From fcb1398ff1cefe747cd8c5a0e6cef8d11153009e Mon Sep 17 00:00:00 2001
From: Olivier Deprez
Date: Thu, 2 Apr 2020 15:38:02 +0200
Subject: [PATCH] doc: secure partition manager design

Former EL3 Secure Partition Manager using MM protocol is renamed Secure Partition Manager (MM). A new Secure Partition Manager document covers TF-A support for the PSA FF-A compliant implementation.

Signed-off-by: Olivier Deprez
Change-Id: I9763359c2e96181e1726c8ad72738de293b80eb4
---
 docs/components/index.rst | 3 +-
 ...gn.rst => secure-partition-manager-mm.rst} | 21 +-
 docs/components/secure-partition-manager.rst | 867 ++++++++++++++++++
 docs/resources/diagrams/ff-a-spm-sel2.png | Bin 0 -> 83369 bytes
 .../diagrams/plantuml/bl2-loading-sp.puml | 44 +
 .../plantuml/fip-secure-partitions.puml | 122 +++
 6 files changed, 1054 insertions(+), 3 deletions(-)
 rename docs/components/{secure-partition-manager-design.rst => secure-partition-manager-mm.rst} (97%)
 create mode 100644 docs/components/secure-partition-manager.rst
 create mode 100644 docs/resources/diagrams/ff-a-spm-sel2.png
 create mode 100644 docs/resources/diagrams/plantuml/bl2-loading-sp.puml
 create mode 100644 docs/resources/diagrams/plantuml/fip-secure-partitions.puml
diff --git a/docs/components/index.rst b/docs/components/index.rst
index 18b1e38bb..861a85d96 100644
--- a/docs/components/index.rst
+++ b/docs/components/index.rst
@@ -16,7 +16,8 @@ Components
 ras
 romlib-design
 sdei
- secure-partition-manager-design
+ secure-partition-manager
+ secure-partition-manager-mm
 psa-ffa-manifest-binding
 xlat-tables-lib-v2-design
 cot-binding
diff --git a/docs/components/secure-partition-manager-design.rst b/docs/components/secure-partition-manager-mm.rst
similarity index 97%
rename from docs/components/secure-partition-manager-design.rst
rename to docs/components/secure-partition-manager-mm.rst
index 4f6718594..87fc91df3 100644
--- a/docs/components/secure-partition-manager-design.rst
+++ b/docs/components/secure-partition-manager-mm.rst
@@ -1,5 +1,22 @@
-Secure Partition Manager
-************************
+Secure Partition Manager (MM)
+*****************************
+
+Foreword
+========
+
+Two implementations of a Secure Partition Manager co-exist in the TF-A codebase:
+
+- SPM based on the PSA FF-A specification (`Secure Partition Manager`__).
+- SPM based on the MM interface.
+
+.. __: secure-partition-manager.html
+
+Both implementations differ in their architectures and only one can be selected
+at build time.
+
+This document describes the latter implementation where the Secure Partition Manager
+resides at EL3 and management services run from isolated Secure Partitions at S-EL0.
+The communication protocol is established through the Management Mode (MM) interface.
 
 Background
 ==========
diff --git a/docs/components/secure-partition-manager.rst b/docs/components/secure-partition-manager.rst
new file mode 100644
index 000000000..2169f30a0
--- /dev/null
+++ b/docs/components/secure-partition-manager.rst
@@ -0,0 +1,867 @@
+Secure Partition Manager
+************************
+
+.. contents::
+
+Acronyms
+========
+
++--------+-----------------------------------+
+| DTB | Device Tree Blob |
++--------+-----------------------------------+
+| DTS | Device Tree Source |
++--------+-----------------------------------+
+| EC | Execution Context |
++--------+-----------------------------------+
+| FIP | Firmware Image Package |
++--------+-----------------------------------+
+| FF-A | Firmware Framework for A-class |
++--------+-----------------------------------+
+| IPA | Intermediate Physical Address |
++--------+-----------------------------------+
+| NWd | Normal World |
++--------+-----------------------------------+
+| ODM | Original Design Manufacturer |
++--------+-----------------------------------+
+| OEM | Original Equipment Manufacturer |
++--------+-----------------------------------+
+| PA | Physical Address |
++--------+-----------------------------------+
+| PE | Processing Element |
++--------+-----------------------------------+
+| PVM | Primary VM |
++--------+-----------------------------------+
+| PSA | Platform Security Architecture |
++--------+-----------------------------------+
+| SP | Secure Partition |
++--------+-----------------------------------+
+| SPM | Secure Partition Manager |
++--------+-----------------------------------+
+| SPMC | SPM Core |
++--------+-----------------------------------+
+| SPMD | SPM Dispatcher |
++--------+-----------------------------------+
+| SiP | Silicon Provider |
++--------+-----------------------------------+
+| SWd | Secure World |
++--------+-----------------------------------+
+| TLV | Tag-Length-Value |
++--------+-----------------------------------+
+| TOS | Trusted Operating System |
++--------+-----------------------------------+
+| VM | Virtual Machine |
++--------+-----------------------------------+
+
+Foreword
+========
+
+Two implementations of a Secure Partition Manager co-exist in the TF-A codebase:
+
+- SPM based on the PSA FF-A specification `[1]`_.
+- SPM based on the MM interface to communicate with an S-EL0 partition `[2]`_.
+
+Both implementations differ in their architectures and only one can be selected
+at build time.
+
+This document:
+
+- describes the PSA FF-A implementation where the Secure Partition Manager
+ resides at EL3 and S-EL2 (or EL3 and S-EL1).
+- is not an architecture specification and it might provide assumptions
+ on sections mandated as implementation-defined in the specification.
+- covers the implications to TF-A used as a bootloader, and Hafnium
+ used as a reference code base for an S-EL2 secure firmware on
+ platforms implementing Armv8.4-SecEL2.
+
+Terminology
+-----------
+
+- Hypervisor refers to the NS-EL2 component managing Virtual Machines (or
+ partitions) in the Normal World.
+- SPMC refers to the S-EL2 component managing Virtual Machines (or Secure
+ Partitions) in the Secure World when Armv8.4-SecEL2 extension is implemented.
+- Alternatively, SPMC can refer to an S-EL1 component, itself being a Secure
+ Partition and implementing the FF-A ABI on pre-Armv8.4 platforms.
+- VM refers to a Normal World Virtual Machine managed by an Hypervisor.
+- SP refers to a Secure World "Virtual Machine" managed by the SPMC component.
+
+Support for legacy platforms
+----------------------------
+
+In the implementation, the SPM is split into SPMD and SPMC components
+(although not strictly mandated by the specification). SPMD is located
+at EL3 and principally relays FF-A messages from NWd (Hypervisor or OS
+kernel) to SPMC located either at S-EL1 or S-EL2.
+
+Hence TF-A must support both cases where SPMC is either located at:
+
+- S-EL1 supporting pre-Armv8.4 platforms. SPMD conveys FF-A protocol
+ from EL3 to S-EL1.
+- S-EL2 supporting platforms implementing Armv8.4-SecEL2 extension.
+ SPMD conveys FF-A protocol from EL3 to S-EL2.
+
+The same SPMD component is used to support both configurations. The SPMC
+execution level is a build time choice.
+
+Sample reference stack
+======================
+
+The following diagram illustrates a possible configuration with SPMD and SPMC,
+one or multiple Secure Partitions, with or without an optional Hypervisor:
+
+.. image:: ../resources/diagrams/ff-a-spm-sel2.png
+
+TF-A build options
+==================
+
+The following TF-A build options are provisioned:
+
+- **SPD=spmd**: this option selects the SPMD component to relay FF-A
+ protocol from NWd to SWd back and forth. It is not possible to
+ enable another Secure Payload Dispatcher when this option is chosen.
+- **SPMD_SPM_AT_SEL2**: this option adjusts the SPMC execution
+ level to being S-EL1 or S-EL2. It defaults to enabled (value 1) when
+ SPD=spmd is chosen.
+- **CTX_INCLUDE_EL2_REGS**: this option permits saving (resp.
+ restoring) the EL2 system register context before entering (resp.
+ after leaving) the SPMC. It is mandatory when ``SPMD_SPM_AT_SEL2`` is
+ enabled. The context save/restore routine and exhaustive list of
+ registers is visible at `[4] <#References>`__.
+- **SP_LAYOUT_FILE**: this option provides a text description file
+ providing paths to SP binary images and DTS format manifests
+ (see `Specifying partition binary image and DT`_). It
+ is required when ``SPMD_SPM_AT_SEL2`` is enabled hence when multiple
+ secure partitions are to be loaded on behalf of SPMC.
+
++------------------------------+----------------------+------------------+
+| | CTX_INCLUDE_EL2_REGS | SPMD_SPM_AT_SEL2 |
++------------------------------+----------------------+------------------+
+| SPMC at S-EL1 (e.g. OP-TEE) | 0 | 0 |
++------------------------------+----------------------+------------------+
+| SPMC at S-EL2 (e.g. Hafnium) | 1 | 1 (default when |
+| | | SPD=spmd) |
++------------------------------+----------------------+------------------+
+
+Other combinations of such build options either break the build or are not
+supported.
+
+Note, the ``CTX_INCLUDE_EL2_REGS`` option provides the generic support for
+barely saving/restoring EL2 registers from an Arm arch perspective. As such
+it is decoupled from the ``SPD=spmd`` option.
+
+BL32 option is re-purposed to specify the SPMC image. It can specify either the
+Hafnium binary path (built for the secure world) or the path to a TEE binary
+implementing the FF-A protocol.
+
+BL33 option can specify either:
+
+- the TFTF binary or
+- the Hafnium binary path (built for the normal world) if VMs were loaded by
+ TF-A beforehand or
+- a minimal loader performing the loading of VMs and Hafnium.
+
+Sample TF-A build command line when SPMC is located at S-EL1
+(typically pre-Armv8.4):
+
+.. code:: shell
+
+ make \
+ CROSS_COMPILE=aarch64-none-elf- \
+ SPD=spmd \
+ SPMD_SPM_AT_SEL2=0 \
+ BL32= \
+ BL33= \
+ PLAT=fvp \
+ all fip
+
+Sample TF-A build command line for an Armv8.4-SecEL2 enabled system
+where SPMC is located at S-EL2:
+
+.. code:: shell
+
+ make \
+ CROSS_COMPILE=aarch64-none-elf- \
+ SPD=spmd \
+ CTX_INCLUDE_EL2_REGS=1 \
+ ARM_ARCH_MINOR=4 \
+ BL32=
+ BL33= \
+ SP_LAYOUT_FILE=sp_layout.json \
+ PLAT=fvp \
+ all fip
+
+Build options to enable secure boot:
+
+.. code:: shell
+
+ make \
+ CROSS_COMPILE=aarch64-none-elf- \
+ SPD=spmd \
+ CTX_INCLUDE_EL2_REGS=1 \
+ ARM_ARCH_MINOR=4 \
+ BL32=
+ BL33= \
+ SP_LAYOUT_FILE=../tf-a-tests/build/fvp/debug/sp_layout.json \
+ MBEDTLS_DIR= \
+ TRUSTED_BOARD_BOOT=1 \
+ COT=dualroot \
+ ARM_ROTPK_LOCATION=devel_rsa \
+ ROT_KEY=plat/arm/board/common/rotpk/arm_rotprivk_rsa.pem \
+ GENERATE_COT=1 \
+ PLAT=fvp \
+ all fip
+
+Boot process
+============
+
+Loading Hafnium and Secure Partitions in the secure world
+---------------------------------------------------------
+
+The Hafnium implementation in normal world requires VMs to be loaded in
+memory prior to booting. The mechanism upon which VMs are loaded and
+exposed to Hafnium are either:
+
+- by supplying a ramdisk image where VM images are concatenated (1)
+- or by providing VM load addresses within Hafnium manifest (2)
+
+TF-A is the bootlader for the Hafnium and SPs in the secure world. TF-A
+does not provide tooling or libraries manipulating ramdisks as required
+by (1). Thus BL2 loads SPs payloads independently.
+SPs may be signed by different parties (SiP, OEM/ODM, TOS vendor, etc.).
+Thus they are supplied as distinct “self-contained” signed entities within
+the FIP flash image. The FIP image itself is not signed hence providing
+ability to upgrade SPs in the field.
+
+Booting through TF-A
+--------------------
+
+SP manifests
+~~~~~~~~~~~~
+
+An SP manifest describes SP attributes as defined in `[1]`_
+section 3.1 (partition manifest at virtual FF-A instance) in DTS text format. It
+is represented as a single file associated with the SP. A sample is
+provided by `[5]`_. A binding document is provided by `[6]`_.
+
+Secure Partition packages
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Secure Partitions are bundled as independent package files consisting
+of:
+
+- a header
+- a DTB
+- an image payload
+
+The header starts with a magic value and offset values to SP DTB and
+image payload. Each SP package is loaded independently by BL2 loader
+and verified for authenticity and integrity.
+
+The SP package identified by its UUID (matching FF-A uuid) is inserted
+as a single entry into the FIP at end of the TF-A build flow as shown:
+
+.. code:: shell
+
+ Trusted Boot Firmware BL2: offset=0x1F0, size=0x8AE1, cmdline="--tb-fw"
+ EL3 Runtime Firmware BL31: offset=0x8CD1, size=0x13000, cmdline="--soc-fw"
+ Secure Payload BL32 (Trusted OS): offset=0x1BCD1, size=0x15270, cmdline="--tos-fw"
+ Non-Trusted Firmware BL33: offset=0x30F41, size=0x92E0, cmdline="--nt-fw"
+ HW_CONFIG: offset=0x3A221, size=0x2348, cmdline="--hw-config"
+ TB_FW_CONFIG: offset=0x3C569, size=0x37A, cmdline="--tb-fw-config"
+ SOC_FW_CONFIG: offset=0x3C8E3, size=0x48, cmdline="--soc-fw-config"
+ TOS_FW_CONFIG: offset=0x3C92B, size=0x427, cmdline="--tos-fw-config"
+ NT_FW_CONFIG: offset=0x3CD52, size=0x48, cmdline="--nt-fw-config"
+ B4B5671E-4A90-4FE1-B81F-FB13DAE1DACB: offset=0x3CD9A, size=0xC168, cmdline="--blob"
+ D1582309-F023-47B9-827C-4464F5578FC8: offset=0x48F02, size=0xC168, cmdline="--blob"
+
+.. uml:: ../resources/diagrams/plantuml/fip-secure-partitions.puml
+
+Specifying partition binary image and DT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A description file (json format) is passed to the build flow specifying
+paths to the SP binary image and associated DTS partition manifest file.
+The latter is going through the dtc compiler to generate the dtb fed into
+the SP package.
+
+.. code:: shell
+
+ {
+ "tee1" : {
+ "image": "tee1.bin",
+ "pm": "tee1.dts"
+ },
+
+ "tee2" : {
+ "image": "tee2.bin",
+ "pm": "tee2.dts"
+ }
+ }
+
+SPMC manifest
+~~~~~~~~~~~~~
+
+This manifest contains an SPMC attributes node consumed by SPMD at boot time. It
+is implementing the description from `[1]`_ section 3.2 (SP manifest at physical
+FF-A instance). The SP manifest at physical FF-A instance is used by the SPMD to
+setup a SP that co-resides with the SPMC and executes at S-EL1 or Secure
+Supervisor mode.
+
+In this implementation its usage is extended to the secure physical FF-A
+instance where SPMC executes at S-EL2.
+
+.. code:: shell
+
+ attribute {
+ spmc_id = <0x8000>;
+ maj_ver = <0x1>;
+ min_ver = <0x0>;
+ exec_state = <0x0>;
+ load_address = <0x0 0x6000000>;
+ entrypoint = <0x0 0x6000000>;
+ binary_size = <0x60000>;
+ };
+
+- *spmc_id* defines the endpoint ID value that SPMC can query through
+ ``FFA_ID_GET``.
+- *maj_ver/min_ver*. SPMD checks provided version versus its internal
+ version and aborts if not matching.
+- *exec_state* defines SPMC execution state (can be AArch64 for
+ Hafnium, or AArch64/AArch32 for OP-TEE at S-EL1).
+- *load_address* and *binary_size* are mostly used to verify secondary
+ entry points fit into the loaded binary image.
+- *entrypoint* defines the cold boot primary core entry point used by
+ SPMD (currently matches ``BL32_BASE``)
+
+Other nodes in the manifest are consumed by Hafnium in the secure world.
+A sample can be found at [7]:
+
+- The *chosen* node is currently unused in SWd. It is meant for NWd to
+ specify the init ramdisk image.
+- The *hypervisor* node describes SPs. *is_ffa_partition* boolean
+ attribute indicates an SP. Load-addr field specifies the load address
+ at which TF-A loaded the SP package.
+- *cpus* node provide the platform topology and allows MPIDR to VMPIDR
+ mapping. Notice with current implementation primary cpu is declared
+ first, then secondary cpus must be declared in reverse order.
+
+SPMC boot
+~~~~~~~~~
+
+The SPMC is loaded by BL2 as the BL32 image.
+
+The SPMC manifest is loaded by BL2 as the ``TOS_FW_CONFIG`` image.
+
+BL2 passes the SPMC manifest address to BL31 through a register.
+
+BL31(SPMD) runs from primary core, initializes the core contexts and
+launches BL32 passing the SPMC manifest address through a register.
+
+Loading of SPs
+~~~~~~~~~~~~~~
+
+.. uml:: ../resources/diagrams/plantuml/bl2-loading-sp.puml
+
+
+Notice this boot flow is an implementation sample on Arm's FVP platform. Platforms
+not using FW_CONFIG would adjust to a different implementation.
+
+Secure boot
+~~~~~~~~~~~
+
+The SP content certificate is inserted as a separate FIP item so that BL2 loads SPMC,
+SPMC manifest and Secure Partitions and verifies them for authenticity and integrity.
+Refer to TBBR specification `[3]`_.
+
+The multiple-signing domain feature (in current state dual signing domain) allows
+the use of two root keys namely S-ROTPK and NS-ROTPK (see `[8]`_):
+
+- SPMC(BL32), SPMC manifest, SPs may be signed by the SiP using the S-ROTPK.
+- BL33 may be signed by the OEM using NS-ROTPK.
+
+Longer term multiple signing domain will allow additional signing keys, e.g.
+if SPs originate from different parties.
+
+See `TF-A build options`_ for a sample build command line.
+
+Hafnium in the secure world
+===========================
+
+**NOTE: this section is work in progress. Descriptions and implementation choices
+are subject to evolve.**
+
+General considerations
+----------------------
+
+Build platform for the secure world
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The implementation might add specific code parts only relevant to the
+secure world. Such code parts might be isolated into different files
+and/or conditional code enclosed by a ``SECURE_WORLD`` macro.
+
+Secure Partitions CPU scheduling
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the normal world, VMs are scheduled by the FFA_RUN ABI invoked from the
+primary scheduler (in the primary VM), or by a direct message request or
+response.
+
+With the FF-A EAC specification, Secure Partitions are scheduled by direct
+message invocations from a NWd VM or another SP.
+
+Platform topology
+~~~~~~~~~~~~~~~~~
+
+As stated in `[1]`_ section 4.4.1 the SPMC implementation assumes the
+following SP types:
+
+- Pinned MP SPs: an Execution Context id matches a physical PE id. MP
+ SPs must implement the same number of ECs as the number of PEs in the
+ platform. Hence the *execution-ctx-count* as defined by
+ `[1]`_ (or NWd-Hafnium *vcpu_count*) can only take the
+ value of one or the number of physical PEs.
+- Migratable UP SPs: a single execution context can run and be migrated
+ on any physical PE. It declares a single EC in its SP manifest. An UP
+ SP can receive a direct message request on any physical core.
+
+Usage of PSCI services in the secure world
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- The normal world Hypervisor (optional) or OS kernel issues PSCI service
+ invocations e.g. to request PSCI version, wake-up a secondary core, or request
+ core suspend. This happens at the non-secure physical FF-A instance. In the
+ example case of Hafnium in the normal world, it boots on the primary core and
+ one of the first initialization step is to request the PSCI version. It then
+ launches the primary VM. The primary VM upon initializing performs PSCI service
+ calls (at non-secure virtual FF-A instance) which are trapped by the
+ Hypervisor. Invocation from OS Kernel ends straight at EL3. The PVM issues
+ ``PSCI_CPU_ON`` service calls to wake-up secondary cores by passing an
+ ``MPIDR``, entry point address and a CPU context address. The EL3 PSCI layer
+ then performs an exception return to the secondary core entry point on the
+ targeted core. Other PSCI calls can happen at run-time from the PVM e.g. to
+ request core suspend.
+- In the existing TF-A PSCI standard library, PSCI service calls are filtered at
+ EL3 to only originate from the NWd. Thus concerning the SPMC (at secure
+ physical FF-A instance) the PSCI service invocations cannot happen as in the
+ normal world. For example, a ``PSCI_CPU_ON`` service invocation from the SPMC
+ does not reach the PSCI layer.
+
+Parsing SP partition manifests
+------------------------------
+
+Hafnium must be able to consume SP manifests as defined in
+`[1]`_ section 3.1, at least for the mandatory fields.
+
+The SP manifest may contain memory and device regions nodes.
+
+- Memory regions shall be mapped in the SP Stage-2 translation regime at
+ load time. A memory region node can specify RX/TX buffer regions in which
+ case it is not necessary for an SP to explicitly call the ``FFA_RXTX_MAP``
+ service.
+- Device regions shall be mapped in SP Stage-2 translation regime as
+ peripherals and possibly allocate additional resources (e.g. interrupts)
+
+Base addresses for memory and device region nodes are IPAs provided SPMC
+identity maps IPAs to PAs within SP Stage-2 translation regime.
+
+Note: currently both VTTBR_EL2 and VSTTBR_EL2 resolve to the same set of page
+tables. It is still open whether two sets of page tables shall be provided per
+SP. The memory region node as defined in the spec (section 3.1 Table 10)
+provides a memory security attribute hinting to map either to the secure or
+non-secure stage-2 table.
+
+Passing boot data to the SP
+---------------------------
+
+`[1]`_ Section 3.4.2 “Protocol for passing data” defines a
+method to passing boot data to SPs (not currently implemented).
+
+Provided that the whole Secure Partition package image (see `Secure
+Partition packages`_) is mapped to the SP's secure Stage-2 translation
+regime, an SP can access its own manifest DTB blob and extract its partition
+manifest properties.
+
+SP Boot order
+-------------
+
+SP manifests provide an optional boot order attribute meant to resolve
+dependencies such as an SP providing a service required to properly boot
+another SP.
+
+Boot phases
+-----------
+
+Primary core boot-up
+~~~~~~~~~~~~~~~~~~~~
+
+The SPMC performs its platform initializations then loads and creates
+secure partitions based on SP packages and manifests. Then each secure
+partition is launched in sequence (see `SP Boot order`_) on their primary
+Execution Context.
+
+Notice the primary physical core may not be core 0. Hence if the primary
+core linear id is N, the 1:1 mapping requires MP SPs are launched using
+EC[N] on PE[N] (see `Platform topology`_).
+
+The SP's primary Execution Context (or the EC used when the partition is booted)
+exits through ``FFA_MSG_WAIT`` to indicate successful initialization.
