From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f174.google.com (mail-pf1-f174.google.com [209.85.210.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2C168155338 for ; Mon, 22 Apr 2024 19:06:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.174 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713812761; cv=none; b=rlWw+i35eyKJ/Cjo3OXTGejpQ3j5bnYNzTWAt+Ff4YCEErOap3+GzmrQBsBHvRoyrkgyFmhYEs+qRkYapmj6YXXiSAv+q8JoOX/Er2yf2sA4cWBF9wBYdF6zSEivEZzR9r1nvVQiz21LjNdWCWEJGPVoqdnwYAw7cAUxmj2RkbY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713812761; c=relaxed/simple; bh=wsHaXBjTA7hCRyjHqUrFEB/n+csR/RFsdQXajUpDcwc=; h=From:To:Cc:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type; b=lrY8ugzF0MckID0AV1J9svQ1cpP1Oj/ag3NDaqyoCoH6RH3Sd5dvGjFjXLtd9CG11kQuTIpoxDr2hoblSJY0PwKpWZoI1bHhQE8NOL7YEmm8AIF62qVIEJ223Kly03+btt46P/x90qZ/EsCwlMYcmz2CSu1ry2tev1/6fYvKGQM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com; spf=pass smtp.mailfrom=googlemail.com; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b=NgS9WYjn; arc=none smtp.client-ip=209.85.210.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=googlemail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=googlemail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="NgS9WYjn" Received: by mail-pf1-f174.google.com with SMTP id d2e1a72fcca58-6edc61d0ff6so4783269b3a.2 for ; Mon, 22 Apr 2024 12:05:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1713812759; x=1714417559; darn=vger.kernel.org; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=yNds/3XriKnoMzKRIOjk4mym3GCRF/+b+SL9UQdmBcA=; b=NgS9WYjny5+S/uD0/Vnxs2qWsdSwouSBIdWgL+vD6iUHxuUUA61MSNiTS5cMnLPsUh 308D2VGjXSu/0KrnMvmJ/4RvLWnaj9gzNKZlhPYVcQFupPzVkt/YNrn/STE86DSjrzSF pBfb77aEhfSVeJxPtEAmbraOhG0yWu/yCPfJIHEHpysjP/UflSHZRNhOgiUcVZ56L32D Twhhd4wZA3QFOBxBrd361z/uTRF9yvMvH6nLDaM5imPXple6bAHFkdFH2LDy3M594aRG 0Z0KiAPtPbdBhXJ0vUmVu4Sw8mxl663B8NrqCi3ndL90hNlQTB8jpICToX/VVEu3rDmt aCdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713812759; x=1714417559; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=yNds/3XriKnoMzKRIOjk4mym3GCRF/+b+SL9UQdmBcA=; b=nKq5N0PcgmVjEr1J1xvW1MmPyyP6veCj7H+ko2rcJXeKcbjXkqZ5OucWnQkSXR2QMV Ty7cS+ys5Y75Ij3XPmPrGUjVOC5RltYQ54z9lZPDL6w3n1aOCe0l/QOemZQmy/Ev7SUw G7qaM+t3yxgvYiorwP821BDQrNpNkPlwp7vCeTijyzZbQ4e8o+OypAbMu+I2NgxiO1Q4 Eu9EDgvXj9CPUzKyTIAqosQZubPcL+lc9iB6vol55igkLauW/1bGxtpDUEXWJ1UKd7eL fnO2Ajel+XieWSvRr8K5vbqk7KdSjLuew5H0SzuumVaEtdzO7Xz6fPIgCH2o4V1A0M/c BkKg== X-Forwarded-Encrypted: i=1; AJvYcCVfFHksepWVyhaoik6uErtEK5KYXuIay/br30QGfWEuFaIgsw2fvtDWjKcokWpx0BuPBcgCMt4olCf9HA4GxDK023F/ X-Gm-Message-State: AOJu0YwIJIYL7lrhphDyjw2U8XJwDParMaZSCPBXD1TITrfV9vrLy4Lk 