packages/secGear
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport some patches from openEuler

Browse Source
This commit is contained in:
gaoyusong 2022-04-28 20:34:30 +08:00
parent 3fae1682d3
commit 387e01dde4
8 changed files with 433 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
0040-fix-double-free.patch Normal file
View File

@ -0,0 +1,36 @@
From 297bce40545793d545747e25f614b09a185ef489 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Wed, 23 Feb 2022 20:33:32 +0800
Subject: [PATCH] fix double free
---
src/host_src/gp/gp_enclave.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
index c7554de..9bc9514 100644
--- a/src/host_src/gp/gp_enclave.c
+++ b/src/host_src/gp/gp_enclave.c
@@ -255,10 +255,15 @@ static bool handle_ocall(uint32_t agent_id, int dev_fd, void *buffer, cc_ocall_f
}
ret = true;
done:
- free(tmp_input_buffer);
- free(tmp_output_buffer);
- tmp_input_buffer = NULL;
- tmp_output_buffer = NULL;
+ if (tmp_input_buffer != NULL) {
+ free(tmp_input_buffer);
+ tmp_input_buffer = NULL;
+ }
+ if (tmp_output_buffer != NULL) {
+ free(tmp_output_buffer);
+ tmp_output_buffer = NULL;
+ }
+
return ret;
}
--
2.27.0

50
0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch Normal file
View File

@ -0,0 +1,50 @@
From a3a3a1e9e19f5595cb66fdc7928da70ca9f250a5 Mon Sep 17 00:00:00 2001
From: chenmaodong <chenmaodong@huawei.com>
Date: Wed, 8 Sep 2021 16:48:05 +0800
Subject: [PATCH] fix logs redirection error and delete
rsa_public_key_cloud.pem
PrintInfo will send the message from enclave to host with a program
name "[secGear]", however it'll print the wrong program name while
there are multi threads, so we delete this rule. On the same time, we
delete rsa_public_key_cloud.pem, because itrustee_sdk will provide it
Signed-off-by: chenmaodong <chenmaodong@huawei.com>
---
conf/rsyslog.d/secgear.conf | 3 +--
tools/sign_tool/cloud/rsa_public_key_cloud.pem | 11 -----------
2 files changed, 1 insertion(+), 13 deletions(-)
delete mode 100644 tools/sign_tool/cloud/rsa_public_key_cloud.pem
diff --git a/conf/rsyslog.d/secgear.conf b/conf/rsyslog.d/secgear.conf
index b835a94..7f1d898 100644
--- a/conf/rsyslog.d/secgear.conf
+++ b/conf/rsyslog.d/secgear.conf
@@ -1,6 +1,5 @@
#Do not modify this file
-if (($programname == 'teeos') or ($programname == 'secGear')) and \
- ($msg contains '[secGear]') then {
+if ($msg contains '[secGear]') then {
action(type="omfile" fileCreateMode="0600" file="/var/log/secgear/secgear.log")
stop
}
diff --git a/tools/sign_tool/cloud/rsa_public_key_cloud.pem b/tools/sign_tool/cloud/rsa_public_key_cloud.pem
deleted file mode 100644
index a321f63..0000000
--- a/tools/sign_tool/cloud/rsa_public_key_cloud.pem
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PUBLIC KEY-----
-MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAzAPwbnbgBg7JgXERA9Bx
-p7GLI1S3e1zL83RMd2+GXb6kO4yMKUL3NUCE2HhA2BtQYmLyGovx59UUcKnU58is
-Xux++kH+A2shmOPjYvEFuX0Kt8tc19b8M9b/iHsY8ZmKykqia2a5U+IrECRFJo5p
-DWUnl7jrHVtq78BSR1c7iXG1frrEC0AYCuqKJo/fxfmOKL0Y9mENCB3nAwjn9unD
-BsO/OhkqvvB3nkeuMfNKPh4wCqtQPve13eTojbuxjX/3ePijplTI5X2Gr+n6Ximn
-fYRlytQmMgMl/db0ARSKNApq9bmwzVNrnGWWZWJksdRvf6iL7t17Gs4L9AApOuC9
-WkzxPvwp5ZUqjsGd4oJGWeC6ZE6BTw2vxE+xMFI9uAKHxq9pBKkcGMa0g4fANNNV
-+W+8JZGanxEXKB3y/M7BCyQAPCWOHC/RNjmRA1gczLYCPzC4pWu935UZdF1RR6zY
-CD3t+FoOGGET/g4CwWgyhb5qkp65Hs6ayYt/DUAqo+yBAgMBAAE=
------END PUBLIC KEY-----
--
1.8.3.1

