From 8cbadb488fc8fbe36aa47926915f59bff89dd988 Mon Sep 17 00:00:00 2001 From: Amy Reyes Date: Wed, 24 Nov 2021 14:20:30 -0800 Subject: [PATCH] doc: terminology cleanup in secure boot GRUB - Replace UOS or User OS with User VM - Replace SOS or Service OS with Service VM - Clean up some of the grammar Signed-off-by: Amy Reyes --- doc/tutorials/acrn-secure-boot-with-grub.rst | 38 +++++++++--------- doc/tutorials/images/acrn_secureboot_flow.png | Bin 10746 -> 12144 bytes 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/doc/tutorials/acrn-secure-boot-with-grub.rst b/doc/tutorials/acrn-secure-boot-with-grub.rst index daf4b47ba..068316753 100644 --- a/doc/tutorials/acrn-secure-boot-with-grub.rst +++ b/doc/tutorials/acrn-secure-boot-with-grub.rst @@ -5,16 +5,16 @@ Enable ACRN Secure Boot With GRUB This document shows how to enable ACRN secure boot with GRUB including: -- ACRN Secure Boot Sequence -- Generate GPG Key -- Setup Standalone GRUB EFI Binary -- Enable UEFI Secure Boot +- `ACRN Secure Boot Sequence`_ +- `Generate GPG Key`_ +- `Setup Standalone GRUB EFI Binary`_ +- `Enable UEFI Secure Boot`_ **Validation Environment:** -- Hardware Platform: TGL-I7, Supported hardware described in +- Hardware Platform: Tiger Lake, supported hardware described in :ref:`hardware`. -- ACRN Scenario: Industry +- ACRN Scenario: Shared - Service VM: Yocto & Ubuntu - GRUB: 2.04 @@ -25,7 +25,7 @@ This document shows how to enable ACRN secure boot with GRUB including: ACRN Secure Boot Sequence ************************* -ACRN can be booted by Multiboot compatible bootloader, following diagram +ACRN can be booted by a multiboot compatible bootloader. The following diagram illustrates the boot sequence of ACRN with GRUB: .. image:: images/acrn_secureboot_flow.png 
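Review bot: the validation-environment hunk changes more than terminology: `ACRN Scenario: Industry` becomes `ACRN Scenario: Shared` and `TGL-I7` becomes `Tiger Lake`, and neither change is mentioned in the commit message, which only claims UOS/SOS replacement and grammar cleanup. If the scenario was renamed upstream, say so in the message so the change is traceable; if not, keep `Industry` so readers on older releases can still match the scenario name to their build configuration. In the boot-sequence hunk, `Multiboot` is the name of the specification, so keep the capital and hyphenate the compound: `ACRN can be booted by a Multiboot-compatible bootloader.`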
@@ -35,16 +35,16 @@ illustrates the boot sequence of ACRN with GRUB: For details on enabling GRUB on ACRN, see :ref:`using_grub`. -From a secureboot point of view: +From a secure boot point of view: - UEFI firmware verifies shim/GRUB - GRUB verifies ACRN, Service VM kernel, and pre-launched User VM kernel - Service VM OS kernel verifies the Device Model (``acrn-dm``) and User VM OVMF bootloader (with the help of ``acrn-dm``) -- User VM virtual bootloader (e.g. OVMF) starts the guest side verified boot process +- User VM virtual bootloader (e.g., OVMF) starts the guest side verified boot process This document shows you how to enable GRUB to -verify ACRN binaries such ``acrn.bin``, Service VM kernel (``bzImage``), and +verify ACRN binaries such as ``acrn.bin``, Service VM kernel (``bzImage``), and if present, a pre-launched User VM kernel image. .. rst-class:: numbered-step @@ -185,9 +185,9 @@ For example:: Use the output of the :command:`blkid` to find the right values for the UUID (``--set``) and PARTUUID (``root=PARTUUID=`` parameter) of the root -partition (e.g. `/dev/nvme0n1p2`) according to your your hardware. +partition (e.g., ``/dev/nvme0n1p2``) according to your hardware. -Copy this new :file:`grub.cfg` to your ESP (e.g. `/boot/efi/EFI/`). +Copy this new :file:`grub.cfg` to your ESP (e.g., ``/boot/efi/EFI/``). Sign grub.cfg and ACRN Binaries 
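Review bot: the unchanged line right after the bullet this hunk touches still reads `Service VM OS kernel verifies the Device Model`, which mixes the old `OS` wording with the new `Service VM` term; since this commit is a terminology cleanup, change it to `Service VM kernel verifies ...` so it matches `GRUB verifies ACRN, Service VM kernel, and pre-launched User VM kernel` two lines above. The `e.g.,` and ``/dev/nvme0n1p2`` literal fixes in the grub.cfg hunk are correct as written.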
@@ -196,11 +196,11 @@ Sign grub.cfg and ACRN Binaries The :file:`grub.cfg` and all ACRN binaries that will be loaded by GRUB **must** be signed with the same GPG key. -Here's sequence example of signing the individual binaries:: +Here's a sequence example of signing the individual binaries:: gpg --homedir keys --detach-sign path/to/grub.cfg gpg --homedir keys --detach-sign path/to/acrn.bin - gpg --homedir keys --detach-sign path/to/sos_kernel/bzImage + gpg --homedir keys --detach-sign path/to/service_vm_kernel/bzImage Now, you can reboot and the system will boot with the signed GRUB EFI binary. GRUB will refuse to boot if any files it attempts to load have been tampered @@ -215,25 +215,25 @@ Enable UEFI Secure Boot Creating UEFI Secure Boot Key ============================= --Generate your own keys for Secure Boot:: +- Generate your own keys for Secure Boot:: openssl req -new -x509 -newkey rsa:2048 -subj "/CN=PK/" -keyout PK.key -out PK.crt -days 7300 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=KEK/" -keyout KEK.key -out KEK.crt -days 7300 -nodes -sha256 openssl req -new -x509 -newkey rsa:2048 -subj "/CN=db/" -keyout db.key -out db.crt -days 7300 -nodes -sha256 --Convert ``*.crt`` keys to the ESL format understood for UEFI:: +- Convert ``*.crt`` keys to the ESL format understood for UEFI:: cert-to-efi-sig-list PK.crt PK.esl cert-to-efi-sig-list KEK.crt KEK.esl cert-to-efi-sig-list db.crt db.esl --Sign ESL files:: +- Sign ESL files:: sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth sign-efi-sig-list -k PK.key -c PK.crt KEK KEK.esl KEK.auth sign-efi-sig-list -k KEK.key -c KEK.crt db db.esl db.auth --Convert to DER format:: +- Convert to DER format:: openssl x509 -outform DER -in PK.crt -out PK.der openssl x509 -outform DER -in KEK.crt -out KEK.der 
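Review bot: in the signing hunk, renaming the example path to `path/to/service_vm_kernel/bzImage` is fine, but the surrounding text that promises GRUB will refuse tampered files never says where the detached signatures go: `gpg --detach-sign` writes `<file>.sig` next to each input, and GRUB looks for exactly that `<file>.sig` beside the file it loads, so add a sentence stating that the `.sig` files must be copied to the ESP alongside `grub.cfg`, `acrn.bin` and the kernel image, or verification will fail at boot. In the key-generation hunk the bullet markers are now correct; while touching those lines, consider noting that `-nodes` leaves `PK.key`, `KEK.key` and `db.key` unencrypted on disk, so they should be generated on and kept on a machine other than the target platform.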
@@ -246,6 +246,8 @@ The keys to sign bootloader image: :file:`grubx64.efi`, :file:`db.key` , :file:` Sign GRUB Image With db Key =========================== +Command example:: + sbsign --key db.key --cert db.crt path/to/grubx64.efi :file:`grubx64.efi.signed` will be created, it will be your bootloader. 
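Review bot: the added `Command example::` lead-in is welcome, but the unchanged line that follows, `:file:`grubx64.efi.signed` will be created, it will be your bootloader.`, is a comma splice in a commit whose stated purpose includes grammar cleanup; suggest `:file:`grubx64.efi.signed` is created; this signed image is the bootloader you install on the ESP.` so the reader understands the unsigned `grubx64.efi` must not be the one referenced by the firmware boot entry.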
diff --git a/doc/tutorials/images/acrn_secureboot_flow.png b/doc/tutorials/images/acrn_secureboot_flow.png index 0a9183ef2d27b1f884468d1f28ec7fc0fdc37923..4a9751ef7bc98628e82a92d5d05305437fc675e1 100644 GIT binary patch literal 12144 zcmdUVbySpZ+wG{RAPOi-DIkI%-O?aKcZ)QF2!eD;he(KYBVEIg(p}O+NlOeN4BgEz zz`61FzTZ0iowd$C=gfkcS+i!I=Z@>z*WUZOgOnAe?%g4~1A##9$w-TeE={kWH_BByaVG>5qot(tEi@Th^Z~rIDVA!iz;V8cO zBK9)bd_DZJ0lf%)RlIZ4OZ2=Q4@wNVpHk!UTpcOaSyN# zBnL*_AOKtOOIk*y^Kqi;!LHuD!z*d_Bj zgA4Z*_DbA~H4#b_yc*Pgyf%4D&2X~!BG+lJfA)Z|Dbk})9(uSdNWlpH^wru!1EY6p;BvR}2X}btagvBph<%8GZZD`e%Wf1VWQ^wp_jEDna&=tYUx)I}U(6XQKvaMnfsNv*~=;*9d)PKv0OsDrK)MG}I=h=$9+Q-ysy_$UnSL_RosQ9e7Ho`^j|>s?}Wd zQIl5o#PH01t&Bd3R~IWit|OsMFgE@%b%JVoD!`s*b>fnF zPZ~Am12uvFVX$rBg@8y#_c)aQxn)o(4r5XiF#?v@|+qDMhaZeqoZBbEtAE6LX( zPoawc`s zqGuOSPcvL3fjc6w7#IBk?k|dk;2?{}l!MFnn1zd|OMNUneQt6V$IMcytyn%4_FEe@ zpaE~F>*PF|K~Dz_N)1>dpNJC`<9L*I>N4yyev z##}j9_4t1Gs?+hOTl;c|=u7as(gkyqNSV{9G{k(b90weqslpkTs+ZF=k4KyEu24z~ zmZy!iG9K7#C*71xZnd$o4$Qw~uoh(A#7}$JOt%_TJszY99fqv=L^1>nSADB$PD+YoyDQtm`; z1QzXRgomh~yN95OkCR%3xUR7FwF`Gs)<*-eGIul>O<8`^#AwqHouU@uT^E_0&&wie zl%LwhwBJ=6e7Y60yRPb1H7$%|Fu7=awIqI;?N<7ctIENJ>Ek8}Z1H~_e3C?KrgUc@ z)m{@uO?8{vU$<{vLF^m7Q zlsP>?XDT|aHp@Ho?#@8}z}?Alh#^xhh=Hg3dGsp#dDOcConh6amF`vf>)P(lzmpPL z_BdWi|N8GC>;7V3A=s?mZJ~Q$C@~)dZP?U zBW|vMb#zz3niDLht1*}Nx}sxNt%xzK-wPl}a;HU))hHIK?iW;VZPFY21@ z?OvD!$7l&I9-Qyl&g+(;!xd05U=>bzp-Wrue`)&|!I-#z9ttI(caB<=^0YD9PUj&gSSYdCO!}rJAqU2r;_XHH}J6BxDY9#c}d_x^{GzCV?>|T;pUO8Me^JaMP6tky$$}2%x?0E<% z37{8IlWjOrmRwH+FSQ~@?b^oHDrh5zH}6Apmse8BVP`+VTdq3vr~uuXku}Ait=+q> zg{MLSiafTPsj64g?N)nxCMZG4S{D76BamC0xdP51m#-OemUI;7m6a`1^8wCHo{UhN zAUbU9?gF3gz7$^_~mx zvfO}y4c1HPZq+s0S0-G2^=B1;JxKyeDP|4mQPdP5i$zZ&)$otHg;4znofpdoWR+1b zm)8c>Iu|4k8eqh z7xCICyTJ3k3;`d*uN0}8NjyALB13g>ChM^>8RQ9{fhYE;+dp`@B^u!$Ej^bSMA7g4W)L)LF-rGq z2{M|KKC-WP*&TIEe?KEj1evSUFGmbre4YSm9f~O}`)G?HKy9n+FA(PUUZ4E6j$oyq z8vi9IV<3}zA4rp^wJSo`7L^fZU^|zl8gj8-whWkZDNOdlU{zi_De)QQ$KLMP8}_hC zesg~Q27l}@9={ezEl0VI*z+G9|| 
z0Ep+&$$oM>l!Z+(<4<^^djSLn7ZA;I20S+hj7X$7LmMl(z$H@5vAEbv9(!<9gbm%` zsl=*X4N?G*%JIQv)ySwst!?DsGe2c#hf^VQW5uJ`su_?ayI@B~sXY+i8{ep+L7D;r zuYdk_cyOur?%}T)0N)H@F=u;O5qHw-`_ua6*UFGbg7a5G&(m*5zig+{;gXdYmeaLE zlTCIP(O?Jo{nS`Y&u(MUh0i7t>d&n$2P{9DlwgbhxrgC(!gpJ%IT^VXWoC+Yfi=0k@#wleL$SW*Qv#j;^%c zF(D7+QQgDI8Xg#V$ZQe7z55jxdQbP{5L_2nw~kHY0q5RfHDWa!nY&>uvH3s9WMxnY zTGVwli<#=E{FIj>$8yuhE6xuRl5tA`Kbjoy{}A9?NgoQfK$M!8NzME>U~->hd-`X zaM?{H;CNE1R-}y4TC$QXT52X=hXKTb%mQT{9kWx z1Zwv%M9q$12ZTpY%?Lo$tzCcGgsAAt>`o~NUT8!i9< z+cj*(>t3Gk^-4=;CuT3II2G;P^+kmZ*aD(ufU}AC7$gtm=0EWwatD#pF8u%>#xe77k ztiz-Xrz`O`Ky*X}hT&ssSUFzr-T_w)f2q4`PTBewlw5nC?sKUJUkDIy^ffPEy{$C) zw9R5d|J_(81&BR8>puQU6#VDMVAVm5sSlK^3fF=_aJA6vhhU0rifSfC4RkeG{Q!59 z?TEbOu0zN8G)>s@qwX?B$@djq`0K|JWc)*{2WEe*ukGGVR6pzC+1$PR5){eh?cKZl z$Ss^pU%K``BhiE*eb7MgB&XU(y-BMnMZ_aevUoBFtOX#^5#%FOGFM`ITN>v2;V=)V zU9F!Q!-F*+t+c}%ANtYVI{PU~!oiPiMq%@ssi*s6NaZdu6KUG^u*3k`hI?y6eoiE`zF1?!n^d zH3ZC(+lr&#DoBCN&?M}(RhB|QltyTZjq^i+ONPV8%i^rry6Ys}l>&IffYO_!@5#-dg~fRxH` zzGUQKc64z~d;q($9_Ur#7C#wiUN#>+l8Xreehqmi4K`RJ5IC=}=SNAJ$1Po9)zUXw zxIMgJCtqp{pXH;(>pXNE3u|%L0M#Djv+VEX9UDupXOQcPLD;f}WzqC(RB#GS9gqI3 zSrTJ@d5Co169mZu1YYUqypfp(Sfh%^@T|iwFcpCDa)r;90}65)_){V8KxqIW4IND_ zpGkC_QxEy32JEP-GM$~Pi)1_kc?yv4{07YYid>yE5{cv8I)gkl12lNzwO)Q`${L^G ztbT)?noIWH+6%4DM8h8>2Z~iw+n7`iANpk#4lO{EOU)6-g|OX@K7M87Np&_mCV2AcF(al-FAfDZxkek~e$?2mfnwe(TH|E?s1s zFQ_rQn_{54bbRaVPc52tI^`8D@`xW{^h>D@9t1Iz1(HTh(N@m`NW+>1z5dP>2RBK4 zp#>eiEcn19ik?V$Y9Pt&tdwT)xtg+=Si27v>klH{pG5Py@%Q^f{CIAiqEGZo$2C}SZSHPv}3|vWmVUYginlu zyjQg@u;T@|q#LQUrRHMsDbIno?3;hL#q$oM*1=iS<=I=PM%yz*g~tXShofpur+T?M zKHg@S9{_@Z<8f$Cr4M-8F{_SliB;b}3a`Ehp&HYwRbr(80tU!mFo1ij@JH)o8@k~h zfF*5s&2Wd4!{e6o!6ioq!_T3h#4!1NDqb&6zH(}Ss&{Q!_?X#}&zc7xFkxSzD~uq? 
z7cnrSR+nJ zr36)ZH8GJ0TO%S!^2UTvpY)_CC8qMD>oS$T%n@H%7_X(e#dT0Nd38C_9-$SEh%1N1N?M70 z-BidY!&LnIQ+b8o7Xp!PuM?OBrnumExHL*6|3r?2@?sg+(yQ^;QK8G~tU;rL$I*?< z?Qd)ZOSWqRmAJswwkbb6>c0IpDfi@uGY zmjOI4N}!9fTeS=oSt^`?$%4X88y5yd6*X6|A*;@x&&J%Pd>DlZ5JM8kSF?qwi3na; z<$fpNdVS7x`sz$#a=T69JAx5ZH;LDBV#O9`tDKEeT6bM11pZW|Nu}5rh}p-qo*u2m zEPNPkxqKtoc~-ptLAEF0IiML^emw1~zSH7ViD+Gf!nOcjEZTLK5UA7UN2}kdPv}~Z0J}FNhDu@6Qrg;Zd}Y*HJ%SlDwD~_ z#c*6Hez7^vi@u#CWzz@f+>w1rG}$p7N9_+xeFysOKiFCVuUAc$1x6k)#P|XWBh_e5 z8a%_EF^N3AUn>smgazf`&A`G6#Qb#4)2VG?qR)+pd52o04rR49$CQ)XcoW6U{;)0O z`7n3BB$@2@oB+3b9vr>IAABic?`S50)rg7H_6HHbyqp)iB?FZ3+q!cgxdllqb#eiA2M2kI6MJ;!0tgR3&jYvWKN-pG> z(j>>O*!C3)ZYS--r*+P_}8Uo z;uITgX9}7{lp*papCb2RjU-x3_C3=nEdEJ*d>Z;Y_Cvx)nA27uezxG&>eedwgB0c^ zaBHspx@rhhLGmhMA2|RKiN(wi`Y%bA(poI*}hcBpm z_rUYcivAH_iKhM0NKHRjb2roBRG(74#-)t1B1uC2ykh9?O#^w_(udx*xO-0rH+YdQ zw_524Z)hI}Sv|vVGFLr7MuXy~v7u7|U%EwOuct|b zyTM-5Cb(Mx*K3Zjh8(xPmDJ;*PFE{qenWIXKl&u95;_!A3%W#rEyFfsz0_AH=8ilNp;sVeGmUas(se$ zSd%h^e59LG)DkDvm zs(+{HL804nG6wVWOQSG*gqFFEcy`X0 zH1{{4n7-G%yeMebpBg3PL$HJcLjikt1Jes$k<@=iMKcP5y3fm?fq8NUO#Sh4vDXP6 zw!uGqX5tRPLbck}3V~#vVrc~CIYahW4$Y9odW%W*rX!gr+z7wAzZ(B<-kT%X_6|cWYqU$L$ zq0~Rdn3>O^eVQCBzK3obRdN&j3=EYo4OYG&hD0p|yxE@uo~7=?clt(W*_yR{Qx@AH zmY_I=0X9|mF(U45kjxI9lzyZPZ8{Lp$G{ICAI-NO8hNwXc8=8?4I0-uMLe&Wx>@Pf z5GHMXck;yb3T7D+z_TjSy=^QnR2hnmvJ;k|Z3%kiT%a{N$zdxs z-w1&3Acpi?eG6Bz^MZCuf8DLceo$==SHcRCBUwSYd!G8% zt}ARwIoNU@i8F@vS(g$jOmvk}j1cHC# z>MX$RS$LC}FSwCorY^OITEuKpR!ZKT^k>$&(H1t{-%p}Psq2XXu-hIp#$IJ93k|SK zdpGX*5r9UP?*PxZEA#B4^L^~%IRUg<(_liybMJ7&46Oe}r=Ff4a>65F)qIQX@ILG( z*5ww^A&+QpVX^5=(<<6Vq!67rdy&n9hTqSDE1ASapo>ww_UcW>LvVEAKRX8SlPd)@ z-(o?$1CfGS1#PdJOYcs3f$RNGi))+;C>9MoQ@{X0Jyfu@Z4`)}tOL7tNRa(DT@L&1Az7`jsku0M*LIY^SV z{VeBdyze!=z@QLB7QX2qDgJs5V|@vvKzV_iffiSxA{4NDXdv(%4h(@B1v%lE1i%}V zfxIXEGH8yRl-&9GdF85W5Ly}FOgAs*SX*8_lDn4VRp=V4F$3RUhBgkwH%5`nRxz4O zmGB>9wF9RE;J9XIB!SU?5G80JNM3*f!m*Va<9Ddu9mfc^x{NpbAE=uI+5k8NZ;D$Q zyH}He-}!hp%*e*epI+iN(#r}j@em#bJ_xOb6Y*zdQ-_!Lrd7s@tW3M~0Ghw)F_HSU(WE$8We 
z?j$^*eVg}T#S!Ur8?0<|lKT$EGzJg0;qLmEUFSQ9%Y5hLjJ}DSU0>^$<2X&R1VFb2 zTk}2M5d+SUH&c?aXMZFG;r^i)m*cZz!lKmY!9lTc|M%kSUn#VA zn}4+@GgnsnJZ zW_5PV;Wx_VVt2=h&-i!srqL>D{YeL2It>m$;$BoV4rLFY3bomo%!OG3FJAYoqm_}U zk3G7wGPE3afT~!Zie2sh_GSxPIZ)h3SsX~&ZVgI9G;9W#*kg9x5g z%=zL>_d-Bk-5!Pyl=sOpk49UY`#I}Tk;S-#BD8jzW56u>i&WG0del?^*pp_iDeg}w z`+%A41U={Wro`j9o8z#{gF!kN%TaZJU_(P@J3MJZ=9aTObULK}hKKXz^8v#xpy~8Mgt&)^q5cHPOQ0ExHupZwl>8q2TAT zJz|m~U*=1P&0bIUHZ|}VA3b+NW|xFSVwToMo1Kp=hm!L&`<(ke)^8l~FA|%sUGPyG z%PaikDh0kE=(g4>PFqKO`diCj!n z2P?Tw`4N~Lg=XX>j^(4}aDu>+{s{@ttUpOZS!Z0Lm5P?p%G+sHv1g1r+ulz$_S-u8 zzXsihwzcb(9pZi4lRWQ6^VR-N3^o;HXZL5kAyQCus^n%pr=a?B<|qV$6$ngmY`k&3 z-6jOWJ!f@T{X*Pv|(rFfK+weTdK%!GHoW!epVoD&_o^*kDKnC-< za8)c|hK=)RDCT}#flb}^@3{Tuej*)}Qv*K&M%AH4V?_c@3>I~hf?d$bWo!z@31W@) z^c8TBs_#{ug{Cs=J?T0EQxY+V__Uwk92+U50p$fj=kC?QbAg7Ag(Rm|v+f6-aa`6S z7i^J_F83eR>`la;;&+8WvB8j8h0B#a_9BiBrn0z~%DLZtcta`I;m)v*1ZZWHX2<$0ASXnDf|m_IjzPfN7}rsPt>ug#ubTp z;&=d^&{NK3624&wy|S;=kiUL?OA^m?z5lA_qe1@$jfwd$rAC`iMn-MegvnttZ8JmI z-yVY|$((_WnuNx2J0bC8)00~E(y<oEMR?!Tq>#sc-I80wF3ME#Gq2%`x9pn24C^{{@;GUR;eJJ)>OstAx z>7ZHCBSPb*p^QZ~RJMTemV97v!zahIBh>-H%-uTY>GbT1X|OksDy|4h<7C;F^|5cO z1WHEJy`)u`1Tx}GIq4njuop?+cTXBVQ1a_NFWjW$uWd?*W^B8u=kRU7!)siUzvjvI z*{`?b68DfKtB=v^`Cy8km_II5;{8buR7GL%2?*EKM)dGq4Gu5Q-Rv%h_2JA9hzv6DjZ2Nb>Kg4vOKdNtAECn5#M zO^z4;%6%`MS#VtnFLPv+GU1Ku){>x$U?z1zi&;uk#T+Bw@TBEBFRSPwXIhrB< z#oM)i4uuhf|2NbMH2tqnpL#W%pZ%P0Rx)$T$@%v8F?dWm?EJvJE+=iy^9AULd3(t> z{euh5%<(U-kuY8rCgKvfZ_oqp5^yTe+bio1LSak(#sqIz#)VVa&mm$ z9;~gS^VzYIuR+Lqiht;y^QD+#4hh)bQb0eml^h0aq(1HGfUOj~}cwz%;kYn>EMB`?zt z7Ws0p$Eaq*px+=}ZNY(GZ!b~#N0-H|p52@)HNrHSD}+!?W3f`vBTg=^h1)q3MJu> zRDUbt*o^k619N!UDc_GOy6Stk*l5AdHq+F6_mvU)xuEexT0I#bsQzk%lg(J^jx2KdDKa;ZfCFUytq6mXB`V3cU)D zui$7jp5tSPVI(**O92iEHz(_WedSg8$rTxK^1C{t;ZieoW}ohbxP%b6J=NG z3B%d83cAK$V+CpC%DilI6mj0nH`o?YbyeND{x(e20dn8(>zv`d03R)g;is~LATDzV z!20~hvFjHSw+XcVIX@XFj+y(y^Y=SkSLfUQQ)Tx5?1}Eh%Nw-6aqdexlv@MA3Xzde K6fc4r`u-O<4DK2L literal 10746 
zcmdsdc{tQ<-@Z28N|dEUh(cpYl5H5ulC5Si6OpA7gOY}kWiTzu7Ak|nkY$XqBwIz8 z?%NhZ7-X-p(~y0gnfE*BuI}e~j^lT{$Meto`@=ZK;o3gS`8luibA^~d_4n)&+{MPm zw#U#w*NlyAn;;w8mOuX33jD<)mA@4DwZ+3sUz_b^A}XfFPHVRWsz;irRIzTDf| zEJh5=Ncbx{3-MvUz>%62HTtUBXHCVsFWsmA1j{3c2^$l(B`$F$|t6 zYRvI$|JFGbS2Q`IrdUue8gAS0(N+;Ng~>s-&o>4H_>Eft+j(|60oeI7?f>6DUp#+?_i*Ru%I&g4Ilq>;raxalh_UPi)l9SRte++@esC;akSIz6SCAgEVrF0Xv-Z}Hp z#WG`13^x%N3}-tLY$>-pS|iXMzZbQOja?zjA^B;L$xB{w=$7|~9gAcUGkfbiwJSkv z0yxht^jR`P2wxZ0UN+kR!wy5p3q`q@CJ~j{60XPv^0Iz^YXDwz1?G~ai}o7^O>Z);+!RSk$JiV|pP5heO12GMv2aQARfy@ZwRrZ0KxXna(@I}fhe zoSsl6@D1Uuyx83}W*RcR=Tyq)cXq7}ke7^euIm|Rdz-G(dO=cRa^SU!g3=3Gm@+%@ z7UyY?Wrs?t<17!XXe+SkVm#pgSC6xIJM~M225gY3;TEs4)CbDd4{RxE;!Wz&D<}!4_#i)vZdTq~Pw$vjkw z)IUZ__OCXl;O7}1ROV++Kz&R{JF7{))8Q{^&iKzq@7c%(fNMbVH`U~)5i&2VrEuLK zz^l7!OYYpXkLsA9^B5YRsj)-~5f3F7YCM9^AMCMRlkKMSAX}*;`JXLc6D1N|cKkf> z|1O3qvtu3@iD(x?gH?C1-GA1WZ&Isstb=18k?r!{0;~Q1-GHTFw_K=?jx~GW4{_ZK ztTJ?a7i!mg?G^bKF3ZTQaT3q+m&dj4W4B^xW|@jE3{E9h?9JJoZp#l0o1a5~yrfIY zYTa`*1Q$O>zVA^u#|kFK?$J8li?C>SVoGyB19p@%fOAXy)+B$!0oEBP0eVEyRPR3hb_Dm@u?5+ZvtK;t5geMzb;1&D#*nNSYW?fGF^;!;CJ(-d!byLdaK3-S^0=_=ieqEN z*JRWXDkCUP$Uv}!OUGp|QzCd?Qdz0u!m8(uLk?i(+EQWd)4HE4WI7bzfCVGcERQlG zZ^k)l1hrB7-dCtfbd7a>*h4Az!8c!i2sO)ml}p_7*R|p}TakrZ-cBEUD9e+k1xv}2 zYRgCS3IYn#?Tg5kaq@vzz!yl38Ow?k0PgpPGx5dq3TAI4f48wQRn0l~?(KF| zUF$O`jWBja^wW)uk*p_F825klQPmKinCKsNG&|pb&W`a`fS@u(5{l;@5x}X#O(sX6 zTP_+fcOc~I9WdJG5Kt|Js5Xxl9qs`fGk0p<>C1CjD;IxtI}yS^Y;xP1VmP||3jH~A zDziF|J1FZEGwcHaDcg2X>GuFi9Sv@y6Z8aE)RqB zpYW1F^vYwdBH;=L^GG6J1p}WX^t8azq9p?wB4Mp0BhRx9zsK6K25|+&kR!MektUfw z=3}X}XKxNY^UGG+Q#fg8EK^D1jgyV#lJ{5CA90SMIhjg#VGskw<=u!H(Dboh5drn0 z%3wUPAbR{!oR&^F3;pQ_Op0V>>SgpnD|Xb)j8T zu4aeY8?EOG&H>wpBd%=XvWL{G>p#&%I6MO0%{h2kH$hNm14o=Dx8Ih7T&Tl`-gL{i zE>3Mm87X8eix_=__{lghEnfYb7WrixA75Nk$DSdOK5b?E}gAVL+Ku zX~k~Ik-FdZcSRVAI2$CEb8JP|z^td40fstDv`0Tj2Mev<%9ROphEQ?l;>v9eK(gJE z*$fPznm9X3udwKgu!wP|`qz%~g?Sc1s;@p1px_p;Qjkw?ck`RzMniLNh_>l;EstR7 zDh}@|2D>Q$M4i-4Ff(YO;`?|}b!w#YBm7ScWKcLK;s6dRR9u%L0T8#F1m@Q9PKWc5 
z3xbKEIBj&c_9GSk`wwCKj#S*}_x`oisp#-Gb5H%WM>1EMKipFZhS!~Y5_rf<9I6+; zm)n^vG7mMqJY!gx5)@ZOlmNJ2&Uzu-0Q;|`Q5M}3(mE60KufYnFGP@!mI;)p6D6uZ z5G%4}mF!gUnFJn*WbS}D-YQ|Kv|806_DcX-zKv$=c2bO$B@m4&;LR1>9olrY%Y*#= zqAeoWIrIKbcg_|v%BxPU_cNvvQ>fu*tL2QBX_ojS>(Wdqhaqfkb_y}El z(FIx=6d(x2qS=z@i<~#dq)tPZGE!tU5%bMD+JhS=H#l7ZiI)$6?Ko7}fh$D;o1MSfaPQJ=%LLp3`#@b;CXIX)rv6f8^-& zP9La+ru9yj-XML&oXW2**+GX&|KUuKgS6SHW*;iTQ-Fu&*7EciXK}bLaqu6{xDe(ch#ra}?!DrX?Y z)-)u2tVIbSP&UcB112!2EPqquu6Awx@!jRpAmIJejdUC}}gqptMIqOK4-Z zvL>@_fC4!egZKf(lRMB37159G@D$eU(_f9YC@t9UTub?!tiN21NjcMMCN33C^N%oc zvEG^QT@-MZe4R=;_%FlJ*FugCI#JK(syC>z`(SyW7Q!)wI9ldiMmQanWQaM`p*wP8 z#@s{*l1aEh=10}ZcS{|G;{Uv6=&(tn25nDUD8mi)2^Yt$&9wNuLd4}BIKs*fl8(7Y zSE?Pca9t+Fv+pD7M*8AaJ=voqqJJ$c?*Ko&Co2cWKBa*zF~GOzA0z=}!_N+fDe5 zAY?jl9MCUa9Hy_hp()tjZ`#17RQaoNm4gWk;qBcJ24u(l)R|{*=r)|ibNA{6p-0}p z|E|qE$4elkcjtJpIo}8Xmjt|>Fq2zziuu>a4=^i>_K^NF5_OP1%h!s!2`w@{Gw(hxeW>2!jX{>F6;C{39$64r-Ii7EM6DR>mIE@|6}dKMq? zs!gE?hv9N9cN?nCvTn~f-74gS#TzxFoiQxp(@HWlrV1f!J3_H`#VT~eB*7a4I8ifu zw}7t$*js10okOI|6d{@CMXB%L%^&4KnheYmI%qV(VGr@i#;pXP(kvtHRO_$g={F(- zQm)BD2Io?vog_o8^A1jU-e~a|S2s)1_sm>5n(x|f2t%;Q(0QV3Lgs9gc_E3NQ3_*b z(rwF|b*xH7f|e@&{5-}UuuElc4Jb$V{tBp2Dy8jNrMsB%Z|6MsT~56J$&7Eol33M? zx7Q_5`bHC0sH35(7e+GU8eh;GsBdrMxMVMU?r2Sq`m0WT0N3)UTlFZd3RE-~&`+9a z3^q#HR@M*O*PmPz4(Hi3m(hh8dFHL48rcICgZAF7u562)f!;aLuJxG$+%eR4ohkSlmmTATdtmsw!fB? 
zZZL@VRCWPeQD9L4Ey_CrH~}>L_gdP9VOdwm>{1Z;oRR*y9PQahFWGc$@W6QX-xj zX6!91%Fty~In;s72sqeiqE8+rl2hqJF^lh}wCQX{N$nW%h99~DbT6V^_z~sY1Q!HG z#kongMUFrAE&_*$c7?%ROoF6}LJpibV$0UJo+MtUVK!9+%(zG|g?ap;x^bsLO?8W( zG*OqITd%#d8r0mlauYs#Fo`$%01_02w~8Z9677xo7v>Ac1``nSPuz9mp^99mZLvJW zqxq&8Nq=D$sJII2qtc?I^9MmvXI`#*Y74}ZKX#IYLBpBv-mb*9JxY}Bwbv+(I%)1- z;PP2~s06SC;L!i@Z*V%~qT+r~N6{c~;T-20C1t%u!+KNWSNf~k$k~o_h%u3YuN+vx zXYSXHZrZ(+VW}Pz;ZJZ2)L3GPzREl~EDLMdFiL8HR99pHnhoowPEvpIi@hzF`Eku~ z0_IVWg-$W_7z;gqGt5hdgHkHdXirF+=!V;=dW%m}pi>!hSWGT@{#^_o0*ZSJzztR=<9y#4VS% z$ga$e`LOAs$L&sU1>ex$?%d;oA8T5Q}S^2A8}qCJ+Y&RA!M~U zDoGB*u96e|&sZXn;Up}?_trsW?Q;&r8;yh}?R_N^daqon`Y`_4&sg6BrRItoQCg zG2u&n)zQl~$Ds5Iy8JPZUfW=dNgnA2nV{*;UEND^6mWvqhn1i3h)$evF2KR)S-Fg; zskLU?jFe4RT>r#LpRik9Aulnw>lSL7;l!D=0x+h|BPTXLi%L%n83=gT9Oav9c|LtuYK*s}^TDtoGJGC~{1mKf6$vuGTA&3jE@QOm z^mPLH3;<2Qfe5%SoHhSSIC-yERBFyKV?Cn?Rf5C{RHke0^7q8p0cpr0Nj`wUvA26j zhPjF)%s&)y5p;_+7M+yPz5p|vu5(u(8b*ybG5VXP^41o(14gsR*Uq<$d{yWz9hx`} z17Ckj95+PBH0tb+*B`(wbd2~Ax$WK$H`v}>{%*6@)}*y)m!;Wdh!B14cO}#WT6jKI zFQKJm@%nUGmhaKhLl8aEUz$_|bLI+$N?8VAvtfXuwc^!Z+Q4IheV&lk7N8zkjg9aJ z^&eM|P+2Wo3Y_1$pN@XpuQwZ$`|g`(OrL${yQ!~!V`J?TR-||G%8}Kec|_q@^0xRl zK2<|gSlVLgOrEAME@LjBzCvDdrDW^~b`Kb;Ha{*?|ECO>kLh}9RFV=Oyn`cSx>zq>7 zLEhltdMMRK!XtE1phZtH$E|jw6T5?s^P((8;~y^d+#9YA;pt6=FEq=!T7%3dnPRA0&&zUr%~Or;pZk@Ot-fZ`k0pJ?g^o{@GR}ZK|uecied-inRESE6XlnV z54fHhAi_%fgVrRLSxE8i=TPbNK}cd|*$v_~Duu0zM5YsRap9WWVf~dP8qb!j&RhvF zUUmKuYJ8247%=gU>GNbuagE*6ruo7%8$xNWF!AGJ#?=rXtD5%JGR~c{!k5}7jV;ID zl&{)Fl*6NO@8G#^hnEuTfOCi&=bSj4^gVXa^K|c=SlVRI)T1I{!G473DF982~d$>(oJn3Z`h9ww^ojuHE^*d+03Z{6d z!fV<>i%E-QK6&mM^K?1XCbkc=!LirTNJ0x5as(mUKie2!C*Yit@v61Cwb+?nURWGb#J_WmV`AW>w+R(AOcI&r( z{>E#f13Dlkh&DFyvzFQdHs?+vt`i{Q+XfwkNN zDvBzzJoa}~J)wW2dt7pT*O4DHw|xwoPsprlEs#XW-8^gsFr-rWnw(`f2SZKRY_nwg z%!ZU)-Dd5Flx!n^qX#d>hQBFl6Uli?EES1wCVF~xOq4$v<8po2Ab`(d-7SQ+|FFz9 z-*IWKd0cu+(Ck&=hZ;x>`J3xa7@>i7h}i=vAu(+Zjc3d8+aW)tm;qv=&LtXY;0F5f 
zEc{g8&64M{QC@N2F8}ktSbB3l;zvip{Zz^$h8HTM;PoM5kG~aZVoIdvxbKJM+JT@$UMEscFs11ai2#Z2h>tTr0&RoYBqjH+Z-c@wWa1Sbg}PC~fLet! zREuJt2g65ne`Q&xVPkvyJx{ zf}VjY6Z3JH%p2d_CVPtkmZugTZLFU+Crhy1xkq$q?*=;*m;g1@fltJ&yfjlphAq5( zzEG1I_t2kM$GztosF_6@ESc|2>Sr2*zIlc#K5o4*C+7?^Lq3v8x({ttJwn2wTc$*OdXBYLZWLXK54=2lhiPrUc_xZvSrFFBJ5k zOh?`QSN-2jSbdKFNJJIQUqs`*mq9+wZY#S~Xn~Ma}9|m1z-TVI&&yLFjnlpc_?%}RtHD^j#5pld1zBroBqOmga z>s9aYBf#L%@><`7L_%45rRPpxqJ>?Zda-(0>q)Tus7P;N<7JF9V&-w4yUj}IG$1Gg zYX;~il&qNbaopl+SSsyd1%K~=O~RIFjceJ~;7ncijoFqgfo5vF*!F8c$8>#}4|n`G z55^`Nxc4#8={jkCT=;_cwuQ|-Zhf^^`!vwy`f#xrjR@iVtfIlUDa-z`h1HT}IYi>* z+Kl%xXVd`u}WwG znb-*FCt{IP#?j%Sx5veDRBe=;YxUJc)QrdMw63{)>9$}Ai)5VxCOg91|FnIieF5}m zIjbF2T}MbYiXHUvwl^FPoa>8Uj4w=spjPXUpVFhEeBkncSk1QRHM%tuVS4;?*rt%Y zkpeTL37(w0xK7Xeo|>g+enuzE(2h-+Zlh(#FLSb1BLb@_9Y64`YEuKwb0Y`yKzB~zSE}R#OpRX2vs##W?qeA( z56iO`@=}ju+|dgzbRnxsj^J|195x z5Vrm9qgzWVd%M4v7Fwl9LZCE=C*8Vxq-`R1)?9~X%mD}lXVyc{=HAa7 z9t4c(b`rC+M?y(hAPgQhCEycc{{}N2ImlRkqqz|4&c4VC6a8`wR<>4H4MUYfgYTjE*VWKz>tt#ECnv_3{^4;T` zQR|_kxxSS$5nb1f`mkY0&1F4~aB#b-f!@XDl?v6O#fEd92|PL1VFd-l>;R4o?nR|Y z3kmsV;4TB@KQPZ7GIk{JSC6jTI@$eBY!F{Am8RSWi1c2C<#gTLW{tG-5{h!Dr`5J6 zLPvZ*f2l2#Y1a7>7ZZk}Vw@W=5A@)54ty%B{V3X|=lFCiO8zo{P?@(X+e$+JrK8rOp?r%gTh9_2r_ z0Y<+dIRJdLwc7FnL-7};&-6_kX65p~hRGanBph(G*q;{VN)mpbV{fh}7st=~!8&}D z-{-}ZO`V%nNXB@6R5zd%8Fc(bJ=Aft3zltNAMsvivy5)J_#t`sXnvIC#_I(DO7f3< zfBdU!O1@pI-i+U?W0pq0Ay}i|6b>t%yG(~AF_zrs{lt7jN66;m_@&x%^v_oz!0L)x zoo~Y7jb;u55@VLZaO4kxYCWCf1c&L0t3@@KR@8UHscpvOp0Vyw7^G zv-z54y*dqsRedjmk8Qr>`2>X7$3>`(pjKyW#OAv);gUOzYuEY-`-rTgu0JlLBDevF z(cgRvv|fGy4S#cX){7uuo(#cQzr1IO(oeX#Highl4x!E*_G)ANpb%Yi?o)W|V#6ws zC(jKWf>5lei92(hEvQ%L2E(#cPM5TiDpniT$7bTx!c@Xzf0h Xc&D%z8w5O%WHZ!*>b}&zeD8k%I`r6n
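Review bot: the `acrn_secureboot_flow.png` change is a binary patch and cannot be reviewed from the diff; since the commit replaces `SOS`/`UOS` with `Service VM`/`User VM` in the text, please state in the commit message that the diagram labels were updated in the same way and that nothing else in the figure changed, otherwise the image and the bullet list beneath it in the rendered page may disagree on terminology.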