8oSyRG68/1FZVfDngM+H0IazV2B2QC2qwqcTkVHDXC6fLcDyfZ6ulWZ3Y417 X-Google-Smtp-Source: AGHT+IF5UON05abLTAAbAQNK8RFOtuHoX93xAO4TpEBG0WikCVlleKBSDulNclfcv7ahwMKbU8NO6w== X-Received: by 2002:a05:6a00:2181:b0:6e8:f66f:6b33 with SMTP id h1-20020a056a00218100b006e8f66f6b33mr13880081pfi.4.1713812759355; Mon, 22 Apr 2024 12:05:59 -0700 (PDT) Received: from ArmidaleLaptop (c-67-170-74-237.hsd1.wa.comcast.net. [67.170.74.237]) by smtp.gmail.com with ESMTPSA id b1-20020aa78ec1000000b006ece7bb5636sm8152692pfr.134.2024.04.22.12.05.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Apr 2024 12:05:59 -0700 (PDT) From: dthaler1968@googlemail.com X-Google-Original-From: To: "'Watson Ladd'" Cc: , References: <093301da933d$0d478510$27d68f30$@gmail.com> In-Reply-To: Subject: RE: [Bpf] BPF ISA Security Considerations section Date: Mon, 22 Apr 2024 12:05:57 -0700 Message-ID: <151e01da94e8$1c391f00$54ab5d00$@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQIuELsBo+B+UsoJNRbSlFOn1N3FrQGJMFTgsMFkZeA= Content-Language: en-us > -----Original Message----- > From: Watson Ladd > Sent: Monday, April 22, 2024 12:02 PM > To: dthaler1968=3D40googlemail.com@dmarc.ietf.org > Cc: bpf@ietf.org; bpf@vger.kernel.org > Subject: Re: [Bpf] BPF ISA Security Considerations section >=20 > On Sat, Apr 20, 2024 at 9:09=E2=80=AFAM > wrote: > > > > Per > > = https://authors.ietf.org/en/required-content#security-considerations, > > the BPF ISA draft is required to have a Security Considerations > > section before it can become an RFC. > > > > Below is strawman text that tries to strike a balance between > > discussing security issues and solutions vs keeping details out of > > scope that belong in other documents like the "verifier expectations > > and building blocks for allowing safe execution of untrusted BPF > > programs" document that is a separate item on the IETF WG charter. > > > > Proposed text: > > > > > Security Considerations > > > > > > BPF programs could use BPF instructions to do malicious things = with > > memory, > > > CPU, networking, or other system resources. This is not > > > fundamentally > > different > > > from any other type of software that may run on a device. = Execution > > environments > > > should be carefully designed to only run BPF programs that are > > > trusted or > > verified, > > > and sandboxing and privilege level separation are key strategies = for > > limiting > > > security and abuse impact. For example, BPF verifiers are = well-known > > > and > > widely > > > deployed and are responsible for ensuring that BPF programs will > > > terminate within a reasonable time, only interact with memory in > > > safe ways, and > > adhere to > > > platform-specified