From 3af9b3f0f0afeab5ea5080e97ca1b985505ad1a5 Mon Sep 17 00:00:00 2001
From: Olivier Deprez <olivier.deprez@arm.com>
Date: Tue, 1 Jun 2021 15:37:16 +0200
Subject: [PATCH] docs(spmc): threat model document
Signed-off-by: Olivier Deprez <olivier.deprez@arm.com>
Change-Id: Ib5f443a6997239d6ba4655d7df6c3fc61d45f991
---
docs/resources/diagrams/plantuml/spm_dfd.puml | 82 +++
.../spm-threat-model-trust-boundaries.png | Bin 0 -> 66389 bytes
docs/threat_model/index.rst | 10 +-
docs/threat_model/threat_model.rst | 17 +-
docs/threat_model/threat_model_spm.rst | 617 ++++++++++++++++++
5 files changed, 715 insertions(+), 11 deletions(-)
create mode 100644 docs/resources/diagrams/plantuml/spm_dfd.puml
create mode 100644 docs/resources/diagrams/spm-threat-model-trust-boundaries.png
create mode 100644 docs/threat_model/threat_model_spm.rst
diff --git a/docs/resources/diagrams/plantuml/spm_dfd.puml b/docs/resources/diagrams/plantuml/spm_dfd.puml
new file mode 100644
index 000000000..ad4996ec6
--- /dev/null
+++ b/docs/resources/diagrams/plantuml/spm_dfd.puml
@@ -0,0 +1,82 @@
+/'
+ ' Copyright (c) 2021, Arm Limited. All rights reserved.
+ '
+ ' SPDX-License-Identifier: BSD-3-Clause
+ '/
+
+/'
+TF-A SPMC Data Flow Diagram
+'/
+
+@startuml
+digraph tfa_dfd {
+
+ # Allow arrows to end on cluster boundaries
+ compound=true
+
+ # Default settings for edges and nodes
+ edge [minlen=2 color="#8c1b07"]
+ node [fillcolor="#ffb866" style=filled shape=box fixedsize=true width=1.6 height=0.7]
+
+ # Nodes outside of the trust boundary
+ nsec [label="NS Client"]
+ ddr [label="External memory (DDR)"]
+
+ # Trust boundary cluster
+ subgraph cluster_trusted {
+ graph [style=dashed color="#f22430"]
+
+ # HW IPs cluster
+ subgraph cluster_ip {
+ label ="Hardware IPs";
+ graph [style=filled color="#000000" fillcolor="#ffd29e"]
+
+ rank="same"
+ gic [label="GIC" width=1.2 height=0.5]
+ smmu [label="SMMU" width=1.2 height=0.5]
+ uart [label="UART" width=1.2 height=0.5]
+ pe [label="PE" width=1.2 height=0.5]
+ }
+
+ # TF-A cluster
+ subgraph cluster_tfa {
+ label ="EL3 monitor";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ bl31 [label="BL31" fillcolor="#ddffb3"];
+ spmd [label="SPMD" fillcolor="#ddffb3" height=1]
+ }
+
+ # SPMC cluster
+ subgraph cluster_spmc {
+ label ="SPMC";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ spmc [label="SPMC" fillcolor="#ddffb3" height=1]
+ }
+ bl2 [label="BL2" width=1.2 height=0.5]
+ }
+
+ # Secure Partitions cluster
+ subgraph cluster_sp {
+ label ="Secure Partitions";
+ graph [style=filled color="#000000" fillcolor="#faf9cd"]
+
+ sp1 [label="SP1" fillcolor="#ddffb3" height=1]
+ sp2 [label="SP2" fillcolor="#ddffb3" height=1]
+ spn [label="SP..." fillcolor="#ddffb3" height=1]
+ }
+
+ # Interactions between nodes
+ sp1 -> spmc [dir="both" label="DF1"]
+ spmc -> spmd [dir="both" label="DF2"]
+ spmd -> nsec [dir="both" label="DF3"]
+ sp1 -> sp2 [dir="both" label="DF4"]
+ spmc -> smmu [lhead=cluster_spmc label="DF5"]
+ bl2 -> spmc [lhead=cluster_spmc label="DF6"]
+ bl2 -> spn [lhead=cluster_spmc label="DF6"]
+ sp1 -> ddr [dir="both" label="DF7"]
+ spmc -> ddr [dir="both" label="DF7"]
+}
+
+@enduml
diff --git a/docs/resources/diagrams/spm-threat-model-trust-boundaries.png b/docs/resources/diagrams/spm-threat-model-trust-boundaries.png
new file mode 100644
index 0000000000000000000000000000000000000000..58898c531e968c2c5ea29596b561d077e49729f8
GIT binary patch
literal 66389
zcmd?QbyQqU_bv#5K!S$go}eMPTY%v1!QI^&Y200dy9G^fZM<=JcXxM}+vI(}nY(7z
zy=%>#`OP0QwN|flPW7oeReL|RYuA3NLgZvbkrD6^prD|T#l?gaprBy3AV2kYaFCo6
zoujXi3#`3>_>Xsx<o?bu81jtkAgt=3Xk+XE)B_knnONIc8PVDs0E~>R?M-bQPGG>i
zP*9(s#D(~OIHw&h0X3B!UwY1F>f!L^<y%9t*7e_&veZltCa9?;95pvCxT)28I)QGg
zAFO9<8!ZdfQj)g>5)k=?<k93|lV>=<d_uy|Z!zctZZ6JN&%Tt}4_|SLmTg?|W}e&;
