From 6ee92598cf540ac5746f8af714aa3601ea03ad3d Mon Sep 17 00:00:00 2001 From: johpow01 Date: Wed, 25 Aug 2021 16:32:23 -0500 Subject: [PATCH 1/2] docs(gpt): add documentation page for GPT library This patch adds some documentation for the GPT library as well as adds code owners for it. Signed-off-by: John Powell Change-Id: If1cd79626eadb27e1024d731b26ee2e20af74a66 --- docs/about/maintainers.rst | 19 +- .../granule-protection-tables-design.rst | 235 ++++++++++++++++++ docs/components/index.rst | 1 + 3 files changed, 250 insertions(+), 5 deletions(-) create mode 100644 docs/components/granule-protection-tables-design.rst diff --git a/docs/about/maintainers.rst b/docs/about/maintainers.rst index 337dde617..7a48601b7 100644 --- a/docs/about/maintainers.rst +++ b/docs/about/maintainers.rst @@ -75,7 +75,7 @@ Software Delegated Exception Interface (SDEI) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ :|M|: Mark Dykes :|G|: `mardyk01`_ -:|M|: John Powell +:|M|: John Powell :|G|: `john-powell-arm`_ :|F|: services/std_svc/sdei/ @@ -105,7 +105,7 @@ Exception Handling Framework (EHF) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ :|M|: Manish Badarkhe :|G|: `ManishVB-Arm`_ -:|M|: John Powell +:|M|: John Powell :|G|: `john-powell-arm`_ :|F|: bl31/ehf.c @@ -115,7 +115,7 @@ Realm Management Extension (RME) :|G|: `bipinravi-arm`_ :|M|: Mark Dykes :|G|: `mardyk01`_ -:|M|: John Powell +:|M|: John Powell :|G|: `john-powell-arm`_ :|M|: Zelalem Aweke :|G|: `zelalem-aweke`_ @@ -201,7 +201,7 @@ Arm CPU libraries ^^^^^^^^^^^^^^^^^ :|M|: Lauren Wehrmeister :|G|: `laurenw-arm`_ -:|M|: John Powell +:|M|: John Powell :|G|: `john-powell-arm`_ :|F|: lib/cpus/ @@ -255,7 +255,7 @@ Standard C library ^^^^^^^^^^^^^^^^^^ :|M|: Alexei Fedorov :|G|: `AlexeiFedorov`_ -:|M|: John Powell +:|M|: John Powell :|G|: `john-powell-arm`_ :|F|: lib/libc/ 
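Review bot: the five hunks at @@ -75, @@ -105, @@ -115, @@ -201 and @@ -255 of docs/about/maintainers.rst are trailing-whitespace-only edits to the SDEI, EHF, RME, Arm CPU libraries and Standard C library entries (`-:|M|: John Powell ` becomes `+:|M|: John Powell`), and the commit message ("add documentation page for GPT library ... adds code owners for it") says nothing about them. Either move them into a separate whitespace cleanup commit or add one sentence to the message, so that `git blame` on those unrelated sections points at a change that explains itself.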
@@ -335,6 +335,15 @@ Max Power Mitigation Mechanism (MPMM) :|F|: include/lib/mpmm/ :|F|: lib/mpmm/ +Granule Protection Tables Library (GPT-RME) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +:|M|: Mark Dykes +:|G|: `mardyk01`_ +:|M|: John Powell +:|G|: `john-powell-arm`_ +:|F|: lib/gpt_rme +:|F|: include/lib/gpt_rme + Platform Ports ~~~~~~~~~~~~~~ diff --git a/docs/components/granule-protection-tables-design.rst b/docs/components/granule-protection-tables-design.rst new file mode 100644 index 000000000..07637dd58 --- /dev/null +++ b/docs/components/granule-protection-tables-design.rst 
@@ -0,0 +1,235 @@ +Granule Protection Tables Library +================================= + +This document describes the design of the granule protection tables (GPT) +library used by Trusted Firmware-A (TF-A). This library provides the APIs needed +to initialize the GPTs based on a data structure containing information about +the systems memory layout, configure the system registers to enable granule +protection checks based on these tables, and transition granules between +different PAS (physical address spaces) at runtime. + +Arm CCA adds two new security states for a total of four: root, realm, secure, and +non-secure. In addition to new security states, corresponding physical address +spaces have been added to control memory access for each state. The PAS access +allowed to each security state can be seen in the table below. + +.. list-table:: Security states and PAS access rights + :widths: 25 25 25 25 25 + :header-rows: 1 + + * - + - Root state + - Realm state + - Secure state + - Non-secure state + * - Root PAS + - yes + - no + - no + - no + * - Realm PAS + - yes + - yes + - no + - no + * - Secure PAS + - yes + - no + - yes + - no + * - Non-secure PAS + - yes + - yes + - yes + - yes + +The GPT can function as either a 1 level or 2 level lookup depending on how a +PAS region is configured. The first step is the level 0 table, each entry in the +level 0 table controls access to a relatively large region in memory (block +descriptor), and the entire region can belong to a single PAS when a one step +mapping is used, or a level 0 entry can link to a level 1 table where relatively +small regions (granules) of memory can be assigned to different PAS with a 2 +step mapping. The type of mapping used for each PAS is determined by the user +when setting up the configuration structure. + +Design Concepts and Interfaces +------------------------------ + +This section covers some important concepts and data structures used in the GPT +library. 
+ +There are three main parameters that determine how the tables are organized and +function: the PPS (protected physical space) which is the total amount of +protected physical address space in the system, PGS (physical granule size) +which is how large each level 1 granule is, and L0GPTSZ (level 0 GPT size) which +determines how much physical memory is governed by each level 0 entry. A granule +is the smallest unit of memory that can be independently assigned to a PAS. + +L0GPTSZ is determined by the hardware and is read from the GPCCR_EL3 register. +PPS and PGS are passed into the APIs at runtime and can be determined in +whatever way is best for a given platform, either through some algorithm or hard +coded in the firmware. + +GPT setup is split into two parts: table creation and runtime initialization. In +the table creation step, a data structure containing information about the +desired PAS regions is passed into the library which validates the mappings, +creates the tables in memory, and enables granule protection checks. In the +runtime initialization step, the runtime firmware locates the existing tables in +memory using the GPT register configuration and saves important data to a +structure used by the granule transition service which will be covered more +below. + +In the reference implementation for FVP models, you can find an example of PAS +region definitions in the file ``include/plat/arm/common/arm_pas_def.h``. Table +creation API calls can be found in ``plat/arm/common/arm_bl2_setup.c`` and +runtime initialization API calls can be seen in +``plat/arm/common/arm_bl31_setup.c``. + +Defining PAS regions +~~~~~~~~~~~~~~~~~~~~ + +A ``pas_region_t`` structure is a way to represent a physical address space and +its attributes that can be used by the GPT library to initialize the tables. + +This structure is composed of the following: + +#. The base physical address +#. The region size +#. 
The desired attributes of this memory region (mapping type, PAS type) + +See the ``pas_region_t`` type in ``include/lib/gpt_rme/gpt_rme.h``. + +The programmer should provide the API with an array containing ``pas_region_t`` +structures, then the library will check the desired memory access layout for +validity and create tables to implement it. + +``pas_region_t`` is a public type, however it is recommended that the macros +``GPT_MAP_REGION_BLOCK`` and ``GPT_MAP_REGION_GRANULE`` be used to populate +these structures instead of doing it manually to reduce the risk of future +compatibility issues. These macros take the base physical address, region size, +and PAS type as arguments to generate the pas_region_t structure. As the names +imply, ``GPT_MAP_REGION_BLOCK`` creates a region using only L0 mapping while +``GPT_MAP_REGION_GRANULE`` creates a region using L0 and L1 mappings. + +Level 0 and Level 1 Tables +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The GPT initialization APIs require memory to be passed in for the tables to be +constructed, ``gpt_init_l0_tables`` takes a memory address and size for building +the level 0 tables and ``gpt_init_pas_l1_tables`` takes an address and size for +building the level 1 tables which are linked from level 0 descriptors. The +tables should have PAS type ``GPT_GPI_ROOT`` and a typical system might place +its level 0 table in SRAM and its level 1 table(s) in DRAM. + +Granule Transition Service +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Granule Transition Service allows memory mapped with GPT_MAP_REGION_GRANULE +ownership to be changed using SMC calls. Non-secure granules can be transitioned +to either realm or secure space, and realm and secure granules can be +transitioned back to non-secure. This library only allows memory mapped as +granules to be transitioned, memory mapped as blocks have their GPIs fixed after +table creation. 
+ +Library APIs +------------ + +The public APIs and types can be found in ``include/lib/gpt_rme/gpt_rme.h`` and this +section is intended to provide additional details and clarifications. + +To create the GPTs and enable granule protection checks the APIs need to be +called in the correct order and at the correct time during the system boot +process. + +#. Firmware must enable the MMU. +#. Firmware must call ``gpt_init_l0_tables`` to initialize the level 0 tables to + a default state, that is, initializing all of the L0 descriptors to allow all + accesses to all memory. The PPS is provided to this function as an argument. +#. DDR discovery and initialization by the system, the discovered DDR region(s) + are then added to the L1 PAS regions to be initialized in the next step and + used by the GTSI at runtime. +#. Firmware must call ``gpt_init_pas_l1_tables`` with a pointer to an array of + ``pas_region_t`` structures containing the desired memory access layout. The + PGS is provided to this function as an argument. +#. Firmware must call ``gpt_enable`` to enable granule protection checks by + setting the correct register values. +#. In systems that make use of the granule transition service, runtime + firmware must call ``gpt_runtime_init`` to set up the data structures needed + by the GTSI to find the tables and transition granules between PAS types. + +API Constraints +~~~~~~~~~~~~~~~ + +The values allowed by the API for PPS and PGS are enumerated types +defined in the file ``include/lib/gpt_rme/gpt_rme.h``. + +Allowable values for PPS along with their corresponding size. 
+ +* ``GPCCR_PPS_4GB`` (4GB protected space, 0x100000000 bytes) +* ``GPCCR_PPS_64GB`` (64GB protected space, 0x1000000000 bytes) +* ``GPCCR_PPS_1TB`` (1TB protected space, 0x10000000000 bytes) +* ``GPCCR_PPS_4TB`` (4TB protected space, 0x40000000000 bytes) +* ``GPCCR_PPS_16TB`` (16TB protected space, 0x100000000000 bytes) +* ``GPCCR_PPS_256TB`` (256TB protected space, 0x1000000000000 bytes) +* ``GPCCR_PPS_4PB`` (4PB protected space, 0x10000000000000 bytes) + +Allowable values for PGS along with their corresponding size. + +* ``GPCCR_PGS_4K`` (4KB granules, 0x1000 bytes) +* ``GPCCR_PGS_16K`` (16KB granules, 0x4000 bytes) +* ``GPCCR_PGS_64K`` (64KB granules, 0x10000 bytes) + +Allowable values for L0GPTSZ along with the corresponding size. + +* ``GPCCR_L0GPTSZ_30BITS`` (1GB regions, 0x40000000 bytes) +* ``GPCCR_L0GPTSZ_34BITS`` (16GB regions, 0x400000000 bytes) +* ``GPCCR_L0GPTSZ_36BITS`` (64GB regions, 0x1000000000 bytes) +* ``GPCCR_L0GPTSZ_39BITS`` (512GB regions, 0x8000000000 bytes) + +Note that the value of the PPS, PGS, and L0GPTSZ definitions is an encoded value +corresponding to the size, not the size itself. The decoded hex representations +of the sizes have been provided for convenience. + +The L0 table memory has some constraints that must be taken into account. + +* The L0 table must be aligned to either the table size or 4096 bytes, whichever + is greater. L0 table size is the total protected space (PPS) divided by the + size of each L0 region (L0GPTSZ) multiplied by the size of each L0 descriptor + (8 bytes). ((PPS / L0GPTSZ) * 8) +* The L0 memory size must be greater than or equal to the table size. +* The L0 memory must fall within a PAS of type GPT_GPI_ROOT. + +The L1 memory also has some constraints. + +* The L1 tables must be aligned to their size. The size of each L1 table is the + size of each L0 region (L0GPTSZ) divided by the granule size (PGS) divided by + the granules controlled in each byte (2). 
((L0GPTSZ / PGS) / 2) +* There must be enough L1 memory supplied to build all requested L1 tables. +* The L1 memory must fall within a PAS of type GPT_GPI_ROOT. + +If an invalid combination of parameters is supplied, the APIs will print an +error message and return a negative value. The return values of APIs should be +checked to ensure successful configuration. + +Sample Calculation for L0 memory size and alignment +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Let PPS=GPCCR_PPS_4GB and L0GPTSZ=GPCCR_L0GPTSZ_30BITS + +We can find the total L0 table size with ((PPS / L0GPTSZ) * 8) + +Substitute values to get this: ((0x100000000 / 0x40000000) * 8) + +And solve to get 32 bytes. In this case, 4096 is greater than 32, so the L0 +tables must be aligned to 4096 bytes. + +Sample calculation for L1 table size and alignment +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Let PGS=GPCCR_PGS_4K and L0GPTSZ=GPCCR_L0GPTSZ_30BITS + +We can find the size of each L1 table with ((L0GPTSZ / PGS) / 2). + +Substitute values: ((0x40000000 / 0x1000) / 2) + +And solve to get 0x20000 bytes per L1 table. diff --git a/docs/components/index.rst b/docs/components/index.rst index 754526daf..95fe42cff 100644 --- a/docs/components/index.rst +++ b/docs/components/index.rst @@ -25,3 +25,4 @@ Components xlat-tables-lib-v2-design cot-binding realm-management-extension + granule-protection-tables-design From 7446c266c91bc28c87fca634df57bdcf15b32a5b Mon Sep 17 00:00:00 2001 From: Zelalem Aweke Date: Thu, 21 Oct 2021 13:59:45 -0500 Subject: [PATCH 2/2] docs(rme): add description of TF-A changes for RME This patch expands the RME documentation with description of TF-A changes for RME. It also modifies some other parts of TF-A documentation to account for RME changes. 
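Review bot: the new `:|F|:` paths in the @@ -335 hunk of docs/about/maintainers.rst, `lib/gpt_rme` and `include/lib/gpt_rme`, lack the trailing slash that every neighbouring directory entry in the file carries (`:|F|: lib/mpmm/`, `:|F|: include/lib/mpmm/`, `:|F|: lib/libc/`). Use `lib/gpt_rme/` and `include/lib/gpt_rme/` so the entries are unambiguously directories and follow the file's convention.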
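Review bot: the "Granule Transition Service" section of the new docs/components/granule-protection-tables-design.rst says granules are moved between PAS types via SMC but never states which caller security state may request which transition, so a reader cannot tell from this page whether, for example, a Non-secure caller could move a Realm granule back to Non-secure; since that check is the access-control boundary this library exists to enforce, please document the caller constraints the service applies and what it returns on a disallowed request, next to `Non-secure granules can be transitioned to either realm or secure space, and realm and secure granules can be transitioned back to non-secure.` Smaller points in the same hunk: `GTSI` first appears in boot step 3 (`used by the GTSI at runtime`) without ever being expanded; the table-creation paragraph says the library `creates the tables in memory, and enables granule protection checks` while the API sequence later makes enabling a separate `gpt_enable` call, so drop the "enables" clause from that paragraph; and `the systems memory layout` should read `the system's memory layout`.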
Signed-off-by: Zelalem Aweke Change-Id: I9e6feeee235f0ba4b767d239f15840f1e0c540bb --- .../components/realm-management-extension.rst | 89 ++++++++++++++++-- docs/design/firmware-design.rst | 10 +- docs/getting_started/image-terminology.rst | 8 ++ docs/getting_started/rt-svc-writers-guide.rst | 10 +- .../diagrams/arm-cca-software-arch.png | Bin 0 -> 20577 bytes docs/threat_model/threat_model.rst | 7 ++ 6 files changed, 108 insertions(+), 16 deletions(-) create mode 100755 docs/resources/diagrams/arm-cca-software-arch.png diff --git a/docs/components/realm-management-extension.rst b/docs/components/realm-management-extension.rst index 5c580f36d..2c4e0b8a7 100644 --- a/docs/components/realm-management-extension.rst +++ b/docs/components/realm-management-extension.rst 
@@ -4,8 +4,82 @@ Realm Management Extension (RME) FEAT_RME (or RME for short) is an Armv9-A extension and is one component of the `Arm Confidential Compute Architecture (Arm CCA)`_. TF-A supports RME starting -from version 2.6. This document provides instructions on how to build and run -TF-A with RME. +from version 2.6. This chapter discusses the changes to TF-A to support RME and +provides instructions on how to build and run TF-A with RME. + +RME support in TF-A +--------------------- + +The following diagram shows an Arm CCA software architecture with TF-A as the +EL3 firmware. In the Arm CCA architecture there are two additional security +states and address spaces: ``Root`` and ``Realm``. TF-A firmware runs in the +Root world. In the realm world, a Realm Management Monitor firmware (RMM) +manages the execution of Realm VMs and their interaction with the hypervisor. + +.. image:: ../resources/diagrams/arm-cca-software-arch.png + +RME is the hardware extension to support Arm CCA. To support RME, various +changes have been introduced to TF-A. We discuss those changes below. + +Changes to translation tables library +*************************************** +RME adds Root and Realm Physical address spaces. To support this, two new +memory type macros, ``MT_ROOT`` and ``MT_REALM``, have been added to the +:ref:`Translation (XLAT) Tables Library`. These macros are used to configure +memory regions as Root or Realm respectively. + +.. note:: + + Only version 2 of the translation tables library supports the new memory + types. + +Changes to context management +******************************* +A new CPU context for the Realm world has been added. The existing +:ref:`CPU context management API` can be used to manage Realm context. + +Boot flow changes +******************* +In a typical TF-A boot flow, BL2 runs at Secure-EL1. However when RME is +enabled, TF-A runs in the Root world at EL3. Therefore, the boot flow is +modified to run BL2 at EL3 when RME is enabled. 
In addition to this, a +Realm-world firmware (RMM) is loaded by BL2 in the Realm physical address +space. + +The boot flow when RME is enabled looks like the following: + +1. BL1 loads and executes BL2 at EL3 +2. BL2 loads images including RMM +3. BL2 transfers control to BL31 +4. BL31 initializes SPM (if SPM is enabled) +5. BL31 initializes RMM +6. BL31 transfers control to Normal-world software + +Granule Protection Tables (GPT) library +***************************************** +Isolation between the four physical address spaces is enforced by a process +called Granule Protection Check (GPC) performed by the MMU downstream any +address translation. GPC makes use of Granule Protection Table (GPT) in the +Root world that describes the physical address space assignment of every +page (granule). A GPT library that provides APIs to initialize GPTs and to +transition granules between different physical address spaces has been added. +More information about the GPT library can be found in the +:ref:`Granule Protection Tables Library` chapter. + +RMM Dispatcher (RMMD) +************************ +RMMD is a new standard runtime service that handles the switch to the Realm +world. It initializes the RMM and handles Realm Management Interface (RMI) +SMC calls from Non-secure and Realm worlds. + +Test Realm Payload (TRP) +************************* +TRP is a small test payload that runs at R-EL2 and implements a subset of +the Realm Management Interface (RMI) commands to primarily test EL3 firmware +and the interface between R-EL2 and EL3. When building TF-A with RME enabled, +if a path to an RMM image is not provided, TF-A builds the TRP by default +and uses it as RMM image. Building and running TF-A with RME ------------------------------------ 
@@ -25,11 +99,8 @@ TF-A. You can use the following command to clone TF-A. git clone https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git -To run the tests, you need an FVP model. You can download a model that supports -RME from the `Arm Architecture Models website`_. Please select the -*Base RevC AEM FVP* model. After extracting the downloaded file, you should be able to -find the *FVP_Base_RevC-2xAEMvA* binary. The instructions below have been tested -with model version 11.15 revision 18. +To run the tests, you need an FVP model. Please use the :ref:`latest version +` of *FVP_Base_RevC-2xAEMvA* model. .. note:: @@ -64,9 +135,7 @@ This produces a TF-A Tests binary (*tftf.bin*) in the *build/fvp/debug* director all fip This produces *bl1.bin* and *fip.bin* binaries in the *build/fvp/debug* directory. -The above command also builds a Test Realm Payload (TRP), which is a small test -payload that implements Realm Monitor Management (RMM) functionalities and runs -in the realm world (R-EL2). The TRP binary is packaged in *fip.bin*. +The above command also builds TRP. The TRP binary is packaged in *fip.bin*. Four-world execution with Hafnium and TF-A Tests **************************************************** diff --git a/docs/design/firmware-design.rst b/docs/design/firmware-design.rst index ef500ff05..0831dc056 100644 --- a/docs/design/firmware-design.rst +++ b/docs/design/firmware-design.rst @@ -26,6 +26,13 @@ tables. The details of this library can be found in TF-A can be built to support either AArch64 or AArch32 execution state. +.. note:: + + The descriptions in this chapter are for the Arm TrustZone architecture. + For changes to the firmware design for the + `Arm Confidential Compute Architecture (Arm CCA)`_ please refer to the + chapter :ref:`Realm Management Extension (RME)`. + Cold boot --------- 
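Review bot: the @@ -25,11 hunk of docs/components/realm-management-extension.rst deletes the only record of which model the instructions were verified against (`The instructions below have been tested with model version 11.15 revision 18`) and replaces it with an open-ended "latest version" pointer; keep a "last verified with version X" sentence next to the pointer so a reader who hits a model regression knows which version is known to work. Also, the new `:ref:` for "latest version" shows no `<target>` label in the hunk as submitted; if the label was present and lost in transit, ignore this, otherwise Sphinx will not resolve the reference.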
@@ -2722,7 +2729,7 @@ kernel at boot time. These can be found in the ``fdts`` directory. -------------- -*Copyright (c) 2013-2020, Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2013-2021, Arm Limited and Contributors. All rights reserved.* .. _Power State Coordination Interface PDD: http://infocenter.arm.com/help/topic/com.arm.doc.den0022d/Power_State_Coordination_Interface_PDD_v1_1_DEN0022D.pdf .. _SMCCC: https://developer.arm.com/docs/den0028/latest @@ -2731,5 +2738,6 @@ kernel at boot time. These can be found in the ``fdts`` directory. .. _Arm ARM: https://developer.arm.com/docs/ddi0487/latest .. _SMC Calling Convention: https://developer.arm.com/docs/den0028/latest .. _Trusted Board Boot Requirements CLIENT (TBBR-CLIENT) Armv8-A (ARM DEN0006D): https://developer.arm.com/docs/den0006/latest/trusted-board-boot-requirements-client-tbbr-client-armv8-a +.. _Arm Confidential Compute Architecture (Arm CCA): https://www.arm.com/why-arm/architecture/security-features/arm-confidential-compute-architecture .. |Image 1| image:: ../resources/diagrams/rt-svc-descs-layout.png diff --git a/docs/getting_started/image-terminology.rst b/docs/getting_started/image-terminology.rst index 5993d6e7a..a90ec0b3f 100644 --- a/docs/getting_started/image-terminology.rst +++ b/docs/getting_started/image-terminology.rst @@ -92,6 +92,14 @@ In systems where 3rd level images are provided by different vendors, the abbreviated name should identify the vendor as well as the image function. For example, ``AP_BL3_ARM_RAS``. +Realm Monitor Management Firmware: ``RMM`` +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This is the Realm-EL2 firmware. It is required if +:ref:`Realm Management Extension (RME)` feature is enabled. If a path to RMM +image is not provided, TF-A builds Test Realm Payload (TRP) image by default +and uses it as the RMM image. + SCP Boot ROM: ``SCP_BL1`` (previously ``BL0``) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
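Review bot: `Realm Monitor Management Firmware: RMM` in the @@ -92 hunk of docs/getting_started/image-terminology.rst expands the acronym differently from `Realm Management Monitor firmware (RMM)` in docs/components/realm-management-extension.rst in the same patch; the terminology entry is what readers will search for, so settle on one expansion across the series. Also `If a path to RMM image is not provided` wants an article (`to an RMM image`).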
diff --git a/docs/getting_started/rt-svc-writers-guide.rst b/docs/getting_started/rt-svc-writers-guide.rst index b3758b824..5a4be4d48 100644 --- a/docs/getting_started/rt-svc-writers-guide.rst +++ b/docs/getting_started/rt-svc-writers-guide.rst @@ -200,13 +200,13 @@ The handler is responsible for: SMC_RET1(handle, SMC_UNK); #. Determining if the requested function is valid for the calling security - state. SMC Calls can be made from both the normal and trusted worlds and + state. SMC Calls can be made from Non-secure, Secure or Realm worlds and the framework will forward all calls to the service handler. The ``flags`` parameter to this function indicates the caller security state - in bit[0], where a value of ``1`` indicates a non-secure caller. The - ``is_caller_secure(flags)`` and ``is_caller_non_secure(flags)`` can be used to - test this condition. + in bits 0 and 5. The ``is_caller_secure(flags)``, ``is_caller_non_secure(flags)`` + and ``is_caller_realm(flags)`` helper functions can be used to determine whether + the caller's security state is Secure, Non-secure or Realm respectively. If invalid, the request should be completed with: @@ -314,7 +314,7 @@ provide this information.... -------------- -*Copyright (c) 2014-2020, Arm Limited and Contributors. All rights reserved.* +*Copyright (c) 2014-2021, Arm Limited and Contributors. All rights reserved.* .. _SMCCC: https://developer.arm.com/docs/den0028/latest .. _PSCI: http://infocenter.arm.com/help/topic/com.arm.doc.den0022c/DEN0022C_Power_State_Coordination_Interface.pdf 
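Review bot: `in bits 0 and 5` in the @@ -200 hunk of docs/getting_started/rt-svc-writers-guide.rst replaces text that documented the encoding (`a value of 1 indicates a non-secure caller`) with text that does not say what either bit means, so a service author who needs to decode `flags` directly no longer can; either restate the meaning of both bits or point at where the bit definitions live. Since the hunk introduces a third caller state, it is also worth one sentence telling authors that handlers written against the old two-state model, which branch only on `is_caller_non_secure(flags)` with an implicit "otherwise secure", must be revisited, and that a handler should reject any caller state it does not explicitly support rather than fall through to a privileged path.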
diff --git a/docs/resources/diagrams/arm-cca-software-arch.png b/docs/resources/diagrams/arm-cca-software-arch.png new file mode 100755 index 0000000000000000000000000000000000000000..979e083876715b485fa775eec5f0438b07b8c9b5 GIT binary patch literal 20577 (base85-encoded image data omitted) literal 0 HcmV?d00001 diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 9f26487e9..4a31e7988 100644
z1-*Kf2iEs-Eg%k~cB?{-Tm=k~O`CG6VB6AYiCu@XD<3>$*1rUk-S4q6i|Jcw1(Y`G zYwd33>s6OYt;XE)y+#uEnsp9Sa9a@}Y=1K`i@8Y*E$MJy=SBxqeXlgSen8uTA`psr z4t4e9bMrGTj*9PdUCH|?yoPJ^D!7mFHm1*#;UO+T1yTHb*0r+n*omVYtBHg0ySceo ztUGaBVn_AOw67y-)AD$q&wCm;OKGu+_{^1Da#wqhwM!J~e&74f8z}ihcUH3V{F}Q2 z`T?htA_u#vwQ9%5l=On32HU&m?SAKl!Js?=EMn@_kD~SkrAWN(F`vxGz82-#4S4ZTiKO2DRyF+}mhb;h9ikCv7cx79*?<2`q@`7NRydlNxmZTp{VewW zKY2BW{td){m!-g`*4ChG3~1t6dEI28yYc4rpQZ4Br_eU!UDEC*&x~vc;%&;H&rf=u zZ!Vqn*eFYrm}U6SuPGZCXtnzO{O;de`ft9bw6%=pl$5m0ZVb)>ng<`Bv(VAe8CtOEKJtU|qgZPb0Y6$6YjiB=4XC!? zf`A(bHG|1C000L{sRrEG(63qb85h+KWwZ>qk*=hF`i?3#?80QzCE&*VVlYPm@EQmd zz8u7s*~S0A-O}!I&2#~^v&dQ&^{lkh6@EInp6i~s$l=JuPzJVCSncjYrVWQR{gj1G z+3a55w+D+E2~f#BFkO<&7?uKiP+Xty0zU~pO`c^WsTucSXuOWTdRMexngr;rYc%rbjZxQD9 zl9(v!({tOGG5@gy-<>s$zgjH3+2wGP!E0+_F{@$pe7UMAQ-#m-aNwA|j6~&aA!WDC zD?Yc~ykI!J@a_eB;o{S=Ssh!ud#~%{MoMHv5ziX(yFEE->NrF$pe4%6d+Cbb_vGs^ znWWTUfE9~-@J|uIgNZ4wdzyf*Oe-(5L4eFLcYonxs|ek6(HJ&a3@xNT8TBO#3|6KQ zi!Le1q1^RDpw71ChQ|$hqfN<%Mzv0ISKykw3b(^7g}6>`KpE@2&?uC*PNIA*lpn8qs?2c}k@QL}WLN zAPfYev}-X|17J0~LMLjFg-Br102v?{ek;DZJ0{pLZs0{xCk?J-mcaXOj;h3V+wbpM zd~ujQJ?Q{y{&uBhU45{JGKO8q~v`fB@7;Q>!Ozm zyV4izmsA2e1{YRk^vyP((j`gzwZMt_%Z@o+bIqRIKz)aj}^g;GpE$e1zDJ2U_a(0)_JHr-Q`NA zT?Gu&YwD-p!+QM7Sw--o+5ykyX(Zgz>sD9;n+rfP@-rVV-_wi9Ou4hwuO&PB%=x!{ zNkA+dVP>NEV)w7X5dq?%th#r! z1fJ{yFRIGvYh2gMmm$UWrWYU&jwe=-xQa;1hsCohNNa$%3attqi7eh{_6D?g@G(R2 zopeWFXaNEARp^eVRmSKJ$prnejk>E9D-lTI!#-eoFFpkMV@I%my#etToD}m^Ehum+ z&&wc_GSb4Y)l?dwopNRt@t^yRLktje%j;g^cbFy&Yk*fI@d%hz;VH3(YY041H;Uv{ z(Gu;ySw2PiDn=JO{OIS9mAhoSz`b#! zhLM(}!gW;ag?%%%!)Q~@!%!xh$h#j25D5onM7hyz6z{9S6t;^w-P) zoy&br&&~pt$)URC(KIx>a6kXB`HcnMy&t$!tWK|;N4B-ZDRwUP!xst~5yK}s8;oh5 zyG^krE#la)2o?0|N96srz$372cO@<*7DynH3~&N3D(9#XTPhQiI2rKHyN@owHW=(- zDL8zoMg#nax8Q*zBT-+Xg!`iq03W`k7>kl_a?IP|70Z^@Rsj#STV4Xb{^;_U286g+ n{}tjrJ-=R^N2;!MaDsY0hp>t05mpEA2NdZ$@{&2?`p^C!PdpL$ literal 0 HcmV?d00001 diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst index 9f26487e9..4a31e7988 100644 
--- a/docs/threat_model/threat_model.rst +++ b/docs/threat_model/threat_model.rst @@ -6,6 +6,11 @@ Introduction ************************ This document provides a generic threat model for TF-A firmware. +.. note:: + + This threat model doesn't consider Root and Realm worlds introduced by + :ref:`Realm Management Extension (RME)`. + ************************ Target of Evaluation ************************ @@ -22,8 +27,10 @@ assumptions: - All TF-A images are run from either ROM or on-chip trusted SRAM. This means TF-A is not vulnerable to an attacker that can probe or tamper with off-chip memory. + - Trusted boot is enabled. This means an attacker can't boot arbitrary images that are not approved by platform providers. + - There is no Secure-EL2. We don't consider threats that may come with Secure-EL2 software.
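Review bot: the cross-reference in the added ``.. note::`` in the Introduction hunk, ``:ref:`Realm Management Extension (RME)```, uses a section title as the ``:ref:`` target; that only resolves if the RME page defines a label of exactly that name (or the Sphinx build enables ``autosectionlabel``), otherwise the build emits an undefined-label warning and the text renders unlinked. Please confirm with a docs build, and consider ``does not`` over ``doesn't`` to match the surrounding documentation register. It would also help the reader to say what the exclusion implies for the rest of the document, for example that the assumptions and threat list below apply to the Secure and Non-secure worlds only.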
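Review bot: the second hunk only inserts blank lines between the items of the "assumptions" bullet list, which changes the rendered output (docutils treats a list with blank lines between items as non-compact, so each item gets paragraph spacing); if that is intended for readability it is fine, but it would be clearer to note it in the commit message. More importantly, since this patch now states that Root and Realm worlds are out of scope, that exclusion belongs in this assumptions list, next to the existing ``- There is no Secure-EL2.`` item, rather than only as a note in the Introduction, so that every scope restriction is discoverable in one place.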