtLXZlcml0eSB2b2x1bWUKK35+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1B bGxvd1NpZ25lZEFuZEluaXRpYWwgcG9saWN5X3ZlcnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0 aW9uPURFTlkKKworICAgb3A9RVhFQ1VURSBkbXZlcml0eV9yb290aGFzaD1zaGEyNTY6Y2QyYzVi YWU3YzZjNTc5ZWRhYWU0MzUzMDQ5ZDU4ZWI1ZjJlOGJlMDI0NGJmMDUzNDViYzhlNWVkMjU3YmFm ZiBhY3Rpb249REVOWQorCisgICBvcD1FWEVDVVRFIGJvb3RfdmVyaWZpZWQ9VFJVRSBhY3Rpb249 QUxMT1cKKyAgIG9wPUVYRUNVVEUgZG12ZXJpdHlfc2lnbmF0dXJlPVRSVUUgYWN0aW9uPUFMTE9X CisKK0FsbG93IG9ubHkgYSBzcGVjaWZpYyBkbS12ZXJpdHkgdm9sdW1lCit+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xpY3lfbmFtZT1BbGxvd1Np Z25lZEFuZEluaXRpYWwgcG9saWN5X3ZlcnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURF TlkKKworICAgb3A9RVhFQ1VURSBkbXZlcml0eV9yb290aGFzaD1zaGEyNTY6NDAxZmNlYzU5NDQ4 MjNhZTEyZjYyNzI2ZTgxODQ0MDdhNWZhOTU5OTc4M2YwMzBkZWMxNDY5MzggYWN0aW9uPUFMTE9X CisKK0FsbG93IGFueSBzaWduZWQgZnMtdmVyaXR5IGZpbGUKK35+fn5+fn5+fn5+fn5+fn5+fn5+ fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fgorCis6OgorCisgICBwb2xp Y3lfbmFtZT1BbGxvd1NpZ25lZEZTVmVyaXR5IHBvbGljeV92ZXJzaW9uPTAuMC4wCisgICBERUZB VUxUIGFjdGlvbj1ERU5ZCisKKyAgIG9wPUVYRUNVVEUgZnN2ZXJpdHlfc2lnbmF0dXJlPVRSVUUg YWN0aW9uPUFMTE9XCisKK1Byb2hpYml0IGV4ZWN1dGlvbiBvZiBhIHNwZWNpZmljIGZzLXZlcml0 eSBmaWxlCit+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+ fn4KKworOjoKKworICAgcG9saWN5X25hbWU9UHJvaGliaXRTcGVjaWZpY0ZTVkYgcG9saWN5X3Zl cnNpb249MC4wLjAKKyAgIERFRkFVTFQgYWN0aW9uPURFTlkKKworICAgb3A9RVhFQ1VURSBmc3Zl cml0eV9kaWdlc3Q9c2hhMjU2OmZkODhmMmI4ODI0ZTE5N2Y4NTBiZjRjNTEwOWJlYTVjZjBlZTM4 MTA0ZjcxMDg0M2JiNzJkYTc5NmJhNWFmOWUgYWN0aW9uPURFTlkKKyAgIG9wPUVYRUNVVEUgYm9v dF92ZXJpZmllZD1UUlVFIGFjdGlvbj1BTExPVworICAgb3A9RVhFQ1VURSBkbXZlcml0eV9zaWdu YXR1cmU9VFJVRSBhY3Rpb249QUxMT1cKKworQWRkaXRpb25hbCBJbmZvcm1hdGlvbgorLS0tLS0t LS0tLS0tLS0tLS0tLS0tLQorCistIGBHaXRodWIgUmVwb3NpdG9yeSA8aHR0cHM6Ly9naXRodWIu Y29tL21pY3Jvc29mdC9pcGU+YF8KKy0gYERlc2lnbiBEb2N1bWVudGF0aW9uIDwvc2VjdXJpdHkv aXBlPmBfCisKK0ZBUQorLS0tCisKK1E6CisgICBXaGF0J3MgdGhlIGRpZmZlcmVuY2UgYmV0d2Vl biBvdGhlciBMU01zIHdoaWNoIHByb3ZpZGUgYSBtZWFzdXJlIG9mCisgICB0cnVzdC1iYXNlZCBh Y2Nlc3MgY29udHJvbD8KKworQToKKworICAgSW4gZ2VuZXJhbCwgdGhlcmUncyB0d28gb3RoZXIg TFNNcyB0aGF0IGNhbiBwcm92aWRlIHNpbWlsYXIgZnVuY3Rpb25hbGl0eToKKyAgIElNQSwgYW5k IExvYWRwaW4uCisKKyAgIElNQSBhbmQgSVBFIGFyZSBmdW5jdGlvbmFsbHkgdmVyeSBzaW1pbGFy LiBUaGUgc2lnbmlmaWNhbnQgZGlmZmVyZW5jZSBiZXR3ZWVuCisgICB0aGUgdHdvIGlzIHRoZSBw b2xpY3kuIFsjZGV2ZG9jXV8KKworICAgTG9hZHBpbiBhbmQgSVBFIGRpZmZlciBmYWlybHkgZHJh bWF0aWNhbGx5LCBhcyBMb2FkcGluIGNvbnRyb2xzIG9ubHkgdGhlIElQRQorICAgZXF1aXZhbGVu dCBvZiBgYEtFUk5FTF9SRUFEYGAsIHdoZXJlYXMgSVBFIGlzIGNhcGFibGUgb2YgY29udHJvbGxp bmcgZXhlY3V0aW9uLAorICAgb24gdG9wIG9mIGBgS0VSTkVMX1JFQURgYC4gVGhlIHRydXN0IG1v ZGVsIGlzIGFsc28gZGlmZmVyZW50OyBMb2FkcGluIHJvb3RzIGl0cworICAgdHJ1c3QgaW4gdGhl IGluaXRpYWwgc3VwZXItYmxvY2ssIHdoZXJlYXMgdHJ1c3QgaW4gSVBFIGlzIHN0ZW1tZWQgZnJv bSBrZXJuZWwKKyAgIGl0c2VsZiAodmlhIGBgU1lTVEVNX1RSVVNURURfS0VZU2BgKS4KKworLS0t LS0tLS0tLS0KKworLi4gWyNkaWdsaW1dIDE6IGh0dHBzOi8vbG9yZS5rZXJuZWwub3JnL2JwZi80 ZDY5MzJlOTZkNzc0MjI3YjQyNzIxZDlmNjQ1YmE1MUBodWF3ZWkuY29tL1QvCisKKy4uIFsjaW50 ZXJwcmV0ZXJzXSBUaGVyZSBpcyBgc29tZSBpbnRlcmVzdCBpbiBzb2x2aW5nIHRoaXMgaXNzdWUg PGh0dHBzOi8vbG9yZS5rZXJuZWwub3JnL2xrbWwvMjAyMjAzMjExNjE1NTcuNDk1Mzg4LTEtbWlj QGRpZ2lrb2QubmV0Lz5gXy4KKworLi4gWyNkZXZkb2NdIFBsZWFzZSBzZWUgYERvY3VtZW50YXRp b24vc2VjdXJpdHkvaXBlLnJzdGAgZm9yIG1vcmUgb24gdGhpcyB0b3BpYy4KKworLi4gWyNmc3Zl cml0eWRpZ2VzdF0gVGhlc2UgaGFzaCBhbGdvcml0aG1zIGFyZSBiYXNlZCBvbiB2YWx1ZXMgYWNj ZXB0ZWQgYnkgZnN2ZXJpdHktdXRpbHM7CisgICAgICAgICAgICAgICAgICAgICBJUEUgZG9lcyBu b3QgaW1wb3NlIGFueSByZXN0cmljdGlvbnMgb24gdGhlIGRpZ2VzdCBhbGdvcml0aG0gaXRzZWxm OworICAgICAgICAgICAgICAgICAgICAgdGh1cywgdGhpcyBsaXN0IG1heSBiZSBvdXQgb2YgZGF0 ZS4KKworLi4gWyNkbXZlcml0eWRpZ2VzdHNdIFRoZXNlIGhhc2ggYWxnb3JpdGhtcyBhcmUgYmFz ZWQgb24gdmFsdWVzIGFjY2VwdGVkIGJ5IGRtLXZlcml0eSwKKyAgICAgICAgICAgICAgICAgICAg ICBzcGVjaWZpY2FsbHkgYGBjcnlwdG9fYWxsb2NfYWhhc2hgYCBpbiBgYHZlcml0eV9jdHJgYDsg YGB2ZXJpdHlzZXR1cGBgCisgICAgICAgICAgICAgICAgICAgICAgZG9lcyBzdXBwb3J0IG1vcmUg YWxnb3JpdGhtcyB0aGFuIHRoZSBsaXN0IGFib3ZlLiBJUEUgZG9lcyBub3QgaW1wb3NlCisgICAg ICAgICAgICAgICAgICAgICAgYW55IHJlc3RyaWN0aW9ucyBvbiB0aGUgZGlnZXN0IGFsZ29yaXRo