+
+Secondary physical core boot-up
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Upon boot-up, the SPMC running on the primary core performs
+implementation-defined SPMD service calls at secure physical FF-A instance
+to register the secondary physical cores entry points and context information:
+
+- This is done through a direct message request invocation to the SPMD
+ (``SET_ENTRY_POINT``). This service call does not wake-up the targeted
+ core immediately. The secondary core is woken up later by a NWd
+ ``PSCI_CPU_ON`` service invocation. A notification is passed from EL3
+ PSCI layer to the SPMD, and then to SPMC through an implementation-defined
+ interface.
+- The SPMC/SPMD interface can consist of FF-A direct message requests/responses
+ transporting PM events.
+
+If there is no Hypervisor in the normal world, the OS Kernel issues
+``PSCI_CPU_ON`` calls that are directly trapped to EL3.
+
+When a secondary physical core wakes-up the SPMD notifies the SPMC which updates
+its internal states reflecting current physical core is being turned on.
+It might then return straight to the SPMD and then to the NWd.
+
+*(under discussion)* There may be possibility that an SP registers "PM events"
+(during primary EC boot stage) through an ad-hoc interface. Such events would
+be relayed by SPMC to one or more registered SPs on need basis
+(see `Power management`_).
+
+Secondary virtual core boot-up
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In the example case where Hafnium exists in the normal world, secondary VMs
+issue a ``PSCI_CPU_ON`` service call which is trapped to the Hypervisor. The
+latter then enables the vCPU context for the targeted core, and switches to
+the PVM down to the kernel driver with an ``HF_WAKE_UP`` message. The NWd
+driver in PVM can then schedule the newly woken up vCPU context.
+
+In the secure world the primary EC of a given SP passes the secondary EC entry
+point and context. The SMC service call is trapped into the SPMC. This can be
+either *(under discussion)*:
+
+- a specific interface registering the secondary EC entry point,
+ similarly to above ``SET_ENTRY_POINT`` service.
+- Re-purposing the ``PSCI_CPU_ON`` function id. It is
+ assumed that even if the input arguments are the same as the ones defined in
+ the PSCI standard, the usage deviates by the fact the secondary EC is not
+ woken up immediately. At least for the PSA-FF-A EAC where only
+ direct messaging is allowed, it is only after the first direct
+ message invocation that the secondary EC is entered. This option
+ might be preferred when the same code base is re-used for a VM or
+ an SP. The ABI to wake-up a secondary EC can remain similar.
+
+SPs are always scheduled from the NWd, this paradigm did not change from legacy
+TEEs. There must always be some logic (or driver) in the NWd to relinquish CPU
+cycles to the SWd. If primary core is 0, an SP EC[x>0] entry point is supplied
+by the SP EC[0] when the system boots in SWd. But this EC[x] is not immediately
+entered at boot. Later in the boot process when NWd is up, a direct message
+request issued from physical core 1 ends up in SP EC[1], and only at this stage
+this context is effectively scheduled.
+
+It should be possible for an SP to call into another SP through direct message
+provided the latter SP has been booted already. The "boot-order" field in
+partition manifests (`SP Boot order`_) fulfills the dependency towards availability
+of a service within an SP offered to another SP.
+
+Mandatory interfaces
+--------------------
+
+The following interfaces must be exposed to any VM or SP:
+
+- ``FFA_STATUS``
+- ``FFA_ERROR``
+- ``FFA_INTERRUPT``
+- ``FFA_VERSION``
+- ``FFA_FEATURES``
+- ``FFA_RX_RELEASE``
+- ``FFA_RXTX_MAP``
+- ``FFA_RXTX_UNMAP``
+- ``FFA_PARTITION_INFO_GET``
+- ``FFA_ID_GET``
+
+FFA_VERSION
+~~~~~~~~~~~
+
+Per `[1]`_ section 8.1 ``FFA_VERSION`` requires a
+*requested_version* parameter from the caller.
+
+In the current implementation when ``FFA_VERSION`` is invoked from:
+
+- Hypervisor in NS-EL2: the SPMD returns the SPMC version specified
+ in the SPMC manifest.
+- OS kernel in NS-EL1 when NS-EL2 is not present: the SPMD returns the
+ SPMC version specified in the SPMC manifest.
+- VM in NWd: the Hypervisor returns its implemented version.
+- SP in SWd: the SPMC returns its implemented version.
+- SPMC at S-EL1/S-EL2: the SPMD returns its implemented version.
+
+FFA_FEATURES
+~~~~~~~~~~~~
+
+FF-A features may be discovered by Secure Partitions while booting
+through the SPMC. However, SPMC cannot get features from Hypervisor
+early at boot time as NS world is not setup yet.
+
+The Hypervisor may decide to gather FF-A features from SPMC through SPMD
+once at boot time and store the result. Later when a VM requests FF-A
+features, the Hypervisor can adjust its own set of features with what
+SPMC advertised, if necessary. Another approach is to always forward FF-A
+features to the SPMC when a VM requests it to the Hypervisor. Although
+the result is not supposed to change over time so there may not be added
+value doing the systematic forwarding.
+
+FFA_RXTX_MAP/FFA_RXTX_UNMAP
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+VM mailboxes are re-purposed to serve as SP RX/TX buffers. The RX/TX
+map API maps the send and receive buffer IPAs to the SP Stage-2 translation regime.
+
+Hafnium in the normal world defines VMs and their attributes as logical structures,
+including a mailbox used for FF-A indirect messaging, memory sharing, or the
+`FFA_PARTITION_INFO_GET`_ ABI.
+This same mailbox structure is re-used in the SPMC. `[1]`_ states only direct
+messaging is allowed to SPs. Thus mailbox usage is restricted to implementing
+`FFA_PARTITION_INFO_GET`_ and memory sharing ABIs.
+
+FFA_PARTITION_INFO_GET
+~~~~~~~~~~~~~~~~~~~~~~
+
+Partition info get service call can originate:
+
+- from SP to SPM
+- from VM to Hypervisor
+- from Hypervisor to SPM
+
+For the latter case, the service call must be forwarded through the SPMD.
+
+FFA_ID_GET
+~~~~~~~~~~
+
+The SPMD returns:
+
+- a default zero value on invocation from the Hypervisor.
+- The ``spmc_id`` value specified in the SPMC manifest on invocation from
+ the SPMC (see `SPMC manifest`_)
+
+The FF-A id space is split into a non-secure space and secure space:
+
+- FF-A id with bit 15 clear refer to normal world VMs.
+- FF-A id with bit 15 set refer to secure world SPs
+
+Such convention helps the SPMC discriminating the origin and destination worlds
+in an FF-A service invocation. In particular the SPMC shall filter unauthorized
+transactions in its world switch routine. It must not be permitted for a VM to
+use a secure FF-A id as origin world through spoofing:
+
+- A VM-to-SP messaging passing shall have an origin world being non-secure
+ (FF-A id bit 15 clear) and destination world being secure (FF-A id bit 15
+ set).
+- Similarly, an SP-to-SP message shall have FF-A id bit 15 set for both origin
+ and destination ids.
+
+An incoming direct message request arriving at SPMD from NWd is forwarded to
+SPMC without a specific check. The SPMC is resumed through eret and "knows" the
+message is coming from normal world in this specific code path. Thus the origin
+endpoint id must be checked by SPMC for being a normal world id.
+
+An SP sending a direct message request must have bit 15 set in its origin
+endpoint id and this can be checked by the SPMC when the SP invokes the ABI.
+
+The SPMC shall reject the direct message if the claimed world in origin endpoint
+id is not consistent:
+
+- It is either forwarded by SPMD and thus origin endpoint id must be a "normal
+ world id",
+- or initiated by an SP and thus origin endpoint id must be a "secure world id".
+
+Direct messaging
+----------------
+
+This is a mandatory interface for Secure Partitions consisting in direct
+message request and responses.
+
+The ``ffa_handler`` Hafnium function may:
+
+- trigger a world change e.g. when an SP invokes the direct message
+ response ABI to a VM.
+- handle multiple requests from the NWd without resuming an SP.
+
+SP-to-SP
+~~~~~~~~
+
+- An SP can send a direct message request to another SP
+- An SP can receive a direct message response from another SP.
+
+VM-to-SP
+~~~~~~~~
+
+- A VM can send a direct message request to an SP
+- An SP can send a direct message response to a VM
+
+SPMC-SPMD messaging
+~~~~~~~~~~~~~~~~~~~
+
+Specific implementation-defined endpoint IDs are allocated to the SPMC and SPMD.
+Referring those IDs in source/destination fields of a direct message
+request/response permits SPMD to SPMC messaging back and forth.
+
+Per `[1]`_ Table 114 Config No. 1 (physical FF-A instance):
+
+- SPMC=>SPMD direct message request uses SMC conduit
+- SPMD=>SPMC direct message request uses ERET conduit
+
+Per `[1]`_ Table 118 Config No. 1 (physical FF-A instance):
+
+- SPMC=>SPMD direct message response uses SMC conduit
+- SPMD=>SPMC direct message response uses ERET conduit
+
+Memory management
+-----------------
+
+This section only deals with the PE MMU configuration.
+
+Hafnium in the normal world deals with NS buffers only and provisions
+a single root page table directory to VMs. In context of S-EL2 enabled
+firmware, two IPA spaces are output from Stage-1 translation (secure
+and non-secure). The Stage-2 translation handles:
+
+- A single secure IPA space when an SP Stage-1 MMU is disabled.
+- Two IPA spaces (secure and non-secure) when Stage-1 MMU is enabled.
+
+``VTCR_EL2`` and ``VSTCR_EL2`` provide additional bits for controlling the
+NS/S IPA translations (``VSTCR_EL2.SW``, ``VSTCR_EL2.SA``, ``VTCR_EL2.NSW``,
+``VTCR_EL2.NSA``). There may be two approaches:
+
+- secure and non-secure mappings are rooted as two separate root page
+ tables
+- secure and non-secure mappings use the same root page table. Access
+ from S-EL1 to an NS region translates to a secure physical address
+ space access.
+
+Interrupt management
+--------------------
+
+Road to a para-virtualized interface
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Current Hafnium implementation uses an ad-hoc mechanism for a VM to get
+a pending interrupt number through an hypercall. The PVM injects
+interrupts to VMs by delegation from the Hypervisor. The PVM probes a
+pending interrupt directly from the GIC distributor.
+
+The short-term plan is to have Hafnium/SPMC in the secure world owner
+of the GIC configuration.
+
+The SPMC fully owns the GIC configuration at S-EL2. The SPMC manages
+interrupt resources and allocates interrupt ID based on SP manifests.
+The SPMC acknowledges physical interrupts and injects virtual interrupts
+by setting the vIRQ bit when resuming an SP. A Secure Partition gathers
+the interrupt number through an hypercall.
+
+Notice the SPMC/SPMD has to handle Group0 secure interrupts in addition
+to Group1 S/NS interrupts.
+
+Power management
+----------------
+
+Assumption on the Nwd:
+
+- NWd is the best candidate to own the platform Power Management
+ policy. It is master to invoking PSCI service calls from physical
+ CPUs.
+- EL3 monitor is in charge of the PM control part (its PSCI layer
+ actually writing to platform registers).
+- It is fine for the Hypervisor to trap PSCI calls and relay to EL3, or
+ OS kernel driver to emit PSCI service calls.
+
+PSCI notification are relayed through the SPMD/SPD PM hooks to the SPMC.
+This can either be through re-use of PSCI FIDs or an FF-A direct message
+from SPMD to SPMC.
+
+The SPMD performs an exception return to the SPMC which is resumed to
+its ``eret_handler`` routine. It is then either consuming a PSCI FID or
+an FF-A FID. Depending on the servicing, the SPMC may return directly to
+the SPMD (and then NWd) without resuming an SP at this stage. An example
+of this is invocation of ``FFA_PARTITION_INFO_GET`` from NWd relayed by
+the SPMD to the SPMC. The SPMC returns the needed partition information
+to the SPMD (then NWd) without actually resuming a partition in secure world.
+
+*(under discussion)*
+About using PSCI FIDs from SPMD to SPMC to notify of PM events, it is still
+questioned what to use as the return code from the SPMC.
+If the function ID used by the SPMC is not an FF-A ID when doing SMC, then the
+EL3 std svc handler won't route the response to the SPMD. That's where comes the
+idea to embed the notification into an FF-A message. The SPMC can discriminate
+this message as being a PSCI event, process it, and reply with an FF-A return
+message that the SPMD receives as an acknowledgement.
+
+SP notification
+---------------
+
+Power management notifications are conveyed from PSCI library to the
+SPMD / SPD hooks. A range of events can be relayed to SPMC.
+
+SPs may need to be notified about specific PM events.
+
+- SPs might register PM events to the SPMC
+- On SPMD to SPMC notification, a limited range of SPs may be notified
+ through a direct message.
+- This assumes the mentioned SPs supports managed exit.
+
+The SPMC is the first to be notified about PM events from the SPMD. It is up
+to the SPMC to arbitrate to which SP it needs to send PM events.
+An SP explicitly registers to receive notifications to specific PM events.
+The register operation can either be an implementation-defined service call
+to the SPMC when the primary SP EC boots, or be supplied through the SP
+manifest.
+
+References
+==========
+
+.. _[1]:
+
+[1] `Platform Security Architecture Firmware Framework for Arm® v8-A 1.0 Platform Design Document `__
+
+.. _[2]:
+
+[2] `Secure Partition Manager using MM interface`__
+
+.. __: secure-partition-manager-mm.html
+
+.. _[3]:
+
+[3] `Trusted Boot Board Requirements
+Client `__
+
+.. _[4]:
+
+[4] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/lib/el3_runtime/aarch64/context.S#n45
+
+.. _[5]:
+
+[5] https://git.trustedfirmware.org/TF-A/tf-a-tests.git/tree/spm/cactus/cactus.dts
+
+.. _[6]:
+
+[6] https://trustedfirmware-a.readthedocs.io/en/latest/components/psa-ffa-manifest-binding.html
+
+.. _[7]:
+
+[7] https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/tree/plat/arm/board/fvp/fdts/fvp_spmc_manifest.dts
+
+.. _[8]:
+
+[8] https://developer.trustedfirmware.org/w/tf_a/poc-multiple-signing-domains/
+
+--------------
+
+*Copyright (c) 2020, Arm Limited and Contributors. All rights reserved.*