39
0042-destroy-rwlock-when-create-enclave-failed.patch Normal file
View File

@ -0,0 +1,39 @@
From e716ff141b967986d35fc65c59ab0e03015dce48 Mon Sep 17 00:00:00 2001
From: houmingyong<houmingyong@huawei.com>
Date: Thu, 13 Jan 2022 10:24:23 +0800
Subject: [PATCH] destroy rwlock when create enclave failed
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/commit/cb80972c3a60261786d76a2a50ab5ce29b312ebd
---
src/host_src/enclave.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index 8d6c8a6..e163b58 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -68,6 +68,7 @@ static void error_handle(cc_enclave_t *enclave, void *handle, p_tee_registered r
}
if (enclave) {
+ pthread_rwlock_destroy(&enclave->rwlock);
explicit_bzero(enclave, sizeof(cc_enclave_t));
}
}
@@ -192,7 +193,10 @@ cc_enclave_result_t cc_enclave_create(const char *path, enclave_type_t type, uin
memset(enclave, 0, sizeof(cc_enclave_t));
if (!check_transform_path(&res, path, &l_path) || !chose_engine_type(&res, type, version, &type_version)) {
- goto done;
+ if (l_path) {
+ free(l_path);
+ }
+ return CC_FAIL;
}
/* to do: gp support enter enclave debugging */
--
2.27.0

99
0043-fix-partial-resource-leak.patch Normal file
View File

@ -0,0 +1,99 @@
From c64400a742d292585f06590741ceb5b37837e4bc Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Mon, 17 Jan 2022 19:21:12 +0800
Subject: [PATCH] fix partial resource leak
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/pulls/79
---
src/host_src/enclave.c | 49 ++++++++++++++++++------------------------
1 file changed, 21 insertions(+), 28 deletions(-)
diff --git a/src/host_src/enclave.c b/src/host_src/enclave.c
index e163b58..36a50b9 100644
--- a/src/host_src/enclave.c
+++ b/src/host_src/enclave.c
@@ -264,7 +264,7 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
{
int32_t ires = 0;
cc_enclave_result_t res = CC_FAIL;
- p_tee_unregistered unregistered_funcc;
+ p_tee_unregistered unregistered_funcc = NULL;
/* check context and enclave engine context */
if (!context || !context->list_ops_node || !context->list_ops_node->ops_desc ||
@@ -273,50 +273,43 @@ cc_enclave_result_t cc_enclave_destroy(cc_enclave_t *context)
return CC_ERROR_BAD_PARAMETERS;
}
- ires = pthread_rwlock_wrlock(&(context->rwlock));
- if (ires) {
- return CC_ERROR_BUSY;
- }
+ (void)pthread_rwlock_wrlock(&(context->rwlock));
if (context->list_ops_node->ops_desc->ops->cc_destroy_enclave != NULL) {
res = context->list_ops_node->ops_desc->ops->cc_destroy_enclave(context);
- SECGEAR_CHECK_RES(res);
- } else {
- print_error_goto("Enclave context no valid ops function\n");
+ if (res != CC_SUCCESS) {
+ print_warning("destory enclave error\n");
+ }
}
/* look up enclave engine unregistered */
- res = find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
- SECGEAR_CHECK_RES(res);
+ (void)find_engine_registered(context->list_ops_node->ops_desc->handle, NULL, &unregistered_funcc);
/* lock call unregistered func */
- ires = pthread_mutex_lock(&(g_list_ops.mutex_work));
- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
+ (void)pthread_mutex_lock(&(g_list_ops.mutex_work));
/* call enclave engine free node */
- res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
- SECGEAR_CHECK_RES_UNLOCK(res);
+ if (unregistered_funcc) {
+ res = (*unregistered_funcc)(context, context->list_ops_node->ops_desc->type_version);
+ if (res != CC_SUCCESS) {
+ print_warning("unregister func error\n");
+ }
+ }
if (context->list_ops_node->ops_desc->count == 0) {
ires = dlclose(context->list_ops_node->ops_desc->handle);
if (ires != 0) {
- res = CC_FAIL;
- pthread_mutex_unlock(&(g_list_ops.mutex_work));
- print_error_goto("Close engine failure\n");
+ print_warning("close engine error\n");
}
context->list_ops_node = NULL;
}
/* free enclave number resources */
g_list_ops.enclaveState.enclave_count--;
- ires = pthread_mutex_unlock(&(g_list_ops.mutex_work));
- SECGEAR_CHECK_MUTEX_RES_CC(ires, res);
+ (void)pthread_mutex_unlock(&(g_list_ops.mutex_work));
- res = CC_SUCCESS;
-done:
- if (context && context->path) {
+ if (context->path) {
free(context->path);
}
- if (context) {
- pthread_rwlock_unlock(&context->rwlock);
- pthread_rwlock_destroy(&context->rwlock);
- explicit_bzero(context, sizeof(cc_enclave_t));
- }
- return res;
+ pthread_rwlock_unlock(&context->rwlock);
+ pthread_rwlock_destroy(&context->rwlock);
+ explicit_bzero(context, sizeof(cc_enclave_t));
+
+ return CC_SUCCESS;
}
--
2.23.0

