From e6d817f030b1e1290d64307256f03c3bcdef4a17 Mon Sep 17 00:00:00 2001
From: pareenaverma
Date: Wed, 11 Dec 2024 20:53:53 +0000
Subject: [PATCH 1/6] CCA Essentials Attestation LP
---
.../cca-essentials/_index.md | 40 ++++
.../cca-essentials/_next-steps.md | 44 +++++
.../cca-essentials/_review.md | 49 +++++
.../cca-essentials/cca-essentials.md | 35 ++++
.../cca-essentials/cca-essentials.png | Bin 0 -> 86143 bytes
.../cca-essentials/example.md | 174 ++++++++++++++++++
6 files changed, 342 insertions(+)
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/_next-steps.md
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/_review.md
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.md
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.png
create mode 100644 content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
new file mode 100644
index 0000000000..6ad46f3452
--- /dev/null
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
@@ -0,0 +1,40 @@
+---
+title: Run an Attestation with Arm Confidential Compute Architecture (CCA)
+
+minutes_to_complete: 120
+
+who_is_this_for: This is an advanced topic for software developers who want to see a practical example of how attestatio is used with Arm's Confidential Computing Architecture (CCA).
+
+learning_objectives:
+ - Understand how attestation is used with Arm's Confidential Computing Architecture (CCA).
+ - Deploy a simple workload in a CCA realm on an Armv-A AEM Base FVP (Fixed Virtual Platform) with support for RME extensions.
+ - Connect the workload with additional software services to create an end-to-end example for using attestation to unlock the confidential processing of data.
+
+prerequisites:
+ - An AArch64 or x86_64 computer running Linux. You can use cloud instances, refer to the list of [Arm cloud service providers](/learning-paths/servers-and-cloud-computing/csp/).
+ - Completion of the [Introduction to CCA Attestation with Veraison](/learning-paths/servers-and-cloud-computing/cca-veraison) learning path.
+ - Completion of the [Run an application in a Realm using the Arm Confidential Computing Architecture (CCA)](learning-paths/servers-and-cloud-computing/cca-container/) learning path.
+
+author_primary: Arnaud de Grandmaison, Paul Howard and Pareena Verma
+
+### Tags
+skilllevels: Advanced
+subjects: Performance and Architecture
+armips:
+ - Neoverse
+operatingsystems:
+ - Linux
+tools_software_languages:
+ - GCC
+ - FVP
+ - RME
+ - CCA
+ - Docker
+ - Veraison
+
+### FIXED, DO NOT MODIFY
+# ================================================================================
+weight: 1 # _index.md always has weight of 1 to order correctly
+layout: "learningpathall" # All files under learning paths have this same wrapper
+learning_path_main_page: "yes" # This should be surfaced when looking for related content. Only set for _index.md of learning path content.
+---
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/_next-steps.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_next-steps.md
new file mode 100644
index 0000000000..d45c26908c
--- /dev/null
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_next-steps.md
@@ -0,0 +1,44 @@
+---
+# ================================================================================
+# Edit
+# ================================================================================
+
+next_step_guidance: >
+ You now have an understanding of how attestation is used with Arm's Confidential Computing Architecture (CCA). You can also build the complete Arm CCA software stack yourself and validate your applications on an Arm FVP ahead of silicon availability.
+
+# 1-3 sentence recommendation outlining how the reader can generally keep learning about these topics, and a specific explanation of why the next step is being recommended.
+
+recommended_path: "/learning-paths/servers-and-cloud-computing/rme-cca-basics/"
+# Link to the next learning path being recommended(For example this could be /learning-paths/servers-and-cloud-computing/mongodb).
+
+
+# further_reading links to references related to this path. Can be:
+ # Manuals for a tool / software mentioned (type: documentation)
+ # Blog about related topics (type: blog)
+ # General online references (type: website)
+
+further_reading:
+ - resource:
+ title: Arm Confidential Compute Architecture
+ link: https://www.arm.com/architecture/security-features/arm-confidential-compute-architecture
+ type: website
+ - resource:
+ title: Arm Confidential Compute Architecture open source enablement
+ link: https://www.youtube.com/watch?v=JXrNkYysuXw
+ type: video
+ - resource:
+ title: Learn the architecture - Realm Management Extension
+ link: https://developer.arm.com/documentation/den0126
+ type: documentation
+ - resource:
+ title: Realm Management Monitor specification
+ link: https://developer.arm.com/documentation/den0137/latest/
+ type: documentation
+
+# ================================================================================
+# FIXED, DO NOT MODIFY
+# ================================================================================
+weight: 21 # set to always be larger than the content in this path, and one more than 'review'
+title: "Next Steps" # Always the same
+layout: "learningpathall" # All files under learning paths have this same wrapper
+---
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/_review.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_review.md
new file mode 100644
index 0000000000..1e88c3ce4f
--- /dev/null
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_review.md
@@ -0,0 +1,49 @@
+---
+# ================================================================================
+# Edit
+# ================================================================================
+
+# Always 3 questions. Should try to test the reader's knowledge, and reinforce the key points you want them to remember.
+ # question: A one sentence question
+ # answers: The correct answers (from 2-4 answer options only). Should be surrounded by quotes.
+ # correct_answer: An integer indicating what answer is correct (index starts from 0)
+ # explanation: A short (1-3 sentence) explanation of why the correct answer is correct. Can add additional context if desired
+
+
+review:
+ - questions:
+ question: >
+ The Arm Confidential Compute Architecture (CCA) is available on all Arm devices.
+ answers:
+ - "True"
+ - "False"
+ correct_answer: 2
+ explanation: >
+ CCA requires the Realm Management Extension (RME) to the Armv9-A architecture, as well as support within the software stack running on the device.
+ - questions:
+ question: >
+ kvmtool supports the creation of Realm guests.
+ answers:
+ - "True"
+ - "False"
+ correct_answer: 1
+ explanation: >
+ kvmtool supports the creation of realm guests that conform with the Arm RME specification.
+ - questions:
+ question: >
+ An application running in the Realm inherits its confidential protection.
+ answers:
+ - "True"
+ - "False"
+ correct_answer: 1
+ explanation: >
+ The guest VM is the realm and an application running in it inherits the confidential protection of the guest VM.
+
+
+# ================================================================================
+# FIXED, DO NOT MODIFY
+# ================================================================================
+title: "Review" # Always the same title
+weight: 20 # Set to always be larger than the content in this path
+layout: "learningpathall" # All files under learning paths have this same wrapper
+---
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.md
new file mode 100644
index 0000000000..5674feed7f
--- /dev/null
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.md
@@ -0,0 +1,35 @@
+---
+# User change
+title: "Overview of the Software Architecture"
+
+weight: 2 # 1 is first, 2 is second, etc.
+
+# Do not modify these elements
+layout: "learningpathall"
+---
+
+## Overview
+In this learning path you will learn how attestation can control the release of confidential data into a confidential Linux realm for processing.
+
+The role of attestation is to assess whether the target compute environment (the Linux realm, in this case) offers a provable level of confidential isolation. This assessment needs to occur before the realm can be trusted to receive confidential data or algorithms. This use of attestation to judge the trustworthiness of a compute environment, before allowing it to do any processing, is a common pattern in confidential computing. Here, you will learn about this pattern using a minimal set of software components.
+
+## Understanding the key software components
+In this learning path, you will make use of a key broker service, or KBS. The role of the KBS is to be a repository for encryption keys or other confidential data resources. A KBS will release such secrets for processing in a confidential computing environment, but only when that environment has proved itself trustworthy through attestation.
+
+The workload that runs inside the realm is a client of the KBS. It calls the KBS to request a secret. The KBS will not return the secret immediately. Instead, it will issue an attestation challenge back to the client. The client must respond with evidence in the form of a [CCA attestation token](/learning-paths/servers-and-cloud-computing/cca-container/cca-container/#obtain-a-cca-attestation-token-from-the-virtual-guest-in-a-realm).
+
+When the KBS receives an attestation token from the realm, it needs to call a verification service that will check the token's cryptographic signature and verify that it denotes a confidential computing platform. As you saw in the [Introduction to CCA Attestation with Veraison learning path](/learning-paths/servers-and-cloud-computing/cca-veraison), Linaro provides such an attestation verifier for use with pre-silicon CCA platforms. This verifier is built from the open-source [Veraison project](https://github.com/veraison). The KBS calls this verifier to obtain an attestation result. The KBS can then use this result to decide whether to release the secrets into the realm for processing.
+
+For additional security, the KBS does not release any secrets in clear text, even after a successful verification of the attestation token. Instead, the realm provides an additional public encryption key to the KBS. This is known as a wrapping key. The KBS will use this public key to encrypt(wrap) the secrets. The client workload inside the realm is then able to use its own private key to unwrap the secrets and use them.
+
+In this learning path example, you will see the secret that is exchanged between the KBS and the realm is a small string value, which the realm will decrypt and echo to its console window once all the attestation steps have succeeded.
+
+For convenience, both the KBS and the client software are packaged in docker containers, which you can execute on any suitable development machine (aarch64 or x86_64). Since the client software runs in a realm, it makes use of the Fixed Virtual Platform (FVP) and the reference software stack for Arm CCA. If you have not yet familiarised yourself with running applications in realms using FVP and the reference software stack, please refer to the [Run an application in a Realm using the Arm Confidential Computing Architecture (CCA)](/learning-paths/servers-and-cloud-computing/cca-container) learning path.
+
+The attestation verification service is hosted by Linaro, so it will not be necessary for you to build or deploy this service yourself.
+
+Shown in this figure below is the software architecture you will construct to run the attestation example in this learning path.
+
+![cca-essentials](cca-essentials.png)
+
+You can now proceed to the next section to run the end-to-end attestation example with the software components and architecture as described.
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.png b/content/learning-paths/servers-and-cloud-computing/cca-essentials/cca-essentials.png new file mode 100644 index 0000000000000000000000000000000000000000..7e25a0ec7b45847435dbfd9b0f2a81d0f6614d85 GIT binary patch literal 86143 zcmY&31kH0|1`#X+fb!-C3nnaGE9>tMoL|3kU`w~Pk1J1i z$+cMA`&=H}cG;GhmKm+c3;|x3ErqsoKlWER!5p%m=+R9XDA2koUO>fpFn<7vA_G5A zqFH~n0xY8fs3QZ7@c!R+)C(%W=>K2!1Nhs*bae-#p9Ul9>0D>Tcq8Rn=Nf5ML3;?H zF9#R%8$J3J^qCjPKLB@i{ab|91T#+_qsBL)ARGPA>gcE3(Opx{^Q7a5aFfZ1Hx910 zI%i7s#}jhq_yC9dsez?d# z(cW(W+g-q_HL{F84aYLau-AfH-4pn1HA;0GEAS}=XTBtGSbLpsy3Mz^A0G{sX|$)b zR({b!X8LAO?`zh7%;`Dzq7zSgHU2d}N`Ctp&3aJ)?9Qj-p(K%L({dpenZ4|=rbLkVt|vt{bTm(<`~hnmtQ$gfPh+?m2CD*gto*_AePd3|a# zj7$4pWb6gDre(o?xsOmAYOjbymVX%$X9$m-)pq`R@WJ(|Mv1HSaE{->bZ6(~&g}4| zTJSGYy8%b2A|JBd@_2bpbKYzD@6b5!Y^mYX32aBqF)Q75O0I%#*<+naQSYHHs)J3Z zt_UhEx-XQ~xlg_4kSDyc*?t;{hKcXG&RCjJ?Htcm;Rk*3@M-CS@Ilf)DxGK9ru1oT z&4kln{ddFmB#cELYD@i~^Z;H%z)w_j7lno^t3L_pHrQzusOy_BDpT=_POP0Ouu#S;lg=b zMfG{N)bGve8&m)blM~y5K1qZYtx&g$7I5ulE!D*!`-BT)_V<^Z%O%6tj^IWQD@x;^ zlk53biaYg!&yECIE_dvgT9A(Gc_n+7+d`{(K9w0q?OQ|X@-8hu*<(F=?+R8tx%dlb z8dTSzEvKJpBk`B9){~LzTdlXlqs1Zk;IuvNTmdNok&6RiX4@}{mqP35NNKT}IiR~0 zweO%%zQf?K$OGSsOHt&Sj>AqPRI%L&p>S+PF36PO#b7~h&H!UG&(-pdFT0xjw>q7tz8!jgf7;K z3oa0M{UJv9V93NJRoJbB_Wr^YOL)DGb+OPkM)>9@sT!>vD&iZxI1#|5f5~Ivd@nV2 z=7?!DrNzVPs(D+m%kwlp5$?j>zC(5r5=Fg0jYR;wGE!xd~=xwRuVbEguGp4R!H|J<i ztTVS^@_5F7mTwq5p6bx#0mVEYNf>qC-AruW?zEbGR{^fypL23+YjX*u4vH)WqT0@k zTfEru^FGHtqE*?-dM$C7we>1A>0rU7sru^VrE=5bVTIyTS2p2H11s0@&}=EVztm^3 z3H?K7)unlAqhsLa++F9vUg-g8lsc5R%X{0l67I%d<~sht9R7iSSGLnfql&reKKjLt}_K>lhq28UB*`=7=CTT9LGhtZm@{> zS7sY1s@+B|EiVmr4aHwwri=PCP*3wOx6MWEzM(oULY~g!PTQB*LSW4s~XM{7voua7G@qnUuDG!JZ{vE!_jQe9!9m+XkCa{axN3=!<>4x4kn6o+mVAZ zdq{zb=y#e1|87GB6cGkXPa)|(f%BlPt4HLrTc`>_p0btFDc5d9?O6Ig)aRUxvu>HR zW}9yrwCGc*+pF#1(f$bkC$WnL#{w1M2lR3Yen-9fF$!9Qg(|gNaGbb#&s^61NX%qs1)kakT7l$jyJh^>l+aF$tn-~Y&SQo1$ 
znp)HaUQqL>6dG1D>8Lc#0RvS{T-INyXPZbJzbcK&RZHYL^7qU2Q|g{MPQp$nK=~Aa z4@b>K?-fUUG_LV<>al!{73mZuyn%sU4RgeA7!`X^^Vb$(A6Hna3zTa51&8j|<^WK= zjCqYPJw-Euw^tWDrMoc7FsZ4#&>W$tBL#gw<~0?FeW9phd?1z~vuw|4 zd5vl&lQZcsFe@XVXKO0ohrjXD@0e-+%Wj1U4LBw>*{(rg&BO;>-qD{c{((^Y`Py$+3MmaHYy@KJqC>Q z-h(_tBdKFlZC_V?=!>$1k4X>Io+wnc&5UP<_yt#+E~+qrb02@Dh}G4%LwS#}5`GFm z&d-+zhC>J=WLM4!j68Nc_6oT&yUoXV?Y$Cbl%Jf+la`t1uRGmPbHC+kDE5<}rqz}_ zMyI!G$y9?QV^3}fav|SM?WQ^bpN6vSpuh*{_wnr0u|?y>o~|i-_&{2S_V&XB|ER8~ z9XXz0nPTx&eqFSg%eWG~idffAAjD@~Kx?0ZT8~}3CT?HtmTa|Kgr~kt3WAQFjQiLG z=9r7=V9RqSB}QNtT_T|0w`qCjSPN5^MaFw5Lh>yXoV3=Lsxl@pZ&N`)GQiTKPG7s8 z%euzp-FiZOREM$BG-$5lL;%8jCc3M+_3k)C)LfB)8>u2g5451YB%mma#GjMiB129( zM0yaogo-{Xm=2+Bf5N$ah7WSlfo7N?p!}vLj_y8evY7u15oDe57`8+YBd2L)@jx(u z8HOpt0`T`m@aHrmH@1y9a#sVM!2bdr|MkTw#Q>W-Eiq4K_w@^?3=d`wx=#7qH@Av{ zI^DrFV2(W2=XLJ{x6~t#hl1S zaOB@C``$kH1gv#a$ok>EZFkJV`}O1PuixEkR2&umxA$*PJfpC{YL$#OuOGf|06N_i zVPsau)eVnhLg^5NsxC}iyZ?bnMtE=O(6nSt(uXX0M1PzTM+UM;g(lsut=QCjm%~UW zSIGL`RS?FM9;}=v7yG`QmW8>_NJ0NREQ!@W84SzNYZGii?j-U5cLJ*l6j)IJ8M zL9Z@8@nHU?L6alIqrr!ISaDaWi^eL@LEP9ihfS#1g_Q$idF4`n$dM|PD1b0c);S97 zIB{o>&4A3L*jsW{H(37-?gp-(7hU?3LVZlfeb1Qi_JP9rUz5-bTc`Qs>ZDtP#X1HI z-)H0}Y03bKfZ(OrRws&D0{Mg;cK&1Da;P}36k3zbjk6Tn3#g9HrIX50r^zGJ1JTd# zO{+N(dP%`}UX$82+6tpM&$Pil0mcV`^b)nmR=$50Tbt-e8>t7hQ#lwx=UY zh02cm#(A_LbxD_8s~%z2?B6PfGTH}y>>S^qxJ`ba3+x0q3;19VUzLZX_FGK z>g%s*XRqp#KoT4UPj(U30$rcI&U}ztBeuYD(yoLRU3}rsGbCy?zmU3*CUSEx)v}r( zt`uM(+IUTpw+U>mre!>7%lDi8QCuTu__iZ>Pw;fd{3lo(7#6N`aSkf5x_wvNW(U`2 z(oqn*#2$|qnXis#1vu6<^u6LR1|CZ5D0p#K82yf}CUnls6R7Di8E+ai>F1u@ri!5S z&OmBs8~nQCE3lA{DBgf1;T4Z0Z9Sl`ekr_uWL&0q`DEVgGy|@I%vf6j7n~*46R4-t z^NiA&NnIszt;^h~wnxuH^cUO23Qoz46++L*>yxhkk*VdMR>%9Jj-jFIy^PF&h4;@C zGOzMtjeAAf&idc!GcQ@AbL+PsS&;t*NnmRH`%1>UYZH;`8V@1poG@Y5Gj?L+u7OS4 z*ZuB%eX>?#Q47nM<|qgxuS3$aJ`IuyZBls{9{hGuAKTQylldr8nG~+6b5NGb={_Mq zCNCmF!og9yRRw!=;W!H6$C&u*=WTbi4q_Cv(LZOP>Wa{u`4yBW#&J%U`nUZg{~I4Il|VywwLx*y0& 
z*h(qF*G+!O*L|&M0Nnt|JO>9ej}+WPN`x+<8UJchg0(OS9?})>eQh)1JN+H%GMcSPr0{9PP+)ehVtRexWWoDz6Rn=euCNzYkXNxN=+qy5duu17 z_evzF@sS})6{`=@Vskd-@B3|IMI~}d_A2NBbp&|?N%`;lN?s5N8p)=ngr5dc4rszm zQm&leaPLJ}FG|c`=p#dT6Mz^P@TSC;QqKfMAP<%s^Y8F>8O%jLB17$T52-sAg*M z6Ee1B^}2ojH|lWcMiZ>P(0JP?lmIGloGyWJ{O45qX7&T}-fuE3k}|&m+YHELdbw;m zu5;Wj6rgMigoqT-Vfq52T8i&+FS(eTZVt}eD01JwdXxt+7qq}YoBvcu)eP2Y$(mb_ z$nW;{;+kGb^M|03uMaz5nf`G@C!_hp2DVh-?I@O5XO#}+*m`-s@}N;t0(GVKcoDW+ zcv^bZa#QxSu5pOmdb9pJh-y6pIQs7w-{*r=AF@%t!o95C%zYuK>!^l-|5q8&OG4Yg zBpGDuEk%Mzfq_h=LAiEu&qjXl$4!REvkLvWLPJd2f$4vg(?-(|$K{&cK3}M;{+%`& z=SuG$g+&K*9_@k2*d1R9A-N(%p6I}DNM2{Osvb=1M5I22K{A>RzMNKCJ6$q)9E{A8 zdF;!OdCbbA;xu}S2a=Ztb4E*%5fMG+7jrBo}<73 zf#l2E;crNW+yk;I17wfx;S+C%1d#TP3lIaxOh|@rsBRps=PO57lVO8tw;|DK-S7EL zG(u{2v;p#mQIkx+U|a>gEQB;sdaFqhM7W)O4Al`CS7#rW`1FrGS{f&iqUwcL>Zp>p zk_SVqY0ht_9J{_!>y!bgnC~2`jUr)$APEq>&zEF6ukhC3AuB4WpxiWDd~It z{8Iohs{S`cHmufOvlDj}hoQ-d33&I^ula&kN%%LBV?-*%~Ow(yf42 zvFKxN_gmStC(u#yK~SX`2!+|QO!WB7>kv&pyb9!uk{X)OiwM`uUB$E;ewF(CvW9y#=7Pn zBS(^r8Gc!2t;g*TgViOdue+SGSqUvL> z%8a9alq{xSiiKgs>`HQINHafb0Ws{+{>n06l_6Z=WB?Q^Ri?Z>0p!2yH#!tkx861nqmoDUf)lhBJz6jZ zVuU9byEEDZLrhG6vf91@$pZqnov8^@GsHg}1o>Db1?zx0qt6y#eP&Pt&rU37<64rW zA1{qfzr=%jMm`*udc0prB_9dTHc7j`$#&ZGd&x^xDje2FN$;fDZs#CJl~a+a)6E zZy)(1pLrU0PCVG#5YC6u22h|OBDwxSjOy5@e;v^OVfSY3n+y#Wj<|wGeLmuCAn`2w z98LgPukPXN*jd2Uh ze*8^g5A~oiO_4}*od9@d$MVhb(VH4Ap@dbf@EDdT|5_xDeO?Z2{B7pf9QwP7# z;&8cfydb^grJkV3$2YA_`6jh>0Z=ZlqhnX?9%Pj=nM0$~qHC9lgLglgnlbZ5FZBy% zN$|&iYm!(L=vgqmN2jS-3;ISab9N`3sMbd}EStZ=#x|-k@tzDyV7DCZ-RzGL zWM3v6&brpWS910JMP;*BCCmCevIW#BZ}TxK0_d35IhKCMf*M8C{b|9_iQqLM!181B z{IwCy`PTryYZ&}3jHy`OtxxV=E*&^U`-!msfr|%y=d-KV_057X#)Z{BvG0$aP&IzQ z+)5tc&uOplX($B>v-i6dh_b9CBk{ptJPpyA8`P+3g7!zdgdr472i1Rv%sTgHa9H4| z#6@^h=nAnv>K7E90POmeUEkMVFj&r%l*Twjm#4HHJ_U#uuKs>VKNJUSz9 zTj8EA?6O{*O=0Hmbf_M74|`3u6(F_dbPT1qjo6`$)?K6Ek+i5L85VjdkA8m-n8?*+ zc3gvUg%Sn+gqAGsS0KZ{BtB`)1F0R@E)%ap$QmU*y%e4 zaCRv#mhf}t-8CIa{-(kFI00xfP9(ZPxyDF)tX4v?F=~oO(vRcT;s|ZWSa%f;W&4}t 
z?QeBOcS)qdS6!EI5;Zc#R%xk{Tm(PxU`=ki9`M;>M<$3{7X`k$*~hi(KG|a5sHfGa zYQI%6nSic@vr+!Bs8otd~NyiD901uJc#P z$LGW#c6aAXJUfDqT~jN@K+rgUe%Q#k?TR!UMXaI8E%Z&H?pv<5b(g}>ziAl+)F^^_ zN;0?_xJ(#u!#BiTuLM<&Jd_IW$JUsu^IuwLy98UIRU0;a{m5(yCb93H?V70~Ld7DXBOH-6p_+?t7jOn7b8ayelq%(n3m;P}3rIu&(gr(~5N+~66(z}6 z1a(B_(VZjH<8lC-qYp~S6!=v)IhvTVXd|=4Lcz27@ZAeJSN}3ty9)MhVUe#Bs=j^f zKM!%v)i2ZdY&Wo9(<=?<5z^+HMIqaCz?01jIJc^dE5ymajbgNBlMRT z0n6dz0>4j2c6dyz6~waHnO0*cCV}Nux+A*bb^=-qpFLK8J(7q=#lsMzy!8t}ogGV{ zG_IU*saH^irCq-h-T5$Yk9{++{0!Y{sU_eenMnW0hq*U(<{L@Ct6hFW#K5GfQjvS6 ztS?R7r6G!FtY6s2^sTUg3{KrQQYUqK=qlf5nW#O6LrqGS-R#t-#r|+>u z(kYat!!{-+&nU|m1k*tY6a?lb7rI28KhZd0)BrSZkli!88BCcaC1li92NSYotrk>T zpbTJ?((mK=9uw>AQWOZ{27jaLQhUlCDFZnvF9xIPH~9|a;A3e-DRyD$)IxaPHe5@* z^=f%lYJ9%K9thm7#p^13G)9wVW+%(~Sy_p0ZbWEheU75{j)m6emZ?QX5Ts-&5144) zH|jNCmri2^YYrnauS?nvj;z4K_gt3QyJT|&`pk~1UeDw02=v$p>a$ggjx~}pD0s)x zynl2WK;e)-#@6TP{{oajuS$C_DELg`>Ir?slkKMalRQ0`r!=(PZcEepJ@RF>WPk(n z`%o#94%uS*KLymhJA&9OOgDBkY<(Qv2VUp?K?M4O;#M>$a1%b6qIuw0Q@s@@Q@q3< z!aAe66B(!=1Jiu?SL2SpkmhC{{lm#NN90{3Sp}=CmTYfL?vDVaqB$%NE#jBk&Z8>_5d7)+Vl_a z%F<473t}rusiA?f6`AzJjAhho5$OBUnu&M%kz{@y_udPDYCpDOOQ-QX%S%c;_-cfP zb*E|Q-xKg#TTme*;}WZ6B#&%`sM0ctBJ|te_bm>ap%lTlUIu$x&1P1sXXp2Ix|;$J ze{ouSfdNKnZ++}l7mEtrrWz)h)`i56Flakt*~Shd9?Ar}^P#3+C%CxHOOi%8IlJTR zGHpy}k<+B?Zz}Wt2W1WUGA@2vo-i3-uH|6*8Z4eJPlXBph)k^L5*#tMNvXz)WbtNKl~&c?#H)9=4cAxmYoIhr`00s`CQe_`gfmu(Ht zS40=%+j(~>!r48gGPKN6`T5S}edI>|&B{&94>^jqdB%Rg0mH8al5vynU)S7Ze<~>G z`*8|pg#*KXR^yy&C%W%{V%Qoe^FFL>mO{ChFXO8g!Cjvmb9!7yOB<`5t_4Qn zr`E?v}AAUNTbqf;z7lliS zCg-70R@Qk!konGb%Fp8m3MpRE{}9Aahd`C*un_e}v#?Xj$l#|dtryErsw@6etTU5y9}#SJ!(Kq8pIKsBw80&#!L^emLc#^gTD7cP zsgI;>Z0nwXo7|ph+*L_Bw2xj<8y;-;C!b(%Az^q>e;%areZ4YJfzKnnJ&9yJclqHK zz6I7T_gLvbnZS7wZiFXk>!#HtOS~^;^?SA`naJphC5WZq;YCF2Km76BR+kKlyez_K z2fV(rhpx}I1m+4Y`!cxo^r>f3xuY*|mrkOC=Y0PH4@Zmqz7!>TkVYccsgIKjp6sud z%@1ZaWzct&qKkKC@*72NFL0fYCxkZ7-vQo!GJHTn#m|mtiRiaR*$MlJ1tBQq@po-a zwjJciRowNE z1<7mQB8_O>dl%8_ZTtI&sO%}l3;p_DXRZ|!kAq_~i)@B;fN#}7{Oh9!s9rurez%s` 
z>8;T&h&%G-zWc`soXt9uV2P_i=5Ar(<@zEp0$?T8L;Q5MKZpmw_y&PU;03DZV(2t} z`T5=`8uH=D9ysca#kv#pDke}RRy3hqU0D|?y9+Q&2Qci%h?yRoUB)loZ7yM)KcMR# z^BCEP46Iea?i=?)$E~ofNI75CAXf+j=1x(|HOf)5NU>$^hbx&y0KdpMZ6svy8U@`* zvqh=0AjLZk%A8CuK-ASMZ!Y)!FTK;C2zcrb$b%<2@}lVpxgybErdk!AHsPY4J!-=3 z-M2R9e?};co8@+5#6uqA!BuZh3zEr0Zp9=fPUL3FD8qZPA^B zf8Xv4En*(w4wpWeer9b&hTV~fOcT46=nvKhuDsmF&(y5o#2&vKZ~KG&y0T1i-17rt zC(ElVHF4Q@?XnHlh`GmCg^rUDTt?IoM%TLUS?al)#7OhejHQ~*0pkC7jv!`@*|>4@ zxkaO{eUyB{5#TfXOTw zWddMk7lcMd)TD_OQ%lTL)>-u2(i>FX96$g}fCWQOj^v*nuOo9R5( ze-)EOmo`fcYD4xiZAW$L9Ni)_KTP_L=TZy_Z!hAGHIC`GG}$)2NEWb7*iZeMFOO&o z#!cHs8#>4n-X3k8VACiu!?@6!Ru-BK!K2>FVC~QsYBd`q(Ij6{P6mxKmG~FsDz&$` zC+yk6nyNP^sDd3Pc*lgNFZq?+y$alE1)FZ~2x-g;GyGaezux>u>leY*+~<9{yS{fk zS6c}84vc5j9Bb!4!>8b2(zDZH5Jp{P68!$me|?E#GcQbc3K1;wDgl&F zdH;*Qc*Dk0r~Dt+w#SPrR_!kV6`3Q2RTvhePNv7t7UYG77DNc=8yX2-0RaOZE8BG| zei5}|Pm%Rvk74ys4+#*?y_Kimy&Y<6{PcSFx1AhUo0`o_z5q~HN~?0XGr*B!;J(vE z+1h9Q(B$fl-brV}rPW#6su_ye^R#jKw0&pmK-Q?<2y)rHFF5PGW{WA^KlF%zjcKYc z>q6}ADrzcx#c)18l-O?MDJN`V|&D6})$F4b_&$d^Sz@fa??K-%#=WD<5i@o2@R)5>+-v zRDTK7uCf4HG#oeZs*j`IcA#ak5qpeV5}j+as1T`bt`WJ>Q@^{YZENs&8oc_)d~*mn z+&uhOSb}gL4FXrjH7Lh<9H%n3_V&tTrfnSEZ6VU^2^@=z^slwfw-Cq9FhaJw>G5;8 zNX$$Pl91H({J0FG{lXu`$8dE&Cu-mP6ng-{mO+s zxBW#QDk0;xLqF3@xA_o5NpZ8@b|eh0>)^JE(slliJQH#9hf#l-uW`{NM)Wc+p7^&l zq9eV%$)!~><2|H?ZD?4L&EZ+Cq{Di6JZn2sm1wwNPR`LZ;JiHs-o_aazFQ+JWldDl z^8r7lx{nT#R*dZOS~T4vJPxcN@~;|w==}!lwQ8X#3E^r?i0pB(TG5AF0l;(k(PP0k zM%WI50Tc8%EV=dgc#_C#sniNy$3)U1RfV_5<_%oLc{Gpo8XQmG`0U+mn}1Y+?9Ej= zIM94FN;LGXFZGWG>>T;}l$)1o5M+s5^sP61hu~oSF35CGp}pUDIXepxS#Kv4*|`lB zJUPFb8cPS6T{{jZa%V0*tfE~#%e}@@QM;^SGIr~Dl{_vD-DlOWt_u`38tk+K=Pj=0 z?y$h!InTm2K#hK7Cl}UHRC(JnVm&pZfjxoK?Q)b@%TL{x&l5J0Tdec!gF8GEY~DJ5 ztWM*2bof&F8=;@`@h@|JJO}KZO|uMImFDVfeH8Q72D$7U+VW$Q$c7fkud4a$yOxnw z;MRW$TUQt7@r2wPncp+U1OLSD>%gYDzg353lo@+08?MkznmkOz@*Ot#Q0@7M_~=Jm zx^QdMl?x5q5ObT#Yt~mYXI7dZMZY2pJez;$e|KXJEGTe)%0=~$nQ_XB!tf{!m>Tr} zxl?!VAyVMw9(;A9x_l^^#TNXF@Wm~IsoqVr0I+9PhPW}UuD>Q@>(1F&g9%tZwJ|SM 
zT$5Ed-`!;#inRw1iYe8H$8qURsf(A@b(v|mJ}lq5M+{~7dy&^S2Z9$gmXExPqS+l{ zL3uv21wu!q$6eD;#iAKrm$wD(!%%5>72AR-Tk5u_*7*2?Fd{h7t$x#c4BR>dyX0?l z^}V{TojpiN)mg}xmv4zW$!4}`@>|GqUn+0uczSKkgr8M!FQLs}xZimEYUEI%ql0g1 zw>2awChecS&lHgriX(;Qx&=XfBA+E!OHS>U4X@DUqMyAIP>I}NX#pgvHO|#u&<=GL zX|-3BZ@moxp?-yY5Y>gLvm@YeL@I1;lh!U&oNS%q#J%4a-|mn$itoyHVJ)Bbuv&3; zG0o?T>AgZZA^$#{YN`L;^C*W523sMFHEaRF4_A?);_2c7t{>c-}VuLug8~ zbCKyk_4LJiVfQRjTM?hldC`>Fu-A(kcz9iy4!4}>G$rbl_D*nH6wU9U*e2@^oW)<$ z(Gy;T6h>*~=Rkf5I!pPN0{5%`uZ})I|FVzyYLw4#w3Uo+~ep>_YPq zEPJ`RHIUp3G}S9D3s~jhjW7A;w2DUbm)U`?o_85&6{oGFKycZ+Wj6k22_+hidbk?& z-hB8Ys3M8t{n?xYY(gpy?Ni_scV0 zCE^@#{k^7@k2z6N5$zOFjj8?L$JmVZ^fHx)4f}+Xa}6%_s!f788Fm%Vd7Gd6;4JN7 zH?s}=q8aU=EW%qrI#g{p(ghP%tILM?##y!x`cQ+5ZUUgoY*oUK`@+ayemMfY> zmo;!)6+~Yg^)%^3N)pI?@ql&_S4fd3&w-MHCiLa(FGK5QFDY4xM{J2I;CB6vLO+r$L{3 za$uKn#xGDTUd$Q(qV=HVia|h7xcd$CRJ!Jwb z$k#6jw-mRC8TilZ>I+|JX@7t<;b4Zb{$yf?RV;;AxxV2}VLD-SEz zEt3E>(bgWQ2{^{(Qx*Vl%xJCD<^N5uaKin)M&!Cse@Fvs(HwaR*d5$1fyJ}0f&W79 zYKMjwy`)0{&|Qe8TSF_K19Y5bZR_N(tzeT6MQ-FaWlHGtp$rMk%Z`;nyfhi8nDxwb zg%W8#ekjMHDFHa(Rvv5wP@nsr))1taUM}e^UVMJ%VU)9s;5&|{wF)kiiV%+hl0<)0 ztz`TWY%Qta6K5&w4VZaZjy$VKk9LlnL18tndjNN-?Zb>qJT0tA*J$%K3Lgjn z<5U_1&?rG-7>*{k0Mi$@)DYSUlfbRFBPL@#9Z!cj4Ub2d1Vl?EYPD|c3Vgo6j$H5J&OcpEY&jemLdQ22UTQjW&l zP7MwnZ!Nmn>MZz$Gh3sbQ!yQSk8)CMV$oH;Bhs8SSkhc9X6!OKT+r1Et$`}Fjd{RB zlTJMY=7@(*R9UoT;66e7l!Qja$#nPEjD?0|FJsHld3HnI+)0szPwC|)dU1%CW+?gb z!TWTh=CI|S=EIR>?<;0)s2yhA$_xA|OIN5*T19V;p2j@+rutO7JzYapG}$jl!pU8R5c;yYbzpG2UP?OV9K{QU6!I zN@5e+(e1K3E_-<^_Z=dO+e4|}(+wW;mU+cX|4@`;MfX@`AODmkSbF=)6h*5t?C9xB zrwEHm)kFMyd)50)*9O4r`xs}zHz;Sh(0I2ZFMP=GnGe>4kkO9OAI}&@Lzjx6j`0xK9;y=B*ES zceh1eE%csaiL`%j)sj$Rp6EGzRafjC+Cny%NNG$S8_P8I|c(Ig>6 z4XP@QqB+RVzU|a+jJ8K}Sj=v}JXl(gCfv0My7j1^(--_WF;k}Ivp?S$5jA=I9W?LZ z=a9d@!RTKpny$YPC*c(*f1~f??wl&rRpt_-1p54(PZN4Xi$S+m{wEI8=k1Jur?{r= z^lWLZb^p~IbN1Nd!(&CQ`8ENl%AZ`*(qVQ%5?nCmxwJjIpg2d9E*wxaBX@~MKQkJ_ z>UOX^_%Ns9_SdrRj6gO0R9~n?FttfgsCAnrOHj9{LJ*ADt!=*>JFW|FP-OL2Z 
zhh~}dLFVSLckh5?Zu?$2Q^oSG_qaK|HL(V(m}97Hp{2e4fXX38EWRyzZjwxxOp0tr zHsTF6Ab|O6$Lj5*;vL%Lzi^C>snkiFtr&iP)U3;644pqGsy&x^LICqhLeaaKISt(5`ZJ0ezQk5< z$9_IOcC~tMd^Lu@evlmzB3RXZ9FV?E9^-g3pUyiFm`=sE9qA+jM$YEy-DqaajZ@($ z06uUf&&^-$H)>YWfwz_R4q-f9@Dg6EmiGp2c6o|)%f0dVL@nDruPes-$q8yvP&G*} zg%}Q#rF!)r5#zKRCo_{J#bcDYKCm%%^=&uP!xUajEwx!}+z2G0 z7}G!<*FB^8Q7R*cN(xI|ZhG@+najE%Hfj~;ZLc8xbY=bbi-EDfIN>;vuGP%kR~gT8 z4+*`Fl5#kF6-vtvV0CmJHTBtbY)-$p_+qF6)c_qdDz(_NFZe=q+ zowxr>Lzy6odE*%E#*m+eFE&fgm>;TU4A;qCoBy&3*2aLCpO%M@+=C>-;co}pLqG2* z<;t*up&(pj-@Ncj2rn&hWXINFSHCj{`Muz5!hU%=rM69Q$wwoZG!>#-=|>AjBz#4A zF@>7Gz+VEe!VqV#jhP&o=y;~^d;-aSJ^5x392W{P`O4Q5PVD7$67Gn&>g z+MCVKJ($;JPF@llJ&0Db8;tbRkfL_%r=ta*|0TAFQD~&M&oC;CIW*r)sV83DF~LGN zI+&!q$^ac2qqR1#DAO)YcjyXrZ(5!o=iMy~kSiYBx^J^q+_!R3*hP^9kQt2}sijjF zz|N-ca2dS1j;&FceLPzpoQEZae7-wqxDEC^3;YF zAddH$5g4dOo2iXXcnkI@BzyPw&{L3HR*YajPT2Pro3y(JzCg+|l-n_4t$PV1B53+h z4uu!S(&s*(Rv~z-n(m=opE^#t1b6p%YT7Exa22vc!coR`N3Q@Dxp_!qq_RkifLocBEsf!UfA*{h}!VQJWs9>dX%Af zk^^$Nzlz8kIkoOF>a!4SM|>t%KDKOC-*&Otb_F`Bt4rV6JDV~{AM?#(U!(PXWqvc# z3duOVJKXaDP%@B_{qf5=oR5f?h{O3E^x8-JVW^fX4L&a-WHK1M=W_cKiRXy9c$U$W zxP7|f0@*s9t96j^IV!HX+IP6_9wJe{Rl4z4xs_<4yDHQJ-WyJRS^NW#tef|L;BECi z?~FZ2U5R^49PhXhjqp8>aux5;nA%3J^h;gROp1C)Z#?}g{J7g~7LOv{jNabfwa3F7 zP@G%;nl0-cRw~9>@IkcD=d1hk*FIMZ{soGupRYDzU$0MhK92CdMzm=weOmcL-@Fn{ zU-bP{YQX&vhjNo?HsoX_!}E<9p%_g~VP>_O9xNGlSLne67E^^k=i}0kw@2lP}5++HcVNmSn)=bW$npMAeoq{f|VoAMudYMo3 zK0;`YMshERLYZOkt!-NUwslO&WLVhT7l7q0)lLf*gFgFNwahZ*^+tm(CN`5l!X$>8=Uu zYTxnsC>(T|Ec8pi-~(sV-wS#%U%Uhtt`x;uuF>AQK}$1w-AerS6z(&c|6@wt7Ar-; zhT1^Wl!ZRty@e(RDN!=_5RSZ`DWA-!isuO%(6L{uC*V& z=$2bgr@s>BFjrzO`>0iesKQnUx4}sd&&{^(*Og;!aW6e$j7JHn`OVz3P7NIlzlpQk zD&1J)3D3w}^sY_=2Y3o8{o$j%gm42)Gmzs7t z5ec0~>CQjSTX+F;oy2CR3Lm8*{F>G`I6_}oGV-th(Ze10|9ph*+Rne~yY5897X0c? 
zeoZ{_gQ zcv-gpW-fU`IskR^uh=5$`vpM=>YqfPrg`mkDc!;|`U>8Io9PxMEeT}W;Dwh-sl<~& z?DuhF-?6)jxwas68xAMCSV_6gQy=GI6UJkm^||-bJ5$pw?nl;9I&QUWiYV=;a|Ml( z{|7@syuP;G>RGKiIjwHpkT!^rbsk^M#yoV6&EGS}ZrnfE?)j*J;7R0T z+%y!c*tBaKYtg-pwd&c*ns#q#&6HaAZfP9{w6qTWl=`=kfkJ&NRwB1NAcrhZHl>D5 zt-!KJtklMxR`sr@t=8i&Te+cqtw4?xPS_SBEOhh1Pyzp{rl9P>ptn7y2yP zuqxGWC;;s-nc*o}hDEGwgCGTckis#LQl>7ofmZXDt!&wK*UO`Lt78H-0I*}-;F7wp zZ25B5Sh4@`I-Z*424$u0d-^x^XRX?`TpY$W@ol4Lv~V+zclaWr#Ugb|v_K2i36arX zx1+#4%|2N*K3SmUToNd?>D)@*SDRbc9zi-``k=esRZ3GI2T|DRb({ z^LuTH{Hn_VDNaEv$lG~2c}p*4_dQlzUYm=^L197p&&n@ngC{AJj^d&zz4>-tIVa33 zA5^&&tISL9yq8-(sB+0a7Ad#AdoYLXe=FABd^2Qk?hDx)@8+^szpQAld{xtSep$=5 zf8D^gzERk=zNAn)TfOv>{zvcR@yA1U=ba&2yEbIkUK6rKi$Zqps=9XS=JRaq<|}Q$ zb2nPYd#<-eLmF5`o!$%U6n|2IoL0F(Ljg<=6#78&@TY($Ue*0nNAsgriKjDLxk}; z$~#HAvBU%-s3ZX!BfZdQffk}8ba@_<()IIFR$njo2)@WH@nQk{(WFCLyKZ`U`(SBK zd;f}DLCQ>haJk+`q_j+VRw~`1bdS=bO3x~7Q`)N}p!2>!(EA_evJXDaDF=c$*UWBT zf0s>;1+&WWW)|sE#o2FiRQRVH4o0h}o|gI1HNi3JPru6v;%|BFtN#_S&wegsAAXkI z-g_@(`}c=z@7`E@eP3<`#w{q1)(SW+-SD+?tDt<4{qrT?ebu zsEOq%P}pF?vSiEUQr7Ib6bLw%WzU(AbP&oOp7=fSZ^8HfM4#kRY`U^K6a%9Cbrjb0 zFmQ)KP5}6I+jX?c4VzfDoQZ+fV-9G=+;q^gt$o|_&AiNtmCj*hBqpy`%@gyZpbc_xSfRl;^M_2yW$E@-zurJV8P${FSsCN zvu1^C=FE^yo$Bd6ju_#I7kl*zS$urRnl3b z3#1;u9sGt9bK)!FYcp|~eCIj=r3p<#x#7=1S+q6rb5U+`&zuqOA(}dg-+1NHr7nPW z)H+&37hit;^)7}_q)MX&TE62f z)h$Kv!-?;_lQl}WD?Okjg;$eOs|je>S4uxA{i=io(w|Cl2@nzdNcr4;R{CB^R!8=c z(m^FzGVOgKpFF#lRw$YBcGZfCcG)$R6_>B7oiFxl)&;d}*73ecN*D@Z<(-_vr1`>Dha%_XQnn zfD~~@j`SA&88bpQdv?gqKR;xbU8Z5>{#4w)met|^ zeoxwyI?s*osb7DMm1p-X@^+m~p0TsbyS!L6F>{YTUEHp|?qnM=GON{-4q3s1A&Ut@ zc0^o*BCS#X?(4C3a)l}a>75*)0$@4ubb{U(206{T%9>f?^Zqh289BMS4Ii1)CQtUp z^Hoc;*sXiw?TJs@+4e7L+rDor+gqP262ZY3`#_58A8GDk2=e*o^4PBVjMDmd-(g8B zV-goBA-DbhyADH|;JB9z6WTcd6b=ReM)eeEx=WWXvW%>A#5|*nMhaeCMy{S{ zLq1v8wUq95-@biZ8ZcmhyABxRIsmIp8@VUy-P_g6XIFubN(vh7*U7VWQUK^0Iv9kv z1JFiZ6v|Jux!S#F58J(OuT7aYEqeD3L=z{1c49=D@`2VJv*o~&&HRQ`PT`;-`2R={<@d)b_4$gB{hyNS 
zf4=iB?opE2w@LhFUn*&#Gyqa^U@dx+a9g0VJBIIDmCgDf7rSc(Of-kG}A}+wuk49uzSxRZc~T%wkpl! zP_}tTd7kfLWotLJP)t~)_43j$S@e?ht0X$PQA+K1{9vJWV-JsC7UsCPkWP^y&4-Xq zl%BF~KAFDf&oA*{ul`ni-3!w3+HPg<+GZ8kK46u5G_jge>}?@s`ys=!+JYse?8aNm zDb`y_d;Xi!AHev?}ZHkvQhr)(;SEw8;cWD_TP%mVe&9)B+8kS-be zW|?^dInfr+6REvfvuCmLH7Z+t-+1dkwu#L+yN=>`R?&DXtAOam6h7)Cg=osDa5iFz z1?<0*>yaORh;e`hfb)muEdJ1vJN$4B5Cy;j=zQ=&$liWCWUsvzvhCYF_XW6kz^%dq zn!}{~@ApLPw`%^b*E~)tVO{v(gI@lJ9`f8b;6~!*mqWIDw^zrz?|O9t@Bm&(St}md z?pQrbRy~&vGMYmGHRcgO5o^cSU-#O{LFufsJZ287Mt~Ue2m_bY)*Fj^~i#iYlSRuh0q4LwKS1)TQwuQW9%a)aUp#Bd0gfmK% zIe743f$qt!>~MyPvZ$kCLUfqgwQDdR)FRSE4hiL}11Qz~xUC3S)WxYp<&mbMy2YYnd-6^x| zSI!ODzKgWb!d}T=jvY{frSbul7UDlxj0L2=(n*Qt zlh`1~gi$8IZKV=G?s_G?7x$Ssab0;=Oe=4V+Q}kS3h_=Pl1Rsi(>yLda8c1*8vfck%pfbM_+o_`+9=Esf=fL4m%S4!V&Cd>yA z0O*%4?YT}s)V6wcjBVdR?7tlH)uwoYze>#hTdZSF|4Ia){!q-oZ@-IkY}L-4A$#o6 zklk`yR$IQkk6o~Pj-C4Qd>ixp71n$C1Z&YYo7Irm5K&#Za$cRqi-#l<3TboK0i!Uk zA98C9ma>wia%-cJK4MsM#wK~ZLqJlA14DRzM1e54SSM08b&#kNQ6cr0FYmca;K0$L zgEt2_fXtZ_vWqVc*^ZqJ?T^2D2?Q2!U=217K$#dwI+4FXCJY*Y494s&ty}lq=an;f zus6484~MIyz*kxwY!C}Jmp)$i?%j{ryb;$88Z^j(6#x++2!<)K$d7pd@aZY$3xMO# z3mCBB!-qRC#&0l6Fl4Y#uwQ^5>hSXe9QYj;ir<>Z1A2R{r9SyWy|k5bXz$RWLmhYu zXQ~i$cJJQJF>idWnB8z{Ir%YbD|aBtJIF+Af}04EFG6vaiOB%1xXYfmxOImt z?xq74x8ZAx=`cFtxIYZk+77e0mHRwKmok>^u$bC^o0kK$D%Ni#k&dSf?^{s%R+F__ zd)A0Bb1k}yooid)N@)Wtqm89gC(j2FBFcSY0NEG-U5H)SAQ0!UY1}NfFQZT5C(`10 zqO_HF3VRB`KwoL;QjbM~T|(4`c#iS#e}CyvBmG50)`+9ucsq|h_hMnY^S+X{bX5gA zXJHK+GozvP8qva9b*-oImCLcQ0H9n2b6c)O_gjwJKahUbJC;RrAT)WIg<>Ns!}sbl z*tYL^L;mpwr+B`kcHh%S0MKl*AYO3EdA9%Ht1`lA;dHnFYJfCcx%BKAvQtj+fD{ZH z3>t?P4lh1a_Lut62Vnp-eC^$>L*nVDhpcg9Py9$d4I75U)});X5)mJ)R$W>C(_e_^ zV7LG*uvY+_)-r&IkB@gEyWF{RDdj$_PvrwGfE1t%maDCzya1*EKYp2%$M2K@;{{8V z9MA%&jTtk>)eA84*)P~F%4sUhK)VvZ-x@WlJ1|F^Xb)}h*)f2eulGg$CnC`5+_j7J zZ?`3QhL25d9wa?jpcGN^3a9syn;^#mv~aBXvs^paJyV>U2R1?9cU8FfFwKCLHl{bl z(xmpJ|2LIav$niKYlHtm3(jv^%zxCv{+{UfTeV1y9q0L!;#7)4>S3Q!VJtu)oxFco zmH@O;0-{oqCj!v&9l;VboNz#k@eYGtaAQeMUC5c(J9edbDxuX_L-v9e{W1t8V!w#fjaW 
z|Ad8Z{amc<2NtvXJr8KfVQHlGtdqo88}GZ~1Vh)dr3b>UyfS2uisb`<0kiWcSV8eU{jJ=&Qt5m7t zeuJ^%9?GT+pV9Kgc>p{>8TSB+&<6uN!GiTu*~x(<^sahJ*Bf>Xv16}ZJssEsY#}a0 zH;m^yQGr%t_1p3lD~>JJA@pDw$#s32@o1AITA<}(?#UxLp=&lMl+H56;;p_J7;spx(_Qn<|1OmoVl`CnQB#Jb=cAKIVX|2 z?|;r$j`tPhQ`?UgOi8XVCMBcC7OW1Nc2dkrq_)xb9BKf$9BMd7qELUmSa|d#VG(&B zfG$4KQG?}*RPM1}N8ugtfvyw(BUgj8*7~bG*Kpf1_%Q9)T~+4JrlqRkQS~t1t3G83U-aQAxf;SC^7&v7_X$B6(EOh z80`e;_36{wy&u}jedv-kXwcw<1zJ1{Vng33Aer}_^gwAQnd^sNd~UPPJ}crtiWX@3 z8%s(YH>M?{6#%W|7m0CVtk}F^PWtrmPJz)b7#Rt)0Ppx|`&ognuU0(Ce-qGx)w=p> zPp9O^1aU4b2kb|*?IP-85|uol70H)Y zY6GpR+BnBfnBZc)WrnddL+*$k-?YhaPn25i!SDoKEqvyMA8ue7(Tz;4dJ>o8i}O$@ z2T%c;d~qE>i|+uTaQ6#-82~MGpkTNF0RS4l`+7v^6~S-;tPtgq_>S%rbpfan1Fgim zV1PgFp$hC6{{>PywXZR_gKe3a9_&jPoqYj z$coJz5f!0nPzsOqPO%U#CDwqko!&rekT&Kw4!mQ7h73LCbs{y#$n?`rwZ}F+C7{(P zRojDNJoC&y*!X}8@RgeF4=)R*q<;PSPA>{2c0h`M9iW964;?L^O@UD%`Bs3vB(C#C ziMVKhfdZIuFJlp2*kd;bEi$1d<-FYKxQE2q%0Z|53Fc` z7P?q16qNYdSp#hCIfHD8bZOGv>M#IWX|_Q4<0B)0mcP+3#&91(@?&LYRvoQqMTd#! zAIiD?`gw8Vj)i$ltBoQkH@Zz2tGY`s4cTonE$LJ zA*o#lU>EC0l;Uw`0oxDQ!ac>Y#$`-N8;cby=2#~5p#U`DK+9K-2aKWTgyK92{c6~- zZUO+|z@={8I*x$?{B)ExHhNo$*)UiqfDvvXCO#dy6 zR-`!@Tuy#0FTWZSnq1Kc|Vj8??=8tJ`9x}Fh0%k!bt&Q2N8 z!)~2B*w&mq$R-W%ahTN#fL7XV3X#S`a6N7MJ|lrvZ;78aZ`)?Q`}Rxo^&}q&_FK=rEEF#qkVy%!l!J6YdH8Sj+RhnPcLNxanBSN$GtV z0knLp!xeJ|%1P=}d6_@Ou9F4gzeyQBrTrh|OZzdN8TvRQfmTn&muorzHQ0k|#?@sys?Dp=A9uW$g2YMXE?qpNd_JA(mqj@f=fhewPAtm%>&{Q{tsi58}mj=LaV%I0WB z0gNmivnUaL~~Br8=qyXDXA#TQJR za95PKSZ+JHaS1EkrM#8uUcpLrC})Lh7Pee@j|}h}esA7#g|tRiu`UA}D_TV(MXhLP zm77Ynd{c8YtL+c!N$pSH_`(f3(#sHpcOCiA&yJi zDzNm4Vs%I)`GpHTu(WZbXO2z(V4+8JdB7CF1XFAP7!L99lujP3#E1#DWQk`XhT}V! 
zrAn1TQY!TP;sD?PSA6H5-n~P1$t7M041k#*(t`M0+(#Z5FTfL4OZe5{x3cokj-uu& zg{)b;IArH4j1Hg+g=yMJ=ng+$t5$!vk+#;V<#|4)EqGNXE*MInJWHgp5Pm%)fEJ=d zg6Iwz*u@r3?PK#4=4tSNE{B8c2BO30-eENFJII?ceVdU$tAgU-4U)APpPAwP4<9ws zR;{_oYRYOpGqmSe+i-HB+}5y_d|{nZ#=4(h##+rQZ7t@Pv5xcQ{BuqjYtz4kbe#%V zt}svRdFA21LbuA+VrggV^xSakyl1?1etn{K-Z92HJT%Z6p4-YwHY#b^v;GazvKP*0 z@q?S#m1`&3*4+#2vwfG^4||u`M{ite&uzcZ<}V**4ZGE`xO|>Bc~ahdIjw)I2Db6E z$@ck`m)Vb(EVXaXztVoV_$vG2sw-@Rejm`ff%YoT@hOQh+NwfTo2z)U8#@oNdt3Fk z+Z%SWjZM1RgY5^|iuQeNM4cv9zR1ZZ+e) zbQWo_L<_WPw{2&woMvV&DHP?7S zgejMFkv!M~jAqU9KoB7B!V5hBg>yqJ&WLvhfb&5epy~!W0QEh#0|3X5580V#dVmbz zgnq%id0xVloVJ{HnpYMH)(wxz+jn?jC;)Gf#zIB|Er0CPkhNij77B>kqOI|Nq*#Y( z8GE^kb;&U>c_XesHl%bWUb{}k)? z*l?>oq^{-2nZxpzDPl7&9%TFXUTU`cGP7-q?f9c1`6*c1_jBN=;l^uJ0?WHnj~cde{{mC4DG$Vu^iw$q(56_ujJ^GiOS4 z7-a|^tPx@*Z#;?vuEP^6TA<~u4tsQT`ZM;(bo)}`os0;poHx4$3u4Bd0rR@@&TUKuKl|`=wJb!0B1hX;y0X-&Ym5T^SY4T zd1uIG%m~@@&wFgw0}ps04@a1=UIc1grtmqmh2M_FF<(Y7T8tyu(v|}9oi)Zf_2{H1 z1d)SE2S6(_h=!@CX!e zM$z1RBIeCVpjBNKY*S>Nj%j~p=)1y23OjZ!mwZBHhW13;hT=tXTd#=%Qev-a2vpU+ zAn8<7zt@^y&bpjk&RTaVV@)n-V_jdLY@G$DI=^;G(&_b61h}SI$7e@a%?XX{tYxF^ z^WBTgwlB6nw=S|jl1P8)H`}$u_U~9|Qy28ND<==N?-pHcA5Fc~16MPWP9ILY)aAQ! 
z;!vB`wxiwFrmwB6-psD4(%7!8)-=fk0K2t8dt1>}fwN1NIbq%(R+@w5f}^G^Igb)) zCh3I;-wt-y)0Ygl#}*E=GsgA|tPWE_M~lF` zcPY5|@Zp|WJ7W}vigDSlohQ~tJYJ%NH&y^hJ`0LB`!#F4xdW)@P=eT;IRO}gU4?<- zz`^*$aD%bEVns-1=w47@XBZ;!H3tR0QwOXuVr~vBe%v|cA&fJg@|jcQqaBFh5yA7F zImj4?ZAR>mn4D)p98bFdd4NeDoH zDgKG#u$0Aj{(KK80b~F#M1x0cH(`ReaKj=E8y2!pKJmnQzPQ9^wAf?-X~Z-0Su9=< zn-MxyfT-1q=?CKku!6lJKcYa&<9~ibgviE*7!Y6;?l=#|fXxs+Fc>OW1lsB|TC|;w z^7h-k-vL)_E{HUH^zfADX(t=gWtVwi(ANozH1PcE83D9>tHV|D3UBvKGrMbwt(158 z!0Ir1pq%(U*QntEejGM3F1ZdULX3@w9N-V*1waS%Fy?$6M#dwDjx)~i*w^#V_rMKf zi*d?$BR}6^PytDdN&e?RKti;AwhjWYT+Bh@%+U@GI*f626=@UfD{b^e_Ka(;b1$EO zI_3<1keFjPi;V_ARjJ|~G?>Vylv2 zvW@^>=asYC3o2X7NBfAWnjR5k0m3>cb$e}!J+b?ICnEeyDJdrFh~Kt}?Go7fZpC6d zG)3Sk85S$??;p;*)L!a8&2FgK(w0?e6cJN0^!A( zO#;Bh!Vj~AvO1fRe}bm-IVmFwWbtORU||O+`I{Db*gODI04Gkj7cw$F3F~Au0 zvQbeEb)z^>h={~GDU=0pA}?YdHcBiJX%j#Z5fDrkz>ZJqV#DD&|D%-8v%oU2nR0)m zK^J~KBZ1Z>)B4#*tH#^A*N=5d@pan%dxA>36hv=c^{`3t~Sn(2oYWPqK}c%$e{y9-1GMV5>tNLs2k?wJd2Fe`qf6IhwPjoT+Ojt%*|NRkl*Zb! zO>J%I@;FTPSbDs}e0j24|H&nK4qeg%b8yZXxOelu~4gly6lFx4&APs;7koUnDB1pgwqDR=MJMQqVa}Rot7-pcK zxMz>YPH|Xx!d1hoE4 zV6(niC6IMWNHar8YniaRx61Olh?~iPLz1P?pfKiv-PQ+x-l!$Vt(S)9>1fx za{q0anM6HF54!47ZrpJ1Jx<9hQsbfpT8MGlcI{xBmyEDimXEfFE*k1t9ZJ6@v73k5 zZ3#Tx)=spb(kSGzc|>Dn6{(+3wCfoGwEXc?y>+~m6I%*v%Kw4Y;qh-S=<6XqgF%Iv zf|UgfVI_;G&DY}t1R*vDNcm$Ha0BoHuKi)a!C8Q_QE2~3n<53Dh)m@n!>6v&~6I$?IP2!{RQIzWv3^5*s2u8?5E5Lv=% z`Qmx>xe&3#Kxf7|cq~9`^NasopatO0Oz$yUT#U8rTHNXhJRvqr5zv}j#u`dDtNoUd z)@5I0-7H^hIQZ3R_Tjb#DQB~GEV5spT4bMH937hl(7M0ffE4LvB?YzsXSX%!VrMjL zW1%dWL;o+iF;iNxAp0raXSEvDqu0?w3I63>J8kmRDG>){v_R{y)!_zN9X>kUzPf3` z38M_3nI>pvZ_6r;q zPfr`ryQlk~-^p9OWfv=5vzf+pm@;q~>6cu*UAie>TWIB{7P{>>3$=*sKkjhl^S34B@dlMnuW`V^0rm;T2sR77 zDu4-W7AzAwf3yW)gOzN!lU;PSP?!gpA*O>RLYEP7pszfS4iDAvUttS9lUV!J6rpyMka^=iw1E!X@`f}TlBHb)8S~bruWle8tB_>OjhPZHu zqy(?)Fj{9xZ1_zSV#B`>8{RL5YF2^^hm`1Nox0fGo3_x_H|=UmD>qD$ZdPKj<$zZG z_O_r=JIkLhd8er%nt4+Mc z%Sq{;rK9bj0!lx-c=&$`Xd&J}i5QDRHX9ak-&7vG7k@!V>=-Fj4x8W6te~LDDLW&W 
zwWxs>AWMqUCUKEHtF$SJq~ABKD`FQes%GabtYPO~d}Nxd-_BoD!`9!>!1g}S!uH(P z!fw5xzVSPG&tFu_=3G!w7PZ+O<1&0`$VQx5*+xEmzKz_x+(tfkm5tnbgN?YPwY%o> zL`WkR$}94wB{uSfrCu42FSHTo)HrLJ3*@lgv&vY#`6&ciT1#q5Kdbre9jxpAlqtb? z638N5|H>TuY3n6YgpVvXM6CGND~s%h4U6nxG-AV3FSWg6&#|@Avsx-E!bp~e$z8vp zS~FYHxV<&3R5eqtCFRPOvtc7g9Gk;ZqG)&Q+{r3ditO<>TA<|u|H|rc$iS{PYH&9j z(7%gkb$9|eEKQ9CA191h6>{R{M818yr+kY7I*P$4nF7S{$j&D3pQtfu2QVSJ!JNI1 zbW2b|#=llh0kqZvR9pj~ajIv-Lv(_Uim$hl8tqSM8Bqf*J&Q@SWCxXgRr)3A^vjQN z_RY6h?Q55^{Ud#&-~RYHhuL4b&Hl`7zw3WLAJ@MACaZn%MT~v^dB{HhOzCTV|2e;X z@oOP3{jacn{%sEL8hIim<^AH9f`8xtO97Rc?eKln_4PMdTpPaqKC8X`ZXTO?ZXL&L zB^H&R=s?SlhTvNOrgW?X`Hmf!rX|q&-~Y1Mx($tO?d?tM`yX@Irp=XX%l2~i__I~* z-S-RG|9;D2pMH_o{!f7HyYF+_XP@V_=U%L6FKn$KK$Xot{xqNcsxlsXwwmqSQ`+6n zZ-AuFzszHQ{uN_C{Fu!FroaA-b)boQzW6GS{r-EbeWtR15y+z+K-y0#^9Nn0zL$5F zwOj9MWG|{cFT7kK#egfb0j&ZBvsuS8OIzLfDYQ0}h!OE(%X_+6*SAuxp9RpmcjsLD zUkdfJ{y;x#`y%^xoq*Ql==8I83_IOc*NvBc*0BSv6>cEDoQMw@Ezt6<4zV^whlY5ECrSvO)Og`o4q~BITb6==p@RYzc$>$n z2~dQ>F8~RPCqNe_>F9`{pMt&$Ix#35WAgsaJDyoRIxWlfJ4(c`SWn1m3q2Idf94ra z4<$9)9!(ih11&^`8`yQ=r_voINca(MY?tiC(5(YvLx9%fQiOL*RZ18wfR^%oyE=MB_?HJw zw;SuUIVMGTpW#{|cMn(AX>F}aS4#K2E1J33q-j%Ixq7wr=+paX282m(z@^VRMV4Q-#&(-89>LI z_n3j!$Nz4i^~G1&?acYL{?$MW1#-ebv8fFh;Q6h>T}a|Fg$swo8y^fU3hj|tSVZuM z#nGk0axghDJ1iTHh4I@JUO#S2s2_c>;~nc6d4E~~t-l0ZUU;d3O*nn1&6(fJZoZ?j zt-h_9ZFr!b-6SA%`@QvT@$wF~;I)#y`)3m7%D z3zu}W#{|l*)U}JR>LgHB&lWB1U>okQXJ;?$W!J4~Y4<-?Q>rywW>PC@c;ET958L2B39Ql%hi^!fzcsXnXXkF+?4=z$Y{H~T z(F3h$7LI6vmebLaXZZcsjIj^bjJFpr8~LBo(ZYHOA3rSen8Bmii|IQc2`emo6|oq= zVBy>mQ}cJ<^*|Nu75;y|{K8W}#_1wHt}wfQ^)=7j9_3^{@%ht2U<)tV8KKA<0Ij3} z<9`8YVM&O8D_C0CSU=&D3MF#y)d{`Gk80fE^-vz#gED->HW~3+^KTUCcrJ*Kv43(LS2>F0uBA%>m2(v3LULKWp()7Em4XNrK7cL_!)Lny?9%896DM~bl9Y$#aFMB zspn_jym_rs<;pVtDHy%gVGYHw+IZi6He}eahz}Vp&^l~&c*kV3ho;$QH=a1L4pU>1 z#n%wNdH`2AHl<895;h@B)>-)RW)0(or4~Mj(AmP55E}#=P$zxIdWsW0Cv%)XvH@W| z#Rh}578@5z$;4Jne40;<=ZI8BY5}d^|A@194;He6hYH$(_Xz+UU@N_`J)1JM>?OBOCQX+ClX`bIz&ubF1Y}r;$r}SF?DEq$vwD3WN 
zlTUyWhY1{p0=!^k5osgNCiD{kZ2fvq*N}q)zzGHy%S7kgRJx1L>;8$-XS_#%ir)ZM z7>xk5V1bDnx=Dr;h}7|22NO(01j1MC*x?;kUeh6j-*6p)_?@|jh@HAQ=tLUJnfZEJ z0WBCU^sfAI|J66Sr5}~uK9wGpuVeM|FWKzS$I@>UFyeQB62I}CggzGc{P;7!<#Bph z%tJmulFk)#h3h}*`Y*p^HR|O1pVHSNk>``o^4V7sVR8>TW9V&>Xd88L@8|l?I+2n& zn%RI>zI@rN*J-6>b(lgOtpuyXX1BFZu}64-7UILDyJy=E(O4Zy8UDwO39cQE65H^I z&^xj^d}G3Swyt5vW41cPL;UI*Eo@Q4c&kySe5RhC_|R(JvZa-hn}?(L9!+|YY2KoR zefsS;cGkJ)MtsOoW=n{X?>DLw9-Sq zh!8`b5LSo2j#eVk;SaJ>;`Dl^PRB3l&9P%ZdC&eP@$+@QIqX zTzVsS-e2FYmhK38C*d2we*tJ==mEnDvBR1pV0z%0otg~XVD1wPPynX(gwgD;&>P=4j!<>Fv=Wk z_#MV8GXN7kcJBbI1<;zg=QR6jn_?VB;}!lvd4)eqU~5{+6ygufSZwc4zr=2DCa>_v;ojj6 z#XOwfxSiz@V-(GNNbkIzyLQ$3zs<%^ni#!j_*}ViS+(lb<>@)H3;bw-7S@Fgf=j#E_0sPERDJh-4qI?VXD4b{vb?>sjzWjyGJ&q;y654isyk7|l509RYb8$4 zfG@-uDD2Lf*T?2v-qjuwP?~#j59ypVwpU&&VK)o7-Ed0_ci#ijBbk4B7pK^J%f?2o zzIz|3=X_@qP#$Kb9!gpYOfr={2Irj%eI>EQ+5ld}9IPd@(!v zj<9F2Ux)}{k+Ie#4@M`j$XNTrd>!vxOO5+!KWYQCAK(c)9m%~5^#(vII-Snc09shp zqW_8*`gq@cRyizf8DG>I5W6s?Kua+Z>t9*N;-4RCUEWB!!_t1QO|^HoN9VBgf14KB z=Su{%QW#7cb_<84k8~XBTsx#Bm~>(n57*#FOF(T#BRMQp9LVGC4!WlJrtC8$ITpOM_E<1a^P;g^iyVC z*vEYb@bN#&zJRZd57e=To~+>%f3K3#?*jr_H?D7P?;k4gp95O3MR> z(a+)&0}e#o{EsLdQ1R4Lp7(b)F%;AhpL4BrX-{+x2!Vk@=MZP8uv$1IEnL{!>~L%f zQ;ayC*ortp#Us6Qi6T~)ME$T`Fkpz`3Ht;1$_(=bP=%<|XNh3&FmS=B03exM8;=EO zy|nee>lvPC0>|^d8Mla`KNj=OSc;Z`Ok6i1cuJSaD?P0;E(A}CoR;E6{sQS~-P&wEbky;-tkQTUzQiZz@ydL6AsiifrDowx1OnKL6kXtY3!P&-XJwzpa1dfB-X zd)xF;J^xcyhbeu58J&;K5#6tF58u(WDYbysZ&J#A{mqjduzKx{;b=29LT8Vb57=Dz!WL79%1 zbN3-8eDj@RPCw+`_Y2!&vT)k|N@=@dMZDcA77H_Um@vQ^?fClJ+zymIFAJ^Dzszlq z2@G!ARYr_jd1tncKcN4b=n&9@PGL$nA=m*z?j#qq8D^FZ5`Y9S!qIOuW6{scCW(b2 z;0+Llj$=j`iX_)|7`i|IJd&Y7JW7A2CeXV3-aPh&7(&Fg?|%?u?|)a+-v6nTz5ioL zFMU7Q&xw^J1NuaeiZ0g_z|@r`hl5e)0j*{?aG^qr=7TSX1$x{2zQ&z}^tBa`*mU$T>pfnxFWc`zU|ctEKEi zfiHeTN9!%=Y*9YnX^XFm<=6A&*LiG*^tlpmN@=B|g-%{dL`~^6e%PR3ol;UC<0_J0 zE3O}n*-1$~w8w7~pBbUMc(isRPW|@Vzk$|ozj+1#fCE@Q=Hx%;U=};MLRG8RzLV8e zY*^gqkdl%TG*IM$YT6h|mdWEBBm+E)m&;`(uUc=V?%8dn?%Zmn?s&;cp0&V=m(Af= 
zK`cVCd2lQZsK-YkLCL@V`fq^s;fJ2cJGDT1Oej|UT*SK0_E@bH`O|{c z5-@9dUsw6llKAj-kFh#ha)G6l@3!4ywd9O6rL5Lp%KPIjiw&mggB0p&eJJb0JtJq^ z+IsC$%xWQK#3THTEqhqcx{Xt`cBEw9r)3@h*4Evx*u*KPL?41DPJtZr<;$l5mp$Uc z9t+SyKkI+DPBOc1s(r9>TmZB(spnhVO#l>FNI5a$tse2t(N5Th*#j|RKPbP+wBDo> z6EP*D41cuKb2z|?bjnWdx(~V{-S2}v@}=~ir1GT&&|(w2;tJ1-4qczLTv&p#)2@GE zkPjUS$+}K1T)y9*1UD)uMgIG!;o-HM?l)qpWt5~bDHIac)1L?j3wraO- zZ?#%=@RI)LJMlH^wd-hA8aA<*Ea6N+ZVO%bw1w6wPUnpuTWHmX78-w@#!${9#t|S7 zmiuIlHQZ#NxQ`ATx^MszKoyK63{OS@*sNJkQX5OC-I4b#04snBT|MRx^Jdg2Pb`SY z7SSz$(r2##mb-U*04v%ox|>*@Kncku%IWX2NvAd&^5u75If ziM?~d0=u`@a9dfkrClR;4Mz*d1IW5gX?=_Cc6##;mQ^CTl=NFh=gBF3_7WvaT3+F$ zqqHUIMT7V~3l=T14xKtheAsA#R&7}ww(8u$?mTaZJ-T4HtvYjHhFBfGDeI+-eo2|V z{+<%EK)3rKghl6*PyXp-GO6b%tOe|tfR+}xNTBCLzW&X3+3c)~j^AM^n*=UC2-Aea zTKWWq@>5O;#&u?&SIM=HcZ%XZB2s*cv8iKy$)*qZV*dGw@4WB*5@kK|L_S-+zN|dB zSGB2U*0muM8Y`Y=b8FYPm9_5K+M0K3V@*4^wZ@&>TXm_0WX}}_v|<2SPbC1Yj|8?3 zS!m)lQbIlwXeHI=f(7$R1Y1r_TjsC~Yuu!%jT|#tI!`4WyX(h}MQI&IuvRTk9}oiw ztXDahV3^^9TELXwzp#mbTP$Sf&-V_P0L_%Lw8t_A^XJWOJ%@;;64-Jfc@QPa%Ft)H z_}?V~u?F+YS&!2yShFUjtk(F3)_L=2>1#=ZxKCg!G2qg7#EV^ZE&i^4R;f#M8*)xB z+q-3+{on2-X4@A#Z}ESICD<+p#CBh1&pda&b(kD)GkSNl4;L-A&jg}Al6cSoE+2Fy z{QseT|Lly*?BGS0*z|s#tZ$R%wxU%}TU$5Y0Vx30HP!wGT~1kE3B9cK&AZux_+D1< zq{uOrkEMUp;-1{n&njKEtj5Mk(F3iO2W`II)6hknWkW%#!j ziu%r98FOiNpv)GGE(H4Y4w;wdzh@DcHFQ9Qjb? 
z4@*nlnbrOxs=~@AHtk@{@_#cbRlaw|Gst7xmGNA8EA$C?6dd<|R(tjK$H7T>9l{pt zTf*+xtETo(&U!aZ?RARGJl|rw8=l}leg$nS$4JZ3_UQAS1TAaw zhHHmnE_+lCW0L92Q@qW77XKLbFKFf?XvRrDl4KwN1h{xOD2yJL(`A$Ul*$a>35E;c zk<~|wN62>ASoi7hSlfF*>_NMhjbaA?Hv!z4W_q|5Z=|{0$1|OM=VU$XLS;V|xJ=N&50%%2Q{CIokRZR$qzq8m%Uz1+kj*WaC8KX>46V`O~l z4Gk-q!P93rPYz<-s~m6Z{W2DZl?3?e2P_vtMZK64FFNwFC>x*;C$%N07SP$-BPvmM z@wB(~cmteNTm1$kgA>J*6&(T9^y;g8>$(-k4tshD4JoR>`gRAutrfUe4rB?fv~SSB zHprF}V-0n-+XI>;9muGJdj4S9TmEg-9-*DLSFhl!Kk06|yG&O+yIx9Ou_`pO%u279 z%2GVN7EE3Vts!2?d^lL@rLt#BI}Qtvs+&(NUb#JcT>c|NY43J6U#|eF*3@(?m|fLe z_-0W;SZ-C;8*Ej7Xoq-3Nm!XTETA}~tz?tQvDUJ5C)#5F8=vyMElujp?nFFe%v_0) z5&YS17`A(4GbF*5eWgHDm=!om;an;-1 zy=e2|i1{0)(m3j-IQ7pGFMHw01sj?@vK9-fcB+fVuiRgA{wT~@6lsq%V|_E>)%7;b z_=5+Twcg5KwilAGof%YSNf{7KxA-e7TVSg-G4(zTK;CWQ_t73N?2l&I72h8@Z)Ii! zksx1YcdNW&lys zf9`>rd-zzf)|lg3NT%H-kAhB(&Q%(3NkW}aZmruN&+0k{t=R~oVc6?9R3M6QlSS>x z+}6ob!`4lf)As3J)%GcGTJlHf1ExXg-J(!ZgIo@LI`~s6(%xwTE7FQ6cBV;7W~Ob0 zqtJpoj6t~eeWQqPx0On>_M3B6TEIdNNvTGDExV{in7tT;V#Q-$#K&bm__1}eK7)Uu zJOecPO_Rkr&$Mw_Q;BVkv`lEl&E9)uxS#Uu(YqSWadO-NC(_MkC3F5OQHb_MJ~Ulu z{ZTc<$bHRi{!BYz%VmG`s40>23)A)wS@hatIkg(E!n=BN86!Raen6UsLe@=#&<($r zy(&@O?h`-;E#8G)y`XPsU2~dw*%ePj!gs)ijKS~$@WBh{0gwkpDEa?ZdjC)mpAWBg zXgjq5X6YpM)`6{*bxe(ku*S{zYQD<|+AjYsn@i$Q$c?rylYC2ZKVB8ON)4VfrV)1H zYB*a;UO4x@H-G3WHhmf3tFkm$5qL=qp%m7glZj%NMMVmG}Y>` zts-x)Qhnma9eCM#(!*?+ymi#Ej_T#G6|0;4>cjS>&TsKWuBXap<@?ZAP zEwyf@8Fw$bLfkN$`DeS;BFwX!Cc?9v;H8XQWenU!w&!-s>rS*^_(JD6zJ77Pro#o- zrCA!^?tun&`b4Y-brHPhv!9sPb?>b0*FyOk!V4D~ycCN^Fy#@0OPSBK%j|_xPW|W_ z&V1%jrXoOO;6K|dbcBnUXEhY?@qFo&KktH`MOXTrbHG#vC{S4)xyt5H-Xp5 zFbIBehrowH0S1sGFVOwF7Ap1d8fh zk>TJsEscN4Xu${wX6$!NLTw^5^1;_jLv_marneE=m&J^F<0695?U|@fd+fg_SQ?5P z2!*t2BF0K|qg$I9F^m~9ODg$;(f1ne`*}+Po*w7RZ9cQ=Hg-;>yC3V8?hVC_kZJz2 zGbo;|$C~@5Gt@237U@56`da;4uf(Y$Xk*F@rZp**c6qul;XE5{I*?j*f+ab$DRVI1 z$cHbWDs_^ie=)Mi#95t5L5lHYol(^qH6k6K6UbjX-Y{kf*B#zG#G{qt-nYf|oW;Q_ z%)EE3V3pUmSib+vD5Geebgp+LXe`tIg8EL$KUT?`5i3lM!}t`7;Ye{&hyjqwR)+QC 
z!?J`h!1&vNTj7_=X7&}m;Qov<^&Mr7uQtm=h&JU@)w$wIt-RkBy8iTf)c4y9>zyU7 z*L}mAo3mT%8=iCc_IHsh`)hk*FvpVR-?aAHNlbO5_A@Q?Itps%Rq9Mn_E5dkVScui zW+>Z188RE>HjOZ4Nu)B#pi)7|%FAr(*L+Gux*n~{0XWM75OH*Onr=|LfxN`SB^_VG% zn4|L+$-70fOk#i6Btze+8FXKx?Eccg8v*p?k_zw4CqatVGI*Wu;U~M-_)y%O@IxTe zlUb9TsI~xJefVRQzhU!iB%;rLD%A<1*=kAhz@Nk!m)$t@Uo{h=Ynf|T>AXo)x(bgR zgYh7=Wv^pj0WwpK0o7kOn-b zR5wK=W}b+OXlhW{fAMcm+e`WGb~iZhCd*3P3I8uUU9UFmGBqKEU46yZNkS(S_*ehk zYTlwnC@`JRJ+n*Y6>`qAwanu8nA4sIV%8gtg#WDTOL;FbpirnZ5QNH<(yJ#Q#P#Ni zAx=jP&32*RGmOWIIQt?YrbHxuSNod?rn*s#T*;d`UYXP&TZs*ivY))~pAS&NKjA4Z zx+Pg3{g27SQ&3xTG7d3aNMGnHPzi5PhS$|S2xKoiiJhM>&=W0DWlpwwWuMX?s*fsN zjc6%-7Uk4?z~t0^2))zpQ+vrcN7ghJ7%w$g;n9-i#|%voSUqLR*S!%48Fh3h6cO9l zw-cKnIu%?iUl(1S7u8>-@*i{&4`;sT?0DrF-`+T9B7mF~vZ3XreSXwyI;(5D>bvz! zui=m^4P<&R_@@50kI3d(pI{#}B*=EVCUW6L;yQF(SzU@%vxk9CV=?#F>~)8z`PPM! z4^%mM{DbIEt-g?8T;f(}6p7sv)@dDXF0#O8j2wQXxogpH#Y0`1oNIg`Z7!ul3rfhA z$##N`J47-@d(9h@?p&|yUSa7T?eXaFWj0@rA5m(<1pmEC1PDRpV+J|M#q+IbOT7a0)1fLW0c~_hywm31iP1wA-lbsN)(?d+ z+y)l;itcctD${3ud4C%U^7r`P;;Di)z+y;heOc-eZ(9Qbf>>k6H+5Kk2{Y{v+SyQ_ zhk?iTFuzyexE%WMl+7nWJa%hN`w^?O%y5@^eHFAudvE5fwr4fBl?OM>%yB=@?nhKeICq&8BP-_rq{5nhD@|l4a<8oWuF64U=hFaZ}?fb`lE*&_k*^4 z0;+#O68B$f6^=8Xoc!?h`atl z&IT~075=fu(bnMvzU`vQid3fQ13u^2wYt)zXGbQmRxY&skXL{#O+5F%hH&h2J*3V zG?M&{9KAEJa@S(7@LPS`{|3y$rE>D|{^wdgFaL{Q{HEj8u&Gz+rWM{4vc{TG!asUW z7<=={RN;}0`(zKk!s&(e3eY>bBH?=fZ~8q$I7T{%#4f299V?;BDI8Y_V>}P#b&OHx zY!kU@*Y0C-P4VOD^{Mg}C8BY{cE=k{WX*ZchpBv{ol|~h1Zw4uJ|V=VH~EDhHzn2sOxKyvE6E0 z)*&XgcX!nz3kj~5kCubt#-odNd?qp$LUWE08h zKfqG9n!UVC(`2`f?f$Fctg;S~1{eSO%HCiOr&cRxe#**4jU-(rJ@f3~sV_$#EX;9J z1VudQ`j2MwBMDjb1xR?hn&UXkz*R;tts1N9#Xk;an6&LP%+ev56>tozOcE8D0d=*> z>Iq8bbc=!$1XSd*>z>qOZh>Hc%zCRDhL%QPS|S{(2Rglo`Q4Qru;RBRGNL{}7Ld!Y zHB?<*BR)O`CoDO-uKKE%fP7JJ5dxk^0#;MN$=xO#hpGL(cPdODY5Ujw@8EXNbf#B8 zba@V58RBqr?o*xh+Mzf)RcGme?xgmX+#*6W5=akhv+9d&%lBT`kB1~&x7o(H??0=|GkZ^SzV%~Sgd`_49I0fO6t>nb7TD=nYq%R)m~q-W^uXHm6ygoYOaDl z@OUWH*@r5S`ginlWHI?!{AD$2P~GFQ@C-K|Ua&EDTXw(K`x(F4CamAuLt)J{vG$dm 
z_xIJe{l!Mwv6oHn{;XOaJnP%@g#}pK^c$>g8r7(hH=wQ4sNJ3cdg)#6AFztJ%NyW9 zb~8VvIAt^Luz2Dl7qcNv#3U@jFrdBwuYL<^udXA;C4{%>LLHD%e@SL)eg>iF7Oqpx2-BT@Hicv!PH z$efIcnIETf>{)JLR64+$P#hlpJg^s3p{gFzw z;F0#3-bwu-^nu8F%jKr|Ye}hWg&{2EEdj~vENdknoq}U8#S*^5p>sJf=N6tZ7?tEB zTLsZu)_>rggxzkg*aCCxsN{q^I~e=nDb~K~y^|R}<rYXuw2;4I?>S~}2Nnyv zOGt$sW@-(I=y)i*&SEva@CP-i{D-r9UDE~&Fd+9UEdP_ zOF3p|JFh-qcUYrgSIxpqC-C(k*7C+8P>AGf1_`1sac_oqg5NQXBa zsVq{VVb^>LoM_p7x56x8UcXb~5Xf))F-_a^Wczr zP@Qjvqc%A} zI%#R>Gnex>eYj1-+e7?JbVetQ}BVD^ROzW=3ws1W-{`711hiRkcNPhR(o(MM`t(bO26dvok!Nf?92RO=+H|%wm zhfb95xGFP~1cw--Qv2}BCHe3TQ%6s%ecB0-zc+|eLF?qm#L%DMG>dWv$Zq6&sLc-S zWPJ24B~w~Hg9`%iFXpy$7-V5s@|^Z{pUSaPRtY3;aA95&F;G3V>mJv z<@YT#GqYV!-XrH^*HDv!FyUtbk@|w*xxeCHANK7_?P~ZmtEAKLRY=!8j=&B{)Rym= zJuqJ#!Gs%U@Ew<;UBJSbKs0FL-ifbTc>w#Wo8-OY)~yEBhJ3pN{@b;WX#<8o)tlh6 z$W}Ss^IbjyAYUt!0IrOI=W$7k|8r%GBZ*aH;cX(VH=vewZ0A?|dUoK!P>a{~A+fUr zAucjb5^HW2UE2xlYke(~aZB?YX4Wk8zEzrn1V<87MI^Eas;nKoPz61{`nbe+M9-ap zKmEYi$d&!itU5l_w@09k|1a)FhZZv%R!13NlWUzRl4U$uuc>M6^$_9?)btLF%+Blx zG^M9x2YPN>-JPv0?f*KlunJ>8%Y7qt0p=z)5lfiz;-TEnYKU4!E_(EON@1f9R1vax z(tL5EM`!9mBf#AmjLSs1%!!0Ggudjk+HEJ> zEy{KHxA%HNz2F~TShT$iao6YWoGpGux&I9~Is6<+E?%OT9BVP*Z>~2rC-G6czI5Ol z?m^rIM>z54lnU_FW8t2AqlLro%&nLn6B~&C%ZEhjGAv5rC73Z%fOE~JstC!#^3{#L zZA0y(-u~9mp>-+f|}PE>(gVsGC1CrI?+0l%)R>s-%wub?BKAd$e9c7@M?7)MJ7DkY5wwm>x@5EV| zyGOd1AG$}b0&&g?Mbq-6Vy0V--d@IT(phKgOIi=aX~bIXUtij(QYuDnm(^8J#q?Fi zIyf1`Kaj;rucL^gOGe75hh(uzMxL1}8qF>W`A9&-Wls=PF_5gcNcbv(C<|R*XgJxl zW(qO|xQ%P4iT~$s9{$Qy;gQ7O2Vu*H@C_zkc{$PEeC>;%I`M72Wb>M5`PxcSEAVUl z&`Q=^yH=aK?_Q)h{wR-JS5h++ijt2>2@=`<0Yd{+a`b+%8=XAo^YX+d2mLFta!WD9 zQUt;^YINoUHGiBCt|LKFJZ%QH$B9c!1n-yUGU2DR5K5g^Dm68OeGjm+L#T_N5Y(NL z!EbEfDPldue@=JI#xji*V9e~ECY9J7^-=<$UZWepS2VBra$I?BHk^}PWT0XQ;^jL4 zJkDJcnK=J>*i|v#Pev8neT4&%OYcJ_C`OJs2MeC(+xZ8Sww!-<(rs27*D#8$U_Ty6 zErN8|MzY<2e1_oTJpT;vBD{b{!V33Z1KlrQKFtLNlt*3R_d}u7H~uXenhDw<(2~)F z{(Mb2!cG29-d{*|`KqM;iKf<%nxU-lB|Tv-0=dMj$H>-y;}cV+gmhO>R51i3LnEbq zmur6+dCs(O@~FFNYes+axj9d?q4;@6DbUH$a?DbqTc+C_?Zx+s&WWKjk`xdl7G#Sr 
zu!2l<9}-DK(%TNmb3D=z2ftD>PrFUHeZWH0p9c&j@K^`{Z*$ zp8nzCYctAu$H`7Ze~V<83zFe~Kc=r17NNO)7}n?fq$7%xNg%8o*t;UsX<8$Wvk|0_We0}n`B!VSlKIz@EwWbO#O9WZ_2MlpZ8Q zEGv$|6*hvrD%I+pe^7!B{`o^q`y*i4!_muPGb!*6hc?WI?}+T2{sL*D#+M$sm~${R z8N1fW)%y^4qO4cXR`eoNg+tKYu9bui2-*-sKv0O}+)Yu0PX-H?506!>e`d+b}mU@%~Pj5dKj z*?c=6yY^3x;uR7_7W^LxfzR1=c=+~~85kK!9BLOu+X7e>z=4TjkvpUF{Ti5LI8bF+ z890oi^P{cLkCtFsn1z%yZkK{pVW}fobRi5`ed`(7;*T&>P;RiNmGK(~pOT&ChJOYR zcnZ#Xi2J|=js#5FiM$DioK-0kc7DNw7=IfGKv|#1#s0?a!M0!vCsZLnTJQB6Dh~n^ zkIMtOg~#z{=rtqmL%>*4-($iPg>F&?%z+8#$u2WbeUHA6LEt!XbQ2%rzWIm;Z<+OF zRJNC^)aEx+?8>g+esu%a+pjywncCMGD2^d*v2IlWV-i*31P3ZYo1$FI<(>CTw> zDt3psdGKswbTlET776>V6vb-dj>!BKvaz87KKMBL#?)B@%Z&dK|dCN1E2(u;>BTEJ64&}wCw(lEz>*LgD>^FQ5%F6ll%Gn zw~1hH7JeRsh-Cv%3S2zU%PhJ#c8Ls|=03t%_Na1(g!{~ADkszP&dNlNv$3-4@oRDP z+nIPIGefj}yiN??5# z@2;O)f-eWyZBIbamHc?=6v|ElXDpK{07e)hb>e-rKq#2#yiLOxs{lQ;;OFd=%>cJ9 zfb8ZUP8+Zv2mV~O36=pwyMV9h^Ye^DMgYyOUtdH!%rlyH;AlQm%TE-r##!bK*bnOg2W=0}$o4#%alETArpve+j=QR=4&7FH$&K zNoVmPf+%jx+mb?fDOu)V^HiRvCoVf-WKjD8@f+<9#5vSi}?pTv$u3g67Z-NR&rE2pn{x zBC zI(Rq`C1!DUrb_vln0qF|2|#vo9iXIYqzmd9pboV=(^WwM2(dUBXg~Q{flr3wt$w<@TrGy4TUO*i-6Wu&3?056xx>pag_CK=8AAFY}gtw?V~T8NJ`-bTj;ytAjLtT{AE0{V^!!Mcqe$MaCF z0)wRRWtz@MrIdiSMGGMU1*=WgVj4>-6lSLe2m_YUO?P~=Z(CnwNi*Hg<8nX~LH@)T zE1+P^Zq^q%7WjQMRm7)Y8sN4BNm&CT0M}wV)R9Sy_KQ^X&nJ1=Y($s2cU`h8|GL)f zdb1to<^7j~v_n&=tsh|3gL3(8w@`e3#v)#5X8Xgbu{{AO?%KZ*$=TAkvtFHRi2g^Zau{C%mSdzR- z!7A$vhzcOG=%fNV0gP7%0^u$Yw7u_iuxBrxFoh;(u(Al@H`S2D!|JSsJv3xM4gG~jwbP=A` zSV}5i7NY84Oc+HY8T2GnhVKcRQx@H0z#P65s>SRy0{?!kkBlG3%bNQ|E59}zzO5h@ z+|!R@nt0CdUg}c-sw=jwOBNm#4Kfyiy_lq_}Ri zA|*YMdzi12!_MyFJGNa3ojks}93P9m);q!yYm*AanQ(|AijvxJeAzJCi63d%UpkpZ z;6s^0_|%tgQSrGj8ucNLp8Ja%o=Sd9p*I+3lyI9(93FrGa}EC_!EXCxbmTLV6brM^ zpEVq0l2^khw6MAjADF-xX^NCqRQsPI=PktzoH|aC3w8E(AhJkyAPKfi=mu_8+y=5P z00%se7Kau_i#y|tS%5r`(kc4_AO%m3@iUGg#ZW`IrMVQjRKi4@F)-wQ1m~R9SbEWl zEDDm)OBK!by{#hmAQY=C@2K8uC zMI|=ffQ!p!^Sx=zXGLtv^6|CiWkunJmHVOi9Aw>hHQK=&f@l)LtEjMPh6H+lYENf$zHdtSDwd-xY?Ruv6ujuf@EtViww+) zD2^UEPw3K{w?q*6%9C_7Os 
zz~5?Xz)E35M|WScK_Eu|v-uDnjDg-|!ZC_xN3es;a(P8}`B=*&Z-x5$SVYWa-2l-T|-zu(x@oECKYxNQ1F4A`FV&w2B0W zKzbF?J)qb=3IO?1XmqyTK66_H4O;0WAHIfb1DBT2C9ia-;fp_5U)DBiIb znotAJDQV_u_UJE~3gtYSuxjc-s1Dq{aV1a=hyjq9vjZs;Ljeu~^Z+O+ zES=-gtQ^lUU=2S`jT4!m9bOmUs4uGm6V)9$9VlZ{06kSnLJ@Q9 z0Srb`DB4QTqhN`fOf0G!0Nw&ns+O`+O0R;LNrDkm71?Z`bz;UpMHoOoN(B!4f$MF_ zr865f1!%Uc4fYo&K&6w(05s>3uxG~kmZIKZb|%$NCWA-VbXq|L=Vop+albtv2h2J5 zf5!Cc@#NSjMRVs$rP2Qjn%IpC9!RB&!~Ot#ZSN^pRuXX6&R~=#`_;;G7$lZ*a@yGS zmtyQ|i(fYWWHD?qUIPmpxv$&}9p}{^&UWdLyQ_X%KZ5uM&YA2Z>Z!gl0c!5uA?M+$ zIHK9lBk%jVBRvBV3D)pQ;0b)yKJND_TW5;9rnHNfymbcFpWH5#zJUXAq2bni6=q{T zUDDTQQScBF6Se5NU)JaF#`NyeK_G%rj8THuI+6*%doUu5&;n2I6f3?O^%vRnqd4Xs zFvtlWD3`+ydbb4{{)CKrnNndSO_f6B9~wv-Fr*&v0|SixkZJ_d`-Orf6W)UsZgp{@ z`1~w_U8>(GA!r_Ej8{g<*G%gS?Ys&&F_Xr;+k%g1@ZJ&nso9X9TQ1;Utr8mMI? zKb}*nhB$IgTx1PyU$m^e7d(;F=J2Hq4vpM=YrZ_ocfofgRw@0qLQGUSc8!L3B({po z$;o7W5LHGK+Hgt6IRwwXZG*Q{8KO@4Laj|{X$aoqbYQDzdZ_k%H1SxhloNRW6Y*Ul z^EK3wt@*Wx(DvVdxAQLB_)FF-%Ub#h%sx32_nzyU62`V-3}eID~aot-NRVstY)b#C=GwXx z3#ff)@plz{5-nkChS-`n(dNlQ%b>`KbByjB|EOwf0(8Q*Ld&h}-RvP3bAWa%r&sAJ z^0HFtO!vP+Or1}|At^gWqM_dy?|hkTOc?%uCSA{N9}kTq8(s|wBUZtXZBKtkcBE3X z3d>K!y?&GG5T+uM|H@5dHlX&FR1;+aJd5Hqs+f|H;X}^(sPYFt+p@LX`VR*Hr*^mA7MvYbm*{I;<=u z(O~;}lz%pruX7r{=X|$V{m!BQbg?nCG&7=it2xvH4RhDO*9_&cFuxoO`s=>YO5Yx&z6{SCNh~5+mqGHe`u~Gb2 zS)iE6jq*pgJbF$y`h&!bjrd|=_LcbGe6nfC|1}~Mq^8l8yn+3kz1@n$dZEf0w947A znrE6Jk4}&QS5u6ENLv=ny349l(qql9D`w0qZaZ~~cbEPwY@bwgcKzWKruzO7{9A^; zlWyu4MBP`eY{x!JZafM zCGA@(*PX;-3-$u7%3UY}ylX=@E*V3d z(K~pcej_`z-!yc8p*~wD&QXMIDsmk46{*F)A6L4Yol%JqForE>nR?9J->%uw4t*g6 z!i}bOQm|1SAbG;tK%^wkzL~E-u*_<=mq#wO5c}EV`+AYZ41zTSzad<<+cp?idCz}S zhc7d4I)G3=*zrG5JQ8clc^ah6*0-SVJ&}FtfuU#Mnb!`c?NagA0&5k8W$cSi!J{5* zpLZw$+TijFpQ_&54jx9l(1Oc~uA6Q4j7mNME{0#2L@nSyYPli}sJ*=Ozu~ZgF4w6X zeBnCfN13+NX^N@-+mhd2qEMhQ;Nh)2I}xCYQ_{aba!PtKX^-~MnT-FH)L zG+^z-tBO9KvwrAN?+m$2dwbd#zFK#Dg>dP983@U}~gqWm*U zc(6oiGzXnH^W~=>ADGbnq>t~Ue+rOGLvgd=Cuzln+iP$dG?0u-jKn5PSd^+E+?lar 
zp4P~DTb98eE)hc-Gu`8|AX|?K&)CMjKZLja+Tn8mUIHX*En4<*Z(Lxq+wHfA@6NRf z&$5}6p%u(WEu*o8Cb=@xRz?m6&6Gbr_?E9W5pWiV5X!?tvF>@lO*Q=}1G!||w;KN| z6ZDCNdvpKt+!KA3%7DG@2~FD57JgW!eaF?opMVlJhKK0w>*RJkHKbdF(MkN^tct2A zBRD4H?j)pp1gzyVpyO;%sI=I6qvrHM(*C|DgX&2!*bJIqYp`kh4a%A?+Ov6uu8`i5 zcRbne1zdq#43s2cUw|#3%d?xIhFEUrC{U=_ZumdK>ZZo~!C=;{Z z{IaE~)&p8it?Oss7RJ<3GNUw3-yE{+7SgGHZVq9ft51g1E{S}=v$m-Bh$so)o=%nz zcW}0}5f(>>>;ou&357WUR^S1FYs(EPv@XFNpGrMP*w@`snBWB9Q@XR@JHB(7dFq7{ zUa@&5!klI4;~Ao0#F-E+kMk~gkP?~UQouu>EnVhT zcv~3Bv?KCn1m6xRZ0iLKT4d`!p(lz`=eV6xehkc>@n^~!y~_M;i~JYO*)hoQNexEQ z*>#-HY4W?e)pDN~bfKdif$d8MxX|BVHS4k-U{oG(P@0gBlbf#jxK)2E+b*+$jJp@M zJ0?AaCPwHXFBY#>mqn3Ik5Q$I&GH$6rV+6mil0hY-b$U@PMr}83n+XU=OQ7-=rg*m zOr2NVQH)FbX=qC|3j<5&CFqU2;_7g$yYK}8fD8njUHDqMa&#Qg4wjfUS4ABkcjcSc{{i+of9kOp~ z`q}nx7m(w>(OM8@ucJ3yzos_hZf6$@Xr4y01J+W_m{wgqE7aeWZk>x7iTPy1FPw{F zpIJgDW_;!$#42Ye{ir)Z(C0d#jj5w6&62X-s^I#M>XE+^4#_M8l8oee6$e8!I3V~-&hsVdqwKbB8s{H)Qle;1< z9D;T0e*$}iMl$*Ua7*#Gm85alijxbr@d(-vS~1T zdV9M~5GMKT980~mEgh0aUB%5BRi;A)C*=;DO0xZWe_!PjzHH&+%T{EFkY{_N_N1wZOl!zpGu6Y_(`3t&r16MGJ0t`TfIzatT-0< zD46^jbrRtEU079eop>S98H}8L+kO1pY&aeGaX`u-ZO*W%qpa=nMjLsXuY%({365xh zqyw<>I~LfPbI%3h!dlZ(?XkA73|jPSI`gWGY-{r>u$>w3aja}G5|~@}wQN0!F@T~- zbyO|yJ$Y`htP!7_zilRtob`xmEv++#Ec@t9EI4|drXmoXdXhHxLg8zvbjhlPIm<0W zHI>{U*K;MZdeC)Lh?lzK)0rkjRE*wuO&8LX10cy>(2u&@TK6cZiTcC0yHLCi(+L`R@5ARl`Kd&Z$t9o`)M>nL?LjymdA+pb@Q7=KX5F zXAT2=fADQ=d+BCtQXdXpz1Z3=I$^k7h2k~ELfM+)X zAc&@hWhoV0D)%vTuQcya>d~F{V;liX2U%V&Xqsp{alOBYguZB>e-|@mp|JjI7W`eP zgLmqn2Tq>Ln&h7}*W&Ou3ZcB+@CnXd`X|bT z2re5AE@^wKZQNuXyG8{TC^tZZTkS9+F3G`k+XQoP zFkM(p?|3UI5t`Bf=6+3yp0Xdg`n@kO9n*o&7_9sbW6loUwBL0NJC~;;YCIN@PcA?8 zz5^yG+E2h|oW5ibujox=m_pip>&+tF*Vn#?m&Q=8@~L!Wm^q4y%~dH?h_0@zdz*xu z`T540C1E*qOd4#woznX}%%hpcAFueVa8zb^@K$M^+nxYsGLeNA6&o~b+f=Y>pbbX! 
zfH|#E4L1Yfv2{P2a(Ht<2edxZszMAT4y~)=+-RF<_q6&kZ1dh}ZW`qCv3^Zw!2kK!O}O?6ZKeEeW6is~)6n-%l`f!6w%58W&8W|?(Y4ek zD<-Vym@N(_Xf*Ri0iTGTyj0BlI21wkrGbOQN21jFf1$oJo&%;2v=;qvG#Ts3CVfTC zP$v|ssH%4eD*MRHV78#~??G5rmD<)*8e3$H5bOE;H-+_I2)cXb_HzvZVys&2`WFre zBGDG3K!4*}0QnX)_X(i{A!Xa+CI^R`_D(V|vnQ1LdZHudJ~Rx$B#7DZ%^z~DOS$PB z7-SvSY&^jAeosOa>t*3#w^ov$);ote`Yp`$1N zwNm7l5P}M7>OiJ@|IxfsW&j=Uqc$w-tnZz$STci<-5(h&-VyS-I#Fcc+OL3bEY7s) zkAfAtvCLtnJetfH1pd*(T}X6Sc2>a699s)(d%$~oO2KxD=258v{lfQkJOeA+*Xx1? zSjKD`=}^5ued3sP+A_7i_;J4d;ZO&d>mM!cy>rBUx5lVPasPNT##{fE3IqE6Wjvch z_E`c3mSMXa6pQ4ZvL@aZoQqyer`{dCrr9sFl~In|tlxRTeLg#l=U+HpUTUr%zY`Ud zIMpo0fAgaa`F5~2rvLcR(r{V=J@)`$sBI4vzugYNXuv*Ni_w_32=(K&F-Arv)Td3; zb;<5+x6dDaS<#+BH;O%Z;E`ts*9)u;t8l*E#J*0&g+ADeUJ0N!8}66HBMJi^BuX)I9y&9PJr22Lo+ht{)E zt!4RCm`#umOldk=QgH{M8=Vh{GR)XTwd!LczGSo?WP>m_x#Rd3!q`~fGt>@A+-ln& z)vE_wXhDatcT1y$p28ZUc#=4k4WZEnj$IEv!ws@3<&}=>h55Hv$a73zYO)cqm~ft< zEO85{`-C6^kkp$e!XNy@vib2-c2Oi?k{wP}WhuIaY{|-T?Rb&7b8*GA+W+C)K$xDJ zGJ8L&P(}!Fm-2p$71~gf)!{V*WEu9d8e#L12Asr#CuzcOKmi9FjBvhN{pv6#%TgC5 z`pwHnVD1N4M@)(v4{_bN<=o-#;~ycw{ahC^WtjJQ2nC$qPOq`3Ep>bSsG+`|zTM(c zH15;g4)JU~>n()~LgjvO>$K_6c$FU>4JcnePE$Pc`vHtuWO^Nq3Sn=Co^}NEgMHq- zp}&CrVdO^sc$;WJ3Rdfgk(eRUN%6dqVv%<04&;NOv>c4b7rRf3S1hJ7C= zf|ZGWX~56zy&=W#Q=1!S6=4IC8#%4T9yJeR9=27*us3l-usV?^;kiP1mPCk6g0^~Kdku6 zVltZgYGfl6T1T1fKE$=dU2Jkau*Rc4eG5#wu)g6O z*Pi820h%3KCy)%uX>k-qQT5&_Qe$ZdZ!3FlfjBx+w>OU-eW$@gus%y7!3#MV`)rmj zciCo7+{|ZBJksX~?*3sqZrIe2FS=KXqapTiPC1^gxvs!}oMdSh$gL@TPDkPr=o32H zWc_zH@*FwxgOHAZS}#;ZJ(3Pxh-ydYpI-e9ku@LE8$TZsk^eA)9Zja(h%_HhLPnf; zujB|E6ACpdh}yGqOo-kZgrP(=_bbA#FR1m78Ty z7%pptRl&T~rU2}{f@_bw4SffiRjeGP=34r(Nb*T`$yr8Ae1`tN&Ac){!)I@nB4*?p z(lF;{vF+Um1SXp*BcD8cZ92V%Cr8vj7V5j_#9C!XyzUxi++^Il8dLX{4fj7Vh@xbY zBvA1Q54XsReEZM%vuRp&2>L=?=73_J{qxqm24QRkN)S(4y zeS#)CML_i&OWwarSz&H7Tn$4Ex5bGAR#!x-4om$26uUrbMAeY{ym%h zRaaNPe-N{9FlA>n*xziDl3ZL*C9=k(53WKZ7}Jmu0=J1$?zd!PE%;#cyW%v%@LY) zYJ<{ogl1{Cg#TgbQxC$TYaUvET~7P!BKnA5)#*_fuv%@w9K+PhqG4F=`Xu!W2&X5@A%qw>2rr>jDA+fxX~QY; 
zL7&ip`9Lb;H|508{c|o75d~fkBI z=pb)Um0gVLXMLI>%;cMe*6H$zh{d1`Y(~TuY(-Y35)Q#)LMp#=G1qtkBTqw$IVPKL zAnmqU^M#v;WdWCaW}kyW7H63mE_EOs=dCO_!-xImSMts6G9}^cR=1g%hnAL~l%+zO zUWeAH1RrcoAnYe=L{E+?yL=0jK&_&JWm0|}%`n%IOxc=$y(M6_4hL%u9;Hw+6FTgc zZnGe#GmhtI2HytpSl9d8M=3!h_%*6Dsx8gv6dD*ctEJcI)XZum8KG?lzzkzV-@`GS z^QeW5h3@z!0q^KpPtD;gdM5;SGTF0D#+FquBww#_JhxOH@bUHeOqT6?C_A6U3Kw;| zYsu7Tji_ypf;QsKHO|I7W;QIt{B6*O652@37ZYHA4b?}8Xv`g~v3P@K8V)Op!pX0)Mw?6>=A-~|%`AO}Gi!x(as4A^l>fSzi>$QEd0*Mgx7NOy zTHfHZ#`4i~f~68!ykwmUTLGWDE2b$d^8SIr@DH$}rwAg(AF2g|JBZYZ>hu5~8u zCJh+qJNEp|EDf2ZLSUP%ATHEwI+nN0w@;$Hu{&%-`J8U~ELACHgF_$i1iQu=(JDm7 zgCq$n<#K{kXnn{kUx;5o0fFTAB@mV8bV@+TgQ1T^pp`qkv2{Do$8IZ8Y&Hf>S@_Ak z96_1u_G`!|btsl&|F;^*hshMNu?fG+7(ApDVZ*GW<@Zp&<;>6(h&AHGEQ)s207+88FX}d$T|NmM39b!m~WVCnDtB=Ze)y?!F(BLmAZ+gliOIL zD!uUEf+QAn1sovs?dp@3#c&8_*FdTBH)&Z3t~N&r!!gUOn0RFG+cKdn1|i(NRCf{9LnW;^;*u}Wyo5=)4!#2L^IQ7 z<>pZZS^C6O+)skQ?CNN~fO!{Hq!YO}bw9AjHd&18O$&GJQvmJC2&~@V(VCbt*qW;r ztHG@sC5xVPB(eMJ{(~*Q^TswSeQ9`gFi0jm5 zQfSQ4@H*FGxIbT^V(tzoKu*0L{=8MI7wq-`(QYPYf1u$4)oocJYayLOS2Ddi@V)73 zpQ(z+Sq#f!Q3(Wf^3H4}K@C8o0l3z?G(#S*lZ8l99B}-#w1C=jJL_eF(8D}*kY>{m zdmC;;1UH=!F+PaE3k#Y{M98>9r;>rZg!%PAH z&@g4|437QaOZxnu3Vp!I9{L-bFeD)GXG#BU$?%V_r~KZx7ZyI7{^L?Kk#SKRFz9up zi7toJ`64^wq!6_b01Lf)uu3QRwe{E}#h!-YOQ`OQ!B$^!JNZgy6MscmnS1QiWj>m$ z_3L|XKo>oBFHB%2$NorT7y+hMmDO}&A3vp9=pqzNpAF;;1~wK#762(Q|K-!Ogb1?V z*It4%f=0x{sk=aYc6dmw&!+DJlBw(kw-8*3jML33l>GiLV1dYaojkYA_btC{28Z$_ zB(QEK1Q1+a`3A+(S-xvZI@>>pAAz!t?t2T7`e=SNxQrH$p<4oJUIWk0P9{2*G5tbL ziUL9W;gV}IML)4q)i*uuHfFoN(yZ{UPljeYhH>ODMEIn{uE+Oc_jeq%S~5sIMltZi zn(dk4adU_Np)eqr8^>txt;x?YDJZ0*fawa!tAdln-fFjL3Fe56oL zs-<#Q`DZ%tO%CpBb0U&Tx_f&N%GXSx^PyWgt^atD{AHI}p3vz3_R;2nH{(Py{%iSS zg@d!1g;U=$^Z))RTX+8`kx1-({v&o6ela<@FVg8@)CD?Sq__3i$33&rRy)r5QoWve zd~sZN@vf-p)^Z~Vukma)1JlR5G?klcZO}zTgN)A)&ES6-EBm}MwC=lknJ^QeZH5c%a*3?i^;zbP zVxGgXOk-^BU9Vz2;Z~Bxw_KHw-bG`dMDqDXvPN+42#);)%JfsUFCL6aAs#r8f!l^e<^5^6@+@A2d{v 
z^tKCN>3RcU(Z&n&EL??*-h~RkY*Z&K*}gd3ohW^M9yiWG1BPM`{r%}Njfl%7WygqTRQhy=x8h{xe*^QrnsHbYW|9wHEi(%DqnEV~E8PueeFt&8e~@@DO% z_vVM1NIw=?MjvBjRXi2)M6NI#D5Bz1#t|`!Cs{xh9z-8{fvobs^u_71iKBj4iAp~Q z&)D@lWA!6^?F^qD_(1%IGB^MLk5-PG=6Ka!^}V6y%}4<8g1XfzNw66fT&Wg zVhxUx-(U*7mEOvVruwmlLZK^a1p!}xa~1VrIIa7^xhWIalD`!BdY&}`%8+^o{y_}M z=NWonqUy=Tda^0tOb~@FKT4MuJ8gN(n9%@MxVT|V2CeBQ9!T<6&MQavpSX6=D+F;5p)>Gm?7sQCNNjPXC2BI63@_yJabf6%@u9{m`{RbAuD zm>#=53h2Mh#LJJHR?5e=0UqV|qq^%VrH3tF`j?Hq{166}q9e7T?0oqiAg)NFSP7$T zG~mo0V6037-h?4^@9Sf_xo$JMd=V>+6Q}1I-Rr)?eAyQI_D;!9LR~`-*TkErKgtH$ z$c0khL*S%EIDDJTM?ae!#LZ<#2W#>Dcs)lImB;SYU`!&%gNhG_02b^&H*oY?2ahxh zLofm2H`pRUW>Vb%P-yukThwcl)Sj#?-Jak`;LD-Fc67lVefEgeq@*ws_EUS^2rsqM z_a7s>Iebmf3pN7tZxzWS@TF414nfmR5Wvon;#};BjYjH^ZmIy`*xPHq`Zo)KIVcQ& z0kRK}q#i^^1R*w>Ip!D+@EaE-79WDf?J8BIhWRciG4R1##8U*O~U|} zHz9tD1i5!MWi(eD%Rp(HhML7#g<-?LokER|*uW|+mr#iqYSgd3EaRT{KBa$r)hAW}`RR{NKP0;$9&e>k8t zZviRM8BG4>^zH{Fl}KGEo;56m4H}nxHKfIiIcDU0uup}dH;f}kL7LItlieD$N(g#% zr?Jl7FNP_ucW0PoR+j^bbLaG+E;WnsROev0- zGE}dPJVSu;A|E}cSL&vauG!MHMee=RNNn8fBhJo*l136Z6YvxfIbh}W*67PjgC=t1_2bDG?)Bc|6kJBFRBqxW z`CZG&qWW1R1`QRhIzuK!$L4Zr%^7EQQh&8!M2>~8v#yU`@_>9ai1;x9ZZ#1H*ZxI( z2&QLAKe&$yP#Hhux$tWX3ZM_=EB!O1${htvpcd|jgzcbho&>Qp%U^W}+@5)jryH%3 zd4#7ku{;S#@Ah|4o8;npalmgcyFxyrauioRd7+q@`|X3QhvF8m@g0JDnW}+9nrb$Eg&)w>#rE|9_|RrCzS<1hH| zpG7nvUxv_8bj`Z=6w=04JH6ut3?LYGW}w|}DuR0+;9_$F4-mWc7J_G)A8|!bWL4>U zg$5lKblyh)9 zxnCu;B6HB6y1O#SE)~|}|J$2CP8?!QQNFD_GnT_$tx=(Yh)mf8BPqmL1Fgu1qKq?Q zUuGfC_m+HclJmvId*y!g4f+rrF)2(w<70QfIQ5YZZP9;KP_*cnB;c?;ntDFWV*h)?YH& zxm7cLt>cyXa+PawSuT>scC8hcKKx!C;{Qr^`-Z4zjUiA0ae#!*9=f9dSFKt9T`Pcn zt98unHU0E)&cAZLgne6*qo4Qlim)E;Rr>YSJe$SuqggUoEiopNcq+~|sZXL6zkG^` z*v1W?@qq0yoBOQm6$kss1lJZ>NP1*14!(plz?=&@CGf$tk_`RWS#>CJS+0Ymw3@dP z7!c5?KlYNrPNRcmcNh`9NoO$y%TI;J6R`65a4ANV0Flxd<&@6CFDgGH=^^(1K9K)& zWwr9}vGwKewTI9?;@5P5McWxsG?Fh=Zo~`d2w#{ICRdMnhbBukzeDSP$Ci812%M-5 z7V#-AQ!ECdOkbjbMS#+4h&Cv(3%$l}ue!)^_j+4=JBBmTEp zW?6=bKd!i-^gjzXmtCU%Zet4s_R@Tj9-z%Uk&nQEc0*JIt&KFd6+PW~0y`){x7jj9 
z51cLw-v$93`cja`&4v|oBI8V}ee7WV^X}mHC#^9P))_9l03YJYLa)hew){&@p6RVx zpJVN{B2A`I@F?F6InKgTbxfig;Vz$X0!bVK5&zCFa1zAx1VOx1c#0-UAz>k5 zNciconcpxrC{gqYUa#9WCoQA$U=+pV|Fg#D`3evHpud4XSkr6u$7_8aN-V0E$PT00 z0Uw{3(#NNJJ~U7IVaV~H2FnGJ@R;eb8%sBqCbKPu@6W+EJXR(Y`I#=K)!4J!srgNr z;z65q9Fg_96m%;QmmPiE#fFsmWA`jCspVLz?4PJ;Jhp?zIb0ylf7Z@?NlN0_iSo?O zJvH5QF1A0MczD)Z|8hPh9io!W<&PUiEBT*|*#|+gH6DPsr6@qz zIaJM&1`$Ps{MP{MTKMpQnooj@o_KO8l~nYI>TmvRq;uT1n5$bmw?>o0y(nxB$1Tx> zWp6q8X&FG{dUf-7Dia+qXd|f`8qTxE?!Ws53f6M|-8e5c##`1Js#WjatMpx=3>QOi zVZLhV`g0|C*oRtv52r+crA-%eXHPG`@0Bm((SewRduNJ`tPa9^SxPUdAE2@&pA znw1^?`kCaXGOE*3jO~K>3!4R6bU3XhBGbdG&~koN{|U4Z)k0PNP}b70D*xFW=%OIV?Odyi(g23|CSL9i$Z86re_j%MM!nGj!Z9_7c0}mLpiK03?WSwS25e80_STHkH()@W)Nf0LO?WMdT0>*sBs;v z{D=R3slvIpB?pJYEo(?fH;haaoIqck(EBpU#VXb4`2+hntwO4>QUNYf1GjzayvUdv zu&4w(@vHQpBp&|$l?NH|Qhi2WU{S@yE?Wk-L^z6cwk8muDx1NYJ8Pa6-gy_|ZVSp2 z;;>y}9xc=-1tV!c!(K@77@qZN>wIR$k~qsz$aoZvj`n4BilFuOPZkDC@EJu66j*yU zzcTh1qAy9D_F8dVw&~06H>X%%x@%GT2jXpr68=dQ)xos!1{ZJaVc3iiXo6Yh)UxZ9sE`V{P$s*?JMK0zNZnjH=(l8%p#WLLU zYdSOG31wEc+_LEIYg^<*@YsxcsU$9tnLK!9(q;^zcPTMw-~1BdpRwtnCE(N3g#E_k zYs zZi!E-?@B%3!g);A5x;-W6K5QNIUfPP7|}=ba5=rd8-!^ z8#@NWb$<+(A?W14jv&Gj<91yRJzvduAM@yVsmf4ZDMyGpx5GUsL5qu9Z`P~5 zB3R4ohs4-oEnRN5Rx*=N(^&0B=Drr&f4wrXaem$T>kF-BiCwPeR&gm&Eq!J$7AN!I z!QZah*`iUJfS}hQSFGGG|KfkN-gB`cgn@I~R_bUI< zA>)2gL85GheIAvR^Jt#Xukv-wHD11qVWSRzMQ&7fIlh;Y50aSL~}(snXf2zsLNm%j^KbGeDPA@I9?{H1_R*#qIoBgOtt!Q-SyM5 zv1~c3q0khz6MNEBriile`!zE29uXr;<6k$h##!8#a z9(^`~k5SHQu``9Lx9m3xV8IZmqS0EuGJrip{?l%)UR=9X^~;@<|Em54kP|r|y;lC=`}NTPy7|bZ>Fj3kuy;d+icJwzt!W_C>E$OH4)o<)ZC}?GD54-8Zkxb~UupJKjC55N=jQlWR zbC@z}I^_}B-(h>->0mNF@;lkqAsBLw5(at>Hi{$qXD~u5BEXt4yL8GNjxFX-9A3M% ztDh6_60Z@yKHdIuumDr?4|M62a~Tsvp1<~g-p1>FV&eTiLIm(=@0x6vP1*Z$?GWh) zji_DDW{@~Q7oRPNU<>O0AQLSJDUr?AnlkR9;svdK|l@)pm`doVFNwE~=dPTvJ+E$M>V6<6IY*`X!E z6NTK*R&A%81}yt8A9~)Ys2d1*#(%l*O7D{E;IQvi5OjpNmQ7}vZn-^WEgrxYc#bCb zBOrNPZ1UO<@Q@1Ilvq3PHy%Pp-UPIw&Y!Jx{qlW2%d{>=A>3f_f^M2n$_ic2A4y~{rhKY^;a8uDE|R9@55yw`3|bvs 
z$^8BA;h-|_T`d@lN~bVO@NG#mrU=AlquUdo5ytS<8*qq9p`%+74?~s(`TLd9&~DSn zCVzvnXN#p*o|JJ9)XRT=E8+0XPNqc-=P9n6)p0EPRKmWO)MDzk*znoK9()5i3U@h$ ze}`!JmV5cWO)WztYW4;M{pm{$^1@-z!g+dN55z!GRD7ArEwN1?I|#7Z@}`>e-(DUz z=WrWa^ygZ2x-(V~8^wQ^H9q~_Xf_9HY2e|**m01FbUsTOq`F#c|0pmZjY1&!RW6kg zkwwe7*na2d-et&+3mP z127S$Kh~s_excZBrV2*v>3Y?{{I=bR3|scHKx@w01 zuVi?r?a%P=0C0-Yb9emwGE$-x_v7@-souLV#BdP@RYXLj!uYX*j|Ns!%U#j~{cC*Z zAujIUHF5Lrm`Op~UROqCyB8)#bwupTuQi*sFEzHcpt|EB8J4Wz^nYs_JY|k(^O@x_ zvOjd!N%%^dD3nyGJ$)L5+Fd{8ef-dl^)R>~$+2tN%l=WWDPs;e*ElwQTJuUZ6;>~P zliGu7VZqNsQuowT$0}_)XWZ%Olsf6UQL$W6CU&!}^aB%_(zB-A=dm-XEv}g~*X`z8 zcDLR~0MJ8Ysky>u5W@LdrTQ$qW2j1lo)4w-m3Vjs@I?{U*#J=c!-x%0@%Iz8E{i8PXZ(S1t+<1ibjFCl( zKmR@APMTMdaqoSkZL3g^jj@^lOAw$N z$br)P-UmLR=W4X`_fX zomOVphld^s1;<3p&Q{3Rd_i2`PqXD{Uth7kF0&~PLtTW=zipIl`Zrc0xta?nB&6Kk zFuw?mdQIE!v7_#<%uDQ*D?_Hm@MJ58-N7etEY*`gpOxS;} zeBuZdg~|kUp^@B9?g)o+MZkU|wO{YhTp3^{jXCq(1`v(0 z?6A;;;0BifNbTKydp!dRA_SV`rv{4tt ze3t0-`Y5>}={uwsjr$BN&mQSEq5@sW=)6O16S4H-_IyAT_}FHTr~#Hdr>B&t$a9=F z1dyHroJXyl*A_MRnwh9hA;Q|6)>%uuETc!B2q9YUs5U!y7h)Tko00j09Er!IRaU`Z z&LoZ(%nWgo=H3BgQX6FAuSa*WlDSrf zBX=v@wop9bi{JTT+WPyU(~t*rz%D)IJDnH6W`=<|s(dVQtpa`U2`$u&yh%;yh=p_Z*_@frjY2zo!qs*q;cK+O@@u9ubv|=q9S8VM-@JfeU z_0D+`%fuA4kf2?{qzx7-&2%7R6!vJay(*uhx2SO)`njVnr-mHYW{y-|DN#@Z{9tA% zYi7@6?D4tfi7#Ki0Y+FS-Lj~>R93mE9ryr!6CU=JBkAc%1x3cVH|w)~m4#G*y8#dv zF^6*Sl76`aeX*HrW)>3$w;`+j6!s>ZJDJF2`&j9%M+bxJYf~WpA%Coq@;upN$ z`By9@az-e^fO3YU{VW)D>h0)<`l@Z1diI&3#+rq6#Q{!|AUu1df~X!4#2MzueZd5> z{FmH!FY*@a+tF_w+ISE%D`MH{&)_4?KKps_PN-^DtzA7XeVR+pmr^;K$1v5`OK6hX zTiBb3rFgHG@uyNCGk@O0=^+Yt-=k(IYhKKF$TkCkr76aaf@-$r7r}<=)>B(9y;#ia z@}5^+T7}G_0$fc#3Qx@7cK&I%Fmi4cEdtm&xmX>G$kU%i(|WLgFz^K>QspJH&+owm zSGze;_4^Vxg$-VAA5^y=D`yns9QXgdmr+3iya`xS`22;^U&Q{x$ zrK$Y2%aw9VKD`$2>;Qsvv}-YryU}-4?Kis(@6Xqn(l9$0^rzEB=bYF`P=clr+T$?M z2j)X)iQ>{>(d&A#(hx4#j2-+u@GXR!Ms6;y8^0NK)fv=}uignSn^dvEYqfl{9&DRI z^A-Lt!jd1P<)d(P!`ni8uqaKr6s^1gq>n0a6lNbJ$&zrb2#boP zxO`YbuHLJJd8VZ8X|drRUuP1xk{|`ygYy#17b$s{UmwTWsCgWH4W*>;fgRkn^d3G| 
zsWN`^r-g1?E`;qHoH4F8db(pvm2|ib*DVC*0UoF1wFJ= z;qeXKDykvPei41Hy8wd(PUOAyc>#1_x=W06z^trxAv5M!;ES|!NE`v8{+CAFgmSqk zMu1cDZeTwK`k*cEjKnF0l6e8lNhXKPU-cO^`e>#K#NWQ1sNh^=A&J!I;cIP2Kq%)G zm+_GoY^@|c^aXM5Dkyc3bx}1c1k-S42SP&$y*7j|71DMN{PP(kNr>ob4liOL)^_Nz z>Q#YT5yi1I+?sYY?uKa*{(yiEQEfYs1{Zm*hH*M1EK6F{Z$Va1VxU|aD@*ZEd{XkG zMz2b*3Sp!M+*&@p8nEI_QX!s4^$!jQEm7@n!9T~%FAh!GGuOuJ)oU+37hR}&>tM_a zIlE=r<`PUiiTL_sM`-0Zn>PwW;Ru0`Xh`XI7Wa1MIysjm)@J%mwT5Ow~PPMGbVifb` zQ<)hAJ7?3^g37Q8rira#0Yn#w%*q>`9BxA>mAb#uhaf* zqgct)uu4DuP$wI1V-CE8ZKL-_Kl#Ly@HNRdVhvKyF&UIZrVejZuF-<_`N5<1+Rh}+ z-NVmm8cuR@GxMlmFyH4CJ%k?C@9yvJl&W-WoagJERq*25*D(p^utEua7Cjf%rw9Pi* zqRD!dXB0d#7ihDprB$QLB(KfN%Ovq)!Y0{2U1TA@KVP3W3LXMg3b^{l;kCl0+h(1@ zpdKO}S7JDfMn8_F+u~k3@k3x3rWln$17klc>QB~q30>=o^+HLb!A~!V?>#rID4~c= zfX1D&Sf9o|?r|A{9DbK@je6CA5vjN=Zj0OYMz}pj?OMiaOj-ZMXEzR)3xmo~5Ez{M zEP#SS#*gz^Tekw%ZmB8kXB(z_IiY}QaEWXRp4UVATLe1skDB0@XgnsyX4OMq+V8M~ zuTTp(CuG2{QIic3s-}-NUMCbtdi-8bF4vJt8%TPL)w4+%q3*S9Vlj}l3He{BQQ5_O zvgoh|ygUk8JO`aKv zQT1QtoGe&49+8R>xzwYUEGsXvFi`%_iLju6r%f*F3Xnv^Ss( z3@tQ6ij+^~^A<=?&ayJc>-Sj1K++fqAYbx%Y>VFn5dC;i$`yfU(aVl>oigYQ9CSUO zcvzaLtA(dYgB0EHf63MM{e|$&2aW9W^4#m!^OZo#kjV!y!aLrY`wIn7yV@yBtCWjn zswU{S9ZVwVz3@0#`?rBiub)&p8$YmVj|@20tL1xhL3+Fz5I8K(1n{!DW{il}#HyOc z(!uO6#@S$&+ZGTpgkPU)v5~cY)hcthXF$YetKavtxLU^#aS@kO7aJF7%1Sh+Vi$@5 z`)pY?n1s^xtskj3YHC;TAdUlD36DkpTHJ^&5Kpwy)Qqme6$(%rHX2VvYV&hQInNx( z8(N?j$v$Gz5So^{Ev)|rkDjdl_#Jt3GOREIfK`%tWf7MSSv#5%N0{62_1Wu+ERa5wWMtp3nYDuMTw{ zS9{zp$UX+VnTiX$TonP&XDFf40Z{vX4&8p!fVvtE>^Yyib2Bc(*EkEqpWkc2mCp%Z zPy+womVh2emMju$={?XfX9@3JGuh=Jf9-NXcPg{yNmv-d20)#ybejyQvo()D)g{`I zWKmIo`!X7nsDWFx9p6y=KrW;Q7e`D-+Mre{(bGK#b+X72$fShuY6syHz*O_Sa=9$d z6>1bc)V`B5kPpW}Owicq0T_eBhYS41Rvm??fVI->O$>a#1=00<9B$4L@1|$amU!l( zy@h>W|3z&^8_Nr3hb>@L6xx7C4PXmn5SiV?lMX3(g5hL{nC(j!B6|fh zx5B$B?VfIf5cim=ts_`vDANWV%+1?dZG;ZQ!_&Db9f6ECtqx}gU=DTQ|}N`w0`Rz|>;7>W`I zAl~^W5nl%=yKgu0UVw|@FLCh)3-2=-QSaKQS6I1Fmi+y4SB~)aNHZrGYVFB&q(*s& z)&{;qmnf8BNQBs%DuL41mnxW}!6}4^KhR~|`iUi^%_mZ?!VYV6eqxav{L0iZLM_<0 
zp6et$xZJZ0+c~=04JBeC;}XF7n!HP*7-9f9a=+UWx1GX`elQiKPDkAEt%jw);O6In zESP0t;;itAi(So($N3DvfMDgtKbpa!%~K>8TA%5Xt5;tbI6~ItO?a-q-7jSh2VqNj zz}t^EK7<=OZ#9|Rh)wsy{^Rj%!uGi)bLecP+e~J`m=XG$FRT30_1>h}7#}|EvURg% zZ)VRnGEp}~vg|`a8mBg^#Ik08mG?jHz@WbgGm0r0k9D%|^&mb6d~U^fV9<;~OUg0E z9Jj_-Eu%OavnJM|oS)!y< z-x?FFb!MTt&-lJn*e1plNXwCMqhXMmwvB~=2182Lcj;!Sz~T=l1}*VthnpE$(GrHV z+CaC-lDk`p76rPluqi}XBfWB_BcAEuNaXy&E4kk)zCqGn*|EvQ<+HK>VU-Ni?+{tu zSC9Vbabb6^%~E*~N_{U^ZdnHkCM9l7XD*}~XO`8s$7t|H(W%0kSAGz?+>BO(8{~VD zksoxI`pGsu(pE?N*4RZD8CRG`-S{B0f3kduZos5r!fAGhePTce;I!W-^6?O04tLg& z2j=udzxB#1;)B25)Zzer9M}2D!=#fX%0$3jG!Fi^SuI5a1kK2*`%+8z-znII^*pUSTtL6+`^Ak$NP(MsiO?z1zv>cjbU&<(^lyjgKR0-3VNUK@;Llw2=QSgYwqZdH#kWHXLuET&&DDv2@OL-UKppk0#pDzwAtQ^y7wb`YoE z;0=N#wsfAR1|m3!nZzpk^dkRIJ~c49BH8^R4|xBX(~qUSF^?<;8XKTAYSB$R^sWlEsZ-|)g@ora2}oZs&4t>YF+T+8U}J^`cpR;R&q z6^o{0*uUr!<%zXurJYhpN9c&I*QX;lmKI?EyIlzlrsUkG;7jmw z4VZA_Q4*gF{9KRD9u&(Flh1ZLw^0ap4K4@sfmfj#q$%XSlb-P&c>DPhJ??hYfOkG) zvHd&e&SJu;QAN&v<2#;+@!AU}Iqe7;n(ZCnDdKmSEj7|R- z(zam+z+jSWJOplLLYmtYxA4+w-LkBjHfa?Kji5@jeKz>^YR9~4oG&jCdwlncvb(ZC>0=<1{8fYOT6{ zmFOZ_xFc#e(Maue6Pf1>&giDj#h-A06F-^5OtUODP&JIYq{Twoe#SxVv)W8F36S~k zHlC7}pSmS;=7Sb-dzm6(%X2!Lk*JP4*#@hRuj2G-K^nW6Gy|-Rr@wa=-EC*E4plnj zL!2=tCG5ZAuAT6g6*Ks2cmOW^BMJeh^Z~0e?Oh`sh4#5-D76>$8JQ9EuVNoFioM_J zn4dMtXA|@vju>jaZxgfrP^3b8P@mxmyY=~6|Lyt($?oxliDf|ghuGtS=CpzER_#n( z2RD#F-G2HsFV1>N!i$iy+a9z*3x{u-+NZ30|6>W6Zd3XXg9+m|kCw=OPM6>VPIrlk z`m8_F^!!gv!ursc_;p4Wt<+Ro(ueQMhSddkStfNyB6q7TX$@tHady`gVXdcvCV?6Q z{XhN$ci8^=Y(FN0{Uc|kpjO{Rlf`0j)h~Geu*$%p{FKEj_S6-erLXlqj)S@frHB62 zxT8Fi7dvJz(J#c97!)EhIjnfHO}tMioKW>hxDfTqS&bwODhIIi>g#aOkyC{K9KSw+ zS+QM_+=F7BTobOHOP%Zywj~wd;aR>ZmPG04W3S|76bnSJk6ozZ^lKd++WxOkR!^^g z)xV&!7`rGS<@kQ@yu&MMRZa{JR5Lowg6k`xqiW%Nq@QLVTI@Jqour+K4Ul>?-RO*f z-;PrmYV)o(fI%a{fZBq9P%)F06w@eHL|#_9B7EwiL3^K`#^?S(Mbn`CS`b6dSq(jZ9?Y zob%>6FA{R8(OAUAuULt6aw86UIG)=&(>X$<9=3c5Gdw~@%Z?{^g0)Zfe6~s=Vx6*2HuzKJz|UhBg@lTB z_(3lFuIT|hK`<#gY3xYw=k?yzpTK{9u&1}9cyhn$FdjP?GkGwc^T&gfpGM^Mw%8Zt 
zP(cZW1j9PmCi+q1{P{MWED)l*meU9~VFRK$ef<}qB04u4DJE<_gn1t_h>jVvqHHRk zE)Ehc-}mb0nV@4YAo5Y5Fk~6K;u%c2`=;*{=rGgWWzgsTWw?=z(#*I~(1D`;C~3Yt z&N3F-bABqf6jY%)XR!rQiPo@Hpx8?>;s#OkS#fB=CiwJGgtCl>mTF_!=g~2>JY{rz zPWaMg_1!Np`(+LzOUMSf0|Ft_U1V4h`aOR8{Q-lzT#UD7Sf1O4bwEuVF|{hnJ?%tqr%`@zM3a_qyM=nam<0v@r5jH8Hj%-@a);S9$*> zTIPdBY~ydW`R%)rY;<7mv>zzAeNBbUWhSu$kMr<|)%3@@NNCs6V|jEkel zkSBA4vpyD(EkmR|LG^{R6z3PqHE<5h7X0KA`n4JBuEgvo+FX^Ve&r7)g{G1TN}g<% zId^)a&UOt6+wzhjM4cr zubS6(I2Q3mzBAabj>jQl@gY3${qT|IJtRbl4~?@N50HBh(|x%wkiu^Vw#~*S5&nMr z*uFhphw;Aew+vH$mJo3(`E1?Ka+YlRc&1fNqNgXd`W#5uqIGknldY0#y_qVGs6E&; z-n#+f%f)oc5MKG2LdfN;IurrV$8=9O4n3pUGgvCwck^sLBl!h{s~rycL2TmVR)0jZ z;CbT@U^wxn?_P(=8xObXnoch%)mxP>TLZB5xHo*>Pc#)sGWJ#vH;K>HUjj$myUx8MYK zcL=UQg9LYXSlpf99yGYS2De3n6Wm>c1b274lXJeWZrwk(x{BSZ9d>4CdV2bO`jH7d z|1QdhBDm9FMWGZlp;t8pgZ2O+S4}_3F1=2tU@shN-_}*Az-z2%loQtE%lalr8vhX* zQ0i5O`KSivM(TPC%a1soV-N-u5`3F*TC->c!$8iiji#)+Wg#}W08WQnL~Y!ee&=^D z(baZ3#npD1^VMm7hjD}fUUKkN{Qwwl`&tYY&{kIT2sIJjquy+se^yw+INPy50JzD@2@p`%?_Q9 zlFmCrKrdees$!}yDV16*C~Vr^M$CsEVuoX<1J8RS9TuTnq82#>fS&}n@Xj$m;8oDD_A5Su%- zYfWI`4iwD@UXp$~QRq!G4e)p;Hh2+EC3qorjc4;^=e1EZk{s|4K*7g4OYdHAU9c!`=v0iw@i5UH> zyyzA~G74Swdi$~^2H)XTdRg7}m)Wc?vlByPp+4(yk6tFoon4p zTjg$(Bv;&du@}R4+rK;9&J7BU$so?92>4`^dy51{c0SwAP}QWP0aq1Ohcoq-lmqD% znw8G?IXz}n7$(m(C?(163fm~^^y{ZL#2z zFG?Ep4L3DDk*S0k-@5{sga<}Nye-3)G?%)5+Hvo>cN^NI{a!}%5Cle61D~4xyx#aEO)S-N#W03znaeec)=<@Vlk*)1FNsYxW zDp~7J@|bIs6r<;gS~p@=*q7(Ut~Y8gqcRFxUwCHrccBpHpbacp!iO!sKdQXyacc0Z zr#YtsKqp>%cGxY6F(=zGGJtqypV8}Y{`1JFIf9sW+!;79*o`I^VrcS-79D-a67!kU zXKH8l+}<*}3Az@6izAhZEm265StqZ*Cpn|M=2MGGgM=!`>mfvWRE(}xB+B8>oXlla zYJh|x7F1uG-D-3$);MEGS7?PsIy;6|3A3Kj6*aPccek*`p$fFBgZQ;ZsT<>P%)B5B zR|eVPwuDRmbb+x6Vvn!SdMgB8hJ@aD_KkXaz}N4IfBTOYDU8DMxKMRpl(q-?cS62u z?G!+nn)7+7a6=~iEH=&Y8F;}Ky9|3b2SQ6CoUgz2Qs>(e=A_@c08Rjq3308EiIj~v zl{O2sq6wYsgL%{JO5dMW+dR;^uY=fH9j~^3XX6rDT@y4Jp0O9lq+fE=h*e8;+ph&^8;)nh;!Jm!%LQ?7g=mEC{?sVCUKyIm8nlwCM*axChJln#5WXTD3$Zh zZKUyV6#kA7h1c*qf{~B1v0u_-<^ePebBWaQ2C8O|i)QtZ#1LCPBM=C=$D~~(Xcn65 
zm)8DQKZja8VZ__JeyGcSFWHb4C#h5_aWaXyb%=`Nq^&_VFvMt$Sq@0G8XCO+9;XKsZuNDF(B z7e2SA+_%W)KDIGp`HtYJQ01go{0Y`T;M9@Ttd5g}fKeo-s}_xd<_?TBr>@re3!`}5 z;|=j$6?cMgHe(uzS>NP^o;P5YC)lxP_}#^)v?S7@-$#5sFfhSt0`34^K~FR)@v}Ul zkM{&F0RhHQPnsHpj-Wr1IcldJmdHWjmxDa*ZFC_-C*%kbyA>--@I#3r3f9I24^#mH zI@74Y6hSmhoLujhOP2KnzU7_J$7n3Htw^#jQ*Cd1%-w(Rwxizy38yGLoo{hy39Tm| z1YOtO(Yt4{?yvcTeiPDV$Meq=Fy8=BJ5wpF0f-&#adb`TM zu!6QUR+&JYBH*+KmWNRS9|v?%FOhWOgK=JONqWt=O{Y!hksisI?nyaTEbS0<=B!nk z=nXlC{ZV3YM5Fw^xmwmN7Zhtpi=Iv;G}^>$%m!i&?&4Z1A&w=<+rZL4uO_(J?8rQf zV&+HJ4++(qALA7MDL71<5?==S?QZ>&I>j{fv}Di=beZE+?kwAC)PTJ%?t`idru_k3 zK7k+_WiFJ#!GXPG5%++UfEkN20PznsVHJ# zF>#-DJ2d3Y%7>dIWzx*n5W&Z-tC>p&`MBE`6qQ4*7-=h_@a{)3KFEYdYh<+P-`h^T7N-aA}vIgCT|>ujL9ZK1cUW(HX=9 zTV~YCx$0r``|z>dK)PO_WYS<}kUb2@A8gh;E5Ky697Ks>eb_j9l$76~7n{Ngz|@?_ z0JsBx&u2GRZz1+ZrA3dqMQthrC85yAS?4UZFYCFxk)=1P=XIO#YV(D)7+tA=v8oUx z@&OC?b!{yWXJZGk+9zj}XZ;gR{QJwka6Q5bybUCj?~J8NE8KxDIBfDICy-N!BR9O0 zdk#GPA~r=qR!?jxNu@W_9Ihk4zdc)*ktacW@B*P7g!AfBUvPb~%nLbVyv)wm?+*1J z9O>XeVU`c%gumk=WB?xMqf!*Eh_x4qa+E+pe|@4;g(tsHg3j2X+i1A>>wMqyOH$X0 z874nV@M&)rSueU(+LEoGUxPNr^T@CpAIVsy*sS{yZ zPuj5NR=^`oNY0K=AA#;T%8|JyH=3=NNiL$0`IpHIE&%K3PY-sz&AMz^m_QT*>WBeX zZZ8ihxW^41m(iMiakKlR_5_Lt^(f^nJ$y5nK>}wVL5=oFJZ1-lTn0_ri6lyK^Pv-* zVCqVvpQ~-v8HI&om5!==$$k{7QN9$gs`C*a0pwUNnITy)cqY(4*Enl0C)r0xY*M5> z#6Kc6E%jX?-#@jF$Yvh;oZQGay7geU%VRoRK(uVL+^ZlZa#47I*Yx!jdBZeFZ6b>g zgk=!IyV3IYdhh?Q zbJ@nv_KIFB!)_tF{R_8j-|BUuN0zuI1DBG7jlJK!#2B_H+!^l4Hn@^9`x? 
z{T_}ztnT0G-!I;ah4>;*;A_Z>c%^-y*lS_*Em~Cay-Io3s6@OIhBCvB8*&Z7A!`o7 zXzuCK%j*PgD!U`vBCNy|CKvy9_z8Fr^pnl*?+p2r#RH+s#|IxZ0_!HCG^$KALY#XG z_Tn$3(2JHiNclPPqX^(K%11ou4~l|Pyr&9Ilq$X&@>?hWECxN_5pu1hjUuW+8`YDb zl)6>#P$wy0e-V}**^|DZWWmg*&#C==mkn{sB=1G;$x)*E=zJsaw3S>IsziF=pobuO zP1abLqTOrkIJnB%3>W>xm`Y#~D$+eDeq)vuJXuslV5?dZy^> zW-pb?ap!Pae1aRitF!X~?2;V(HKt?S{EIHP%;Nc4zFx3IJNP7_B@!8uWyagGe+E6B z3Vj-WGze#j3mY363pW~gwzEwmkphzmt#@2l3;{Si*UosV$91` z-!R2Y+W@Ifh9-@xWkfkHVtk;R&Ct&Qc{Aw_nwcV3>ftzcyQ15y&meMqHM7()*4r{U zhP#-LiqC(Wq^nEBgEVA9?CT*85t+oI&lFWjG%4PmH{Q7`ul?U9-{U7QgI*|KLaMrK zYK^qs^kB*iH=)P7-k<&7YkXjNh(D}9tQx*u;TGoC=lsav$Y7}wew)1cX}pS>igo-0 z^*OhfK%CU%`25oo5tn8L*8uN8NSN!6pHRrZ#IDG#zajoRmZW} zY|dGpgFoATt)A?@sq)kp9P}x3+iaBk@pyq>nI>N2ZN6u>JNR71j*hB-JX8)}L6Xio z+UT7G`6Vd9pwQf_X z4HFZkBCi88yRoj$Ys`Jx%Y{`{PU8zDGhe;g_d^{ot%~O~mQm|!lvFNFZR1uZ7wYqU z4)iB||K`6gm-vP$HYpK#wR1eKoqHgvPOc_xLU*1``-{Jo4doA)FSe(%%eD%_7Ar0IBrsWBEvAr*JF*-S z*GudrJ&4iZyy?gk`%a&a5Cb&i3Z(b-aPzb{3Dpa$v9gzEpewN0T(TQtnfgn$b8Z9; zuR}3dC;Y@{s4fnE#cBV@)hp`+JvR7kj9+JD$BGkkp_75fx&?~%2gIuHjI>7B`Brg& zK3(>M|Mmv1XMBE2WIo+bZAzG{A4&@!G%7q9TmVja;6cv&Qg{PT&%&YkS1&SwyeI1^xu1uaM?XP?0;X+{)k75LgFBDdVAqa8?xr%A5*pI?~>vmJs3{=Iw;O8`9pg{ax?Xdbr)XwQ}uCT6GYz0Q%!uZwEx{)80;<3uWHq<%2 zE@~<<&VZ&VZ{XwY2Mir(mUw>MAH41#Dy%MeySy^q3%&{Aztl}Ijnn#fD9LmR6EJ9| zrX<(H8qQhoj-*MpEg~iB_kHUYwkg*m5KvV>&8C%tXNd=Jv7wY$!Xl~APRxX|p%1$X z@l;jdF#*kz)EBLik3KYgS3YE|3F;Btme|ZXYJRV`ntfajCUxn@=3C50cklbc?^YAc zeWQ|YmX5*!KPcWU7rec?Mw>Bc6Z|=$ot=n%yZpqmB;KaYtcu4s%Q!YQdWEffB#oV7 zY_gleSA%W`eF}9pAl>!nf+{nnR9u4Kc)|?gqtwFhErOz^G4$YdsSf09ld?C zALqIAjg6b26j}sP+rLUYhNId4PK%Y^{vT!d!;+ufQ^0?8;qIglGj1$HnLIU|p&Rlf zK5$FFapHCl7kQ(6+shWk-eo&@TEIw zxUmLUX@jfK3q|@Wip>4*bZS0l#Y3if8>GDFX$5Flx7VUKJseu)OkIm6aEIz^{1}3s zHO784cOdp^E3EUWFKb-WolziRK4(5>Az{+AKuzW;QB1lnEFB8s_BC^?YGQ9PAk|(q zk3TsD8*(=b(h+86#iO89kM`C^v6ueMWUqO_O4s-+p02#(eVBY*ZidKmE93nI7L4Z} zNI<8U*NE{!wbUI$r)qm@6fIm)clc=x|Bm!Njy za6M$`&TRJW?x=p%P9e(aPKUbwPIkZVZZ<6C&cc{eeYu5)m2!2^&P1Fx(bPkcY`o;i 
zE(_%=BT9;!{M|@OiKdxXwoUy{08X{X`XqpWwqwm-loGi@|Hd{{1}mM4fi?Xn7euqudUnwYie{=7 z+aZ;Yt9cUM&nsRaKr+eq zxgk_9d)^>c{*XrYTVpB2J16%aTW4&fWq=i3) zd2PywpLGp+d)cXm2t@8@8vHsRtK4MLZb$>A=kO0P=D8hM)P*M9dghk8-ue)sfIC;E zIShsZszmUem^yYplU8w|{nltvY4>zLHC-7T1BQb32!A|%QsxOPtC^Arht+%-xs9<5 z^5hVl5f-k<-2|l2Yw1`y)+cp|1z}YxS?WjjkBJnAE#QFw9^FX?khN2{w7?CpKDgBq-v&eaf9EN@Dsg=vQ z)}Y-BR$jmPK0-G~1h>O)o|N+Pee{_u6;&oEIxt*ku|_+FAj4xak|Bt} zZm83H>aT&MX|1p}UQmLU%x{gFU%X9z46(kG*$$H5JUdVmda1CZ5eNAb97X27-N_RZ zy=N{F+}zRKYjoAl_ZZ}^3TZyx=L?p<3{JPS?F-D7o`^3<(8s2fwu(+x;K+iyheUR^ zi2a@yg+UAyP2bAtbYt%RYWYbK5w7#}5Zqok6Ic3aCiI@u;z1jIf?)LASN+=C7B<_s z(3pCharJ9kwr>9DMEQ(Tq(Vo)sj`JO_V(P$`{Cz1?eYt`**pFdgduOv*Mt~FaJ8@U z;xS43x5j$|I#H6lg~Ases|932Yr}XzoiEwi<(Z*))84BMl?0GWMn1>tG+9yh*UEHn zi9F+1oJG5 z)i^I);(+%krTg>cS&rn?Zb0UfA@|*Tz~qm9)R@9pu1-RmVD{YvvfuvKoOjIwL{9gA zJc`vv!?vC7J@$|h?;-Lh262 zhj@q(#R#0QrveP+L$j^oVG8c-?rGx!7}EC&EO6d>Gj2usDJH}zW+wN%ccBp7ijA8S zWEEP!MpMp+Kg5u~A54qwd{dRC>*YQzR&3=7FIa9NSUEzCnQY_gnT3*t}^Ne6N@ z&^0I`SP0GW^sW@~K%ApNdW z;bM{#P=atJgRSyh?E$}g=D*Wf!j`-=A5V#r2zpTft_zxc_d!`w#=Q&QVsmd#I-zH! 
zqUyjZC30mbgb*lz4P+Wt3~IE~EDMs3lj`Jjvc&{enQAF_en5eDjR9$zUHR$XM0clL zx@^Kp{Z^(w-gk5V{DauhA=u;6;6-4WbCKWb&K3cd4^FkxWD>PY<*dxuRn;U(+SO^l zyVHBXE~8r9AgM2%co^Cu>PLvgN^3BtkJOysU4~!Dzf-!=DCP0EHz@pd@$8SfAGA@< z1qGg^_qXQHe>^q;)xUHYGCs9L%BI&Ou~$=5^|}6iqXY{Tk&d%cB$P_U%jFzzE3X zRhS~oEruqO`8CKHJ0)*T;_}^w$dzM%z|9_l#lxu%yKIM3djR}LwKy>kdHKC1mqsat z+UhE;6o0lpkEp5smYPoDsAW>11my0L8w7w=Ca3)FNrR;RRKO}<^x_rvcITM{{vtaJ zpsOj<$GqvIPMgS`;?ik~WB;q=u6v^TPE7`=QAGxX)(#oTuNx9a25 zAK9zODleU(5OBk1r&x2xcOMb@k%^9Rp)!6zKC^riK47y8LI?0N`z%be3qhw@IU2_w zyo995xx(~36=QPFWoWyXMtdg|)xYkaz9dGNVH1>4nvmB{jS{jv!sB!M=(H|m9lo@p z_)&NGNZO%eNy;{!Od#t}wJ4d)x(+ERKCf~r4l*dMlwLUN)UGuu0%hNpn6}TXRW3-S zG?h#W6IxiZFS$7c1~j(SPO`!RtsFYig(TTS|9io!oVUrJC02Pg%W9uK*4a)x-I^C5 zEM29i!*N--hc6M_aZO^YVP!z3a8PoZNJlNMK70ld>~~ZKNAvZ~iW-D6Y>M!y{C%th zKl&_-M{7)Kl$R{glK+uwmHXC|6$(*y$;zG6A!CEMev=PF`Y`RIvW;)EEQ|0uI5`=Y zzC~OsmYusoVvwEIDD=v-YLH@a->Y2b40_x-RK@4}2IlsJ;PeEdSsoYUIAggB`wi;S zmlz+fEm`hHn5n*()Z;B+aIwVB-}eh$1}s6q#K!CX7Q$R1^NU@kZ<-c}(HO1!n**~8 zi46H^{FXx@qH10mkpUi
  • AiqHG{r9zxd+A;!$}LfeRb%|9$(Aviqkev~))V8bZ7 zODJ$|(aOlpML_3$9%_>7J>9LZL;yin-EbdjZaZb2T*9C2g8Uw1wa$Jcl1!erCbe?I6K~iOD8j;d!oa&Wq7S z`)*5h$1+R(-7(^7`I!}0H``tTn4`4dk>_ytwY-BX#2(>0AQ zmYSzuql}MJ(hIqA34%W43*lLvM<#VsL2}Gp_@)>KY0sEOAvD+!`#0Nu`_c%6j?5hT z^B4!FT4CW5M0)J}xwH~nYVj!yGelO$tXe5PRxKV(cY*u3MlBK8GN8>XmFg!H*y{Eh z1#_AtBacVWX3HN;m|8@cRBa-xyQmIje-RzOI@VU|J4E>C+*IEKxH>L;vL>DEezw<; z+1wZ%#voe1554cPG3Nr;69yu-0n~&zAJd*hI=)!W3*K5-0!$tu+MYrG`&^&ak-PPC zDo-A>T=p7*sec#jZqy$?F0s)P68uqHT>#Ap-;Q+%o*1@=u%@)wp9M7hBOi680;sQ~zMtQT&7 z-J>ZqYLm4ckneD*jRhlTGPkqzT=R*5jL>MD4KV;}Han2iGOyAG#Zp-}w4RU|muw>K zkl@zEx(-37j|Xo&q3X~G+5t}QCv}F8R*(+l=FjvDS9C|!;~(tk;FVZx?@^2aIg8v{ zv^Ntv0kDcF1fOnVpoyWUevq|WJef7MlnC@7EJS~ARt6{kWdjj0O+?3_poPu_z6(=} zwa5=LOGcGx%UV6(G25y^yed4=Iib_vq?3rV1=%Hgx96|7DTj2tRvRH73FM0T*JC{ALQcR4RH99I<4pS#ru!bgRW^SJzKrfZjF)I4(F z^Oj4A6Z058rO$kn9tz=OGnr`?`4C{{({AmKIk+$>$1i$QYApzn=O!PNmh0xv{-6-r ztH+D*2(>3CBvBEGGIgNkg{H%sHfecRv}bprV~W%0k-@~>ZT|cE#=s2hE((G)RaF*B z!3W%2jKI%8nlW1WvZe+g5>ymIaL_Cj!z- zBw=iy*LSgMJM>z+%}yiO54b6fncOlBIB7~ydE&Hp>`PlUrnF2-+n99lT>PA-{f?nI zPMEp=5=5Uc_}qoA9es9TnA6^)vDyUEizICXn+b=;N)*1 z$>VEyrX83dTkBm*_{&6O^k@h+xI81A$d64Bc&HCSd`8XyYR$ ziMbu8Ey7^C{yqb}GObD^u*yaF-!IWqm@t5lE~Kv|W*=|x0|6lSJ1hketwNfJqVg7r zKbt{>!xPO=YP_&94~zxfMRlrTC}|=vA|nzm8N4d665nkcjF{c z8V&~S1h!u9#7oL&APBn=-Olo6KtKuGb3|5noFQ{F!-9x?;{#HVtO(FQ`Hrs<9`Mp zceE6=@9=(0n$A6H1vL$zvKH(C4{A+M9kod4C7s#`yAZRfz7u?PKSGz$oT_ZG>r~<} zHnvqzTL~~2A?;kPOH-m~Iys&6!diR`#u@E*83X4$Mi;7f7CL^-6kv`%2$ zzytN4%B;l@*)0J#IvmTbXh}v1s!YuYgwaR}E+fn#5SnqMZ4_%%tL(pk&85W&|I~n- z(Y)XvFaptRDd2onH0SU$1&x^Uol5_p4?y26vv0rjBp#}GECTv(+oZ-f(h4W_fBw)b za5K|3{g%&;-iq7;Uq$ta*nBKaS*6I)-nIhp7aR%rZ>vE5R4Kk)BG1(xJP|*FP?HLI z4-GFc)$$dqm_UQ{XtO-H;(s^&&#OqZS@)~FdY$$GU>7@Y3n+F73nS;h%{B`rLna5p zFhj5L?Tm~QE{VdBYk{j8QPtom5+U!=)O5OvD6F2DPr#fUXlV^bw)_luj>4fWpcX+_ z{?BjfW@MkLlf`|!`ByLF>#AA3S`z<6{xT`W_%(qlLCE*p*BrrCq#sB>{_plm<(yC{ zfPuh^+7uuj0u()5I??&_M2s?X_yz($+)4g>s2=QbOxo^>8Etz#q_fH1*&*9ud`CmRuXV7BDNNc_fbTqi_Yp+J|8p*q(kLIw^78Y5 
z?jS!)o=wQA*Fo|5+o5?rgCKvvPvn2CodFt9G$zZaGXNF6ANU7w5Ln<5^7cM~AEd)% zF@?p@-#dpZ{HPY5-Q>;;?vxg#R z*y*EEYb1&oxUirpC0aD@gP>{rU0$l2G4HvT8o?{FPn6&2xPlnmd+vKxccFSL-Xj4b z%b2*(F>^nA&%8bdaZGx(A}QU2zi9{m_Sb*3a#(Fsf4V!Q zq>jW*O=i@T0apCnRAy3BVaTD=jgio*v_#o0hO@|WX!B#do&+H|e*9vU?hy+$1I!|3 zz+Nt=BK-7J2>5jB{)o!{ zP{Ch&%CI`C#T6Pz!rS}~qGl0#5?7817m5cd)WI__Xs!UG1SBSZU-+pA`$#TPo!Xb_zAHbK9 z%I=|6E}cF7d@U0mojQjXW*xqsc<oZ%-kM0j zb_*7K@EJ~|mC|TG_OlB`Zg z(X0JQ)=;28c$GpOO^d)9+hlXyLE!WG+u{hKgnub4RV1&1HUC?zx_jARQKXU0Z$7nL zZ~BW#ukClyGT4iw)$2Z%({5o5St}})b?}kc{L{~fCF#;Q|4jGOvBqm0<^=!z zFT)AW2TN@DfbajX|JcK2{rQD4htegl%O%u^K;N2Ft)Sl?ID{O6bnE6Bo2p0XnuvqX3jbCO-9BTq(|OFcw_}wobKuQC%uo1XL{ybnPZy%Vb!i% zLte4ly6`1}Pgp1jAboAJi| z!Pyh)bm(g)t60(@5Xg|mO~UK?J^oNk0*SB{ZM16TmKSj>7Jm zPxe43uy%29<3G<8l_|8IPXB5i?)o;KQ6j8jZ$6P7{G!DDWvuIMFZ1BMk-YgU2>WTy zJd5^Zu1s_BCexfb1Ntd(3p3zu~d-*WSZOJd>y7%ttNQgBG!}AM z(g|;*3|GS(>_SAC_BPUJLq+`badq!v7)u4(lrT5llzcU|R;xopp3i?b()Dz@5B#3> zcrCxY%=*Zb>d=lcT{8Lp5Ba6zHI}(1&0iz~*(L*Arhx!@}q2;is6jqM7 zc}P1Kywh(iv*(FtE~YJX`+XbNvM5>9Ar0Y7h;&Q*_xIQ%5OrD}t&b>tDb2GMOv zb4RPCpYf1Y%XoSkTY~To3K#Hk{vYII+THn6=3J(X2#CG_cZ4Zf*dta;6BOrz%wq zX%24=%jL=R9w6kA%1i(|AwZ|Ltm{N2`fNgDYmII`mTm`k0!$csc9eSLf+{^el(<8Q z@sWS(rdzE#4}in~QHnVBejm;wAr-CA4@aHB!xDO4H5(#-hBKxhCChT-us+eE{NN*+ zCl~$^nT>t?m?_P2wz?`%v$I`E1ChxV`i`d)FRMS~YnoAZ{b%~?IfIK`E8Lxw*X%{i zDUZAjc9bTx=S6gpPvmA~J7M)QF^tB4r!Gy|X^5sCuYkvNkkPHx@ov7|v-=jh#-D(N z-r`ZS`LNprd{%NUn??55uzLBaj4rdfK$H=sukB>DUH7mDpZt4~4Oz6#DB=jARyMaL zQo{{?5<*dcV%!?+XKAkM`(5TN=(A6Fp9bi=HR ze5zit&JKYmx^2S3{Am;;C&bhc&miX^nwZ~%{Ztq^l+USl#C`kSXCr4$ox!&}DJ*HmBj!gB}ylsH8|`@ab}FE*~_W zEp}liUgBHDJ>5{hDgO8NOUsqNgc-$q`w-&T;Np=|#IdvqOa9+v{h|}>9FA9|8MzLI zM0h{53o>%EGlLPju00gUs`uE|b3aSDbEHkX4)HjS0(p;`dk$q++JL1CU&tZ{@#t8u zcN*$!9$)CAc8Neru(iXetL2#KR=H2-@N}ic7;;N$3G(Pz977|A|L9l`;vjqWbk>k- z^dV|6vDZ@q@3#4I+S1&sx@ErzyuAXSev5Ual1r%DOlo)f=J-fM=fw8Tz zT#)G-5Q@mm0dJf%X)c#)NobnW{m$9&Nq*Edm4)~SZgD1QbH!dRF}MQ+wbdaPY}fs+ zT4`iRq}EhCFkPN~{=rPwy5EQh9UEWH75*@%yx 
zCkeKqD^m!YWp=oCd?iWu4%S+|s&0s#PqzdhJ2)38_7qv%T2&}&S0kmY)o*C|X85MR zhWV}z2|Rz?#VK(bVa|=e*DaB)SUV92F&=dtbarHNy`zt&_YC{~7W?eQoIBV8-Eu?U zgmTUE`nkQU?o=*UCZ~68unqJK>{bYeilZ87!lgtpG}BF+wM3Ef{relL2i#~(-dx$VyFzwm56~=BmC|oI!tX7{n&?<|2!9b`z94fL5>cZ2M<1SjSu22@ z%1IUxY*zm+s|n|n0=DZ|ZPLlr$^C~4Kr%tE@ItQf@{@Zje^4P1C0_)r_jWOsb85L@ zmFJo9u3#95Fy#XjE&F!*o7q`RkYyGyWHdGogZJYx_zY`305v zvaW%Rz@6C^-b@1a$FYS`(Ot%p&PXH@$>O7pAOFJtTn7obmxQvQjG&B3v+fm^Vu-sn z#*moNs^H8_+@2i!7uVNUxA*In_9d5u)tq)gk=+5f{%QG9{kJv$iIqDEcv0dX|L{LG zILs_$suuXGWti$-Qem^u=Nh}U7UgxXXS>!Al!~hDzo8$TAqf$#XK(KpU;VLBuRYG! zf$DZeI!Dk8SqmfD+VuL22e4MqZMK)-WA=D#5F`cCV{Hc{2N#5#87wZvC&1a@?0-8d zpo7*?R<5LjZSgD!-8OHZEmh=Ud=<-^FW943ltb&rer-b#|3UgWK?;p@gwm(;ecij> z`1KpTMx|Etta+=Ln3!C2ReuytdQ7A`j+@|rp(kla_P9+FY1#@;s4tyFat9ZFH$xcO z^`3Qd{YSl4s-*)DXQ?Fe!D#?TPt5H|4+}R zlEYV;y4nq?v3geQ1ZqN>D&0m*IONlnV%g{)6WRP)HLi9? zOM`8CiS!!v8}QNb}!w{_pP#E%ZNM z^8W>-{`)GF09mC)s$SXo`QiLj^w{9o;C~QQG9@#S|J+vp3#tBl?UrKC!#*yIMERJo z;C!H){XcLZfT6zsf3}`)h9~X(4Dda^{3{<&!zridIqscz;FcpUmm6!2JgWeR4jm07 zLdZoHAog&GD_Q1eln*5zMz+a2lQl+V8wXQJJf*K7sH zIjsd<{NoyLP}=klCP>D5c*z&YeVA7mdh|%ty&LCXCSTmJ2{VL!*rm^R^3ayE|anc)w~GOXGMBb*ZXVzP%>(Pg=g- zmpH~pu)ik}OltSK?sPN+piHx~URafSwKB_M+*OOkXE)^k!k?a1$Ug&q26!660a4y` z=YoDrpwV!dg-Y#wt3yVQ^$u3R1eg;&?t{`Nvj<1~$U>uhu>?2>jS2?% z#HU2ZE5#=vA94KlblUQ4U6@&;VI7kss;D-L#eLt#^R$ zb*SEQm?H>PuVDe)Xt)R(%je6#s-&?AxSdiM`aQ=~YBdn(luKgdi8C9JCLJzzy~_jH zL#AL|Ia(lLiXHx$`VHXbrvNxs+D0S}Gfi+9YBFGkC!Jib9=fM|%m*Yd(TQIohhDU= zML#{A@)Ya-ASprBHaCz$(WbTKN}`s|UD=i_1|_5UWR2X0+YW*X6c2d*4aYRE2T9r`pR6=1-Vv>_rbCj?+bqDq2(drf zZ8Yez82nFbPyg^h#)l^rg3 z&|WJbCzid$q%PtadG4{u{Rd(caow?k%_1kqEn0oHQM9|f5~Cr;F7;;j#xH#vh=jbv zQu2M~zPrItjq8G?_e?4OPg`dn&*a|6@i9$wa3pH8QiO`h$wNrDqC}gg7J1C`(>hM) zIf*X#P@y8gYs zpYP}U{k=aQQ_@wPt)&!r&|`uyV&G=n&Wg@e3~)6ZhXA_8b#&OXO8Sl>+zuQ4P?}M# zh~rO%C4dB6(|SG!EXM4Ky6GF zlUBl;`Z-M3N;U#UWtp+djddfY~$+Bh*=zdXLfFK18sG5gA7`PVD)|StH{%$h- z^$isW%?F@f1L~935qw(>rq_(k{O}(-+8P1blG-rC(e%+1-qhzorT5O#5F4({vDa4< 
znQ(mhjZqu>ttWN)_+;ypx$-v~BCg+sVZx&Ol!z0_1syf&&g{5$``9ol`jsVTV0hD*abXY zJom&&U5QjDTOM4=(n0~J5cU@Iy-`!|-;JRiul79)M?>>LmgJF@J>)Urgy$Kw({wbh7S+51J zRbqY+lbIeiI@&z$t&A!PpRY(@D`H6T)BQzy-TRr%zn!K6lhH?Sw@v(!evWqotT7C` z8RxXgZVMfrwu`#;rm2rqSZRs5-JpgvmF&Cd7NhQxZ*Eqa&Z;`=P1y-E!ttY2{WIc( zg+_*JIY>)t{p(|OP~;_TjXm_fh;4bQv^JOZJM zE5S6%vP14Dw-k?&1v&w7MQX`^Bo*co!qPz?k6d?;I%0%8X{xZ)glA#s z5wEHjH5*o6T7=sCsN&R+G~=s)=Q>D0gKxI-kt{&CWE9uMPynM9@qMq-NkfIdB^bS( z*tK2Ud`vyf-}HTyhmi=7U8A99{*;HN6}3E@BkL?l{KvgRHOjYHwz#^a9B{8N?kx%b zjFZdWRqKixGOJ3(^n2E*%@%9p%>%!8@9==;jTudRzyG4oDcu<8^7%_zEwHzkmsRT zmEB^%%?dABzu!9DU7vqGEw*u~#8{h78Mobd$-AIbg~Mcjxwwnq>4ikKXwS0SZ^Z{) z&twF8vAF?E4fDun2Kwf4o>evfqJs%gpv4+X4Pfn+;q0XAbJq}?SrPBM;KtAm-%fv{P(gF(0RfluY1dO+`=HeS0Pn4vdjJ3c literal 0 HcmV?d00001 diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md new file mode 100644 index 0000000000..f7d04fd898 --- /dev/null +++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md 
@@ -0,0 +1,174 @@ +--- +# User change +title: "Run an end-to-end Attestation with Arm CCA" + +weight: 3 # 1 is first, 2 is second, etc. + +# Do not modify these elements +layout: "learningpathall" +--- + +## Run the Key Broker Server + +The concept of a KBS is a common one in confidential computing, and there are multiple open-source implementations, including the [Trustee](https://github.com/confidential-containers/trustee) from the [CNCF Confidential Containers](https://confidentialcontainers.org/) project. The KBS in this learning path is part of the [Veraison](https://github.com/veraison) project. It has been created specifically for educational purposes and not designed for production use. Its aim is to be small and simple to understand. + +First, pull the docker container image with the pre-built KBS and then run the container: + +```bash +docker pull armswdev/cca-learning-path:cca-key-broker-v1 +docker run --rm -it armswdev/cca-learning-path:cca-key-broker-v1 +``` + +Now within your running docker container, get a list of network interfaces: + +```bash +ip -c a +``` + +The output should look like: + +```output +1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host + valid_lft forever preferred_lft forever +20: eth0@if21: mtu 1500 qdisc noqueue state UP group default + link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0 + inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0 + valid_lft forever preferred_lft forever +``` +Start the key broker server on the `eth0` network interface: + +```bash +./keybroker-server -v --addr 172.17.0.2 +``` + +The output should look like: + +```output +INFO starting 16 workers +INFO Actix runtime found; starting in Actix runtime +INFO starting service: "actix-web-service-172.17.0.2:8088", workers: 16, listening on: 172.17.0.2:8088 +``` + +With 
the key broker server running in one terminal, open up a new terminal in which you will the key broker client. + +## Run the Key Broker Client + +In a new terminal, pull the docker container image which contains the FVP and pre-built software binaries to run the key broker client in a realm. + +```bash +docker pull armswdev/cca-learning-path:cca-simulation-v1 +``` + +Now run this docker container: +```bash +docker run --rm -it armswdev/cca-learning-path:cca-simulation-v1 +``` + +Within you running container, launch the `run-cca-fvp.sh` script to run the Arm CCA pre-built binaries on the FVP: + +```bash +./run-cca-fvp.sh +``` +The run-cca-fvp.sh script uses the screen command to connect to the different UARTs in the FVP. + +You should see the host Linux kernel boot on your terminal. You will be prompted to log in to the host. Enter root as the username: + +```output +[ 4.169458] Run /sbin/init as init process +[ 4.273748] EXT4-fs (vda): re-mounted 64d1bcff-5d03-412c-83c6-48ec4253590e r/w. Quota mode: none. +Starting syslogd: OK +Starting klogd: OK +Running sysctl: OK +Starting network: [ 5.254843] smc91x 1a000000.ethernet eth0: link up, 10Mbps, half-duplex, lpa 0x0000 +udhcpc: started, v1.36.1 +udhcpc: broadcasting discover +udhcpc: broadcasting select for 172.20.51.1, server 172.20.51.254 +udhcpc: lease of 172.20.51.1 obtained from 172.20.51.254, lease time 86400 +deleting routers +adding dns 172.20.51.254 +OK + +Welcome to the CCA host +host login: root +(host) # +``` +Use kvmtool to launch guest Linux in a Realm: +```bash +cd /cca +./lkvm run --realm --disable-sve --irqchip=gicv3-its --firmware KVMTOOL_EFI.fd -c 1 -m 512 --no-pvtime --force-pci --disk guest-disk.img --measurement-algo=sha256 --restricted_mem +``` +You should see the realm boot. After boot up, you will be prompted to log in at the guest Linux prompt. 
Use root again as the username: + +```output +Starting syslogd: OK +Starting klogd: OK +Running sysctl: OK +Starting network: udhcpc: started, v1.36.1 +udhcpc: broadcasting discover +udhcpc: broadcasting select for 192.168.33.15, server 192.168.33.1 +udhcpc: lease of 192.168.33.15 obtained from 192.168.33.1, lease time 14400 +deleting routers +adding dns 172.20.51.254 +OK + +Welcome to the CCA realm +realm login: root +(realm) # +``` + +Now run the key broker client application in the realm. Use the endpoint address that the key broker server is listening on in the other terminal: +```bash +cd /cca +./keybroker-app -v --endpoint http://172.17.0.2:8088 skywalker +``` +In the command above `skywalker` is the key name that is requested from the key broker server. After some time, you should see the following output: +``` +INFO Requesting key named 'skywalker' from the keybroker server with URL http://172.17.0.2:8088/keys/v1/key/skywalker +INFO Challenge (64 bytes) = [0f, ea, c4, e2, 24, 4e, fa, dc, 1d, ea, ea, 3d, 60, eb, a6, 8f, f1, ed, 1a, 07, 35, cb, 5b, 1b, cf, 5b, 21, a4, bc, 14, 65, c2, 21, 3f, bf, 33, a0, b0, 7c, 78, 3a, a6, 32, c6, 34, be, ff, 45, 98, f4, 17, b1, 24, 71, 4f, 9c, 75, 58, 37, 3a, 28, ea, 97, 33] +INFO Submitting evidence to URL http://172.17.0.2:8088/keys/v1/evidence/3974368321 +INFO Attestation failure :-( ! AttestationFailure: No attestation result was obtained. No known-good reference values. +``` +You can see from the key broker client application output that the `skywalker` key is requested from the key broker server, which did send a challenge. The key broker client application uses the challenge to submit its evidence back to the key broker server, but it gets an attestation failure. This is because the server does not have any known good reference values. + +Now look at the key broker server output on the terminal where the server is running. It will look like: + +```output +INFO Known-good RIM values are missing. 
If you trust the client that submitted +evidence for challenge 1302147796, you should restart the keybroker-server with the following +command-line option to populate it with known-good RIM values: +--reference-values <(echo '{ "reference-values": [ "tiA66VOokO071FfsCHr7es02vUbtVH5FpLLqTzT7jps=" ] }') +INFO Evidence submitted for challenge 1302147796: no attestation result was obtained. No known-good reference values. +``` +From the server output you will notice that it did create the challenge for the key broker application, but it complains that it has no known good reference values. It does however provide a way to provision the key broker server with known good values if the client is trusted. +In a production environment, the known good reference value would be generated, but for demonstration purposes and simplification, you will use the value proposed by the key broker server. + +Now go ahead and terminate the running instance of the key broker server(ctrl+C) and restart it with the known good reference value: + +```bash +./keybroker-server -v --addr 172.17.0.2 --reference-values <(echo '{ "reference-values": [ "tiA66VOokO071FfsCHr7es02vUbtVH5FpLLqTzT7jps=" ] }') +``` + +On the terminal with the running realm, re-run the key broker client application with the exact same command line parameters as before: + +```bash +./keybroker-app -v --endpoint http://172.17.0.2:8088 skywalker +``` + +You should now get a successful attestion as shown: + +```output +INFO Requesting key named 'skywalker' from the keybroker server with URL http://172.17.0.2:8088/keys/v1/key/skywalker +INFO Challenge (64 bytes) = [05, 9e, ef, af, 59, e5, 2d, 0f, db, d8, 24, 40, 1e, 0d, 09, c9, d4, 3c, 9e, 99, c5, 64, cf, e6, b9, 20, 29, be, d7, ec, ea, 9a, a3, 91, dc, 16, e6, b7, 0f, 39, 0f, 06, b6, cc, b6, 9f, 0e, 3a, da, 26, 57, 5c, ed, 7f, 11, 1f, 2b, 3c, 9e, aa, 8c, d6, bc, b8] +INFO Submitting evidence to URL http://172.17.0.2:8088/keys/v1/evidence/2828132982 +INFO Attestation success :-) 
! The key returned from the keybroker is 'May the force be with you.' +``` + +You have successfully run an end-to-end attestation flow with Arm CCA. + + + + From 0590c575131bdbfe768e0f99753a96e1e65c70df Mon Sep 17 00:00:00 2001 From: pareenaverma Date: Mon, 16 Dec 2024 18:01:38 +0000 Subject: [PATCH 2/6] Tech review of .NET Aspire LP --- .../net-aspire/_index.md | 15 +++--- .../net-aspire/aws.md | 39 ++++++---------- .../net-aspire/background.md | 8 ++-- .../net-aspire/gcp.md | 35 ++++++-------- .../net-aspire/project.md | 46 ++++++++++++++----- 5 files changed, 74 insertions(+), 69 deletions(-) diff --git a/content/learning-paths/servers-and-cloud-computing/net-aspire/_index.md b/content/learning-paths/servers-and-cloud-computing/net-aspire/_index.md index 4a1ea97eec..1ee31d81c8 100644 --- a/content/learning-paths/servers-and-cloud-computing/net-aspire/_index.md +++ b/content/learning-paths/servers-and-cloud-computing/net-aspire/_index.md 
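Review bot: The step that restarts `keybroker-server` with `--reference-values` takes the RIM value from the server's own log, which by the log's wording comes from the evidence the client just submitted, so the second run only shows that the realm matches itself. The sentence "In a production environment, the known good reference value would be generated" does not say where a trustworthy value comes from. I would replace it with `In a production environment, the reference value is computed independently from the realm's initial contents (the image and launch parameters you built or reviewed) and provisioned to the key broker before any client connects; copying it from submitted evidence, as done here for simplicity, accepts whatever the client happens to be running.` The same section has wording slips worth fixing in the same pass: `in which you will the key broker client` (missing "run"), `Within you running container`, and `successful attestion`.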
@@ -1,24 +1,25 @@ --- -title: Using Arm-powered Virtual Machines in Amazon Web Services and Google Cloud Platform for running .NET Aspire applications +title: Run .NET Aspire applications on Arm-based Virtual Machines in AWS and GCP minutes_to_complete: 60 -who_is_this_for: This learning path is for software developers interested in learning how to deploy .NET Aspire applications in AWS and GCP +who_is_this_for: This is an introductory learning path for software developers interested in learning how to deploy .NET Aspire applications in AWS and GCP learning_objectives: - - Learn about the .NET Aspire. - - Create a project and deploy it to the ARM-powered Virtual Machines in the Cloud. + - Learn about .NET Aspire. + - Create a .NET Aspire project and deploy it to the Arm-powered Virtual Machines in the Cloud. prerequisites: - - A Windows on Arm computer such as [Windows Dev Kit 2023](https://learn.microsoft.com/en-us/windows/arm/dev-kit), a Lenovo Thinkpad X13s running Windows 11 or a Windows on Arm [virtual machine](/learning-paths/cross-platform/woa_azure/). + - A Windows on Arm computer such as [Windows Dev Kit 2023](https://learn.microsoft.com/en-us/windows/arm/dev-kit), a Lenovo Thinkpad X13s running Windows 11 to build the .NET Aspire project. + - An [Arm based instance](/learning-paths/servers-and-cloud-computing/csp/) from AWS or GCP to deploy the application. - Any code editor. [Visual Studio Code for Arm64](https://code.visualstudio.com/docs/?dv=win32arm64user) is suitable. author_primary: Dawid Borycki ### Tags skilllevels: Introductory -subjects: Cloud -cloud_service_providers: AWS, GCP +subjects: Containers and Virtualization +cloud_service_providers: AWS, Google Cloud armips: - Neoverse diff --git a/content/learning-paths/servers-and-cloud-computing/net-aspire/aws.md b/content/learning-paths/servers-and-cloud-computing/net-aspire/aws.md index e0e121721f..a152286050 100644 --- a/content/learning-paths/servers-and-cloud-computing/net-aspire/aws.md 
+++ b/content/learning-paths/servers-and-cloud-computing/net-aspire/aws.md @@ -7,11 +7,9 @@ layout: learningpathall --- ### Objective -The goal of this task is to deploy a .NET Aspire application onto an AWS Virtual Machine (using Amazon Elastic Compute Cloud (EC2)) powered by Arm-based processors, such as AWS Graviton. This involves leveraging the cost and performance benefits of Arm architecture while demonstrating the seamless deployment of cloud-native applications on modern infrastructure. +In this section you will learn how to deploy the .NET Aspire application onto an AWS EC2 Virtual Machine powered by Arm-based processors, such as AWS Graviton. This involves leveraging the cost and performance benefits of Arm architecture while demonstrating the seamless deployment of cloud-native applications on modern infrastructure. -Amazon Elastic Compute Cloud (EC2) is a highly scalable and flexible cloud computing service provided by AWS that allows users to run virtual servers, known as instances, on demand. EC2 offers a wide variety of instance types optimized for different workloads, including general-purpose, compute-intensive, memory-intensive, and GPU-enabled tasks. It supports both x86 and Arm architectures, with Arm-powered Graviton instances providing significant cost and performance advantages for specific workloads. EC2 integrates seamlessly with other AWS services, enabling applications to scale automatically, handle varying traffic loads, and maintain high availability. - -### EC2 Instance +### Setup your AWS EC2 Instance Follow these steps to deploy an app to an Arm-powered EC2 instance:: 1. Log in to AWS Management Console [here](http://console.aws.amazon.com) 2. Navigate to EC2 Service. In the search box type "EC2". Then, click EC2: 
@@ -47,7 +45,7 @@ The configuration should look as follows: ![fig8](figures/08.png) -5. Configure "Inbound Security Group Rules". Specifically, click "Add Rule" and set the following details: +6. Configure "Inbound Security Group Rules". Specifically, click "Add Rule" and set the following details: * Type: Custom TCP * Protocol: TCP * Port Range: 7133. @@ -58,13 +56,13 @@ The configuration should look as follows: ![fig9](figures/09.png) -6. Launch an instance by clicking "Launch instance" button. You should see the green box with the Success label. This box also contains a link to the EC2 instance. Click it. It will take you to the instance dashboard, which looks like the one below: +7. Launch an instance by clicking "Launch instance" button. You should see the green box with the Success label. This box also contains a link to the EC2 instance. Click it. It will take you to the instance dashboard, which looks like the one below: ![fig10](figures/10.png) -### Deploying an app -Once the EC2 instance is ready, we can connect to it and deploy the application. Follow these steps to connect: -1. Locate the instance public IP (e.g. 98.83.137.101 in my case). +### Deploy the application +Once the EC2 instance is ready, you can connect to it and deploy the application. Follow these steps to connect: +1. Locate the instance public IP (e.g. 98.83.137.101 in this case). 2. Use an SSH client to connect: * Open the terminal * Set appropriate permissions for the key pair file (remember to use your IP address) 
@@ -75,15 +73,15 @@ ssh -i arm-key-pair.pem ubuntu@98.83.137.101 ![fig11](figures/11.png) -We can now install required components, pull the application code from git, and launch the app: -1. In the EC2 terminal type +You can now install required components, pull the application code from git, and launch the app: +In the EC2 terminal run: ```console sudo apt update && sudo apt upgrade -y ``` This will update the package list and upgrade the installed packages. -2. Install .NET SDK using the following commands: +Install .NET SDK using the following commands: ```console wget https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb @@ -95,29 +93,20 @@ Verify the installation: ```console dotnet --version ``` - -3. Install the Aspire workload using the dotnet CLI +Install the Aspire workload using the dotnet CLI ```console dotnet workload install aspire ``` - -4. Install git: -```console -sudo apt install -y git -``` - -5. Clone the repository: +Clone the repository which contains the application you created in the previous section: ```console git clone https://github.com/dawidborycki/NetAspire.Arm.git cd NetAspire.Arm/ ``` - -6. Trust trust the development certificate: +Trust the development certificate: ```console dotnet dev-certs https --trust ``` - -7. Build and run the project + Build and run the project ```console dotnet restore dotnet run --project NetAspire.Arm.AppHost diff --git a/content/learning-paths/servers-and-cloud-computing/net-aspire/background.md b/content/learning-paths/servers-and-cloud-computing/net-aspire/background.md index b5c93ba49c..3f8efcbccc 100644 --- a/content/learning-paths/servers-and-cloud-computing/net-aspire/background.md +++ b/content/learning-paths/servers-and-cloud-computing/net-aspire/background.md 
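Review bot: The deploy steps end with `dotnet dev-certs https --trust` and `dotnet run --project NetAspire.Arm.AppHost` on an instance whose security group opens TCP 7133 (the hunk at -47,7), but nothing tells the reader to limit who can reach that port or to clean up afterwards. The rule's source setting falls outside the visible hunk lines, so this may already be covered; if it is not, add after the run step something like `Restrict the inbound rule for port 7133 to your own IP address and terminate the instance when you finish; the development certificate is meant for local testing, not for an internet-facing service.` This hunk also drops the `sudo apt install -y git` step while keeping `git clone`, which relies on the chosen AMI shipping git, so either keep the step or say so. The stray leading space in ` Build and run the project` and the removal of the step numbers make the sequence harder to follow.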
@@ -9,14 +9,14 @@ layout: learningpathall ### What is the .NET Aspire .NET Aspire is a comprehensive suite of powerful tools, templates, and packages designed to simplify the development of cloud-native applications using the .NET platform. Delivered through a collection of NuGet packages, .NET Aspire addresses specific cloud-native concerns, enabling developers to build observable and production-ready apps efficiently. -Cloud-native applications are typically composed of small, interconnected services or microservices rather than a single monolithic codebase. These applications often consume a variety of services such as databases, messaging systems, and caching mechanisms. .NET Aspire provides a consistent and opinionated set of tools and patterns that help developers build and run distributed applications, taking full advantage of the scalability, resilience, and manageability of cloud infrastructures. +Cloud-native applications are typically composed of small, interconnected services or microservices rather than a single monolithic codebase. These applications often consume a variety of services such as databases, messaging systems, and caching mechanisms. With .NET Aspire you get a consistent set of tools and patterns that help you build and run distributed applications, taking full advantage of the scalability, resilience, and manageability of cloud infrastructures. -.NET Aspire enhances the local development experience by simplifying the management of your app’s configuration and interconnections. It abstracts low-level implementation details, streamlining the setup of service discovery, environment variables, and container configurations. Specifically, with a few helper method calls, you can create local resources (like a Redis container), wait for them to become available, and configure appropriate connection strings in your projects. 
+.NET Aspire enhances the local development experience by simplifying the management of your application's configuration and interconnections. It abstracts low-level implementation details, streamlining the setup of service discovery, environment variables, and container configurations. Specifically, with a few helper method calls, you can create local resources (like a Redis container), wait for them to become available, and configure appropriate connection strings in your projects. .NET Aspire offers integrations for popular services like Redis and PostgreSQL, ensuring standardized interfaces and seamless connections with your app. These integrations handle cloud-native concerns such as health checks and telemetry through consistent configuration patterns. By referencing named resources, configurations are injected automatically, simplifying the process of connecting services. -.NET Aspire provides project templates that include boilerplate code and configurations common to cloud-native apps, such as telemetry, health checks, and service discovery. It offers tooling experiences for Visual Studio, Visual Studio Code, and the .NET CLI to help you create and interact with .NET Aspire projects. The templates come with opinionated defaults to help you get started quickly, reducing setup time and increasing productivity. +.NET Aspire provides project templates that include boilerplate code and configurations common to cloud-native apps, such as telemetry, health checks, and service discovery. It offers tooling experiences for Visual Studio, Visual Studio Code, and the .NET CLI to help you create and interact with .NET Aspire projects. The templates come with defaults to help you get started quickly, reducing setup time and increasing productivity. By providing a consistent set of tools and patterns, .NET Aspire streamlines the development process of cloud-native applications. 
It manages complex applications during the development phase without dealing with low-level implementation details. .NET Aspire easily connects to commonly used services with standardized interfaces and configurations. There are also various templates and tooling to accelerate project setup and development cycles. Finally, with .NET Aspire, you can create applications that are ready for production with built-in support for telemetry, health checks, and service discovery. -Here, we will explain how to create a .NET Aspire application, describe the project, and modify the code. Finally, we will deploy the application to AWS and then to GCP using virtual machines. \ No newline at end of file +In this Learning Path, you will learn how to create a .NET Aspire application, describe the project, and modify the code on a Windows on Arm development machine. You will then deploy the application to AWS and GCP Arm-powered virtual machines. diff --git a/content/learning-paths/servers-and-cloud-computing/net-aspire/gcp.md b/content/learning-paths/servers-and-cloud-computing/net-aspire/gcp.md index 2583f0b13f..3a12230e09 100644 --- a/content/learning-paths/servers-and-cloud-computing/net-aspire/gcp.md +++ b/content/learning-paths/servers-and-cloud-computing/net-aspire/gcp.md 
@@ -7,9 +7,8 @@ layout: learningpathall --- ### Objective -The goal of this task is to deploy a .NET Aspire application onto Google Cloud Platform (GCP). GCP is a suite of cloud computing services that provides scalable, secure, and highly available infrastructure for a wide range of applications. One of its core offerings is the Compute Engine service, which enables users to create and manage virtual machines (VMs) with customizable configurations, including CPU, memory, storage, and operating systems. Compute Engine supports various architectures, such as x86 and Arm-based processors like Google’s Axion or Ampere Altra Arm. - -We will start by creating an Arm64 virtual machine. Then, we will connect to it, install the required software, and run the application. +In this section, you will learn how to deploy a .NET Aspire application onto an Arm-based instance running on Google Cloud Platform (GCP). +You will start by creating an instance of an Arm64 virtual machine on GCP. You will then connect to it, install the required software, and run the application. ### Create an Arm64 Virtual Machine Follow these steps to create an Arm64 VM: @@ -21,7 +20,7 @@ Follow these steps to create an Arm64 VM: * Name: arm-server * Region/Zone: Choose a region and zone where Arm64 processors are available (e.g., us-central1). * Machine Family: Select General-purpose. -* Series: T2A (Ampere Altra Arm). +* Series: T2A * Machine Type: Select t2a-standard-1. The configuration should resemble the following: 
@@ -53,50 +52,42 @@ After creating the VM, connect to it as follows: ### Installing dependencies and deploying an app Once the connection is established, you can install the required dependencies (.NET SDK, Aspire workload, Git), fetch the application code, and deploy it: -1. Update the Package List: +Update the Package List: ```console sudo apt update && sudo apt upgrade -y ``` - -2. Install .NET SDK 8.0 or later: +Install .NET SDK 8.0 or later: ```console wget https://dot.net/v1/dotnet-install.sh bash dotnet-install.sh --channel 8.0 ``` - -3. Add .NET to PATH: +Add .NET to PATH: ```console export DOTNET_ROOT=$HOME/.dotnet export PATH=$PATH:$HOME/.dotnet:$HOME/.dotnet/tools ``` - -4. Verify the installation: +Verify the installation: ```console dotnet --version ``` - -5. Install the .NET Aspire workload: +Install the .NET Aspire workload: ```console dotnet workload install aspire ``` - -6. Install git: +Install git: ```console sudo apt install -y git ``` - -7. Clone the repository: +Clone the repository: ```console git clone https://github.com/dawidborycki/NetAspire.Arm.git cd NetAspire.Arm/ ``` - -7. Trust trust the development certificate: +Trust the development certificate: ```console dotnet dev-certs https --trust ``` - -8. Build and run the project +Build and run the project ```console dotnet restore dotnet run --project NetAspire.Arm.AppHost @@ -119,4 +110,4 @@ To make your application accessible publicly, configure firewall rules: 5. Click the Save button. ### Summary -You have successfully deployed the Aspire app onto an Arm-powered GCP Virtual Machine. This deployment demonstrates the compatibility of .NET applications with Arm architecture and GCP, offering high performance and cost-efficiency. \ No newline at end of file +You have successfully deployed the Aspire app onto an Arm-powered GCP Virtual Machine. This deployment demonstrates the compatibility of .NET applications with Arm architecture and GCP, offering high performance and cost-efficiency. 
diff --git a/content/learning-paths/servers-and-cloud-computing/net-aspire/project.md b/content/learning-paths/servers-and-cloud-computing/net-aspire/project.md index e49578decd..7d170687f7 100644 --- a/content/learning-paths/servers-and-cloud-computing/net-aspire/project.md +++ b/content/learning-paths/servers-and-cloud-computing/net-aspire/project.md @@ -9,12 +9,29 @@ layout: learningpathall In this section, you will set up the project. This involves several steps, including installing the Aspire workload. Then, you will learn about the project structure and launch it locally. Finally, you will modify the project to add additional computations to mimic computationally intensive work. ## Create a Project -To create a .NET Aspire application, first ensure that you have .NET 8.0 or later installed on your system. Next, install the Aspire workload by opening your terminal and running: +To create a .NET Aspire application, first ensure that you have [.NET 8.0 or later installed](https://dotnet.microsoft.com/en-us/download/dotnet) on your Windows on Arm development machine. + +Open a Powershell terminal and run: +```console +dotnet --version +``` +The output should return the version of .NET SDK installed on your machine. + +Next, install the Aspire workload: ```console dotnet workload install aspire ``` +You should see the following output: + +```output +Downloading Aspire.Hosting.Sdk.Msi.arm64 (8.2.2) +Installing Aspire.Hosting.Sdk.Msi.arm64 ..... Done +Downloading Aspire.ProjectTemplates.Msi.arm64 (8.2.2) +Installing Aspire.ProjectTemplates.Msi.arm64 ..... Done +Successfully installed workload(s) aspire. +``` Once the Aspire workload is installed, you can create a new application by executing: ```console 
@@ -42,9 +59,16 @@ The architecture is also tailored to improve the development experience. Develop This thoughtfully crafted architecture embodies microservices best practices, promoting scalability, maintainability, and service isolation. It not only simplifies deployment and monitoring but also fosters developer productivity by streamlining workflows and providing intuitive tools for building modern, distributed applications. -## Running the Project -To run the project, type the following +## Run the Project +The application will issue a certificate. Before you run the application, add support to trust the HTTPS development certificate by running: + +```console +dotnet dev-certs https --trust +``` + +Now run the project: ```console +cd .\NetAspire.Arm\ dotnet run --project NetAspire.Arm.AppHost ``` 
@@ -63,22 +87,22 @@ info: Aspire.Hosting.DistributedApplication[0] Login to the dashboard at https://localhost:17222/login?t=81f99566c9ec462e66f5eab5aa9307b0 ``` -Click on the link provided: https://localhost:17222/login?t=81f99566c9ec462e66f5eab5aa9307b0. This will direct you to the application dashboard, as shown below: +Click on the link generated for the dashboard. In this case it is: https://localhost:17222/login?t=81f99566c9ec462e66f5eab5aa9307b0. This will direct you to the application dashboard, as shown below: ![fig1](figures/01.png) -Once on the dashboard, locate and click the endpoint link for NetAspire.Arm.Web. This will take you to the Blazor-based web application. In the Blazor app, navigate to the Weather section to access and display data retrieved from the WeatherForecast API: +On the dashboard, locate and click the endpoint link for `NetAspire.Arm.Web`. This will take you to the Blazor based web application. In the Blazor app, navigate to the Weather section to access and display data retrieved from the WeatherForecast API: ![fig2](figures/02.png) -Finally, return to the dashboard and select the Traces option. This section provides detailed telemetry tracing, allowing you to view the flow of requests, track service dependencies, and analyze performance metrics for your application: +Return to the dashboard and select the Traces option. This section provides detailed telemetry tracing, allowing you to view the flow of requests, track service dependencies, and analyze performance metrics for your application: ![fig3](figures/03.png) -By following these steps, you’ll explore the key components of the .NET Aspire application, including its dashboard, data interaction through APIs, and telemetry tracing capabilities. +By following these steps, you will explore the key components of the .NET Aspire application, including its dashboard, data interaction through APIs, and telemetry tracing capabilities. 
## Modify the Project -You will now include the additional code that will mimic computation intense work. Go to NetAspire.Arm.ApiService project, and create a new file ComputationService.cs. Modify this file as follows: +You will now include additional code for the purpose of demonstrating computation intense work. Go to the `NetAspire.Arm.ApiService` project, and create a new file `ComputationService.cs`. Add the code shown below to this file: ```cs static class ComputationService @@ -119,12 +143,12 @@ The public method PerformIntensiveCalculations multiplies two matrices (matrix1 This code is provided for demonstrating heavy computational operations, such as large matrix manipulations, and can simulate workloads in scenarios that mimic intensive data processing or scientific calculations. -Then, open the Program.cs of the NetAspire.Arm.ApiService, and use the above code: +Then, open the `Program.cs` file in the `NetAspire.Arm.ApiService` directory and add modify the `MapGet` function of the app as shown: ```cs app.MapGet("/weatherforecast", () => { - ComputationService.PerformIntensiveCalculations(matrixSize: 1000); + ComputationService.PerformIntensiveCalculations(matrixSize: 800); var forecast = Enumerable.Range(1, 5).Select(index => new WeatherForecast @@ -150,4 +174,4 @@ Next, navigate to the web frontend, click Weather, and then return to the dashbo ![fig4](figures/04.png) -Now, when project is ready, and we can deploy it to the cloud. \ No newline at end of file +You are now ready to deploy the application to the cloud. From aa5c42fba0b28e1b73f9f41fa40b74cb4c5d89ef Mon Sep 17 00:00:00 2001 From: pareenaverma Date: Mon, 16 Dec 2024 13:03:38 -0500 Subject: [PATCH 3/6] Update _index.md --- .../servers-and-cloud-computing/cca-essentials/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
index 6ad46f3452..08affd0cb0 100644
--- a/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/_index.md
@@ -3,7 +3,7 @@ title: Run an Attestation with Arm Confidential Compute Architecture (CCA)
 
 minutes_to_complete: 120
 
-who_is_this_for: This is an advanced topic for software developers who want to see a practical example of how attestatio is used with Arm's Confidential Computing Architecture (CCA).
+who_is_this_for: This is an advanced topic for software developers who want to see a practical example of how attestation is used with Arm's Confidential Computing Architecture (CCA).
 
 learning_objectives:
 - Understand how attestation is used with Arm's Confidential Computing Architecture (CCA).
From c490acfdd1356f536cbcbe42f3b2ae06181f2225 Mon Sep 17 00:00:00 2001
From: pareenaverma
Date: Mon, 16 Dec 2024 13:05:36 -0500
Subject: [PATCH 4/6] Update example.md
---
 .../servers-and-cloud-computing/cca-essentials/example.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
index f7d04fd898..6b2bc57f77 100644
--- a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
@@ -53,7 +53,7 @@ INFO Actix runtime found; starting in Actix runtime
 INFO starting service: "actix-web-service-172.17.0.2:8088", workers: 16, listening on: 172.17.0.2:8088
 ```
 
-With the key broker server running in one terminal, open up a new terminal in which you will the key broker client.
+With the key broker server running in one terminal, open up a new terminal in which you will run the key broker client.
 
 ## Run the Key Broker Client
 
From 81db6c985df7b94a62d04a42a6496a5175e708dc Mon Sep 17 00:00:00 2001
From: pareenaverma
Date: Mon, 16 Dec 2024 13:07:48 -0500
Subject: [PATCH 5/6] Update example.md
---
 .../servers-and-cloud-computing/cca-essentials/example.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
index 6b2bc57f77..ad54573a73 100644
--- a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
@@ -146,7 +146,7 @@ INFO Evidence submitted for challenge 1302147796: no attestation result was obta
 From the server output you will notice that it did create the challenge for the key broker application, but it complains that it has no known good reference values. It does however provide a way to provision the key broker server with known good values if the client is trusted.
 In a production environment, the known good reference value would be generated, but for demonstration purposes and simplification, you will use the value proposed by the key broker server.
 
-Now go ahead and terminate the running instance of the key broker server(ctrl+C) and restart it with the known good reference value:
+Now go ahead and terminate the running instance of the key broker server(ctrl+C) and restart it with the known good reference value. Notice here that you need to copy the `--reference-values` argument directly from the previous error message reported by the key broker. When running this next command, ensure that you are using exactly that value, for example::
 
 ```bash
 ./keybroker-server -v --addr 172.17.0.2 --reference-values <(echo '{ "reference-values": [ "tiA66VOokO071FfsCHr7es02vUbtVH5FpLLqTzT7jps=" ] }')
From b03b5c61d560a033935a63f6450e2c78f4838999 Mon Sep 17 00:00:00 2001
From: pareenaverma
Date: Mon, 16 Dec 2024 13:09:59 -0500
Subject: [PATCH 6/6] Update example.md
---
 .../servers-and-cloud-computing/cca-essentials/example.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
index ad54573a73..377f589210 100644
--- a/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
+++ b/content/learning-paths/servers-and-cloud-computing/cca-essentials/example.md
@@ -144,7 +144,7 @@ command-line option to populate it with known-good RIM values:
 INFO Evidence submitted for challenge 1302147796: no attestation result was obtained. No known-good reference values.
 ```
 From the server output you will notice that it did create the challenge for the key broker application, but it complains that it has no known good reference values. It does however provide a way to provision the key broker server with known good values if the client is trusted.
-In a production environment, the known good reference value would be generated, but for demonstration purposes and simplification, you will use the value proposed by the key broker server.
+In a production environment, the known good reference value would be generated using a deployment specific process, but for demonstration purposes and simplification, you will use the value proposed by the key broker server.
 
 Now go ahead and terminate the running instance of the key broker server(ctrl+C) and restart it with the known good reference value. Notice here that you need to copy the `--reference-values` argument directly from the previous error message reported by the key broker. When running this next command, ensure that you are using exactly that value, for example::