zb+AaIqy3XO_h~Zdz6<?Lx%CQPu>Z+E`w#&5_YG9}|KDY%79f5=L*x9o=;9)$?zH>%
z$cg5t9S{5|I%klE26p1xrLVR&PD@LK&QBIZV;4^2<7qBh3s`uA+Xq&FFi8(_2g?EA
z8VgcGEvA+WVI-$LYJFOb397I0i0PxRP-G=xGde?9C`x_WjS=?7%OJXFHi;QZT3Di-
z^KvH_E&l0zm~%RFZ8Y^q&S%rxhTwlv(3iNdf9{-v1?vB6GFjdy<0d<*TOUj>ij=-$
zBKH`hUsxztymzQXV|KZ|syv!HI)wvkQ8;(V_as?y&X{NjNVnD~si9X92sonO61|8J
z782SQ%GQLGMXLwqo(^5Stoz13e8k1`&rC#av_TYTq+qxohj+H|M8TYz21MWgc%vQY
zQ?U~Dwg?E-mY##_*{0QWroq-DI_MDF=+4PWM;+~9U}i?p1#&WqjVG4c>5aw3v*0V1
zt_M91YsfbD*`zLs=CeWI3TbO@OoJ+kXo`57ZvjW1${Xy(7YgR8raeaeZz`Hz=<J$o
zk^I@*w<hx#)*PG(XtB?^y5Nx|I)#LiHnZ9H#IDfT+Rl1gBe30>oN2tYwH3FiiFJ++
zG#$hlJ&`&0$yUJ#F^T!>ERVsFCq74}Ej2Ziz{jS9;!FCv%BMB=BfFoM+eeGfhf)Cd
z$Ze&!XlQ2p82x#B)EUEFB{Vq8InK;Gqe~H?n*}(#7H#w9NH%5m6*@irSi?tN94IZ&
zHzN6w$lc~RIJNJNA1^)(5Ti%F&?RuG0tTs`(}U>KJ5O9nI34>1rcItZMl!v6HOj!<
z2Pd9`H(n)1M`=O0<G;KEWLH|_$d!gMBQa?tsXD5!H$!LmHZDf^Rvs?4KzwJS=4^X>
zk6|sm0W=u^m=W4P%NBh3bxh(?Ut6sX#0A333X05<+LN2^J@JfhVAtPZLe#(6EB_@i
ze}p}QpV7%SzntangO29X!R={=S5@v}B0p+VFDshzwNo*ariN;ZJ9<qIZ!95LN`HK0
z!44)6i1gkg(p<LCC-UZRR}SsSo;nAS>58?=bjOciOqGtxK=D6giFf=!L_2*mnMMM)
zE#SuOTC$Jqb>-E;1zta-GsWn+GVU;<GA2HzB@ZUY`W$??N(%Vx&bh}Va%nA#NKEhU
zH$U-^8|HEu#uEC+aXy{Kiw3Td{AXATo$f~2i2YUXay8<4*8-T9M`XD(sIL)4wPz^O
zh}dq#1t!FDBPdY?D!W;BYdR{1YCc|S9gi|Wx#IFjf63lI$x9TL&BDz(r6zvsr9QRd
zeY)A!Mu4mw<@$(A@E$H}RL1Y#<epSuM$gYe2KC$7GZa(F8J~^1jr4%cBcQKS^tA(D
z6OxULJ7doIqSlH>5y22TOF|S|qaB4b$*}b*&!N%u9$r>(FadOrp!x^SZwV-u#G_~j
zkH|DS2|fpxys8$OqlO3UsArvN0!{ivn_FI2Z76Qs$_c|ByA}4BW&;X^p9nHj*yL-I
zc1~WB(wyWS7NTX8XJGZCf+G8u>69PO=DOw=+VILy5(wND=`?Fl=s{x}zj~ZEy;qcT
zX-KD_Yj-_6U1n-aQA;%7b+g}z3crQNZ#(Y2jk6f8i<D(*+G90-1JYc43;xAAc=u?Z
zk-_1oMs31qGX5U+P%9@bob|v?t;6=k376EEn`5Kf&E*cR_x_GG<LQ>r8s|jvM}HX7
z6*NO%rUy3ZuuJ@pD)bJ@#eOAuAB@t+WLcYU=~jCtmA?i%*%&f*n_={wqHE}|L1Tf{
zJEC^V+BS6HZ8JI>8@-L<8Rz|{our@2y(5x3J8@WU(~NWVr)tBvH#iqg)fCT%i1i!$
z!?&0w3^!r2E?4=<gHkEOkL)r95zul1^XIG_v~8W8PJa%CChb?G;L}Gu)419A2B^VS
zl>6;H^=tm$o7~c+O={SLgf_((gj0Odb<%9$@B;U|jth+Wtq?JX8EuZtnUOWvFA{Ws
z$4@nG6B^rJY&tG+?ZGaxUX5l^UgJ`B)78)g_1jyqgHV!^7n7-U>~8Z&Ra1E@$z6`c
zW6jK6kLzcWL$Pi(%rMPI`Lbb7#${{hL!!L0tcXiWi4I92Q6i~qq^(V-MTFadbBcpS
zB9}}Z>bFVSo>qf}XzVG(WSCQ@D0KD@<G;6;c2F2deLbWbmsXJWSm&FJ%wyD48HNam
zb(0c)S`6v*U(@L5J=?iqPnesTEORi=NImY-T@>HS7)#nT?k)YwnFB8RZG$WZ{xnP8
zb=Pm>1Jf)}j)~0STo<J1U)YQ{y{m>6R-OkI_y2efDr8D9962WoYO7i_>^FOLZC^^N
zr@$rsxI4qUk4aWLYR>(gI@cVPyi&37*$XR3lrY^lbSLFyA0jZ)(eTE5EBobp{RxlV
z8mS3~l%foL)A@=NG~ggRwYkP%MZ0?gc!?$alYM()O~#y5m2>u;Zd#O?vv9JCN3v0Z
zic4S3mc~V;jPk@O&zyVBeo%L`p-gC1G7c7V*2~lO;^WtN?t~=NtJ>t*UqhnkgpFRH
z3+#(~+aj~shLoA7Bo!k*>cMc3Ec?Q&Reo1_N;L4f-p1=IR?3YNC`FfXA?-RPSy`c`
z{A&Av)Lpvc9m~j*!^84X{Y49N*{&fg^2zeHG&5VWl5E%UW9Fa*X>q<@6eID1VxmFC
zovv(Z$PLx@Lh2&&0{aAubXDu)rKZ<JxdV&MUCA^bTGYZab&E`<j}|KL_MSrCdpjC+
z%>pp+j<7L#YXW@ZP*2iBrnM1o{P~mKhcUL;%G|u%Y3DE?=YV!y&<&IHysUeMIO$ET
z(N}I|Wv-q`J>59sQr3_k_%-j7G+H*ZO|})$JeWZ@a}o&yGAI7CDct+;wubKgm@sgF
zF-7KCJjMhKA{XBvYXU*BX$Q#2O;XIbP4%#G`JT9w&k391LQfBVppexb4Ow(KvF*6+
zxvjDU@ApE6DkXAb3bt2Y-h~?Id^h)@zG;Q7rTNUEH1&Mpm`>S2T8jp9otDH8soytS
zescIaqCM$zNStBNZU(%tSZleNtv|)>?u=TWo_Wdrw*BTf=@LnHku&4?E%<C-niR+L
zU<6)@L?wuBy6xIV7T&_}9hT)~lPwc{^Cc5KACn9r&Dl3_tn+<QA_sfB_<0aJ0AToK
z4W=7#L|S$>m6?n&&9&SV7uTu8flR!9FRC~pg=j1e_tN<CHJ`>_|Hze-J%i}SK<%Po
z(+gA?8TYR126vMaKZmxGc8z~V*VM+m0hLDQA~@`(SuU;ryoL@*g9Zq`A)~A*WqQ-~
zQA(`*ZDCfE`;D7r+Vz`E!$vbsYo?Km<v<U~g^;FAJdwKw+YM<4_mgJ9%Rxf3TuWPn
zTjY%~cI$lL6hBwOH4?!rZjoC5{M1~$;6*wa_?aWq%D?wuW%Z7E;fQ^|&(s4!B?CRO
zt0HA($Ep)KiCa;;AE0-HBPxZT1O1@fR}s@0$8;J>@myC&E-oY#NqL_robp!k7U~{U
zRcUKLGGM=yHf#6Nxvl;{chgiyAbP5r;kj)&fA|!+O+w8Wa+J?5c;AgSQ;R)Kub^7n
z-qz(;<f%lr4(f|y-~pqncsXz{^O4EvRg;(61PRJ6%AK=EMS&A!E4l2qs@0mbwj?h)
zfayc=Fm$W2RH#f>p`43YdeA0tzl$UowUQs3oWC(YyEv^R_McT?(DC}1Ob;4Qf29<B
zQ1<LZG&vh}EQ?h~>#KQrNCghhUgX_DTjOy>@`I#}8V4j2>o^3iF%DIw`}+~3R8Xj`
zZWwLWN*-ERGP#k;E;AO{Zoo~P22440)^8VDcCHbL4Yc)8tsjq7w2RII?w+}O>^xp7
z+)tmMnw*|YGiDVN?O6vD2N;ehKdcm-J5O7@_=+XjVixgw!A^YaF2q0Hi9`#!=_QRO
