Date: Mon, 2 Jul 2018 10:51:58 -0400
From: Konrad Rzeszutek Wilk
Subject: [MODERATED] Re: [PATCH 1/1 v4] Linux patch #1
Message-ID: <20180702145158.GA4474@char.US.ORACLE.com>
To: speck@linutronix.de

..snip..

> What should be done next on top of this:
> - once Paolo's/Konrad's KVM bits land in the tree, they should
> look at the currently active mitigation setting and decide about
> doing L1D flushes based on that

I would say the inverse. That is, this patch should be on top of the kvm pile as it simplifies it a bit. But anyhow, I got a couple of inputs that were raised when I posted the patch for KVM for the warning.

> - sysfs toggling can also be added later on top
>
>
> Documentation/admin-guide/kernel-parameters.txt | 18 ++++++++
> arch/x86/Kconfig | 18 ++++++++
> arch/x86/include/asm/processor.h | 7 ++++
> arch/x86/kernel/cpu/bugs.c | 56 +++++++++++++++++++++++--
> arch/x86/kvm/vmx.c | 19 +++++++++
> include/linux/cpu.h | 2 +
> kernel/cpu.c | 9 +++-
> 7 files changed, 124 insertions(+), 5 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 8e29c4b6756f..5dc277555ea6 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1971,6 +1971,24 @@ > feature (tagged TLBs) on capable Intel chips. > Default is 1 (enabled) > > + l1tf= [X86] Control mitigation of L1TF vulnerability on the > + affected CPUs > + full Provide all available mitigations for L1TF > + vulnerability (disable HT, perform PTE bit > + inversion, allow hypervisors to know that > + they should provide all mitigations) > + novirt Provide all available mitigations needed > + for running on bare metal (PTE bit inversion), > + while not applying mitigations needed for > + VM isolation. Hypervisors will be issuing > + warning when first VM is being started in > + pontentially insecure configuraion > + off Claim "I don't care at all about this issue". > + The PTE bit inversion (bare metal mitigation) will > + still be performed, but hypervisors will not be > + issuing warning when VM is being started in > + potentially insecure configuration > + > l2cr= [PPC] > > l3cr= [PPC] > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 7a34fdf8daf0..a5231a0812e3 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -2390,6 +2390,24 @@ config MODIFY_LDT_SYSCALL > surface. Disabling it removes the modify_ldt(2) system call. > > Saying 'N' here may make sense for embedded or server kernels. > +choice > + prompt "Default L1TF mitigation" > + default L1TF_MITIGATION_NOVIRT > + help > + Define what the default behavior for selecting mitigation on > + CPUs affected by L1TF should be. The default can be overrided > + on the kernel command-line. Refer to > + > + > +config L1TF_MITIGATION_FULL > + bool "Full available L1TF mitigation" > +config L1TF_MITIGATION_NOVIRT > + bool "Use L1TF bare metal mitigations only" > +config L1TF_MITIGATION_OFF > + bool "Ignore L1TF issue" > + > +endchoice > + > > source "kernel/livepatch/Kconfig" > > diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h > index 7e3ac5eedcd6..05471c590964 100644 > --- a/arch/x86/include/asm/processor.h 
> +++ b/arch/x86/include/asm/processor.h > @@ -982,4 +982,11 @@ bool xen_set_default_idle(void); > void stop_this_cpu(void *dummy); > void df_debug(struct pt_regs *regs, long error_code); > void microcode_check(void); > + > +enum l1tf_mitigations { > + L1TF_MITIGATION_OFF, > + L1TF_MITIGATION_NOVIRT, > + L1TF_MITIGATION_FULL > +}; > +enum l1tf_mitigations get_l1tf_mitigation(void); > #endif /* _ASM_X86_PROCESSOR_H */ > diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c > index 50500cea6eba..9aa8b94334d5 100644 > --- a/arch/x86/kernel/cpu/bugs.c > +++ b/arch/x86/kernel/cpu/bugs.c > @@ -657,6 +657,23 @@ void x86_spec_ctrl_setup_ap(void) > > #undef pr_fmt > #define pr_fmt(fmt) "L1TF: " fmt > +/* Default mitigation for L1TF-affected CPUs */ > +static int l1tf_mitigation = > +#ifdef CONFIG_L1TF_MITIGATION_FULL > + L1TF_MITIGATION_NOVIRT; > +#endif > +#ifdef CONFIG_L1TF_MITIGATION_NOVIRT > + L1TF_MITIGATION_NOVIRT; > +#endif > +#ifdef CONFIG_L1TF_MITIGATION_OFF > + L1TF_MITIGATION_OFF; > +#endif > +enum l1tf_mitigations get_l1tf_mitigation(void) > +{ > + return l1tf_mitigation; > +} > +EXPORT_SYMBOL(get_l1tf_mitigation); > + > static void __init l1tf_select_mitigation(void) > { > u64 half_pa; > @@ -664,6 +681,15 @@ static void __init l1tf_select_mitigation(void) > if (!boot_cpu_has_bug(X86_BUG_L1TF)) > return; > > + switch (get_l1tf_mitigation()) { > + case L1TF_MITIGATION_FULL: > + cpu_smt_disable(true); > + break; > + case L1TF_MITIGATION_OFF: > + case L1TF_MITIGATION_NOVIRT: > + break; > + } > + > #if CONFIG_PGTABLE_LEVELS == 2 > pr_warn("Kernel not compiled for PAE. No mitigation for L1TF\n"); > return; 
> @@ -682,10 +708,36 @@ static void __init l1tf_select_mitigation(void) > > setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV); > } > + > +static int __init l1tf_cmdline(char *str) > +{ > + if (!boot_cpu_has_bug(X86_BUG_L1TF)) > + return 0; > + > + if (!str) > + return 0; > + > + if (!strcmp(str, "full")) > + l1tf_mitigation = L1TF_MITIGATION_FULL; > + else if (!strcmp(str, "novirt")) > + l1tf_mitigation = L1TF_MITIGATION_NOVIRT; > + else if (!strcmp(str, "off")) > + l1tf_mitigation = L1TF_MITIGATION_OFF; > + > + return 0; > +} > +early_param("l1tf", l1tf_cmdline); > + > #undef pr_fmt > > #ifdef CONFIG_SYSFS > > +static const char *l1tf_states[] = { > + [L1TF_MITIGATION_FULL] = "Mitigation: Full", > + [L1TF_MITIGATION_NOVIRT] = "Mitigation: Page Table Inversion", > + [L1TF_MITIGATION_OFF] = "Mitigation: Page Table Inversion" > +}; > + > static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr, > char *buf, unsigned int bug) > { > @@ -712,9 +764,7 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr > return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); > > case X86_BUG_L1TF: > - if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV)) > - return sprintf(buf, "Mitigation: Page Table Inversion\n"); > - break; > + return sprintf(buf, "%s\n", l1tf_states[get_l1tf_mitigation()]); > > default: > break; > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c > index 559a12b6184d..8a5921ad38e2 100644 > --- a/arch/x86/kvm/vmx.c > +++ b/arch/x86/kvm/vmx.c 
> @@ -10370,10 +10370,29 @@ static struct kvm_vcpu *vmx_create_vcpu(struct kvm *kvm, unsigned int id) > return ERR_PTR(err); > } > > +#define L1TF_MSG_NOVIRT "kvm: L1TF CPU bug present and virtualization mitigation disabled. Refer to CVE-2018-3620 for details.\n" > +#define L1TF_MSG_FULL "kvm: L1TF CPU bug present and KVM lacks support for L1D flushes. Refer to CVE-2018-3620 for details.\n" > static int vmx_vm_init(struct kvm *kvm) This should be in a different function - when the guest is created/started. > { > if (!ple_gap) > kvm->arch.pause_in_guest = true; > + if (boot_cpu_has(X86_BUG_L1TF)) { > + switch (get_l1tf_mitigation()) { > + case L1TF_MITIGATION_OFF: > + break; > + case L1TF_MITIGATION_NOVIRT: > + printk_once (KERN_ERR L1TF_MSG_NOVIRT); Linus/Paolo/etc mentioned that it should be WARN not ERR unless you really want to enforce it in which case it should an error and fail the creation of the guest. Not sure if this patch does that? > + break; > + case L1TF_MITIGATION_FULL: > + /* > + * FIXME: once L1D flushes are implemented for > + * VMX, this will go away and L1TF_MITIGATION_FULL > + * would imply L1D flushing being turned on Missing stop. > + */ > + printk_once (KERN_ERR L1TF_MSG_FULL); But more importantly, I think you are missing the check to see .. why not just rebase this on top of the kvm/pile. Then you already have the right CPU bits. Attaching the bundle I had sent to Thomas. 
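Review bot: in the kernel-parameters.txt hunk, the `novirt` entry of `l1tf=` contains two typos, `pontentially insecure configuraion` should read `potentially insecure configuration` (the `off` entry below it already spells the same phrase correctly, so the two should match). Both the `novirt` and `off` entries also read `Hypervisors will be issuing warning when ...`; `Hypervisors will issue a warning when ...` is the usual phrasing for this file.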
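Review bot: the help text of the `Default L1TF mitigation` choice in the Kconfig hunk ends with a dangling `Refer to` followed by two empty `+` lines, so the sentence is incomplete; either point it at the `l1tf=` entry in Documentation/admin-guide/kernel-parameters.txt or drop it. `overrided` should be `overridden`. Style: there is no blank line between the end of the MODIFY_LDT_SYSCALL help text (`Saying 'N' here may make sense ...`) and `+choice`, while `+endchoice` is followed by two blank lines; one blank line on each side keeps the file consistent. The three `config L1TF_MITIGATION_*` entries carry no help text, so the menu shows only the prompt strings.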
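Review bot: the default initialiser in the first bugs.c hunk (`@@ -657,6 +657,23 @@`) is wrong for the FULL case: under `#ifdef CONFIG_L1TF_MITIGATION_FULL` it assigns `L1TF_MITIGATION_NOVIRT;` instead of `L1TF_MITIGATION_FULL;`, so a kernel whose Kconfig default is the full mitigation boots with `novirt` behaviour (no SMT disable) unless `l1tf=full` is also given on the command line. The three independent `#ifdef` blocks should be an `#if`/`#elif`/`#else` chain; as written, any configuration in which none of the three symbols is set leaves `static int l1tf_mitigation =` without an initialiser and the file fails to compile. Declaring the variable as `enum l1tf_mitigations` rather than `int` matches the return type of `get_l1tf_mitigation()` and lets the compiler check the `switch` statements for missing cases. `EXPORT_SYMBOL_GPL` rather than `EXPORT_SYMBOL` is customary for a new arch-internal helper exported only for KVM.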
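Review bot: in the second bugs.c hunk (`@@ -664,6 +681,15 @@`) the new `switch` runs before the `#if CONFIG_PGTABLE_LEVELS == 2` early return, so on a non-PAE kernel `L1TF_MITIGATION_FULL` disables SMT and the function then prints `Kernel not compiled for PAE. No mitigation for L1TF` and returns. If disabling SMT regardless of PTE inversion is intended, a comment saying so would help, and the sysfs hunk further down has to take this state into account. The `cpu_smt_disable(true)` call also leaves no trace in the log; a `pr_info()` stating that SMT was disabled because of L1TF is what administrators will look for in dmesg.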
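Review bot: `l1tf_cmdline()` in the third bugs.c hunk (`@@ -682,10 +708,36 @@`) silently ignores any value other than `full`, `novirt` or `off`, so a mistyped `l1tf=` leaves the Kconfig default in place with no message; a trailing `else` with `pr_err("unknown option '%s'\n", str)` would surface that. In `l1tf_states[]`, `L1TF_MITIGATION_NOVIRT` and `L1TF_MITIGATION_OFF` map to the identical string `Mitigation: Page Table Inversion`, so sysfs cannot tell an administrator that hypervisor warnings have been switched off; the two strings should differ, or the `off` entry should say that the virtualization warning is disabled.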
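Review bot: removing the `boot_cpu_has(X86_FEATURE_L1TF_PTEINV)` test in the `cpu_show_common()` hunk (`@@ -712,9 +764,7 @@`) changes what sysfs reports on kernels where `l1tf_select_mitigation()` returns early: the `CONFIG_PGTABLE_LEVELS == 2` path warns `No mitigation for L1TF` and never reaches `setup_force_cpu_cap(X86_FEATURE_L1TF_PTEINV)`, yet the file now prints `Mitigation: Page Table Inversion` (or `Mitigation: Full`) although no PTE inversion is in place. Keep the feature check and fall through to the existing `break` when it is absent, e.g. `if (boot_cpu_has(X86_FEATURE_L1TF_PTEINV))` / `return sprintf(buf, "%s\n", l1tf_states[get_l1tf_mitigation()]);` / `break;`.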
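Review bot: in the vmx.c hunk, `printk_once (KERN_ERR ...)` has a space before the opening parenthesis at both call sites, which checkpatch flags; `pr_err_once()` is the usual spelling. The two `#define L1TF_MSG_*` strings are used only inside `vmx_vm_init()`, so they could be plain literals in the calls or at least sit next to the function with a comment. The FIXME block comment's last line (`would imply L1D flushing being turned on`) lacks a full stop, as already noted inline. The quoted portion ends inside the `switch` without the hunk's closing braces or trailing context, so the end of `vmx_vm_init()` cannot be reviewed here.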
[Attachment: kvm.l1tf.v5.rc2.bundle (application/octet-stream, base64-encoded git bundle omitted)]