summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJeremy Cline <jcline@redhat.com>2019-11-04 11:12:42 -0500
committerJeremy Cline <jcline@redhat.com>2019-11-04 11:18:33 -0500
commit5fe065b6c0e7dce82e4a85fedf5513d2d9970a41 (patch)
treeed3642d59a508a7d5f13c7c7372f5bc6ef5902c3
parent32fe916e9be64984d89982b8cd9bb19c0c51f8aa (diff)
downloadkernel-5fe065b6c0e7dce82e4a85fedf5513d2d9970a41.tar.gz
kernel-5fe065b6c0e7dce82e4a85fedf5513d2d9970a41.tar.xz
kernel-5fe065b6c0e7dce82e4a85fedf5513d2d9970a41.zip
Linux v5.4-rc6
-rw-r--r--efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch87
-rw-r--r--efi-libstub-arm-account-for-firmware-reserved-memory-at-the-base-of-RAM.patch216
-rw-r--r--kernel.spec16
-rw-r--r--sources3
4 files changed, 7 insertions, 315 deletions
diff --git a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch b/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
deleted file mode 100644
index 61a52c6fd..000000000
--- a/efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Javier Martinez Canillas <javierm@redhat.com>
-Subject: [PATCH v2] efi/efi_test: lock down /dev/efi_test and require
- CAP_SYS_ADMIN
-Date: Tue, 8 Oct 2019 12:55:10 +0200
-
-The driver exposes EFI runtime services to user-space through an IOCTL
-interface, calling the EFI services function pointers directly without
-using the efivar API.
-
-Disallow access to the /dev/efi_test character device when the kernel is
-locked down to prevent arbitrary user-space to call EFI runtime services.
-
-Also require CAP_SYS_ADMIN to open the chardev to prevent unprivileged
-users to call the EFI runtime services, instead of just relying on the
-chardev file mode bits for this.
-
-The main user of this driver is the fwts [0] tool that already checks if
-the effective user ID is 0 and fails otherwise. So this change shouldn't
-cause any regression to this tool.
-
-[0]: https://wiki.ubuntu.com/FirmwareTestSuite/Reference/uefivarinfo
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
-Acked-by: Laszlo Ersek <lersek@redhat.com>
-Acked-by: Matthew Garrett <mjg59@google.com>
----
-
-Changes in v2:
-- Also disable /dev/efi_test access when the kernel is locked down as
- suggested by Matthew Garrett.
-- Add Acked-by tag from Laszlo Ersek.
-
- drivers/firmware/efi/test/efi_test.c | 8 ++++++++
- include/linux/security.h | 1 +
- security/lockdown/lockdown.c | 1 +
- 3 files changed, 10 insertions(+)
-
-diff --git a/drivers/firmware/efi/test/efi_test.c b/drivers/firmware/efi/test/efi_test.c
-index 877745c3aaf..7baf48c01e7 100644
---- a/drivers/firmware/efi/test/efi_test.c
-+++ b/drivers/firmware/efi/test/efi_test.c
-@@ -14,6 +14,7 @@
- #include <linux/init.h>
- #include <linux/proc_fs.h>
- #include <linux/efi.h>
-+#include <linux/security.h>
- #include <linux/slab.h>
- #include <linux/uaccess.h>
-
-@@ -717,6 +718,13 @@ static long efi_test_ioctl(struct file *file, unsigned int cmd,
-
- static int efi_test_open(struct inode *inode, struct file *file)
- {
-+ int ret = security_locked_down(LOCKDOWN_EFI_TEST);
-+
-+ if (ret)
-+ return ret;
-+
-+ if (!capable(CAP_SYS_ADMIN))
-+ return -EACCES;
- /*
- * nothing special to do here
- * We do accept multiple open files at the same time as we
-diff --git a/include/linux/security.h b/include/linux/security.h
-index a8d59d612d2..9df7547afc0 100644
---- a/include/linux/security.h
-+++ b/include/linux/security.h
-@@ -105,6 +105,7 @@ enum lockdown_reason {
- LOCKDOWN_NONE,
- LOCKDOWN_MODULE_SIGNATURE,
- LOCKDOWN_DEV_MEM,