API contracts. The details are out of scope of > > > this > > document > > > (but see [LINUX] and [PREVAIL]), but this level of verification = can > > > often > > provide a > > > stronger level of security assurance than for other software and > > > operating > > system > > > code. >=20 > I would put a reference to the other deliverable to say more. If we = think that's > suboptimal for publication strategy, maybe we can be more generic = about it. There's nothing that can be referenced yet. One can only say it's left = for future work, would you prefer that? > Often BPF programs are executed on the other side of a reliability = boundary, e.g. if > you execute a BPF filter saying drop all on your network card, have = fun. This isn't > different from firewalls and the like, but it's a new risk that people = aren't expecting. I > think we might also need to call out that BPF security assurance = requires careful > design and thought about what is exposed via BPF. >=20 > Sincerely, > Watson Do you have proposed text? Dave From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.ietf.org (mail.ietf.org [50.223.129.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D415A1552E8 for ; Mon, 22 Apr 2024 19:06:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=50.223.129.194 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713812767; cv=none; b=ZN9Hcx5RX0R0wL1dU0fLzjTFNr7o1h51J5059u0C1oOazfK6UzbL5oL/4/++xsh9srlQknRl/uWezY6VJznBG4stHInkfRCSwmb/eW8tBzZpB0lm6wD1PJUkESYZO5uMda6y9SqO8+t6F8adDyuSPZl2KB1UGNaoSU6sIbP9r58= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713812767; c=relaxed/simple; bh=xvuGGAYwVz2DyCXdYOdTXQSyLt3SDv0uX67YIeF5iiw=; h=To:Cc:References:In-Reply-To:Date:Message-ID:MIME-Version:Subject: Content-Type:From; b=frTle/2zjv9iAfyUnP9xzxp+TGo1WdRdKaf2iMOlsrCwuLacNFPUCBtt/C4NtuZMtshhA6tpyOSt1V5TwhIUYiGcaOfTTs7mkzYKumxWbGbakidYtxsRRtpz2hyxfHyigaodwtSn7F0ndUfC+trauTYmYXGU3so5nsJFszjpHFY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=dmarc.ietf.org; spf=pass smtp.mailfrom=ietf.org; dkim=pass (1024-bit key) header.d=ietf.org header.i=@ietf.org header.b=aF6m1K3D; dkim=fail (1024-bit key) header.d=ietf.org header.i=@ietf.org header.b=dUfNU0r9 reason="signature verification failed"; dkim=fail (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b=KQ/io276 reason="signature verification failed"; arc=none smtp.client-ip=50.223.129.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=dmarc.ietf.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=ietf.