zrTX-&+#=4CdZ**r*`xCumAU;i7$j+Y+BN~&SlAPySiZuLU2^?+^yk^)P_wIY^P`lz
zD(4j(-F>!%sRQ?HjTMjCK#VGQB0%L<Rr~Q=O$7Fb+rg41_3dE}_)A5X?OaXAX<4l|
ze^}OcBztOMVe%wceW*yxklX~HnGh8_rQ#Xrg+-xj3T#zww6QsaZDV71o=k-t)*Vd%
zMH~Dw|2n1+wHJ&;0~#@Y9eX*q3Jv8D^s|X}M;F@ENF3I|@d~b+irD4_{kW~Fn|&Xv
zpv5dUV%z67)m~$_Wv4}lHYrK6A?W2Xk3A(9^TL@HC8mp5@%h#6dGg5F=>}mD2#RQ~
zVsc%|dl<j8!FMFL$G}j!F|%KE`N=ZcsC=U2xwoNPqAyo*Dz;qO!$%iNyycir!dK0R
z1FbxzVh-r6x1d&;vN|!vieMjkE>S0Vjs+nEBk$@@H4fObG^k#k=(eHl>;Lv6@8Mb*
zMrvGVTz;~n!Ut`YKPKL|Jof8VFV%XZp5P7rENc0+@Ar9-P@JsP-lsln%D!bYjJ~Dt
z@h*lQoZhyWtNHkAWPO`zrIO~3+d8a_NcP6s;vn;}qWyj3);A&x?$zWSxIn#vl?iHF
zJnd?fW%MNJbH$k1)!K2#Svf9(Q|Y$F3g2o1_UUUzArNEMrp>deCd#rOhmoo76-hs+
zqGq)7UHIpghm4WJR9Y&k&4$CyC<2kIv;+Nt{F1tgakgq&<<{ms8!Th4idw$p=w^%i
z;zsI@Iv=kvD5S;B{M_<6qdW^uBp>8CkVIs^?Fl-%tZce5#BF#t!ACnT1slUqj$L~a
zBc@)9HG?}ApFL){b4clI=t{Kwl)0IQ-+03JUel;2v{iMzQLO?b{b~N0sBb{wcNWhw
z)G-Zj(}{4xg3RXK4#jwjKHPvZN4dx)dF|9^uCEYba~>>gF@jh;v5TMyX%JVxz0sm^
zEZ?kKN0&HEvIr)$N4{CQ__z_c+)*|`w7!)(vUb-$#vVCol=~yeIsKNT=(#QykJr<2
zd$9l0fSLXQZ)79gv1G{vhx$Cjr9Th*0*9ESREH1om`BbZ4|&^MiWqeWqTXLt_)vS0
zTS!P1qm5mbuBGj0#&?DS(A_lOjJcic*!@hX{#cO5+UyD{TmEcYLg^^{*;?`ok6UdQ
zRN7p!VPorj4ZM~`O34I`?o>a)q6m~c50`!y|NJ>iS|Hz;-O|^a9M6Z^)Kp~gK1=(B
z;E<@cvRZ>LBqZbC5w^yqRQI^D_^fCp)v8!RNPd~Um#g*PIZ2mD$ioJL9kA`-4O@8#
zsoh?j^_$vE(M8?s0_w#>4C`g`f~E`?fKg0$AO+Wzn{Vtl<!e%!BIk6cVbUCiqFb$W
z(;GFkrm)IR6?mgta|>N~b6IrLSzHbk;nFLURem)OK(_`}9+aH0Jc!#IJBZ*E|J@s`
zQWAE1)sln=$J<+0#a3=UL^s%0!eCp)$Qbes6i{1XH^mEcMVC|TuQ1U{1Z0e*kS^qj
zQ`uVnu5iw_SgU$3LR=S^nzm_pzNqZl+4I5Fo0~rI8@uX!;CQWT1I5#fPM@v1DL%Gn
z0Z&=ubZlA!3@8uZN?m0|oY@QdVj>O4#}79_w`?(ysb7l0{qeM9?|z~5?PE*bn@16*
zbyywSyx6!(7!a+`Elwuf(Sr3>E_rFEo*BQCrXj8D2_&Fl#^DhVZ``pA{BX8>aw<8l
zpg@?&FnMfvr2)K<2n{<u&|Y2pJoP}_$gPYeuzr9146xi27AQt7RT~ha3Lxr!li{&z
z58&4BdbmOEgpWPy3o)#->?G?XI!Cm9YJ}K;^SWtvPwWA$6BOkwHv%VYNkSUVYYr^l
z?$ruKRot65)Fvwm54nEBSH%NPKIFk{R_@gF%JI=Lb#H?73S`|g@hDx2P%UiVS<z6q
zEPyJOq-%bj%r+%NKx>5*-hXL3XZfhYRSw(r0o!gBz9DV06O$tXO8+Zg4$9zC6i*@2
z(8C;S6#KGlr`~KxWEqp0)*V8OGIyKS_h%IB2QNaq*o&o|L25=*muF`YmElG+s~I0B
z<=%y)E;wx16QHkc?8O!Q;4BL5NPSYpXSlfh=<5EEJV&GoHxZO6`xPkL5+j#=I;jQS
z^&AUuF9`&pau9@C;*{JoGW2&xQ76X69T*22;h}!3@{SpO|F{xsV5&x2rtDNK#a(b2
zR{B_ei=H})egLE*E2X1!T83##UyiBbOX*BXfLs0KsK$gTVzGW7NL-nta6+dH)9_6+
zC(MYh)C9ihoCgK`7m03%V}g6cr$~}Jylqn>LKl5clxR-h8`yv)YpFrj+YwVT#p&Jl
zW99uL-puJn;=)M@@7DFz?d#YLRoyb$3s3vVURdLAK9(6OfISjR3Ghv9XOgkcW!i*V
zq+O$`zRLQRUJ5CMN?8itD_E%`slbU-3D+Gx-FRA;pz-XQGtbrmu&Sz#3vM!~?Tsw%
z4!aLrfa!?ET6_5TO+YVAi&(LRw``KUeD0@wM8upvPVohJD#M^}r<VkwRy_4L!**_>
z`>HuIJC}u&Vwz`EHY4@vpzcF%-mN`iy9H9ds)+*PSmI{yS~!l0#8?GOeaYFIA0hY0
z_)x<%OqFRkwG8t?reBF5akX<uROPPR$wc=>Syh2qwYk>YW#wBN>VhB6#jt%EvHFC{
zN`GWLYfMW8Ej9R2E#weiQu2mn9821yU((Bf(+*)orudMek-ftG4omY|kF1lR;jhpI
zAwtg%Q+ma3%fI-=dK<aDhk9(hck9KxGlu5iLLPeSpW%RV-Lp<(+>>8JMp<eo84|*3
zNha%l?UklJhs+ihBR*)WcPlgjnn81p@t)B=P6kk|NI%lYic*yCw%c=L$6|9cW1V+g
zuBd7dwUH|luT_6lAqVEsnUoAjm|7k#XEmwVeI1xcSM@d6)8K?{9p8Injr&65<$ev1
z8cxtvc>y<;|1C9-+3R!TiL*#h@y3qU*kuX8OWaPK$wG_mUek^GC|{@Rr=l^V-4B%}
zP{H{?b=e&yyElK7M{AB>k-vf48(^~o;!1>DJg^6q<X{{TmuO8?{F<aClg)3kQjE^!
z#s2u<K&hTs+_0{=Ix1}G;U7%|5_`75Z4YO<xVJkFzCRhMp<nsV=i&DeEt*s)(LE3M
zjKWh+r)jai_}K*k)vFFA^E2wjdi)xz*9XWF=C&tBZfhWyr<Rzp7U9`-+nRT7K6T;Q
zgPG^LNi({=l7(_w=IqkSewS$Gm@WacM@P|xzQPbZ^B1UQc9+2|k+^RgCoY%iWKaAY
zU0jc5w&o_f0HtYNhs9q}MV8CLFg-`<rnkQ`3#uIHYpFmYA4_eOYwE91n`>Dayj0>=
z1*$leI}tDU(<z_eHK;l+@j+(LB*PEi_FryE&9H2ixuf;c35p-wC?>#3-H9th#$yc#
z^Qg(KM=#GQd1h5Ex19+O6sl5M5)$<xC2l(U=5B*(&8nur<%dVk2TW^@v7pH^ZN2kY
z#arELiuv?AsFynnw3p=BynZ8gcxrS-st%dV7LPw#^}tef8FSp(9Q11skqEhAuO00C
zWww;w^DZg3C)Q_XH<)yr$G|%q<PL?^ZoK6%A~zFnhsv*15dimHM%Ry-!?%1Q4clkO
zicx2m3st=b02EY@T5q+e^w#H~)~u^t>}2*Et!GxIU?rWFUi2uw9&SFPiM1wi_X<<S
zmu8O2^YveT@dFcIdct;Fns1hg6i+;0PVt71WVM7cl`)H-p1cO<cDr@#B|?LH(Q*%(
z#=~)7Z}7jX99Vj~?Y-4ZP$lxXOHikTUzn(<?4tOfk*8+xJ|xFR^p=)6@$_JMrv>^!