-+ LOCKDOWN_EFI_TEST,
- LOCKDOWN_KEXEC,
- LOCKDOWN_HIBERNATION,
- LOCKDOWN_PCI_ACCESS,
-diff --git a/security/lockdown/lockdown.c b/security/lockdown/lockdown.c
-index 8a10b43daf7..40b790536de 100644
---- a/security/lockdown/lockdown.c
-+++ b/security/lockdown/lockdown.c
-@@ -20,6 +20,7 @@ static const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
- [LOCKDOWN_NONE] = "none",
- [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
- [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
-+ [LOCKDOWN_EFI_TEST] = "/dev/efi_test access",
- [LOCKDOWN_KEXEC] = "kexec of unsigned images",
- [LOCKDOWN_HIBERNATION] = "hibernation",
- [LOCKDOWN_PCI_ACCESS] = "direct PCI access",
diff --git a/efi-libstub-arm-account-for-firmware-reserved-memory-at-the-base-of-RAM.patch b/efi-libstub-arm-account-for-firmware-reserved-memory-at-the-base-of-RAM.patch
deleted file mode 100644
index 47bccc262..000000000
--- a/efi-libstub-arm-account-for-firmware-reserved-memory-at-the-base-of-RAM.patch
+++ /dev/null
@@ -1,216 +0,0 @@
-From patchwork Mon Oct 14 16:33:09 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-X-Patchwork-Id: 11189097
-Return-Path:
- <SRS0=bNJh=YH=lists.infradead.org=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@kernel.org>
-Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org
- [172.30.200.123])
- by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E1AD11390
- for <patchwork-linux-arm@patchwork.kernel.org>;
- Mon, 14 Oct 2019 16:33:28 +0000 (UTC)
-Received: from bombadil.infradead.org (bombadil.infradead.org
- [198.137.202.133])
- (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
- (No client certificate requested)
- by mail.kernel.org (Postfix) with ESMTPS id BF9BE217D9
- for <patchwork-linux-arm@patchwork.kernel.org>;
- Mon, 14 Oct 2019 16:33:28 +0000 (UTC)
-Authentication-Results: mail.kernel.org;
- dkim=pass (2048-bit key) header.d=lists.infradead.org
- header.i=@lists.infradead.org header.b="AWaZtE0p";
- dkim=fail reason="signature verification failed" (2048-bit key)
- header.d=linaro.org header.i=@linaro.org header.b="THTDXG/3"
-DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BF9BE217D9
-Authentication-Results: mail.kernel.org;
- dmarc=fail (p=none dis=none) header.from=linaro.org
-Authentication-Results: mail.kernel.org;
- spf=none
- smtp.mailfrom=linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
-DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
- d=lists.infradead.org; s=bombadil.20170209; h=Sender:
- Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post:
- List-Archive:List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To
- :From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
- Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
- List-Owner; bh=bFVBLmSAI67EKVRVJ976rFVJhb17XzlF5Frmxpt4Q24=; b=AWaZtE0prtFAKn
- TzXV3jyYung5GM46YpbdIYSXq5utN5mbiOzHoadisQSsfKUn1h5/wpF7esUHXwHaDS5FWUUp5g6F+
- P0rKmQjVgWN+jVD7Kk7RvmJewoFKWvlUzoG5+Lfin8NLSHMwNg+v2Z+sUayE+SylST1LP8jkK8B7e
- QiOi647qxPv6IW25Zucu4D+N8DXmh+t6DjJXZ2W1LznbCD0PIPjTpcen0dntkHUYL0FHya3ghdrC3
- ejo+MjvSDlrs4LgP5ER56hiSeucu58WMLefoUS3oSEYirB+9zt3Qk2Ppxv6k2GY/NBkLjw9jT76kg
- OIZj83Gck17z+l7+NVmQ==;
-Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
- by bombadil.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
- id 1iK3Hk-0001ZP-CS; Mon, 14 Oct 2019 16:33:28 +0000
-Received: from mail-wm1-x341.google.com ([2a00:1450:4864:20::341])
- by bombadil.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