diff --git a/docs/resources/diagrams/ff-a-spm-sel2.png b/docs/resources/diagrams/ff-a-spm-sel2.png new file mode 100644 index 0000000000000000000000000000000000000000..6479ff55989e8699a0dfe0acf78dc988a121c00f GIT binary patch literal 83369 zcmbTebyyYQ);_%H?rzzDba&TAO6l%y>5`W25*0-{m6q;KK|s1wy1V&i<2mR3{r$~# z0egm-d1Bq`UiVth15qkUvKXkOs2~ssLtYM|1_B}EfIzVL$cVs|?eF@;zz=vgDR~WK z;P6AXhy>0_++}p!)t#)|y-Zy#LDr5=Z!KBf%v~)l9o=l4+>hYe#6X}IAbE(ShWEGq zMK5m+%Q?j3yVuG`)U=`QdP3L`Nf<^mNo;(g(VAR)r{Vy!qqhX^iv-RGEg@=e&zUTw za9_Naco7Q!XP#Dl`6z)F+awu<(T!{M(NMcg@ypfFf;HC{!Lx5$&E>SA*e}4)qv^+w zAJ{lJ?*|7J8ghXTI5-U~VGA&k|2vAj%&EWr?<}&B0BsENzhk0QC-UXhm)@|9QP{ptQ| z@=E#9?n0A_!Px|-jtq(>74{Tld3hP)wlQ2_D$xTR@Nhi18=AsFo|wS+YSL=3e?7jV zM$9t`Lt45=-8&sZCQS+F#Cy5YIe}~wpKtzGmVM<@B})CudrJnP1GgGBX1F_+pbg6K zYtt@{k{fFq)HRw16SkT6AD?_tt40)i|2jFy#wA+w3;&K?ymd$o!{r=^I{x(S;hG6O zPzrB;ENV_*LwFMNd?VBw+` zmKp9Rr|bDPzU-krk%cFZm+>FTLj%UCbZX2H0u0;mkm4yi8|w;a6m;X#ot7h;+E~JE zDj$se2}wiY4^p=(tnQ4j_sTajDMpWe%i0bY-Cu9pT8d_wIT(5jNyQxO;066l8DB1cM{zWJzLHr600_ zNM?7w9BdO;uC6>$_5>Tgl=HV*$uI2fK%;L81-1XwPGFJsvKVZ??-TDZWd_Nq(C2}T zKAAbn4*YL?=`6y>tDVC|VVJoYkFZZ)NwAFn+M4tDbKX8GpX{`RtWJw#ejNmV6Od(N zO03z#E>U?QVv6jy?{}zZ;3ZW*qxidN&asi9ils-~kPyPdBT2x}fj{7_GAnY{h4@HJW4HgN z27J`BlKj;p4%v$vQ#n5!GUHDRoVx^~@l*?;>_-Y=o86bQawA;Qa-`@A9@p<@BS=eVOnDSZitXgllrIs_byz{G&v{z^&Vj&!dpKf#l zn?LUDlvvK(+;G>ss4?Zhie_utuM*(Lt$tp9&#y%R>Dsxw*fQKMOv$3;!V+eoSky-I z6vM%)0pr)Pl)tZ_>}Vpgf5GUUT3uurAq=>u2OYoPURPePPtbORBJ9@i{Sv>ZOuG(BRjI*r7SCBN>g--m{T%shT72*f&3=FZEz{+-8S`A2VP8oQ7cNRj%jndO zvAkWgrrM7zXZMU5A9%$him<#Wul01}7;KSUy9K}bi+UEx_o9kR-3R7>oDXE*3Fwa0 zW(#;x{cuo#MZiaoZRnLfuu1WPeK_2ox z#dBc5=tdZKYLC-42DL3DxNPO^Tu=WooUumGkXB2~LIg2m9*HC8snyUtqt&aJqajQnNp^MreR=Lf?CuXs7tFtU*wby=JQ8sr!2 zxWfu*QATu^W4`8GtSvvKvLtu;hbfifPToJsa_ffiYQhdtcrD)`#(0Y-K4cUMBVC4ZCzLgfa$F&}L5|#>8YSG7Reb>F8s%(Dd%m!f57rGcEd^BIOvJ+ zE?{lWiCKR^g|;;fk1Zux>N?g>qeN^D98nRyX6%UP!Xz)}nA?-qFx(d8bMgxVMhd2e z`0>wSfq4VwVR1$D{S6T+2JNcH@N`ZO4l@)_czjhjs&@_fFIXipbP^;oRn4A$%BaSc 
zZ?#0f@xZ+`IK#~#-||>1*kq%&w1G|jgGjAs*^?A&$WY}bTN|v*>C{TOxl(*G@y2dn z%p|N+7-wLtPH$gxB3{s6c9sF=-KCBzN)g}O&=15Cve9iEx`rF1FE2Y;^T3q|B&3|*&_A6ASLF{q9ZB|j*t-Y<_Zxk$1%egUt~=wi>f!`zsleNz;s z-0ueW<>lL1<1&d%#V0JUcn#?Zr>=xwXrx4gwUj|(#iV>;Shyc@Nz3c^R$5_STI3&v zBQT-M$wSE6*q{o8$yK{Es{dnZ_gCLrG&=m8k+;Q=kaV2MwnfIAkJ!m0@F$sYg`Vep zo+$ECUN;dr)vI1E)~QkqQb*Wr=}Q(4#rVuyuaNUM7}>sNGNaoc;yirB{yOFq72^3d zbYvs%cQ&R62Fh6Wzn>jI_{;fiE_>e4&!XTNKx5Rfj+#We%Z9IZHYt&;azh_YGV%z< z%y4<3LDQPP!%8dHX}?*QvstZQTA-(zT=$0Mi@0_yx(2GeT67}w6aDGjer*|1+w!C_ zLpDC=Re7E7J{=_F`q7C}D)^N_^-5v|Dm7#g%d9qmHY=9!s>f`xub-4Y`mtjY61*xRwWT}6*=y>YlZJN9uB^Y7e)B}qP2VA- zDByTJ-4?88Go7q^yqAK>-}bt*Q?>SLi#59$jxz@z=}*@iUQDl%vdc?wziRd`+R3Vr zzGDilu!tfG|AB!2eyzarvW$@i5CLVq@it%~G$z{odb)NiG``J@&7g2v<%Lu%tP!m72Nu5%a%% zVW?%oPDu$J^=!5mEOslBHk6i#5Q-3*_^(2g)fFL!`r&wLu$ix-kx1!3^*$;Gl(=|SLQGlQ=M zqU(;VcRwrYBqdJCgS(3gK($@h4|U`^S-r;t>o^u$uJoowA(EhEHWeWs~AuD zRRICvg87jn8S% z9D6QYtOHKeWP8Cx46a!TjIg8njZUviz61PKwi9c992a<^{pto$v7F$u2hKz?sm zqIWNdsq+!}ZoccxVzxexF zMCM=|ib?Ng)ej%vi!f&?k;mt8+f~8x>XHbUAWTTBC5`&|N+Wt&q`_G7gk$a5^QZll zV8hgd(KJBC6(Kz;cAsV=uT(fzc++L#yUfOll$d7yK5=53iU5-iG(W~-@p%s90e+QN z{WG`ZpOM%JGVBX#LvwaG*!5KGPKEf4-_LZey_Gh z?>rH8liC_!V1HB{k)PV_7F1FQjPdg9vNVPV5vEIr%*_hA=h!nGm;5`=rr0JwHQNGe z17nOSFvKoLup;LVOd|E!sQP?X9b9MNA{ZUdy(CNAM4sH^jor!mT&FE<|bqxb0sOFql;cd{y z5>YlxsfhB0&;7@@h$*IW@)!}YgcgO?9V{u4ib|p76DR%%@Pl4EF8xfBA2`k-s%d~L zHWG=uMs4rgsB?hj1UiCml~BQ?0f9n+Nq|D_4l^dpZP@mJ?HPkj#p zI|qSDU{bbU-?1gzIBoKTW1EySmDk;eEMfdAv}*BNk@8 z3rDtmjhfsX6wV@gspr6Ozc1hX(NVH(&!}6vi;Owz6S?S5blAZeeA;hImTzT${mv$M z1w%b|T}jy!NN+RxGp!&q#PMrZf#cVz9nw>wF<$s@hFdBu;RW8(JYE>K^W(hu3lqE( zDcRrM82%`2srX*iFcLiHU(>jMi;p`OB98AroE>Mr4X^E^)DN?q9}dbB*2NAZnZ0$; zdC|dY%MdOg=C#BYJ<0&Fp_@@~t*GlZ>Z!#H^uOe5m1lpSf0H>hJ8BJ(19~!E^Y4Z3 zZ*k`i+*$hx8+jkJ)8zG7d2m7cjPW05l;-=xbC;VV!)6I3a3b^a0^<5eF=j`PIN>VR zoE<4+3&lSjV7KZtqfSbN!33s-oPCXl(M$@#-g+s?V;sRjLjd80k;;b&~hEM=vI;*g9fos3i=91|JYFAvn>a;ow=6RYvP<+M`v z7h}}y5k84Np-xRP;dtGV)r$`-@#YR2N)@sS6uprcG~q3Y_*q$KA-wd?AK^zc{n|hw 
zo4uZha+VM?98w9c2%Z}De1?2f`UI2?5FZ`5KVL3dd7ha0CX>$AKYW*lM5HE0& z|FNp{1zgjhL!t<7BDt4U)TE~X+?T(6a*dEYOrdv8T&@giaQHzt?0zR>N)zezJ)yw_ zPZ7mO#?f3b5~A<}CvmdKpZs_FO9)iFy|WG@v^fH;-^R%Pkm(JcKiU7PC)c5V(k&{j zOsReSx^tg7IICj6cWp~dGUK~tyIM)$rH{y?FKdb_|5{vN1`;dCJ^+!6`E8+r;q;h) zSPgarT4_+;d#$eWZlHYgyYoXE#C>W({SS8eBdI>tU(?LTW$(*kaMqDS^L@8W#d7t+ z1fBbBa7Z)7J1;v-N(B#whIJv?fZ-Weop;lD4k8;^vvjL z>RY4j>RWz}V}d+I-`$ED>=~+BEA4H3c5R&&SsTL<`MfY-ScM{R58N?p0*%S2Leixn zkck+1f9HcHW0UEmFWw%%Tt#>-5i+h&q+h!;+%Ke5kTR*H1Y*nnh{cu)-ddT}IbI}7 z9rd%SeMfB~^CDS2x5-h`_&e6)dyV;KgOQ_TiZu*b@D z9ub*C7*vv*DAKNwRvII$a?k%JxV&INL3yKXGikL`xy&T#dy?y|#L_O#{<{72*GsTq ze{imFK+oVo7)K-B3KdmzjIO^vIkP-W{qDun%F%pzSD&I|*J$X7%S}BsvV`E}+ed;x zi;q$`E(A-ur+jQqjef;I|H#p@qLoEmJPaeQG;tzVBv0|4V8Gzd|5LH&X3gDVnoSdu^Hpmzt0p+p}l8%A?~x-Vo=LY=ISQ3BYkbn z{y0sQ7U%~AU2!+(o#59ZbEl5F`GB5aVfHT2ykp7ZuDRdk_)Gko*zRxiVm+G_%d52= z^kNT{#+gy1*+Ir;T;ShDk@^+JnPGa_L0)F4W=ai)an})_OfH)0%sXEwr#KkDr)%3) z#R*_tGHio6La$p(B~a->mw3JY#cyAJBv_RJ=c53LSKuS_Qkw_I5B`9#o|x8lrwEZG z&jS&^)^~7^{_irmQJbSHNUoO)YIM$5G|+1gI{#oj#e`*+_KFQVFC2IBUn@RQ9LhNh zCke}DB7~@b1uAcL8ccM*jX(`r1#V z$51W^M7#RwGPs|khO_k$iE~~XH@Q!9?QBrpiRyt&bN@%QF-iS-{AVQ z&t_w;38k{Fc>KM)q*siGW}Nnii))7sRXuc3l2WYlQe=XL_x$6|3Wsw?WduvOp_@4f z;N`h5{sdAwuHD63wxRIyHd1Omp#z^I?^>C04xUP}aT>~iHKEn@bs8`9oQxhV+NHE2 zg5(Xxvd2cfLmmL)8?ZA|uOQaSr;@wJy*nhdn&ggw>jBl1_v3&#jaHOgvvu<-LMjBS z(o6F1Q#T9H@28Ym@2#TmGu26wd=1UZy1Xh9D0JI)07&Y$J7&7!w2Haovph2NT3I7=$1hnYGb*>48$9?9AY%~sBZB9b@N_r*^`6U!frfx zII0Qinwnvek;ocaT7wi}jUQ-XSldVi@16`}S&xi~MK??xPMRqdVE3dp~ z8lZPb4xDW$cpn14V^s3QM0j3Ad0r{|&1q1Q2>n!q@!t<;DI+3hL)@+rSxZj84#Cam zJA4KK0X(3UHgU_9T!L8vzY;{-5GfEyxwQ>vxqJ~RM$<$kFmQs5wf-qxywdNNB>Y_i z4a+FryReVmr-5Y9D|x*LUB3)NE=a<>4}Kk7bGLv#`~ky&s7m{L*NnN6)K%V}txLmz z*aI2~jGvN1zWQ+E=D@;$yjm`VKRF2^J9)8!rJ7x;s|gcW4HEw9W10aCUi`H4+`iI6+UWD4x^^pOqgiI-p2sM`-GsW)d|lfK^V;nV z^=RMl>T;lyUtIMuVquTCwb@L&80J$zku?WtT&j4W7^Uw% zXG89&uIr_*;jb$v!R5WVIeNkPi~R$24jIH|O13f(o{Yzr$!^>l7%lq9MXW(qDlb;G;*SGtTFAJ}2Ect3Jh*n!7UV=cbXiO@) 
z_Mzp4gm9e?Akggt9mki_ZL*d3$0qDLZ()U9<6%H%oqpIW2jQe4D885<;Xt@KaI0mS ztKMNSH$9UoOnG?5yJx7(s#=R6b}wE;S$GhL3o9jO$wsmwQy47W3(+&N4!t17x?IK zKFC6Hc>joDTigCwX}(|9ky~ z@0~kepzL%@1+1dc*JuES5#@B?oQ&8o8`tRjH9MUWzHUB>A?zgk`PMpO>c=>wsnQ$3 zY`f@I3%sH|Q3H_%aA;#?VPQ7Y>Ka-RZ**lj&0l|8P~9fio;K+%vHonj^J{z~9#90d z!ba1QN;o8I!(bj&_GCVWJm3Q;6wx~;GlUbe#YC7L)i_;=3a8~L%HV|#4$5WX`|n-= zWS9x!*O+~xH;=CXw-KNQYS~GCfYvXxY3+`T^ohvLuPG|Czf+vdt44lJL9w0(unUCV zb`ll-_7vAMIrCL%`vRjpW*@KeUkQtm;!G!L%Tm=tVhAL?SBgil=f}Z~P9wE4aA88` z@lG9)&ywn+Fk;d#pPi~wSJ@Z4lK_-f{x;VLlh+E7vjVhiW@|U>L+;H zFA|OTLFT{j1M2KCN7IL0g~gt~C_;*4Z(SAx8fdU_lJI6iB~*3OyIc}}lfW1&m*U|j zG20mpB}Vp70viLAIM;Io3<3wR8_cm)iEjF;Eex=!<~CEm`h4ix5sv(=X)2lV+?i8U z=95i+VPJg&UOEJ!DpUWZ7rLv<$g&XXqmdBsFpdW)+SmrZ(IKg~uMKb)#E_O}bbNK$ z-Av;}I3~KM8W=o%Iv%6`H(p|*cyc1GlD_RV(Dwt+dHZ5jHC=XK?*Hv$5R}<`ueLuV z$_8B711~ZM_~TtpaHIhhv_rzK38rp@M0_;6te+hFrE5c!xIfII(r5?L|J*C93-~Myt6EM- zvKBXA_;P?E1X&?0)D-ScfSljlfn3Dhj-D2*UENlJYlWt)ft|Dm?8x{gRjejeyt;-8 z*-B;)SdO_0{GB3NO~$5`DMys1D2z;D#sr5or|h z#ijgRFGHcmYqa-4oi+gH7`=z?A=_tR#D;ptgon_z)Bnfnf(QitVl$VWR*(&$DQohM z_c=fK`cgEfbMunZMIo25ZBP0D7BB2N0uEFCjPiijWhK&{V;nmR9F7Uv0tOZOKj%U| z_mob|OatyIin)Hbw^F8ABe=Qs2I+X1szFHsvZ40_G<+Cs zP-6V<5^&D3;BDKypz2e?NCfG!THif_TrP0Di~I)&T9jkgX#w)9jXSc+>!c{;6EBfC zq;%g)A}w%ELS0u+XH=w*5Mj;$W5BFC2r;)|+;Hp`F06lWirTTefKB1m1ZOfQ@zG{YH=N*q7j1t{z4HyAdCdm&#u;E2VyZ0BtxgzXD_3& zc`h;12LU<}zZ0IJ{A{nA`5w3=TrygK4nAKT!mU3O$X|-m&NSnrM4)LFt@pe>ee|1c z`b}6K7=~^Lj2B{+rmf$oz5*|6{Q&J+J>ZFlUo*gfpr*9#UYXj`rU&ONNq%{|rPn}i2b?sNEMH$qPn3p3uGjM$ zhz0@J0A9FM?-twTlHq8_K&vz?dD(IoLOJR23b_558-Xd9B8??XEv@D2bJ!#wgOuL3 zh3!3$#&$vh{>D{I)0M(l%wI70pAA~ zHl$Pm9qZS}jIPtbYYdozgC~{quHi2L0ivrj=5ca1d?m;RD%9G<*oP6hP2guf8?%*B~KySumFfHE=#YjM|=y&E*vq=BLb?I_~yzxlj(12%`L9zmm( zjIM{M0uu(%LJpgn(fEpUM+!4rWbcp*TzX1me~ow3zt=Dl;4XOB0j){qs+mlMN&>-; z?Ul8s6xdaUs&vEb6J$cT0th-MX9aNAn^>Ot*cXIO{w;8OT=D%BA^n#A&8~G&+N$Z^ zmSCy(`UWKmRc1~vh2$<5z@{q2*B9UR?*fL!CU}n_2sjO50e_(Oy|x^O@jJ7Q2X6Pt z3w%ms^MVHw3s~yWGNq}yLy{PflalSL%dqPv>F*{t;Xq(m9_VK*Fu;!cLWBi{kVlez 
z9~MNxK_$&xp?FVKP4x%}&ZrC2>fEZyh_^Aj?a*;j9`ry-@{2}qi8lgBBie&5m zF*?YJAO5BhppVE#IVp{-u8&Pfu1RV+S}v7RIft6M_T9#UJ;2=A)gdkEhWxb4XomtY z?muE@pS=VKAwVyhI~5{~Km7;%0FMLgKJe>JTt|`!iNfjlkB{ElbE}wr2ka%Gvu1A4 zIfZ5(e|e!+0q^oa9R~4JMnvqWl2W6#s)-Pw35B$CoZ>7_U)y517zX z!0|LvuHJr9Ne)sb2gv)ERhqzHpEU|pQ?Lil12JykImVsO$9DmA2?onQzi=k9`)jKjhC^uHH0D2e%L zF=!&r4=($-h*|3&;*3wWg1@A4b;%?eK)h8ht@x0yEiHHE6@Mhy2=Wg4w{Rbp3vaU8=(7~ zOn*Gyal=0pYq38_&-n&vPl-ShNXNucE$@R$zxZ$F9J(a};$j+y43G(gDQo;3;|ltm z+gpItIfX`}pu0DfcGtJ!2exE92K>KIyoBWMZztdF%8TsE3X$h(ph9SOa7gQ>QKG)} zb!EL${j~lrttq%kD=Z94c|ZB?^w?3t;#A4|S}0?;>mxckC3;+RoZ{Or7yDd*TagDp zEc^wu@dV>Hny=r$XC{oEo8(Xy_eh$YKTBFSY3%}1ok@?E&r)K1lQjt{lBW3E;kbLd zp&|)2EEHxn0PyYKIHev?9M)V|&A`()(SoO;!wdVI79Qh-eE}9KMYXe>r=ngipN~-1 zK6uuEYC3An|J<{xC)}8i!udb=d)L7=>(!Nia_qWwWeaxohmzkAF#9;;%VwhP;Qt*Pcm@iyh{F+J`2> zihLWukRu!WfeaYPe)EPo{ozEgDfjQQf~`)}aO{<3q~@Q!|wDHJ5>y{G*LST7qLJQCwjQCDJV{bvIIpF>OqQl7_?>r1t zV0M5MSP4_E1;`oMDh8v?!Bs?Nb@1&C&;*n&80h$rNo&-eeZC-B7z6|@ zrK&zG*v}f&Kb<-&9{+KL3Ii=V@|Byw;Ud+!Togud(&z zE(>@Cpy7J%+AM%*3QRYUx3@RO(!7lyEBZM46QGSUKs-G62?P163onq05kN(~y{69f zF{HsfF~;}e?4YQG7y59~I5hHc=#_AME%_I)R2Nr{Psb<(`zi$Qiay}tG<<4ntB2A; z%U8f>BC(x-8K{~6tZW<)WTH@$;XwCL4=@4@5psqn^(@pauCuU1k>1q^zWnDfUO+|z z&iOF-V~@h9L3#rnF&6=-bQJ$b01QA=G}ZtMaIoM1$8=m7IIAyW_^FX^Wt zk!Ie!z;k>#3h3=5`x}d;{AW3e8b7@@uG#b)jo-Ye%j#UMPtdZ;?KN?QdK>j4r3#bx z|1un2M7$q+-X=2cY+pEEVon=#L4XEC|EwSf{>%T0G*Jy)BmrfzTs|Aoh*$*`I=7Cj z##H|e#t)7DEmh3IrK%1It;uvEDpA&RTn5yIRriB0{4LbKPGc z%Jo}5)H}94M{1xB!4hDR48S@|llf${ri(lt?ZhiWt)qO)V!4lbhEo~R0w=x$6xQ@h z#)v9(-b_S)7Mo{+Qoyd{zcA|P+LuKc?G}lr>XZ$jD4h&|WtUlvAmz5j)K9zpr&8i~ z!b~prDx!8wEEUKoc3!+9(xTWr-Be@iQrMrfgqy?()A)4~;thH}=9*)#9gS_K0ugH|`LEq;hPwi+1uRhUi z^})>~;>NpR^}XP$PA9_IZsxf5DKAr6q=R(0I6Q2F2E&VR#G}G&c2lb*sWJPYC5WZ* zwNM^Nne|C@4#V#>AV$EaL73g9cihLc4})!cWn^Gi?R_AR#iK~tQ`R+k{l-z=5y%!{oMzb2O=7m9Rj0KxgZAiuG_6M6_Z3? 
zdLij73nz>c1JNX*9iZT7qJF6gIAjCMZ=5$1Er_9at5IzUP_@LvL}&Gec*A*NyIWq&K9ma<34)zpNYf)7&aG z3|3E^0v7Rx=JJm-ZJc|=?RlJC^znGC133pXHn$Ucfs#s=RiCNDLnATL)l_yFrOLZK z>{R^FyxAmT+(O4Wm8|2%H`kj@K0MP|rA@9C-hP-M6iV%awJD_gu|p%LG!nW!)T9%A zM%1gx?8ZN^F$Wfp^~`rPw)OKQP8@6AFs!P5Zk*PSr zSHn;uli&nryLIA_0zV+$I|A{)QFK_+MB&vKHO zx3?D&iiojO*;6wM$x>~){MZ12fPktAEjL@V{WnBurCOi;$4h}-2T;nPTmVPe0oa{e zK4iNggk!K6k#Y-xMrc41XO5aV{wXmm|L9}Z+`>6F6GBQd21dRIgMo2GCq`I5F*mY0 z6`G91uj2A*)S|DH3l1FF8xiF9*O_V)we`^>8jkH_yb;dsih_g2WbtEBaY!tvfQR3+ za7?C}{sgIfU)jtLf=4+#jJ`bjP>Cp=Zo|KybUlfJG_>kvpW=FV2YDCFMQ&e_JF@m1TW;A)sbw)u?4-{J*yUE`$} zwt}Fnf~5&)&XsQJ9Qu#d042^cn;L;+jrlt^UL;a9pqcfw;BL$k; zH^TobdA%hn`6fxu-qG5^2MXe9rBcKDog=Y>7gQ|_+XzP3o!akJKKhiU#jqmEg=_AJ zDXmdL$RywHU5$I!I-lU7_(P?^ll{|elj(2K0D+Tzd0bkV^#`8qvkEhHg60DB-VIwx zWE54&iHX(z(}(Mab*>4%36rg-c<|1!vo|yCd5bOl=8{SKWfQ;o10~GgL}G(0ErI6W zKWt~ha}ug50@85!7;xNe$$JgRLK8VKG_=ruxG5&JauD4*aL4;sk&&s%nyp0=I&q_Z z|GvViawm%!@T&&wt_90hKS3oash|TWmz6$)l80>63r&KVb33uyHlh%*UADQ5#@9Ak zg=N<|@nXyN0LgX+l31I!U>*@WWt(%=^(-`C%U*>v~VrZxJ}*+@Sm zIx91krS4)PI22veVSNcJtW8$L1tF6gyOBrRt2tlzn{HEOzkgL6#5an@Io-G3sT$W~ z{40YCf5P1~Kpo+y7KsT#keLK6n{N@-t*lM9s=SKL? 
z1$|>K0@Kw*yS*n@!6ISsXaH$Zjl#B+KgY&zd;`}gOk7|O0`+;IZj+<$E*DUu%w6%G zXDnmXJ@w;l>v7F=3hQ_5fH&gj zny?(2)Lst*@6we?Hph{+Mov3OhFg`85i%C6?a;oOl3t1Ku zBOH*@t$5!AOL`P5G0JR9zenzrg|7jv% zeF0D-0_0v7sRG{H0-5Bq{N^mripV+sUx9Xj0wy`9!GXy_Phc#1Fc%|karmO|_-w=c zVE#un3?f;UV7?=(BvD>i<42#yJT0DdOI#o+9-Vwx?nT6R6bOgAwM!xRGHO!MX$ME@ zrIgh=I)=y6!8(M|IAzA@af}JCf)MFSgAOZDv$-&P@V%R;zzj3!L88#JUO<3A02=B1w-ET{!vqQ zq~xfaUS%OoY1ZY3Lq#yUo7#`*xRdlvt9Ul%z0d!SWspbo5B z4%E>G7=d&v$tzE73VrZ>E3ztFki=xcIz#2R#mi4jc(LiWhbbDP?|8Ii!aC5W?f>8~ z7`hN6F(YJ+zBpVpO?5R#?#y)`waq6CGlkI?o+{)fnIp9bYsjvQ({)vsG%rkr+R^QC zPCqs{`72-Fzoof(b6^c+{pd;SnG}Hq!Izmt(9A^+cdiC`HP`JAu%-v3(7@ynVZyA@sUY zI#*39-z7rX89qEVHB|SiCAz$ppku=F&ZSn|j#i`rkI?rjKP~7g-qTMBMtVtMsLf00 z6$WNlc^au*DSdEG#9DG%W{>tQs=!(B%_vCu9PQF|jb?5YFA_$YOh550LfFi01kOQ# zXWZn>s09tm~^rR4z0+h9Vaaw6)=g-a7oVDQvp?# zlR>T#ZV)u$=w1D%`5F>c!zm!_XJKYoH>*Rvvt(34`P#esA>VHD(hne;t$#`NXafxv z*e-3rLFOMvnsDh?Zf_Z4_QffohbXO^eO62!2bKX5mMEWbSB~`28h+QSIox;Yw_{7a zJ0YoSTRR1fS(4C!QSp2&?~$L+%6X5&j>4PG4+&dKa^6Ctg@Yjms3&#}cz!$BSLQ7`jlOm?@4 z=|%OJX)zFo_R+-YKxriJo)+WI;SOvTYrZ(IEIK$WJB6L7ki?UJ77}Qx4sEA3-o^)& zAd=7M%-;@x^hHm#$)!z`@*jFm9j!z18ywfZhnIb%@2Jm3zKiG0ccf|da6*W$J>|C+ zHV8B4jf-LN>GPJdFI-!E1{o(S$yQ$kknHwbE{ck3Lcuk6DE-&lZwy+i?y#s_{k424 zL|(XT4Ev#hV)@PXH=h4ngDSUf`4A=K;Bz9z(ria?7=Lgr<(jikv>kj&E~d|JGg`7{#$D(aQkOs$ECpOAXBTH#u& zvT+Xq%t2=R6gN|u;^$%enG8ciPPReL~4S!fBA&_@$BCInzIlj zzAR3G1##;0{d}9rJ-+?pLoVmxDHqGlEXdxHWJ)YGzA+-)WW&a*=s*M|r;)U2>38p( z_^t^7ZZ#ukD#vh3*T`q48g|5U#^6@Dtn)$&JCuJY$Nj z0{^-<*hA5IE9k@Lkv??N=oohSt^=CFwTI@A>*KMTdjC#0;va`gI?$ag(jg?%#^5s| zC;7Pkreqfv8KK9SQINeRU9ETvLX$ZhHuoTv|DEmXCR>M^W04^Sj-^L0Ki{)Wa=%A26c&}Nr;uEi3;aH}%dsz2NQk`u z-3uV5mlOxAqW}dmTaVYio6@vG+612_z%2bProoXyFJDd|VHpWS7qp$Hzn}D|e+DwG z|7YFJM~+$#)T(}b@AlH6$(~?PYp6@w*f843D#Fv`Fj3E8IR&K(M4S1``G~@rFk4?O z+#ve1aYo28)iqj&G$L%zN9+?Aws~rY;X6{QM_n}P?@8`g%&EdFLsE(O-i#Ukez>iT z9)fnBfw5TpLtUdTi^9tqZ(2}1!YO|WW%j~FDHnEJ%^Tc5?zp6oITX!n2OHign0Q_C zeIzv1?ltW!rABt%+YeDZCg+D&|5c*XScK0jLpO7-fx;&r7xRFkuYOlVD@jE4o|*Cp 
zX_-xQr&OvngaU-V-u?HKB=j#ZK-Q{z+8sVK_F?u7!3J=tH2S83kxqLB}Z?Wyt7PIq?7zb!s@rM zwd+$^jAHrm(3iVJ#x0R8(W98vC!&Z7tIM{Ugu*F7RgJi9=Pjg8LHb{&m2+e4j0y!B zkU`GBCzJg?zMr;t9w6OaAa`LQCHi_@@epJELXl*g|qPZ2sr;|`&0e7!=sx^)X zKDc>A*7L+g;wo10{0&>B8xmA@Fly^9d!9)c<_s5fTt+NfjH9ouxf-mCVCW8-yLsA0 zned?%&xjvwMVM*ICYPZn8_QCYq{0bGmE@F5o5XR!QIe{;Jego(M8RQ`wb=h9oZyoi z76J*=BHDkvNzFfBWGf@#lLs-@J2xH0ST-#7LWR!L&14%cH>D z*=Qp1-<_Sph=Qf-a@wv|WBw$_SdJG(3}EnT^H%Y^S+LAFMd1Bb?zQ_U-gTJ`38mk? zSHHJCxfFZhXWB6EcVC_fGUYC?@kq8`q_u~Rh64Cx(>ASXwS(qZJTk00yvo<5f z5~^D-P4fq8GE_{9+|H!QZ^R-7UMOko%24Q{(-kYsR(pJzS!@H9PI% zPTs4(5!b?ZYw^a@6Oa2(6hwPMujM+sQRF{ouA@>N@&CX&r1H2?mThxCi#*Js!DgIG zzM+wkeQ|1wK*#HCe<68p%%L~6rCIpWWcL?Enojxb``tIPm6qyo>9aiPnwTluG z(k;>@NJw{xz@k)A0qK@Tx=V6Nr%0!Obc1wAw{*8ONJz(?3xDtXz2CRbx%N5xKQ3iG z>v`s!;~w|8?=c?uI?U~}vTbGmSBPDMj$b2UXU zf(vb!@SzwODv^iuJ_$gkDen39jr_N0_QwY;)ZcLDXfaZvHF?o~IAs$D9h3XeKlo&5 zkTJy8@+sy0S`l;CaOLT+`v|6x4}PnA7)5~`Q>-x1QunvYQ4k*cM)Y7beJK-2@s;iv*6srskI z5(xZ%vy;=ood$DW|7MR+ucLnSO7*?_sVr26cgXXcyn0uNRuDPL!0OjkP_1kp)(Q(sx-}pX(Hli_eohc|X4nKjyvs6D;l9uFp;Y#bgcOW1u;^s*Fca@jx<_UNL+*qWxuAa`4?o2BT8c9d4!Tb3$hA;UC1&!}hJ zy4DWGicCLio`O1Y6OSz2blE`GBuV5{-&qcd@;h%3(H_6Zc>M_)yFT>6>Jj9PtRdT|L0q8%G+UMm{$i8$N$L%$m>ThD98f;O&N+wl9EUUy$1E@969=G2Ygi z(|n!Pp`x&VH;vFFI{Vp+V1cFS=mY!eC(QG%n^E>`X$KcV}0n=Yg+TWWG1}$x5uau(*5>zCHMZ=h5uR)pYw_ z$Z3BrKwDi}(V#Np@S584_BRf%_X%g}%SKFZ_XEl=qkQK<M0UnOejDTHBd z;j?Gk*3 z2nBf-LdpagbD?B$Rxpes&NS1Mh>{$jJy z9Hn`1-Z9jtK;Dw`2Icp7*Ma_Yfko+V>hs^7eMt*fanB_6elF^?orG1CW*YIO*5Ap! 