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=ietf.org header.i=@ietf.org header.b="aF6m1K3D"; dkim=fail reason="signature verification failed" (1024-bit key) header.d=ietf.org header.i=@ietf.org header.b="dUfNU0r9"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=googlemail.com header.i=@googlemail.com header.b="KQ/io276" Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5356FC19ECB9 for ; Mon, 22 Apr 2024 12:06:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1713812765; bh=xvuGGAYwVz2DyCXdYOdTXQSyLt3SDv0uX67YIeF5iiw=; h=To:Cc:References:In-Reply-To:Date:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=aF6m1K3DAsa7FXPA4LQATh8aZp0lJrm1VCL5NO+8YXeMgkz8q603Mh+DKpqpyC2zD u5cM4Rkxu3jSulu6o7lV/W6CAxXZKkzymb/KtJOLyiJJ5VmYPMFlgUOA1+E5u3C9gH YxuelRqGPDaKznb/XPcV3zdG6jOrrvoclqQHYgHc= Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F55BC169436; Mon, 22 Apr 2024 12:06:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1713812765; bh=xvuGGAYwVz2DyCXdYOdTXQSyLt3SDv0uX67YIeF5iiw=; h=From:To:Cc:References:In-Reply-To:Date:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe; b=dUfNU0r9idjIvxX0BFg85tfLnFbNSNuidNPNn8/4opJnPWyVGeMWO5UXBxGYnL+8s djGJTRTtp/CLUvlOAtI+P3xxnrU6n4dMKoOqqhDTNhkyYyASmbcgLLtWmXBgmc4dlO BDxQ2M+Mb6vE4mLq1/sc6YOLNe/rpdwASTUvTNwI= Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B89C169436 for ; Mon, 22 Apr 2024 12:06:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.845 X-Spam-Level: Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=googlemail.com Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I8AGy8RKIseO for ; Mon, 22 Apr 2024 12:06:00 -0700 (PDT) Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4914CC14F5EA for ; Mon, 22 Apr 2024 12:06:00 -0700 (PDT) Received: by mail-pf1-x42a.google.com with SMTP id d2e1a72fcca58-6ecec796323so4907933b3a.3 for ; Mon, 22 Apr 2024 12:06:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20230601; t=1713812759; x=1714417559; darn=ietf.org; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=yNds/3XriKnoMzKRIOjk4mym3GCRF/+b+SL9UQdmBcA=; b=KQ/io276nrIdbUEqQWT0oQhBqxm8FmkGqgtUxrssANyc2KUPKWrd2hRodpDAuBp3s4 KIwK8qs9FjmhlP5ZqjOgxdDQzGXQwC1GkbO9DekCZPeWKDwOozNg8TXOvz3POIt04U3o SEvuqiHmgMt9bFkzE8co303s8c4PQxI92JE28jVbAM61SDHF9pAY8MvSZXBgd5D/3DVa GeEoVEuvZKCxxQqqIuxwGyQ++/FZf3Q2cPv1eJ2AdE+qwuX1qC7oDc62SjZzkTXJNdPg 2Jq3otDT2Mgp6QHe58h1nmATDlpvbCGzKnaHsA7jTVxTiJe+ff3+HGV0ZTBjpbuc0oiU Vyhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713812759; x=1714417559; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=yNds/3XriKnoMzKRIOjk4mym3GCRF/+b+SL9UQdmBcA=; b=r2HZpwYkIWLBHz75odtz+UCv1IOI+85S9yEmBBitoKbktNc38JPnn/GpOhrbFqBN8s vMyIjBZBj7FRP8RaWFf4fbN/MeO6dR/J8Y0CUEL9fned+SbuJpLUqlaDTkrbcd1PM5Nr qHJc1KyMRc7CkSGSiuRY6aAzAS9kADQo4+vtSrR0AnPDKXoWwtBPSGOWeScjjX7uRd5m vF3F3KE/DmcUqfZRjLI6D15Q5opqQYbx7mx3HMSkAmaKMtJI8zWuHOqAz6neMtlrv2Qs