From 58b827f97cbf8c425edd5a62450a570d026b9245 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:14:50 +0100 Subject: [PATCH 01/17] Expand DEMO_MODE to cover all fastboot commands --- device-provisioner/provisioner.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/device-provisioner/provisioner.sh b/device-provisioner/provisioner.sh index 082d6e0..d1da29f 100755 --- a/device-provisioner/provisioner.sh +++ b/device-provisioner/provisioner.sh @@ -164,7 +164,7 @@ check_command_exists grep check_command_exists sfdisk get_variable() { - fastboot getvar "$1" 2>&1 | grep -oP "${1}"': \K.*' + [ -z "${DEMO_MODE_ONLY}" ] && fastboot getvar "$1" 2>&1 | grep -oP "${1}"': \K.*' } RPI_DEVICE_FAMILY=$(check_pidevice_generation "${RPI_DEVICE_FAMILY}") @@ -219,7 +219,7 @@ ${OPENSSL} dgst -sign $(get_signing_directives) -sha256 "${RPI_SB_WORKDIR}"/boot announce_stop "Finding/generating fastboot image" announce_start "Starting fastboot" -rpiboot -v -d "${RPI_SB_WORKDIR}" -i "${TARGET_DEVICE_SERIAL}" +[ -z "${DEMO_MODE_ONLY}" ] && rpiboot -v -d "${RPI_SB_WORKDIR}" -i "${TARGET_DEVICE_SERIAL}" announce_stop "Starting fastboot" announce_start "Selecting and interrogating device" @@ -468,7 +468,7 @@ fi announce_stop "Cleaning up" announce_start "Set LED status" -fastboot oem led PWR 0 +[ -z "${DEMO_MODE_ONLY}" ] && fastboot oem led PWR 0 announce_stop "Set LED status" mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/ From 87d36767cb3c5fb826c020a075f90698010c336f Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:15:26 +0100 Subject: [PATCH 02/17] postinst: Shellcheck fixes --- debian/postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/postinst b/debian/postinst index 3ecbe98..8c18651 100755 --- a/debian/postinst +++ b/debian/postinst @@ -1,6 +1,6 @@ #!/bin/bash -if [ ! $(getent group rpi-sb-provisioner) ]; then +if [ ! "$(getent group rpi-sb-provisioner)" ]; then groupadd rpi-sb-provisioner else echo "Group rpi-sb-provisioner already exists" From c12207a469f1e660329dbc3f36b5e2e9c91d027f Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:15:50 +0100 Subject: [PATCH 03/17] copyright: Put the correct license in place --- debian/copyright | 202 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 199 insertions(+), 3 deletions(-) diff --git a/debian/copyright b/debian/copyright index 0d35612..261eeb9 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,5 +1,201 @@ -Copyright (c) 2020, Ben Benson + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ -Some rights reserved. + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION -**TODO** Copy main project's license file here. + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. From 1728aa34f1fa0d20c8ee13e4c9cc0b7bf2f3e5e6 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:20:34 +0100 Subject: [PATCH 04/17] postinst: Formatting --- debian/postinst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/postinst b/debian/postinst index 8c18651..d1467e6 100755 --- a/debian/postinst +++ b/debian/postinst @@ -3,21 +3,21 @@ if [ ! "$(getent group rpi-sb-provisioner)" ]; then groupadd rpi-sb-provisioner else - echo "Group rpi-sb-provisioner already exists" + echo "Group rpi-sb-provisioner already exists" fi if id -nGz "pi" | grep -qzxF "rpi-sb-provisioner" then - echo User \`pi\' already belongs to group \`rpi-sb-provisioner\' + echo User \`pi\' already belongs to group \`rpi-sb-provisioner\' else - usermod --append --groups rpi-sb-provisioner pi + usermod --append --groups rpi-sb-provisioner pi fi if id -nGz "root" | grep -qzxF "rpi-sb-provisioner" then - echo User \`root\' already belongs to group \`rpi-sb-provisioner\' + echo User \`root\' already belongs to group \`rpi-sb-provisioner\' else - usermod --append --groups rpi-sb-provisioner root + usermod --append --groups rpi-sb-provisioner root fi if [ -d "/etc/rpi-sb-provisioner/" ]; then @@ -29,7 +29,7 @@ fi if ! [ -f /etc/rpi-sb-provisioner/config ]; then touch /etc/rpi-sb-provisioner/config else - echo "Config file already exists" + echo "Config file already exists" fi chown :rpi-sb-provisioner /etc/rpi-sb-provisioner/config From fa06dd7e74cffd46e76335b5be30437e51eed490 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:23:32 +0100 Subject: [PATCH 05/17] SECURITY: Supporting 1.0.3, prune .1, .2 --- SECURITY.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 3d83cfb..c4a6799 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,9 @@ Only listed versions receive active support, and $HEAD may be changed at any tim | Version | Supported | | ------- | ------------------ | -| 1.0.1 | :white_check_mark: | +| 1.0.3 | :white_check_mark: | +| 1.0.2 | | +| 1.0.1 | | ## Reporting a Vulnerability From 365b093ff7feced03e75ace20058ea30e2b9aa4b Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 5 Sep 2024 16:26:27 +0100 Subject: [PATCH 06/17] debian/changes: 1.0.3 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 325bcb9..e841aa9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +rpi-sb-provisioner (1.0.3) unstable; urgency=medium + + * Demo mode: Expand coverage to all Fastboot commands + * Copyright: Correct license + * Config: Prefix DEVICE_SERIAL_STORE with RPI to match docs + + -- Tom Dewey Thu, 05 Sep 2024 18:57:00 +0000 + rpi-sb-provisioner (1.0.2) UNRELEASED; urgency=low * rpi-sb-provisioner: Changed Debian Packaging From 73fee1a9767b68ad86992a70c88113039ee48ef1 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 14:46:39 +0100 Subject: [PATCH 07/17] provisioner: Shellcheck fixes --- device-provisioner/provisioner.sh | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/device-provisioner/provisioner.sh b/device-provisioner/provisioner.sh index d1da29f..fcec637 100755 --- a/device-provisioner/provisioner.sh +++ b/device-provisioner/provisioner.sh @@ -89,8 +89,8 @@ unmount_image() { } cleanup() { - mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/ - echo "PROVISIONER-EXITED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress + mkdir -p /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/ + echo "PROVISIONER-EXITED" >> /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/progress unmount_image "${COPY_OS_COMBINED_FILE}" if [ -d "${TMP_DIR}" ]; then rm -rf "${TMP_DIR}" @@ -279,7 +279,9 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img" BOOT_DEV="${LOOP_DEV}"p1 ROOT_DEV="${LOOP_DEV}"p2 + # shellcheck disable=SC2086 mkdir -p "${TMP_DIR}"/rpi-boot-img-mount ${DEBUG} + # shellcheck disable=SC2086 mkdir -p "${TMP_DIR}"/rpi-rootfs-img-mount ${DEBUG} # OS Images are, by convention, packed as a MBR whole-disk file, @@ -289,7 +291,9 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img" # Note that this mechanism is _assuming_ Linux. We may revise that in the future, but # to do so would require a concrete support commitment from the vendor - and Raspberry Pi only # support Linux. + # shellcheck disable=SC2086 mount -t vfat "${BOOT_DEV}" "${TMP_DIR}"/rpi-boot-img-mount ${DEBUG} + # shellcheck disable=SC2086 mount -t ext4 "${ROOT_DEV}" "${TMP_DIR}"/rpi-rootfs-img-mount ${DEBUG} announce_stop "OS Image Mounting" @@ -305,11 +309,15 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img" augment_initramfs() { local initramfs_compressed_file=$(check_file_is_expected "$1" "") + # shellcheck disable=SC2086 mkdir -p "${TMP_DIR}"/initramfs ${DEBUG} + # shellcheck disable=SC2086 zstd --rm -f -d "${initramfs_compressed_file}" -o "${TMP_DIR}"/initramfs.cpio ${DEBUG} local ROOTFS_MOUNT=$(realpath "${TMP_DIR}"/rpi-rootfs-img-mount) pushd "${TMP_DIR}"/initramfs + # shellcheck disable=SC2086 cpio -id < ../initramfs.cpio ${DEBUG} + # shellcheck disable=SC2086 rm ../initramfs.cpio ${DEBUG} # Insert required kernel modules @@ -456,11 +464,14 @@ announce_stop "Writing OS images" announce_start "Cleaning up" [ -d "${TMP_DIR}/rpi-boot-img-mount" ] && umount "${TMP_DIR}"/rpi-boot-img-mount [ -d "${TMP_DIR}/rpi-rootfs-img-mount" ] && umount "${TMP_DIR}"/rpi-rootfs-img-mount +# shellcheck disable=SC2086 unmount_image "${COPY_OS_COMBINED_FILE}" ${DEBUG} # We also delete the temporary directory - preserving the cached generated asset +# shellcheck disable=SC2086 rm -rf "${TMP_DIR}" ${DEBUG} if [ -n "${DELETE_PRIVATE_TMPDIR}" ]; then announce_start "Deleting customised intermediates" + # shellcheck disable=SC2086 rm -rf "${DELETE_PRIVATE_TMPDIR}" ${DEBUG} DELETE_PRIVATE_TMPDIR= announce_stop "Deleting customised intermediates" @@ -471,7 +482,7 @@ announce_start "Set LED status" [ -z "${DEMO_MODE_ONLY}" ] && fastboot oem led PWR 0 announce_stop "Set LED status" -mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/ -echo "PROVISIONER-FINISHED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress +mkdir -p /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/ +echo "PROVISIONER-FINISHED" >> /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/progress echo "Provisioning completed. Remove the device from this machine." From d2c23e5d3f7a48db19bae311ecb3d0b7a86405ab Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:09:35 +0100 Subject: [PATCH 08/17] Remove 2711 recovery.bin --- host-support/recovery.bin | Bin 97524 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100755 host-support/recovery.bin diff --git a/host-support/recovery.bin b/host-support/recovery.bin deleted file mode 100755 index c762ef7cff8f7f4409835e7309809d2f69c05305..