bSBpdHNlbGY7IHRodXMsIHRoaXMgbGlzdAorICAgICAgICAgICAgICAgICAgICAgIG1heSBiZSBv dXQgb2YgZGF0ZS4KKworLi4gWyNzZWN1cmVkaWdlc3RdIFBsZWFzZSBlbnN1cmUgeW91IGFyZSB1 c2luZyBjcnlwdG9ncmFwaGljYWxseSBzZWN1cmUgaGFzaCBmdW5jdGlvbnM7CisgICAgICAgICAg ICAgICAgICAganVzdCBiZWNhdXNlIHNvbWV0aGluZyBpcyAqc3VwcG9ydGVkKiBkb2VzIG5vdCBt ZWFuIGl0IGlzICpzZWN1cmUqLgpkaWZmIC0tZ2l0IGEvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlk ZS9rZXJuZWwtcGFyYW1ldGVycy50eHQgYi9Eb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL2tlcm5l bC1wYXJhbWV0ZXJzLnR4dAppbmRleCAwYTE3MzFhMGYwZWYuLjZhNzFkOWQ5YmUzNiAxMDA2NDQK LS0tIGEvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50eHQKKysr IGIvRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9rZXJuZWwtcGFyYW1ldGVycy50eHQKQEAgLTIy NjIsNiArMjI2MiwxOCBAQAogCWlwY21uaV9leHRlbmQJW0tOTF0gRXh0ZW5kIHRoZSBtYXhpbXVt IG51bWJlciBvZiB1bmlxdWUgU3lzdGVtIFYKIAkJCUlQQyBpZGVudGlmaWVycyBmcm9tIDMyLDc2 OCB0byAxNiw3NzcsMjE2LgogCisJaXBlLmVuZm9yY2U9CVtJUEVdCisJCQlGb3JtYXQ6IDxib29s PgorCQkJRGV0ZXJtaW5lIHdoZXRoZXIgSVBFIHN0YXJ0cyBpbiBwZXJtaXNzaXZlICgwKSBvcgor CQkJZW5mb3JjZSAoMSkgbW9kZS4gVGhlIGRlZmF1bHQgaXMgZW5mb3JjZS4KKworCWlwZS5zdWNj ZXNzX2F1ZGl0PQorCQkJW0lQRV0KKwkJCUZvcm1hdDogPGJvb2w+CisJCQlTdGFydCBJUEUgd2l0 aCBzdWNjZXNzIGF1ZGl0aW5nIGVuYWJsZWQsIGVtaXR0aW5nCisJCQlhbiBhdWRpdCBldmVudCB3 aGVuIGEgYmluYXJ5IGlzIGFsbG93ZWQuIFRoZSBkZWZhdWx0CisJCQlpcyAwLgorCiAJaXJxYWZm aW5pdHk9CVtTTVBdIFNldCB0aGUgZGVmYXVsdCBpcnEgYWZmaW5pdHkgbWFzawogCQkJVGhlIGFy Z3VtZW50IGlzIGEgY3B1IGxpc3QsIGFzIGRlc2NyaWJlZCBhYm92ZS4KIApkaWZmIC0tZ2l0IGEv RG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pbmRleC5yc3QgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5 L2luZGV4LnJzdAppbmRleCA2ZWQ4ZDJmYTZmOWUuLmE1MjQ4ZDRmZDUxMCAxMDA2NDQKLS0tIGEv RG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pbmRleC5yc3QKKysrIGIvRG9jdW1lbnRhdGlvbi9zZWN1 cml0eS9pbmRleC5yc3QKQEAgLTE4LDMgKzE4LDQgQEAgU2VjdXJpdHkgRG9jdW1lbnRhdGlvbgog ICAgZGlnc2lnCiAgICBsYW5kbG9jawogICAgc2VjcmV0cy9pbmRleAorICAgaXBlCmRpZmYgLS1n aXQgYS9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lwZS5yc3QgYi9Eb2N1bWVudGF0aW9uL3NlY3Vy aXR5L2lwZS5yc3QKbmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMDAwMDAwLi42YTQ3 YTJhYjVlMzkKLS0tIC9kZXYvbnVsbAorKysgYi9Eb2N1bWVudGF0aW9uL3NlY3VyaXR5L2lwZS5y c3QKQEAgLTAsMCArMSw0MjAgQEAKKy4uIFNQRFgtTGljZW5zZS1JZGVudGlmaWVyOiBHUEwtMi4w CisKK0ludGVncml0eSBQb2xpY3kgRW5mb3JjZW1lbnQgKElQRSkgLSBLZXJuZWwgRG9jdW1lbnRh dGlvbgorPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09CisKKy4uIE5PVEU6OgorCisgICBUaGlzIGlzIGRvY3VtZW50YXRpb24gdGFyZ2V0ZWQg YXQgZGV2ZWxvcGVycywgaW5zdGVhZCBvZiBhZG1pbmlzdHJhdG9ycy4KKyAgIElmIHlvdSdyZSBs b29raW5nIGZvciBkb2N1bWVudGF0aW9uIG9uIHRoZSB1c2FnZSBvZiBJUEUsIHBsZWFzZSBzZWUK KyAgIGBEb2N1bWVudGF0aW9uL2FkbWluLWd1aWRlL0xTTS9pcGUucnN0YAorCitIaXN0b3JpY2Fs IE1vdGl2YXRpb24KKy0tLS0tLS0tLS0tLS0tLS0tLS0tLQorCitUaGUgb3JpZ2luYWwgaXNzdWUg dGhhdCBwcm9tcHRlZCBJUEUncyBpbXBsZW1lbnRhdGlvbiB3YXMgdGhlIGNyZWF0aW9uCitvZiBh IGxvY2tlZC1kb3duIHN5c3RlbS4gVGhpcyBzeXN0ZW0gd291bGQgYmUgYm9ybi1zZWN1cmUsIGFu ZCBoYXZlCitzdHJvbmcgaW50ZWdyaXR5IGd1YXJhbnRlZXMgb3ZlciBib3RoIHRoZSBleGVjdXRh YmxlIGNvZGUsIGFuZCBzcGVjaWZpYworKmRhdGEgZmlsZXMqIG9uIHRoZSBzeXN0ZW0sIHRoYXQg d2VyZSBjcml0aWNhbCB0byBpdHMgZnVuY3Rpb24uIFRoZXNlCitzcGVjaWZpYyBkYXRhIGZpbGVz IHdvdWxkIG5vdCBiZSByZWFkYWJsZSB1bmxlc3MgdGhleSBwYXNzZWQgaW50ZWdyaXR5Citwb2xp Y3kuIEEgbWFuZGF0b3J5IGFjY2VzcyBjb250cm9sIHN5c3RlbSB3b3VsZCBiZSBwcmVzZW50LCBh bmQKK2FzIGEgcmVzdWx0LCB4YXR0cnMgd291bGQgaGF2ZSB0byBiZSBwcm90ZWN0ZWQuIFRoaXMg bGVhZCB0byBhIHNlbGVjdGlvbgorb2Ygd2hhdCB3b3VsZCBwcm92aWRlIHRoZSBpbnRlZ3JpdHkg Y2xhaW1zLiBBdCB0aGUgdGltZSwgdGhlcmUgd2VyZSB0d28KK21haW4gbWVjaGFuaXNtcyBjb25z aWRlcmVkIHRoYXQgY291bGQgZ3VhcmFudGVlIGludGVncml0eSBmb3IgdGhlIHN5c3RlbQord2l0 aCB0aGVzZSByZXF1aXJlbWVudHM6CisKKyAgMS4gSU1BICsgRVZNIFNpZ25hdHVyZXMKKyAgMi4g RE0tVmVyaXR5CisKK0JvdGggb3B0aW9ucyB3ZXJlIGNhcmVmdWxseSBjb25zaWRlcmVkLCBob3dl dmVyIHRoZSBjaG9pY2UgdG8gdXNlIERNLVZlcml0eQorb3ZlciBJTUErRVZNIGFzIHRoZSAqaW50 ZWdyaXR5IG1lY2hhbmlzbSogaW4gdGhlIG9yaWdpbmFsIHVzZSBjYXNlIG9mIElQRQord2FzIGR1 ZSB0byB0aHJlZSBtYWluIHJlYXNvbnM6CisKKyAgMS4gUHJvdGVjdGlvbiBvZiBhZGRpdGlvbmFs IGF0dGFjayB2ZWN0b3JzOgorCisgICAgKiBXaXRoIElNQStFVk0sIHdpdGhvdXQgYW4gZW5jcnlw