gxckoI/nwpqtc/sCGjr/TJmGR5e9mYFwu82eV3ZYqIdifHWtzQfmIgYdZYhBHNfaNTHx WY2g== X-Gm-Message-State: AOJu0YwzylshY4elIcO1x3vTxN2iXp8PbDh2DuQXzCJXAk6/wejQIYkd zUW7rTt8tUGfuIjp72USUtvFf/0KUD2rOJHxumBorr5LN5Q6FaWvKzboyW0q X-Google-Smtp-Source: AGHT+IF5UON05abLTAAbAQNK8RFOtuHoX93xAO4TpEBG0WikCVlleKBSDulNclfcv7ahwMKbU8NO6w== X-Received: by 2002:a05:6a00:2181:b0:6e8:f66f:6b33 with SMTP id h1-20020a056a00218100b006e8f66f6b33mr13880081pfi.4.1713812759355; Mon, 22 Apr 2024 12:05:59 -0700 (PDT) Received: from ArmidaleLaptop (c-67-170-74-237.hsd1.wa.comcast.net. [67.170.74.237]) by smtp.gmail.com with ESMTPSA id b1-20020aa78ec1000000b006ece7bb5636sm8152692pfr.134.2024.04.22.12.05.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Apr 2024 12:05:59 -0700 (PDT) X-Google-Original-From: To: "'Watson Ladd'" Cc: , References: <093301da933d$0d478510$27d68f30$@gmail.com> In-Reply-To: Date: Mon, 22 Apr 2024 12:05:57 -0700 Message-ID: <151e01da94e8$1c391f00$54ab5d00$@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQIuELsBo+B+UsoJNRbSlFOn1N3FrQGJMFTgsMFkZeA= Content-Language: en-us Archived-At: Subject: Re: [Bpf] BPF ISA Security Considerations section X-BeenThere: bpf@ietf.org X-Mailman-Version: 2.1.39 Precedence: list List-Archive: List-Post: List-Help: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: bpf-bounces@ietf.org Sender: "Bpf" X-Original-From: dthaler1968@googlemail.com From: dthaler1968=40googlemail.com@dmarc.ietf.org Message-ID: <20240422190557.9dxJAhQm0yZHT1FTO5CbKz8_AlIJb3jBmV_Dsntwlx4@z> PiAtLS0tLU9yaWdpbmFsIE1lc3NhZ2UtLS0tLQo+IEZyb206IFdhdHNvbiBMYWRkIDx3YXRzb25i bGFkZEBnbWFpbC5jb20+Cj4gU2VudDogTW9uZGF5LCBBcHJpbCAyMiwgMjAyNCAxMjowMiBQTQo+ IFRvOiBkdGhhbGVyMTk2OD00MGdvb2dsZW1haWwuY29tQGRtYXJjLmlldGYub3JnCj4gQ2M6IGJw ZkBpZXRmLm9yZzsgYnBmQHZnZXIua2VybmVsLm9yZwo+IFN1YmplY3Q6IFJlOiBbQnBmXSBCUEYg SVNBIFNlY3VyaXR5IENvbnNpZGVyYXRpb25zIHNlY3Rpb24KPiAKPiBPbiBTYXQsIEFwciAyMCwg MjAyNCBhdCA5OjA54oCvQU0KPiA8ZHRoYWxlcjE5Njg9NDBnb29nbGVtYWlsLmNvbUBkbWFyYy5p ZXRmLm9yZz4gd3JvdGU6Cj4gPgo+ID4gUGVyCj4gPiBodHRwczovL2F1dGhvcnMuaWV0Zi5vcmcv ZW4vcmVxdWlyZWQtY29udGVudCNzZWN1cml0eS1jb25zaWRlcmF0aW9ucywKPiA+IHRoZSBCUEYg SVNBIGRyYWZ0IGlzIHJlcXVpcmVkIHRvIGhhdmUgYSBTZWN1cml0eSBDb25zaWRlcmF0aW9ucwo+ ID4gc2VjdGlvbiBiZWZvcmUgaXQgY2FuIGJlY29tZSBhbiBSRkMuCj4gPgo+ID4gQmVsb3cgaXMg c3RyYXdtYW4gdGV4dCB0aGF0IHRyaWVzIHRvIHN0cmlrZSBhIGJhbGFuY2UgYmV0d2Vlbgo+ID4g ZGlzY3Vzc2luZyBzZWN1cml0eSBpc3N1ZXMgYW5kIHNvbHV0aW9ucyB2cyBrZWVwaW5nIGRldGFp bHMgb3V0IG9mCj4gPiBzY29wZSB0aGF0IGJlbG9uZyBpbiBvdGhlciBkb2N1bWVudHMgbGlrZSB0 aGUgInZlcmlmaWVyIGV4cGVjdGF0aW9ucwo+ID4gYW5kIGJ1aWxkaW5nIGJsb2NrcyBmb3IgYWxs b3dpbmcgc2FmZSBleGVjdXRpb24gb2YgdW50cnVzdGVkIEJQRgo+ID4gcHJvZ3JhbXMiIGRvY3Vt