z+o437?DuG=iSrvrbHG$p*wjzD5&1p+DaZutrW5)7@B9#W7Z|mkPnA>mo9JLRsCkfU
zXF#;>BmPm~N_T39&Bl<RO6&WPf(`eU1X^VGNTtY~Kj04^I=0G&H_ugyz?Xt^m=7=Q
zG@odVc<3}_?=LTN90yC>8BUaW3p+Br16F-z&d+aV0H-;ICbl(CrmHP_1v^ujF|Jny
zj(_AJG3u5{^%&!>X^Rg}zDQ{@yPg{Ziwh$K(?&pGF_Q1b{YPy_vYKYp_Z7UV^Jzny
z;twlf+Hp<c4h0c~{;K=an}1}ni+r>)a>l#<$if!^bRvcRb}9k4yM<V`$+H+xs_T*h
z<L)+2sldz+iP_`in-MuD{tjj_*=Ebnm<q8lzA+phC;x_(Lq7y?Pr}5Mei=U(q)Rlb
z8RfHZ+`uxxk-N&A>3)9M2<G0AmI-MJ;4{cDzT-n3(<n$HH5NUA9sKo6kZ#9guIrZX
zqEo(5ECps~og5>By+URHuIZXYdnep#GgK&&4{wu-<UtWza`SW&BT3r+CGtAj^NC|!
zGrAL@fdBi6>7SvUSEmcf3_>^@_B6A`#|_b0E*b19J?wf$8_1ZNnx-cpBAAcW1x#W=
z%CE>8G<j;;R(<9SAhgDpXKWs2Mu+ePlT_HzFoj{{Jw?5x(HxbPsP&p+VoU9fEO3Zg
zC(mK$jXYXG!NI*1g6ROX-vU}RuN+f!j`;uS=^yUtznXf2@H{^^B(?e9W1@fx20lcK
zU=VEjMI}DFK%6BsPQ1$!$^GKo#Xj5{=>ow8DA`03k_a+N8|<CT$@B+$+}%BeSBfO%
zZ2;gmGiZUVb!HeS8+GA8MKUhdl94FW-A$N5C-_RD%#HGFLHvc+MD$Ar!rk=h_0!Yj
z6)$e>G36#-FiIoIVt)pFSU?=G-8wpVzy%PP;qFF&qn0L&Sh!w^xabatd7c&X7UZ)!
z_OEHTt_|;^{cd*?S)R3zAXRK~M8|@{mbHBEMg$978sbC><mgC90I;Tz_p1pfGFywk
zTsYv8)HGNK@HGwN9=w(~Gm$`98I-<pz!eQRrou*xrqDBK8|I=_QBWA~jeljACevS8
zCYJZq%Eg5f08UQM2+a^kw%8KYe?1TN`u*VlHNtCX;;q;P%iR;FJJ>V~qSW6MzqCH+
z@Y*Fn?q9)XERe1Ft=%dme0QzuXQ>lJsg)|()ZTZv*0PD8Uo|uo99Z^0Alk%Yb*rY1
zB58_*UoIiCfWUY~3Zh<d90uF(=?P(n^EJ`bugLw){r^4o^go;^7QMRE3Kvacax}kt
zj>-fBW+?(fsN^>-k(_cIEcH8h{Tdv2t<phx5k0dx`9J%+=atT5OsyjmM!^KwDd+WB
zzY$Nbdqx(H_n0E75g?;toQxwKg1a3+BYu5MpxbS1S#o1*=l0gA1C?l6RlCehWXbJe
z1v5&+Vm!SJDQQPhACVtr8BzNlrI2$2Mzq1Q61|Lp6*><#i{mf?H}eZm#x$+_H?4j<
z!B-A)6KBmyaHfTNZ=7;zB9FkXh5XD?%FL~ItLbobr_;#aan2dz4_Cw2X-zRZmnAx)
z5EkGyg*%<;zJh1U_kan=;EJSfD1cP-nmPqv$<V*)+h2zBzbaF4*b=g{;Gew!|4)B3
z#ecckZN{t~g^-H{K>iAN$G_%6T0m|f3!;aeotgiA{EN}1QJnyeTy_A*{wB#P3R^eg
zHg-zL;D2@r{HA{eg_+c`)*Max4YwDqw9(K#ttCB8n-4axPszI@9PzSSbPktI-G;Yn
zJX(MLj%pS`$f8LoKKkiFw294;4OiHDkO$0$gw#*9T#-CTnA#_$)+(#xs6V>}wCzX|
zdkhz}nVUCwBirPRNB3xYu#og1hfUGA&D-NxR;qWqabl;K#ykGn4U!&o55Gi;!tn4t
z*^ADe-x$eo*Q?9n1a1@^4>!Lg#XhtsQ#PJgs>O0-W<ImWcGBYCZY=fm(YyHe42N|d
ze9&Nb_uX40zb!oM%dYR$tVsa;YY<3~f638Fhl`7!_cWcF;R)yShb4u%oVJ`@A{EZR
zxglYw#($DI5NQ{uWZbyxlai*<?b<23kY1sZ3jY?#i*+nrEVB|Ko>lPIG@wPpaYT*>
zi4oSZGhR&0S=uG53W(af)qHQ^>tK(mI<AYnY+U(VBuLiM)yQDh*CtZI9lN~VKxr(m
zi{DE~%+o8bL;+xvWIG*^<zsj_F`VAstSV}6EfCh=66s>xoU91nn?cEhsojxq%S<JD
zh<=<lIqh7S8Kd1nZAoJD3!tu?Q$Fl&6#jx%(ZOl5&UuMibMo7_lf6vu{II=0`|j;v
ziUV{Nl*NpsvrGS-!?#VANDA^fuZxQ)aMc%Dzcj0WIL?yWT1&}-LfF7e&d4zjb^Fz&
z>qzo4z!fuCk$@$zXQerYO)~$YEBtM4@q$G3M5xz+%q1R6%0*AqFAc;2y)w#IZH>oK
z#Yx7l_owtMBEjdc2_Dv?2lI)2TIn!lOj=msg)X`}_06KbLDlv;N8YvqcmpN5M7u|q
zX2jRF9Sv!olUc)dm~N^YoevwHtN*AcEJY$S3`oq??;{d<Z6h+#e0D%Uq-=7a=1c{M
zrLspTQM1{vfNczP5n&iir>s6uVwqH(pG<A0I<?;;WobwvCXCA55&=NcPBgAzqB^(n
zX$a-_HQ9>JsBbK{4rl8!ln}utQ@`$L8a<hAGUxTcy4JJJ<uGxO;0fx;X?yh*Y|oX!