dGlvbiBzb2x1dGlvbiwgdGhlIHN5c3RlbSBpcyB2dWxuZXJhYmxlCisgICAgICB0byBvZmZsaW5l IGF0dGFjayBhZ2FpbnN0IHRoZSBhZm9yZW1ldGlvbmVkIHNwZWNpZmljIGRhdGEgZmlsZXMuCisK KyAgICAgIFVubGlrZSBleGVjdXRhYmxlcywgcmVhZCBvcGVyYXRpb25zIChsaWtlIHRob3NlIG9u IHRoZSBwcm90ZWN0ZWQgZGF0YQorICAgICAgZmlsZXMpLCBjYW5ub3QgYmUgZW5mb3JjZWQgdG8g YmUgZ2xvYmFsbHkgaW50ZWdydGl5IHZlcmlmaWVkLiBUaGlzIG1lYW5zCisgICAgICB0aGVyZSBt dXN0IGJlIHNvbWUgZm9ybSBvZiBzZWxlY3RvciB0byBkZXRlcm1pbmUgd2hldGhlciBhIHJlYWQg c2hvdWxkCisgICAgICBlbmZvcmNlIHRoZSBpbnRlZ3JpdHkgcG9saWN5LCBvciBpdCBzaG91bGQg bm90LgorCisgICAgICBBdCB0aGUgdGltZSwgdGhpcyB3YXMgZG9uZSB3aXRoIG1hbmRhdG9yeSBh Y2Nlc3MgY29udHJvbCBsYWJlbHMuIEFuIElNQQorICAgICAgcG9saWN5IHdvdWxkIGluZGljYXRl IHdoYXQgbGFiZWxzIHJlcXVpcmVkIGludGVncml0eSB2ZXJpZmljYXRpb24sIHdoaWNoCisgICAg ICBwcmVzZW50ZWQgYW4gaXNzdWU6IEVWTSB3b3VsZCBwcm90ZWN0IHRoZSBsYWJlbCwgYnV0IGlm IGFuIGF0dGFja2VyIGNvdWxkCisgICAgICBtb2RpZnkgZmlsZXN5c3RlbSBvZmZsaW5lLCB0aGUg YXR0YWNrZXIgY291bGQgd2lwZSBhbGwgdGhlIHhhdHRycyAtCisgICAgICBpbmNsdWRpbmcgdGhl IFNFTGludXggbGFiZWxzIHRoYXQgd291bGQgYmUgdXNlZCB0byBkZXRlcm1pbmUgd2hldGhlciB0 aGUKKyAgICAgIGZpbGUgc2hvdWxkIGJlIHN1YmplY3QgdG8gaW50ZWdyaXR5IHBvbGljeS4KKwor ICAgICAgV2l0aCBETS1WZXJpdHksIGFzIHRoZSB4YXR0cnMgYXJlIHNhdmVkIGFzIHBhcnQgb2Yg dGhlIG1lcmtlbCB0cmVlLCBpZgorICAgICAgb2ZmbGluZSBtb3VudCBvY2N1cnMgYWdhaW5zdCB0 aGUgZmlsZXN5c3RlbSBwcm90ZWN0ZWQgYnkgZG0tdmVyaXR5LCB0aGUKKyAgICAgIGNoZWNrc3Vt IG5vIGxvbmdlciBtYXRjaGVzIGFuZCB0aGUgZmlsZSBmYWlscyB0byBiZSByZWFkLgorCisgICAg KiBBcyB1c2Vyc3BhY2UgYmluYXJpZXMgYXJlIHBhZ2VkIGluIExpbnV4LCBkbS12ZXJpdHkgYWxz byBvZmZlcnMgdGhlCisgICAgICBhZGRpdGlvbmFsIHByb3RlY3Rpb24gYWdhaW5zdCBhIGhvc3Rp bGUgYmxvY2sgZGV2aWNlLiBJbiBzdWNoIGFuIGF0dGFjaywKKyAgICAgIHRoZSBibG9jayBkZXZp Y2UgcmVwb3J0cyB0aGUgYXBwcm9wcmlhdGUgY29udGVudCBmb3IgdGhlIElNQSBoYXNoCisgICAg ICBpbml0aWFsbHksIHBhc3NpbmcgdGhlIHJlcXVpcmVkIGludGVncml0eSBjaGVjay4gVGhlbiwg b24gdGhlIHBhZ2UgZmF1bHQKKyAgICAgIHRoYXQgYWNjZXNzZXMgdGhlIHJlYWwgZGF0YSwgd2ls bCByZXBvcnQgdGhlIGF0dGFja2VyJ3MgcGF5bG9hZC4gU2luY2UKKyAgICAgIGRtLXZlcml0eSB3 aWxsIGNoZWNrIHRoZSBkYXRhIHdoZW4gdGhlIHBhZ2UgZmF1bHQgb2NjdXJzIChhbmQgdGhlIGRp c2sKKyAgICAgIGFjY2VzcyksIHRoaXMgYXR0YWNrIGlzIG1pdGlnYXRlZC4KKworICAyLiBQZXJm b3JtYW5jZToKKworICAgICogZG0tdmVyaXR5IHByb3ZpZGVzIGludGVncml0eSB2ZXJpZmljYXRp b24gb24gZGVtYW5kIGFzIGJsb2NrcyBhcmUKKyAgICAgIHJlYWQgdmVyc3VzIHJlcXVpcmluZyB0 aGUgZW50aXJlIGZpbGUgYmVpbmcgcmVhZCBpbnRvIG1lbW9yeSBmb3IKKyAgICAgIHZhbGlkYXRp b24uCisKKyAgMy4gU2ltcGxpY2l0eSBvZiBzaWduaW5nOgorCisgICAgKiBObyBuZWVkIGZvciB0 d28gc2lnbmF0dXJlcyAoSU1BLCB0aGVuIEVWTSk6IG9uZSBzaWduYXR1cmUgY292ZXJzCisgICAg ICBhbiBlbnRpcmUgYmxvY2sgZGV2aWNlLgorICAgICogU2lnbmF0dXJlcyBjYW4gYmUgc3RvcmVk IGV4dGVybmFsbHkgdG8gdGhlIGZpbGVzeXN0ZW0gbWV0YWRhdGEuCisgICAgKiBUaGUgc2lnbmF0 dXJlIHN1cHBvcnRzIGFuIHguNTA5LWJhc2VkIHNpZ25pbmcgaW5mcmFzdHJ1Y3R1cmUuCisKK1Ro ZSBuZXh0IHN0ZXAgd2FzIHRvIGNob29zZSBhICpwb2xpY3kqIHRvIGVuZm9yY2UgdGhlIGludGVn cml0eSBtZWNoYW5pc20uCitUaGUgbWluaW11bSByZXF1aXJlbWVudHMgZm9yIHRoZSBwb2xpY3kg d2VyZToKKworICAxLiBUaGUgcG9saWN5IGl0c2VsZiBtdXN0IGJlIGludGVncml0eSB2ZXJpZmll ZCAocHJldmVudGluZyB0cml2aWFsCisgICAgIGF0dGFjayBhZ2FpbnN0IGl0KS4KKyAgMi4gVGhl IHBvbGljeSBpdHNlbGYgbXVzdCBiZSByZXNpc3RhbnQgdG8gcm9sbGJhY2sgYXR0YWNrcy4KKyAg My4gVGhlIHBvbGljeSBlbmZvcmNlbWVudCBtdXN0IGhhdmUgYSBwZXJtaXNzaXZlLWxpa2UgbW9k ZS4KKyAgNC4gVGhlIHBvbGljeSBtdXN0IGJlIGFibGUgdG8gYmUgdXBkYXRlZCwgaW4gaXRzIGVu dGlyZXR5LCB3aXRob3V0CisgICAgIGEgcmVib290LgorICA1LiBQb2xpY3kgdXBkYXRlcyBtdXN0 IGJlIGF0b21pYy4KKyAgNi4gVGhlIHBvbGljeSBtdXN0IHN1cHBvcnQgKnJldm9jYXRpb25zKiBv ZiBwcmV2aW91c2x5IGF1dGhvcmVkCisgICAgIGNvbXBvbmVudHMuCisgIDcuIFRoZSBwb2xpY3kg bXVzdCBiZSBhdWRpdGFibGUsIGF0IGFueSBwb2ludC1vZi10aW1lLgorCitJTUEsIGFzIHRoZSBv bmx5IGludGVncml0eSBwb2xpY3kgbWVjaGFuaXNtIGF0IHRoZSB0aW1lLCB3YXMKK2NvbnNpZGVy ZWQgYWdhaW5zdCB0aGVzZSBsaXN0IG9mIHJlcXVpcmVtZW50cywgYW5kIGRpZCBub3QgZnVsZmls bAorYWxsIG9mIHRoZSBtaW5pbXVtIHJlcXVpcmVtZW50cy4gRXh0ZW5kaW5nIElNQSB0byBjb3Zl ciB0aGVzZQorcmVxdWlyZW1lbnRzIHdhcyBjb25zaWRlcmVkLCBidXQgdWx0aW1hdGVseSBkaXNj YXJkZWQgZm9yIGEKK3R3byByZWFzb25zOgorCisgIDEuIFJlZ3Jlc3Npb24gcmlzazsgbWFueSBv ZiB0aGVzZSBjaGFuZ2VzIHdvdWxkIHJlc3VsdCBpbgorICAgICBkcmFtYXRpYyBjb2RlIGNoYW5n ZXMgdG8gSU1BLCB3aGljaCBpcyBhbHJlYWR5IHByZXNlbnQgaW4gdGhlCisgICAgIGtlcm5lbCwg