ZW50IHRoYXQgaXMgYSBzZXBhcmF0ZSBpdGVtIG9uIHRoZSBJRVRGIFdHIGNoYXJ0ZXIuCj4gPgo+ ID4gUHJvcG9zZWQgdGV4dDoKPiA+Cj4gPiA+IFNlY3VyaXR5IENvbnNpZGVyYXRpb25zCj4gPiA+ Cj4gPiA+IEJQRiBwcm9ncmFtcyBjb3VsZCB1c2UgQlBGIGluc3RydWN0aW9ucyB0byBkbyBtYWxp Y2lvdXMgdGhpbmdzIHdpdGgKPiA+IG1lbW9yeSwKPiA+ID4gQ1BVLCBuZXR3b3JraW5nLCBvciBv dGhlciBzeXN0ZW0gcmVzb3VyY2VzLiBUaGlzIGlzIG5vdAo+ID4gPiBmdW5kYW1lbnRhbGx5Cj4g PiBkaWZmZXJlbnQKPiA+ID4gZnJvbSBhbnkgb3RoZXIgdHlwZSBvZiBzb2Z0d2FyZSB0aGF0IG1h eSBydW4gb24gYSBkZXZpY2UuIEV4ZWN1dGlvbgo+ID4gZW52aXJvbm1lbnRzCj4gPiA+IHNob3Vs ZCBiZSBjYXJlZnVsbHkgZGVzaWduZWQgdG8gb25seSBydW4gQlBGIHByb2dyYW1zIHRoYXQgYXJl Cj4gPiA+IHRydXN0ZWQgb3IKPiA+IHZlcmlmaWVkLAo+ID4gPiBhbmQgc2FuZGJveGluZyBhbmQg cHJpdmlsZWdlIGxldmVsIHNlcGFyYXRpb24gYXJlIGtleSBzdHJhdGVnaWVzIGZvcgo+ID4gbGlt aXRpbmcKPiA+ID4gc2VjdXJpdHkgYW5kIGFidXNlIGltcGFjdC4gRm9yIGV4YW1wbGUsIEJQRiB2 ZXJpZmllcnMgYXJlIHdlbGwta25vd24KPiA+ID4gYW5kCj4gPiB3aWRlbHkKPiA+ID4gZGVwbG95 ZWQgYW5kIGFyZSByZXNwb25zaWJsZSBmb3IgZW5zdXJpbmcgdGhhdCBCUEYgcHJvZ3JhbXMgd2ls bAo+ID4gPiB0ZXJtaW5hdGUgd2l0aGluIGEgcmVhc29uYWJsZSB0aW1lLCBvbmx5IGludGVyYWN0 IHdpdGggbWVtb3J5IGluCj4gPiA+IHNhZmUgd2F5cywgYW5kCj4gPiBhZGhlcmUgdG8KPiA+ID4g cGxhdGZvcm0tc3BlY2lmaWVkIEFQSSBjb250cmFjdHMuIFRoZSBkZXRhaWxzIGFyZSBvdXQgb2Yg c2NvcGUgb2YKPiA+ID4gdGhpcwo+ID4gZG9jdW1lbnQKPiA+ID4gKGJ1dCBzZWUgW0xJTlVYXSBh bmQgW1BSRVZBSUxdKSwgYnV0IHRoaXMgbGV2ZWwgb2YgdmVyaWZpY2F0aW9uIGNhbgo+ID4gPiBv ZnRlbgo+ID4gcHJvdmlkZSBhCj4gPiA+IHN0cm9uZ2VyIGxldmVsIG9mIHNlY3VyaXR5IGFzc3Vy YW5jZSB0aGFuIGZvciBvdGhlciBzb2Z0d2FyZSBhbmQKPiA+ID4gb3BlcmF0aW5nCj4gPiBzeXN0 ZW0KPiA+ID4gY29kZS4KPiAKPiBJIHdvdWxkIHB1dCBhIHJlZmVyZW5jZSB0byB0aGUgb3RoZXIg ZGVsaXZlcmFibGUgdG8gc2F5IG1vcmUuIElmIHdlIHRoaW5rIHRoYXQncwo+IHN1Ym9wdGltYWwg Zm9yIHB1YmxpY2F0aW9uIHN0cmF0ZWd5LCBtYXliZSB3ZSBjYW4gYmUgbW9yZSBnZW5lcmljIGFi b3V0IGl0LgoKVGhlcmUncyBub3RoaW5nIHRoYXQgY2FuIGJlIHJlZmVyZW5jZWQgeWV0LiAgT25l IGNhbiBvbmx5IHNheSBpdCdzIGxlZnQgZm9yIGZ1dHVyZSB3b3JrLAp3b3VsZCB5b3UgcHJlZmVy IHRoYXQ/Cgo+IE9mdGVuIEJQRiBwcm9ncmFtcyBhcmUgZXhlY3V0ZWQgb24gdGhlIG90aGVyIHNp ZGUgb2YgYSByZWxpYWJpbGl0eSBib3VuZGFyeSwgZS5nLiBpZgo+IHlvdSBleGVjdXRlIGEgQlBG IGZpbHRlciBzYXlpbmcgZHJvcCBhbGwgb24geW91ciBuZXR3b3JrIGNhcmQsIGhhdmUgZnVuLiBU aGlzIGlzbid0Cj4gZGlmZmVyZW50IGZyb20gZmlyZXdhbGxzIGFuZCB0aGUgbGlrZSwgYnV0IGl0 J3MgYSBuZXcgcmlzayB0aGF0IHBlb3BsZSBhcmVuJ3QgZXhwZWN0aW5nLiBJCj4gdGhpbmsgd2Ug bWlnaHQgYWxzbyBuZWVkIHRvIGNhbGwgb3V0IHRoYXQgQlBGIHNlY3VyaXR5IGFzc3VyYW5jZSBy ZXF1aXJlcyBjYXJlZnVsCj4gZGVzaWduIGFuZCB0aG91Z2h0IGFib3V0IHdoYXQgaXMgZXhwb3Nl ZCB2aWEgQlBGLgo+IAo+IFNpbmNlcmVseSwKPiBXYXRzb24KCkRvIHlvdSBoYXZlIHByb3Bvc2Vk IHRleHQ/CgpEYXZlCgotLSAKQnBmIG1haWxpbmcgbGlzdApCcGZAaWV0Zi5vcmcKaHR0cHM6Ly93 d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9icGYK