z>8@wFJx^a)tlH(1dIIgh=5s-5fzD4m)q~fGGnmB)f_(oZOP%O$3T&KfA|xUl_tD53
zUO43gJ-F{CSQ9$Vu`a3U)#2c9HygfGZ8sB#GTjRuVy3MrHN&U#uQouh5O|RvB}1(Y
z-sej0&mv4E!x^328wT%dq3ftrpFhWD+=W~%Ja0DEV>7KD${`gya9$Z76FpPDfSg(H
zWW4l8z*WcS&G8gWM@yWWKX9sf&Wwq`ju?d3)u&o_G^zI(BTsQ%F;RSLBm6gZ3RB*e
z6}r%aq2%sQ(v&h@m#n4XRuw=mf>f`qfS~2g%!n%IlcH=Podx)l4mH_VTbTRaV%|U~
zUDCM_MA*Twf3@Lu?L}2si;Ry3d=AO^>=<XlyffuxH~e1Szvi_2cuVwP*e<-qoJptb
z%RD=C9RUTl2B3EJO*k8xgPC15R|!QI1V<h7fOmM^SHN^d@}DryW7fSji(Iwn%2mO6
ze1o4Cw6?bTnWTHLLL0QZme8+Z0Z@pv8^b$;rucz-WYjzx!BYFiSP5u2Ji*Urly+^M
zXb*2Vy;+lP!@AK<taPy`t1OL#Y4PpQSq=dd%I~M4uANBhZ^Pde*UdGo0>@Ek>azb;
z9=|kq+=-E{YO!jG<70*D{;VDkOO-CPY+6j~Z(vjR3zkv2pR#|zt$Yh-fDWH)_<I<5
z`-vB}HQvko&7V@Cz<4NKSU9^$CQcM(I(3<7v(*)#7_H#8l>;t|Hv@GY8(D0MPDdUN
zX)rV?yn@waEt=TFH7z599Tt{60Jd};CtI-YF!I6qw!(|CLGWtAdktSi^(S<`pKm%j
zs}2W~`Y2E?)BL8_F93ycth&NmEv_wPsFbuS;}v;g=#x@`Wg72ZW;CapSTG*4v3UW5
zgpUp*T~gXVQLSXxvw<sXEfqZPD!<<)1i0JIU@ktn;GJlB5I!Y7wbrZ+ZQ_ZOR;pfC
zr!R?~2n2CQ9Y%B|eHY%xmh#+uNJ+Fm)-Ax-MdZ|29KH6YnuLtKcigt>HA_v+%?wZz
zTbp7cN>vWj7BPydReFdEh>~`7Qj7WTw`G)1n4r-ov<9N91IK=Q3>AEkOqH8g|1?t*
zzxa*ap@Qhy_0>?2NXs$5-^y51fA~D&UJ0F;N16z}V3m!qr~<*95V9qu@;&-4Dp4|U
z+EI)&pJOLBbNsj&CBi~{_JPKU)5o$bX!S=C-LM+c5B&;b*;OkwUQ4L&k`p(sz)rwX
zR=*aI_+(mhGobo%(Ae}i_H7!w5#I?hU`^KBi?;0UcGU_h->;Gh`$sdu^yt;!sXygY
zz`4i<$wgzCnx?h>feRHVZ7%=*r*kGpDcBlE(K=ah8l-bJVlRk$ycMFJihy{;UDIQ}
zxi(voa9Kj(F;AHO(*g%hH*e$arDq_~q2wB;!XQlCZv97wiyNKB5}N?Lc5mJe3VDOQ
zhWhP%1&+4`@=N^@f6Ib<Fzr;r_R@AsmQDvTzu?T@EqrF?EZPlY7!|u^hH0v%Jcb+<
ztZa`o{>X$fviNmuw3}s)4MEqZIIzM!AFUZ%YZC4*st&$QHqsbCgY!1!2jYz3P2T4U
zfAUUkC*+QLx`Q4h!FqaxccCj6mEMegpkSyraZ|rnf&)Mi{2(w_7OYBIUsu<rrdswm
zX<UoQJb|8h#%uT&W4Ut6s%dJ)!-cJ#5{ZSq>hNpojSiIU#@^I^Qx@r>HJ$mr<DNLA
z56%Wjbkjq(Nu2dTkz2-n2rbS>nA%>CSjSJ!N>3)U?DM1b22gMmUATLj1P3$9i}jX^
zo2{J!J^r56W!WVs%atjt+$eS~Z8af>X(>?&%s}*dy4H^(4{`(1|1m@3pylrM;RPOf
zOsx69+LEX5ZXojNJm_QnTI;2}o*Y8D9NHW@&RE+<AGPXm)J)GHFu(#ltA|y#<@Ms3
zaZ*LNir-a;wuEnsU6q~zbN|uQo7#=8N+oXUQsz+o9OY*DfyHJ-Eax=%g}>2m>Q3Jq
zS;Gi@ehZ-V!fk?eI+Dm2y*Ce%iWnsM_#*K~kIfn0B9Xjm0#?!%)s+aR6#qXGo0Mv~
zYUp)!!O?bf7O7`FbTwu*MY@0<RFH6r>gej3DY#xRKqhwgKx)m+txFJ<6>oMH*6P(#
zp&adhvxV=uwE|oky2u>*%xHn%_*FA0-%ra0m*(ycCZp~`?>SY~+svY;546~(Mu_jk
zUZ(@L$5|M{??@jQoY7t@s8OOX=a|d5N2YIL3=0n@Q^t1LaLYYTtaaVkF!EL#ydRWy
z#4ok65}gtAg7986Nz&$HEfPa9mfPSPj1$8fW7}Lz+t@}s`=K0oB%OXNkKP5aRhH!m
z#Ucio>_&&0hAloDSNb<!B6#gB(@|GCWe?7fhZArnyiQ72zQHpQ^y@+?y1|Ts-3kv!
znOnP7kn(d_;!~l{Z@CYA<A)AhN1hod_x>|0Ptoyj=N_-74j!*Cb#WSrX={P`j4)+C
zJ;T9U#@#)&*0-6>C5SuAj?DO!;5Opa=k2G5k9Ya@u!O#raaIEq7WSV}ieYcSq1-({
zZh(F00?8iX)=*O?6H`7<E3*B<`cbIiIwFX9vaB}VT?~gi;TVz6Kzf+|o8tn4>y2rU
ziW$+t1oPZ+W-DvdvRERgg=$jrz%^&t`DrbYP$qyjF>|z`-|fbDF#yZc<wB<Pi7Te`
z2qxPWW-oc+i=&?n$i7Zb)9@-*%5U0UF)fw<K1EBl|6ZXKHR7*RfHp)Hr|}MKH9Y1a
zQ@<7j&V&x2$jdWIx}932WgqxLyR;;KgL*pSKOq{P?&Mdt{`+=9EaL|M0=uA`i#o`P
zTe7ef@g<ARA^cEyg`biU;7mME<O9Z;E?--Gc88^We1ri%r%T;;*W_A3m3dD)gdg>I