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 97524 zcmeFZdtg=7ojPH@*o28 z*e40d%gzC@wXKtc4QMP*Z_ptVs8*`9Pzsk=Ux|6Sk=E_cN-~LZ!G`wW3lU3mn!wvyHluZ zeG1Y!>(`dX+m-s*zsVU>w2*~-vrUtt)c?pP)pyxOF3RQ&S*?#n5+nuy~efiftPmS~(yIYK4 z-MzZJV0kRsrY@h7)aSMNjcf_`W~}$6E>A5jC>>8dfbrgmjMqxVc=1%G5+f{Gk?IfI zl=^SkjCAy(JTIlBqEuoV$e0rD=?Z642W?U|5Y)L_so(ZDYgJ?a<~k|$=D#Tw?cWN2 zvqqCr!darBe*fK8N;ilx1y8=V`y==p#B_YI7>_Ntk1 z(!C`?SIm@LCxmQ}@wD!B6sjyeQrgQTX1Y!sWUm%Fbib8pq3DfuxpjGU`E><#g?01m z7St_Fzh+fQR{FJs$kP^i&WJo6k!Nz`nI3u0#C@G z=AIP&vNN95EYd=EM+Jw8-O8Ht$sV>q3mK>H$j4ZVT)@wwA{e<*6h{T-8AxJZnlJ3v* zmA-V+t0=*EZn|~@>l?>h$RW%TNtrY=uX0wA%`Q{$3+_-(D!}$@*HJGu@-(A7;AG@c zml@?!UoMe?3U?}G^atT^SPNY>q#|#JU2@56ObIq>p)aclYf|=gPYs_^jAOUYhr^#G z8nvn1FgAks;^^XmW#ou0s7ns-z`f*vP19uuMV@N2vS>TOj#4t;>Q*{*#o?)UV4mDW zf}e6@qKT(;A`ft*wfpmPqIPrbAS zG%mMni^Yl4C;pvO%&cX3qW}9dy3P=D=NS@X&=OXfM$1zqvcK1qHnjmydkG(LOl>IU zBQ}HfhgF;_X$HF?ILZlgVueAUFy2YMuu#HmKYuhpt1!wGLjbwJYRReeDkkbr?x?4O zgVuOkO~%NDWa4!fyGk;&(3SnQ8Ef6{Yb)~!ugXZsNWNBqH;1ye#8F&cvcQp2=SWZ4 zo+19G)Di7$A)q#9R3;}_)~3W~SEO1!YtrI!HV~3Qk~a`TMsY^Gh0bRj z0GOIaGc&cpXdB8%$(Y)3z!r7TI((QI z&6Y`+*Xo^iGqc#!nAx7ljP?Si*tO8w)tnA8xj!58tHhCZGBJ}?imk!GEoF)=f#vSm zKfG>Jdc!ErD=Au1ekZ?VkJ?aKu0(3Zv$cB)8;Z+GBt^in${MoD&3nF0&E+OuLE6hX zW+!@fDXEct&WP;sq@elrSjOqeJzD55GAJX~O>J;HhYLDwlY*w#$#pteAr^a7&@?3V z_r?qs8tkP1vY8hS&h~yleKBNzl6<}QfJBB0<1zE$ym(t#LzFF{ij1C62)URyh%tY# zGgUG6I|%_BBIHtDyPb@_C=t?PAIFbihBd?55VB2kYBZLangpD`k~@YgibUF9u7zHa z1y%f)ieN^g9p{Bkqs@^vM{V)Wp}~~}0n~f9pWN`E?ttt>-RCNrGg|CQhPVDC^8jD| zGb|5zt)yF*CGwmynf_y9B1TDDYoeEdhf)34(dOayUgXVu_%a<}GSfmwWs#otuvuHf zXE1ZeDG>Fpp_BU}_Q^_RLB^oy?KI5&-DjIKUrOBo)lqy{U#)}W_w5EykTDEF!B@XO% zM{(uKtObs&9VuCbI~>0I)cnH;$C3@ ze~=m+wrBN1YGz%@h6t|V`~ueoB@I{~$EMi5IQ^ho^vZ=w67Koo7b0J9XmQ?Om!{aY zbY;1j4;sERBZXbLkVVd*u13Q>-~FO9S#x!`m7wu2Qhx(c>{5Rt+B~r9fagF?fVvbQ z7&)a_Xvl4&X`s9$IDt#*pAb zy9olWYi)4W5!RclhFQuhjRQuh*LFq(Up z8iGkB&*_C(Dr1{O| zTktE`&2_P}O{_C*D(y=7Utu2KHL)9i19N2U|Ks*Icj+@S#l9afi(UE#%#oTe-_`(g z3+VvNhj-rD8OUdmojH~YiA+!&;F5_++7$j|h9~36v}38AE1XNEpoIg9GBbR-6G z#eO2aI5Nud2reWGTqp}cX9)Kkza7Fj_2f9lxqs)kJ>Lcfxc@KL#=*Y1GSR>h(!Jr) zaoqlYV{OX+W^K0p->gkxWNq3aYjb(Py z=xs3D;$EYFb z^)&w{Gn?$HpCr zx1wa=^u${Cx_TwMG4o7B7F}W~R+V6wLk3`w?{P**UjXO%*k6@C8z~-0CMLem73_^=wI^DxRR;tmEq!;u3@je zv)62Xd9XO9dgWTGaFrI9e{}eh6n6ispj_K?*m{0Xe=8q14zQSlfgEueV z7b6|ME#Mn-%m@CllV^88iV=9I(tk^YgsN|(mh&2EpG^8F=*TDgB>a_WNCjuy_oPaK z#XJiXVNypRn*k^>ay#gDXT=cz zG)B7jl4DM#pUB5uTIk7*q~63|F_Q1Ml0dpKGP2^#Vrv&Rr^h9)S=^HDbo+Q^(dv7i z#Ccjk)-DQ6)-c`+kCN{DNJzbM;YEz~+r1>XkXx?3okzG9l9rM~)HD(GX6i@iPkz%p%x#E!4d_uz+Yk;l=D2ZJn%)zWoFtaZGTr(Ncn$Y-VZpjBC-* z6cSkSH7ov-(LbP0^DHfNaC?G1kU@fz(9erCf%!!H1Aj_QIom}78F4H~TPDl>4-+jk zxt)xDY#@01WjmwmA@xh7vHg)+oO9Ar^+?Uu)@_kJw_v}q>te_A+Vh`^HU_5*X}YzH z1Pl2Im!iMrXvL0PcC_TD*-zRp6zbV^CZ{X zm(&yf3i-AzggG53CBYaT0_@vL19{@_*3v+J3i!YoeK$4OMV+=%A$h7)V4n%F)VM!O z^g5TgrutGEjlt=BJK&l=l*OdcK7$0Fv77qc)y^7MiZj&}aQXPkBH7eIYq8!#8tE>> ztTR_`229fiYurKFnvtxBY}Kw@7RYd)Jxcse*V%*MC%dWK&rtW#?Q>B#Y8di%|00~j z$|5cFllElfxi8kZvRJiKj9BZ=Ee*^{@UM1y=>0B3lWO{8pK-M0C?QoCcLru@;mxzi zC`FDII@e~f3yg^?oo^L97_t_N9=nNiK51+>PF@r5@%v{27>6KkLBQc!C+kZ!_as$2`b zvmpR&x~ihR5SlJdw^)Z&ZTF$CKU~Ba(B9|L=sSlA=|Fznk~{0B9uZ^OCf2Q>jf~b~ zoO>Y~$5GX}cM#)ELcej5*?G4My(4i2kQ_AA1nQp#jNFl>YUV$wn*9dsWGiOdWnIgX zwW-_@O`!1#+ng5qb(@e_>b{VuGWs$Y1;cJ>p)XpeqQ9}_jdn#}m!)7OP6NkJqem@t zxplnd`AEwpVV817u~Cz=Y+wL&RuLV!TVOVpmD`esa#;mfPxVaTl*>OL4m5{kbJxpVO0KFB_;LB(#E* z4SXA7TodW1meJow=KfNNMDO%-vXum@xq|`6vszQOyHAx=x^jJ$o@VDsU+m`Q-0Al5 zvT61tlOO<7m3~Io4R>>?!N8| zVTm~)A&b>aX`2cxT=``<3<`qu#x~eim#4tOIGviE8Fcx;38Ly73+LFD4{Rb+Z6)V_ z9X1>?yiU5i$!YQ}^8LuqgTI^bn~b0MH<_45Z+#IC2e7wo*xLZrX*J-Aoml4%5xrY5@kipucs-4Oa2bUS@=sOCJp@$#0R;5Z> z3`fbK=n`dgB`_#Jy-Y{hf3%R`y<9-B>kBgadyHTJPF-5Y@cf{abW@^5lVJMbo&HOs z{7(6Zn;X$Ta5vI_XDf3Tv;7%zzn?htP_~!ny|VIkVFkyG}nz~ z1J%TA(?ZS5GElE^S-ahzVH$12{sgdsVt<8p_Xy@Tox5=+1Pst7TE%)6x5U^DOcUn> zd4;WFXIn5Tb{6TTR<~jRWh;&zgPqMhNHfMM+0|`LN){w6GDbW?ijn(I5YnAnB=;2( z=iFXJ0>?3p6?!qjF*OGi8Y7ji67ouF-wombJ?>M~pA?cK>OUr$$4;ORqF-D`f_L*) zckw`%B6DSiGDGg~QhWmkK@!TJAAIDl%Sw_5Z+0#tfAi zM$E8z-uA^3YD@iD+r5!oN#qtuV{c)FVEILv&=lzal|g5*r8W` zkt6qiLXIzfaq(2A5%rDzeN{^au4CPduq{l@E=f0NCXSt6DRwe2TY(+rx z7Ks_qfzOE;;d2sL6g@VA(K&YTA9fMV&8LhVg`5a(s@=_pqZMsBpWJD?$SJS@5?{ia zk%f4V@VJk5M$>4FHWV$_ujGU5ZvVah=-~UjQXV{hZf^yL0w^2FC37Dqa{;NH?UYdjjT(T*nVARPLtHH5m3MiEp&SY>^LG^(?agUf7`1stm!7_0%GgW5v41N1@WTC)0d!=94pO<_h4wkC1+I*s=0eED zwuzD=tQF*;UC-(b3!=v=u~W0IX^>du{(qK?V{f6aH4CQOHT}kd@zmN`$hT^Q z?=_QP65a<_m>CJi;qCki5}bm+7w}hL!_W!=Ij{nM6`sg`viSHs8M3l+?I2cJLEekN z{2AkYq2{GbA@RSs_{E|wmFQ6Oktg9?IYj(s0kiUl8WdiD&z)?Kx?XhJ@6k3ObIy zwa|YX{i^80sUNil0ioRQA!*Pl(!epa(ECj;*w(G=vqY)?BGQ{yn5mUX{Z<*a<`pJN zBD&s_rK#Ww5>3PE@N@4;vH_ghYz5xW1RpwAXc%275fXp|r7-jnm~VB04*OQEs`UC+ zF4_NV9j=6?%ZgfYt&p-mo$k#)>nuEgnr3lq1}8;Pb~VlD@7?0;WHw?=FjD z&*?kLC@)#+($9%qf%jGm%~}+qT4;|kO+Q^G%Eb!bU0P=svVz6Ad|*8>Vh;`AUU8+V z_Giy&l6ka4CZxs{pa=CG4lOh%z+4^BlI7r}*ZRA2t#*NH3O;9R zMeb*fMEjU0W5v7!rNrzMyfV=iJyQz0KN4+!(MU#pKq4(f0(aTH0}nt?Vwlq>ycu|q zMWXEi>O{SsCZZqAzLS4H>bskS#QL)(PViwH_;4yM8^|Hh;0j6TUNRjrW7F6PRT%}F z!8&&ch#as3HZGdE0Laeqjz)6m+CU>Nia8D6rT4;_< zLYF$O%9=4EljMdK$Qh@=sRch>)fDde{a->BU{8!gKe!D0s%wRE|6KBv>ejV%VKMkc zW12mrnnu?^#_6Dt1+b1{4YmNLyEyi0mGk^9?9z?}LW&YKu*)c$jPc+h!AgA^St+o4 z%-p-gjhQDv8!)qyf#qW6G}jh0vm^q)pE%Gav5AZxgyf-xRs;GCq-0<%=2l74fK8^+ zKJ*5CaRL$z^<5ZkDR0JcI10nfnf-vr zSRLQ-#nK8$#*oAsMNbzV5i`78BJ}h#@WH4~F*|e6@CoV8klsD_PhsVd;TNRaC!Hdb zNRed2?>v4SKk@Gdkyu1NMqf{1-MS*u=^KrtJ5z#QN1xSqUxx zyrTf;M=tyn`~P97G8zpW5niqq^#8ykL>q-9{YzqEXD*pmb?FAk4Thm*f ziM)6h#*9%Q5jf7Dh(MVRC_M}MoxSUlc0<&=e{mLQTORt) zg}kt@J2gBZ4@WTWnMXt)cPmD{j~bu2D>6owD+QQk)L)`0XI~()4xg6GrT42@5sY1j zSx-T4j=u_M!(S?+KN7ewG3OsNxS-R9mTB~a`s^inm7o!p(GY61M6}B9HAFZx_41N} zaL?dviE4Db$Ch6*Yjjr}N@po%>vOY3D+;j9c z8C`&ruZ5OA5^eX-k+n&@YF@k_XWCblU!523dF*zwB35X8EE~r9j8~`l=R5)qEGVs@ z;c5i>u#a??5=HOI=I6Kstb}9(zffU-W&_JIuwKfj5BiIsX0V=a6Hv>j4Vs=B?pb;} z%??f8=9w)86E8y|kBOgQoJacaAxr#~QSzavijog*!9QlaJH>zF=q+xr53-Y}KXPF@ zpg-0wsNxT{kfm81e-MVWs??# zweJP=2B{ZbLedQ>U7a-gZS>Sje;nBZKYIV(wsEV%M?};4GNNtbNDq?k4@k6rd)bcE zX4n4nL~e7hTVXh~yd?Ty8Jj%%GZlVMaEa;sTe^jfT*#N-NS|UVhMapZU%q9g=~o%^ zO!t`HnDwj7Ri+Z%1esT551SD6)IOJ4`Q#=^CmN@66?}}a*20>QHV-H11?N+I>m%p$pZ9Lq|%QlaZH8x;r8e zk6b8`hEfkgOA01K_D&g2yO@3{1M>IzLagZZ?N=_`CY*LKSXSFwoWcUJKY7W3MyAi` zOer29^0XPnNW~`&LoeJ&VvZc6Ms)=5WulzwS>Cy0+)UvF1DjYtGeD0{J@DxXm-$-V3_t$1Z50f3GLO zoJdc8duoK|Bc%pne)}L$6?>@sBLU(**T|m>n*+v{Ll2kXY@&bWg&e=;-1V@hjYTKQ*^CCjjbCVr6?< zP8;lAM;$`qjT3elXgp)}y|8##xdJ$ZMbU^hl54e3@)+$xUe`j`2ss}j;@yYyb2ML! z^xdt3O8)>caFLiJ*iWv4R;4Z+K`rMj*KEjGQmP)kz^VLDu|TR%;Kcm=^9q5VIwp?G ziHPa3Te%@^6IIzHR?dsxxJ)G;-viSsYLO%Ld>4}%NN5RJ%6)H$k^r5;+EC)>2cDOS zkMG+Qh_pyu(MDb$EGr;K?&FW6B=L!YoEA6mFviL{5k45{4ZawO#^>#Yv#m6^7v)2Q!*($f2U-?3Gx z-pJciw(TyztJPh?jfsYXaVrDPDrW`o^V@l~@O@PH0v;!z{&7(qdh9Q%$MYYGM2iNy z?7BGUODyIFv*00y;G|*6d6n-@RFVzM>5I1*a%C6dC=-pI@d%~;s)$iq5*hWFt;5yn z_Ht9AbTDS6=4_@8pC7Y%Ft5v1XT~dcq)`S+UXb+$oQ-%ST0(<&6JjP@N@JzKRxsof}FCxe!kHIY+R4PQ9QnWE# z7i*$0gGI_#JW8&ND698)iTTo?*PO8TDz7jrw6ff__gzp*iTcWO_Fm~HlDpiycch;f zvdb&>S`i`nyrNzwd9MN?~ zW;{IQQrGa3d0ih8%hP*HT!w~N+v+tNsS~Y)r#|{{H1{}vUF!Ql>zauuAS2sipX#rL zoNMOM^-=sw_!!TTf5vH9PK?)y`t;tl&L;zFvn!lgh;xBWaMIIzCH136Og4jhTKJI5 z3>G>4W2BYzQ<1b%C|{?j<&4xyo~V^-m=lRan-KbLaB?N&rid@y}zcy-Lh;gT3{<1ve`@m%A_2eU7Akh#j-yXU4*UYw>6Nd?a2 zOT%9C=wn7-%3k9WQLso7>(hI4R5zmf{(SUv9#Vh7&J2-)%K35js$_9WuH8knguy5l zWv@=gs-U*4dMrfE%C4FJcwR6C`x4`A7(^6y6q{s!t-)aXyS(oqdh9>&_N}}hVCQ;i z26U&>iYa1Gt)F9HHH$5XF{_>v9JVZ7=8rG0UL2*(=CCUJUL7oXAdxNKMS!E};MEr? z9ekOZIVI`!;#r2gOObS4B)uc@Gzb5K%MpvGtiAKf$b~5+2*|%h@3SW>_cgX|4+NT8 z+Q9b&4|O!P)YP^(Qg%e*8WCY|!?CxQZOMWC0(QJD+0JqM3*?+Cm!uVfvNw2*!ED~8 zKTLt=^$Pcr_}n;n=At<{|1g0ThJEW=TIGs$SuHc*ON$=-I{&*%{VumF%VI@j9kj0@ zt1Heep_LYz7pQS9aZ}KV=gtZ(KntCzbSZ+eg?o5J%m4ez0DM2zEC+OJl~TTOsTm_Z zy!6V2FC~$JC$GtLo=ULx!>i7U9J=OZ_prsJo5AvTr_QP-;b-4c6rch7l?$&VPqn`2(?Un%c1}k+SQc{rzi5WQ14UJdwL?Bj`W|9K01+hAbkz#-ifpg>E9zA zm`Gcj2<%~AGR^jN8&d=#=&IgHfN1$d&A&q5H*>_Jdf6h zzK6r5L~}yxzLWmvQn~LY_Sdmo!VIbwGq`8-c-0(9^Kd_|5X|E>^9;aSSXaD?md>{< zOapvBBccbLg?noMKw#6h^e>L&9K#N82TZ?@j382tjaL8o$OlT5zV}Gha>B$~?d#UU z39M$}1SE({L|lYt%Yx_hSi}s$TuK64v+&Et&x2nMez~OjkzD-E!{0p8*wk1H+Jkh~ zqvL;bGR0riX&q1JW@X_8^&@{FB#NU!{7qFYHFJc92tP97tPRp-w-ra;0uo^k*&1b&|b zOKRcHNQ(=oVM2|>BOk9)>`$lE`82GuM79LBHi@;`+6W!4rgkDy*aSOUxaWb}2P^@X zsWThenUzWhZ@&^Gh7`+`_`4jlG}uvLnW~9_bSmERYoaFJmev?2-kMh6T+;*U!xQQF zl{+Thez>A_;;k^R(e6@u>kT&JOcGRoZe=Dr(Z2j8(Qc237$zYZn3!oY=*pq#JR#bk zC30BcXmK=R#Yc(<_7Y`g=VXK32piG<$u@str@1UXTB$GLkE?