From 5038f1f90e3f0580a0d9a6d5b65154168ce1fd3a Mon Sep 17 00:00:00 2001
From: Manish V Badarkhe
Date: Mon, 12 Jun 2023 21:33:35 +0100
Subject: [PATCH] docs: add Measured Boot design

Added design document for Measured Boot implementation in TF-A.

Change-Id: I25b57ec555b289eb6bbf0a6aae014d7bf6d152fd
Signed-off-by: Manish V Badarkhe
---
 docs/design_documents/index.rst | 1 +
 docs/design_documents/measured_boot.rst | 212 ++++++++++++++++++
 docs/design_documents/measured_boot_poc.rst | 2 +
 docs/resources/diagrams/Makefile | 11 +-
 .../diagrams/measured_boot_design.dia | Bin 0 -> 2187 bytes
 .../diagrams/measured_boot_design.png | Bin 0 -> 26177 bytes
 6 files changed, 225 insertions(+), 1 deletion(-)
 create mode 100644 docs/design_documents/measured_boot.rst
 create mode 100644 docs/resources/diagrams/measured_boot_design.dia
 create mode 100644 docs/resources/diagrams/measured_boot_design.png

diff --git a/docs/design_documents/index.rst b/docs/design_documents/index.rst index d20fc5809..ecc68b237 100644 --- a/docs/design_documents/index.rst +++ b/docs/design_documents/index.rst @@ -11,6 +11,7 @@ Design Documents drtm_poc rss psci_osi_mode + measured_boot -------------- diff --git a/docs/design_documents/measured_boot.rst b/docs/design_documents/measured_boot.rst new file mode 100644 index 000000000..8130d7d7b --- /dev/null +++ b/docs/design_documents/measured_boot.rst 
@@ -0,0 +1,212 @@ +Measured Boot Design +==================== + +This document briefly explains the Measured-Boot design implementation +in |TF-A|. + +Introduction +------------ + +Measured Boot is the process of computing and securely recording hashes of code +and critical data at each stage in the boot chain before the code/data is used. + +These measurements can be leveraged by other components in the system to +implement a complete attestation system. For example, they could be used to +enforce local attestation policies (such as releasing certain platform keys or +not), or they could be securely sent to a remote challenger a.k.a. `verifier` +after boot to attest to the state of the code and critical-data. + +Measured Boot does not authenticate the code or critical-data, but simply +records what code/critical-data was present on the system during boot. + +It is assumed that BL1 is implicitly trusted (by virtue of immutability) and +acts as the root of trust for measurement hence it is not measured. + +The Measured Boot implementation in TF-A supports multiple backends to securely +store measurements mentioned below in the :ref:`Measured Boot Backends` section. + +Critical data +------------- + +All firmware images - i.e. BLx images and their corresponding configuration +files, if any - must be measured. In addition to that, there might be specific +pieces of data which needs to be measured as well. These are typically different +on each platform. They are referred to as *critical data*. + +Critical data for the platform can be determined using the following criteria: + +#. Data that influence boot flow behaviour such as - + + - Configuration parameters that alter the boot flow path. + - Parameters that determine which firmware to load from NV-Storage to + SRAM/DRAM to pass the boot process successfully. + +#. 