zqnQAv%S&O2`igi(7)VPSlO4;v+M8JKFt)Kr8x*PEppKn_gu{2DDc>Yt-_g^krwh)H
zOW)QWi`}fL02ch2L*CcwXSflXm^Akk$KP2F_GS<C!XSb^aGeunSiQjLc(6xxDjm$K
z>2>hsa-Rtfulk;K?5(Rztn3DszB+&7?=-h8pIOuMs@P*=<vU9Su&q;(S5~3syK70e
zAHTQ)CrD#*&sbvRj-eAi%m=9JhNYIIg4XjLhobtvF12sJL8tNY4|w|}j#w{HmV3Qh
zQ(!UazRV)5KH~=5+;V@iVXeOpVxM~S^i1c_dmKt*XgNMHIP&DQard}uOUPO<D!aHc
zs+pX##+l*c3Ez(=3g_3I#3}W%lqxyEExEVrihZhE&swNJPq8HeQKYGq0n1)oo$i;e
z8CRB-M?lfW<jkb8GLEW{eX^Rqc+Gf_U=dwin7GF|(DOM5!>vH>myDI{!8BWVD8Q+7
z*yt(^^YPRTB{dVbt<V!;dz=HKA3u!NS6jXXN4%?8qd5V=bzP%Ff4GKP9GIeez<=`P
z$qwQ!{;;;TP8YZvP7jFCh6E%Ch|>m?8ErhNmi<1~xdT+xkJ(+v4R_atc-?Gi2bMJj
z2OG!ySuF3fyA2xb8fe@o&*C>?pKtLZ_$ZN1f@WsysctWT2})^QAyagv^}Y8`KqgJy
z1Fmqr^whp4x4$zjk%>ZO%TEOmf5B%$ly{p@aGp;Ow%r{ibC{DUtzXOPKs(X5D@tVa
zgC;#rl!0LSHV>{3Kr<VCH<u&!`>FWGfG$OqnEMeF1gB)@fNBzbDcL}s$&63*Q1HJ|
zJw~F!769{!9U&G<Mq8DZ`I%4bxOPwVW)j$JG8w}_#Cf}Guf~|0Mg0VdMD)Ac`fz;f
z-#{(Ep&WuG3l>*oV{q&vvgQHrM$KOR6r}_8qo2x(megCPdrb$lvj(BR?FYo++*V(8
zSto7M_T`o5_srrfR}+r~6#8S`Dm(QJ9dSMa4!(J&YRL5NF^0R?e#)V6YNe<4O9nm;
zFLrv2lrUaY-ksInJyx{xFEBRa+8Ge*lTfQZjJ@IYU`zewDx+;tqt>d$zx@zWe0JR0
zTJ$iQQzd`WusQn+XEvB7oo*`{Ut8}ujQVar;mqI7qqk$@m#H2jRbNI&5xZ8GhDEw6
zw`TVSsB<6nH7qE!`Q;pMHr@X?_15B9|Ji;3YhC8#yP>;AJC}>%g<q;>@rx|U?*(<h
zIzA~!#Y4u~VR{JeRLtHCjq#paa%c0h-!vAb+KaUQ6r0yQFQ2dCgHrAK$brCaZt`GK
zVt))KA?{eg@s;`^7Sayebo}+kxe2Lh1*rRea_T23dBpGJ&F}07Iy|^5Gy8RQHPpai
z>8-mqrJnLhBYdp+rBg&)n{dM$F-NaJo;zH{@!{2sWW*$<7VNU>ciAOgoC^TNFZMop
zS0UfHj+BPYirUBk?uAxwn!43rmjbzCx3J8Ycd_rB`I5mVCRL|-S2QfGcsOFJmhaF6
zxyDQk-_d$}O$1sRTxI6rprHv>1LT^TC2r=%153x0$FZ&Sp00_iQTk1Wbc{ynLU-%F
z*0-O2-p|jL;=q2xJxvdDs68*SGnW1b_S|)PD&I3m3{MB*B~s)s2uqVHm~XdhS$z@L
zs?}QuG~T?#>*!d&cv3y_CbfqV53P<&URlnY=NJ{hillo|fmXcGb2^$2G?QP=aWDa=
zh#bQiFe>Y0h<ua6ik#a8A3yeD_Er{-)64jD#;xtL5%`WY@U}ft;2cqU@y^WM-BW!C
zzdAv#Zm81%yP|ot^CPa<C^UNKT)Xey$LUsITF+{8@C)3K>!dI~D@+tCWF4_^e=&#v
zKjQ3)f9-_Sd`2F)d^^5o`A=vGFJ$dNboRa0JML^m80f0pq(dEryQ`%u8c)~vZN$jr
zwSxf=M`Gklw>F_j1gbc5F{~qlZjc`WIugAFt>7BIdLib64^Q*`BzaF-KH<OdD!kUy
z3(ChP=(H9`?o7{$_?m(A&g&XIcBmryY?yXa$DiRA3G-)6tu&773~h~{U1p7xGie$q
zS{%zHBY9q<bR<2jvA^~%oOj|&uIi+VV!Bdice(-htuV$<cE_tx7G6er3GcCN?xlGB
zs$`0<i?a-ZBYlEdymP!a*;Ok4d`gNXjwH$LHZ)wt)P<SoJhC;Yw&b_{$$x!+WJwjM
z4E;c_C9mpJ6M(JUYKkd#@ZAp?AE6g0@I78JnA-%gFD&#d3bDW~*QX0%wR?*tyWekM
z@F?$)YxQ^*uc%lQVkO2FUrksKcbJd-hV0e>Tuqa;?&PSn9nA<CZDS?-2A#=K6eq^a
zMFo#&I;3Tji9?9?6Ijzjk_Ok53tvjsn2-C1^u|Ws)*Y4X5*)p~)^$a?>iV+W8FPYQ
ztE^S0iw@R);j#IaB%b|#)^Cq@7XI8`EKQ}MY{N>q{5Y0;(A5fat_!PG;CnfCpau3F
zr&5@0)zyq;?evzpfyaJ~K_u5dQuJ%JqqMuJ+b^q2pn>drW1_09HogtY;mEcp>}F2E
zG<>Y{Ap!A^W-&A+SX0>aaVcA)6nH%tIDX6hE6+92!K3$vD^>oOFL&v{?P_wS7R(a$
zg^IebU;3A2rhmCRCAgt^3ch)tj@&A-Gq4e&UHvoex7X?2_OVdUy&lHlr>7t(ri-WG
z<{ZJT!Cf|z(qQuaOyOeBXZ99}h%8B*Ln&?9{gpgeB>Z0Q-6a*24jD_))tltp=6JE)
z8m)KlZDYW;$YBakX2f-|(%aeN4zHby_<J7Z&}iH0lbPPzd~$E1#Lm?!(!?g#1+k3!
zSpOn*wy@7mTyP{qL3th=1}hfAQ704PT0eWb>n+r(1|rNrYuF#fdi$Dj*h;yZU0qL}
z4)II4ZRag0(eBT_Dqxiw4@<%4N71)6ci=kO5U+1s549Wn`!ip&(hC%nk~l7Zeg48!