&OJ=-grU5be97WZ3t z73TC;c%FS%z^9<*Hc5|>JtsdPe@y#nb9Mlc;7Z>K#M~=ED+irgBEwGZ$7(-Z1UnsM z-3v2f5rcmM(f5dpR&PW&)FGREU0Zi!uX~o#KtQ==#JUTZ&11jL#~3|thgFu!nxiF6 z_-Xo(Co#=8u2Id%KG^`g=BCm1zY?NE%JV%`m$R}gOZ4chylgErosuV_2MuG_ z(YDm%Lz&OwMVU7n>xOxeYZWUclrIfef7Fs?dwJ%w^vrBTnCi1|SM6Bs&i9V)d1X6#XKbhDNJ(E>Lh{`#^t%Elx zHvvcfWxAJ}3#_UZ`a9TwAbHOi&+nZsVsOyQPfnB15^;win8(LyO!h+AU<4)UBan#u zULeK8OA_6E{Uq2}%%0=Mv_3A`ca*F3r}=)zN%##<4tA+fTM(A|FeLt7A)j$(0Y-&B zod>T8UoV0r9SdisGf=rRKWQtv)F@>2-Z5YLh#oz^6U|x~aXrO16*3JAOTm z=ue9DC!s$LryNCO&>nJKb6fXH$s$^uY>;5p`F@p{VZUoSO{ErQI;hg;Tq-ji zvTSUjLZ_NHe}{c4n{4+}wbNQQ;5_BjdexY&Ue!*5e_m^3>wPxA>CnfUwj%B<1@!l{ z5=C`qA|1IOk~LC4Bo@Rb%S=6PyM&?&=fZJ}gz zIZ&Xg^vXpUcQ6huv}h{-y58SyfmJbdt#A|Idbg0-*VINu9M*^A;0gZ((g=9Z+L3ma^U0}2$uCebZF*Eo#;OR+GM&Kh9Tw&$^$qpit-F(7~ZObZa#Rhdul2;a*Uzu!>A#3uvaUYLh9fG1?5el&%vP$Y2qa zW+x50gujtHtv=dM!crZ)Vsi#vU1h`0cwh3VTlVx*x9#TO431kyeu-Yj&RzU+$aR?x z;_c}#MKr3{WYV%xo?ER_6|&zEItO_3O2JyJ+e_en8*n%7SALWQZ=%-E{4$m5e(jmY zE(0HaGKaf}c7paI+J#Mg4<_d5(i7Q0V8B=6FdLKW-*gVoOCY%9^N4EV{D7E+dKaFSR5j< zV>R}vQ^S#{j5aJo|Q?Ke^87qiE(GnA>8^nyjQiNR|DVI z9S8$f>C)iJRmR|dA>9`qx$rHF@&&AWhJyy2P~4@1Enb{Y1J36^&WDAhUIkvt5eyZP zG5fm9!&=C+MWy??%h0|B?a#~~#Lk3!KKbI#4!weSFzIL%PQ_-FKQ%v|xq-hAVZFXZ z${6f!^D~jY54bxQxG99-SprG%-x5R*e0}B#d7uT}lCNmMS9mPk;CIkC;uD{9he+I4 zQR1y!QX=~DL3kE{3D7IYOaBKli}E`q{~J^ml2{~WsyY?-SvfbJzFX0Z9NxXn!e;ns zm6?K$EkKwV@?L24rwZRM;;1A3*Ts!hsbkTWUr2_^}ceUPyX~Gg~-__5rHkRw}oG)@M4Kz~5k7yDn1KKg2T* zHI{B{ibz`{7s@d9t!*SCC2678iota?ZEvzGIgspeyWZt{?QW05HNy9p9Uf=8B&;lv z`*bfBGm0Cf^@KS<_XVvTxuAl_i1*-GGa*ch=#a>v`*pKwM2eEhHk_Y%r;+Z^P3lOm z98(O7*(tn_M}R!8o6AhhMz`Pu??Y`(Hn28x7dJDRU;*wcB;hC(Tk?fPB)amzH7GbPVo7Bjup5G z3;VLMPC3WTd4+iec?efUL~+I zWeSU@@T~daOPP-GCD_}K7E)eW;M8vv2rW+7+LvX*rpkO(pgfs~t~L_nRc~?vcjo79 zwkvKqS#o(w$SkMN>WkbWrPHVrnqs);bXcb2(y2laYeES#=7+Nm~q@QCPg^UF?H~dlp194jb#ljwHA}neDEt7v;2o)1k9MQ|UB+>T(nB zh&A~%?5mqh+br&cwWtPNqb_(LMD)*gCqYWwD`<92L+zj?6|q1;)E{{W(FKuR=zUm7 zx9z#bkvJvc;f;(Oj2V*j{vrt&(CRelFBJJx6yW^J)gK8A!1@H#DyOV}SQPGg`6g_l zkh#dH2R&9gYw}^ecvz!SzwlY~Vy8cO7@09O)tYYH) zXrzMl@$;B_$U1+=LP%ymd6gVEuOYp!zyYk&&Yv?kEjmW$0H-^E8*kri$<)rjYCc9M zv2f3uH*04{G2;`7oMozY7S^VQe2w!4=)EhhqVCX5mib4Yms`v~ueRmc^Q&i1KXPN$ zY<*+h)eF;zVe|!=kjwNt2#B$`R3g7D^~m7Ty(;1hE0+>-nI4O zPY1@jc5_*}BE%*X4er5Q=h(ZV?`i+Tz zDj9Z|XO+9)FUqC1&y)avZ-)_!SU9M2&z1F>^FczloI#QGK(PMz91m~7?FGZ^a z&%W+|36Ib1-3Oyb|2+~7B<3div0`>_;CwD20_xLFgEouzy23q=e|%?k&LkTUDq3C2k(!DhJ3jzV zIhI+xBA~|mvrC9e3f7HNdQBZZ?|iCYAo*BfD){)h$sf$X3iNgv-Ex4PhszZY0B43))kS`V`1!n_E~k(qx-tQ9d-crKW`wTZ$oc@HQ_-a6&tbQBGyS9-aBd`jYK+} zMxbDaMg=YNxm2-6BdNq(|kvxIR+@UOUuj`1EvJnZ2t)efm1Wg9jyxA4a}ack)=M9t2kwV)m%_StxF`K$Yhap}^f z_uy9mYxoHfX-UF8uYCbXaqHWSSOzls3&4uA2T9q1+z@TgIf;JfZb;Q%LaHTsfW|We zIJ6deOA--O8xWNg!YPJbbp3QYE`h-J6pC2E5^x>{uo7ZE^RwFRVy*7Rex*kuq8`{F z_G?bo_+21D=}OMO5JrSAH5^>=au+d_6_u5h6%rF*d=A)H?ee&@T+Nw|6{KTY$@baC zppz#vW%MH8754)PYlY0fax{$cyY>EL4KRqadV8Mmv%eXE^@pDeznYF3x7SU#3t2V_ zCs$C(pRE`5Wws4<-<{VUx#{@IdNR6Ovh)Yp$1}t#Ilu`I?O|&GKO9EH}w$ZGy>vWSG) zr7ptimCUQPhg{|8;XBDfdpPPc`v%;Jn?Jl5ohSuo@}QHVEZp-AH#3o-Z} zHWm1GJxyTUducz;9`?m=Ze9Ij&%ao7jCnpM8a*e@6a6v!ldh-^!^)^bqnk{1jHW5O zECMF6t9`N@feD^oK;(j)EFgrm1Q(!~b1haX@vB@_4!Xn~M9U*zwQNR9BX3g^wBN!q z5{%6C6G@wI>U?cT_>rqnyFR-Z_5&YC%tSPw2(-ez1EDFys~x!uUx+h$@G~2%xhx*pO%6rsE3RBsd>??ACQzia2zzNgoJytzBDsX zaK!u`!PPsFxqE{7~!sEA2W|H71T(&!DKSr4$y-;LE1i?}E zJDXosgVAModREwY-}0B}`A8~%3i?43bk9WIcTcBYQPB@uxc7V(sdaWy#q=clz8I+) z%b~MqCLYaRxaU=Bv8%v8QrCMAzBa;6-UItG{IIFGe;I{%nsiz~OK}43=ROtUoT?qHyK78PK?$h^pbDl0Lvy^2Qd%lzXtX@&p>=7JlDPI=T$&%@k=p~4$ zI&k+Aa3p2slJ@z_`7A8?_oJFy~3 z^cd(tIu$;!PGY9L;0!I;qq<2%E9Iv^SK~%P>M@rI^iZSDUF|ETm4ti#^!9Nl^O<@{ z;>%4QyAqs!`M3(60w>mciLtv1N)u7%owuKI27D!mvmp&quVJ2d__8`USfPTR$Jo#& z@%3ZQ;$iR7oEo)ZKfWtLxf0U>n`#$qtMZ<%-O1&Z9WWni;%A>N05J3qZma{DiAU!2tNW(gYn%qO z)>4%^hu-T5s(z6Pa#c?znBP0~|pPW(`)&6OrBT zNzY#cZm3m=Zd|^JpDRS<=}Kr`ZRFi^r!k)?9&%(Ae-CpG(BjN$%hqgfvJY|Z^^Q zEhCt$g$zz%trAkSkHZR`V}UNRr!cGjD&JcME@3?d+4U@J6%Lf9WI14?_P`_Y&vVw` zE0&V}0<;bbk8_E56RT5VS}4g`m5T35q0aMjhMBnCM7rz92)}m~Y+bWuD)?G(9->5~ zCvE&3!;IT7)Bo~_NOcQ)UU1Cr3fPiC{zC`n+>7xZMqizCmf_7Nwc9HZqu%8!qo;s`V{7)-{H=&GehK^@-*sAxFJ+Px;V+B$*5IWexGyQZla7=ePZ|6V zIN+^Yw>0AOSS`Y|fnrj=wKd}3ShLpa2yFK^Y^`=|tKEq^r9xLi;|T|6VU44%5gB!& zji~!|KaFr&jC(6;K_A2zo8jj}g-A3xY$XBQDyctg#)}GHV=v+sB>Ck4^}2*uTLYnD~TT*@3o1%4Xs=3;6#g&?=jG2C6?U1ui}m$bJb9i4o+3oDj9o@7(>NV-U;A(Y zb}>TJu3oUhVt7>nB?Rujv$k{@?mn(uM}ZV+qjIN(_XYDBM2psr(fYDG&Ha z6R9znFc_HVuN2l0m4j=-_BBWde;mddBUix5ZgA<^3liZ1o0g&$;>oYQql~AEke&qZ z|A&}4Z1TzQL&G`)YQP+ze4@o%)cBlNrHl7;yx-)oO=lDB2JV#Yp&|}af<+qEE_{8* zN^n;Mb*^#_@^|NZHah$$sxyC^;23ivG25$uDPd*eoE@-#;QI^cB?co}^D+^$y#lrg zudtLHPUn75ryaC8b!s%E#6OH&2%!Ie--uS!32ii27JS7IxF)U1u!|lOTqtvl_jnCb zWS0Z?K=J|w*8C}UBg)spTeQPAUjDDVt)MbLkX(_cp@-L2lhOAi^cRxW3SISg=`O`r zUgB`2w7MMPC~R)p-iUK>I&$yGwhh=&I2X4^;qiP;d}|4IxkABHgxw<@U-(!-=HmWl zIp*@r_*W;?F5IycUsFK*1!yf~?@S@f_-BKY<2y@l6)M3!gHdOn2K6P~4-?#kztf-f zBw9(q$FP6l9trp5jz)T{5_3^8mqI!C2#34iF!mL@0RAuev5%#&1;$}U*j3hn8SY$7 zf=!W;WOz1gxOwXHEOCdDjU6W3EKWXq8uuWS(GenA#70^$w74Jj1P^rSr`6+brn=7d zktdU@^W6AGW;&uLy)mKe(?g_)=r1_JJ-@h)Xs5bk;F#0+G3OajR^+FLEJnA%Rk^~T zeZZ?>;W=Ro_Nr+%f4FD&^*TGlt@Ly7!yM=0p6yEPz+#gvJrOa;BNt{PXXHWf zyE3fQ;2`c@?I={BL*Y5=ELzNW zY!a4|RA7a;e_S)GYyRVfk6V<3_5a#Qwr=_6e|K%6TkhF1WlJ=PV;zO#_Ks&(S0zJZ z%zsXwja}LKSHWv)GP^8~XG7|RPH_@29gft&?K1@9DiOQTxb5Uz1;LG0(XuMppDOGY zy=hw_8j1eb*@%+aznEoe=t;yfj`vhM(UT$4(;`?w#(VlZ^pwDb_O06n*+i71yqS_&kisjv}=ISZ+6OR7K|c7`_#f@305m(%~3xfDPtnuvFIM!bRT8Y^``>@-GPxz<&7{#@)J)M=`a0kL zDe~NUh40Y&NAY&}{TJ~(j<#nJvt~ifXHiq9&-)I)e*z`A4L)N@B>w>NE2xf|-<}~# z8&T?ul+>Wa5h*z|qnKMB5MN-cUL6ArmQ|@E;gWaYPf)StYwxIpyQA}$EBpX%3rS4G zO^DdBq_||oF!q*8h}`3i|8~7Uv(HSUw4B9Z%(|gzah~WyKG2bj$3ioC>tM=SJ8ga3%fxMU*S@n75XC- z>plXFLvZhDm|qg9#*J(vXHFqKSE-Sh(XbbBN8#`xo8L(X_a*MPf$CuNH~-*-UtF|0 zoF(qm5X83m3B%p=jw~sXMr1W%+2VW8q|Yk-8-#Bo*ZLT|aYp8}PBn?uGJ-&9p&ud~ zz{nE}!p0(Mm;pJsBRpTdNQuY~tF+$Q1Uyf|iYy&2HeVVnHjDVkbjk3$E232r(LV4we6Zdva7PF@PzYQy6AKpVqN3UXzn=Dp9LC=YF z^SR%K$yhIFs}H>kKil_#QP2_oPrlv*FskF)AD&zG?p@VYK?MU_Bq5rOBm@Fnm|YcQ z!5UFQapUev7#R~G(Sosrc2}Z9EO6ZN5+toe3?@a`;F89bR>rs_#*Xt|oaDW~Y=bPv zg86geT>oIV~{_8(9CYZRbgXrH8EwUtSh@subXSwzDHRAv%q4ES_n+-!D{a= zW}x5AZha=^TE2!;Hr33{JH5JFFGJ2ASVoHlw&{T>z0V(%+41V<0TsO2Yd#(P6YbRv=H+gu zm50=+Nx(dEWHU<9H#urCfoH3Wq1-Ds3|Lx{Y&;}Rb@0561mRmEF5ESvz5H4|EZD5I zev27;ALg1??r-I49enc{=lRBnucXuIM=_(>1p3`<`29t>Hh54;hwNcLU=wL;yU~JQ zIbi9b=gAoDJj{zK;AhM{)zCRbDj5<3!3((rKuz89TI zRAxMr3@d<*D1{S-GubmRcH~#FC-9C{$c3l#({*n%wiQwk););{$X}ED*th8)elNWo zX&#dE>NOG2IeY`q%kvuPLr5z~2SYJ=$FVzi-ng{ubDRVJByzLOyHS^B3u*Jyx5&U% zWaDuam<6-Ng4v>Aw)}<>B+LfvA7NL9CE%1{8xR6Mdr}_i1_%BcONribF_IxwX_k|4cppTPVIc`a6jBeJ}k-q~$<< z?;F+1>3_XR^poIy3Yu}ZDylzD*J5H&Uaeh% z_7${t*$z{`<5uBb#fB4dv;8(#STHBm(hj>HJ1AKds?D~m=H`)C&B5VX%qP3h&ZF9t z+RyqbX5x$lt*?7WXpdc#R~-zqIn7~KAW=UHzA}TQyEpQj}%mt0&|rg^Cc&;DuUmxWxQAWPba5#dp#h=BdqLb8bN~t~0Yd z^DWlx=Vpp>iku@C%D!n;)0f>|eaEwgR=pXLNI`|SuWgn$o0+Q6za+Xar6$29o;e$5 zd_ye@GjG}w6HePAZ706L_rVDzzAd0qdW~UMg{0vvy2pMzqZwrx&g$stlxrfMihk*B zrAFh>qQ=hYH{Qtn%4^JTe?zG$f@ddDH5rzNb5&}gu2#}M>`uJQ8>}8dtF+M9zPdQt zV*ItJhWF{WZb5INZmp0?ow*#VA92 zxn@9U;~?8vq-$vJ>@-F=pk^ZA;h)5|jqk-dHwd(4TB>axxWBs#9JXf7>g_~oBxt6) zAvB78O$ZDgr`pmF)@l2ZmuM>q$y0I40h}&3y5MD^VG=ysE@;8%?=E24l5RN~V_*oI zYy2=U@B=boBh*6rx3a*|H@~6-znh?u21@fzlNEcZoxUG1o?_H}4p>Cv&jEXU=zR{D z;<f62J9V>s5 zQ9V8tcAeD|vf~qN^Brr-iVd&J+cN3t=8UTGDJ$1y)Z1{*B^|(-1KF;0WJ_N1o@B;I zt#=56R!a=qpQDf;=S0}(zs{I?dLyp$^CfMbMbz4}1dAzDIfm#*6K2j+LMW$>%d(e~ zq$oR7X_Z0?tl(f331iwi3u||U zEc~uoe`pw=SKAy);`i59);`cMzxKX{1q}~2-0FGDBYW=h2=FzzyP-K;x%4ld7MzZp z@+>H52_*o_#P9_T?G4=15=!G28f1?@l+0z%0_b%l0_(+c7kZrH353#lPeZ<^Ih4Xv zJUOo)58imIl|fNsy`be(b%Ei zgW+%I@Ea6q$u>q~_XD2WM+L_uX`?MT?ceth69cn*NSbhdlLe4aEa$ycCOoQnv;f-w zTw|e{qFtz`ek_j2pZqw?E+=WwZE1uLF8d2!(~2r^EG`DWF%jvLIy`OVz1~150g<{8 z8w5{!8mrKQ=@FA09GzpatM)Z^IAayjH*t*Rp<+rvBWjVvEwdC=q%!6E=@t2pmmkyB!iV?it@C z9nvG>VC28!e`?mg*1lS`xiJel(x5ew&2l1@tO;tcF-`lhUa$-_nk{m+aG->pst0jY zV=lbVXu91rXr0BjN=2qgV!k*z_fUUC?2bsehfYPZ;T_;SY;=<}c4h;35BW?3u36Aw z&w;LWsU@&pu41s_y`oEldFYF5lq$wLE5w~^3LCWJmt(zU|Z4qW&HKleCyDr6fui3^DlM&&DpHR&7H~LL(9_TX_ zseZfOGBk#tLPG=RnJ{5U*3LKZaB)$x#kwLL_OU&3+T^s263$T4R-_auxMz);$2!F+ z-Q@Y^M0>2UZ7C=G%w(|||KfqAw*eukh(`4j{DO8c=p)i}s&>kNpDQjH66`dBx2{w< z(fr4- zMV`!vMV+_eBW>d&KUZVAMQNBO5BmL#{XO4oe5t<{tmp54?>l{A`|dk!8uxScFOHA9 z1wjhXm-<>)R>bNNh5fvk{ZC;Xf6pOke}UdolezaXV_yfq*=L2{2~Zv62|!vwoScAM zZf(wByFS%Lw8M7E`Yq7!`FlPa44@}}D>!L+*D-gcCFA{Ub@w&BYd>3Ft~bqGZ~Lob z*vf6Nh6Zmj?$T~q|GB!-rlPiam!yxc>E>e$eu1=S>W0Ra~*+|uwn+pZuaID^rm?~n=`*qSwSmm zrtQ;;wuVOBJmyzb*Y<%vGN#~V7_kJf$=p%b!|2Je^|AsYS{ zQVi^n*`^Lv8vGZd^_~F!FPRBH_)u?5WP_PjE9W;B!Sp(fFQ&XW& znh|rP(K&$Fe(+S-FASRuDhG9~(=w;079~#^Hks%HYc^Zim=Qb3#oopiEvNJS2gJbw zD4vb&Jo`W#Xxy=#pFiNzvO_hCO)y5s?}H3fwX@Uupxm8>-_!@)d_t&UG5#JLi&FS| z5S9yz@%La(=RcQ%Qj&Wcb2|H%=5(II-yr@z$KP4}UBKVvr8%L0K9CdY$KNUZ4dU-} z{GG+$1^iupz#h_<;O{>CEwvBm7PgoT%4idIy)LAb-bTCwS2ysLOgS+|4z85*4M$F# zk%KGcoJY?6s4on*;|e_4`YAL-Qt!kl7^DFmj@$~UCJ4#LE6+ES)LpE+r2oY5^@Lrh8EJixWC`4;SSH) z;01B7nA6z@DD*v$)A=@j-^T9={GNCqJH+nG9$*+TQV$>%OK+3!le?YCIRi5CarXdH z$Ttnz^Mxd5DD^)4J>VQj#Zz4IWOPWqPweK_(E}>-aQ6UG$R8WpK!5mZm+u`ra2b6= z>VBlqFGuLwy^euv$V2LWq>v{J#uZ6%V?%YQQMb4qSW6b-;`bMr289?w?V2PH=2=A+ zDijCDjZjiTlf}U>=4{6lp<6Vy7qP(@2Ak-qUDG;lZ=W8rWT6fGJ*a|;9gF$n=eRzI zs4uxRoBTAVaMzQIeMXW8v0eDHkZ&6N&uHpFY4A8wFBULpi)Dq>2Zccq_eUm?c2FGV zW7zKK~SYy3Q5?y%8EhX!