Hardware configurations settings, debug settings and security policies + that need to be in a valid state for a device to maintain its security + posture during boot and runtime. +#. Security-sensitive data that is being updated by hardware. + +Examples of Critical data: + +#. The list of errata workarounds being applied at reset. +#. State of fuses such as whether an SoC is in secure mode. +#. NV counters that determine whether firmware is up-to-date and secure. + +Measurement slot +---------------- + +The measurement slot resides in a Trusted Module and can be either a secure +register or memory. +The measurement slot is used to provide a method to cryptographically record +(measure) images and critical data on a platform. +The measurement slot update calculation, called an **extend** operation, is +a one-way hash of all the previous measurements and the new measurement. It +is the only way to change the slot value, thus no measurements can ever be +removed or overwritten. + +.. _Measured Boot Backends: + +Measured Boot Backends +---------------------- + +The Measured Boot implementation in TF-A supports: + +#. Event Log + + The TCG Event Log holds a record of measurements made into the Measurement + Slot aka PCR (Platform Configuration Register). + + The `TCG EFI Protocol Specification`_ provides details on how to measure + components. The Arm document + `Arm® Server Base Security Guide`_ provides specific guidance for + measurements on an SBSA/SBBR server system. By considering these + specifications it is decided that - + + #. Use PCR0 for images measurements. + #. Use PCR1 for Critical data measurements. + + TCG has specified the architecture for the structure of this log in the + `TCG EFI Protocol Specification`_. The specification describes two event + log event records—the legacy, fixed size SHA1 structure called TCG_PCR_EVENT + and the variable length crypto agile structure called TCG_PCR_EVENT2. Event + Log driver implemented in TF-A covers later part. 
+ +#. RSS + + It is one of physical backend to extend the measurements. Please refer this + document :ref:`Runtime Security Subsystem (RSS)` for more details. + +Platform Interface +------------------ + +Every image which gets successfully loaded in memory (and authenticated, if +trusted boot is enabled) then gets measured. In addition to that, platforms +can measure any relevant piece of critical data at any point during the boot. +The following diagram outlines the call sequence for Measured Boot platform +interfaces invoked from generic code: + +.. image:: ../resources/diagrams/measured_boot_design.png + +These platform interfaces are used by BL1 and BL2 only, and are declared in +``include/plat/common/platform.h``. +BL31 does not load and thus does not measure any image. + +Responsibilities of these platform interfaces are - + +#. **Function : blx_plat_mboot_init()** + + .. code-block:: c + + void bl1_plat_mboot_init(void); + void bl2_plat_mboot_init(void); + + Initialise all Measured Boot backends supported by the platform + (e.g. Event Log buffer, RSS). As these functions do not return any value, + the platform should deal with error management, such as logging the error + somewhere, or panicking the system if this is considered a fatal error. + + - On the Arm FVP port - + + - In BL1, this function is used to initialize the Event Log backend + driver, and also to write header information in the Event Log + buffer. + - In BL2, this function is used to initialize the Event Log buffer with + the information received from the BL1. It results in panic on + error. + +#. **Function : plat_mboot_measure_image()** + + .. code-block:: c + + int plat_mboot_measure_image(unsigned int image_id, + image_info_t *image_data); + + - Measure the image using a hash function of the crypto module. + + - Record the measurement in the corresponding backend - + + - If it is Event Log backend, then record the measurement in TCG Event Log + format. 
+ - If it is a secure crypto-processor (like RSS), then extend the designated + PCR (or slot) with the given measurement. + - This function must return 0 on success, a signed integer error code + otherwise. + - On the Arm FVP port, this function measures the given image and then + records that measurement in the Event Log buffer. + The passed id is used to retrieve information about on how to measure + the image (e.g. PCR number). + +#. **Function : blx_plat_mboot_finish()** + + .. code-block:: c + + void bl1_plat_mboot_finish(void); + void bl2_plat_mboot_finish(void); + + - Do all teardown operations with respect to initialised Measured Boot backends. + This could be - + + - Pass the Event Log details (start address and size) to Normal world or to + Secure World using any platform implementation way. + - Measure all critical data if any. + - As these functions do not return any value, the platform should deal with + error management, such as logging the error somewhere, or panicking the + system if this is considered a fatal error. + + - On the Arm FVP port - + + - In BL1, this function is used to pass the base address of + the Event Log buffer and its size to BL2 via tb_fw_config to extend the + Event Log buffer with the measurement of various images loaded by BL2. + It results in panic on error. + - In BL2, this function is used to pass the Event Log buffer information + (base address and size) to non-secure(BL33) and trusted OS(BL32) via + nt_fw and tos_fw config respectively. + See :ref:`DTB binding for Event Log properties` for a description of the + bindings used for Event Log properties. + +#. **Function : plat_mboot_measure_critical_data()** + + .. code-block:: c + + int plat_mboot_measure_critical_data(unsigned int critical_data_id, + const void *base, + size_t size); + + This interface is not invoked by the generic code and it is up to the + platform layer to call it where appropriate. 