- id 1iK3Hf-0001Tp-Mo
- for linux-arm-kernel@lists.infradead.org; Mon, 14 Oct 2019 16:33:26 +0000
-Received: by mail-wm1-x341.google.com with SMTP id y135so386665wmc.1
- for <linux-arm-kernel@lists.infradead.org>;
- Mon, 14 Oct 2019 09:33:23 -0700 (PDT)
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google;
- h=from:to:cc:subject:date:message-id:mime-version
- :content-transfer-encoding;
- bh=yuEdphuMWOUGDahWSE97oqgmOlObKgpyvQgzFU8TRQU=;
- b=THTDXG/3mOeZtb6dOK6qrH1eQvV7z52+jijnE+ULOhMbPReKZiIPTLCR3+W7HnWIkL
- RFmtL80kGqOr/FynSqFtzLiwv4TaClqwXnVtULNnpITi/cHhy+AnvWVfQCDZ1THjSHSh
- pduFTV40hbsfQR4K3wm6K4LGLOnaAkS193JT28eOdR7oOcCjbZSKoQKTYCquWrAWTeIo
- oQAUnFNuy4gdBy+94VmzR0AdgNrDXTc5KPDYLaOTSBxZUJQ8+7pDFhxOxm06B6gNgPEp
- fzYcPcRV2R9hc6PtL8jxMKRNQ3PcJnas8KU2DsmaK/FJZxgtzXs97TaHydGKq33TYgst
- Mpow==
-X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
- d=1e100.net; s=20161025;
- h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
- :content-transfer-encoding;
- bh=yuEdphuMWOUGDahWSE97oqgmOlObKgpyvQgzFU8TRQU=;
- b=PJHaADcio6H7WwVXfMpYGT2fr/FMtU5GUUbNeD+td9rfpid6nfbHrh2TCAQtpxAMaS
- B63nd+HNchQoPhWWHWMMx8gbY9KwOKzc5/FO5wqeDo5gbpI/eWidH+ieGLaxozX/Aqku
- BLTdsnGMIB+FxmFCmtaY1y9wuqdVmS/4RiobjBycBZmXBYOYxZc3I81zM1u+nBjRKsNZ
- h2D/gN8sjkRbT4f5kU/xpHbh+8CbpVp4ze5cpKOf35Iwf+ASNw/l53NHft0Y41ehG2NA
- YFsdBpquso+CNhTGqN5VOBlpGdMFRJ4SIseygRQbXVT4KEeZBP60so7Ed8MwxoXmG6sw
- gM5w==
-X-Gm-Message-State: APjAAAUc9u8vjoe8La6L5Z/DMvnvVKz828SBRtfClkhDufJCaEZaQ1S9
- nO3+g66C+iOliANLi0dTY/L7SkabogZiQQ==
-X-Google-Smtp-Source:
- APXvYqz0XzN3uY3m31zQi76ZEDZQMtYggJ6COqe0WCePJ5GuE+rYLNtFHVBakYmvlBvQjlPYRU+lrg==
-X-Received: by 2002:a1c:a516:: with SMTP id
- o22mr16781400wme.116.1571070801893;
- Mon, 14 Oct 2019 09:33:21 -0700 (PDT)
-Received: from localhost.localdomain
- (laubervilliers-657-1-83-120.w92-154.abo.wanadoo.fr. [92.154.90.120])
- by smtp.gmail.com with ESMTPSA id o70sm25785240wme.29.2019.10.14.09.33.20
- (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
- Mon, 14 Oct 2019 09:33:21 -0700 (PDT)
-From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-To: linux-arm-kernel@lists.infradead.org
-Subject: [PATCH] efi: libstub/arm: account for firmware reserved memory at the
- base of RAM
-Date: Mon, 14 Oct 2019 18:33:09 +0200
-Message-Id: <20191014163309.2860-1-ard.biesheuvel@linaro.org>
-X-Mailer: git-send-email 2.20.1
-MIME-Version: 1.0
-X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
-X-CRM114-CacheID: sfid-20191014_093323_781941_B57BEE97
-X-CRM114-Status: GOOD ( 13.99 )
-X-Spam-Score: -0.2 (/)
-X-Spam-Report: SpamAssassin version 3.4.2 on bombadil.infradead.org summary:
- Content analysis details: (-0.2 points)
- pts rule name description
- ---- ----------------------
- --------------------------------------------------
- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/,
- no trust [2a00:1450:4864:20:0:0:0:341 listed in]
- [list.dnswl.org]
- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
- -0.0 SPF_PASS SPF: sender matches SPF record
- -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
- author's domain
- 0.1 DKIM_SIGNED Message has a DKIM or DK signature,
- not necessarily
- valid
- -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from
- envelope-from domain
- -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
-X-BeenThere: linux-arm-kernel@lists.infradead.org
-X-Mailman-Version: 2.1.29
-Precedence: list
-List-Id: <linux-arm-kernel.lists.infradead.org>
-List-Unsubscribe:
- <http://lists.infradead.org/mailman/options/linux-arm-kernel>,
- <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
-List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
-List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
-List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
-List-Subscribe:
- <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>,
- <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
-Cc: Chester Lin <clin@suse.com>, Guillaume Gardet <Guillaume.Gardet@arm.com>,
- linux-efi@vger.kernel.org, Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
-Errors-To:
- linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org
-
-The EFI stubloader for ARM starts out by allocating a 32 MB window
-at the base of RAM, in order to ensure that the decompressor (which
-blindly copies the uncompressed kernel into that window) does not
-overwrite other allocations that are made while running in the context
-of the EFI firmware.
-
-In some cases, (e.g., U-Boot running on the Raspberry Pi 2), this is
-causing boot failures because this initial allocation conflicts with
-a page of reserved memory at the base of RAM that contains the SMP spin
-tables and other pieces of firmware data and which was put there by
-the bootloader under the assumption that the TEXT_OFFSET window right
-below the kernel is only used partially during early boot, and will be
-left alone once the memory reservations are processed and taken into
-account.
-
-So let's permit reserved memory regions to exist in the region starting
-at the base of RAM, and ending at TEXT_OFFSET - 5 * PAGE_SIZE, which is
-the window below the kernel that is not touched by the early boot code.
-
-Cc: Guillaume Gardet <Guillaume.Gardet@arm.com>
-Cc: Chester Lin <clin@suse.com>
-Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
----
- drivers/firmware/efi/libstub/Makefile | 1 +
- drivers/firmware/efi/libstub/arm32-stub.c | 16 +++++++++++++---
- 2 files changed, 14 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
-index 0460c7581220..ee0661ddb25b 100644
---- a/drivers/firmware/efi/libstub/Makefile
-+++ b/drivers/firmware/efi/libstub/Makefile
-@@ -52,6 +52,7 @@ lib-$(CONFIG_EFI_ARMSTUB) += arm-stub.o fdt.o string.o random.o \
-
- lib-$(CONFIG_ARM) += arm32-stub.o
- lib-$(CONFIG_ARM64) += arm64-stub.o
-+CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
- CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET)
-
- #
-diff --git a/drivers/firmware/efi/libstub/arm32-stub.c b/drivers/firmware/efi/libstub/arm32-stub.c
-index e8f7aefb6813..47aafeff3e01 100644
---- a/drivers/firmware/efi/libstub/arm32-stub.c
-+++ b/drivers/firmware/efi/libstub/arm32-stub.c
-@@ -195,6 +195,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table,
- unsigned long dram_base,
- efi_loaded_image_t *image)
- {
-+ unsigned long kernel_base;
- efi_status_t status;
-
- /*
-@@ -204,9 +205,18 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table,
- * loaded. These assumptions are made by the decompressor,
- * before any memory map is available.
- */
-- dram_base = round_up(dram_base, SZ_128M);
-+ kernel_base = round_up(dram_base, SZ_128M);
-
-- status = reserve_kernel_base(sys_table, dram_base, reserve_addr,
-+ /*
-+ * Note that some platforms (notably, the Raspberry Pi 2) put
-+ * spin-tables and other pieces of firmware at the base of RAM,
-+ * abusing the fact that the window of TEXT_OFFSET bytes at the
-+ * base of the kernel image is only partially used at the moment.