}B29AXUIyi8rettvzcK6~Vg^y{^hdk_d3ydo z*~-ha1$i+3?5|?0)a-%sa;9ewZKF>E-<^Tf z102>iNGjVaHPFBl5d-Ec2c)#c4CQ}4BI?29Hx9D%T2oyG=P-=1F;*X8Q`4C-MX;L9 z0*z8)hHn+&499)5K0Cbxz8T7332A{=!5zq(;(ka~{5d>%=lP`z9SfW;ofQe&>Snp~kfL5$HA-U-no&6kiU|0!rkbxCMSe;*B}!VC&Y_9SH28`Pr0UJ#r4!RO zT7APdPVvw;+mZRPE=)Y7i$$F}x50lGu)1B61`3OqE^FO9i>`>Z-MLt`K@4-%|yaO9Nx(>{fdL<(9J7&}=jRQG+& zMQy>7tRTT+?U>2+JI0*R^4|3wwLg5$={iwwD zq5Fk>O2yl{uL!g`FHZ zQ~T;%b#B<~T1HivM*IwQ*l(U4k)#c;7+&_S?%KZ7H5;w&bn~7#w7Cn;20T%Q|5!UMxdX897eddbPC3Uma?-ce~zocN@K$W-SxP zO23pgLvs4J8xq>de5cS^?8^?RNp9cQyS~xYgChis7I)At#Gl^rOR(JsRU!6ZoRDzP zD#RR26}E=mb6VQXiKV(Zv8555z?kNcI7V!2Zg6|Lcow8d(wKk2yI+B)SU0~@Q1A#( zJeVPv4rU9}ZB(}sxnhXK-*4r?e;_$4d@fg{b@DG}*JZ0e}O`W>c z)*7DK^ot&A(SNzCO4qCN-TQTQ`PVZueXo_?jg>RmT^#l-UFO~resF1y+Z}c<9qkE* z=P%9jxWfyVR+VlES1k2;2K3k;6_j@N#Qvyr<`mCpcQHKMq$vyCiZU9|+?{C&$|sxl zZH!C+RCe(!z~?e=+PA>Cm+?g?CkQ!?>L~HSL!(%gZ$a&3CV8Kc!Z$;XDeo$D#8)gkU@OFJ>6JKZu;z_fy;!h+KUsgk?z)?Kr+ zT$GnZzAY=P`N+4*+E00j?#jN>^jdgnZkKC`yMjvI9q^?E|5lZ1v#MKoilg22guC5s zg^j%{GbMjo1=f9~MWYr2zMt|dP3^#l?H>P?iS;2Hz2WN=Ri#Xlu>s8WS4z6N%NR+TUT+(HmZ=qdvU@!jDH4Ss2{WZmGkJbcy zC1-E1Vv{>Brvt|61YfrS-;026vO`3PVa~o@aiY|DIaltymfMBhiFPJgKaUcM!F6V3 zDBH5jl_36LCu?%1IF~J~S{OQ_M~b`kh+|^j#O&LIipjSnjcCqTP?0b~Ky-FW#b!e5 z3APFw(k}+S)aj(aiW6^EV+Y46X-m@0T0uq2$Q>E=727gXdD@a{PtKAHkCm25wlto@ z6{VnJm@-Uj8MzrHnlnZC5Sqse6q<>pir2aTl1!O>08R(Ke40x)M>};=hO%A0->&A_Qq=Vo_OO&W zKGUwU-HI;ZOZ1SZ4ET~`I~1HEjj|EvsKDcOmNV5^wXk}j8MBz)jXnVC*K&(1;sBLJ z6_ydj6>{dMNPUvYmXJ3j2jsM7Xw#Vew`u_=(OZZaA&s_eaa;s1uJvqoOGd>ny7sTYSQHrJUB%R}!rAoXKSc4c3LU-@gTuFlentX-n!+w*c2%4xRV!yaOl7hXRfeNPZrV z-%}FP(_a3y6?CI?5^w#d)Q{^2$W3}&Kx>hw4@Qct$fcb6Vsi z+evwt7UXpcB~@_DcTIMiEPyclWVG`R)UPqMV>L$F-owZ~*Wnc&d2h>>?VqircG9%H z;o=#~8*sL6-W4vMGZQOel1Vg$-7hT6cjP$o)VUSeDy;*Kb?~0dYUCQXo}6ySO3cPe zL_|HzlvLEFnNkRv2p$~1d0#HU?twD74$Pgu$i;dxtz8>KnQB+H;X#P&Rx@EYJM#W2 zpX8!eswYnb_QV>#Hql$*Eps3p#-0%d78A5AVW`dah!4NuS3H!Q!hEoYS*nq3LH9dj}5 zWyB!90ZL#S3$X((*U4Ay1=p9;{Nubr1q^0w0h2|P} ztCvWp8IrOC9tG20CW?R4^<>SAbb*osI4k;mUf>i1c8qA)Z=l73UL6w7Iq0swfvhko zML6R;#_)#V0LDquTjf;FE&Jut{BD^SsJ2QjsCyLA5mIF55v7iw!+XBGX5!ShdT!dO z=v4c8L9#{K?z$e9DgS*r+Uk>dvK?@^iP>(u-fN8SFY-A=;)FbM74!fsJHzUt_-&S+ zUE%meY6w^kTGS=%oMV?hd#PFDdfd}V7h%Pmmd6lP1C;LMPf9<=Lxp3(Q6u2(&N!`qtxNSi$9tI|6{7I`tQ?8wra*nfDHPS z{8y~zEep9y7Q!8W0H0lpy(b+s2D~2fx~?9@4tB!s%LpM?^oagR`fwj+jUKaVG-m42 zKO|@`_OQ12zTJ&e|JEV8|zx#T^ z+_djkI7N~)U+KrCS)g>z=;bzeGT1%}tToSp9s6!KGai|3!ss1KK~9v9p<#) zz$4%Pj{a7MD#;Wz&V;XL@`Gmr6ilFBht;+NewCo|;&iEo-jszEe-1oJ(&Le~ly732 z5UuG1$C3tNO%^~vqL2GLmi>|FC7M;`cc(zl<4ohUmUnj1T!*x`CFiq;*_XO5&N59_<5%`M?;zn zt=UM>A!vRl)qP5lu;!*1bXhLwvUR*}iOEyF`ve{%%h%Bpp|4>GE6-r%^?x{cj~fAb1|%0ZN4tFs4`Blg2YP{N5c#|yrt zlXo~`P+~JUm6(aN6BDOGbHwT)%ayC393j=$l|?u^i_{H`Wo{$}b82_Ecu|W}fFjd)Hlq)?47a44gN$;!p^exx02?koyCTo z1#wo>gJN0uUY%nE_Jb-8Q95KHa72`<>e6d8@^1q?4K(lTu)-~++uSa=t3HG1Si1m;N2O!C#`O_Am`#9hhFZuv#g`WGN^W5$KJ++2C0Hrn=Jv(#;VrnJ)VdPh}}KALcdaKdFv?cw`I% zS9p=(U2NZBSm2IfC~5d&+A7tnYaFHF2NLreCN<25-S}b~4_Df{;7`sSF1NLZyi-fV zixWd3-_(+DWnyQjYHD$~JaK=hdTJf-3N4%38G2}HM`-!f=v&mGw``(leBs4rUwmn} z(!4(;?r+2l7OnLOK5Ol{oL*~47+2{p4Gs4zCTsg5b zWXXed!o&{fl z=I#$A=XHfr^48{}Zf<)h6)jfgc7%rE4dp1EhNtOyYsX-uD4Q`9e^?eljZp$Mn04z~3V}$ONfck&jfKPM4dL?7~-W5gc z)?&U8$bv4~@&U^Vd2sWum;cUGAPuhms`d^U`YqGHp0i(qE?U#Pgt_8md2m;a=|4Fpv{*4-*tKNBx!Kkl7velPTlgM zk|04NEos=|8gYs|_}t@Hs-c@R*frUL8}$dT*|L3C0;#8Y1#&z#7n$e%t5Zuuy6V-AHmB z`J>PUOODN!xvKP?Ds*_xwyA+;9Qq15%?m_BjDKSVbMC$1j!UtwuJDN=^5O-Xkh5Vf< z95Ke&o^6cl^Ksvt!u*onTF@MdU)&kGqkONUM2|`T$&}6TVe@3sQ&aai9f;Gu=XQEt zd>FCHGKv9HYlh@c?1!gLo4Bp&oghKk8%Yd+++m zovqIHGJBb6*6BWJ;*)p4M;D^2n)^jRykEc`5_f*Jzx2}!5lqt&W_(K%V67dU!1m)A z{0gVEPS=jwF`7K|nMOwGaVf0@PmGg-_TDEan3^+Z-(nLU;XQ97fKwC>DJiW}Q?w_h z`_aae6IeifyA*NpT1Lp;F62zEh}U&tYi9qkJD5jbVYbO=XYpMv_$`4X zV0cCe><35Tx|zjgT-av+a|_EHIWkU-8;O5bD^e^+TNa-VeR|`|Rw(C=k<6TIYuGT|j*ce=AS)+TX!N~3tK$BpRVSM@bE2XZc; zybqB}5VHi5rW3uwoNd9BYWRZz7ngvy`w@{VfV3*LTK42`v26Ek&EM91ZaMi7vT&<& zv=)c&YF1+%rMfcXv|ci?9Oufz8eVa)b5-c(i8!lp)!}$K1X=^K+M`NE(h|)$n~Ub? zM`J*hj@TI2{N;&GL{QFh6}b0WTFP-^;`j-?-jSs0W<)qCB)6vNrirPLOo<`6o6dBH z>2hw$Hl-XqbhjY~gH6^dR?r||KK~FN;^bC~788=6c^v$U6=e=o#OT{f)a^6$SWO72 z?Fk|E870L0hutI9oxTx{_jtb=<{vuD;LRcBJ*v6t-I|-Ev&4l<;G*Fd^(e&>X$Q4U zr;dN&wD#vPwASi3a;o@R6Qslax}PqNHktP`AkC zBHZ^#1@t-@X&>4+b40}nve8G)$0fjZ;0XBwi{^;vH|72Fh{ZSqkJi4K`|gnhSAqdO zyPiODI*X)Lxk~kznWd12PH}Ip5Fwe9^5)_xY(|n~&Cbs^+4Ur|!>Cp5deU9yrm}N& z_V|+(f5j=WoOeMjhJ0Dn^7vOq*?gnydKZ16Y<>%c6S{ioy41v zi{=#`iF4`3xGXqr%;a=pC}>_+iJml*)<&AUr9uMiguHW(C^T@oXp?Zd*yX0OK9qDh z^4z1{T^OI3CuvmbeRs6flWxg?>UyKpdbg*7p)F-~*j7k`S%kdXu z47fm=Is}(Lyr>uupq!74IdaH=6hSi*c?L9_OZ!*!8%_1!GKJ*FkrhF=kOa zSTS2qT24@5^yQQK!b{V8UB&JRMjg%N)-5wBUvUR3-ospCc{Cq}@pDbDxl)WW>ruv) z8f;ptroh!au96iy5_piSqj`#{(OE`#p6Dd9z$@U8Dw^O z+-3tR-+-HG+SeF4uYT=V?ON?VZ~3bM`>*pKFzSeS!_8WdcdlBCGtkd;TIXbc8mn0} zw!K&%<1lI2>Q0)gm9Lax=1%CU=qft_?3!(f(Z=L2Eut+Oh0*W9+S?%!yX;joIKj;62}JI@HaUvG1ZNJqzCq{~bfJNNCRvMN@h_ zgJE_2ae(}`Ao2vB5+@6Z?*K`^h#R+Rt0dV0{w+6|_&4xGf*R$NM70YFXQB!oD7`Br ztKws!kO?01i7!RGQRh0f1W_p#R4AC;Z0~%Q;%EsaO%1l2Z1B_B*TSSpGs;Vt6w;<4 z+Kevx?H{`j-^aFO;A>BO2s#AQY<3=L`^B5YPt@@;4bg2!PP7s3C4PPEoA%JQX=LSA z2fTgj$kCbuwxj#;1|}2VU(7Ny6fNCoqXlhzql}6;J(NolCG;K~MjMeSv5no6@1hc6>AYME->SF|rFKIkL*3!H)=p>AYrA zyS5xL2q&ggW%-;_2|G>wafa7v?*2p)>bwQ*fTbfv%eKPK?$VB{y1B+|Gi#`0L@rEC zA*zkE42#*8Oz}*mi!leh)RCPp#jP33r|@#lH1dn@2khT3QYy?i7e21DLYyKL{&>WT zju)I#b1Xa(?%^v~dhp79vaOqE_*O9D`T}ue8F|EU)F}rqF3KS}`5Dd4*p>7xudyPZ zgQ6=F1&kQCaaz7Ni+m(S@1Kd&CXo&08OhNgfG%!kAHuID!)QhW&H^Jnw~z#lpG0$& zieA>EclFH2{g4Qi%<#89@@@G9=8TqK;ot?lm`fQ=`%VF?z8^UQol;g@*;t~U8hrjM z*dq9c={S)VOt2lUY?L}LkUq;qY48UKWk1(ZnKdtGZf@2rOLp7#_QFN zl20SxqIQryA?i8~Ob{|`{??Q78e3GW=31gtlhFHT<4iKNL0i%OAoEu?=D^a2`La+x zYB5T-)i|q;h{##(9vy3s0ZuhL4s2i!NP(hH!x4t3b#BEXs7XG@fwkXzcGRf(i*|Fm zAAixh4aRdb-vVe+6a}Snx2*K;Ns)E+9*O}Q8L}i;w8VxEZ*hboRN6b|u zVH9i10M|&{F`V>A>;Bg0g-KJ~b#9+3sa7q!{A0b&mR~Notk`Q!xwIRA6P^nA1NH>> zzXI;Rj}X>K!zh;;Ew~TKjQnYa4wnhC?W68jZ-}cP*Tah47;%8wGV>3H38#O$l`(%( z&>LwJuj*Fe^q+Ab^u`*qDbjZNiUH-*t=lMKa;Ys#*2y^Z(s5Y8IT<2-Go{;vA#Ug@2WM%VEdM|*rna$&i0 z<6n22=T_hqc$?@xI{L-jN|(ufbV_uWe6i^Au79GZWCbX8Z)T93K(a}=rU2hap}u!N z!_K2Fi>!u)tI+*3Caww{=F8}mVdIn!k4?qOh_pR>V@WdjKlH4Xzs7A7L@lSn49$hJ z&{#?2^SEd$<}P3Aj$ht)7J4~#HuA^_i^S7U0hYhO7k@P^x;m$t$68yt2#d-suc<{O zn<>AdLI$=>HTe-s+E_D%H`ffEL27K@-2$ReORH@8CQ&QaVr#6R0-!DU8?Dgm^G^O< z<0Df9&07Qw;y3b5{l_+l>LBBljTO*INhr!Q#nr$LN?-%ld5jy8UW^pQd4Udz`|uhE zu80R`g&ufbb3xFVXNt7_f3!WozRpqEBhO>kaNi^4#;=0#V&vF7(8<Bqabye7bU?>De;V0$YYX|85xr`BZ`W@Srt zS%t9wO=Oy8(Qxh?eeddJ2&9DAqvUxhm#1k&zZvpW_#p;OWUML&ydu#~L}$RtZnNIX z$!{=&o7h}iO-TCyQ8LG_Nx)`PV#5iqr|2ho%A3e8w!ATliAObK1ptEp_g?DhDV=eW zpKAzs1cl_n9T9Hycz6c&9~R>oVjxAYby9iF@gWc3*Xkxb7HNyU1peelRRz)x%gOYe ze|f~_n{${6$46EG^Sfl@)s@h;4OOCHQ2Z&jg^Q-I4H$~LXFen z6n}Vj?s2*JF-y%TK8{Ns746^MxRlQfFUX}cJhvBX4RZ)KTF@x)bHp{$UYxXsqh{+L zk#olN3wOHqVqtN3!H?pU8}2gQmA|RtlUc{{yE#02QA>Ds(agu@duDo2*H{;B?Drk& z8qg%vI(d5%WOH|fbt1-jnBx}9`jb;t@cI#afA4}#g zhk|+GfClB3JXkSyf5|MLgtoBDIIlHp8!t7K!j{`!TMVo2)<(03<7*#|l&c(4tV*{l z?6M&SSfk*1?o*L7Aux%P3)8|S%` zH;IjIPq5Ib1@pJuxz*C5%5^Q4Eb5e6{l^wE`ICi6iD&LKF=qPY9;D%~V^I~DJhNO`GO7h?@kP`ANbZiyb{r?jS6evDc8HwK#g`EMYUeNY&}kf>}%H2 z2?6j4Fpe>1Fo47(hTt#B&)BBX6HOW$Xqm{Y=9f1JId>|L*$-R>^qZ#C8M8w`EVdfd z0LGHHz>C=H7uKr8DZu7*jQa9FS=PV_Gt*s8FRN2UhmWmOE3-8=Iy!Fe8u-5SXH+vg zM$O>S%ZTh{tp?2dkv9nWbV;IXW3wet>o{-{l9Z)Fx z^Wr~hci8bg7^K$lUhzl!z%Ma>Shovz6}aoByEDjR!kHtuLPzP6Qv%obu3zQAAugdj zlkNhl5Rm)wG#C1!z8h5M;aM4LYW;0wjmkm|85-<#k3@(kjTx8?tughCA6V_xRN>4s zGq84f)O+uL{?V*ij3-YQJe1tdy&Pv)@T5Oqf5KFJSQY-5K_}}XXm%4u@Dk3Z%Je-> z7oL#k*jRs_&OW)gkzKAxl0G?)Uso~%ot0}Q-J~CzB+Z1?9Ml$!EA+H8qAyXZw9Q z)zfpTAHX^oiqlALm8r-NA71lA@7k)NVut%?NG}XnW~S3l3%y(%t3r1T@zVhh-DTJs zW+p+VG01v9i>26SkESOpS@5D&s&q-u!joGE;PN*`0k(y9ACKa?@PUCo#VmAJW9(}V z{tNLmWzZ^uH^i$j&i75qnGsX4)-}ypp0xj9B94Se8ucp^VO`Bh-jgl~S^@K?>Q&iT zZNgsO|C(fOMqR(^%ND#G(HdcYeNZb*(!7(1-mAy6{W4Kg{?=-Eu_dhcbNN{-*_vmI zAHdQ)KF08S&2sFMs&B(VRJCDyz8$9ypLU;R$9qa<-o42TipxY8P?JN?jHzZf<54!p zSaxUXF@yf$3KMTWw^lQvzt_c34RCd+;Wctr#$4I;B`CK{-7?7IB?CK4@XgD#Dnp;} z{usj70&?J|+Q^w7a}hO|=5H-9sebdDY|!5_3L}^qLt0Og(Y_dZCd0=l-dB=#t|5wZ zZv)N^Nha)HDrVdZzh;5kb@{+aCI^c26b-ngS72GVhg~zi(t8t$_k_PG+)pU*qsAl0 zMeG+PjC4@%cpu8BW89X0A78`>;IlE)zj*=nBS2 zJBJAWu|6hauS4|Q14O5mdsl)k|B?3*I>}vUuUqw_WviF2dgvj#1I!bKqwMz=H>{uE0eL#$B35e(R0dV0lat$`o zy6<^-C&dfnh~8i`7(UB$%zGEBxw1b13iVW z9rw*@o4}*>*uHzA%&vQs*&5iy;5)&H>Jb?xW{0|YlB5ij<%4^k_ z?j|WOMzGjTQd1YAnQ$W}319E8Wjifr*)H=H-hDD+jc15jPLviu>}6X~>LDh>H1%Kv z5<$q0Ny0`xVf}GAT+*07S1;2M_x}HCk?yJPy-e5p6}{(#0uNXi7vk^jOwdg$GJO8H zmT-x!MX!KgONkY`86qc}{gS@Hl4tmkg7*l#hoV|U+R}dq2c;UI@;j!rgk43g1)WZL zn`!pmECp6bYK8(QYzB3OI33L3;2X_d#z;8i%u1vzBd*<+75- zpR?HMn}d?L>+Ho9cB`VlBOC^fu%Ok1v(Ft&VNi3~;pk&>nLhs=);wad0EzNQop!7c z@R>+MQ;54ddX^Hf^p>I3Oh^L1I1c=S zFG(JMyU-r_4sOM)BMIf-&M1iYt;M153bn}(j|b*M&AgCC?|WWqjg66G{C32PA>E$; zfaZ*Akz#oF&zc}`x^wF#bD(<^p|lru){Ljq909bQzx9WpX=GiknQl`RtFN9DB>a*F z&dV&D{a@>A<4Vx#S!#6#>_f&IEzWT3v(X}_7H3e46=?DQ=vJRguSEWjB2UJU{hX=W zGW^L{H`)?$Cw9jS_aTjlMX)+*VtXdh93j4AzciYQpYYY}@&{?R@W3b2kqRm?yyIXt zJ7_K9fW_&Hs~HOcl4H-PS}ay&ch*s-X_hJI>?gcmomJ&5o>dHPenh6(k9Xl5C>DDB zN3*(}m5AT=P(MlcqEysA_*8jNKkVo~_Gg^O%x96dtSb)!