z5mcRfutmxAxPI*>SgG>DF<d{ic~i#D@ZckLdQ-4;N|g4jim1F;9U_f#^Vw$Px2zVx
z^6%NEXbFnDDyBX<c*z}^%R@r{kwRq}u@RGnV#iI*kFo`L1(#M54oE^NgfCb^(ubmx
zoegFB@2w@l-1Flnk%IIVRx^=ps5J(sZCFf))!aZR>`d;gc}cwqI$gspFHjwj;AY9q
z5F(}^y6aE~YhWGeuHZ@48WB*N!-a0lZ0Z8wAZ%(K9HKC*=$OD{<0XWF_!IqqL(Q<>
zp?L?Y6@9R73}ZPOx=<owl==?~sY8Y)5Mh!4s{c|k?~=B1U&^DktWPC&1<K0%@d=S_
z8q$}E_z>gh)q47eq&cGZaUiA*{_g>zciY?j*>hO*4H?VOFJGB2T~T)hqH5uOSdzL-
z%j}=_E^fp?kQVIh`>Ip1Dw7y?=GZg@26Z5r@hCKNvI~gZ_y-i$;8JY5l5>84cb>r~
z5|WJUSHfw0F@7hSrRoDa9IdEhcGZXvqUt;D8pO|R3?R!-^;9xW`LFL1{Sy5J35T)R
zZ@m~+njaiL<O1E#@L!(SbtMy{pA}Ka1shgP2rTP2!u~cR^dAx`J3ISlyhrbrudg~m
zfO#aTF;$V*qEHAv60yyjHz-WO!&_N(t>Sm<j>U@~Wx!6-WUpQBW$YMAp#&S;KTd}~
zUy^+kaELTR`R6=S@F8AE4odbnGP27rKkOeF*h?wRlF^a4qd`$?j}t`^3(Ezjq<oqU
zKQROD$VL{$ALD6LJ3VY6QU}nS9bicqnnBSvVf3aVK5;|L&bVd$-1!ApEk~>ATt?j*
z{QDdzpQB)&IqVLHSa#|#Y3cP^bBI<s6I6Gd&q6d$EeV#?T^q1C)&D9vrKqxmY-m0J
z-w%tFG~|?T5<!_O9ap9tbC7n9jMj-L;wygQ>)>abh)^s*;CzRy0|~#I<x9Nu8(uk~
zThfN`=18ZvV5l|-f0(dm1sB9eKO3Ns`*lPe^bNnlwmwuVS60&C%tm9bp&kjI?QtGN
z;{F3ekltKY@}Wg|Y2iZb@#Jd^_I8y)BYMY5;wmp;aAP%lMRU`v2cB)!eczrtD2veK
z1w`#KLThXW;4I<dx0bPxx!W|n4><N}XJ9Y5nA-}m+>32>q!+F<0$jQEYt?J0esd)M
z{c@P4n;4=ZMorRvX?QDq^#1&hO$4A={*_Y6<z$jnWi?<nvM#?0`9x6}sWU|beaTCT
zK@ZcPXjsWKW4XwM9~<c-c44gi^Q>Pp|HTAxI0Fr-*#oNJr3iH_8q-iptF=0jU0(U_
zj19DNI#6<PYh}&(xuAz(yUiy&WfmG-jAXog#%+&&voxUpfAHNtuz$lzwdb~Y{%Z8X
z94Nl#8)4}*zw00YuRdvu$Miq-1mPyX^k6x@&aEk5EMA@$?=@ahbRdVqyzIW6A<tU3
zCU?|b40e1yDjZ|{5UtL6p~eb^mDGH*!#f($%Hwl8_>L=xb~7`Lq?S9YIWg?&MV!o0
zLsG`w0G84Tq)a!PoFq@1>^Y>L(2^*=c)(+71s%5JySCWfFz%`OY}t97)jSk-Ne`;j
zd!`5--m9f|PbJTNiH;gz4_~Ide{&2IMs@%eFP`6)UD*+}H3#=kKe=eVOJ|A2y--lA
z{6$K7pLF#{K9ctDybb{`jT#aR&>C6;m;zf{EY%;F9()jlUSaaNhfVoKEffunUx*sM
zYoW*?jn--x&x+h*3~Sovg#Uo;2MQW!+{K~5V~x8G;&9BXCMF4rc&e-~9D24bR)$Pb
zOE(2Ml)C7%i}FH*?B^se)T4weX><F*aYBwF4bg`X*>-cPNQATY--C@}7Y3-=E1hh`
zF6^;3^aD8)tJgxEK_7TO`IoazH-{y2BlOX;*zFXYo!yzS+6<@*tg%4?zS?2LCG#f>
zaDk{=qJgVVvUGch1Hr@x1IyV5blf~5H5~={*$3RAv)ZQmAxLDs4KEh8<+=_2N_3za
zUe^8L^M5BVh(!`q7NEl$#?)d~ebi#xyO=5WoHj3?HJt)eQ$A6r5D}KhZMU2G=9yp^
zl%aGK<xAr#`*Puw??l>lgf6+g2tUf~O4Y3xPY<mOmR6Cx*S#5a1j?DXqL!;HkU<%t
ze3fEoDxO72$U9KVA+Y$DNX$*H90z>I$blDPoR^n*4%KAZHY~p_m~!_5r@lYwnV6di
zT!JcY@ke==qa<i=rOWM#TpioO5H#p3rr+;`s)fqIlV-c3K7Cg48nfB&)bj;eop|J$
zV?>QwJ^x)2kvQ4-Zg4T5mac_!vqRb2qwHBM;?Qb*ATV6j2B*_@O{o-pDQ;CtJi>P(
z5%FJBjP98y--;KUc?!mxs-2ekJ@)nIv=7`d^4m?~(_(wzFjj)>$S0l&mrckw<o-Dr
z9Btf_oHXb~e;a+W6GwO&>Z6wpc-H{^-@8z=^!V78>oW)7od|els^X3bwB`q3zQxZl
zWG|B{K%3LxHR0aW!>8y$BB`4;-k+I*>rG#y6q%`2Z~8tOH`j(9>JOlm$Vc-2HGQun
ze$O;%cw~!(>iMHh9C-lx+!88%8b(Rq=etDxre7Po6GKqN4lUm@c7+kelked(ZH{Fe
ziit(qP{zG_$(UE7X1UEhyPa7*KVK3Y4u!s$oV0A@6r%G+dYL#)xP2!3An^wFeRIeq
zg)fHuhYv!su+4&*jThere&09)*)GpQ0U0WXpQMG*Fgo7^fB6)AN%U!QR6syr|9JQU
zJ`GN+_l>wQI`7Ghg-*-t)6igIo#l2T^F?YI$lTFKbS!6|Iy-!zZzTW6_=q}{(G+n0
zd0l^KIW9NwOyN4v!Ad>3Z1i~Mk3kr7UQ0XEuYUP{XvpDlO%LCV$%8T;3|^x~wzB0s
zBgD{6rZj}eD7h#3^hp;7kFE?WNf8Gv<Xbn{sf-3`d=<-?#IR7Kw{TPxH9q&ei<(v%
z@S5%#e1JdvCtL`34j{mwSj_>t+VSrJ5ltB6yGF1%xJEj)Wj^1CGvRTaWNLS~be}PQ
zI7+y2o$1$~e_IhhILqPa%pgP9gp02zc|=^8ca5s)5Eny4^hcD4&dtBd0DcKnS4^8C
z;Q~k^;yF<h74YTa%g7qWj6rJ&wD{W<sPgxD1duL4L8Z$5&obml4NZ*PSn25L%VJ_7
zZ#zdRpg<L()mqN2Pu2OsqbdVFLUK?3Y1w~QDaR3tcTs#cNz`X-8~)p$0-(>Jo=Wc5
zgZZT-EF`nP`1PB3wbQdB;Hkc!5*D0SPBqxkHX1<wUi~US6-0a7P*MN-TVjM{LA5Gt
zDx$pJcuRkQobZRFS${|~AnE^wj6$?Dndg={$N%gFC{WoTpa9=PzI~!Q0t+Qa>d;i1
zqp}f$&-!PR4AP|KoH&@*rs<+faK2ul*s}kVabnyB{dIJ{#^P$(?PPEAx1y6Mv^i42
z#BZmgd9%aW3T;{ER|!2->;!(Tak(&lTE_<e?AfT`Mv&WZe>ehhIiF@_IIq8N%z?bs
zDw)<2`St3ohgh-KN8+-NGV|012?{C;FFP(rVrz4AmJqsdEHpGUE-}#r2>AobIpjYw
ztIH?g{S4X0as2Lk4LTm)pV3jde`Jp!*RR(&I4DK<&3W_~=bu0GrBmk#VK57w<OFFo