zo_C0=*Ph%9}kgc(8E_l%YD-s%~nhKGZ_|_iWp(IHkxs3*nW2%8;;z(TFGwN z)5KWZyxeW@FOIN%nuAv9I|AHJA3|kR+b{WbL-FBgd~XCI$d$ONuUDl2(0I&TFwydQ zIKP|@Gu0%wo7D9gr>533MWMT{vy0{NFs517w(EV^# zIHLM#=blVr|E&O>A&1tr_QSQ*H9MSq^M2?yRJ zFdv@o+_e_3ka*l32(h;gQ@9gFKnkqdHbFp=Q_!D6XBhfu@+WIw71qK#Gf=Ca} z`Ru}ca&FlB-LJ*^`(?x`tBH`VCYE%En*7u3P1#LqyfwN-!e&YF=V?BeyS#u@X2>+S(cqP&LIom3{63^M;*O@y2lnSbcl~Q#DI$5&RhQk{Wsii%Sa93jPa!TY(Vv48k*D^sAb~Ec ze~6>y6fttFgK^JX?2>wCq&9E3V3)l`1xMMC&K{H2q64Q(!QMb}q2J=#Psi=JM~Il&wT zUqqMd7ghZU^!fH^U#+nh*2$*BLVHH##vb2%2{u)=+jt zyDqMj#i~{YsOZa3@SZFWe^`v)@+YiDu{K;{! z-Q#lhgR$YRTa^977}w^8agfA(Y{8N#lEyl;wOI8P1g5i;Tp9Cxn}wj^VemRknE6 z@(F<%?qQ-oox|a8Dqo&@d4rBg*HlkDn&^Sd^{djoCG`;wD8bI3I1~sh;|J>&4(qq} zRBb4kpuDx+i?SOpk)M4FFVnx`4a)!iG~+91wAcHw174frUj4l%Q`x>^+eah9q|(=X)_eQh{2$!Q7V~K7$$klu-;tA-UZbGJPxk2&ye|CD>!Z$ipW5mlAV0~sGmjij(E(~6!<_vVfHLtE(KV% z)PTh~HD)HV34N zGX_|(UX2f@iBQt_KYbfjPE1%47eDdeBF>M8)8uHHITuMhzzEKODsWm2T^-Kc{qfT& z&oG^qaIwsKh%E7jjgt9P)SLWLo9kiCy!|7h+cT{`ESdfw+uz+Cx?%aA7&FYL;+6iT zxRZvFItYafrFIt-+@5>wfve2VB|jti(BrNaA1qG@SR``V+913Sl{xxdffJ==O&RZd zvUVzO(Q84Xs5(ydhK9!YQ8ImJ{@eY;AgwnHj4}Z1(iAB}v zQua&6tSS|Nd$&`17BxS$vqF8EiAN?F>4UWuOs-@vOFDm7uQTJnv4JIFggOMq;1hE? z(!V>?-pq@xYObn#*zM@Wnmqeqc${M>BOcj>@(yi1Ph3olXBV!Ld=+=2Ff4Z;dd|;d z(~UN}h0kw=IODE#HW`vxt4HkLbtiz$EZrQw%AmS58iU2nldhTK!M5P?o?MEh8)EEA zPZTcG8EngCdwj0HnM4+`iG#>}imdfi#4qcrMt_fiQeWGe&=Tw6j6aZB50_2H)tVde zq-#EO{vs;L1XX+R8nxNx`Hmx_M%^GD4NrXuUVkSlsq8EtxAMIJ1|R<2PuO0&Ndn15`@i?a6H6?O!m^(nJV3B~e+=`! 
zL!^mD)|=vy;4u14g;95DezHTcb$fs~N;F4a&^G^!Wpc5UEG})pR6F8O`t)V2iq>^_ zWE&06FU!SjD*vD@s@4bYl8>1hb_*m005FL?R#>I1@%|)xklN%D&>-t};`;lQ$NWD0 z++jCLcX8p544zlNe=f+D_*UxJC z_SJ^we_ENjEq`mgI&?@2X_l9(sXsi-HDTZS6@RF`uEU~j!}a-gn_5}%L%((%o&7Wlean7VB}xU6Q6wAX z)^1XK4>k!sELdINdMWX+sIu+Q<37v~yAC}oty$!5xNTcJ{AD7fsAwU6QMPx!GUeoP zhy^F>`Q|YaeGjX!*{+=KSZJ*2u8#|`LxZB& z3GM$Kr9VL7LUSr?Ux?1R3^sR=N%NsjNpfj6yINfy(&<}w5!fo9qwR5OYptsqS!n>Px9Hl`=VC+T zeJ>tF=jNG9t12SwLa0ZdVGWkQRMAOaFJuK{6Ze@QLX?7#T^+*Rw95mwesU(kUSped zOQ4k`z~^DgP~iW}jNwt4#M&I$OU=Wy@xBbz^mAzpe&!>T%sHS@_Z`sdvJ#?fE5lP5x ze(F1=mu28$!9{z+T{jlu53nNO;%f7Hryy&D9hXG5GIDfp?p&(A&8&uw+Tpl(wjK!x5FI-wGdr zo*9|xztr}Z@C7|D* z8nQ_ozrI4&1;j$?_mG(L=06E2+2=t`3K_YsUK>OaT;4v^JdBtb)gkRy61~KV9?mb$f+aotG-*W%*o7w zH-1SPCPf#+7*TSc{~S@VTVO?Em#IMgLsyHw5j~W2Y>6R^yFQ_ZSf3z61yzwtFIJs9 z_*H*Nrc8bQy?mo4iznz`uQPW60uL2yxF-@Cn^)Y5P~YyZGYO%2XMq+~;feX&;~0I7 zyZX1-J*hKbn6S;j8xPh#eiNdDcqz^XA3npfD`;d@{Zr@UnNwOd{4ka43li~$!h(It z3X>?d5Y*Ekv95U1sFL9w?%}#Gv~B~%F`(kldn{?}cwa6g&BKEUFuw&&qBB7B+^HzO z%=haSIBedWS&Uo-^OcDGjA@TLS&Or78J*d`O)BE`NOdLSl71poL@Gq3llmfC2GkE! 
z-AfDrVPB~3dfy6SxE>N0=G(l+Y#>Qn{Mq_P^3}0EnXp}%S%EpF->D9-VC_1ce^@Pr z-^ott*X0MQtc!lRqbRF2@oZN7O)GDV)Zt9=IQB0oephS%f|^Em__sd%Vr%6LXnMCC zMYAK7RE{Gaxt~ng`-nY8SdjJ!sE3Q**cSl#nO$?&#eLw6b>}D~U%!mWDUZT+3bVbQ zy2XOE5cgBM*vy`Nq;({m`(JKU*N7pnhEy7-ztbkV945>R$FoBJTFM)#IqWU@haYpY zxQea8*ENrp;t-n~ucngkC@9gcqcwnX3m^Y zQ3>GAK%)88{P`11&fa979CcBgeWR=%(T#&R#>7_Nl`12(z2<({$+g37AV$yB$5mzn z;ZzMx`jpg#EwQ-f0tq5cFXLMh-+D|o-;8M?dV#uQSD2udfn`3L=o?M4_DH2K z7F5Yn&wnR?9eVzZPBG|qeiop{m_f*X-wT&gXI@Mwv>}kd|GE8w#Kb4ELic0Y{*=!j zz2*&YiIz~R=)}H`(DIjax#@@yRZzI#Qhpd}FDprHKbJ>Kjahy47D{qM({$m5e#_%6 z7)a;*qEsHUN|$QJnH1V{#@cpQ?z}o+meSy~R#x+ih7zBWJXES;blM#%BUaZLNG1I4 zppqVl!hpr#eTU6E^%PE+c21XToNSV@3Zhln(uZJ{l=OE>@O>31dKHQp#fZx|QehuR z#nOFI#;2s2`R^2$>P1i9*{lnHb+u6SOuGwX?#3Ksx~f03(WKIl7#2?D)ml96DD3Z^ zT4+CGvLw5xlnWpI!o-JB_>`wjK5Fp?pbA7KDj>ITPO(w1(N};Er7ytvB=bobpLRJ{ z1uPg)I>~Us>y0T6>!W&XpjcvSU!}f+kOcOwQM$6MOfb5mdX14WFZckEeF;*$ETrXe zFP%SNH&TM0qHIg>;qrIY7f%j);&BH8vbH! zGQQAa+0^OlaDjJD^mtn0a;X8X>{pmkeo(5F@J*xkiGlD5#8v17B&*xm;fx8E~ z4j6dLQn|e0pKyGzc&=Y3)hKXayWY^9dBq8aK-dJ4UB7Lz1C*=&0F}8o zmz63fj-iNryxnw!EN{ zFXR=%GnCM%N(mhsoT}qTb_!~j>wy+0H|x&cpo##)GmU#k$>Y=Kv^)$71&m8=mKAy*}Z{yonm(ggD z{-NEEtou8;K*tvmRwOu3>SSAjc_r{52GhT?T%4`K!3OGVg;-sHC&!J#*mXiVLMzak z5aG0dlde~;_|NFI1UTTu$NAWv{uCrq=-k>qqbEE6lTNd+9&^7>V9Jr_oAd_z{bAM7 zC%nB(`v73Vcf_cpA-)-WfM9>Rfsx?wU%dbV68zr$xEBv#T**s=$DzUZ)f$%p4FWFN z(nclyvu`5E+UpJKa$~AD8;7>{lq0Jrc=QPmI6_rZ{kfAFmHB(D{s2#`5Mi;H9J4-^ zrp5#V2HA-bJc7>?f<;?#I3K-amHr+WI^lN_7MBhL0HtmPF?DWNZQ>olQDE(sAE?{; zD)+R&8k`|$-uM)hULEFv&Ibj9+o$2Xu|A{ zRDqDpQ^EULSL3YC=dOk3i!pe>n^j$q{S!55o)z4XQb8Gju3=z|T!5*l%<8q6XVQoJ zB&@13W3jZk%)l|Ep?Uny%E{>cqq@R+eHTzIR&mnNJV{J#okYRCK!&XlU`~dE55Py( zm{U`@9vGth0GO2h?oEj-0StnTH{zFz<9Pvw_)Aq_Dl|9G8f(iMi=5n8!=PZsHZ z{HPB=tOff{L(79@hz#SsYjG6y#_4}~$G+PZbF7MenYcO01`Y#_ZYuyL8jx6k4+p)c z+HPPKQth5gJ9s#-gM)8$KaDK=+668LTLEk?D!kjXCJ+7KP2y}Dt~8yXpG-P=R5a@_ zm{n3#_QN+RxL?d^_sRzW##QnbK%dVl9dpH0(u{k4W_Z7vZ}Z>{UDdE$;bp}`a^AW) z4dVDCZ5hje;Gx5U?eLf1FC0SA?oS>aJq^wtLUP($tA3`Icp-UEIYObEcwiQ;d>a`= 
zfL`^~@6*Hs?TN4SQf&%-9rNGJBKluS%cO%m@DKQN2sU!v(-l}InSXPsr}z>Ey`Z=W(X zQ+d<--dS%n6(L#J86K;c__c%N7!zT%Pylt-2Qs>?-kRgid_S2zqAiEF4zEDpjCnzL zaxo-gP#@gHMPV_=-tQ$jGw^e3`s7MXZZW8~2=;rNomWzjCaDEkUN{hdr`Ct<#jKuG zJyk8g2s8CA-!P()<(l}y6upC)74EL0%;0cbf62-(WcR>*10Hx{0SqnTuKovRPjggd#w-?Jr(Yb)AlkypK_`qCnJ*;#7HKKWoR6<^7foLt*nb;Icq!u@c8|i zrlAnoA}@IqbyJn;Jot32aiz8cM#<@*?+(smga3-{?5ZQW^a)dBlT|9aw7S5F`HbP{ z4rxacoJ-V~G!f}lKLe)_Fdvj98u&Ud6}M&4%uJ57WO7n6Qb6Cz&}JzQj% zH=1}?Z^mxjn-|9z)i4v(J33Y|O+Mwk+t61Blo5`bL~Hq6Ud_XJ*{99JOM@;tS@sS< zAlC_dV}}z}0%Flfzj|s3E`2m#Qkt43p`R>{1$^z~%Jnd$7k4p`)CfeBXo-ew*5`W_ zY5%x?l~{;s!Hiar^9N-V_3eJBG}__6`v9~fk{M`@-oqgJ`LrDY;Dh@KpSP>6Iyzz8|Yt&o0Cq?Ei>dD1%+kYL?FY74LzNpORS$AmT^rjd(Pr=eHIx z=w49p3jpsYQ3negkk7*`8>4Wg=gAs)8VrsSlmIXUWtK20%&TT#B&YRc+%Puh{@Pp9iM%kVE{Vguw6m`o<<#uJc zCm*{$L4Rp(vtn5VjA5)9(YL7snvCE~we z1n!%L@9_i!k+xu^y#_u$1vFeq44}U9=Vy1duvkoUYU+hzE~dbM3ahIlU{c!^Sc7@R zT%dS{LS@Kc2usL=`LuxdURO|7pGD2;*{*!=;AZlgVn*ejHtia5FwvNcq`)Q}VdU-i zXg>SBkpqBX#MH^lQqpSj-qm;Z6!U|2&%!YOUBwQasz(Z_aRJEuKiNhif-SWS_^h(f3RAm%Psk6)~2Wy--*2gEas=;pJ4kU!lxAl9J*n*sVTd zrmK19po`q*cLM`$a~|08EVtf5*MvO*S%xY3e#=102O2c%f1{{Yen`@2OyH}`%U~*f zxw#IQ(5G31kzAURQnc^6E}Spcn6Xlr{+3r_FlC7p#&T&gUx_0)ZZ3*w0DRuO8GGl_ zMHTP(Bu;8-*9k^%2fUx*6Y>C65YpQPE@q(i9~zKHABWLKJji_6@6K3eXg~}pghXI< zHuN;YR#mD1R2WH^1OIdO`W4|l6)Mw2F)(VD2N29Sk;mQS z4He$%-a@;+*dqu3l+kL`(SCQ?X{@d7hvXC_5eUhKfKN)=z_Ee%;T(aJ0)fO2=;nS@ zUA<;DV&8z$n@^x02Y!N;GOvk*dJDq9MgAc@!6oW6G)GpjKzFhSuR%{MXWZcilr4FJ zt|Nfv>#N$o!DB{g-ZJ%38|;OzSV=2`LKrM1Sg&LiXu;lUk^SJF9|KJ)0JM5#(SGvy zaq4HH@BD*?k+pI<@n7CCvC(U(Yz$h;a}3Q}+bnSApBG5L68-@!fxV6P$6AJG-JwW` z3y*w}g7K+4es74mBTyt44lZJz69=vo)PScODbjDD@b>g42yh;?hwNy5=23W*AA2O~ z5#V&xo3QCa2q#a&+S6l+$HtNlFCU@6!EqJuh5wksSxe1t*-p8D^9i!v#!gWU>qiWj ziqi~rLY`L`wJn}Z+UV!+i}h_gWgiIex=Xc@ss8$R6c{TZ@YRnif*Zz6zCqreH@jX1;klp)ro>naoU z=7+hMSYg2}O^k@(J|bKz^SnGYzKGYQLN&yi*aYIa<4YMyKjGjC zoReQzi+%4p>lxqi=^llh5y*q9_Vm@hux>SfKgZi0u5O?oVT+%cWOGNPIDE!A}Dcs2>!EJ~@ zj*v78?eHQt2W~uTG^{7F!(7^>R21$-meNgS(Tlr~w6Cr3UZOXzpUA@b01?T}0WGNc 
z_UCsoKwB%#c{1DCFlDx8I38ezO{5`z%cI-MwYvE-kUn{R!j+=BYM0hFyXAeU9*?yL zO0t|tQV*4@UmiFuDHE%`&I4c!4SKXX`aLvq-kdptfqo|&bH4oI(lPcNd2Nvr9I zQeGJ7Y|&fE($(8pc`UzEe%v=)VNVQ{frRL&67~8Wy5g767akx3Kh0Kz8C@r#)(z}Z z6fn96?WU#2l5Yvcl?7qu`h+(Fa3W+`1YZm<)}2%jX9gwn|AeBal^ z#jmN#{D$U8(yw^?cgV;jB(((wOMAsJq5~nI#;$SjWGxT>%wO~n`*Z^&^Z{VdKvD^T zc;gy#1pwV2u8~N$iCq$=N?eo}XJ+QKn#s8ciJW*PW5pEDMI3A3yW+t(?@=Ohtct+h z3LVWlKd32#Nj9>aK(NDvWmr<;Jo-3v-+n;-QSjtoLB|0jlStD+w^PCX7*G2XgLQpk znmc6e59}m@10wk{-exiYl8vfuD1k#!=&Vrz{I3KQG~>TqzGx(rHrJIS_J;*{3&hD) zz4pYD&cJJfWzNhr_j@ufAbLt~UIgyfKw3U(lXz|QTu!>2I2O+jbUlHUi%Ob%&Wg0v zGXj2Q{5O8d6X>=S^qm2Geo!#*vEOp?(J#Jxz2P2<%?+~q0$9LScZ_hw!RoX+&cB)N zzreMdIqc;Q-CxC`C^~Y&cMA`MyOdm`EDT2PS-F!}#>&zmXRPj$!xx8jV8#PgXU#Ub zC)KFTL4tKV?6WH0*Rg6ht?os%mX8f@GziYk=J6xDyAt}}e;H5(ubPC)JVvk5-66vD zaO`*v7LsD}WNS0WA7a&)O8bO(*w2{|$MxmVpuUS2>wz%U;k6@4!!>w0KcFLx=e9%( z>Nez=?TH_jVF*m8$Y98H#N(%I0Fh4T^#L4-;5eXyzi#ghM*X1|&=3eDDQym$rA4n8 z5CpTS*z4R2s?}6RH;+z7Ji7+lEvpWF0`ne%Oy Ib?t1vtZyK$~SgG@1SY9!L5bn;Y9o7r*Lt!YRhF8;uFio zNR!4o56T=9hxTEevdpYV>{T*wGIbu}g6aSi1c2FWo(#g&I}QA`gP@&tznIHuVwWlgx(;OLO6*VkBW_ z;uYUo=EUZ;N8O5eRv!}Pr)1aPIo#Rwc5u|LM6jS5sv++RBE<$3FvR-kI%rY9@0RQS z%%YH-wT0s3f_%9YHvQXkK60MQ;4B|#z^c`159m&q|K9P}A@d+Jsb^5Xw*`KscA$NdX-JZC zl7 zZ^=UgJFfxPz^A-H(0nvxszOvh|1oBRwblyW<%lBs!4GK^iGxWG_g_FU)3)w1EpJoE z@|Bu*XrEbzLwm`ZK4MwFQn&^NYZF~T*VC8O5lkR_TECP$(S-31LH}dF&M`|)syKYL`LF!@63;jFC^qqU4Esc_@6`#FF>V7O)E1dTHb7Rt32BxJ z3vpHNsc{U$Y)!%r6PHOJ%o^glt9mWW;jR~xmB}`iWOK%>X>(n;BZ)1W0Fusmm*-@r ziN`tNhtoqogvwHv#iny} zV_G=lhM*;#FsHwDsbxei0u<3GgPV(@y?Z$_yH-)yc6PjIM#^{~j?c5Z=B<{E*Wvu* z`=gJqHF3{Ni??RCLG@mIejzK6e3M#n+^1K~-#lt_T1!CZjAn6kz@#zqgMNMKdNBI| z2>uJEzK3KUt2&lKT1Y`mWQSbwdTmwO0+iT2@Bc#=G&^qM`VU=DJK}wli3XD|B6w95 zj}_?D&b608d;!C79xZ4xEXktPvLd(=yDQU$EQY-f3@NK$lb_(~_Po-uylEoC^3NO% zD=}Qjv-W6@nFXrqz-x9fx&-Zh~loyE0;J3;H09bc2gU{DxD3I!l-X-{N7 zsoLn>hYY;q^v;IaJ_DxZE0syojsXG4)SSr-8&<8hRV1oO4Ua|{p4Xuru+(CW=ode7 zoy;5ecy{TtqKC*jMm%5L2>yznrBhj34kQqz0=LKpG}UF*X8*LBMgNfNEHDMlt2#%c 
zRo@kIqIh3`d7m*3txlEKylt>~z1)d-AJ97WT72OyX1Jy^!M1C8d&1MSSdM%ljg^tv zKtdEmRJTOz&w%k_r8H@z-r2;|yD==0t@J3vL{aaLM2)DCfx*EW{_~#2GUq$}F>a^M zmS&drC4L^oX5<127c_<OgXnm=MZJKEtCq%1kZZ2~;^qyg$m0tz23-4BOL3mx_W)fCWTg{cCgw zCLrJvn&XfMczmfp0LnGmy+r$FJ&#Xg3VKQ>jfD1jKIG1d&4*BIll_qLi*VT^2YJ#8 zsaR_-3|-d6K#~GPp9iw5C{;#MhJR!U_JlrV-Z0y;-wb`ZzG6hZyQp;Zax?XssvdX1 za;1FkQ{o)2o$M<)?vV1ejKnzUE|Bf>9wg=Fr_r-t=txfoHG)?TnkCmI4)jfHbSd?! zXuuQY6e3`3k?&OEYFlu(FT-sJ(V4ed4Hb3W%RfNn3JyVQD>8HgwDUpSOL1kbyuP~W zRb?EbB@TR^qI@ndwB0R4RB48{2g5;h z@0fDrx6m6$z3qgy&xHL{`l`Vn^^&wn6XNjLc5v7tfDbeB`^HV$#dm{0+cYTVIB|Sl zuFdlPhLv2DoT7k7^dyO#JxwRPun-+}_cLFD$$brq-~xRgC# zwp=|CJZq{N8cBfIs@sjzGUOY%AU%T^CR{bm+c;fwx_VlMPaO0j6fuELKx61;7J)fE zxS(+$WbV&TwWkG6i*1f;ni`xuT{GGYN{V)3IgquGO9xPY2!$6i3>km}Sq8KL)dPNN z!N3SJ$n-Cy^OfU9QwKO7@;^ap)OX3>ks_)xg%6fGy3E{Za^4)*xXLa!j!<8(bZ;ER zNb8wpO3j-+U1`_yOqNk}Cij2m`Nlif*V_h_b#UP)T*y|JAIsSImkCKvn{9;Xww}4s`;x zv5bZ8iF8f%=B`#pxG|;8*r>qHc~V701o9*Q1h9f!)$O2hB_&`)Hv(5eWnY z{V>n6`$;&s-5>ranY7YUbqNntx?fc zoDEWp+LzGM>tFhK*Vl+6(Wxab3#^pp73LCS<{1CF7(;L36SSdWi-g_yFc-rll%82W zehgHJ4}hOhGwE?q&dS4q=cQ2vbJPD(TVMx~!rcU=NyGzK8b`J;Z=5(~LEYiOV%GjA zvAZ)t?pFU*}0!88uPVAaa# z3uX81#Lw>b(N}XKUn4+-1b4!m5N4p;y;7xU5ki*=2^Y6Yo;L3)ACQK1u;<=8BF*mZ zn>Q|{ubO#)T+x?Es2P!=tL(lICZkrEF@jbwuwNIMN61f;DDy2F?wr(%*IXP8vRfI? 