97
0044-fix-pointer-without-init-or-check-NULL.patch Normal file
View File

@ -0,0 +1,97 @@
From d550148b0c79e1d544d7edd0eef52750d6422e40 Mon Sep 17 00:00:00 2001
From: houmingyong<houmingyong@huawei.com>
Date: Sat, 8 Jan 2022 17:01:27 +0800
Subject: [PATCH] modify codex
Conflict:NA
Reference:https://gitee.com/openeuler/secGear/pulls/77
---
src/enclave_src/gp/itrustee/error_conversion.c | 14 +++++++-------
src/host_src/gp/gp_enclave.c | 2 +-
tools/codegener/Gentrust.ml | 14 ++++++++------
3 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/enclave_src/gp/itrustee/error_conversion.c b/src/enclave_src/gp/itrustee/error_conversion.c
index 5177322..f30bc81 100644
--- a/src/enclave_src/gp/itrustee/error_conversion.c
+++ b/src/enclave_src/gp/itrustee/error_conversion.c
@@ -28,13 +28,13 @@ cc_enclave_result_t conversion_res_status(uint32_t enclave_res)
CC_ERROR_READ_DATA, CC_ERROR_WRITE_DATA, CC_ERROR_TRUNCATE_OBJECT, CC_ERROR_SEEK_DATA, CC_ERROR_SYNC_DATA,
CC_ERROR_RENAME_OBJECT, CC_ERROR_INVALID_ENCLAVE,
};
- const int res_table2_begin = 0x80000100U;
- const int res_table3_begin = 0x80001001U;
- const int res_table4_begin = 0xFFFF7000U;
- const int res_table5_begin = 0xFFFF7110U;
- const int res_table6_begin = 0xFFFF7118U;
- const int res_table7_begin = 0xFFFF9110U;
- const int shift = 7;
+ const uint32_t res_table2_begin = 0x80000100U;
+ const uint32_t res_table3_begin = 0x80001001U;
+ const uint32_t res_table4_begin = 0xFFFF7000U;
+ const uint32_t res_table5_begin = 0xFFFF7110U;
+ const uint32_t res_table6_begin = 0xFFFF7118U;
+ const uint32_t res_table7_begin = 0xFFFF9110U;
+ const uint32_t shift = 7;
if (enclave_res < res_table2_begin) {
if (enclave_res < sizeof(result_table1) / sizeof(cc_enclave_result_t)) {
diff --git a/src/host_src/gp/gp_enclave.c b/src/host_src/gp/gp_enclave.c
index c7554de..0bedb71 100644
--- a/src/host_src/gp/gp_enclave.c
+++ b/src/host_src/gp/gp_enclave.c
@@ -79,7 +79,7 @@ static cc_enclave_result_t ta_path_to_uuid(const char *path, TEEC_UUID *uuid)
const int clock_end = 7;
const int unit = 8;
const int uuid_base = 16;
- char uuid_str[UUID_LEN];
+ char uuid_str[UUID_LEN + 1] = {0};
uint64_t uuid_split[gp_token_nums];
const char *uuid_pos = NULL;
diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
index 18af7f2..b62624e 100644
--- a/tools/codegener/Gentrust.ml
+++ b/tools/codegener/Gentrust.ml
@@ -27,23 +27,23 @@ let set_parameters_point (fd : func_decl) =
let pre (_: parameter_type) = "" in
let post = "" in
let generator_in (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
- sprintf "uint8_t *%s_%s_p;\n " decl.identifier mem_decl.identifier in
+ sprintf "uint8_t *%s_%s_p = NULL;\n " decl.identifier mem_decl.identifier in
let generator_inout (_ : parameter_type) (_ : parameter_type) (decl : declarator) (mem_decl : declarator) =
- (sprintf "uint8_t *%s_%s_in_p;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p;\n " decl.identifier mem_decl.identifier) in
+ (sprintf "uint8_t *%s_%s_in_p = NULL;\n " decl.identifier mem_decl.identifier) ^ (sprintf "uint8_t *%s_%s_out_p = NULL;\n " decl.identifier mem_decl.identifier) in
[
- (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p;");
+ (match fd.rtype with Void -> "" | _ -> "uint8_t *retval_p = NULL;");
concat "\n "
(List.map
(fun (_, decl) ->
- sprintf "uint8_t *%s_p;" decl.identifier)
+ sprintf "uint8_t *%s_p = NULL;" decl.identifier)
params);
concat "\n "
(List.map (deep_copy_func pre generator_in post) deep_copy_in);
concat "\n "
(List.map
(fun (_, decl) ->
- sprintf "uint8_t *%s_out_p;\n " decl.identifier ^
- sprintf "uint8_t *%s_in_p;" decl.identifier)
+ sprintf "uint8_t *%s_out_p = NULL;\n " decl.identifier ^
+ sprintf "uint8_t *%s_in_p = NULL;" decl.identifier)
params_inout);
concat "\n "
(List.map (deep_copy_func pre generator_inout post) deep_copy_inout);
@@ -156,6 +156,8 @@ let set_ecall_func (tf : trusted_func) =
else
" /* There is no parameters point */";
"";
+ " if (in_buf == NULL || out_buf == NULL)";
+ " goto done;";
sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
" in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
"";
--
2.27.0