+ + This function measures the given critical data structure and records its + measurement using the Measured Boot backend driver. + This function must return 0 on success, a signed integer error code + otherwise. + + In FVP, Non volatile counters get measured and recorded as Critical data + using the backend via this interface. + +-------------- + +*Copyright (c) 2023, Arm Limited. All rights reserved.* + +.. _Arm® Server Base Security Guide: https://developer.arm.com/documentation/den0086/latest +.. _TCG EFI Protocol Specification: https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf diff --git a/docs/design_documents/measured_boot_poc.rst b/docs/design_documents/measured_boot_poc.rst index 7f9519e71..86cf4d13d 100644 --- a/docs/design_documents/measured_boot_poc.rst +++ b/docs/design_documents/measured_boot_poc.rst @@ -10,6 +10,8 @@ backends and each has a different means to store the measurements. This section focuses on the `TCG event log`_ backend, which stores measurements in secure memory. +See details of :ref:`Measured Boot Design`. + The driver also provides mechanisms to pass the Event Log to normal world if needed. diff --git a/docs/resources/diagrams/Makefile b/docs/resources/diagrams/Makefile index c951754cf..faf96343a 100644 --- a/docs/resources/diagrams/Makefile +++ b/docs/resources/diagrams/Makefile @@ -79,7 +79,13 @@ PSA_FWU_PNG = PSA-FWU.png FWU-update_struct_layers = "background" FWU-update_struct_opts = -all:$(RESET_PNGS) $(INT_PNGS) $(XLAT_PNG) $(RMM_PNG) $(RMM_EL3_MANIFEST_PNG) $(PSA_FWU_PNG) +MB_DESIGN_DIA = measured_boot_design.dia +MB_DESIGN_PNG = measured_boot_design.png + +measured_boot_design_layers = "background" +measured_boot_design_opts = + +all:$(RESET_PNGS) $(INT_PNGS) $(XLAT_PNG) $(RMM_PNG) $(RMM_EL3_MANIFEST_PNG) $(PSA_FWU_PNG) $(MB_DESIGN_PNG) $(RESET_PNGS):$(RESET_DIA) $(call generate_image,$($(patsubst %.png,%_layers,$@)),$@,png,$($(patsubst %.png,%_opts,$@)),$<) 
@@ -99,3 +105,6 @@ $(RMM_EL3_MANIFEST_PNG):$(RMM_EL3_MANIFEST_DIA) $(PSA_FWU_PNG):$(PSA_FWU_DIA) $(call generate_image,$($(patsubst %.png,%_layers,$@)),$@,png,$($(patsubst %.png,%_opts,$@)),$<) + +$(MB_DESIGN_PNG):$(MB_DESIGN_DIA) + $(call generate_image,$($(patsubst %.png,%_layers,$@)),$@,png,$($(patsubst %.png,%_opts,$@)),$<) diff --git a/docs/resources/diagrams/measured_boot_design.dia b/docs/resources/diagrams/measured_boot_design.dia new file mode 100644 index 0000000000000000000000000000000000000000..fdae46488fcf32f9e7c8dc768f66aa60ba3bc79e GIT binary patch literal 2187
diff --git a/docs/resources/diagrams/measured_boot_design.png b/docs/resources/diagrams/measured_boot_design.png new file mode 100644 index 0000000000000000000000000000000000000000..42469be6d58be11df46a225ddbc3283122f54f8a GIT binary patch literal 26177