z&dEa--5$K1f?oE1Z#ie<FfW`N@~^Bo6a~O1J9quAM%kk0Z-%;=O-u;QQ<)Mkbe8C1^ z`e@XBZ{o5R#W(7kly`t@Gro=w$cgXx}J zfXtGSv%t>ov-=q>;DyPwQq(bGf?)$tt@;8Y4!Au)6Av<2LI!TlaEW{DCb3mu{>|Ia z6lX4)N<2M5Uy)a-;?`Si()bo`q0-9!Xg-+hnmX+nKXaOFcJrniQAuwb;rb{WAJ2yO zd2@(?n@YUx8G(j4G{J2(H5^ZQc3=^|iBG-{$z1o`U^X!uB=%4BF}`>XbY_qXp_{!nvO3WL(*}NsKJtAzu^yGE11?yTkLEwB=%)Er{WdIg zug8Bs=Zx6K4VNyyaaypk$|Q~NFB0He>$`CS?u#<8mMsi9!YcugJ$^3JdZ%8VWo(&kVDgju~rNo!b2xw z``d7~_&xFV2*fP#x){nv;+mWF17fE=8wY5(k31qA$vIM2hG&Uv?d91k+pDazj5m=j znn-cc6_~D|?wKmheF00Pmj;?mutZt}+E<7cy^DZ6JbYzVdf!x@*^Z%DaNh``*SLdw z3{)~7AX_HjMX|jMMwh&|VUH-03hw^Z3jo8f?5AEb=brQw*Ehz(kQkpPY%9sd_vmz+ z2GTS))lo9d$xjn;Yi|c`Y`!DApzn;`q;@slc`e9x5dOmW;{Wa7bzQP_WD>B@Ge<1j zr{E9oTaq_KFR|_|a=&g9*np$F6c(Oqk~2{#P+l9}z50cd1{wqtenyt`4zfvfb-#dA z9)rdT4`R0O(Xfsu_V;=X;IY=|K?;_9*>Eh7`TxP70+E;chCZ^(v-J5R>7loPKt2!u zA6AvDLb#OH+sM&Gn5FHYBr&FH+$i$ufBIA?8kMNaz^Q{6TV(-tT@7Y}0J#h1AhjloHuWTPOn9qbK8*nEU$y>m5IPLB+Cg2=hlhMFp8<;IH z!+W(oEC^ih=%ub@ADBG_?O%G%{5Hjz3&!)b706UTL4(~N=r1}q8<)2LSU?3VY#6SC z8C)1414tIJ`V}j>D9P1f;@lvAJ$iab83qp*G~vc2AeYNI7n3wDhe@y0vYTS zSZk~nXs;}ANwTHWMTercdSN!4peT*n>OjAc?vT=u_H{7~3 zq=X20ru4zmzpOPh9ZMt~J>2@wsR4}^W%9{39(+ZdJvkna@wk1={ls_`CJ`B99&oAi zI`-Yn@Ke)-Fo4Gk)Hd<|F20Fh?C=cd3D_e1m9qYA(~sxxZO%&4y8aZ0dl5glhx>?h zIot*E{9tVB_$dpM^Xw_ib%O|b=hobPwaq}Mp~0iO?_|{UUXIJF`bW_GXBuShzWL-% zgC2G+mRn(j?f6<-OY@^}M7*F3(bdtQ;TbinrPLbiFXaS+KBinA@LF4X@M^QMYBN$aVB9^?c#Vh`$fvh4FB>;#G4U8_UG>0>+V~%Soy|)O&dW}a z7-ZCSzVN+<1<3mfAwA1VK;gy={x-t^^DJABvT(yx6}%HZpFse$Ka>M<5!#Pf{6UtM z#u(N=3kG}SEkNfY$WmHB+z0hF;F)@tzhP~CdczjKd)};qs0m0q-(-q?I|0kJ`*<4&QJ|m7w3GrlrPFL6QJbM`Wk(pM z@4gBffwe0raA{gTE%+rIPnSAv-VT_d_5|i0A$nulu_3d0Jx=ERFhWV&F|rI>BZG=GIyto7LtF-Bma*E-S@NBX%`AzyB$;;nfcE`Ff>BGDI$S(cHR$y&ELbIMTcscuyC^fRHPWHu_Q40>Y#o(6)yzyAxSt)9w7 zO0lo6-QLqb+&C5%j)*>65YV@#KTADp*swC*WA`^Lr%0O`pP@z_DI^z)Z=X}BRu{sc zemY5VZnVB^-qpcitXw>LBZn}5cw`YoohTp+K@WLXwTkhIFQw9nSR9I6?jncau3+?5 zpmTH_{)4kLx+EQBH2Sl;=^l>1>4fi%maB_aY*jlB0)soLY6Hi@j6Rg!`qX#8XhUt@ 
zx_fj$XQm$N_IOmtUr$u+-`~*P%SO$mc6st}L@Qaok5;I8J3r-3x$HNbIFh?Iwh1gT z==*{B>F|BrrU@(wD9M$>AbUc~qd!M0A|mVd3S+Nq6R=X6wtL;Fw_o9nw9(KYh(Ik@ z&A_VSVA65^KyM~eIe=@XrA`?@dGm}Q3P&9EFy42?E<7!!M^WGN>$;%Mje$wk>a_-c zhAJZwREAsfV2A{oTi^$tV_*(F?MKA`lB{t5qTg^=Epe>eqYv%1=wxT zTP*KV-{0$=!=>@Ul~*%t8B!Lyf1PhL{PLcQmQngPfq?rd=P7p!IjP+ERuXnR<;vzX z3s^#b97o!}J7>GtEklts)iI-wI`Xum`mDkURUDO?{^cNlOGZurxnFmCyAvO0~cXT;fKV2(& ze`zDD$TUjo{(OlYqJHm%nb-R}c3_xDL3%hsn8fwkh+{}zw-lqHHttgQido0&ByP@+ur#}xRlA?ea_hVnVT zqHR=pgYm>s^XG zZZEmD#XSrEy;tkuTr4-*`O5yLtiL=PlfqDpDtM^3xBIHP3dwzO1~hVU*nWv}bc4J4 zSQM5R)ag|0q-E+O#7p8T{3z$9QXnexXFdaXy#p5YRLM4Bi1^zl!(B)wC<#9Ze?4j5 z0xwni(veSY@~&(>PKfsz1Pa}{txsYk>r zqY2eADV*rDW1`*|{R1)jxQ6aQ?5;Moe^;4Nf@TwMTYLRW;WZwo{VNs_Vsaq`Sw&S6 zIGO6N2D>*_b+I&IXvQ>dx3d@zejNGXDQLpKu&<)?>rW5gh4m29_GCtL==i9J5+mBnqPwZ# zLrRq41i|Ak1O1-_a zzojx0`hxQ#+xC8df>DJy^{t}YwkE|V%&$A= z3@*ogHEO3cg$PDM8$~VBt0YWu zI(JospC9Qw7cFSdv&(8f5BehDNGBpx-MZM0TU87#90NJJAynb{c`*6b1=+2Kpdp#( zG?zE3^-B?*xg2H%uN!(pVGB1rqzzvEyq&{nzMoOISF^%LEf$4>nt?NXfy7;YyCN3r z%A3shFk|n*B-x=M&frw$^b{nCQjjD(1yR^Jd8cMFP)F!sxX^HDBMMd>QZdfkl9J0H z4LcB}BYDK5LfJF6w1$4Rl`(Q{{$_`=39%M`RKmYIzs&}qfFP3l{E9)BL5(g0rRjUz z_>j}D%Rd)hMdF)N76hX?3QLD#_~+*kflq0|Lv2CM9DL;zX8J1VGk-{Xhd=-6c|RGk z|65op!Y#n1=$TlS&T7aI#qu@n$GKSMYYXzC)_yWdI|&Uy`2Yz7u)? 
zQYeugJF!4qqUK(07rj&Kxa=u5PR^gbF+BI#{2kPKf49|jdQzR>I?cK*Bd$$c?d}C~ z>0uHv+r|I}itii`J$b4YpDwrLn!a2}D!p@#@EKg;~V8aul%`{Sbu8)vQY zYQC7Y)(G_d&LH((;w^Rs&Wb`sE=0|pODkvejjE30dLRy8!PKeO->h=}-Lgr;Ihl`Q z+hR}ghg@;(>#p{LLX*+!o(U{TZv7#-kRqr4Z(~{>!eqA2)fF#5DxYyZL3q}foaFRM z#qjZ0W8_eu-UY&V^Nlltxi0U)Z-+$C0r9t9hUd<6=%Jgt!GE^PnHdN{2DP*ro0{gf zoFt|8|5IsG)-_VR4RLU&Wos0CnPy7;TAkk=dLP`(qa@wE%++A&#-^q=;{SmN{L|$l z2{Mr+z-u7*6TJY0g6Nw#B@U^C+pu}`y0r#Y2p`o>*Buo2UUHO2(PxN(q%D4$*3doZ z@9;M;XR*H8p0=$sbvd9NW@`Q~&fYRAuBLnQPC|kuSb*RV+}%CF-CcvbySrO(cXx-z zgA?4{-Q8*6J>2*6{O6rn^JzY^RfuaHkfUN-kW%IyP`n5>uExKZ# zFu8+|>41-?fQl`$=JH}r-Tlr_EX-?+_>OTrKDlXy#BG_cJL zuHf)fklZ-oSPo0P0>E|5(Uo&JwK4*HOw=aH0l;JcrtK$V2S}w8Hu)1!bam%U12-~j zrJJze=BCQcRb62zf4v(BS~lLP1K1no3V@*c4%3&ER#zJ=w%Y3T&O&3FtdF5a%5rN@ zdTo8-pmDO$j~4eO9o=#4iV9HHTT{!uf>8e!##IH2LUg@tJ~{8(tep_vqGPP%nMm<8 zN>|!uEQ2cO_+xej@lfGVvh(2_=Ck6SX`tJ2$!3n91wuyI=Pb%lT7+h51^$AC6m8tZZ4~^`8(MM>3((}ui+ODwWZ~I;?z^Fr*60Kt1{If z!+2%4v)naQNLX*t=fUVIxW7X8JGi39hqg03ke;C$UZzY|K=1Opa+Fi=n3>sk8I*VC7O(l zbH2*tMgN~U54ENyZKySqipnu>Hm)$mAst*Ifs69I}wo`zM#cc}s4(cDd*0-g2YsA`kTQO}-4ZiHJma)4vO?KF^Cw=%z=#&m9T2 z9rasgfn{mIGqnKfYxlVEon z){EC;$DI+-p@t*>{rRvfZn3hc7kOb~$8dP^Sv50%Q1kQJf{Qcm3N?5X>ZwUi&9bCX z>STW~6dL-h4@A0Z)hHlj zY)qQZp@qDk=1{>i=DW%ov+;|{meGN@O;8$IKO`ny< z7#3K|b!xjqn^z=bf?ef=@P`qEWuZ$tS*?zK>p+$?ed3bv>Ip*9JV7YWIv5J}dJPgG z%{Q!87K_-MuWWMDeWDb1!@AVil`WXL>a20jNdBt1!9?S?^xgt3g3ZDpuLwlTN0#}fW9+mlCsTI>R6eFprm2BVK5bSC`hID` z!KpLLE&AQk_`?SZrj}bvWmRD8LeGr;ga|kC@l}=f9O^-WO0uw4yC;$5OBi)^_}smf zu}S8xQp*sz-1mMB!JEVKC`K6s4r>Uqj;pMTBz01aP$9v+drt&?fPeS;R zRqx@#i8?()wR?Qv(J;{xmpH$fq`f~X65=XwVs9jNUm-)n`t+}~)5F?)|AXsJKbw84 zZi(W~(pT;J1&Fp{=884jJ_5(q7a}}qmHw@42d}+|g;Hnt?KXE$r6AcIp`Z%{db>jr zS4VTdjvzu)O(fM~K%H^H$aFtP<(#}?2S3>Nu|3upy&x_h%6pqn#gle;#?mt{<0GS_ zE%{GW%{4_{udVGyLuu*FEHF&B)Az99>Ypue%+UeIner9(JWU*>5NI2_q;cM9U|r%< z6GsN=`H_3#D91R*v+uy}}pgo|cPo9-wZBwuEmlF+9Us0Q`atBiIiX^Ys zM+aP~J)~In`%Zpyo|v%PW98#z#%LQ4E;BGSS%uEWl;tPcDE=Hm*k3)kb1dA@u*JP+ 
zUcK?(Hn^cnh;G$P2JD!>3vL`#&Z|-k)RGTO>sP)3ktyk2AoOf&G=2CHn zT=$?JbG7*id9$W@%;` zt7*P&sZZGzYe0uYv@sy54+i*mr%{4j)hd2ZHKD#*QHk#DpK9(`JSvu78jCkVTZIt^ zV~G+hLZ9kA?3wKxyO`rFm}#vip9xi8k0v$V*n*Z}BWY>TNE7t78ev6;N1kKD=g4H;e32wYME-dD_HZGD>pk+0_no@+HJ zH)mK?E*F{p+9q4NY+nB22Gg`Z<*gv?cU+ko<`OAOtPkAro;kIjoj4{Fz`#_q<AcKk`wuxpvU&as^(c4qGu`8fTR&W4o7@G2pDnWt=q znb)l(p?jZwqQ@a`Y<+r4k%N0{#`8?9DM2<%P1;TK5to) zm+(3j-?X!3YqrIwt=va4e&hSCHRfe&y3BcjM&!(56{}ZMSXy4UjSb-5cM(3Umzq`gPP$ zxyiPl;F^@Z)e_A>=uZPO_i0PVA<=cF0-Mt_mfzFK&K@-yoqomkpA3wTH&-QgWE5*6 z?%0YN6m(fbO+TumDOmVX;PQdv`thgKlJZbTM>;EtTJV6d`HCA-Yaiob@}5Kkoh)|u zzV#TN`QWMU%xJy2Dm{>++3#Na{sg;bVSBfp^MVj-lp__g znrMZq%~R3Zw95t4X2oh4Wr40B_4Yl3#KFGUk>p81tmBxtVfU>JO(Z#5RrBs3bs-M{uCjP6Br z&wvnrHUonTK`bgBqTUcUWi%>pYTs2Z>6Jsm9at9?u~HxI~Ggkv8keG=oSMmt(I5u z+Ys(;^yUqVzMTEnCtKE7$iRt4dG80Up06lqIk+l4t4kR>jc18f;6{sM&KMC}SCYiA zdh{7bHn)2KJa%io#qObQlr-SW{6Q&Qx59-fNr3s%Po?x38?~FQ%e1`cz}D`Y0?bxMBsD;k>URPPfw#xDW{nl z7`@4}-J~1Hckj_|dh?FMazSU#*hk>fnE^bH&nSX3#;{5$oPM1H#na2C{nT2ifAU^* zKx`?wQfWGryfz)+>~sr>B)jI`$x|BSf^t&c%1uC=42L7`z5+3X4dw*r8QSy?gQMq zQ!mnIesJ}K)}}6)0iHJbZ?b$PgTbz`hT=O|(+D_p@qyKINa4vvM3*CIY_R&8!q~0X zxtXko!$r&5nURRSOau!{88@nBn`Pk$?FG?^me6I7F<<4_V*KgmKm}8HB*eioW!5HR z!MC#}wcPixBH9;ULUuHR+qX0yIZXaa-=|Oyb?8eLKsGAlJ=qbmdkpF(bUeMs@JD0; ztMaLF$YoTA>EUq)lcqtW zi}vZz_QYh_!$t;!oU7h1EMM~+xb@RWVrMBRvfbgn(8<163up#F&avQKs5E_gf^lhk5XZbJt74@`a)=_V!VWTn;jIxs?Fjl6%s2bwNcefo}h zvm4DrugL}ojyr7!^zOBn;pQM^;aEt2n>*-OIN|`%fvA@;z9pnkC?Iauyq7V*h&uEM zSr&*#=~(^vRPvtiu{H>#5Vd5|9gwR*#qy5A+}+nQW3?Q(cT^V8Yi^M5c`c;!il(pS z4qc}*clm6Qin@$fItv#?p?gb7%OR%G#UpL-SAy-V@zfe^g?|R5dws!|^)T6Sa?oW8 z+7_@1Y`uT)*DsZSweEKCy6^5O?h#~f;xdr0+dw+b8b!3XPs_%2Ai zt=G^;%HZLHsp7a-2Hi>Q0M>`=8VvNUUtN*4_3mo zxZNhHyIN*h{bneZ28Q3EGMce1zcifvebBM3)&6jP(uWMlIWFe9K&>P?e{;5vnl;Z5o zbs^OcN~n_P!3!ovWLY4vuA%wk-xV;@R_=eC&H8ZfrlD~DI@a-8kc?x;6e zN?NYDy*{!r6xi7w!4JkEHp7RP?>m^YX@%XjF2#4utgpF!$xwd%MR8hpZslW373Ryu zU8m$n;}eJc3H>B!yghY}8AdntcZfaoOJKQC1vub^ECgzbe(^fn?seQu-K^+?@f>S{ 
zMSr6;%M0|Qltb&SLZ`h8_;Z?)*Pn_Jb@t0E+(>X));wqfcRs`$-oqG+)0f5Pl(`I& zIg561eR2XX~MCoZhjR3zf${il7_34oK72dB0YCIbf9iH0N zjN#kF7TK#dcBYTgT0QNS$PeogjSu@lY%!k)2RND{GNs>S-uHr?tE4gQ-NKBXgKZL6 zGpon7;yD-NdpP(ebFQP+cRbud~~W34r!mipdq!;Uras3 zmagTEgbJUIo3E^Z6SLV>Hq2?0!zU{{k&;is+R(>qDjJ_so~>kVbJx~Bsn*#y3s2US z1tm5blb+vS^b`<329`T0o?gHJjvFsq`k{~ruRm(nqDtMLkY<=cmsZNC;fd+Rj-MSk zD;m;p%w-g(E-f#!f?YeL929)E_OV}xv7}%4x|&R`E##x+7}B)=P6$w^1Orz7=9t6s z9XEJy-7vc_tjvySOspT;Hq`G?@@<+1ya!1U8;_6$DYVt@*}L#U_H*pEw=rZ~>U*yO z^S{G3cy@xwQbF$Y@p5{{+NFY~ZYK+$kXbHpy86(5I~nrsAtTt~A0Qrxx{0W?MdX(5 zZQo$@ojJJ~{WkOLHJvjicb3HoIz3xTO1E*XHQ^+cME(_U>ofu8pTYV-1QfHOElpQtChmUkG0~t*l-hRuaF{bAeHNhvkOM+YgJW z&KXCUneNr&lb-uG)1`M5DdIyMnzr(_V!xU6j<4JPk7a(S$!Y=>*s%(u*Sj;D^>IEW z51c>TQQ@G1wT?kA=oP)nl368%B6AJv%cCDM`bHX9zZh~!+BIUwxqzc`gc_lw07NKS zNqK7DWO#b(OOLR`y~Q^jhk0COn{z_bdrbkjjzkP8K39 zlD%~_E(WH6Nf7g}sTD+@yJseAJcikzMA}3oeHd-krWSI13IChk54f7q^&8%16Os?(gyV#41z;ntI3nMS$dxuqNMd*H7c}oqgm$t} zIp1VNu=VIXd#^5|(GAV?K$YK*KY{d#PB+Rd758Jnw4t!0vYP+h_oAP;?=a6ba%9EF zD0&t;zbO|EIyvIuPA&Q(z14!eZ0e@Q7Y_pvDVD(yvgCi!zo_aL80vkwE7vsb{w*;Z z5Q>@-DsILlA$e=2i}83XY@hH{DfD+%sFz=l6L5R*kjL8ATAZH#km-;Goq!Xr>pzQz zd!(Na4$4Qcr)gbKqg|VFxk`Vpx>Rpd3qYW@9)@>j&8c?5xqpe1tD^*GDXJ37#n*a$!kd*PBo94Mlc) zCZ*XjcKH*9Gjk*jG^vl5tLDgL3c6)pn{aBKpR?QNP4grql9UNMx)eUHJn>Y*+w#+I zS2>!5pOMxhKxkL`=pIv&1+YC`agM5_Zl;$+{+J&$}xSkDB*f*G9|jtTf}va#}KuIha1)+_Ws!=^5slVP6Bmc zF3y5XR=!}f91>V$xIEq%cTAS6Vqe)Wrmoz1oyhRG=F`1+xqgpnxun4zIYw*G=)1m* zQMpx7o=Ki{4z3W(*oO0m71ZumuP=%teH4q{bW3VKTCVEooO%SL5%D+6E3N zDj^`6I##>EPc4_L;nn7%t)8nZBC3l*x1KjB;xAfAuTKcqn;p{9n@@`A)JvY(D_;1`&6^GwklV&K3pM(V}G||HF7R5}vRubu2>P zXHNFSVki{z?&dA^pqcEMpaZG?g%+2`Fh7!)V-{`ZYsoI9T*Je0$C=2ZrDEdShTT%+ zDSzHSf7;7sE@!Jx)4gJTr+De5+x=CQda?R;R-{>ooUsPt&a6{~k%era%W@MhcnwG=N`F7`qKcs>j+f0^% z^KH67mIX|4i`T|}g=XAR-*}VPk{PnZuKU;w4$K!j@0vF3HLrsbvjvfZi8HnY$C=vb zW{8ayKN*ud8)xy&derIWS|am>Fe#YtR0Vn~U-d&d4~N`Dr0x?W*T7;G#X;_R?=d<& 
z1m&`kQpa)cS*JfrL)g_#Wy!K$GG!ZIVmb&iy*re_eH{Bt72*+jl9+I{Y&V4Q;=<n}3zp%!fZ=FfX7!O`R$a(5kzATJWh?4+W)Er=8Xr_)`u;2mU%4chj8t_Z z5cPE0-zbFqmm;m@C8G2B_VOy>GdhE^?XR&fzK?rY8L_CocG^ps~I~rN@BB-hO zu(6ko)feUL*kUcV$Yn(`rD9|f3!NKr=|s30Bl9Y~*8NFJcei>Z74=t@}R9)yHsd-I`Gm&PJ#DDXR+C_()Cn=K&W`V(%BfffZp}h zEYa@jO!u4lU|8Y;L&7-~;jajVup3w%J`Gp$bsV!ni|(7P<@1=rcDDL>gON0*$tj;g z=PxE(`a*QCv68!4XUmji)*0Yf*yM&!=#l`plu&yLT%H1ZAoYXN>zJ8CtTtAJ*Tui} zE8(rh>2`u}Cc*xg5*=(qhUYxFYt1IluNDg?M{3t`YL>ij?~Ttf9=Pa(GJoBTqTN@V zvv3GEc1L3~Y$e(d@qB8D97D!1O%K)Xeo!=jz9mx}y(v;h;@E{()2!dn)Ql=E2Ryj* ziwfMxGn6$3>0{dJp-<2`%^o6yr_%GqlbeWkSV*i23v;{Nl?I%=y%ANiPE}|7dub25 zKNAYW3nMzX4GuWj8b}e&BB}rK$~hXWNn(M8d4&_ZYuT&7vYx~3vG7Rm=i>^jJ@@3k z#(b$mzs9c4b^!Y;F2kfgVy-Y`Z2gHudpO)r{3ztuJJj;2fdXeIQ66M(i?&C*o$Cyz zGqAE{W0A-1t;jh#PTx~%Q>TPFqO>I~0KtNj@vC#Kz3{H|NmTvvi(MgDgfsSe!X7(` zHJryPL!j_d-`7ssvw5iFad78S51T{lqO|eJB$wupNd0;X@2%sWb5(91QUXOnH)LZvCh8K3P95RaHl1gel+z@fC9cwjmGMalh z&q#c|pp7HLuxg@+I_|KA%WkN$j$=Jn-tYChVxzMn4^3waEq4r~NXWs*Un6q|aVy2n zpi$DA!@mz$au$kTiL5pvSSawua<_&jvP8$_Kup&K<3x^SCZ_u2a938l|5bvGU;zoO zjCsSv8Y6E92u;X4l4ta+y>!p6Mg4Ac!lhjPkmP7Itc{T75V^ty6f(LNvJX@1ePb>| zM_>aGS&i441O73bai%Bq(=JJ0U2hv7LFT{`*>2OpQ)x(MzfeJ;jTPQp*%@n|cw$0^ zB6Rc@fWCy28T+1nZ?3HsBn@Oms7ZZShU)g6gqF+5~ z|L%FF=IB-HZ<|Xv>WKrLdHsbu@UC}6Y-}@7oRh82Q+URYNz(?0YiCiw9tW7IUOeN4 zi}Zm1`5f@oEp&cJ4@5;<{L=iXaRumV15IQqqb+e-Xw-M7f&55@oMBI3`7oBYa;ZJK z;cs^I0>}uczEZ=R!_iFFkCX^&QrsBlV1ia9uhD3TwJHNQ9>{vE3ZIpI$5(sZC;KAc z?p|Kdt>K?#JmZ!t;mFga-hizRTTf{uSEhM3m#uH(el!r4_$6LmT!%M&yY)6+u%|SR zfM?2ZhUn|WFX6ck>h-^PP?xh4c2pV9@Ub2e5mSgBYY;tDN!_EH=AOwOq_1p*^zeNjCP0@E35Sy%TCTSpR=rQuaujE>zpf*MoOkw;A_&fnQ@X ziWC&d%O3byxJgB0LaVQjG}v`HY&kAGnR20nwlHVRX}Wfq!-C0+tDhYHeH|uUVhByX zd#!c+fk0i3kSw`(#xZw?4jN|^Cmy<7?OkUR9#XVa+N!q5-wDaQ_&dV;z@fz-t3GQ@ zd91!1;lcCg9ij0%fboSDWPQtH8!PSwYEcH5ROw8DWj z1dGCouk#~W`N}s4-RXX;4fv{PQ~<@;!CSKBaNj4GgzJNKmn<#G^Z`qxS^oEIpsn6OILsQ z#Bim4nB6>^Yfwb4lLfpy)PzpoSB_!OZRK-e*{@p^c_?EEuMzyX^NUJkp7v(6vh91! 