69
0045-optimize-the-private-key-usage-of-the-single-step-si.patch Normal file
View File

@ -0,0 +1,69 @@
From 4320c1816627fbeff32c4388c36b31eeea24d629 Mon Sep 17 00:00:00 2001
From: gaoyusong <gaoyusong1@huawei.com>
Date: Mon, 15 Nov 2021 12:39:39 +0800
Subject: [PATCH] optimize the private key usage of the single-step signature
method
Signed-off-by: gaoyusong <gaoyusong1@huawei.com>
---
docs/sign_tool.md | 3 ++-
examples/helloworld/enclave/config_cloud.ini | 1 +
examples/seal_data/enclave/config_cloud.ini | 1 +
tools/sign_tool/sign_tool.sh | 3 ++-
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/docs/sign_tool.md b/docs/sign_tool.md
index a092f19..1da6d06 100644
--- a/docs/sign_tool.md
+++ b/docs/sign_tool.md
@@ -47,7 +47,8 @@ The tool supports the following two modes:
The dump command is used to generate metadata for sgx signed enclave.
-i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for
dump command.
- -k <file> private key required for single-step method.
+ -k <file> private key required for single-step method. NOTE: single-step method is only for the dubug mode,
+ plaintext private key does exist in the production environment.
-m <file> additional config_cloud.ini for trustzone.
-o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing
material, the dump command outputs data containing the SIGStruct metadata for the SGX signed
diff --git a/examples/helloworld/enclave/config_cloud.ini b/examples/helloworld/enclave/config_cloud.ini
index 552f59c..0960436 100644
--- a/examples/helloworld/enclave/config_cloud.ini
+++ b/examples/helloworld/enclave/config_cloud.ini
@@ -27,6 +27,7 @@ encryptKeyLen = 3072
signType = 1
;;;
;private key for signing TA
+;this private key is only for the dubug mode so plaintext private key does exist in the production environment
;[private key owned by yourself]
signKey = ../../examples/helloworld/enclave/cert/private_key.pem
;;;
diff --git a/examples/seal_data/enclave/config_cloud.ini b/examples/seal_data/enclave/config_cloud.ini
index f0c0e39..2b8a79c 100644
--- a/examples/seal_data/enclave/config_cloud.ini
+++ b/examples/seal_data/enclave/config_cloud.ini
@@ -27,6 +27,7 @@ encryptKeyLen = 3072
signType = 1
;;;
;private key for signing TA
+;this private key is only for the dubug mode so plaintext private key does exist in the production environment
;[private key owned by yourself]
signKey = ../../examples/seal_data/enclave/cert/private_key.pem
;;;
diff --git a/tools/sign_tool/sign_tool.sh b/tools/sign_tool/sign_tool.sh
index 0435a67..daca711 100755
--- a/tools/sign_tool/sign_tool.sh
+++ b/tools/sign_tool/sign_tool.sh
@@ -31,7 +31,8 @@ print_help(){
echo " The dump command is used to generate metadata for sgx signed enclave."
echo "-i <file> input parameter, which is enclave to be signed for digest/sign command, and signed enclave for"
echo " dump command."
- echo "-k <file> private key required for single-step method."
+ echo "-k <file> private key required for single-step method. NOTE: single-step method is only for the dubug mode,"
+ echo " plaintext private key does exist in the production environment."
echo "-m <file> additional config_cloud.ini for trustzone."
echo "-o <file> output parameter, the sign command outputs signed enclave, the digest command outputs signing"
echo " material, the dump command outputs data containing the SIGStruct metadata for the SGX signed"
--
2.23.0