YW5kIHRoZXJlZm9yZSBtaWdodCBpbXBhY3QgdXNlcnMuCisKKyAgMi4gSU1BIHdhcyB1c2VkIGlu IHRoZSBzeXN0ZW0gZm9yIG1lYXN1cmVtZW50IGFuZCBhdHRlc3RhdGlvbjsKKyAgICAgc2VwYXJh dGlvbiBvZiBtZWFzdXJlbWVudCBwb2xpY3kgZnJvbSBsb2NhbCBpbnRlZ3JpdHkgcG9saWN5Cisg ICAgIGVuZm9yY2VtZW50IHdhcyBjb25zaWRlcmVkIGZhdm9yYWJsZS4KKworRHVlIHRvIHRoZXNl IHJlYXNvbnMsIGl0IHdhcyBkZWNpZGVkIHRoYXQgYSBuZXcgTFNNIHNob3VsZCBiZSBjcmVhdGVk LAord2hvc2UgcmVzcG9uc2liaWxpdHkgd291bGQgYmUgb25seSB0aGUgbG9jYWwgaW50ZWdyaXR5 IHBvbGljeSBlbmZvcmNlbWVudC4KKworUm9sZSBhbmQgU2NvcGUKKy0tLS0tLS0tLS0tLS0tCisK K0lQRSwgYXMgaXRzIG5hbWUgaW1wbGllcywgaXMgZnVuZGFtZW50YWxseSBhbiBpbnRlZ3JpdHkg cG9saWN5IGVuZm9yY2VtZW50Citzb2x1dGlvbjsgSVBFIGRvZXMgbm90IG1hbmRhdGUgaG93IGlu dGVncml0eSBpcyBwcm92aWRlZCwgYnV0IGluc3RlYWQKK2xlYXZlcyB0aGF0IGRlY2lzaW9uIHRv IHRoZSBzeXN0ZW0gYWRtaW5pc3RyYXRvciB0byBzZXQgdGhlIHNlY3VyaXR5IGJhciwKK3ZpYSB0 aGUgbWVjaGFuaXNtcyB0aGF0IHRoZXkgc2VsZWN0IHRoYXQgc3VpdCB0aGVpciBpbmRpdmlkdWFs IG5lZWRzLgorVGhlcmUgYXJlIHNldmVyYWwgZGlmZmVyZW50IGludGVncml0eSBzb2x1dGlvbnMg dGhhdCBwcm92aWRlIGEgZGlmZmVyZW50CitsZXZlbCBvZiBzZWN1cml0eSBndWFyYW50ZWVzOyBh bmQgSVBFIGFsbG93cyBzeXNhZG1pbnMgdG8gZXhwcmVzcyBwb2xpY3kgZm9yCit0aGVvcmV0aWNh bGx5IGFsbCBvZiB0aGVtLgorCitJUEUgZG9lcyBub3QgaGF2ZSBhbiBpbmhlcmVudCBtZWNoYW5p c20gdG8gZW5zdXJlIGludGVncml0eSBvbiBpdHMgb3duLgorSW5zdGVhZCwgdGhlcmUgYXJlIG1v cmUgZWZmZWN0aXZlIGxheWVycyBhdmFpbGFibGUgZm9yIGJ1aWxkaW5nIHN5c3RlbXMgdGhhdAor Y2FuIGd1YXJhbnRlZSBpbnRlZ3JpdHkuIEl0J3MgaW1wb3J0YW50IHRvIG5vdGUgdGhhdCB0aGUg bWVjaGFuaXNtIGZvciBwcm92aW5nCitpbnRlZ3JpdHkgaXMgaW5kZXBlbmRlbnQgb2YgdGhlIHBv bGljeSBmb3IgZW5mb3JjaW5nIHRoYXQgaW50ZWdyaXR5IGNsYWltLgorCitUaGVyZWZvcmUsIElQ RSB3YXMgZGVzaWduZWQgYXJvdW5kOgorCisgIDEuIEVhc3kgaW50ZWdyYXRpb25zIHdpdGggaW50 ZWdyaXR5IHByb3ZpZGVycy4KKyAgMi4gRWFzZSBvZiB1c2UgZm9yIHBsYXRmb3JtIGFkbWluaXN0 cmF0b3JzL3N5c2FkbWlucy4KKworRGVzaWduIFJhdGlvbmFsZToKKy0tLS0tLS0tLS0tLS0tLS0t CisKK0lQRSB3YXMgZGVzaWduZWQgYWZ0ZXIgZXZhbHVhdGluZyBleGlzdGluZyBpbnRlZ3JpdHkg cG9saWN5IHNvbHV0aW9ucworaW4gb3RoZXIgb3BlcmF0aW5nIHN5c3RlbXMgYW5kIGVudmlyb25t ZW50cy4gSW4gdGhpcyBzdXJ2ZXkgb2Ygb3RoZXIKK2ltcGxlbWVudGF0aW9ucywgdGhlcmUgd2Vy ZSBhIGZldyBwaXRmYWxscyBpZGVudGlmaWVkOgorCisgIDEuIFBvbGljaWVzIHdlcmUgbm90IHJl YWRhYmxlIGJ5IGh1bWFucywgdXN1YWxseSByZXF1aXJpbmcgYSBiaW5hcnkKKyAgICAgaW50ZXJt ZWRpYXJ5IGZvcm1hdC4KKyAgMi4gQSBzaW5nbGUsIG5vbi1jdXN0b21pemFibGUgYWN0aW9uIHdh cyBpbXBsaWNpdGx5IHRha2VuIGFzIGEgZGVmYXVsdC4KKyAgMy4gRGVidWdnaW5nIHRoZSBwb2xp Y3kgcmVxdWlyZWQgbWFudWFsIHN0ZXBzIHRvIGRldGVybWluZSB3aGF0IHJ1bGUgd2FzIHZpb2xh dGVkLgorICA0LiBBdXRob3JpbmcgYSBwb2xpY3kgcmVxdWlyZWQgYW4gaW4tZGVwdGgga25vd2xl ZGdlIG9mIHRoZSBsYXJnZXIgc3lzdGVtLAorICAgICBvciBvcGVyYXRpbmcgc3lzdGVtLgorCitJ UEUgYXR0ZW1wdHMgdG8gYXZvaWQgYWxsIG9mIHRoZXNlIHBpdGZhbGxzLgorCitQb2xpY3kKK35+ fn5+fgorCitQbGFpbiBUZXh0CiteXl5eXl5eXl5eCisKK0lQRSdzIHBvbGljeSBpcyBwbGFpbi10 ZXh0LiBUaGlzIGludHJvZHVjZXMgc2xpZ2h0bHkgbGFyZ2VyIHBvbGljeSBmaWxlcyB0aGFuCitv dGhlciBMU01zLCBidXQgc29sdmVzIHR3byBtYWpvciBwcm9ibGVtcyB0aGF0IG9jY3VycyB3aXRo IHNvbWUgaW50ZWdyaXR5IHBvbGljeQorc29sdXRpb25zIG9uIG90aGVyIHBsYXRmb3Jtcy4KKwor VGhlIGZpcnN0IGlzc3VlIGlzIG9uZSBvZiBjb2RlIG1haW50ZW5hbmNlIGFuZCBkdXBsaWNhdGlv bi4gVG8gYXV0aG9yIHBvbGljaWVzLAordGhlIHBvbGljeSBoYXMgdG8gYmUgc29tZSBmb3JtIG9m IHN0cmluZyByZXByZXNlbnRhdGlvbiAoYmUgaXQgc3RydWN0dXJlZCwKK3Rocm91Z2ggWE1MLCBK U09OLCBZQU1MLCBldGNldGVyYSksIHRvIGFsbG93IHRoZSBwb2xpY3kgYXV0aG9yIHRvIHVuZGVy c3RhbmQKK3doYXQgaXMgYmVpbmcgd3JpdHRlbi4gSW4gYSBoeXBvdGhldGljYWwgYmluYXJ5IHBv bGljeSBkZXNpZ24sIGEgc2VyaWFsaXplcgoraXMgbmVjZXNzYXJ5IHRvIHdyaXRlIHRoZSBwb2xp Y3kgZnJvbSB0aGUgaHVtYW4gcmVhZGFibGUgZm9ybSwgdG8gdGhlIGJpbmFyeQorZm9ybSwgYW5k IGEgZGVzZXJpYWxpemVyIGlzIG5lZWRlZCB0byBpbnRlcnByZXQgdGhlIGJpbmFyeSBmb3JtIGlu dG8gYSBkYXRhCitzdHJ1Y3R1cmUgaW4gdGhlIGtlcm5lbC4KKworRXZlbnR1YWxseSwgYW5vdGhl ciBkZXNlcmlhbGl6ZXIgd2lsbCBiZSBuZWVkZWQgdG8gdHJhbnNmb3JtIHRoZSBiaW5hcnkgZnJv bQorYmFjayBpbnRvIHRoZSBodW1hbi1yZWFkYWJsZSBmb3JtIHdpdGggYXMgbXVjaCBpbmZvcm1h dGlvbiBwcmVzZXJ2ZWQuIFRoaXMgaXMgYmVjYXVzZSBhCit1c2VyIG9mIHRoaXMgYWNjZXNzIGNv bnRyb2wgc3lzdGVtIHdpbGwgaGF2ZSB0byBrZWVwIGEgbG9va3VwIHRhYmxlIG9mIGEgY2hlY2tz dW0KK2FuZCB0aGUgb3JpZ2luYWwgZmlsZSBpdHNlbGYgdG8gdHJ5IHRvIHVuZGVyc3RhbmQgd2hh dCBwb2xpY2llcyBoYXZlIGJlZW4gZGVwbG95ZWQKK29uIHRoaXMgc3lzdGVtIGFuZCB3aGF0IHBv