-+ * (Up to 5 pages are used for the swapper page table)
-+ */
-+ kernel_base += TEXT_OFFSET - 5 * PAGE_SIZE;
-+
-+ status = reserve_kernel_base(sys_table, kernel_base, reserve_addr,
- reserve_size);
- if (status != EFI_SUCCESS) {
- pr_efi_err(sys_table, "Unable to allocate memory for uncompressed kernel.\n");
-@@ -220,7 +230,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table,
- *image_size = image->image_size;
- status = efi_relocate_kernel(sys_table, image_addr, *image_size,
- *image_size,
-- dram_base + MAX_UNCOMP_KERNEL_SIZE, 0);
-+ kernel_base + MAX_UNCOMP_KERNEL_SIZE, 0);
- if (status != EFI_SUCCESS) {
- pr_efi_err(sys_table, "Failed to relocate kernel.\n");
- efi_free(sys_table, *reserve_size, *reserve_addr);
diff --git a/kernel.spec b/kernel.spec
index 397001d79..407167f8f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -73,7 +73,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 3
+%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -98,9 +98,9 @@ Summary: The Linux kernel
# The next upstream release sublevel (base_sublevel+1)
%define upstream_sublevel %(echo $((%{base_sublevel} + 1)))
# The rc snapshot level
-%global rcrev 5
+%global rcrev 6
# The git snapshot level
-%define gitrev 1
+%define gitrev 0
# Set rpm version accordingly
%define rpmversion 5.%{upstream_sublevel}.0
%endif
@@ -666,10 +666,6 @@ Patch204: efi-secureboot.patch
Patch205: lift-lockdown-sysrq.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1759325
-# Submitted upstream at https://lore.kernel.org/patchwork/patch/1136967/
-Patch206: efi-efi_test-lock-down-dev-efi_test-and-require-CAP_.patch
-
# 300 - ARM patches
Patch300: arm64-Add-option-of-13-for-FORCE_MAX_ZONEORDER.patch
@@ -696,9 +692,6 @@ Patch324: arm64-tegra186-enable-USB-on-Jetson-TX2.patch
# https://patchwork.kernel.org/patch/11224177/
Patch325: arm64-usb-host-xhci-tegra-set-MODULE_FIRMWARE-for-tegra186.patch
-# https://www.spinics.net/lists/arm-kernel/msg761152.html
-Patch342: efi-libstub-arm-account-for-firmware-reserved-memory-at-the-base-of-RAM.patch
-
# 400 - IBM (ppc/s390x) patches
# 500 - Temp fixes/CVEs etc
@@ -2420,6 +2413,9 @@ fi
#
#
%changelog
+* Mon Nov 04 2019 Jeremy Cline <jcline@redhat.com> - 5.4.0-0.rc6.git0.1
+- Linux v5.4-rc6
+
* Mon Nov 04 2019 Jeremy Cline <jcline@redhat.com>
- Disable debugging options.
diff --git a/sources b/sources
index 99df8e5af..825fdefa3 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,2 @@
SHA512 (linux-5.3.tar.xz) = 6b5edef47c319a3fa7f6c20a3e0903a5acd89ec75e32dc5f99adcb60c9fe118ea312722d9c3d27e2e3900afa2455afb86e83a8b6bb131009bc79ddbe6fb0595d
-SHA512 (patch-5.4-rc5.xz) = 4cfdbd263b243490e9aec0f320a6ecf5d1706ed0e92129c3a107fa25fc32536e7e016086d7271196c21be39cd7cde3c4f57413eed4a07ffe28355856af500c14
-SHA512 (patch-5.4-rc5-git1.xz) = 56dbcc36eb07d37871a0a3ad59c88061a01b2e26f81bd0686e90c908684c66460a73bf1fcca866829c8d14b75a78de44e5d639d504a129db8ce8cac6d7c823cd
+SHA512 (patch-5.4-rc6.xz) = 6322ec5b2e5de13fe05abf031dea7274230c3ce77cf93f631dc504eb779f10c6658e8df083a9e96f6eca6f0bf4974bc9b4103d1399eee32c7dedadbab0692d7b