>)NkW*+NdW`JVE2M@zeE z&hW{Bt8WI -+gq+2N@`Q2{x;Jq(tg(?2e^mfM{zE|_Rp>OtO$jJg9BktBSKGMz! zmUTk|4sxznJDlA-O9rhj1jqp9ffyBN>UuKG5Vb}{2+sMW^{L@ z^P69~u^|B>XJ664;YGP#V>JPWD(3K3jqF=|yaE;#Pmjz%OvEeT2#Oe434o3sN%Mz% zwzIeZJeIOm_p)Z-Tk`8pxy_9%?)$j+e|x7R+-*=|2QmauURIYOQ@fH*_6q&Sw%}`= z9#3+!_E(6``8j$C{{*iDK<6`IUq-dF1oUlt#zPLG)}hCIjdqL?`d){|n;ktzm|&7g z-y|)O_~{a+K;kXD%;1lKVzflsnyxA}aY(z_M$EtdOV!}BP0Y6>(zg04ohd>ZVZ=i* zBA`4f}HfOBDF1h&9 zdO+m|mp0m{hZ}?saH7zlFmScfpcZY7YkSAc zTe%1RWRt%k-)kKE3p6mnnZ#xJv8O=GyR!x5_KZn_2PnCY>g*lUQu~qKm>vRs!tUKW zHMKU{c8jI|*xM)xJ6D|0uILP^0>0*(m>d6v`{kGFRCY*b8mm|Py%J(yRDt7;;Z{nI zsRDm(;dZYa@`KKoQ192^()MCbyo$P;ZfKL3whsJo`UNyO8+Xgbo9dR`4oMcgQ!Po#27efb zlC!UDgv?~Yyd^|lvr5m>dGi;{|5i**;)|$^!jLI1eYo}^#3Uw3E@Q+KeqVCogBIiJ zRX-%MJZA#~?S<&v4yWCL^$ZCGuE4y4zeuMYMF>pSi3{NBR_F>8LQ^lvM>=jId_~A{ zGFC|ncGpb3#Gpz_K$Z0A{iFMOPK>7LY+FZCbhfbGKPudFVwCLvXpXK+xk;db{z1`X z@ZFOUkxbUDni+8$-qk5K%b#I;O|%#AidKC1R#1m7rr?h>9+egLupd$=$<_fHm2CBC z?~m18c-N(o6xDR?DA)QxZM}^o^I2Tx(j%eJvVWXjiZ{q_U{~u;^=-77u-lvb zrq4_P(-&!4st->C!_IC7O;d^%HycsuL`0=4J-h*NCM3Y&B;@}tR-(J@oJZQmd~>r$ zsakVb$o0JmBasuLnVl#%+u=J8upIpT+7uV4TFhzx3{hK#T*+2)Vo9$5gemvhsA{CL z-{iUEFGhlI+s<||F&R|i$9=MS*^xZ9ANR#2$-Yy46}i%^JT3<=V3M{Ym-qmz($M=V z$9LNx7#N=$6n(#e|Jn19jXau4+?E-8rHr$rXCRb`w2gcziswFsU&%yXdYIeU-pAQl z4yvo0+v7EyxqNo(foldvpL>Zc6{v12i%W(EpcOVSM>z}f*WukW_a&12k_{$N*7lcH zBz*{d;CACK^QGIYC~58IK|D)-$$DmjjE*L=5c3DHa#mxfeMo=NAIBOv#owq~O(ZnOpJKs$v#e2v_9 z&|0qEkGp99KKK_4+^W+!ske!rGl8|PUTE4^ z6M^*_e(NKM)P?u;A9J#g&}O8q`H~4(e*#jQF8!f^)x4TAPRdzh$Q2Cn%fAU&unupc z_W!@QR{c!SIHC$@j|jlV0#+h}=N_yFo(c+-o&HHB_Ib_S$o9d*n?z^kIlPdw)B0>? zaMJTJZizXhUr8~XeNtTmAM9xz$`szMlqdBn7ESP*^knzJ&Pe(!oc*Tx{0_zVx|ann zC|df?UkNQvdHY#cnh#}9`yrC6wP|s2_|EYfxZBUtd?Ph2j>8|NpzqQ)XP_MBE#=rj z*~RGrm8e<`P>!_CFnrfClUdiHr<>-(JN$|+?3B+6yRTjm{4-AH9C;;T+Ag0Z&qDiI znXs6p3;*B$<^R7vO%Xm}qm5dcaL2!u(2U&SxJpI}j{L02dfal@?+AV_bmw4`YudLd zGRt>sQex+|r3o6WLYm&iTo`+UD3)HnhQE)ymM;@_C}FB`8)`h>Fly%)eNFp(s3&Ox z>TTBIwJ7wCF|uC-#(}%1m=pJ4ohAenJ=qtm6?a}e0o<0Ju-n}8aRu<@G^-x=wDyhKfTszd3-q3nt(C@;onN$Ltr^eo zzO(#$b(^AfHxAWBouQoip&W6C<#mo$sK*IL`_WMzJ>k(aSA7tFyKR>5&sKtJ;to|O z*xd@)MV6Rt@t6a2KOXmIvGzbG!ICWs?NdA+^}eve7IP_mhh^VBq3@u7(X{Wm8?$@_ z^FXbiH|=xa8^GdnDS0(Hb*vg+HQLS!v|`rc@WccvS3n?^V+zF zkpwm)i&=U-NGN<(Br7)SDz2nga=NJnx75bUqZamrhWI` zNXAOQ+n|ryZAJTd?*_cr8|OM)$4nWn!{w}LPtT35THOEB-kZlqRo#E%=Pt8_Kqeu} zpvcT5lZ`bAfdpK*ne32|n1n^E=FTKxGms$(h>CD00S$sRuC>*YFn|WJHCQOxTDcHZ zL|bv!RxvDr(4v4#1q9~z{@h7IOxy3%Kc3(7dY;!S12ehj+_Qep_Bo$b&VV=ZCd+#F zFjojH9S*0OP~*>Kf*0v{50yh{v>vjn!|vqO&sn2|Z@&T1f@OvlaCtXocHFl5v5u@3 zwy0?3@Ae8U*hJ+<%TTZ3O<=jFTeq@@N6Oc&KX&gn=rW#Pi8;ybz zq^^z5R##8ZP1mVR+y=QkLBr)l4TH<8nR_vTi=fRbe55S7NJ5`iX0`&VKM~2;X6>~X4-LBNC znDB=4a~?3}o}xOQvVeoI4s>fRjT>F-+q}Jdxik)Kfvg04S!mkppj7sTEKKk< z=M8tq;Fn<6aIP9HTYb)B&Fshyxp_&_EItO5&H@IU=T>$#F06!~_>*ukg)t|FJhjSh z+(ekS#cpyWY|)+^>4FbFJGJK+Jn4M0d8-zR#S;gdx+e#oM0jN7+HGP_PJ{%X+Lu>F z-p;xVowhX?d%h5-kw63@YBcB>TFTLF@Z3c-pr&3A(=8(>|QYBss~j_X2-FyB|JL z1FDxrnk<~gCw2D_9!F6+@O7w9e5oFMPygx@SThDGZe?RjQqT`6&{V(96q>k?!Rt9#X_vDnAWU+fkc+H`*|-rs&ok?=(XP(F2;CB$K410d^KL z+4>QDTLMQ^SfRSzl2(&^xTMtgt@Th)~nfCL`u6W#y0oj}XJ}(a1jW1yy zP)WwfXhUPd+%S8lycRN*QEr22^Y&1t!+nU~zJR0CI~(|rwD+xqYD@Nx+wpWTVTc87 zG;H;av{5@_kxsYna914*j@=6)>m7-)DkWGv>tu+XPq+iV3sPN<#$lat+7a(4b1t=>u|5N7Ngw^d-Ljz z9p4a)8_Am@Zc2Z)7%eAuD!3ge%`Y+8Zn9Dc^1Tn9?xew4F$u%v9FZ zzyon2{Vh<<*?tH&W|H%T%$00EF*1{>`ZKDNF`G|GI=Ux; ziCuZ1Az(F1f~+*#AiKOEhr(R@DwL#-03U^26${{cXhcT24PFZ4cd5*i7~tOQ+~=7R zhdWNy1Rc1a{+1t~lc&`tq84-gI1w?hUJ>iLu?{g!mdXj8dzNDtRq|qdiVf5d*g=PU zLo}~FElYGR0r$GYE}NlSd0&DD-qhRh7qr!vILWrFi8)>5Uk~z6$7RfG*BM@<_-8O` zcfTl0al6{_^!slqmfqLAxI8&PPa+~fc~J>m%7Q$&fW}n6dnD&J8YF&0#J*k#=Ahpf zqgYpxNRa)5MK%I*@Gfe0!>9sghZ&{Y&PlSrrR&^0Ye`i_4d_yL+vaJ6Mh!lCIbM1e z@UcjB*pY0i18~ZnD%qXr{R`&o#5iAjf-~`1--qUmvE~??ug#n>dbsfs2`7qKO56tt zr$0m~61=Nf=zJ;pTDD@Rvcsy;8$58JdsqT!JGo!8jZU;Ac&m7(GZ^=qGv~1nI(+67 zb*BYOTR{87mxQhZ5P00Tvx&v{woK%@MC{7ZJ_ra%JW|q#7xAO4>dto7u~TJ9$;s40 zqf1InjP|wLCMEiOA11I9&B0h1E}O48At@2G8NlX4ZPtyo(C!!}aduuYec{}Z5B&k$ z|Gr`yb1=Fq;T3X)1s+#H<2h~=z}pqpPsEI!j21y!6`B>VT9Tnhw$cc%mu7gqG(sI& zg&$XQ4B8@|QP8VNH>6H2iJ64fv?WMJtp#?SoJy^<{l|1Del#wZe+l zN@#fkS}uvWA+uc;p2Mu8)9SSy6av@tMgBwrc#-J03N5oAxD#6tQkwVK*cl}Sqd}vk z>Y_;oRg57#8|^dmC+f94k>F|*{pd+MWbG{s(qxa=NxqeId0jb2_6s3Ob3ESVp^flM z6oqk;>ZW+Hy6-_hUx+Q61Y~#ai#&c?mm-njrXsr@)@w_X+qLXU*7gGh>fr!b>jYYlPoj!5jPbG0=pQ zV?y1@6GfDn5o1SLN92E38kIURhOi8I0_|zVEJ)*M|KjpBpm-ToilbE;9~oxlwAK($ z9Q4vNtUU|7W9Z_Xfdny6{N&%Ajuv|NFUTxRti(Zl6(+S+OI(Y=Yp)}^0LD!B1!&x- z;R^&X=$V!2WR*Trj?=~)T897Z9qV_jalX%C#X)KQ9cKqFK~U7&ZI+RvGInIMKUuJ! zBsHM#@DL17@ncm%c439DNuoVEW_uIb|7Ha1+INXo!vm4=fZ8hNv(S!JbXoMBPZBYM zSeH?Ie^(@Ywnss`1!cO>`z+*cix^5iW0N`|v*~a7w&WrrDR`)nw(W?}? zjthrGAZ{fXrK4ZpWrZhjN~;(o;Y_QR>rX|L?km7_3vMJPd9<_*D=|v)87E6H;H2`{ zO-E0SyB_zbLnV`vF-2iS+oSEr~hf1)we|vOK7RPp(Ij;R8tB{hcT&UT_%S!Xh=0@=-Xmc@$ zA-OY(`>htY9~3h#v{Os9Rf~B8UZ9ami+RS}ARYyt4o=RZqkEbdbZb?K_0|9xuy6H% z#c-`ur&emCR>t$7K80h?aQHsOjZS5dKWDBu4tJQk7#+2*>+6et|8RHRL{F^Fq)4@~ zkUYOMC6w^$(S;eAgGF7v!BF#gytw z;k;og*A;i!@8`8S2ygS4Qyz@Y->x7<3fs7rRm2FO8M)&vGS_tpt4lc3jx;nsd2KF= z@IXj2k#eb57EELt?_|0YMp(epK^n&2a{70K@t9?K63MovFn`ODujKJe8KV-6;p^rE zP5_(?Bs~G%1uQMiVDh-Y&E|Fcf*WyLKd}-iI`=#ZUnWGcgx<|*QHv85ot7&aQZV^! zytOJ`=LL3rVg;2*vK`u~xKyf`y3ZBZIjgV+niFK46RpF6vtV46W;s06S{W+>GNk3z zx#t?x@aAa=w>41TasLNx?nfHynKiv<1@S`b`tZD|w#=f!;)3k5?5VbrY#JL#rVy5` zomva*klWC-6^6ZN(DW;a7I7D3a)ELFV8-)O?fJnUWV@0hX>v|yAXC!#Vl{X%n=y`e zN9i$!u%;TW_a-Bk?`xApQsfGFZX}C-0;B71dF*+2V&~3h*b$65{B-%Ym>VP!rN6NQ z3QT_?zpoh4Nd(z(=x0|jQzn5wN*v-5Uj@b`;wuYQ`%9;aKyj``eD>+8z7iWGl$apM z;VALfD6#u5O!*9Ve1FR$UsF%My*S(o90X^1Chm}C)fof1PiUcXkhY>!tF%UQv@{}L+8lHGR*ciGA-HrzE*@aCb@%LtQ{aO?hxmx%Z3lHkE( zBxL3=K6iaZQdN=F!z}tUt-uqHxM){f|2E2Ty^p)^3-9QyNti=)6Z2aKY54GGf$Cnq&X6(fn8ZZCiwOj820VM)p}WaTE7(Siamroid>7Q*AEBj z6={SX^~r)oy}BqQG9SdUI~Z4uw55LQ<#a8mH%~Z;8_02Vmjz?&Ia9w0T>7oSdUN=hNNE&uXRRxRc*?c+pVY+tP+WN8pImfY#<7 zZiW4^1VL<1VwtFIi;qisAJ#wkB$vF!CnQN~Zko?0COwL~k1mPMmfygx6Fe;)E|oJh zDCqg4-5E%+j^Kduao`B)&%B%tJQ%Z(Xt40I_JyuH zv#>B*)Z(*Ed>4dunKPMW*-}?!PFZe}?66~o8&*GG7d>TA39C20_XXqtac{ZJ5-Hh@ zHhXwn&e<5EeoXFK2#6Ve%R zu}9ISaCshMU1M=0gQjXIc^@KMG6p+5Ankg_uSZ_iwCo*)Ev%)FLHkW)6-L?4`6P=A zx2LisPV!*Jz`v-Od0lFS5wa<~Y)?sWvr6MKS+>J&tDfr0iEYF#rlT4+7BZO3L1mJ; z;wNQXk20pImBzh0=Q0`kJ_^f^IzLwLfkgHUqn((qjbdw|rxM4z);v1RF zpg+a6fpfKpxVX^qOL8G~#8~Kft+ZVP)w2(m6iuO;TOL(7rd zEtDlxLcX9v_Si8p`hDp8oY)FERbDI2N8j@xMd0ayA14W2$I&WTlQ(!Zgn6ex_TFR9 zNObj5hSGJY%VV!K>J+mYjov6{FY<0+7g_0C*KFKTY4@Hd)so{&I~7of-Ws1MRgX6o?@^f;zx%=30sG8*xbmb@L1UBnG};R(By##+Q! zLo%Y@SkFgG!&TI83_!H$O0ZQY+a$upA%l-vhH16b0G=Fn%#o7G9@K?H-#}JDLh}RCSu^s|5?^FR;~ls;Vk6u9%-jdz_RHz7uArG}dzMsQeu=+X^lP(E{qm z2@ly+-q$2~#`0bZ&L$UXo*Pnc^hzE(kJe_!Q~-O=-%-!jTez-yLopvPhjw44J4a2| z0{m8Y#lT`9Qu`!GwqWGbIh6A#%2|XSeXHtGI`MpUz73MT>B~8k|IzRJr<*;DDd*JN z!L5nZ_7j}_uqQrlmuY_(_dWJRZT^OY(7o%up@G%&)-X_ofU|=OA3~$`*>PGu zTZC&c9!#6viBdLZH-}M)$Ex>C(ly=o##&Z<%a~ilTZ$QU$HBLvF_In7|JqvNa2qE^ z3r!Jugi$KZ_YYI>JKaF@N0EGZ{vFzMBi301#)vGqwjRF|TqS6jT>?c)D-E}Htu*`A zN=HVF6kTOB&(JkRAU~COyH=vTUx^Q*L|VCv0HdFw#Jf-;&CH*nZ?|f9_$P)@-|jpf zpwZKgAj+hRfKY5Fx!#@(8Rc|unT@ajd}bf+-JLv<0QOW zI~zV2%DSd&y%?&&m1`JO-!F(1q7e>bJjM&G9mFB!U_s+rtwp!I{f96jx_1*^JX}9eihdqzt(MBeoT( zBGmxo1vxgF%C2I8nOcw5Z_w^oza2`Wx#k$jDQ*G&b9a={j@t^I?GkIM0OaS$^wHxR zt+gMpG4`IyxO1Z>4{9m~3}bPcdvTi69x^#LMt1a^=1whNf7l1|l_6g$PV+>wY=1<` z9t{f(XV_%MPC%x%idF6{g7#yUIwC$rFojxyNF}2XfnzHUK?&g`B_tKjQVS#JDi`)+%u>x}5|+0bOlwlh)6V&LOtF6gP-s z1}m_SxB5n;^X)}QYsc*DMEII?uDuZ9FoZuv_}X;Ju^Ks6A;-Iqo1|7qb6HgKB+s|s zgt*rq_e`QR$p}wC_)o}XN#D0O&+s5h_rwmfa?p7tuj~Gn7m>C>_Tl}n~9K?3{EoFn*b(G;V?O?LrhdB{XW7r86;0 zoipg8$JfpXL+U#(`c9_nhLBFwG9!=i@k+clOJ~OlvZ&3{an?E`(RsBI1~yX>+k2vM z$Y)he@;2Y-bXSZf!_?Kp(SFMXP671Ba&h6rK-=FO!n#tlwsTtBKRFWM*=*5H<$kT! z=Gxy5BE$X_+bCERY6k0x{rE2LYBd`2v$4yY-CDv zVZ=hyqLf68+TGKFt*&UI6?E>|fHzXaA``_gOrie1u_R~5^V}1bHK<7h#fnN=WLlKU zbuFON5pCXZp%!(yjIk4{m{l8Z$T~p2LTR2IM5&o_N(J4oYdoFENMC;;07VC&c=~&q z0e1|c8ITGnI)v=P!b}v5JIw54+{rK#0w;yga~Babm~Lj9*)IUs-hV^zl!@=H4AiX+ zwhp=@a9G7I^nNDrpyDLwj_)}3OdiAf1hsk;c2)s98A%qHfuGa985z4&8ZHM@50ZNK z*Y8aXlB{gw;=nCw<3h%Dd4Mm{X;F58ZFGSbCE-j@c2EhEqQNmp)h%)vvvCsYa07{q z?Yd9YXD?kU3GIpOj($5m-5jWtn=jpDrF&2;P9~G&?8q;2F1fJShkZTPt)#;1gJ$#&xA)e}`qtel30mE&f^!*LVOtHR0);A(o{YJr;{W}ijF3AHnp z##)B0s}fZQ=;{{fa7!005wh;Ss#MwT!ahmRaTzD#?nh9b$8NAz8V?{&yZ_lLSR+=V zN5d^|Ksn=Kbw;+A;oR%tj3)u(_YT212mAsvy%VE`9VV6T0d#)v#9Aa+=4$;l115p~ zersY~4}MGi9jEnI=;<$EA9TCxcP6~UHa?H}vyna5_irek#`J`yYI{3+XTcp3_q9}% z8ra>BqYZR2JcM=W#k$PG$-#BC_T0&w=h;RD>%10ch5%2>9$=xob{mX}b!j)jrT^j7 zco{veP-%w<)$V~AYTh(yNi=S{qtoe(DvhgPu$(;2-?H&|CaiC>do!2BEE3dxoUMAZ zFEL$b$-+$_Azg$QOdtLR(l#A8N|1#@uEyhy^j2Dnw4Hlombs`AtClFdv5TT*vVj7R zaKjb6B^v^@xHs8eeGTo89ZR?9JFr4&hyVExG{g2`rwl-RDj;t8h9F*Vq8T>*OTw6F zOLs4;8+X^j%6d|MsibR6h4xUI3I6s^%r$GcA&rjMb7G54^1(H%>~{L-Zy$O4cnxBG zGqCTRwE|*=m<{`SV87-Ey3r}^$5)iLZ-B?3n51pj)M%FbKGq>^v_-!@Pt!AE~w`CV12;O=- z;Yi{-5$j0L0K+PJK*ax%QQS+Sv3XE5;YO_Z%?W^mXJ*i`F z(4ZZbz=2lc#(Y{P>+~*ZnKnK&9&=(NFeXGHxq8CWiraUlcg2lC9Yi4^T#9!QZHU%G z33^JDpPn5foz5i3ShA_Zb+d8F9IeVW+}mi@PW-3E+K8DAP2GI~TFO$gB?Jo5Vr~3B zF|e)@)CV6>+W4LPVoF$G{Aga%_z{#QSVBe-y@Wkd!w92!6}d)gx&CQj8|SmU9kqDp z>bGK!5NZ5W{+;hDhjE>;Td!NQW|29&=ZWmx)hEU~Wb$d7VP zTndX5v_@!