25
0046-Delete-the-null-determination-of-out_buf-in-codegene.patch Normal file
View File

@ -0,0 +1,25 @@
From 19595d5dea95ccd985fdc10d175e9520f7bb0cc1 Mon Sep 17 00:00:00 2001
From: z30023234 <zhengxiaoxiao2@huawei.com>
Date: Sun, 24 Apr 2022 15:23:40 +0800
Subject: [PATCH] Delete the null determination of out_buf in codegener.
---
tools/codegener/Gentrust.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/codegener/Gentrust.ml b/tools/codegener/Gentrust.ml
index b62624e..58d6a8e 100644
--- a/tools/codegener/Gentrust.ml
+++ b/tools/codegener/Gentrust.ml
@@ -156,7 +156,7 @@ let set_ecall_func (tf : trusted_func) =
else
" /* There is no parameters point */";
"";
- " if (in_buf == NULL || out_buf == NULL)";
+ " if (in_buf == NULL)";
" goto done;";
sprintf " %s_size_t *args_size = (%s_size_t *)in_buf;" tfd.fname tfd.fname;
" in_buf_offset += size_to_aligned_size(sizeof(*args_size));";
--
1.8.3.1

22
secGear.spec
View File

@ -1,6 +1,6 @@
Name: secGear Name: secGear
Version: 0.1.0 Version: 0.1.0
Release: 23 Release: 24
Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features
@ -48,12 +48,18 @@ Patch35: 0036-enclave-use-the-can-pull-image-from-hub.oepkgs.net.patch
Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch Patch36: 0037-add-description-about-file-parameter-path-for-sign_t.patch
Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch Patch37: 0038-fix-use-after-free-in-cc_enclave_create.patch
Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch Patch38: 0039-clean-memory-when-it-come-to-error_handle.patch
Patch39: 0040-fix-logs-redirection-error-and-delete-rsa_public_key.patch Patch39: 0040-fix-double-free.patch
Patch40: 0041-fix-logs-redirection-error-and-delete-rsa_public_key.patch
Patch41: 0042-destroy-rwlock-when-create-enclave-failed.patch
Patch42: 0043-fix-partial-resource-leak.patch
Patch43: 0044-fix-pointer-without-init-or-check-NULL.patch
Patch44: 0045-optimize-the-private-key-usage-of-the-single-step-si.patch
Patch45: 0046-Delete-the-null-determination-of-out_buf-in-codegene.patch
BuildRequires: gcc python automake autoconf libtool BuildRequires: gcc python automake autoconf libtool
BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++
%ifarch x86_64 %ifarch x86_64
BUildRequires: linux-sgx-driver sgxsdk libsgx-launch libsgx-urts openssl BUildRequires: sgxsdk libsgx-launch libsgx-urts openssl
%else %else
BUildRequires: itrustee_sdk BUildRequires: itrustee_sdk
%endif %endif
@ -70,7 +76,12 @@ secGear is an SDK to develop confidential computing apps based on hardware encla
%package devel %package devel
Summary: Development files for %{name} Summary: Development files for %{name}
Requires: %{name}%{?isa} = %{version}-%{release} cmake ocaml-dune Requires: %{name}%{?isa} = %{version}-%{release} cmake
%ifarch x86_64
Requires: sgxsdk
%else
Requires: itrustee_sdk
%endif
%description devel %description devel
The %{name}-devel is package contains Header file for developing applications that The %{name}-devel is package contains Header file for developing applications that
us %{name} us %{name}
@ -161,6 +172,9 @@ popd
systemctl restart rsyslog systemctl restart rsyslog
%changelog %changelog
* Thu Apr 28 2022 gaoyusong<gaoyusong2@huawei.com> - 0.1.0-24
- DESC: backport some patches from openEuler
* Fri Apr 22 2022 zhengxiaoxiao<zhengxiaoxiao2@huawei.com> - 0.1.0-23 * Fri Apr 22 2022 zhengxiaoxiao<zhengxiaoxiao2@huawei.com> - 0.1.0-23
- DESC: delete %{?dist} - DESC: delete %{?dist}