zDMUI4=GsCfZn2dE14GXj+ww83xvk-YwzE6+U$tEwMco-2FM?wVyj4PHE{bPP2HNr) z%Q_r{oDv-uzpJcVOpoim^4XlSw&I-jRZf_JBjQ+Jl+rU^q2g=5nY)NyOC;CI@yH^9 z2(&Rni1D9lG+OYUP6FJkch8jg!)Z8@{L#eB3GQC^oD!q+sG)5Q%hlz&BNYyFJg3lI zu35`3@G{N>x){ivJOCN0q2_SON+tbw*lN))WLws=4mxiN4k+cZ-`yb=So7a6dvdh**w)nbGn*gHEvDa%wKHWUpHT|d7PRRlEaRq`Tl?{*XZ-d{4|KxCkvRc% zeWivpqsB*#SoO1d?rRNt+&IyyG!LN5bt-gvzUs()*vwjJw>&h1>wR>i3{L%-JK#4H zH}psO;m(5+bW>}$Px*{vAw4}sdB1W(Uch@te8J9+t=aS&O_`<)-1EPcf=8633OeCFC5CCBm)dc>dL&rRciE8yL^b7{v;SlY0)GQq@CPo6F#YYP!- zJr6T?TLyi3voG>!UR34d^ux=SMcuP)e?AN$JtPBS@BSNFdA^^I zq6}A+Pr^)?;`y+4OCn9uJ45u*z8^7v}9{qYaH$MGdVS@yQ@gj5<26rqvY$e z6+viXVu2wvmtL|^H^d-8iwdYuPf~=?j*9~!UFM^>!NPOZ{mghdUJW}k=I2NB$0ho; zk!A8hWXvBLaEvh&9%?@K)-t|iz?z`l=%=$sCS+kf{+#8x4QwPhWdh`Rh2&tGxkLI7 zjx*P_$eV`tV@GCr6l&0nu(x(Q8#d|XIDOj3OUTdLbIuhmVUnedzttU+%lLVJJM2SE zZK0~Cb(2nWR|vV%I84dWHBO4j z&{7dWy~Jqw@Ku=`LnUeHkiPExWGOXf+cT*%S4rRb zIPzSP0PeBS*I+@-g56_zHaRdUz*BaBYUaKDVqvDjox>KS@X|T)d#^d8I;m^GN6egZ>o8pu0Fn(zQjusnRVVZy-R-2!5et&p7d`cH>=k2pK zfm~}UG1}=sS5UXr9ETE5OF1`jYEP4?I@N zHVKx&9G}iUDZ3t|I8N7)8R#<}&IeWH@YTTJxm-?^?wRr@m@=MHxqhcA1YLB0=0rVQ zFfMUgr}#|=CA8KgXtu0oElV*^BJeL-_J7I#mvIl#8TOzFM`Lu0 zpxHgD2LIvt;VH%vJQFRz2H`O#zh!DC!QZ#4@`6L5tX8o%L+i+3?Ku;&AD%|gx`HEH zTIP{RikbT)B&5V?XvD{10bV&bn+R8yW#Wq`4k;DKox3~QwI-vF9e?K()=>d!8X#&h z-crb-v-N4wiu^qMySY1-W)8`3d^Al5t%5Txf?5```kD!o0bUC zv(_In+&msfm@WBm$6te`tkUBFZq3o|>`>>Q^x_(lus6RzeFkO%o%?>)6)4$B!~}Qc z0U= zZVItV1=v*myjD=v;LG@pE|#Q#vQ?yIvxq0ykY;r?A|VA>Q*75cnu$k-(Ws=yI21Ac zeUn^bH%t%GYucMq$e8O=`dDLP{U4u_i$k>maG^*@T$+>w4*HErT-Uei4rT582MCk& zaHyA1fUZqt=NVkY4^I6tMOKO|sbwp~Q#iJ#x>Jvu+3DX{{VCiy%4^7HDxaBmUS*)^ zhF3m1$nxh>2DjBbo0LlMrhjb<1ne)Wp{%T`8im?~<GEt{Utz9=P;b+Pzq<3knsP3?KU45n*BkvEF3RcmK(0O$fGke_1TaXyH3bgyOZuU0 zYB4Vrh_T{e@GY%?A z-;Ymb5dqHQpy+{R)yDfP7X1w$e0v)BvVf(EyXO&D8(!ESp`%BX+nPLz zA*t&hfAR%$a5~ZiHD#LD0#i+OG+W}1A9XtCs$c`s^I)h$Tl6=w4H9s@Jex>B=%XLn%tr#KvssGYFEeXk)I zFgMPGHjm`s=-9%`(a&YRrCf22NO(GF)oRGK`D|zK?I-rXNAua75vxUA^-ItnDAZj{ 
zuq2Q3vWYyvSOEb`3)iEyDAF$ekvQEp4UBRb9%*|EYWa#3+Dfq-zm6M>xy`iw|1(I^-vQ?hYNwv ziEoTostHRC1PZl+;5y>yO*v|(sH#oBMh~}~OfcpcvsJap%{SX2nphw~sexCVER?VA zWq1GjeCiT@`+np;Q0D(kQSy5oSoz>wXyj3N3C>(2?X23nijQ?`99u_faICa%98e>p zz4VUPW5IRnY#jFJBMR8%rrhClua)!Zj^TB+-X*9y+|3FX*(F`eX&W7p7D{zqPzn5mP!Cu_0d_p zg%p1{-$I-eS(23N2;du!m9OGqPM= zhX;n1R7^WZJ!KU3&Fm%xhOb<{!iSonq!+de?-j>?f%ZswLgV(>S~G*R8xn>pY9Q%# z_<+otE;I6-d37uCa{B&ot1ZD-^ADo#DF&Z}1$?Q=@wcxSn~Eos6VHV-atdYfZvZ-U z*bpTZAvtx_Kdk`-m$$`+99kbb+FH5Vl;gMZh=Ym-fw;VRaQN$uT)yifwUNL?7XqT( z8!@TJFoI8&1Aw-Wj&T1rH?Zwrhi>+FeGBd>WdXHsuNbiB0TpGQm!020p!}ESpEm7( z1`z|awNRC>0+U$w`%}f+Ajo^`2mHv4ks1KggO+9e4|sML5x!j=q6uJ7h!Jw;PlHdT zfUVS+XPP2lA5&r1tBJ%1=tJ;XfG8!W-YtflW=fHLSHYCVCBOgxzyNo0WN4nI%;z`W z>)%EUtt>tPL!1A09%y~Jv1B=w{s&uC#oFEzhORwC+3W?ALcTSQu&$aqAI*g*!Pz_h zf|rBmoEOIB zlG3j+&=Rt$9p7#4B5Fx?l@tty*|OUiV`YwD`1yXQag_{Cq4z~1d`LENcA_f2J9rdS z?1-%a$o@#jOEV#8`TqrQXK40Ft4q<>2v-4EH7mOx5{*8Z66fj2>&eE3jVy?BN%cF$ z1op@?Q>6M+UA_^N*PCGqG5*o(_LP$=w8U-w-pP@*?M~?H2Ok;Y>u+?h1khx@1oMd6 zJ%OR=nUC#`y{kVyeV&&^k^T8oHupOjB8(hz&PTrQd3Oy4o?bE^C0Q(LYgI@0TrRo9 zPM5iB-543&c1N3H@DUwlRg@xnbG~k_HTREbaJkFcySjd9`y&($V`KPmGsHUH0%~l| z%(=u|)`U|+9zhOtFugf~-Y9eD)~pA(&q9)XcK=*!=KUm|X7$_?mSeWza2xLTq5@%F z>L7xM($O=YO6Bf3gc)WMiHNvSNU^mKyUnBRjpM&LIf-t^FAefE{dADC%Ea%X+JV&dFx5iTP$usuw$;=cK!BBy0;Am3~W5l$STE zkr(K~@VMlMOlBwkpD+0M;9A$rQ-|1PV;^~Gb*&4utn|*X`RNEizPAQDTWBW0nNX@c zFDIe=pb7XVfmqGE>&ETG0XX*w+o-lHEcL0Vw=v^WAr3LtLBm++Jzmr<0-gdIYoVzl zYofm)@HU*N$*L~>U$%L7YlH7D(w0%dcx**+%#SgMWs#<_2)0)6TMF_`%X2&m?9jGQ zfU!F5a*TxB8CiKZqLdWC3)8Tia!3p|m;-{*%l zRWCWW58T+ha*PsfEtCmPqG8SvOpOJA>oBvv+il?Uz*G2FML$(w4i|aSzYSXpbCDb9 zpXa>ACfk1fW;G7H(V_}wo4Hb6696CGJ8jdI$ratL8+L~k%XbelZj$7TVp0Qokj&P2 zic12&FI@f1V4`$Qu8_r!KgveqeiON;Ww9aio4nn^#il{oQ|=ekai^9e&(#bUE z+Oe*fEn4vfrCJ$(5yC3&rGB8XIs+lFrbvpBPP~Uv3{JYIm$&J&!uG|+|8nJ(Kbnxo zmrN%vfO4^WN09wKB=EQVWo>BC)){#`VL#@TGyP|%T>Jj=$pRyNOiT4Aw%Tv24nW(v zR^Z(4J1&6dSZq2#s3fUWv8)JbaM&|=77a(3;P|q!tuF)&==HHKMQJ$EorQZgybh@; 
z#=`=;$~&$=25=yT0MkKmR@S{^-)oNrmHN$;+)V019ax_Y_+EipT%mj}_^Xq3N9?$5vMO#PU+nQwS zhz88H59v9GNYnRJdwR?{`R$cO+Jf~+VWu9tV-SpxTRSwLwP5kFQ{R^9y)!6BIZw)$ zzZxvMijVxRc>tg28gscOuL>BUXb#&B&&c$LZyGJHK{|wb^Q~gSQU^aHaf`h717q`Y z9F|wUfcDG1#dz~>h;BTF0T`j*}NH53p4g>5(MoQ6RPCywhe*l6^L)=EGMr?NebVg`G%n z1S|frpnZLd0y0K*RrjU5m==l2@&smP!H}A^j)_7>oL-r(zxi!*)$6*lTWu*y%J;tc z8&d-`%7oNG_vX3$yZXS%)(@EOGUC*RYsz>rMsl5ch<>E--IDLGvfEHn-uM2HG3TPD z*3~KXOp)a7s)$o$Zva8j8kqoP#qfZp|U=bNH#gUYLIEfBr+cht1I1)$ZM>lK;=bwra#) z4}yJWCe1+cZMyxKjjEy5yPx$G;(l50D=3X%T zO|`rLUmdN1qOJGW9BPLzcRP<^kH$chb#?=tZ;8v-!}HhK&2c~DJP^;KQC?fK{xZ(9 z&p@1&;3oCCCv)>CL^Gmb7lUbG(@^OI#<#rNnx>-qTa#!X1aam=9j`AL|G=} z+{%4de}FwgzeJkBI9|~KJ3w7hw@3nPKR|@#1lnXhF_@m(mh&Ta6+gJO(0|950HUgK z4VtBB0%k{!Vg`sN1fQGWEdbz`#q`1k05`?mYqpa`$qc*j5uVDap!4{59`0hW-vZ8c@1XG-Im$C5Y*yHM?fo zQZUR{hhkn>a{e6__6WgqsRZPITT)_5uRg4xpbjnFI$*jaYy?L--v3zd6dR{6W5a~w zy$0`+_5YFfmQitaLDwLGKp?ogh2ZWkL4!kZ4-h1{yCt}GaCdii3-0dPxVt-Z$@9MR z&97Or*8J%Ox4Um2tEydl*FA?yiVPoCLRCpCaKbbzt14o=ngX&^E93S??OQ_BvVYF1 zVjY}9kQ=~k&5PL?)Xb7{kvcrRf>JV7VuvmU`}Zn zrWzw@?}wz?TQ;X!J!dtNbrI{yCR5Zgu;HJG1Y8h|^yoSC$Ma9do!1T*4-%9_sc>+! 
z=X3h#&>FZ2aCLes2dw?M+=&@p&0;g$y|<=}Oo_1B+XaLg zziO8JSG0NUWLv~amFEM8*X)64&BPD=nO;GFH7j38>FF0BJaaI=qkSMQ*2|QBwTC-F z0T(6s8QR?PsCHVNUc|%g+Y*hRjRbYy{SklEYBI(aaT6VN-Q;9hF)Ro0QJC*4dU zEVto1=^Nrc)p=p@BK+`6p3)KuEej6VhexzIw@;7-Cbfz<^qh%Y3=8(Pc~NeqjNC%9 z9I_{U6kA7Rnp*N88Xh6bV9+JGoF(bP?PGudGV5a<&eDxiyzEVcL(w5MebydXkj&A* zfOfT;Un+6CtQFxNuMFAG9~iHLMu!Hl5e~jxD$@k>V!=i@U%vT$MUMv^%$|Kp5>8nc zzXknliA3onZE$sAJ^P&qgs>wzUVH4om*tfMF9#m~vWa)$b#F+u`wpcz*c7}*1*2<& z*g@D-!^5!7#o={soNdW*)UPijjB`?k2m&2HUf`!{obGJPgY7A#KP?VCy=+P)U$I^< zmjS_QA%~F^@6#K)A}(E$HVTi_KzB1I3{kR$19eH<2OA9OOTmwLQ)ba?Je~K@4AOrL zkW*u|P#CAy(x4g|E#N#iPep1^xKlD_UdkgLdI70F9!SJ!9Q?#}BviZNjto*QT)aR_ zc8bfU5fG&e?`9Va&GNQ15xBiSph~f6#K-OuK|dw&3!gV&{SI zwx%ZjtZ8LB_7(6FCJ=zvZ!Ta@ER4mQ;K+v$Cle}Hu%OHT+>QVXsccr)DtVAzn-Q9| z8&mk2fT}Is@$0z{8;77b!32AJsGhvG!(syDKPZx@JR9u?109b9cb6X2`k=<)^*|U) zBgCySWL)8(LAHWF#qHKFdRt~!P+hxGg;!)I3%G(j;@r_6aqxJg2ey~+;A*3DAmWnx zOJ%?vLfN`b zu_i!*?%lhOTZvS>ZaDB?_J$wlZ)WP1i+GmDl6o>ubn~qZ2R@xDutPMhz5m^+)ga_A z`!KQ2YQ|h2ZdS4ahR5Jw?1hXl-p+Iie{zOHo}eLnaL6zu(>rrMV$7%-r24mSo|Bro z>PXqMziRq2Y9|rUi{+O=&|9P*lt7N?o6?!&%(CQvwJoAkrCLlO7yz1gf>GiKJ1U7S zqLA?JB1{>BpjU>`td7oj=?fVS+MfHli^ogiuhK;cua`<_7(~J*^!dq$0U+wb(Qy+; zU96-hs1OQ}>24JzlG)V9X>eF>HS=2QOC$z&mN*QH4t9+8_9BE?)`WusY27q}wSwGA zJ)S=ObN)uVDrc*UD*!`~RIRSeQWc7CS#KkTr^` zE-s~YD_L1c{<{UX=EHb6;OAo85>kia{%GZAxgZ(!i*=P!X1=?!eJ`>1F187(nL29V zjzdky-0X@vklMs~z3394o<5N-#uuPi1C0g(!UqNzLLeKps#yUtJ>?m^V}MZr#g#3H zxyD|fPWk7uPfu$wrc(N`bIKivlyfDDQZ2^GpkX+jFN{4Fl(5)cZi$wP*s{1ikr|HL z;z(-Tn&ovtwvRG7!C~83C z*im(R&%XYWh$f?uBPiu25cjmQrBdKmSAbM!+K+zv+-A}C}rRQYrV`We#pdToViv^>*C#`i`Pn7-Y~H*Xr9QnT#mWK9w>Dj(dT;FGe%X7 z6O{0PJJs96Wkk)+iOmm0wDt+7bH$eioD`$9gfM=sM>->7!w-(#ebwu@m)Q?}-{KhX$QRxEy%pw(!M{6tfm~3XOAfPO;{+!E2!3e|X_@ z`Zn8#zL=SNnP531Pgca4s-2+#*Z3!gS!aUtrwG)q3ERE?K8ryT&Lz?Ew5qk=t)9)> z5HqzD3{qwuSbtDVlAvkp-iVut-Xbb48;H=XK1zmQ1wq=MXgaVuJdZVY&Bg^wqt-)h zIV=TaUj84bp3E7=4Y;C1zqQy%SIv^n{{cD!k9;LsUhS1_&{-kp6w*ud1K}qrJ!?7= zDe&N+t0`fKjRCMsoorwJMkEY>BhI9!(zkuTm(k+J8HoIAgEK;Z({1Lp&vJl5uo)6l 
z0TLbdUhUmJMU{%6>Wtlw8TdXdD&?m=zMmY-vI4|3F5*tT()Ecf(r~UC+y(r+JUu#Q z61EEke&UP@NZ6_h8swmak3e$Re$-<3tr&7#R~k=y?j?=I_enP za=!)VzLG1!j{mwJC;B*?aXKD4ZmdjYzV9TPMPxKqB}TyFWYkZNy-_@cI!*d<<;HW1 zh)p;nIb2V{z0XV(*|bJS(^$Y!yqfTn83nF8(t05>hyAmd=h>~(5!WHPVZn-vhZ98=k{i6L;yGqszJPZzvbGO`f(kM{~QgzvQ1~;4z zcKnNG2Y7^kq14_IYWzub6kK09ZkeB}k=~!}lxe)(Q!N*a`93WF{p;fVS9qZV!AzM@ zpc2l7{l2mam;Ea zWVX(Z-Q~M1Hv}C4gn^07Wt8JKRrUvsI>Di)C!Ov$B!&g8XAbt=hJS20SO)z}^V5!K&WAjHn3KG(V`5B zI&kBj@`|%WW;5^kQY;jafwZ4B-wyyQs!J>GJtVwh)7n78zW@%jjA2$<7U3B8XTE8Y zbgzQ@8e1>ey^nG*-b?o zhePRrjAbg6fB}sk)E*Ij0g!5P)rK7z2;4KT6dH>icJi#3D^W9YeNBWGc7VW=nrk18 z$fkM8-WjLda5?CS5?js0QyBTdfH!a%ig%#WF@CFP3}zv6&IKHJQQUHQx{*ZNuL^4W zJ)$$`kgst2!hi6$h?m9MT+x{2ZV+pWX1lM)yynWVX=5t$TY&_`x<=MXm;0T-iHrMu z6NT8}0FD`Pn>>F|I|v{y#FEW+y(zLU?RxuS`;VF^E@HPOsR!~qi=kq&UtT;&7(`ja9(<8Xt-&LD);)W% z!{g`A+=*UA!z7GgNGnBAhv3=^rgo&$Hh%fh6Z01*kBU5iq0U)}B=l{mF zHu`;VLnS76bh1BM=r0Ut%6uB%6ws#{!nM2zzOg@&~G*{H5jBkO1Y zjqK1H-XjhjoJuc@O+cxjtlo{B+;n%1{H^9pT`_GAF(bp8`I1f=TbbW@nD!D!X$&Ii z28$djXo~kLG_T3Xqr&z5qgM-YB??Pe>UdBsfhR=FAKls>O*6wkp>GU-i>eMh^C~^v z9YXYeqqU2J_js~#V-1UY;7R42uQ$Q{B|xxNa40|q0GJ3cW76kjB%e@>#`L8=4zHzk zmV-}v3HbbT6!S+Xs}*dSe9cq>O#&H4H1~=ZmZ%l4+O1ii@hvjGHExS>oD>NW^8_*I zbQY9rNv~o}-flB!etbsn#Ixiy)Ry<)D~;!$3Jc>O0q7O|I(6^K zvxuPw076^k2PH|qd2FsXo3dfuV{WW_LVXq@cGgDVIcOn+J7tZ0%9gOiNkuV<2lP%-{)W^{tfUD8j6j-^x|HHVj1FIs&%)H7_Rla)o(^AcN0N{Tor** z?3DwoBuh}y3!MRk+@C4MwJeGEih zfZ|n1G^Li{yoBz~~xVXfzPRu1BNdl;11CftJ>xAbDUik;(CKfN`=mupbcYnsGO!hU9?AV&o zVoZPYvKe+10{%I}%&yHNZAEO2)q}xz6Tc0v>@7gcWj>8FT!gJ{W}y3OW#x?ycS&}%d)}a|D0l8%eBuFH5jW@;;EuEd#>}^ASu+3F zgkh`?@hSg1q&Rts>w>mmkH(TvH zT{~k*x4X8FZ(T=X>bWi7(8|@de1-@Sj>aPOaG14$By`N={!=-J^dBZxr!@Qu`wO70 zQ$=B1m5wbZ|A|YYFz%ZG`7S-PNUu?)o(W__veURDF{-l*Mz*@{ZdS(N=vU9(C`*&& z)1_>l?8IDiCua8z4b>&`-oSb4thkAX>iW4;LV(P6?-6=x)#9B|(~7vjHNSqmS!?6u zuvtGFMc7BpbfoGG{wLBU{HlD5A{CkVl(klsBBY}Z-vCjyuJ%zVa*AH{Zh5#ZpPV!0 z`88E6b)Zw?@P;EPXtjbY@Ex3fLo?5+nnP*d?=b$a2ZS@G$?{$@`Fe9q8`)3CD2kV+ 