bGljaWVzIGhhdmUgbm90LiBGb3IgYSBzaW5nbGUgdXNlciwgdGhpcyBtYXkgYmUgYWxyaWdodCwK K2FzIG9sZCBwb2xpY2llcyBjYW4gYmUgZGlzY2FyZGVkIGFsbW9zdCBpbW1lZGlhdGVseSBhZnRl ciB0aGUgdXBkYXRlIHRha2VzIGhvbGQuCitGb3IgdXNlcnMgdGhhdCBtYW5hZ2UgY29tcHV0ZXIg ZmxlZXRzIGluIHRoZSB0aG91c2FuZHMsIGlmIG5vdCBodW5kcmVkcyBvZiB0aG91c2FuZHMsCit3 aXRoIG11bHRpcGxlIGRpZmZlcmVudCBvcGVyYXRpbmcgc3lzdGVtcywgYW5kIG11bHRpcGxlIGRp ZmZlcmVudCBvcGVyYXRpb25hbCBuZWVkcywKK3RoaXMgcXVpY2tseSBiZWNvbWVzIGFuIGlzc3Vl LCBhcyBzdGFsZSBwb2xpY2llcyBmcm9tIHllYXJzIGFnbyBtYXkgYmUgcHJlc2VudCwKK3F1aWNr bHkgcmVzdWx0aW5nIGluIHRoZSBuZWVkIHRvIHJlY292ZXIgdGhlIHBvbGljeSBvciBmdW5kIGV4 dGVuc2l2ZSBpbmZyYXN0cnVjdHVyZQordG8gdHJhY2sgd2hhdCBlYWNoIHBvbGljeSBjb250YWlu cy4KKworV2l0aCBub3cgdGhyZWUgc2VwYXJhdGUgc2VyaWFsaXplci9kZXNlcmlhbGl6ZXJzLCBt YWludGVuYW5jZSBiZWNvbWVzIGNvc3RseS4gSWYgdGhlCitwb2xpY3kgYXZvaWRzIHRoZSBiaW5h cnkgZm9ybWF0LCB0aGVyZSBpcyBvbmx5IG9uZSByZXF1aXJlZCBzZXJpYWxpemVyOiBmcm9tIHRo ZQoraHVtYW4tcmVhZGFibGUgZm9ybSB0byB0aGUgZGF0YSBzdHJ1Y3R1cmUgaW4ga2VybmVsLCBz YXZpbmcgb24gY29kZSBtYWludGVuYW5jZSwKK2FuZCByZXRhaW5pbmcgb3BlcmFiaWxpdHkuCisK K1RoZSBzZWNvbmQgaXNzdWUgd2l0aCBhIGJpbmFyeSBmb3JtYXQgaXMgb25lIG9mIHRyYW5zcGFy ZW5jeS4gQXMgSVBFIGNvbnRyb2xzCithY2Nlc3MgYmFzZWQgb24gdGhlIHRydXN0IG9mIHRoZSBz eXN0ZW0ncyByZXNvdXJjZXMsIGl0J3MgcG9saWN5IG11c3QgYWxzbyBiZQordHJ1c3RlZCB0byBi ZSBjaGFuZ2VkLiBUaGlzIGlzIGRvbmUgdGhyb3VnaCBzaWduYXR1cmVzLCByZXN1bHRpbmcgaW4g bmVlZGluZworc2lnbmluZyBhcyBhIHByb2Nlc3MuIFNpZ25pbmcsIGFzIGEgcHJvY2VzcywgaXMg dHlwaWNhbGx5IGRvbmUgd2l0aCBhCitoaWdoIHNlY3VyaXR5IGJhciwgYXMgYW55dGhpbmcgc2ln bmVkIGNhbiBiZSB1c2VkIHRvIGF0dGFjayBpbnRlZ3JpdHkKK2VuZm9yY2VtZW50IHN5c3RlbXMu IEl0IGlzIGFsc28gaW1wb3J0YW50IHRoYXQsIHdoZW4gc2lnbmluZyBzb21ldGhpbmcsIHRoYXQK K3RoZSBzaWduZXIgaXMgYXdhcmUgb2Ygd2hhdCB0aGV5IGFyZSBzaWduaW5nLiBBIGJpbmFyeSBw b2xpY3kgY2FuIGNhdXNlCitvYmZ1c2NhdGlvbiBvZiB0aGF0IGZhY3Q7IHdoYXQgc2lnbmVycyBz ZWUgaXMgYW4gb3BhcXVlIGJpbmFyeSBibG9iLiBBCitwbGFpbi10ZXh0IHBvbGljeSwgb24gdGhl IG90aGVyIGhhbmQsIHRoZSBzaWduZXJzIHNlZSB0aGUgYWN0dWFsIHBvbGljeQorc3VibWl0dGVk IGZvciBzaWduaW5nLgorCitCb290IFBvbGljeQorfn5+fn5+fn5+fn4KKworSVBFLCBpZiBjb25m aWd1cmVkIGFwcHJvcHJpYXRlbHksIGlzIGFibGUgdG8gZW5mb3JjZSBhIHBvbGljeSBhcyBzb29u IGFzIGEKK2tlcm5lbCBpcyBib290ZWQgYW5kIHVzZXJtb2RlIHN0YXJ0cy4gVGhhdCBpbXBsaWVz IHNvbWUgbGV2ZWwgb2Ygc3RvcmFnZQorb2YgdGhlIHBvbGljeSB0byBhcHBseSB0aGUgbWludXRl IHVzZXJtb2RlIHN0YXJ0cy4gR2VuZXJhbGx5LCB0aGF0IHN0b3JhZ2UKK2NhbiBiZSBoYW5kbGVk IGluIG9uZSBvZiB0aHJlZSB3YXlzOgorCisgIDEuIFRoZSBwb2xpY3kgZmlsZShzKSBsaXZlIG9u IGRpc2sgYW5kIHRoZSBrZXJuZWwgbG9hZHMgdGhlIHBvbGljeSBwcmlvcgorICAgICB0byBhbiBj b2RlIHBhdGggdGhhdCB3b3VsZCByZXN1bHQgaW4gYW4gZW5mb3JjZW1lbnQgZGVjaXNpb24uCisg IDIuIFRoZSBwb2xpY3kgZmlsZShzKSBhcmUgcGFzc2VkIGJ5IHRoZSBib290bG9hZGVyIHRvIHRo ZSBrZXJuZWwsIHdobworICAgICBwYXJzZXMgdGhlIHBvbGljeS4KKyAgMy4gVGhlcmUgaXMgYSBw b2xpY3kgZmlsZSB0aGF0IGlzIGNvbXBpbGVkIGludG8gdGhlIGtlcm5lbCB0aGF0IGlzCisgICAg IHBhcnNlZCBhbmQgZW5mb3JjZWQgb24gaW5pdGlhbGl6YXRpb24uCisKK1RoZSBmaXJzdCBvcHRp b24gaGFzIHByb2JsZW1zOiB0aGUga2VybmVsIHJlYWRpbmcgZmlsZXMgZnJvbSB1c2Vyc3BhY2UK K2lzIHR5cGljYWxseSBkaXNjb3VyYWdlZCBhbmQgdmVyeSB1bmNvbW1vbiBpbiB0aGUga2VybmVs LgorCitUaGUgc2Vjb25kIG9wdGlvbiBhbHNvIGhhcyBwcm9ibGVtczogTGludXggc3VwcG9ydHMg YSB2YXJpZXR5IG9mIGJvb3Rsb2FkZXJzCithY3Jvc3MgaXRzIGVudGlyZSBlY29zeXN0ZW0gLSBl dmVyeSBib290bG9hZGVyIHdvdWxkIGhhdmUgdG8gc3VwcG9ydCB0aGlzCituZXcgbWV0aG9kb2xv Z3kgb3IgdGhlcmUgbXVzdCBiZSBhbiBpbmRlcGVuZGVudCBzb3VyY2UuIEl0IHdvdWxkIGxpa2Vs eQorcmVzdWx0IGluIG1vcmUgZHJhc3RpYyBjaGFuZ2VzIHRvIHRoZSBrZXJuZWwgc3RhcnR1cCB0 aGFuIG5lY2Vzc2FyeS4KKworVGhlIHRoaXJkIG9wdGlvbiBpcyB0aGUgYmVzdCBidXQgaXQncyBp bXBvcnRhbnQgdG8gYmUgYXdhcmUgdGhhdCB0aGUgcG9saWN5Cit3aWxsIHRha2UgZGlzayBzcGFj ZSBhZ2FpbnN0IHRoZSBrZXJuZWwgaXQncyBjb21waWxlZCBpbi4gSXQncyBpbXBvcnRhbnQgdG8K K2tlZXAgdGhpcyBwb2xpY3kgZ2VuZXJhbGl6ZWQgZW5vdWdoIHRoYXQgdXNlcnNwYWNlIGNhbiBs b2FkIGEgbmV3LCBtb3JlCitjb21wbGljYXRlZCBwb2xpY3ksIGJ1dCByZXN0cmljdGl2ZSBlbm91 Z2ggdGhhdCBpdCB3aWxsIG5vdCBvdmVyYXV0aG9yaXplCithbmQgY2F1c2Ugc2VjdXJpdHkgaXNz dWVzLgorCitUaGUgaW5pdHJhbWZzIHByb3ZpZGVzIGEgd2F5IHRoYXQgdGhpcyBib290dXAgcGF0 aCBjYW4gYmUgZXN0YWJsaXNoZWQuIFRoZQora2VybmVsIHN0YXJ0cyB3aXRoIGEgbWluaW1hbCBw b2xpY3ksIHRoYXQgdHJ1c3RzIHRoZSBpbml0cmFtZnMgb25seS4gSW5zaWRlCit0aGUgaW5pdHJh