$BD^*&w$U{o7DXTr_XW)n0s1UFIKj#BVbhajrm7-z9uSwA0J{4ormF ztp^{D_&(QlvIQjTR9988thTD0iY^CZW%4}%M^stKYq!TEKTW3~6iJrdu^T3%D&vowk6;Ig1Y_mbW(>&cAj5`2vukM$j zKr8w1M&$x&O`O*;NsK6jHO5(a?vd_)ZaAyzaUPI%EW_B*xIN#K_FKk_q}9VV{uM5s z%`RZtc>8qE+v6-${QI5~9$FWkP}m``m_tP~_}B0Ey#E~UTTyc`;%$h3qbL3l3zB=R zZ8);s0<3LR?69$^nzaqwG*H_fHXTxF?5RJpU{J4jNUBzEIrrd_Kp&oCNn&eZkoQ@s zbI;Flr-JRb5LKeTk3-wdfHTdYoz+h>+%387X!F4kShA8g?F)KW+BJcNI$*t}CndaX z9WW?*b;zO_>gw{vqXIcsA!i#$5dBSvc%m8OE-ER&n^$trp|s5*0a%#u91g|ua`>G) zSKVYe=b`?Wpkx!;VC#Vw1|PU-Zwi7$Mo$V8>NPAPNz%EaOx`S2II#gW2}&wzdXlxF z^d%vrW6WGjH3%HW+)7kAv2#xo$Gc3jCT$zc0rt0sa3Vv=Xbmu>5poc?i#E{FBM)2f z^dtl4HiT+3!rI~LT&is-_N323<1n*tVAV+TF|bcaN`KM0$H?gyKx+02k9AJ%La+;I z(SRk$7%Kn|ke1Qx%yGnV*Ywde69Dr9a%M<5ZVt}*dDX7@uoj?k-iw#Hs~1-M)RYN| z(#q;B$X2(kq5=j6D89E0S}5a)pV(7QN!9Y2JF7@$q^i2cvltfo1C65AEz|g#m9}{> z-$cyIfYvQ&17KI8a^h9?_M-1yFLSeJm6y}5p&4Q!LvHw7^+V8;5?oJO!GX;IwIWT1 z8wTcR3%N@J6m^(FwKaFyYU(}Z;Fdx?4;F_i!4r*?M2VAmMNsYVA2qZ~*sd^1s=x-v zWa8z3lMOEO-BGX|A_c6iG<<0Ut_+zFjLV#-jo57hQt}s%lWedAN%~IkhTxy^3;lwC z4OeLEeV+ELx5r+LCTD{(-#*T7|CE9L%JdTH4uPkN*)WU|C-dUx zcY~MOI~LR-NN)9vGABWjTw1-+@Ow@w)}Hv^+ zo0nG0w5BooV#+ z2q$(kGrJXX^=9)b$B7N6{b^KkOmrPe=DML4e5)O{1i7|m%mdCVqhuClUZrcl#46$p zUHoKFC;*u!Gxy4yPbo-U0sk?~ymwWSo$R0`C8K4{Y?Ush)&W>W$p=IOg}vi9GT00nV^j1{eOAAjuNfEo$i?@8++Krc{xc zfszBMmLL`DHfkjXok7dXo&&kFm};NwNaWVEsa@gZFo<=zJ~-ttB@iC(y+DMD!U=MbMFaGZiVF` z7wil!J7JUM6%(V)d7T?BgOn-7^Do$wBk%tkv+LmKS2`ZmzZTY;XEqkv} zx_gi=(3bbKG@V+S<2`9!)Y2%^2>yGu_vf|um+(up!&OkvC6JR3I(NLqfFJ z-npMQaO(_`d4_^8#Z?sDXY&m;U+q+zbYie^<>iX+UElA7ueJ*lbwmW)@;vJG&x zfeUMt;92*JHFgfNb#l*a%m77r>e0q%UAM>-tQ`^aUN22D+2j=Lpj*2XyEg{9io*RP zSa%%WnN35jM47yQgxDR6aJWeak4iCkiZC@eI`)>O1y*;?y)mX|mw02JJwxyvdu$DIxHSEP?W&B+CWoDw!5axpSlUXPw>m&J9s7HdP8rUa{!vNK3)VqFZkqdWbAlK zlN>1cc$C$swH=y*t_P%Aj4FKEYvcHsGYLFpwgI*+;ZGu9oiy#8x7=^y-tm7h1^5YdaE6)hPJKEMTRsn6~R@PPtOc!#Eh&i$+ zj7e&7loR%Iz-eu*5o{2io;tO%YTme;z!xGr8t{WC?c?(on z?>THju5~68thO{8sRX+3#iNv8n4XB&De>wPlYf!+m_tya)kmXAmh*|&5>vCIIYqQS zmhyP);}g+?B2I3Q;Z5~z0T5cJ?KWJO6EhXPEQ&_Yv75B4Gg1hei!HoFtyYZoU=j2c z#i)QQx4VUTcdM&6zT}^8dVnmjvH(06F7W`Kq!ULzX${p6SQKfgLqUKfn6fS<#DI3CEnpuXF=F$5wH#A{C@J@?EobdJ}4D~^Sdee3u znONIS%pA4>eQf>*Pa(RCZxVRg&J_m)X^HZz4WSWnItfXa(~cjfu1;u&-e+*W*qq>5SJ= zezIXm7=8XHzzczWlN?r$azw!XY{i0wo^hI91Stg3e%}0HQQZb)srnp+cUABQLkN6SWgcZA?;|i{H)m1 za$stL#_50OZ)6pTN_iKhSX63#xO5!#iJ*AEuB9%}9~)DeuQ6g?;})5~PGVI4_Oa3& z^V7a%&M6K^V={bt`n#~M=i-DLR((}PeN`o#wn1PM6c=7*8}Alrzr@}q*;d7xVu6#@ z9u^Zx+uSViawUW9m%~CLYfoStZW+8>ftX`|Bfp{vuwFGYft?>AjfhH?!t_CsaMFoz zuB4Y^^ajPC%H~?htoOHUe_XG3m|G?CAX+EsWb8<61T3|1Y`ZWHrFq~ z@i$1(+l>4SlywlXz@!NOIk^wd#@)AZG24Q9;1XzS^fog;45=>RO^`eWc|>^|;vjQb z6SGa^C+s%zW4AHhZ5P_+at)@s6q0?bHL<2RHK@TM!G6u+*FX_<6dw$c>Wndq zhge9@XH~M^>Qu#$Mp%oeOAdDjJ!rr#9ky7o)Y-3byHQh2PfbTh&al3O{X1Pv+Rb{T%t%=Adz|G%pt!q(+r(e(oIR#WO(6zEwr^McmM?hFMwHJ4VK$cQcMCePWlz zggJ$L-%HS4e2lH%sG7V(_UdI3(nQdrevGy1%gLily|KQw-qZ?7+i-piU{4A|Jwj2S z;^F4m??1!t5`jH*E>{ICaN!sHcsJw=9k^w1ZF51#3|r|o0UwQLO_y?`+rmKune#>O ztVz*kP0<$uW>ErWQHnNaa=*|aoT!DXFo&jT???B%XE^_#Be^E5;wh1^b+$m-tEP*V zWx+bHPQ4aB)LufK-S9oJlZj14y=r441$yk~g8Q$D}pDXkWU*9;8$o zm}VVMlMDXs0b3|&o1d8V68=8_$#Bu8Pmzwchn#hu3OW1yEcVDM#z{vAQ}uJ+6>8=w z>p8?eJ(tB=NRmHOotwMZ+^Bbj9+JMn93G;J5qYfhYgs0&71rr()(kC$w=cy-FxV9(F zTDMJHtItxa4fQB3^VEcIo}ZO%$vidf+vjJkZf^JM5J!D+TR1>Uah`Q|t1Aq~#?Y(+ z(E3KYS3kYTA7mY}z-R>>!ps9MLuAk)-ULnRa=UaPG#>MUXhLL%bi8}v5{8rF*z-7P zcE1ex|8Rx1w`luug_MeX{>$t^y$V?h*s?UCM1RZQ{WjE#yUAr5QD76;QH$kG*wZqx zr_xSNQuoI$D~Oq5HZQ69k7?fPNzK|yd)8v1a`k%8|~a7aIaXF+SmGcSY1v> z8@646Zsuj?orLGjSFY~UkY2w`dvD-$xlSPaS8TmQ4X?H%zfI=b1&&T3(x4(Q0<5b5 zrzf2*WJOj${Ewfq^{}%l4+oaC?!6rR-v3^nmCC6Dy?i8tV{9L1X@uVZ_-BVs`z@CP zo{{>WH&c6Q(BnL03OwMfN$2N;GlxS>2k(zLr_a)q* z9@!MH;7O2oI9*QiCLJtwYVTyLWQV+ZbUya1&)#_4D58y|-v&-C@WrYR3P59jB`g8+ zGq$eJ7PIDK>9eS7q;?}|&gY_roJTPJmwC*>3^k}IN48JbtC?cNNQZfoBuQ(LqV-3E zUXVA#A8v-!E<3Sf>_qIVmo$1GykXpZNrr6<&11BzM>(%V!H>@6EOUmsB27X{<;M&_ zcEr0$a*Di0_P4COME(&YMNV|*fp(F%ToSFYW0>-*QEQ(wNgBw5#oo$%_ZaRoou=~>s_z0 zReH-TwlglHo%!{s?ZJz^rwX(NejF+XPL;LHpd_lpu$$@HSFkm$e37K`MOm<+dcUO+ zSaBwvf-Jwm6DM!N+i3Uquuwh3+7UcTKGr_XU*Xw|*q4F{gC6EhfsW|}E5jbd!zx-v zyth>-!o9s{l=L;y9%)zEUxsGvkl4?CT*7NZ*H~tv^am}!K`7kqL)xqzD_G?Sy_I5s zcOr(g)c!Q|&qI@}^zOY8dL;_C4+(yKFwd_vOJuv{EQ2P^>jouA-4}cm^|(Ec4&50H zos>M%u-_!fSk(f~^*=wHB-%x8Myq7kdyNDa?E4pJuTR4)K6dezb_|I1-))#ScH+6S_R!h32L|;s=Hx14#Nvl7y0+Um+)IE5iuUXo*&41EGP1%rd~uzn(#~YZ(BVe1|1#VpC^}V6 zCY!QE!GN_dJIV(Z1Po}x=6(7Je2f_F%z;H~HPtSH8Wfq#7|}x_lN)_T+%WZfX@#8m zxxuQlLryRLxmIxkmqKDSt%4xwiqOT}LVugA``54-Av7uqr#!UtzaSn1baSRPVs83G8)zkYQz6ym4Lg_u`I5Y; z(C_sI|CzYa;sN~vy>+RB@_n&gk8!bs-lW6M3z`@xLWaCeXeB(n#0$x!pF%hkjRFp_ z)i{qkcuBAA+AgU!2YR;%+fV|miDzvMcmSRtc(YX<===h-eRR;|^_})#xpE~X^Juq% z5B%w2JlMtx1}Vo0@TmxEga(OUmn98H>|Dk}2C+;^l8$Sdft}hfD0Pz9bS^X5Dk{fR z-D+Vq<=w00)n)Nb$8#Mh_baB&=TG|q`=wkr*^bcE565F z`A>e75w#!XaEiW|Yf?*v1(A5(p&sp5Qp}8C>l&2Oh*B_{3SiF`d0YIMum>2>;E4o; zFu!|XG`B;}aY;_dWfF|*JILNO-L0=eF&8OpLhqfNlR>}eV2hSYZ>UW;*>cpqNp9rK z=pap(fNvrNxj|`1DzCI$OGl}irTI9G3{xnz)L~d>nk%V#&=U5k`e|4#9nDePKl@Q~rHOn7v}$XP|J8@3f2miPeGjFnsQ``v~!D)9>lN~B{ZU>>^!(B;s^`e!-l zm_e*#0aGPLSRi!28BXR;#Kcbd9M%urDyMxSjG<7NT*09EDRAJl*j9zzz-06F<|*c> z@b@_Hn3J=xK!$t*Fyl5RDcv>{qx~q6HYWzb=PF&jFEOy-S>ts0KJMtqG001V8XokCx+$Kiwbw5l>-8)}z86^iSmMwufPh8)4beS4Sf%yg zUeHAdW)*g`42?}hqVT&J1`OPB$8fCm^?Tg`ySfy&bR9y8-s z_ES5;m*W?>f=vZ{qqDC->wq zQNsLn)k;LUd*(w^_3A!vdBa@`nS%24y?G=jbgZt_Pf z$FfDRp2~(Op{mc$!+!j-F>9SA$y2IhOXg4Odi9uwaSH5hLC!LH9>048KS8UQx}U(PH%3uT~*l$XUc_oH@uI zp^SK>#Ji_f*(OHFyY7oU!G@r`6U@ZS&|0SVHb6>5shfjSS$iAq!X2Lumm!z+M-X*Q zuH=A^lp|P|0o=|Y>ADq^7bzDP{xbuA25(CoJZywHWU>}E zoUDbx=Ge`t#g1Y;3$D`C5{DB{Xc>55XghCXHi#$LlIF|W<1l(u4@gXY$H+Cf_JR0bQP!K&N-XpZxgG^2p&MmGBLO9byf z4nXGvH%N!J<6ej|$nn0FGa!eGl5D$H@?Kys!3&&S;jN^C>f2C~uusGR@z3 zl&n`9eEHLPZ})*rc{841V`Ih?GlO32Y8J4_bs-8=F5k*h(6*-=)rQc9oM?oMO1v5+ zQ(Y(*ZKjfM>uWP`VU!$b=eajIUqMN$^r+N`G)>LeFOiFSmbIQFO7ly2s~%?&^@QlL zWX~g>_>=@kd#Hy?hVLwhOcj;olI9v@9hLw|CqgYG8E_*uo>_1`L!M)PU7Lr~d2MRA z4C@bgrggFgIM_rLGmeir(RL$K2@^2O(EEIherL9e+Q>VjiI*lYX9~s|^%}G?!EaRW zGZZJYGy9B~DezDP&G<`=z)b{Y_D;K^iMXf?hoO4GbPBIPbUnoxo%Ar}9=K z+Cvg=I;=P1?vX~FIUxx6jecJ=(wGxOYa^g_uqP3-B; zpr=-qrW0mxKdkt@ahjO`d(65@EeFN|B~+$H$+9WdTD8;9nVtJP@+L&d_4k%JA77Pv zU#hb*b-a*QdK=qvUs>_mj@cn)g^+z{FtSRMD6d5d-69dY#}+(gtC?1K z(+lb7$e1ARWaeY{u0d^RhcjjsPF|I5WpHKv?S{*0LkBmFYkQU13+?nPursfM0~Q#6 zvU~=L@Lh@o`@n2|GI$({uE$1n8ho!1=VR#=Ihmxj-q4YsVwyGmbItjeT!~t)*;l}` zcqmGBMGudOh%U|Hn=A#P_7q7m-i%v&J-uBYrNY}#w8JT;xRZxLSFCf7gU!dhdiZSv zXw+jNq5c3uO>a}ZWG7(-?rcjS@;9$$*^)|-sUf>miOqo3*VNdmUA6OJqoyyepS)9F zES;P(q>}a89QIz3!KV~<*Mn(A5Q#Zq$pg<^dp?T0qS!SaWeYMq2z&#Z45iMj?AcTw zO2JG-IXGQ#8@kNNE|h~!o#YsM;1g-rBeyJV_N_>=V|Kf~k@1`3C$1(vdEjLl zHv_3Re6#lcX1~Wu{;_S^&d-#Q@D4#Xx35t%c95r&4A|TjG@IKQJ6voH!uPN`KN`-?%eiEqq!}~hYo31N@w*g%moVZhG@NWlnqw*#1sfv;uFPhQ zLg8Hk>ZTA#cdM2zGFR^n0X-&;p(O{gsu$oEiJA@p|0S)5&OH{qdGsLN%V!s)Crz?} z6#@9qF6c8#^*`_-0R7!fG$yEn$>5=WB%4C<_vanGk~OZ6WTQ4p5^S&S1D@HQ$%wKL z-$7oU6<;Q(GZ}_WZ8Ar`5D9yY05(yeBJ)z(7l(SRIV}wH*y19|JF|0(?Y=^ZZwtXeWh{KLd z{%By^iP2aP#tz*(e_$kLpapWSUWo-}1uajWe%)Lk%{G5vB;t@JFcM(}u0ll{33#zW zS}N&DE!AueuKGIqOS_h48G!aed`2^@J4$%Jl89VYCh-ACnkJS<@ zVV{^WS7_8g*@IpSWUiP%Hx3?W18ms<)93WS73hr(EyaBVt$B^3aByGv_Z-cZK)uu} zkB7&M3AEtXTH5nS+aQxXnjNdt0NBP!QzX5jSNH98rjevW@j|w7j&}e5J=#H*nLHZw z#`_yiLSMdbhN90-W6vzD;RuqD^G2OsDF8(Yy{_Qs#sV8dA3y_ookOM8(i{cubcNEA z4$EUhGdhY5n?TXY?#MH2_3?RL>{dcvzMJ~ezXvyPSq+^(Lm7b4Nx+J*Zic%cDAHQo z7gr>dPvgj=hq0W56y3PX5OhN!+eL3c(Y(@da#qOIe!xC2C-k-6CDnOSdgg%0k^Q7f zM2_J_!aVNK2*v***%P%zYsMNvIo~o z{uYz}5Po-QzcrVQ$`aVyJA~E+X>D9F{g7l(jT!Le$qq?G-)lumn!(j*`>#;aA>vWq zw-0piml)_yNJY@xBrWrlpzSo@o@Iu0Y3ggzySTF#EecWhb4??NR!^2+oG9tuKT_z3 z^o>Nf&B8w(308cZ2iyUV_r3<7;9>Wf3maDog;Y}t=JqN^5a_L^-ZRrpD}`!W%5ob1 zQhrG5@5n2Mq4c=XU0A5P^%uoNJ9qG4yxOuP9kUl*~y#hUv0%pXM#8`7K1I_y% zxNn@bts?KrxpJ$Fd%^pUVl&T>^WE;rpkBZB11KN{yomz$Va)rvJGzCqQ7(tQ`YubW zY(jeb`wJ#hzU$t8tOnsvt$MxLlLOCIt%;C}5fxMS0-W01H=r!9MF&thUE&YI$uHaT>3N7gyE0AVKXy z3<;r^LkOJ&;(G+c%lnIvvt{t#Ql7G;vW`6K_7$OVEIkVYE%|8x!t1Q>4IBco<<-Da zv^0Syio^8^hPTGoufPq9v8=qz;_{;6vizc%Q_|Snyv+RatZe73TsAYiEVF24X;DEo z%buCxEXXb|%`V6(pH-ZdQI<`pW_clO1{KdKDKE;&DJMI^EHA5&au;OWLgs`t!+M1o zb74QLtRz3Xlu9hmpIKU#QBY7GC^G9OaWIG%Ft#@*BOlIeN@tZ*?#x*wCD}8}SfC{2 zE-5S3JoT2(!XulLF(bRYXl6O-;IQJNIWVk8?LkalMnRcY{=YPY8V^MIUt8GwA}1f+ z?KO?u+f}XVS;aja?2XOJFV%bs|4Z_MSu_77E_-ff!K|$8^4a--Tz*yn_`UULBT8qoU-EbpERX-F8ZpCRqDh53^Z%MOiNi@lAV)3xBqi_X;}&27O;1iU0T}zxt!Dv z(0FZRY2a99K|bJIo?pyzO0u(WMJuyQN--^1X@2g^9vg-j_iUt?J((2)`1v$zSY8>L zNw%W`PsK$T6)mnfqbx7*l$nv4T~el5J7hCw7iO1ZW|fsdk}7mYPgTR*<4dLEm%aK$puc&s6&#id@2Ox0q0m)_O*^4g02Z~Euxd83t7UQyXE z4+2-~=>I0Q|C{nkcfULcT+P$}O=|x)?zxdQZeBWaJ$;u{?g}yicX_;#a ze!(*L)z!baVwo1Gu9;t>JuI#5lYp29{Sqxs1Ng$l^ECm9@l<&4C{SeYGsRO%8Z2$p z`U2VxWPdgrxKd$*GLi-&9+23X)7s0&!+menFPD2C?7^ zi*HO$OPM$s|I*XhQxhI^K9ZHT^xYrTU0eUQ>(tNo&7N{D^xQ358m2w^(H$eVKlQxf zQ|@PtVXv)Cc68hqJgffp*J`iqIIKLU|NQCtb5HNxyYT7b_vgNL=8a$P4S8o%u%l+| zsd3M*sh|G&w)Wfp+H_%g$;~%CwfK$Xwgd4(`TMl=UqFt_R&qncb?Wo=E%KUMi{HpMitxz)8?$`1;4?q_wr2c- zuNxk&uc_F&B7DVxHAenT7=n4N`5)EATYlJl;k9p8EPX?1=M-A6|IH@^iGW`N-C+zy zi2j!!