z&xwOLW=RKl(Iw|(iz%C_+W?s3@~0+i&M4B9AoVkBa{1BnZ@or7L=iYMEEqe&=(@kQ zR*zG^k^P@0LjiQR-R?%gyT@=dbT5ar-sQNHDkhiYVE;>~v2VbgkG~lc#5nJp`rQcLOw;l!`Ium)Vr!KN#>Fa5!^2vj7 zLnVVkx3WL<%`NpV-f^urf|PJ)1oKu|7}H;BK=}gmGERd-4NZ-xb90)x#uKYgPpiIH zDHoqf6;toda|<;C$^29z9Gig?<}MDJ3_~$LlBRS5KzZZSb4lI8x!ODNXn!vqkz>HS z9rw+Eyvcx1OayrF>1f6J!JOULyi0`_h~%F?ADZI`k*UE3sMQV~35c~7zaAK^L!ecg z`?{}lmk?mXP@I6KD5_gthvVJ@jw&( z)$LHbX9(*zX?SR5TRtF|1o}C$K3X z3`6dsE^fA9-I5W+%PBV8{MIc!*nH{12OL+fB>RBBDfPc*fhQ=?y2amvF~JdOk*@XWw5zA z0}v{wKpcxFz&c>IvXN+6eog&@1Uz^d9Y}fR{-7v>Ramkg=H`U(=~Kaa75=Q0UCQ@T zw!r-4U$?LB@3d~Vz8S{A8H`dfEXR)`sS;}kJ^W*zQzybcHfU&Qe}P@s&I4Jws0N~# zG<{j=dJ9?;?+Jxl_E9G9gzbgdx--37{W-Ds=wQ8f*%oC$ARu$gv8tku&Eo zVXl(@z_)@Yw@xrfo1fKG)&XvA+>_*yHf{y$#rai;q+>c=WJhmld)m( zU7uRPcLLWLfNV2iRT|w+OuDFiD%a8CaL5g$Ht$c$V2Dz*gnn^5-ltB zzFq9_UntI-qjuq7s#b=TxSH_YghMoSMf^^hmliG55@U=~`X^FHM$-QppGdd{h>iX_ z06wsPS&MkfvnnE)p?ITE2mxsr$UnV_Xx=0oSki8A1cvIxg8bu~;6Y;^rhVs4`%k^m z8%h6Mohp|6mb5vYFamCVeG6#dQI=st`En{|XK>gax|p_K`V2?pmsJPY|51d%?JkA? zvg-&ewaT6P=eJ=f`nauvICsqdmOBo~h)&SlwpRYqb0!8dKA>4rfY9+)jWL2;xbXh2 zDLQ5Tov*Hhu^gO6qftZif#iXw#f0BK(YYAz=8~&%@f5&4)6!WM?1^A5OH^rgZOWY!?8{)Ydy`1Z|AWdr(@dL%{TL!dix9BRjOjk;IcB+tu|PmYt*xy zC<(&56Okn~%UiO0J-4n{+@zU#F4qFDuFICA%)mN#TGn=W|42-0Kd!o~;htKa21>ys%S*Qqw|x&_|Z@!Jjx zcvcET_mxX`&JEReFgxUAL?!W{`|Ql6ls<uGwFSI)R@{KECc*Je_I z)%u4heIrrt|`Cg9YnAH|8~ zMU(Hn4&SZKOYKm~MNqz23JK4jM;lUut@(YLi`QeK4M~@7wvbdm1@DK= zSP*a%bWd0J1_D9u+0>`{JF3@BY$g@T*W+p5XY1w&;Nfh?i|^@8w^SO9xmWvWZWr%w zrs_n1wZgO)yGdD5w~&v1nmAy=y`WZ+-Zy|gAMAaIiS6+8UUl{0|7BKcsv@i^zc}oV z-$f(6hAm;GJ4$Z~Tvu1@GG{eDPOENma&*oapBB#c>6o7u#`Uf25TW~_SZ2FhpvaHP zK`x%~nU`OxD3uc~9?Tz{9-k=mP1m)>S?&vHJU-=vPGu4GgZ~z8R@1+<)!gYC7GL_w#Gu?{ z6ciP4tjYjo-2f}Zs`T?Gb!BB`Ow896_qQuR9f_3L+eV6SfByGks`SQR{O^Cj^@+TH z-sk^Z%98z8j`n}PBbxm0teOAwogfY%<@+-~=}qzx9Ch+X(P5T{k6S^8 zkKF>?gYyEF^2a|d9v>g48tqMhRnqlMWu(n=KY^|Ypv!@wJpL^}7glzTy5|rAT%gP= zD56m_$r|CmUAA9#oYN`MYfsC``8->q(FKLf2O%US^%3YcoqB~&u5>&a5z%OoN-;zN 
zuQLNahXn~WbuhM`2dWPoI>n#l3JZ)z4$h+EOn))(PRP18GoNcpz(8IJ7X*SD8O_5Ue;sB&-T zKQI6vFDNY32i7D2jo++bf-Wk^%KO`#l|jb`eAo4H?EkLUz$2&G^Tx~JiM~~Xi2&c0 zvWIQvVwV2T8vipF+nva_N`mR>X$2h}pq%5)%tW{pc|`wvn{*W8EjK*h2xYwJCj-3| zQV7GYqsYnonS2D`*qg1*FB~mYzafGD4Daa8u$vRuexiwID*|;4!1n?xOefwH zuKzLR<|tgCH%*R*;-{+sd--@X4j-P| zm%%L4eoP%_DIly9^{-5-q=Zg}0v%Xm{|%d|oFayDZ7z1)f6WXE znEv6>zr1hnVz0%# z!ppd3)uG&qD_O1t3$Rs;?+BRAXgwLZa^vz5_oRHDo$n39zAbHF1@PT(MgPxC{x59HxD8FtZoJToMnOc;#`c?6l?eNo5~4noZc60P3;R!LRlj@SSB*B;SzcV+DbV@4 z=AS01o;0K59ruSUPx*WNGV+|V)(GdIJ!y3>9E@48bwB~R^AS~BNudBPO%dJ?vZsMFgv z27df#BLLrO?WFm1_6?Q+wFARx{Qp&k0&TKk!L(RtfXeSw>s5KW|AwOuuwYgT`=hS^5ZFzAjsM{Ga8x^r*I&1>SXYGzE(3cH|Ksl0<1&~xaasX z;HUtZ>Ay+0kc7)H7v_4X{lK(aZoD5a!F3xIfL1lyM_z(Gu<6D=DV0md87~DCDrP8^ zgz^jX?#tZM`MvoL^=jkr|83;Id*yF+jxTVsj4QpnBo$~e!@*u|j!A!|>1(_6B23tZ z7!rI+#KS~LWi*x&1ePJ?*2zgkU|`^Xw?JBNK5d%23^!+FCMdeIU|SOD&Tx(E8} zVViTB5B@7I)z}>$R^QudJBQjcz<$>@a1|&Oi7%Kk{DtUS~ zf_ARE=%0ras28re$Cf>qCHZ+!_Krh3deC3{-@|~?d&r0_$idStjCCx|C)zK!?XL@` z(Eh-}{=ngOW%|EvsS^%&kL#MgF3+<^X)aAR1w88dQHRvk=el0nV?KUa{%N_DiJ4xe#f*82Cu}r5POzNky83jTzvl7<_iDM zteai{8aYjC4U_ju_HEh!9Er5^ec8UG(# ziS?;IB`{Md3vrBkqq*_A03r9E+u|Z0yE|XLoOLfuz|t(Z|4PZRWlmi~)gT7i2ynMD zzBqd?tWDFu@WOv8aEm~kgBcxvffB#67+T{@QG36p)o4eqqN1Yhb-!)-C=3jcC@+)a zfij@@{WI+#jyxB?DU;#YD_nc>dMKRG0U1EpbuPZYdNwLqQj?mfBVT5EAYsRETaP`GB9g(7+D z*=YhwkuDHtXCe5ETDr#J06CCYtdaamhCHG(*v*J1O?ep*ORY*5`a!y05gi*A`-$>eyfFQL}MNXEJDYMzWE; zB{Ic2P@FM|tz41^BE3)LZ*_ffJQZ0KC3nxJZ#0n@z5PMN?SGQ9mz>_8tTe|1NRh)6 z@jp}lXYY7hXhKhag1eCu`%4~)*7GG8jV`hUm6Wf@KztX_YF;jI?=<^N$$Ft^8_fsV z>Aup7T_23jl$Wj57B^>Zf3!jZ*w2qI=&o0hm$2g+R8KozC)!R4aj~X_--mh$aa0sM z7}sX;UsC-9Vg)=1Oci#?WO#N+=6Y`2Do3 z34RqrnjLd+SX);N){XcD2BKqP&g_(v0Zp#?ASNdE#`nAhsP05r;=u)Ex*t}=*nfo; z2YJ4Q`=AZi>dj>onehvj(Ern%X3YvK7=) zd@A=0ehokSQb}O6&3}6#<^}()(~O?I7E4*k_O>T~Vul#=iLzC;_eF5N;=%I-A9L%> zcL49%hgYM`44Rn1H93${jP2|l?fahYwQLA8cFfr8nU=~@^RmVOZu^~@`$O1FcJ@=* z-X>bA5ZY&AuIjt%3^VTsUh#`%eY6Q2b7nlWhW%|l z7M5qWs0kYn!pWEajPL0P>Z_GGwC@vQ$%4eWAK2^V-GgK?HTyoxu><)0|8}~;33t!I 
zmwTKS!ewpuJVZ}dU#Dn@rjLyuiGX_Wim#m(^+CxL(;KG^_LKA_JO&-rW2GK9E07dD zTym>pU(7_Iu;8)&UY9JnZb!)DoZmSi(IpOv#8aMstCDBsvD4o>!pFVac|A9u`4qCtq*&=!4kAJkvg$EFLu?|CpQJ=8w?Xal(bCMG6O9mZN)l7>6bohw#g zmF;p|e%g=;=Quo)I2JX%Y30R!5S&&WA*d(WYm1~8A$fk#7mLi-j}o2MA4!VjP(S80 zT}9mRx@fWhoEoxOqUO5Z$rRX7?H2VDIi3F!u9>XY?l7z)pI*qF!b5;^zccY^L%2-W zn^}4?ZGG{>=w>~3^!W@A!@Ivq^87td_m}@cWOUZ#qPrJUqTxmuJ75EGtXlLXCasGO@ zv7(?SKnj<0{gJ$)V^ziJ7%Xn5N}i|ms$sjk(+1@-T%K910N-fj?~$a|{ZJ)!qdFI5 z&0;7Tn7=CI7f9La@r;X)*ZE$MbGh_13nfd3Y5X-w1HogPh(iVQqUSjNQvHZ>ne$W5 zx^@P4Ix%re_#BIjPudreCCfP3fV*}ANgN>|G^PS7;NokKmOQ%c*H!t@z+|JFAg(H@OoDO zi$g!k1G(Rt)!~uk@$E8B?q)9qhjaUuVMv^OtzkG88E&ZchPR+{#=)nAi+)0cx-QY) zrY|4*Vq$%>|5PzFYyB`5D|ziq&a7&*W=x;? zho{C;cgRafZT!}KJw@%WA=EJgh(;9CX0uqTscC*zqK+y8Ad{or(hbd*=O1l}ETM@k zo57xfLdrs)0V`-k^@Z|LhC z)yI=een~vmG|BjpwGi8tbLWRkIr>Cm-9EoYb1H?EecLHCEE&Z5q3_Z%GC566i%8|4 z{Y<6fo~`X)J6CXQP5KFunaQU+s>TaqUfL2{NABx3fKv+d1-dO6OE%iIoU7J;ycs(`b{0J4{TqU$Md4kl*hWwAfs*-U2ur{Z!jk>`i<)@zhad^+1D(O%0I zHcJFXb`$)$AG!liY1|X9F2{K{MtdW#buXh`p5Gty(<|o+AjO?pdBWGrIbJSq(nt;y zfNh+g#05Jq)k+Koc^95uhUr@zBtPC>S*$*}{QrZ9^hUXq25avF=G3$nj3Aupz0*RI zTy90MmsbQp?=(KD3%=ShxZ4m)44*i(-{`b?oqPN~juFA*bt>`H{R%q~V0O2?jeS=r zEQalYTK`Jf@otDP@y_s)!%T&Mi6b1xjpgy?oX>gYV~DrMFX(oiAy$#xy!y8piJ>#1 zo7Z#EL|X(?rZgLNagELS!uleGF7)ed_jov*kyyu16Q*01L`BE<6che-nXmuF7##8; zzNe36^f(4wj74)`Hm@4fM=3TFL+q_HquoK9D3P#O4|RU+u$wofXi}MB@F_PV=3<=W zfVMwTNxd6sNU**zy>W+%^Z3aGO|xTe3UuD_^4YCnBU_!SsL()K@tyh5f!t^U#~kM6 zS{a=i@}6jvw&=%+Hfn*Z#A_@qhQ?59!Iz*|aGA+rgy#>!(fpdhpd#lkUXn1R)aEJY zer|1>0S5*mBFjE0XiKr4EDq;P{zv=eB~K|P>{0I|>UEy!L0LYp!^5LuM#|-wGQQ4z z)*UG;Zx7V;yrVT6NdesCwyki9vfZaLuRUg^8cR6Nu(aXd{Jn{i(?g5Un~X4G)nJ$#ijyTc7C1q*S?Q(0MmTK(i1N6T@64% z8jb40H*B4t{`fFXd%tYfg9*O?FR`Afq<~O4e4hy;eM9@XnVKqu7adG3UW-w6U)r3& zQbW7mW(6=VaAC(o4TtGQmT|R4Rw`1?UcE}3y4~Y`uusc6Obu?RI4jYpN>G`2dku}Crex0EYVUSmnWK2dVGI=(C}!Rt9*uUOkylyI5Vc$+$U|= z$G{LVIhj{*mU=C_^7i1&C$2l_*LbD4)nN~KIbXkXZTN0;{+BX`tW`p8J#M${yLDnM zdSK+Ttn}S!*yTQ$8-th=3Pw#HlE=YhUX1f>>q3yKEI&Xm`>~}pSV^2__WVZTkvW^} 
zX(Lgl!mX>+sItz(182d;odBjM)*kDJA#4Z3JMCFkx3dM^iT1enV?D_W-;c#n`Dwe*M+-ZAAKdb-_s%F<@PyUkJ#D$H`Ny!Kv#7(V2^%R_HJ15wgHRko1eG|nWvo?VaYq-};>auFSb{~J$d!2~E+7WFr{9O8DWdV(u zw3nGTpAm-x`~%BNN0%pp54=eFLSSKHxt`^mT}MPp5KPQjA>ZX4^!t6~!EZzcCzDWY zRdT{p4ewC|e|)NbdE_y7GC6yG6-O(8lAZuEmws#v-WNna3RWWZf#t2pvOuNo^lPM&gbZI+`x7uI_P3oZ^tiPlI%mIZBG_twKO<9 zdcCodCsbBMedg80G4VexdJwy~ADed7&kqG6;^y=@RFpiJ!r4Pl*MI-obm6J3N{gVK zzZv}efY1=*TJAki4pgBj=-5on099wnh_t%vqwtS^xQ^+aUdhb!U0gP7pRS8(kM?Az4Z)1NcV1f13qGU&bVyGwxX8!!h_-&G1G_7a_r*8&Q48HX zv@h^?s64E`e#cz{!J}$+!vh)`mbkh)4r!ZJIQYt3Y&qqENG%Tg576&`i00%T^C>QM z?eGb85e+Mzb~^7QbMdf^7sTu3^@7D-X>@ni?~9%-FFlM$gA6%Yy?zVoV&|DF7V76L z_I>0m8)=RhY`1*do*dD=@3Xo(C&~p)e3hjpmjT}Re@vk&VK^rJ;?+$}zKJcSb;gys zSQSWC*J2` zywLl+qdNrCRBR|uycaa{!hzlJrzWK`OUJ8-;yAc1jyZQO7We-neFYT zd2MM)GItt48Q&)0K}F;-FmCzVwR@MT9-?j!PW5n@huj-qFvF`9h^Z!4?_U;R@bS-z zam>McN1kBbUiNb>;tQhQ2yBHG>1kZi;yq7%M8Y6#q0wG;-{tUad&Sm)mE2jwukkqH zaX<3}j3TJonA+1)i;9<&?eTbzra~-CsFi%34hS`&azR~|4&l)%t%mhfy8!T`06t5^ zH(ix4Uv?PjQhCF^r-tONQNHln3uu|kAI6fUYxi|8wQmTe(h~LwcIOvzD^DvcYAA_J zv|+5Ku*Q(&#tFuQySH3{ZEg>C7#R8(%T#FU=zqNA`-`UXhrS9tvXt}LF7%T!f;LB;v%D~PgUOiXL@IJ; zZ~BS22O4F%p9A1WG)FtoCwv6b78t=}OpMUdt5PSe&gAz+v{qKv>7=s%4+f!xf5w|e zgf7((lq)bj`AN!x7SW?>-Ts82MCZZ-5Tdj_&U^4$n<}_Z z6^9e>LWyFFVs7uRggm|3u#i0OaocB$sLEc!tDb!lio4zf-XkY@)&~@%C_H`W*Zdml5F_&Usv@HM25 z2rVFch5Kop_%e~Z(&CXEUvD?onkI~hUcFOENx&d|=`Zt!SX(M@EbXX;rq_f8S<#B? 
z^3_KCa3eh&KDov7t)8o)mOm<1Kq()SL*;rG_m2qobiFq3)V|YJ-vQ^9ZdW+0uzAHW zVys`k0&B$VH4bV)zmkvb1&u5V;ohy_3Z8_~B%L(RUu?%)*eBvd#xq;)U@)9S2Ccw+ zC;i+8-({8D(W%BjHj5SJIE4HZN99scziKzY07l!)21IIQZ3{0!LM*U9!k_-RpUL^ls|ha$VM;2&u+Q; zHanUq{deW^erG$GyWJjgos?9R;$|%>5WKx0{fU{0`eB7Qt1ylSJJwE@A{Z$9%VXid#V0(9Dhsv`j7IZ!1~vw(0LtA{l@@A37=c} zjGnv>pM;>UOY&SJLyXqziWGc<9j@#@#eTk@ zNn;3v`nY@2FoC$QF;coW~rVy64<$=z&g7tFFlduQp9_aA=fgXn{l$UPW*R=83_%csMi--?#}Kx)3=MCcVf~T= ztVr_$1iHxuh0|QsugqFmPM)Qqwm#ZO*f0#e7HaKle1Xq=G@UA9-#|OPOtfvWRZ=Of+tCLdoCv} zN(O63xu83?2V3K$YV1-RLWJO^%ABfP%Rcg(@;Mj6;=G6>WkpcGWP#%Q2^7)tN8OFl zvR^nSE5j|1+_Nsv#Qox@!O>i_(-877mnUsWl<|2g{0lz3;XO*HTQk5&NQF+sPv$dw zW18i$zNSgGBx#4CdNVV6-4I}NIEa`s0!raRy>)u~&>uI9@k^dEURIPYI{lGH;)?YI z<)LU6kh~W|FIy*$-EnLU-w7KVET1`!Z+5F*%3{+^zI6<=O>~njSs))oZprI9B@6#| zzpFg&u|anhEzPTZZ(8^@gRT&ET}l)9Jy+DOWOsK@98nO?SP%}p3(`f8i6D`4@!EPF zfjEhYJdX4uP5a-fi86DE--u^9BkLXR#?|-pL|qVZB)_3Ro&r+$*L|2q=!`H|TfZ+2 zXj`jEE9P9UKveK}(P||WOG6Aaf;&ZtiSF~!yYEWatXBw51GUm?XSd%bzm&HD%rtt< zamw0EyDN?CDQW>5avw6HsDy!wJcwA%9P()%H? zthoN{s>7ow#g_nrQ>&Wgo+i5!*gIW-zasv_T)ENkNlSKFVsbY*Q&q^=Y+Qz^xF3Gt zlD&tgi-E9>vB?Ga0{J4&2S;2?+4kA2X@K7>r~ZqBPidte;ipgeu}RA%c6PAGVJ zo%z^p!>3ETOzwff^#m)6KUvBJ+WuUg>IoY^pyj23gSpAd4LS?HTpdg&`4uQwqzT(0 z9qSJz5v!lQ&|z5(cUt1TuW60gCFVKpZsWfGQDwAW?{QclhK?Z3mI`x~cVC(P*}REf zn#=O>Cbx7Y!*m<$de(}u{C@m;uz26W22+r@WM@4BDJ2$TbE=Mz)nxQDC1s#Vnrm;M zdn6tlm#>xy-{6@PWLpT|hnxTp6$(R85{pm z;w_wDd;(5nSEH58@A%6h5{^QC=Ga($bGc$s_#F4MoRi&*4`}rMNAqpi$lrMcw+1Va z%^muC9=~zz{mS0uWQMf_M`Fe5WQyzd--Qx*+@-T2c`(Os_lV%y-Lbpn&np=!|Bz8h6*;Zf{)R`c;P`=)O@v?&`M z9j-XX%3MKVp}l&)_n2D%jsxE5a&sA^aRyegSgcGBYY~=OCXzw_E7n_wj`L_~i?U0_ zTlf0x-phW$>w{Mf6nA*XlK@lBB=O@D>%-?WAt#>nT$9Srw8<*axfq1@_xc;8?405I z$&-nm1%$*-mQuTe4F1EA#^lxps)#q%@DaQFbB(XE_mm*1u&9%qIvOy~9tu7;ek^>rWf`uNi? 