bWZzLCB3aGVuIHRoZSByZWFsIHJvb3RmcyBpcyBtb3VudGVkLCBidXQgbm90IHlldCB0cmFuc2Zl cnJlZCB0bywKK2l0IGRlcGxveXMgYW5kIGFjdGl2YXRlcyBhIHBvbGljeSB0aGF0IHRydXN0cyB0 aGUgbmV3IHJvb3QgZmlsZXN5c3RlbS4KK1RoaXMgcHJldmVudHMgb3ZlcmF1dGhvcml6YXRpb24g YXQgYW55IHN0ZXAsIGFuZCBrZWVwcyB0aGUga2VybmVsIHBvbGljeQordG8gYSBtaW5pbWFsIHNp emUuCisKK1N0YXJ0dXAKK15eXl5eXl4KKworTm90IGV2ZXJ5IHN5c3RlbSwgaG93ZXZlciBzdGFy dHMgd2l0aCBhbiBpbml0cmFtZnMsIHNvIHRoZSBzdGFydHVwIHBvbGljeQorY29tcGlsZWQgaW50 byB0aGUga2VybmVsIHdpbGwgbmVlZCBzb21lIGZsZXhpYmlsaXR5IHRvIGV4cHJlc3MgaG93IHRy dXN0CitpcyBlc3RhYmxpc2hlZCBmb3IgdGhlIG5leHQgcGhhc2Ugb2YgdGhlIGJvb3R1cC4gVG8g dGhpcyBlbmQsIGlmIHdlIGp1c3QKK21ha2UgdGhlIGNvbXBpbGVkLWluIHBvbGljeSBhIGZ1bGwg SVBFIHBvbGljeSwgaXQgYWxsb3dzIHN5c3RlbSBidWlsZGVycwordG8gZXhwcmVzcyB0aGUgZmly c3Qgc3RhZ2UgYm9vdHVwIHJlcXVpcmVtZW50cyBhcHByb3ByaWF0ZWx5LgorCitVcGRhdGFibGUs IFJlYm9vdGxlc3MgUG9saWN5Cit+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+CisKK0FzIHJl cXVpcmVtZW50cyBjaGFuZ2Ugb3ZlciB0aW1lICh2dWxuZXJhYmlsaXRpZXMgYXJlIGZvdW5kIGlu IHByZXZpb3VzbHkKK3RydXN0ZWQgYXBwbGljYXRpb25zLCBrZXlzIHJvbGwsIGV0Y2V0ZXJhKS4g VXBkYXRpbmcgYSBrZXJuZWwgdG8gY2hhbmdlIHRoZQorbWVldCB0aG9zZSBzZWN1cml0eSBnb2Fs cyBpcyBub3QgYWx3YXlzIGEgc3VpdGFibGUgb3B0aW9uLCBhcyB1cGRhdGVzIGFyZSBub3QKK2Fs d2F5cyByaXNrLWZyZWUsIGFuZCBibG9ja2luZyBhIHNlY3VyaXR5IHVwZGF0ZSBsZWF2ZXMgc3lz dGVtcyB2dWxuZXJhYmxlLgorVGhpcyBtZWFucyBJUEUgcmVxdWlyZXMgYSBwb2xpY3kgdGhhdCBj YW4gYmUgY29tcGxldGVseSB1cGRhdGVkIChhbGxvd2luZworcmV2b2NhdGlvbnMgb2YgZXhpc3Rp bmcgcG9saWN5KSBmcm9tIGEgc291cmNlIGV4dGVybmFsIHRvIHRoZSBrZXJuZWwgKGFsbG93aW5n Citwb2xpY2llcyB0byBiZSB1cGRhdGVkIHdpdGhvdXQgdXBkYXRpbmcgdGhlIGtlcm5lbCkuCisK K0FkZGl0aW9uYWxseSwgc2luY2UgdGhlIGtlcm5lbCBpcyBzdGF0ZWxlc3MgYmV0d2VlbiBpbnZv Y2F0aW9ucywgYW5kIHJlYWRpbmcKK3BvbGljeSBmaWxlcyBvZmYgdGhlIGRpc2sgZnJvbSBrZXJu ZWwgc3BhY2UgaXMgYSBiYWQgaWRlYSh0bSksIHRoZW4gdGhlCitwb2xpY3kgdXBkYXRlcyBoYXZl IHRvIGJlIGRvbmUgcmVib290bGVzc2x5LgorCitUbyBhbGxvdyBhbiB1cGRhdGUgZnJvbSBhbiBl eHRlcm5hbCBzb3VyY2UsIGl0IGNvdWxkIGJlIHBvdGVudGlhbGx5IG1hbGljaW91cywKK3NvIHRo aXMgcG9saWN5IG5lZWRzIHRvIGhhdmUgYSB3YXkgdG8gYmUgaWRlbnRpZmllZCBhcyB0cnVzdGVk LiBUaGlzIGlzCitkb25lIHZpYSBhIHNpZ25hdHVyZSBjaGFpbmVkIHRvIGEgdHJ1c3Qgc291cmNl IGluIHRoZSBrZXJuZWwuIEFyYml0cmFyaWx5LAordGhpcyBpcyAgdGhlIGBgU1lTVEVNX1RSVVNU RURfS0VZUklOR2BgLCBhIGtleXJpbmcgdGhhdCBpcyBpbml0aWFsbHkKK3BvcHVsYXRlZCBhdCBr ZXJuZWwgY29tcGlsZS10aW1lLCBhcyB0aGlzIG1hdGNoZXMgdGhlIGV4cGVjdGF0aW9uIHRoYXQg dGhlCithdXRob3Igb2YgdGhlIGNvbXBpbGVkLWluIHBvbGljeSBkZXNjcmliZWQgYWJvdmUgaXMg dGhlIHNhbWUgZW50aXR5IHRoYXQgY2FuCitkZXBsb3kgcG9saWN5IHVwZGF0ZXMuCisKK0FudGkt Um9sbGJhY2sgLyBBbnRpLVJlcGxheQorfn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+CisKK092 ZXIgdGltZSwgdnVsbmVyYWJpbGl0aWVzIGFyZSBmb3VuZCBhbmQgdHJ1c3RlZCByZXNvdXJjZXMg bWF5IG5vdCBiZQordHJ1c3RlZCBhbnltb3JlLiBJUEUncyBwb2xpY3kgaGFzIG5vIGV4Y2VwdGlv biB0byB0aGlzLiBUaGVyZSBjYW4gYmUKK2luc3RhbmNlcyB3aGVyZSBhIG1pc3Rha2VuIHBvbGlj eSBhdXRob3IgZGVwbG95cyBhbiBpbnNlY3VyZSBwb2xpY3ksCitiZWZvcmUgY29ycmVjdGluZyBp dCB3aXRoIGEgc2VjdXJlIHBvbGljeS4KKworQXNzdW1pbmcgdGhhdCBhcyBzb29uIGFzIHRoZSBp bnNlY3VyZSBwb2xpY3kgaXMgc2lnbmVkLCBhbmQgYW4gYXR0YWNrZXIKK2FjcXVpcmVzIHRoZSBp bnNlY3VyZSBwb2xpY3ksIElQRSBuZWVkcyBhIHdheSB0byBwcmV2ZW50IHJvbGxiYWNrCitmcm9t IHRoZSBzZWN1cmUgcG9saWN5IHVwZGF0ZSB0byB0aGUgaW5zZWN1cmUgcG9saWN5IHVwZGF0ZS4K KworSW5pdGlhbGx5LCBJUEUncyBwb2xpY3kgY2FuIGhhdmUgYSBwb2xpY3lfdmVyc2lvbiB0aGF0 IHN0YXRlcyB0aGUKK21pbmltdW0gcmVxdWlyZWQgdmVyc2lvbiBhY3Jvc3MgYWxsIHBvbGljaWVz IHRoYXQgY2FuIGJlIGFjdGl2ZSBvbgordGhlIHN5c3RlbS4gVGhpcyB3aWxsIHByZXZlbnQgcm9s bGJhY2sgd2hpbGUgdGhlIHN5c3RlbSBpcyBsaXZlLgorCisuLiBXQVJOSU5HOjoKKworICBIb3dl dmVyLCBzaW5jZSB0aGUga2VybmVsIGlzIHN0YXRlbGVzcyBhY3Jvc3MgYm9vdHMsIHRoaXMgcG9s aWN5CisgIHZlcnNpb24gd2lsbCBiZSByZXNldCB0byAwLjAuMCBvbiB0aGUgbmV4dCBib290LiBT eXN0ZW0gYnVpbGRlcnMKKyAgbmVlZCB0byBiZSBhd2FyZSBvZiB0aGlzLCBhbmQgZW5zdXJlIHRo ZSBuZXcgc2VjdXJlIHBvbGljaWVzIGFyZQorICBkZXBsb3llZCBBU0FQIGFmdGVyIGEgYm9vdCB0 byBlbnN1cmUgdGhhdCB0aGUgd2luZG93IG9mCisgIG9wcG9ydHVuaXR5IGlzIG1pbmltYWwgZm9y IGFuIGF0dGFja2VyIHRvIGRlcGxveSB0aGUgaW5zZWN1cmUgcG9saWN5LgorCitJbXBsaWNpdCBB Y3Rpb25zOgorfn5+fn5+fn5+fn5+fn5+fn4KKworVGhlIGlzc3VlIG9mIGltcGljaXQgYWN0aW9u cyBvbmx5IGJlY29tZXMgdmlzaWJsZSB3aGVuIHlvdSBjb25zaWRlcgorYSBtaXhlZCBsZXZlbCBv