`TjhvN)UM*>;Lj0KZySlIWPhlDQ|B=dZzFHt)D(Wj{h4P2rTA*{@8jy3H0d= zT>YD8{^@5;-=`8}Z# z431-J3f_fr3^7c)Ehsb|D~K17)}U+PDb}Flw7(`SY`$mCiGoQC6P&D;)i4)>eH{E< zi~_DfTqY}IDJ+d8N zG3t;|hlDyL)Det2VAq*>P{(x8g1^J}U@%jDI~0G1F~wnG%BzT56~dH_K}<=~~<*wwEE?-cab z%w({~I*}m=V{S(t`rLpo)$!k?saxQJ6I>QRd4ac<&T`_8!E$lJ&%qreYi227vl_LK zEv^V)Lb$Zps2&C#(=VV$^)ES*{rMIsWAJwn0)r43guoyK1|cvAfk6li zLSPUAgAf>mz#s$$AutGmK?n>&U=RX>5Ez8OAOr>>FbIJ`2n<4C5CVe`7=*we1O_26 z2!TNe3_@TK0)r43guoyK1|cvAfk6liLSPUAgAf>mz#s$$AutGmK?n>&U=RX>5Ez8O zAOr>>FbIJ`2n<4C5CVe``2QOMh_=!KM_A+#adm~8anZDi2 zIfd+TeolJClC)~9Zk&#X$MN2DWD7%6j_!>Z{QEBuAm7j<^#R>;Rt!twnJM{su+_yR zMSCuw=Q{%Nl-U!1bsQ*s-+*w_fbio3!W##K+XjSxHz54lfbiP`!k-QZcMS-CGa&3A z5DrfGX@5ox2*(WwPaF`I280U-gl`=Xo;M&|J0QGjK)7kkPuus@fbfF@(*I&Wc*}tB zjsf964hX+KApHJ-@RtL^-2=kk4hUZw5Qe`lh2~A~XV`%7H3PzN1Huyrgrx!D83V!} z4zMvWd%*jO0b$R8@O=Zq4-N?bVnBGyfbfn1;nxO)ouy^jr(vCe>^nGNJW0V{`u5sS za=YEB6-lmnNlD4+l~YpF(x=RuJlQobEd^HXDwAM8skW-R%2ijz`dL^)cEQ?hwXsr zV&SKE6KvJsnLd=xjJVc*=_oD+ar^tVh2qi?SBAWJ?E7RQ?&SgL<{<9C=Bw!_@12PI za6sHz#I^RzONBmxxPpFlP+lM6p6Qp4;$A@93j^X_L0o&kI4bXL#O)jq*NM1S2gF@K z+=u<*sE%QAfN#GzD$jwqPY1-^h`7)D#SxruMqDT25-1ZsRNg|w9q5;i;+7-sodIzV zAns7VI4Z9l^JOmJ(z|Xc?=O+ghH;bdOdpDS7IAq4;I{*D3;M-Td4ED&HR2RJ(}&{z zjJVT?vrz;-6!#h8f>B5RdQTy)ctCmoM4a3&9p!x)ZT1X^+k-gR815^N(!Ghe=6-S1 z4+eY+{=F1>qz}b~Ant_$aeqPHode>oMY@;!#Zi6-;@;^u|ES*ah4j5mr&o^n#fs^dCx&=7=)%)J zy5{^Z|2X3psZ(!GyDRtMLm#jF+1)z}rlA4s_NPJQc+hu7~fj*727I&{{!X}`Xhc4nQcajO1j8)kY;FHc&w>q5oF z`?E&P8L@GF+oJJ5g#SJ3t%^zO9}4+w<=MjZpN+dqD0$I#KKX{5-ci;hzVOv`ZF?SW VnXz+w`Tm4Ijy)Ih%)C##|34I|jI#g$ From 88382a7291cfe3b67f03a248e6616927cd8742a7 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:26:57 +0100 Subject: [PATCH 09/17] keywriter: Shellcheck fixes --- key-writer/keywriter.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/key-writer/keywriter.sh b/key-writer/keywriter.sh index 5d1f005..486b02b 100755 --- a/key-writer/keywriter.sh +++ b/key-writer/keywriter.sh @@ -9,14 +9,15 @@ read_config TARGET_DEVICE_SERIAL="$1" die() { + # shellcheck disable=SC2086 echo "$@" ${DEBUG} exit 1 } TMP_DIR="" cleanup() { - mkdir -p /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/ - echo "KEYWRITER-EXITED" >> /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/progress + mkdir -p /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/ + echo "KEYWRITER-EXITED" >> /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/progress if [ -d "${TMP_DIR}" ]; then rm -rf "${TMP_DIR}" fi @@ -81,9 +82,10 @@ update_eeprom() { #update_version=$(strings "${src_image}" | grep BUILD_TIMESTAMP | sed 's/.*=//g') TMP_CONFIG_SIG="$(mktemp)" - echo "Signing bootloader config" ${DEBUG} + echo "Signing bootloader config" writeSig "${RPI_DEVICE_BOOTLOADER_CONFIG_FILE}" "${TMP_CONFIG_SIG}" + # shellcheck disable=SC2086 cat "${TMP_CONFIG_SIG}" ${DEBUG} # rpi-eeprom-config extracts the public key args from the specified From 9333518cdc95d80bffb7656a5bd2fea04a31049a Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:27:55 +0100 Subject: [PATCH 10/17] keywriter: 2712 support --- key-writer/keywriter.sh | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/key-writer/keywriter.sh b/key-writer/keywriter.sh index 486b02b..12f1ff5 100755 --- a/key-writer/keywriter.sh +++ b/key-writer/keywriter.sh @@ -97,17 +97,17 @@ update_eeprom() { # 2711 does _not_ require a signed bootcode binary cp "${src_image}" "${dst_image}.intermediate" ;; - # 5) - # customer_signed_bootcode_binary_workdir=$(mktemp -d) - # cd "${customer_signed_bootcode_binary_workdir}" || return - # rpi-eeprom-config -x "${src_image}" - # rpi-sign-bootcode --debug -c 2712 -i bootcode.bin -o bootcode.bin.signed -k "${pem_file}" -v 0 -n 16 - # rpi-eeprom-config \ - # --out "${dst_image}.intermediate" --bootcode "${customer_signed_bootcode_binary_workdir}/bootcode.bin.signed" \ - # "${src_image}" || die "Failed to update signed bootcode in the EEPROM image" - # cd - || return - # rm -rf "${customer_signed_bootcode_binary_workdir}" - # ;; + 5) + customer_signed_bootcode_binary_workdir=$(mktemp -d) + cd "${customer_signed_bootcode_binary_workdir}" || return + rpi-eeprom-config -x "${src_image}" + rpi-sign-bootcode --debug -c 2712 -i bootcode.bin -o bootcode.bin.signed -k "${pem_file}" -v 0 -n 16 + rpi-eeprom-config \ + --out "${dst_image}.intermediate" --bootcode "${customer_signed_bootcode_binary_workdir}/bootcode.bin.signed" \ + "${src_image}" || die "Failed to update signed bootcode in the EEPROM image" + cd - || return + rm -rf "${customer_signed_bootcode_binary_workdir}" + ;; esac fi @@ -161,15 +161,15 @@ BOOTCODE_BINARY_IMAGE= BOOTCODE_FLASHING_NAME= case ${RPI_DEVICE_FAMILY} in 4) - SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/pieeprom-2024-05-17.bin" - BOOTCODE_BINARY_IMAGE="/var/lib/rpi-sb-provisioner/recovery.bin" + SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/pieeprom-2024-07-30.bin" + BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/recovery.bin" BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode4.bin" ;; - # 5) - # SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/pieeprom-2024-05-17.bin" - # BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/recovery.bin" - # BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode5.bin" - # ;; + 5) + SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/pieeprom-2024-07-30.bin" + BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/recovery.bin" + BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode5.bin" + ;; *) die "Unable to identify Raspberry Pi HW Family. Aborting key writing." esac From 31578d26890d8995411348206d02ccce8a848244 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:29:29 +0100 Subject: [PATCH 11/17] keywriter: Only print metadata in real runs --- key-writer/keywriter.sh | 100 ++++++++++++++++++++-------------------- 1 file changed, 51 insertions(+), 49 deletions(-) diff --git a/key-writer/keywriter.sh b/key-writer/keywriter.sh index 12f1ff5..b836be3 100755 --- a/key-writer/keywriter.sh +++ b/key-writer/keywriter.sh @@ -219,59 +219,61 @@ mkdir -p "/var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/" touch "${RPI_DEVICE_SERIAL_STORE}/${TARGET_DEVICE_SERIAL}" -USER_BOARDREV="0x$(cat /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/${TARGET_DEVICE_SERIAL}.json | jq -r '.USER_BOARDREV')" -MAC_ADDRESS=$(cat /var/log/rpi-sb-provisioner/${TARGET_DEVICE_SERIAL}/metadata/${TARGET_DEVICE_SERIAL}.json | jq -r '.MAC_ADDR') - -TYPE=$(printf "0x%X\n" $(((USER_BOARDREV & 0xFF0) >> 4))) -PROCESSOR=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF000) >> 12))) -MEMORY=$(printf "0x%X\n" $(((USER_BOARDREV & 0x700000) >> 20))) -MANUFACTURER=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF0000) >> 16))) -REVISION=$(((USER_BOARDREV & 0xF))) - -case ${TYPE} in - "0x11") BOARD_STR="CM4" ;; - "0x12") BOARD_STR="Zero 2 W" ;; - "0x13") BOARD_STR="400" ;; - "0x14") BOARD_STR="CM4" ;; - "0x15") BOARD_STR="CM4S" ;; - "0x17") BOARD_STR="5" ;; - *) - BOARD_STR="Unsupported Board" -esac +if [ -z "${DEMO_MODE_ONLY}" ]; then + USER_BOARDREV="0x$(jq -r '.USER_BOARDREV' < /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/metadata/"${TARGET_DEVICE_SERIAL}".json)" + MAC_ADDRESS=$(jq -r '.MAC_ADDR' < /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/metadata/"${TARGET_DEVICE_SERIAL}".json) + + TYPE=$(printf "0x%X\n" $(((USER_BOARDREV & 0xFF0) >> 4))) + PROCESSOR=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF000) >> 12))) + MEMORY=$(printf "0x%X\n" $(((USER_BOARDREV & 0x700000) >> 20))) + MANUFACTURER=$(printf "0x%X\n" $(((USER_BOARDREV & 0xF0000) >> 16))) + REVISION=$((USER_BOARDREV & 0xF)) + + case ${TYPE} in + "0x11") BOARD_STR="CM4" ;; + "0x12") BOARD_STR="Zero 2 W" ;; + "0x13") BOARD_STR="400" ;; + "0x14") BOARD_STR="CM4" ;; + "0x15") BOARD_STR="CM4S" ;; + "0x17") BOARD_STR="5" ;; + *) + BOARD_STR="Unsupported Board" + esac -case ${PROCESSOR} in - "0x0") PROCESSOR_STR="BCM2835" ;; - "0x1") PROCESSOR_STR="BCM2836" ;; - "0x2") PROCESSOR_STR="BCM2837" ;; - "0x3") PROCESSOR_STR="BCM2711" ;; - "0x4") PROCESSOR_STR="BCM2712" ;; - *) - PROCESSOR_STR="Unknown" -esac + case ${PROCESSOR} in + "0x0") PROCESSOR_STR="BCM2835" ;; + "0x1") PROCESSOR_STR="BCM2836" ;; + "0x2") PROCESSOR_STR="BCM2837" ;; + "0x3") PROCESSOR_STR="BCM2711" ;; + "0x4") PROCESSOR_STR="BCM2712" ;; + *) + PROCESSOR_STR="Unknown" + esac -case ${MEMORY} in - "0x0") MEMORY_STR="256MB" ;; - "0x1") MEMORY_STR="512MB" ;; - "0x2") MEMORY_STR="1GB" ;; - "0x3") MEMORY_STR="2GB" ;; - "0x4") MEMORY_STR="4GB" ;; - "0x5") MEMORY_STR="8GB" ;; - *) - MEMORY_STR="Unknown" -esac + case ${MEMORY} in + "0x0") MEMORY_STR="256MB" ;; + "0x1") MEMORY_STR="512MB" ;; + "0x2") MEMORY_STR="1GB" ;; + "0x3") MEMORY_STR="2GB" ;; + "0x4") MEMORY_STR="4GB" ;; + "0x5") MEMORY_STR="8GB" ;; + *) + MEMORY_STR="Unknown" + esac -case ${MANUFACTURER} in - "0x0") MANUFACTURER_STR="Sony UK" ;; - "0x1") MANUFACTURER_STR="Egoman" ;; - "0x2") MANUFACTURER_STR="Embest" ;; - "0x3") MANUFACTURER_STR="Sony Japan" ;; - "0x4") MANUFACTURER_STR="Embest" ;; - "0x5") MANUFACTURER_STR="Stadium" ;; - *) - MANUFACTURER_STR="Unknown" -esac + case ${MANUFACTURER} in + "0x0") MANUFACTURER_STR="Sony UK" ;; + "0x1") MANUFACTURER_STR="Egoman" ;; + "0x2") MANUFACTURER_STR="Embest" ;; + "0x3") MANUFACTURER_STR="Sony Japan" ;; + "0x4") MANUFACTURER_STR="Embest" ;; + "0x5") MANUFACTURER_STR="Stadium" ;; + *) + MANUFACTURER_STR="Unknown" + esac -echo "Board is: ${BOARD_STR}, with revision number ${REVISION}. Has Processor ${PROCESSOR_STR} with Memory ${MEMORY_STR}. Was manufactured by ${MANUFACTURER_STR}" + echo "Board is: ${BOARD_STR}, with revision number ${REVISION}. Has Processor ${PROCESSOR_STR} with Memory ${MEMORY_STR}. Was manufactured by ${MANUFACTURER_STR}" +fi echo "Keywriting completed. Rebooting for next phase." mkdir -p /var/log/rpi-sb-provisioner/"${TARGET_DEVICE_SERIAL}"/ From eff8515ef7afe05af9e012ea7eb2341f25e3a858 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:42:40 +0100 Subject: [PATCH 12/17] provisioner: 2712 support --- device-provisioner/provisioner.