zfsMA8&;Ih33=RM2dQx+7d7+K9o`=or8FzQN9+ALRiPkMtq1G7^q}1*gG`~#v+tE^U z%u7L>j5On*Rd>QyWrhg4_R$l3@uSbBP#Em>mi_*>y$I}i7E2s;Kf$%qnJz;o< z)5}&Y5aeXN)O#hRRy}TTM2vH@b~`+@FdA4LcRs%$GWgKq>co1wsYk_3->vIGnBC%) zXh6!sQ*;3_SAkBXD)3NEk`9S}wiOw@S*S6T`f=EU^4{n&g{b!RtUrhba?6GRhcl$% z*4WMl3@PwTE>M@8kH!Bt%p=UiXiqgaN=h{viTWdzM|yV8w~8c53N`!_ese4DJd?;2%_ ztKpq&Ze;j$1SfO47%|jRm(5!wwAjtFS4Re_rDzDPQr}|R$B!F|*T^+0O9q~8Hq{tgC9g8|*HcxS=}YG(10=9qR#;*4FE zabVOdUN$`xO!~OzvfdRcmB}-=VkE}PyiRAd-d(P08+X?4K{G;s-)wTt!>1BL*R%yjM4FLXK#; z%Oh>)&clRyT{`U^_nJ*A0Zzqo8MtnP8{tjgMxcQj+EJY<3w!*JE}E13xsi7X(b22N z7+n;^IDDrP82qjY@d4*4m9zbQokNgkgC0BY zu53Gy+dxEI6JK5>yWtupLL}6N@&V2g#-|D6rpI~htD&sH0TWn8qB22^$Uek+bH}a6 zKx)jz0~)%<$Cn>*%Hj2EofhMxM*7o-p)8K*tJkvHUi8f~t=-+@Fsj6%ACE)9{e$E) z$O$sLhy5fJrA2BLWK3Uvs_#xEqGL$R>8i(d_zM!<-6ZT)PjjUcI&EEpXS;)IGr?gj zsH*Gr4=Z6Q4${o@D{mU@rp^M^B>V+5GJ=9 z@)W&ldUQOIILvROr|m|~7e$?gEKE+)e2L54;r4Jquqc;>jV?k-vLWa;of3r@hdjsm zusLFEb1STC7#`qIh%c%)Mmr%h+oFFq;G+DM`AK=4>sP$C$n+sI3YiN#BbYOTOC>2WCl^%ge~3A zR<0o9sA6i!JCg`8SjDO9lHsbH8c*9eF&;_jv_u3k*goK-wmva6x(u5v&zs>r;h@)nPx$zDGL~gd~dW7c+y)n{~zRW&KVeniqbay38M}UVCI9}tWP;}6h z(V9{0!8_Ixdr@f!yC6T1S?Q~MXet+VO{|`SFQfq>#Wcx$IyN*|9C@i`p*0fKaCYus zxm{sw#AMyJj?*2HfM=PY^EAP4&f63BOt`Jok#pw9|Jw6r{8hw zbmU0U+ZHPtDD@sW@mKy8Z-7SOPNm)~q?tK$n^Rt~@F~1Bq?QH@z5zbz;ebgcJQ*i! 
zinivbxwlaf?d5W=8L#hfa#!<3rIK&D<&>3 zm*`IM&1}eiDQ^InQ0?;_HsSe_jn=KH5j<3S|CGvg(Yka`o@=*$BDUtB7=1v#mWH>U zQX*{Gc!Q|Rz_xPLxYZbEmz3;wGe_`3rX2XmwjCV4 zQK4LV))ATEdAUWN>FC*MVj;;$d#dR<6{IBFW}h6=QDs%6Q=4^CIhtEJqld+&u5C|c zvc#7q+%5cmHY+s5mIi9f;4dFyokj8deU%n1&uEVY_De2=#vSnS?YNmgdLQoV`{|vW z=KS#F#44oPPvvRNjaTdWX-VKJK8xbPTRD{{@5nGpnvWK&`k`OQ@?){3M{18x`ZLcy zj63zyFL}&0k0PsrEXV!7E4Wrg0iyA4Us>vb7Eoot9mvEM{6!qcpn3hcy9?Y`wYzt8@%tI50?V;1(Z0aW?ab3CarkqYZ;lS)j5H-8)b;)bb z*qGt7bWQL6k@dlVdpGm*()8L730l(%xmf>-1$bLRbuf-XXSx#xMG`I-xw=sz4g3u= zQ-_6UQf=N#*hwP_gPBaHTwuALt}|_aIIZ>IaQteS*Vb3X*~(;nF9B)M)pzA%6)z&3 z_-Z{{Okn!St5A@b(HkMjfMg~kgi)UJ@YX>z!tyGDQNod016QUSvt1Yo__alg-tmS3 z7aZzgZdQY>M{K)G2b~JeT$;a}!IoQL1w9T+tu<>ML`5rxPb^;reWJ$Blg}>RvQ+v~ zJW4+C93T)pJJQ~tFZqTo@=_8ArmcHGrjXpsl|YQi5GKA*7rmky`Y<4fKjs%C01(VycA+=TOp_J0jcD4L^6U$z( zTJ*8*a^K;-;4^waC`%j7&6nQe8+Hq(fpr&`Cj#%g(Ev>zT}VRKTmH<}AIQpW8FxBZ z#rD(Y^tTquW&O~qn4J4XLRt_vbF<|Jk6Qj9P`bZ5yQIFl=9pZzwYMG?vx~LCgw1}v z>2PVdYNKBvyA`6UXxz?R^xEw}yr zI4oJe&Zw5`n0C^rcUL3?B~MRlGU`DnRV{F*qW6Qq%O-pEcB-29Y7Y;?NXK(ulF{(6 zEQr>mxtMex6t|CQ+TZyQ_;@`Zhjab3@ei72AKJ`q&6G^<{=64!QvXwyxx@c6JTl5R z@!IjlXE`S5z{$s`V}|Q-?_UfgrNfnxd-Zmng;s)%XtJuj^L6@O1 z?{U#Z7C#M)R@JQUskNSThI`aC>1YtsTJua3@4l zs|#*|@HkKna%lt=ahPIc^$}Kdl9eys*B6Z#Gj?aG_I1qEV-$E4%<-N3dgwW34pmlH zx0igDmW(3|(rn&UJBPk0HCa0Pod+`QsWu(t_PRT9xK2cZpV-7DCPr>&U^QxF@im*w zf02Ez-WM>;*hJYWXZ5Ort$PSt#kN;EJDW;Oj7JO|EAeh}W<{bzRVvN*aQBoJOy8V# zW@vFfcjG79sW4L9@|JLvt3gKPo_AtPF>OnI-B5DqV~DK-x9;EG`(m1@kX*JiAUVQM zy8=05V?ULsD=I5rWZ|*B(!}#K5B}4KWw$3fVZcanDiw#w(WuJ~23wuGP|1IuscH!Z zUyqP1D>c@5Ix#x+ErsJxCiyL4dbQAVdhMP!vw*&Tr!1OQaJ^gWY5R_bg^T*#e6dA!niZctrp9d1YWtzV7zwzz9NqP z?WsP_4JcRCe}NOIV~g#Q{@1AE5Bh~#o9o|<^~)Fari+u6$`GW9GcLO88mV_Oaw1Gx z(}W#^Jj+Hja#F`L85S9=8aDFCbbd=g_w}Az&fW|pDb828i}D-V;l%O^2sz&b7Tx!Y zpXk;ujB!LmqAu?$;S+J@VR0;7gc;6O@NS69&Mt?CQfM3(Z7-~R_=;uuRqh>VRp*zw z6l$9XR>5qQ564lA*LP}~a)gJnz!~N!UT2igs&Y_%OLdPw@P4KUDZZ0fsImH+{^wxP z^M3p^HA-<+c@x$@(gc}4d#f-rt+`5D&jh)Pt~z;XUNMTXeI%wQ4az`)zAbWaCsM^8 zA-RN?z 
zKV!c_S1M2WNa!A_u^qXYVC7KvTsq^>Uf3BbkL4xL#N4`>4a>Lv757uGhR){mUGPmK zDb@8s<>=XOlL!)E5(#oelmnLcr#)0zqDr&oLwBdK$%o9Z<*~1d9b#Uqik=imiuCx1U1X`5Qc^JQnVE&h>S-wrGX4b_9e%-R!PoBMJy&|Y(C}k z#i6_Cae)(IyIXpDX-JKzjj8J+?lUU~)&=(O`LHMOzY4Z4%bE~GHlcYQubOG_fD^-7 zZYhrHcTAR>NSA%$7CP6k!U9zw(67P)!C!kF zO0+6Bi_weFR7hI&Q6ujSY7Q6LExN~fesQIWbxN3cz#TpCu$gI_#kd#z5_>09Ad^8! zNqOReE3cE&!?fR~YCN@;Eixp8g(Y2d{3Wj)dSWdRI&WFNRb%Q_P6u+=aUm&hY5SNf zj|s?@{7n&s^88XP9kvxdp|LydwBgHbO=d2nG4PpV*Mc`IrX0se__K!d1!kf@Ni14N z;-Bg3ewa01Em?C{ifFrdQ*gRtO|hhYx&GyAg=lqc2!`VNX01NXS9nC>y##+#Gc<#q z@ZVxG;OQYIUT3Fc+kC4(t6~2+ue#$H+48Nr#e3WBIBWMCayRJVxTqBgT|*7!3yH4p zYwpEJar(7sIh`cw$o@sj{>a!X$BW%Ae$pvfIQASwhzN)zp)}Lx9fH6@5UC3R_6WZS zJoZQ+#Qvrcz-{!HU<0hOX)_EwJejmFycxs#&Tmsx1N=?DgdmSVF4o{=9!&c$YuoE; ze4?a9M%9@y_Yp$EDOcF)GQrMguEPFoU-5!Sta)YkZKSUT2 z+KbVaogmV7U4sVlh21t|L?5)i0Ki@Gx)>Mzdr<}4zGOToBS;58{@@^(ry1S?Lz<@G z$Y6fCAzBGyrTG$;OFZCjXfp&kJ!8lVL6Y7$y3;Nl;-i}wVChF(@6jH{ z(dBpMaH7P$g3unat?0Mx__|j^Pt2Nc%sxQ`gGw+2LMM693I@=(q*o7G^WMKadz02Ln5T!z8K>qrTKWqIa#gkp=76l%PZUBVA(j@^39ze&bhLRaO|Mh~gI+@Mn z-jIg5&oD}ykhg}abi|jUFE*FyVvYM3OZe}08aE)gwAZ2SLysMEXK?EB%HDmp+5#Kk zWaln`tU^oy-T8g#;pk-)fR8rg1>-7BMz@FAS1x{E|8rp-)_nK_a))^}kR6Q$QDe2x z69|t9;kpsQzB5-z5r##(z7|3VquU=#Hhbu-?R{%xJd!RhC#^u0B4yS~T;$TJQ1MEU2!U`$?j>34V4PQ;@>N_8{}2JVA^k7{0Woz@z2kC)rNi&lYbpli(ggIDnv z8CR`+k^uYngxGK&`2OUoX~MDW#fCO;shZ+GO=^j?vLane_RaUS!9vz^h(UVt!Uf%a zZ*Xuh_xpDcko}K={dZZ{#-*h6k7RJadI5-XVS?BFRZMECgsv_TP;UTs zK=1&lc|c4;Vz$!43$Z^_T9B6)7#Iizs7F9`B|TsdLR8tTWcKxm0SJv!3$wf2%ncMg z$ji^Kuvy_NQl{qhxPsCJk7NL~67*{qc4x~;Akx^Za>~kH$`Gj6Si-mMO%=W}1;G5R zHy%jm2f`>Ic9t61Av~@QKG4!eL`S1FIPOAzvbSfFDTqr>#+k1&d))>E_SrTrk&=_g zMo0g3-0OJYuB@TD|ZS-DmT5^Xf5TzNYr8 zq+dJ;X-dPGT`q5g!d~{VqQHv`0?@(G$(i?m_QK2WbwJ`226)k*)>ZKL-7j~7K(bUI ztiN|3@R22tM*B}kzHh&I*xwyJCH_49PrsXZf75^Zol^aw6My>tSH4gQ4gn#ju5Nb4 z==Zo-%!AER^IO9J0tAqt6x?7xy0qVO-;*Kvf3XO9srkFd#GAir4NeiTo?UW(lRoqx zarCX4U41cs*pgz0x?)?VBL#VIt0X$-F3y@W#yUxv+D9KR)%mKe*qCMzJgRluz^0?Y z`3uFn@$MHfeh+837-{sP4FNL5^ax7S2ZuQXpQI1O#0e)*uuQFLIz1-EfNn%gk(JJ3 
zf34g+5VDZ%1x`dd$ed+h?Kcw#XlwE*ccPuaSuKDxe?Tb1h=(y>PL@v=$K-tq^o@`o zzy$+-NKWLJt^V)!-vzY4k?Fq@m;Mi4IQO9C`>%!ig<4zadyGP$uV+lRe+C@TX%_=N z)z$w%L*$#^p6wV0GIaIiNfLrVcO2Rnj#ccTd(JrKQ9AB5FUKH26KgE9h3V;Wuo7fB zEM{F$cGVP}b_%1&pD0eVT&z!QZ#=V8dZG0c<8Ri_OOA}Wli`$`mhuyzp@ zxfWYT8EYvr1xry-rjNBe79M6|tUrBM&ep*9fViK@QOWaHaar+KL|3O?_Qm-k6mVjS z=vfE5+adqCYLh+*w|pfPlOQPEN}yN!H7=(f27A=u=S8aM^-RbRAS&T^vu`+$PH)Ia z^WpDvPue9jJdf6pm$DXT?5|hztZ+e{+*mkOE`VxKYql(TXC0Mxur8>Kja|WYj#hdU zxjr(2pMrs}dU$v}QiPOPw_e{=p*TRZSs3o0`+0}!B$)s~i|oKIp^Sn*>KNq+yla&m zZaE%Ypx!ek;RV?>I#jgvaF}{3r4=uDDn~yrKcT=Dn^_S<2yX31q+jYRlFia{72M!6 zd;5p-0U%+qzego!HkRc2!Ah{byLSC~Az63!ro@3pTE;foR@{zlw0H%McXYKK^fS(C zGGVww3OlLSBkJ3taEfP&&i(06)-}7gWwv0EM3b7;!=qwO_BM*fm>#09*e*|CH4$!e z_cOfN1yZ??W2>g~1LJK%x~+ElNx;Zkh3k#z@_Z^kvK#*?nIfqf&qsG8Y|`x>{5g-_ zC$f;jN%s)UK3;)tGX4)4e#b0JM}IuT@i8zGL3Xu8SsDimT~HwnI;t@q-%ZW4%mmfO zC@DUQjcv}w6#LoyXtf+9(ZN9yczUS8$n?F#elnmk4^*8Jk{qWdrhV%zT^pBFgRiSu zx?Oc$QBM>Wgb@Xci7h$d&==-{c4U-v&%~s5%z4GgsvBslByS;-Fk_xdVE-j-Ha@Mp z!)}^ z9ee@JAbBpQti=R8a+LK_$=1Bt=73`E#jpRc!iV+^dqNcdS4Do=q)OBF9T+`8 zg(2c|WOXRm$&aMT$^x$v0>`Gx$H*9C)*2mdZhVk4h6UN)CfjPFA%Dw`LHamkAOr8J zIY%?(%sgS|_}w_s_;l-8&|VV9BnZ!P=!b%xC_G%ap?$4&;KLR5wMn8p+vBAJyT`Uc@PzL7Ex zwNfjgrVQq~d^}56G|>!4RAD{epM$*XC(Wj(Ch2*q;&)##gPQ)~x;w zex=gbg-KQ(+$spMLY46O6*YM@x!Nb_-W%# zobg;cc2<>t%McSFHUC^(0^^fbj@gS%=8am`@cD|6Yo_!Ar+eddeuzck1G?feug+kS zHjfG|%XdhiP@=jAaMci!H{ZwCbo=;Psx=={dxa(=?~p^Svh6g{waZtk!=~z?>puE` z#5&L7S9z);bohK?`ag%*9IGOHzfT9P(Jb$`(6XKGc_+1-ZP9twLiEKjua)=|$puND zNg}ExWDfW+Aw-#%j+4^)#V9$VmO%+K6EEtzMTVLso;bM^$O?;Mz;RSE-`cpX{f*`!p|RviD4^447<`-F@y#8>?e z9QhM}`k^rYel3l>IM@1WUaHej6k8-D>XM%jCp<#WVEH@pT?R((( zW-O%D^8%I5=@-p%b(b^WqH+&5jdbZ|w~c$OmU=j|0lkKb&uDKYpWah=R`T<-h2}#C zr16R~%m==r_L&PV%)jMTP9>cGb=Ti^6I&_Nf=hgIj||6BUUcL?FPuA{g$Fmx?2sx_13?#o`BSco7~596vB6Ne@Tf z^|cvO^mA;iZeMWK-o|A0E_LyuE_I%7h}f;DPz|+uKq`2YY}$O*jq za1j{_-ex;=ZB!v-yWH=IPtNrqefD032(y?Yo%^2!8zuL@1RLpXt!1h8O%xG-Ij>Na zmv6DsV9CubPOw=ON)9R-a8QEFL7oo|GR@0Rj}HeeFJ2yt;$WETCX${{7wW_vALq#U 
zYMcCvmK4B6^>!KjXqpldvt_w4mbT7!^>we^D&GlBbRb0TIn7j*>h@^Z3aOcw6}RNsrC~UEO>owSIRB- z!@@`Tmk0Jb?!UV7B0~QeKt%lRfWh|FO8x1K4sIEc>Y7vxj>!2*Xz&s+Qiwy7_QvC* z))FidR}YuiNBV41Fwx{BBIRJW6;fmb@gjEP<>q8~d9KIRsEe&&$wD7k#^$xDy z``&CyG0NYJ2=wJnV_2pc{LSze%k+w9huZtbD!kk^>uFpPrwo9w2YiKR_LD{l2RFM; zn9LD7!j$i0aH~0q(z`$3tG`PnL%4cwThE#TQk44KUv$A)#ic4EuLG#;Ixcr4F$ybH@+* zA>{fW{&wXD_Q4s%lO$uGBMyoR68S*UE3X{ z!gkNGg_@-uZX-SBGswJ)qUhhMVT?$TQzdD>(PK}BS$D|irH2k0ar_vCq}G+OVq|CAZk5igOXbsI z^**4nmS{r#(_Z4%kk3X|Q#mPgk{Q~sEoFlG65(8Ho9urx_dG^s|N4eOT%n_fjQcBN zhp!@!naKJbX(y@$HJTe%u^ljIx-JYnu7uAYX>108^P(K3d}T!`@uqcyYfO7Dlo_kc zhe9*c>n5rn96Ev?D%qmo-w#PHv>4cj8OUU&S`SWVh$@K99R_=yD{p&I=^mh>T-~J4=kIMM7AoubSPdMPQ zd(luMCVqWzVRn|%fpM0-aG|nCm<0XHau6dzXMQ@-=`%{eBsRETx46KB{)6y8q~!AN z-I7rVe_fu3KGG1k{0Ed`&aiTfQE?Tw;B;wA-RnU&!T*7BKP%9x8*G&Z-|~gAu!OZD z{ZH9Gm|_F@*u=AYJ|iL6(uWP88N386=0%`VQ?g3mM?l3tBC@v z5kUJ<4TPfS*4?a literal 0 HcmV?d00001 diff --git a/docs/resources/diagrams/plantuml/bl2-loading-sp.puml b/docs/resources/diagrams/plantuml/bl2-loading-sp.puml new file mode 100644 index 000000000..3cf7c3620 --- /dev/null +++ b/docs/resources/diagrams/plantuml/bl2-loading-sp.puml 
@@ -0,0 +1,44 @@
+/'
+ ' Copyright (c) 2020, ARM Limited and Contributors. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+@startuml
+participant bl1
+participant FIP
+
+bl1 -> FIP : read(FW_CONFIG)
+create FW_CONFIG
+bl1 -> FW_CONFIG : load
+
+bl1 -> FIP : read(bl2)
+create bl2
+bl1 -> bl2 : load
+bl1 --> bl2 : hand off (FW_CONFIG)
+
+bl2 -> FW_CONFIG : read_node(SPKs)
+loop for each spkg subnode
+ bl2 -> FW_CONFIG : read(UUID)
+ bl2 -> FW_CONFIG : read(load_address)
+ bl2 -> FIP : read(spkg@UUID)
+ create SPKG
+ bl2 -> SPKG : load
+end loop
+
+bl2 -> FW_CONFIG : read_node(TOS_FW_CONFIG)
+create TOS_FW_CONFIG
+bl2 -> TOS_FW_CONFIG : load
+
+bl2 -> FIP : read(bl32/SPMC)
+create SPMC
+bl2 -> SPMC : load
+
+bl2 -> FIP : read(bl31)
+create bl31
+bl2 -> bl31 : load
+bl2 --> bl31 : hand off (TOS_FW_CONFIG)
+
+bl31 --> SPMC : hand off (TOS_FW_CONFIG)
+
+@enduml
diff --git a/docs/resources/diagrams/plantuml/fip-secure-partitions.puml b/docs/resources/diagrams/plantuml/fip-secure-partitions.puml
new file mode 100644
index 000000000..40621dbed
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/fip-secure-partitions.puml
@@ -0,0 +1,122 @@
+/'
+ ' Copyright (c) 2020, ARM Limited and Contributors. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+@startuml
+
+folder SP_vendor_1 {
+ artifact sp_binary_1
+ artifact sp_manifest_1 [
+ sp_manifest_1
+ ===
+ UUID = xxx
+ load_address = 0xaaa
+ ...
+ ]
+}
+
+folder SP_vendor_2 {
+ artifact sp_binary_2
+ artifact sp_manifest_2 [
+ sp_manifest_2
+ ===
+ UUID = yyy
+ load_address = 0xbbb
+ ]
+}
+
+artifact config.json [
+ SP_LAYOUT.json
+ ===
+ path to sp_binary_1
+ path to sp_manifest_1
+ ---
+ path to sp_binary_2
+ path to sp_manifest_2
+ ---
+ ...
+]
+
+control sp_mk_generator
+
+artifact fconf_node [
+ fconf_sp.dts
+ ===
+ spkg_1 UUID
+ spkg_1 load_address
+ ---
+ spkg_2 UUID
+ spkg_2 load_address
+]
+
+artifact sp_gen [
+ sp_gen.mk
+ ===
+ FDT_SOURCE = ...
+ SPTOOL_ARGS = ...
+ FIP_ARG = ...
+]
+
+control dtc
+control sptool
+
+artifact FW_CONFIG
+
+artifact spkg_1 [
+ spkg_1.bin
+ ===
+ header
+ ---
+ manifest
+ ---
+ binary
+]
+
+artifact spkg_2 [
+ spkg_2.bin
+ ===
+ header
+ ---
+ manifest
+ ---
+ binary
+]
+
+control fiptool
+
+artifact fip [
+ fip.bin
+ ===
+ FW_CONFIG.dtb
+ ---
+ ...
+ ---
+ SPKG1
+ ---
+ SPKG2
+ ---
+ ...
+]
+
+config.json .up.> SP_vendor_1
+config.json .up.> SP_vendor_2
+config.json --> sp_mk_generator
+sp_mk_generator --> fconf_node
+sp_mk_generator --> sp_gen
+
+sp_gen --> sptool
+sptool --> spkg_1
+sptool --> spkg_2
+
+fconf_node -down-> dtc
+dtc --> FW_CONFIG
+
+sp_gen --> fiptool
+FW_CONFIG --> fiptool
+spkg_1 -down-> fiptool
+spkg_2 -down-> fiptool
+fiptool -down-> fip
+
+@enduml