ZiBzZWN1cml0eSBiYXJzIGFjcm9zcyBtdWx0aXBsZSBvcGVyYXRpb25zIGluIGEgc3lzdGVtLgor Rm9yIGV4YW1wbGUsIGNvbnNpZGVyIGEgc3lzdGVtIHRoYXQgaGFzIHN0cm9uZyBpbnRlZ3JpdHkg Z3VhcmFudGVlcworb3ZlciBib3RoIHRoZSBleGVjdXRhYmxlIGNvZGUsIGFuZCBzcGVjaWZpYyAq ZGF0YSBmaWxlcyogb24gdGhlIHN5c3RlbSwKK3RoYXQgd2VyZSBjcml0aWNhbCB0byBpdHMgZnVu Y3Rpb24uIEluIHRoaXMgc3lzdGVtLCB0aHJlZSB0eXBlcyBvZiBwb2xpY2llcworYXJlIHBvc3Np YmxlOgorCisgIDEuIEEgcG9saWN5IGluIHdoaWNoIGZhaWx1cmUgdG8gbWF0Y2ggYW55IHJ1bGVz IGluIHRoZSBwb2xpY3kgcmVzdWx0cworICAgICBpbiB0aGUgYWN0aW9uIGJlaW5nIGRlbmllZC4K KyAgMi4gQSBwb2xpY3kgaW4gd2hpY2ggZmFpbHVyZSB0byBtYXRjaCBhbnkgcnVsZXMgaW4gdGhl IHBvbGljeSByZXN1bHRzCisgICAgIGluIHRoZSBhY3Rpb24gYmVpbmcgYWxsb3dlZC4KKyAgMy4g QSBwb2xpY3kgaW4gd2hpY2ggdGhlIGFjdGlvbiB0YWtlbiB3aGVuIG5vIHJ1bGVzIGFyZSBtYXRj aGVkIGlzCisgICAgIHNwZWNpZmllZCBieSB0aGUgcG9saWN5IGF1dGhvci4KKworVGhlIGZpcnN0 IG9wdGlvbiBjb3VsZCBtYWtlIGEgcG9saWN5IGxpa2UgdGhpczo6CisKKyAgb3A9RVhFQ1VURSBp bnRlZ3JpdHlfdmVyaWZpZWQ9WUVTIGFjdGlvbj1BTExPVworCitJbiB0aGUgZXhhbXBsZSBzeXN0 ZW0sIHRoaXMgd29ya3Mgd2VsbCBmb3IgdGhlIGV4ZWN1dGFibGVzLCBhcyBhbGwKK2V4ZWN1dGFi bGVzIHNob3VsZCBoYXZlIGludGVncml0eSBndWFyYW50ZWVzLCB3aXRob3V0IGV4Y2VwdGlvbi4g VGhlCitpc3N1ZSBiZWNvbWVzIHdpdGggdGhlIHNlY29uZCByZXF1aXJlbWVudCBhYm91dCBzcGVj aWZpYyBkYXRhIGZpbGVzLgorVGhpcyB3b3VsZCByZXN1bHQgaW4gYSBwb2xpY3kgbGlrZSB0aGlz IChhc3N1bWluZyBlYWNoIGxpbmUgaXMKK2V2YWx1YXRlZCBpbiBvcmRlcik6OgorCisgIG9wPUVY RUNVVEUgaW50ZWdyaXR5X3ZlcmlmaWVkPVlFUyBhY3Rpb249QUxMT1cKKworICBvcD1SRUFEIGlu dGVncml0eV92ZXJpZmllZD1OTyBsYWJlbD1jcml0aWNhbF90IGFjdGlvbj1ERU5ZCisgIG9wPVJF QUQgYWN0aW9uPUFMTE9XCisKK1RoaXMgaXMgc29tZXdoYXQgY2xlYXIgaWYgeW91IHJlYWQgdGhl IGRvY3MsIHVuZGVyc3RhbmQgdGhlIHBvbGljeQoraXMgZXhlY3V0ZWQgaW4gb3JkZXIgYW5kIHRo YXQgdGhlIGRlZmF1bHQgaXMgYSBkZW5pYWw7IGhvd2V2ZXIsIHRoZQorbGFzdCBsaW5lIGVmZmVj dGl2ZWx5IGNoYW5nZXMgdGhhdCBkZWZhdWx0IHRvIGFuIEFMTE9XLiBUaGlzIGlzCityZXF1aXJl ZCwgYmVjYXVzZSBpbiBhIHJlYWxpc3RpYyBzeXN0ZW0sIHRoZXJlIGFyZSBzb21lIHVudmVyaWZp ZWQKK3JlYWRzIChpbWFnaW5lIGFwcGVuZGluZyB0byBhIGxvZyBmaWxlKS4KKworVGhlIHNlY29u ZCBvcHRpb24sIG1hdGNoaW5nIG5vIHJ1bGVzIHJlc3VsdHMgaW4gYW4gYWxsb3csIGlzIGNsZWFy ZXIKK2ZvciB0aGUgc3BlY2lmaWMgZGF0YSBmaWxlczo6CisKKyAgb3A9UkVBRCBpbnRlZ3JpdHlf dmVyaWZpZWQ9Tk8gbGFiZWw9Y3JpdGljYWxfdCBhY3Rpb249REVOWQorCitBbmQsIGxpa2UgdGhl IGZpcnN0IG9wdGlvbiwgZmFsbHMgc2hvcnQgd2l0aCB0aGUgb3Bwb3NpdGUgc2NlbmFyaW8sCitl ZmZlY3RpdmVseSBuZWVkaW5nIHRvIG92ZXJyaWRlIHRoZSBkZWZhdWx0OjoKKworICBvcD1FWEVD VVRFIGludGVncml0eV92ZXJpZmllZD1ZRVMgYWN0aW9uPUFMTE9XCisgIG9wPUVYRUNVVEUgYWN0 aW9uPURFTlkKKworICBvcD1SRUFEIGludGVncml0eV92ZXJpZmllZD1OTyBsYWJlbD1jcml0aWNh bF90IGFjdGlvbj1ERU5ZCisKK1RoaXMgbGVhdmVzIHRoZSB0aGlyZCBvcHRpb24uIEluc3RlYWQg b2YgbWFraW5nIHVzZXJzIGJlIGNsZXZlcgorYW5kIG92ZXJyaWRlIHRoZSBkZWZhdWx0IHdpdGgg YW4gZW1wdHkgcnVsZSwgZm9yY2UgdGhlIGVuZC11c2VyCit0byBjb25zaWRlciB3aGF0IHRoZSBh cHByb3ByaWF0ZSBkZWZhdWx0IHNob3VsZCBiZSBmb3IgdGhlaXIKK3NjZW5hcmlvIGFuZCBleHBs aWNpdGx5IHN0YXRlIGl0OjoKKworICBERUZBVUxUIG9wPUVYRUNVVEUgYWN0aW9uPURFTlkKKyAg b3A9RVhFQ1VURSBpbnRlZ3JpdHlfdmVyaWZpZWQ9WUVTIGFjdGlvbj1BTExPVworCisgIERFRkFV TFQgb3A9UkVBRCBhY3Rpb249QUxMT1cKKyAgb3A9UkVBRCBpbnRlZ3JpdHlfdmVyaWZpZWQ9Tk8g bGFiZWw9Y3JpdGljYWxfdCBhY3Rpb249REVOWQorCitQb2xpY3kgRGVidWdnaW5nOgorfn5+fn5+ fn5+fn5+fn5+fn4KKworV2hlbiBkZXZlbG9waW5nIGEgcG9saWN5LCBpdCBpcyB1c2VmdWwgdG8g a25vdyB3aGF0IGxpbmUgb2YgdGhlIHBvbGljeQoraXMgYmVpbmcgdmlvbGF0ZWQgdG8gcmVkdWNl IGRlYnVnZ2luZyBjb3N0czsgbmFycm93aW5nIHRoZSBzY29wZSBvZiB0aGUKK2ludmVzdGlnYXRp b24gdG8gdGhlIGV4YWN0IGxpbmUgdGhhdCByZXN1bHRlZCBpbiB0aGUgYWN0aW9uLiBTb21lIGlu dGVncml0eQorcG9saWN5IHN5c3RlbXMgZG8gbm90IHByb3ZpZGUgdGhpcyBpbmZvcm1hdGlvbiwg aW5zdGVhZCBwcm92aWRpbmcgdGhlCitpbmZvcm1hdGlvbiB0aGF0IHdhcyB1c2VkIGluIHRoZSBl dmFsdWF0aW9uLiBUaGlzIHRoZW4gcmVxdWlyZXMgYSBjb3JyZWxhdGlvbgord2l0aCB0aGUgcG9s aWN5IHRvIGV2YWx1YXRlIHdoYXQgd2VudCB3cm9uZy4KKworSW5zdGVhZCwgSVBFIGp1c3QgZW1p dHMgdGhlIHJ1bGUgdGhhdCB3YXMgbWF0Y2hlZC4gVGhpcyBsaW1pdHMgdGhlIHNjb3BlCitvZiB0 aGUgaW52ZXN0aWdhdGlvbiB0byB0aGUgZXhhY3QgcG9saWN5IGxpbmUgKGluIHRoZSBjYXNlIG9m IGEgc3BlY2lmaWMKK3J1bGUpLCBvciB0aGUgc2VjdGlvbiAoaW4gdGhlIGNhc2Ugb2YgYSBERUZB VUxUKS4gVGhpcyBkZWNyZWFzZXMgaXRlcmF0aW9uCithbmQgaW52ZXN0aWdhdGlvbiB0aW1lcyB3 aGVuIHBvbGljeSBmYWlsdXJlcyBhcmUgb2JzZXJ2ZWQgd2hpbGUgZXZhbHVhdGluZworcG9saWNp