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/device-provisioner/provisioner.sh b/device-provisioner/provisioner.sh index fcec637..19620ae 100755 --- a/device-provisioner/provisioner.sh +++ b/device-provisioner/provisioner.sh @@ -188,7 +188,7 @@ fi announce_start "Finding/generating fastboot image" -case ${RPI_DEVICE_FAMILY} in +case "${RPI_DEVICE_FAMILY}" in 4) # Raspberry Pi 4-class devices do not use signed bootcode files, so just copy the file into the relevant place. cp /usr/share/rpiboot/mass-storage-gadget64/bootfiles.bin "${RPI_SB_WORKDIR}/bootfiles.bin" @@ -308,11 +308,13 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img" announce_start "Initramfs modification" augment_initramfs() { + # shellcheck disable=SC2155 local initramfs_compressed_file=$(check_file_is_expected "$1" "") # shellcheck disable=SC2086 mkdir -p "${TMP_DIR}"/initramfs ${DEBUG} # shellcheck disable=SC2086 zstd --rm -f -d "${initramfs_compressed_file}" -o "${TMP_DIR}"/initramfs.cpio ${DEBUG} + # shellcheck disable=SC2155 local ROOTFS_MOUNT=$(realpath "${TMP_DIR}"/rpi-rootfs-img-mount) pushd "${TMP_DIR}"/initramfs # shellcheck disable=SC2086 @@ -371,9 +373,9 @@ if [[ -z $(check_file_is_expected "${RPI_SB_WORKDIR}"/bootfs-temporary.img "img" 4) echo 'initramfs initramfs8' >> "${TMP_DIR}"/rpi-boot-img-mount/config.txt ;; - # 5) - # echo 'initramfs initramfs_2712' >> "${TMP_DIR}"/rpi-boot-img-mount/config.txt - # ;; + 5) + echo 'initramfs initramfs_2712' >> "${TMP_DIR}"/rpi-boot-img-mount/config.txt + ;; esac announce_stop "config.txt modification" From d67111b780a682c908112a9fda905ae267b7139f Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:42:56 +0100 Subject: [PATCH 13/17] check_pidevice_generation: Support 5. --- host-support/terminal-functions.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/host-support/terminal-functions.sh b/host-support/terminal-functions.sh index 1e76379..19c40d9 100644 --- a/host-support/terminal-functions.sh +++ b/host-support/terminal-functions.sh @@ -92,6 +92,9 @@ check_pidevice_generation() { 4) echo "$1" ;; + 5) + echo "$1" + ;; ?) echo "Unexpected Raspberry Pi Generation. Wanted 4, got $1" >&2 exit 1 From c19a5fc9cb21c8e611e0b3d2bddcbfa12aa9bce2 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:43:36 +0100 Subject: [PATCH 14/17] debian/install: Remove included recovery.bin --- debian/install | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/install b/debian/install index a0a0349..a17ba63 100644 --- a/debian/install +++ b/debian/install @@ -22,7 +22,6 @@ host-support/fastboot-gadget.img /var/lib/rpi-sb-provisioner host-support/make-boot-image /usr/local/bin host-support/rpi-sb-provisioner /etc/default/ host-support/bootloader.config /var/lib/rpi-sb-provisioner/ -host-support/recovery.bin /var/lib/rpi-sb-provisioner device-provisioner/provisioner.sh /usr/local/bin device-provisioner/rpi-sb-provisioner@.service /usr/local/lib/systemd/system From e759495e3e4758b84188bff85f7bbfe37d7689dd Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Wed, 11 Sep 2024 15:48:16 +0100 Subject: [PATCH 15/17] v1.1.0 --- SECURITY.md | 2 +- debian/changelog | 4 +++- debian/control | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index c4a6799..b0c24ff 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,7 +6,7 @@ Only listed versions receive active support, and $HEAD may be changed at any tim | Version | Supported | | ------- | ------------------ | -| 1.0.3 | :white_check_mark: | +| 1.1.0 | :white_check_mark: | | 1.0.2 | | | 1.0.1 | | diff --git a/debian/changelog b/debian/changelog index e841aa9..5a511fd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,7 @@ -rpi-sb-provisioner (1.0.3) unstable; urgency=medium +rpi-sb-provisioner (1.1.0) unstable; urgency=medium + * Add 2712 support + * Add metadata gathering support for 2711, 2712 * Demo mode: Expand coverage to all Fastboot commands * Copyright: Correct license * Config: Prefix DEVICE_SERIAL_STORE with RPI to match docs diff --git a/debian/control b/debian/control index 54e82d8..c3dd902 100644 --- a/debian/control +++ b/debian/control @@ -9,5 +9,5 @@ homepage: https://www.raspberrypi.com/software Package: rpi-sb-provisioner Architecture: arm64 Pre-Depends: dpkg (>= 1.16.1), python3, ${misc:Pre-Depends} -Depends: ${misc:Depends}, fastboot (>= 33.0.3), python3, python3-pycryptodome, openssl, cpio, sed, android-sdk-platform-tools, awk, xxd, rpi-eeprom, rpiboot, coreutils, curl, bash, gzip, dctrl-tools, diffutils, findutils, libengine-pkcs11-openssl, libp11-kit-dev, gnutls-bin, jq +Depends: ${misc:Depends}, fastboot (>= 33.0.3), python3, python3-pycryptodome, openssl, cpio, sed, android-sdk-platform-tools, awk, xxd, rpi-eeprom (>= 24.0-1), rpiboot, coreutils, curl, bash, gzip, dctrl-tools, diffutils, findutils, libengine-pkcs11-openssl, libp11-kit-dev, gnutls-bin, jq Description: Automated provisioning of secure boot for Raspberry Pi Devices From 8a0e42887ad899ae0b9eedee199035cf2eecacc1 Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 12 Sep 2024 15:36:51 +0100 Subject: [PATCH 16/17] debian/control: Use September EEPROM releases for 2711, 2712 --- debian/control | 2 +- key-writer/keywriter.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index c3dd902..068af56 100644 --- a/debian/control +++ b/debian/control @@ -9,5 +9,5 @@ homepage: https://www.raspberrypi.com/software Package: rpi-sb-provisioner Architecture: arm64 Pre-Depends: dpkg (>= 1.16.1), python3, ${misc:Pre-Depends} -Depends: ${misc:Depends}, fastboot (>= 33.0.3), python3, python3-pycryptodome, openssl, cpio, sed, android-sdk-platform-tools, awk, xxd, rpi-eeprom (>= 24.0-1), rpiboot, coreutils, curl, bash, gzip, dctrl-tools, diffutils, findutils, libengine-pkcs11-openssl, libp11-kit-dev, gnutls-bin, jq +Depends: ${misc:Depends}, fastboot (>= 33.0.3), python3, python3-pycryptodome, openssl, cpio, sed, android-sdk-platform-tools, awk, xxd, rpi-eeprom (>= 25.1-1), rpiboot, coreutils, curl, bash, gzip, dctrl-tools, diffutils, findutils, libengine-pkcs11-openssl, libp11-kit-dev, gnutls-bin, jq Description: Automated provisioning of secure boot for Raspberry Pi Devices diff --git a/key-writer/keywriter.sh b/key-writer/keywriter.sh index b836be3..00a4ac8 100755 --- a/key-writer/keywriter.sh +++ b/key-writer/keywriter.sh @@ -161,12 +161,12 @@ BOOTCODE_BINARY_IMAGE= BOOTCODE_FLASHING_NAME= case ${RPI_DEVICE_FAMILY} in 4) - SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/pieeprom-2024-07-30.bin" + SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/pieeprom-2024-09-05.bin" BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2711/latest/recovery.bin" BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode4.bin" ;; 5) - SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/pieeprom-2024-07-30.bin" + SOURCE_EEPROM_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/pieeprom-2024-09-10.bin" BOOTCODE_BINARY_IMAGE="/lib/firmware/raspberrypi/bootloader-2712/latest/recovery.bin" BOOTCODE_FLASHING_NAME="${FLASHING_DIR}/bootcode5.bin" ;; From ff5c90375051bcfc66abb1e7877ac377aae43bcb Mon Sep 17 00:00:00 2001 From: Tom Dewey Date: Thu, 12 Sep 2024 15:38:35 +0100 Subject: [PATCH 17/17] keywriter: Remove extraneous log line --- key-writer/keywriter.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/key-writer/keywriter.sh b/key-writer/keywriter.sh index 00a4ac8..2978148 100755 --- a/key-writer/keywriter.sh +++ b/key-writer/keywriter.sh @@ -105,7 +105,7 @@ update_eeprom() { rpi-eeprom-config \ --out "${dst_image}.intermediate" --bootcode "${customer_signed_bootcode_binary_workdir}/bootcode.bin.signed" \ "${src_image}" || die "Failed to update signed bootcode in the EEPROM image" - cd - || return + cd - > /dev/null || return rm -rf "${customer_signed_bootcode_binary_workdir}" ;; esac