ZXMuCisKK0lQRSdzIHBvbGljeSBlbmdpbmUgaXMgYWxzbyBkZXNpZ25lZCBpbiBhIHdheSB0aGF0 IGl0IG1ha2VzIGl0IG9idmlvdXMgdG8KK2EgaHVtYW4gb2YgaG93IHRvIGludmVzdGlnYXRlIGEg cG9saWN5IGZhaWx1cmUuIEVhY2ggbGluZSBpcyBldmFsdWF0ZWQgaW4KK3RoZSBzZXF1ZW5jZSB0 aGF0IGlzIHdyaXR0ZW4sIHNvIHRoZSBhbGdvcml0aG0gaXMgdmVyeSBzaW1wbGUgdG8gZm9sbG93 Citmb3IgaHVtYW5zIHRvIHJlY3JlYXRlIHRoZSBzdGVwcyBhbmQgY291bGQgaGF2ZSBjYXVzZWQg dGhlIGZhaWx1cmUuIEluIG90aGVyCitzdXJ2ZXllZCBzeXN0ZW1zLCBvcHRpbWl6YXRpb25zIG9j Y3VyIChzb3J0aW5nIHJ1bGVzLCBmb3IgaW5zdGFuY2UpIHdoZW4gbG9hZGluZwordGhlIHBvbGlj eS4gSW4gdGhvc2Ugc3lzdGVtcywgaXQgcmVxdWlyZXMgbXVsdGlwbGUgc3RlcHMgdG8gZGVidWcs IGFuZCB0aGUKK2FsZ29yaXRobSBtYXkgbm90IGFsd2F5cyBiZSBjbGVhciB0byB0aGUgZW5kLXVz ZXIgd2l0aG91dCByZWFkaW5nIHRoZSBjb2RlIGZpcnN0LgorCitTaW1wbGlmaWVkIFBvbGljeToK K35+fn5+fn5+fn5+fn5+fn5+fgorCitGaW5hbGx5LCBJUEUncyBwb2xpY3kgaXMgZGVzaWduZWQg Zm9yIHN5c2FkbWlucywgbm90IGtlcm5lbCBkZXZlbG9wZXJzLiBJbnN0ZWFkCitvZiBjb3Zlcmlu ZyBpbmRpdmlkdWFsIExTTSBob29rcyAob3Igc3lzY2FsbHMpLCBJUEUgY292ZXJzIG9wZXJhdGlv bnMuIFRoaXMgbWVhbnMKK2luc3RlYWQgb2Ygc3lzYWRtaW5zIG5lZWRpbmcgdG8ga25vdyB0aGF0 IHRoZSBzeXNjYWxscyBgYG1tYXBgYCwgYGBtcHJvdGVjdGBgLAorYGBleGVjdmVgYCwgYW5kIGBg dXNlbGliYGAgbXVzdCBoYXZlIHJ1bGVzIHByb3RlY3RpbmcgdGhlbSwgdGhleSBtdXN0IHNpbXBs ZSBrbm93Cit0aGF0IHRoZXkgd2FudCB0byByZXN0cmljdCBjb2RlIGV4ZWN1dGlvbi4gVGhpcyBs aW1pdHMgdGhlIGFtb3VudCBvZiBieXBhc3NlcyB0aGF0Citjb3VsZCBvY2N1ciBkdWUgdG8gYSBs YWNrIG9mIGtub3dsZWRnZSBvZiB0aGUgdW5kZXJseWluZyBzeXN0ZW07IHdoZXJlYXMgdGhlCitt YWludGFpbmVycyBvZiBJUEUsIGJlaW5nIGtlcm5lbCBkZXZlbG9wZXJzIGNhbiBtYWtlIHRoZSBj b3JyZWN0IGNob2ljZSB0byBkZXRlcm1pbmUKK3doZXRoZXIgc29tZXRoaW5nIG1hcHMgdG8gdGhl c2Ugb3BlcmF0aW9ucywgYW5kIHVuZGVyIHdoYXQgY29uZGl0aW9ucy4KKworSW1wbGVtZW50YXRp b24gTm90ZXMKKy0tLS0tLS0tLS0tLS0tLS0tLS0tCisKK0Fub255bW91cyBNZW1vcnkKK35+fn5+ fn5+fn5+fn5+fn4KKworQW5vbnltb3VzIG1lbW9yeSBpc24ndCB0cmVhdGVkIGFueSBkaWZmZXJl bnRseSBmcm9tIGFueSBvdGhlciBhY2Nlc3MgaW4gSVBFLgorV2hlbiBhbm9ueW1vdXMgbWVtb3J5 IGlzIG1hcHBlZCB3aXRoIGBgK1hgYCwgaXQgc3RpbGwgY29tZXMgaW50byB0aGUgYGBmaWxlX21t YXBgYAorb3IgYGBmaWxlX21wcm90ZWN0YGAgaG9vaywgYnV0IHdpdGggYSBgYE5VTExgYCBmaWxl IG9iamVjdC4gVGhpcyBpcyBzdWJtaXR0ZWQgdG8KK3RoZSBldmFsdWF0aW9uLCBsaWtlIGFueSBv dGhlciBmaWxlLCBob3dldmVyLCBhbGwgY3VycmVudCB0cnVzdCBtZWNoYW5pc21zIHdpbGwKK3Jl dHVybiBmYWxzZSBhcyB0aGVyZSBpcyBub3RoaW5nIHRvIGV2YWx1YXRlLiBUaGlzIG1lYW5zIGFu b255bW91cyBtZW1vcnkKK2V4ZWN1dGlvbiBpcyBzdWJqZWN0IHRvIHdoYXRldmVyIHRoZSBgYERF RkFVTFRgYCBpcyBmb3IgYGBFWEVDVVRFYGAuCisKKy4uIFdBUk5JTkc6OgorCisgIFRoaXMgYWxz byBvY2N1cnMgd2l0aCB0aGUgYGBrZXJuZWxfbG9hZF9kYXRhYGAgaG9vaywgd2hpY2ggaXMgdXNl ZCBieSBzaWduZWQKKyAgYW5kIGNvbXByZXNzZWQga2VybmVsIG1vZHVsZXMuIFVzaW5nIHNpZ25l ZCBhbmQgY29tcHJlc3NlZCBrZXJuZWwgbW9kdWxlcyB3aXRoCisgIElQRSB3aWxsIGFsd2F5cyBy ZXN1bHQgaW4gdGhlIGBgREVGQVVMVGBgIGFjdGlvbiBmb3IgYGBLTU9EVUxFYGAuCisKK1NlY3Vy aXR5ZnMgSW50ZXJmYWNlCit+fn5+fn5+fn5+fn5+fn5+fn5+fgorCitUaGUgcGVyLXBvbGljeSBz ZWN1cml0eWZzIHRyZWUgaXMgc29tZXdoYXQgdW5pcXVlLiBGb3IgZXhhbXBsZSwgZm9yCithIHN0 YW5kYXJkIHNlY3VyaXR5ZnMgcG9saWN5IHRyZWU6OgorCisgIE15UG9saWN5CisgICAgfC0gYWN0 aXZlCisgICAgfC0gZGVsZXRlCisgICAgfC0gbmFtZQorICAgIHwtIHBrY3M3CisgICAgfC0gcG9s aWN5CisgICAgfC0gdXBkYXRlCisgICAgfC0gdmVyc2lvbgorCitUaGUgcG9saWN5IGlzIHN0b3Jl ZCBpbiB0aGUgYGAtPmlfcHJpdmF0ZWBgIGRhdGEgb2YgdGhlIE15UG9saWN5IGlub2RlLgorCitU ZXN0cworLS0tLS0KKworSVBFIGhhcyBLVW5pdCBUZXN0cywgdGVzdGluZyBwcmltYXJpbHkgdGhl IHBhcnNlci4gSW4gYWRkaXRpb24sIElQRSBoYXMgYQorcHl0aG9uIGJhc2VkIGludGVncmF0aW9u IHRlc3Qgc3VpdHMgdGhhdCBjYW4gdGVzdCBib3RoIHVzZXIgaW50ZXJmYWNlcyBhbmQKK2VuZm9y Y2VtZW50IGZ1bmN0aW9uYWxpdGllcy4KZGlmZiAtLWdpdCBhL01BSU5UQUlORVJTIGIvTUFJTlRB SU5FUlMKaW5kZXggMThiMWFlZWE2MzA2Li5jNjJkNTQ2YmFmMDAgMTAwNjQ0Ci0tLSBhL01BSU5U QUlORVJTCisrKyBiL01BSU5UQUlORVJTCkBAIC0xMDM5NCw2ICsxMDM5NCw4IEBAIE06CUZhbiBX dSA8d3VmYW5AbGludXgubWljcm9zb2Z0LmNvbT4KIEw6CWxpbnV4LXNlY3VyaXR5LW1vZHVsZUB2 Z2VyLmtlcm5lbC5vcmcKIFM6CVN1cHBvcnRlZAogVDoJZ2l0IGh0dHBzOi8vZ2l0aHViLmNvbS9t aWNyb3NvZnQvaXBlLmdpdAorRjoJRG9jdW1lbnRhdGlvbi9hZG1pbi1ndWlkZS9MU00vaXBlLnJz dAorRjoJRG9jdW1lbnRhdGlvbi9zZWN1cml0eS9pcGUucnN0CiBGOglzY3JpcHRzL2lwZS8KIEY6 CXNlY3VyaXR5L2lwZS8KIAotLSAKMi4yNS4xCgotLQpkbS1kZXZlbCBtYWlsaW5nIGxpc3QKZG0t ZGV2ZWxAcmVkaGF0LmNvbQpodHRwczovL2xpc3RtYW4ucmVkaGF0LmNvbS9tYWlsbWFuL2xpc3Rp bmZvL2RtLWRldmVsCg==