z^u&9(X9@G#j|O^GN_rmwJ#W>|?$_|WFmr)rzCV<xk6O(fZOms0VG6O#&rSHHftQ<R
z$#9vDiN26;dq*WXE5al1xkoH9ewDTqlB+k!02hEF(~9daNXW?j7a%Rh$^e5vk%rTY
zBfcqvdkh%Zn3lkB^MJpl-yvSBRKblo^^_|)IA{IpfH{hUZZ#g$^9e=SsDe^~r*Qo%
z_*RNI0HnK6P?iEz@UPeZs~MB;iohC2Q*}#bX7OpTkn(Pj3cp9J0_vOacCMYja=wQs
z|K@)IiD^#oQ2igVu=1f{;2<(8UrM0WsD|kIukf=z%Jr{R!6D=2;xZeXULVduz+pL2
zqQRb5P*7yQGYolzg8ELL71v>sod0`oqTt|q!3M;Qpqt9?2WPh48RFCf>Fam$wUqyR
zz5gEy?0dw|l$8Ccx(3IC|8CT?3J4kct8DoC`BDFGa&gb_I`P`|UWkc*iSBltX@pei
zZQf=Egn}aH;NGoAroL2V7If3u&x>23QL+0CL->dNk=29oh%WDTXa9k3r5HMjZrZLW
z^x_TFpBk7Rfa8N=W+A_O-IDz3#<g+UI5p~}e33}aVdR@hjyOQpJR>HbZ6%gevn18C
zi#nf+KiqSq018x{Lr>KOCdO_-Pq$MgH-h^jv!e3;XvhSl1Vq$6=3R19nLAf!#UbWs
zs#!xX4btqqbz-7CPCIX)eyCiT2mDd<Gi@|z?IEYMeZrAbgAAHNHY8yO7ln)MN97|y
zgqov>1=iI>;sb_&S4&!0`(^7pE86_?XOGjd*!_?4#afD9`OxTmlhDAqjfm49$Zn6U
zw5qZBIrRa6dW1L+=SF4sOVlSPIfH<>%5bktX7oSx<CH}v-@_aD&NHTo`sMA;w3`<@
zWMejG>?_B$5;Py4OSL@}Ov4!O!JI{LPKVW@q37`)reO&(Pt9<Y@IO@PAnnM?{}l%_
z^<6IPf#qOBe4lV*IwN^w%B$T?0vOM;Oz#rDtkx`Y!pE)sl=_xxBZyr6a*lmIK|}H=
zXt98AM5o9`2e;V&f)~2@mjI?(3>wZa*A9w<W^vL<w$DFgayqlx1u(^#1luuYwovcg
z?|$%%HYNbBEhoE|<^a<zB0N33d8mnx8iE$MJH;;m``2lc6|=F$JL<v)keE;Btj0cF
z>#*vVS@fbcQQde+H8(;xsvb4yENzf_OT96%^4mngqh_D?yC2-OQUQfyJlDC-{7>RP
z%IGW8d?$r&$3fl$v>-Cly5HST4d6)GW}O+3ltQyeGwa?1^U5351W_VM1u>PUvn#i_
z8xVdRMrJYFjCR5G%%swJgx5^BK%d$P8xITHUcr@)_+N1a>VvUQ)dC;!!pHFuUrO|@
zq>MbDv*5x#B)P-rTBJ5tMK8Yx>8gnu?>;Z+OrGbEqyFBpn0WwCFVR~i41|xh!gm+d
zZxpD|jwH8R`8&uLw41P6win$4CbS8~R&v58ObUQ}55%OO)EHOz3ddwUe*5tm0}gt3
zM$FE~1=Iq;>Ok{?EQH>-5J^q`hy%2Wa_%qZs$jL0Ea2Y_{LBuvXed<DbdhG2Te5E8
zAIr}x9x<_yH#WNwryjpY-LXiNJeNEwS`NwcK-x6xOI55nASvh_u$Q`6$tcL#v1#w0
z93~XqivIjEt166xnT+@fRkb>DywzBOKkVzDBQ7>gJ0@RDRc1mO$X(*J-MkXV%e)k*
zW#a7=0iqtPHdvn(739kJ%-6=@mG;G6V5iu~llvsZoy7Kbq}Ps@iyZMQC3LQP7~QIQ
zN~$k*X}7kv24W0v?=tI&mWs19zau9kduZwu-~Zq&s5**#llt}^{*PN@%b(2A(c>>M
zxiuQ#i9kY&t!qs~C;1;1fk>><5=t{{&5*&Z8UJO=JE{`EZqZ+6J@L|1BYw;lRBhU4
zzrVc3IOJ(j&=8gKizkn;i!BEO-%5fB<40ME>m;=esU89<^;U58POeNEO~D6^xBc{A
za%wYQ9E7*t{5RI#GAgdFOBW>}Kp;p2*Cbf*1cG}A5Zv9}-L;4S3GS{z3ai4U&;TL0
zLsf8xV1*VgXOs8)y8GPQW1M?>+%-o1V6*pfne&;?oXfTdU3!fBV)TW8&(;@UKcT%5
zSkq~_xGdh9s49i<8>Sz5wFvF{=yBz2&GIZ-U0k;ePf?*aY*ip0ozc~wwD@EreeB|0
z>DS8rRO%x^T7I*ITl0rXgFbbkFC$fnt66=7lIW7_L=fVEAum=;3Aj|fhFDlFB-vri
zhe02LfeI8B)3k}d=;p@>e}vkb;+V=>GUBlkn@p><4&#iX0c0fSNkCu_={rmiQr#WR
zB|wh%h(br0FiLkNs^41pKReHCi`n=Rm03ZT8WtHHKRl4QUJ65_aasJ(IQL}nGd|^%
z)%FQjb#!S((GNIok#3U3=13(va5z8(?)FMP2zR{HW)|7yD(5n{_aSAAcR<7tzcG?O
zXHZY6k5)}(w_HQb2qxC0<#tb`ql#VNGdfhYnFDQc>j(6Wa;7)_pO)-sb=$mQlsP!*
zV(r+gwt8dmq8omjwPldwv<@nK<`t;{A@=%{MGYF|Alb;Oe=4E!`8HP)R0Q5z2vAW{
zG%PerY+cv@D!oAbgv8eCfqLvt-Uf)_f_>cN6)VF}Bx%Dt=*wh9D;I_bi;sX!)g!)1
zRw+88Xu@fJ6!PsFl}vC`I46umbX4P=OnegEF5vDw9;ofT=+aZG2{?Pu(#W7@r5JLm
zm1#(@2|*w=LZ{i!Ij-XS(t29HpWCwk(BigE%t>mY00vfrE}+xIK|jvY3%A_84HDU5
z%Ct6_SvpdnbXz-yBt`qVxh+<^I?rqHOsXZP7F-Zy7YOyT63I#WXl2BzTTaqFTWTYS
zvswfSXDFX8zouv%UFJx#o;>+H-EyWgr#zGQnMSmzG9F&kSEzP0sSm8Zph%!awdR`>
z^`Mcjmm6CZGwSYp8{8X->4cyYBX^hSw{ugKpB)2$vqC@pMO!}p)@W&Xn)HV4Hi_Et
zac1V^dXiQxQ=6^YrS0AJ^@Ba5760rhf?POj3*6m8Q6{{HtCr~{3z`(Dm86kx)B=8A
z20^DqX&1u2!Djlp*T1<B{mPbIiP&I9-=Z#CjL@_S=4_fYhQnQ?qp4Ni7l45+dmmpK
zPzty^VriwD$&)h!O8!&!ziYz(uTuC=KrUD`{S`r$heyG4Clw9mh<_%0{Mh)f(5n7a
zmfs)Vm&k%T?B`%%X6{423UbgaH-r$eXaX+-wMhh2f$UnpQ%B+bA9vIIu7a|i-2Wpz
zA&5K|5XB86!@oW(|4(7w_RFeNFYqw@2-*yksE+Y(!QN$>Dn}It|8t<3$!$}*9Y_3#
z@-Pa2xJfN`qpVZ46D!HKd!ey+uc|{^pmvE$_$^>8UI}GQ9lX^l1$oOl*q+>eWEm^d
z;c7V^lj|EAs=E{B78i}#v@68QTQ5rHRDiZ9V?*O)t$SW8q=tCqQ57<Ag!*;|s2kln
zd`AWzO6>O4)47Cw;+?K@C<SW1*?Nhr{<lbY{Act|5Dp^WVrE(^B){5{jdC?=?GQdX
z4s{Vl7$s4~=CwyQ)(^6`@Ow!Ufs0y2E_b*FvxH}mq(Kgchlg)nmf!y)nZ`N)s8fa2
z1oXvU^jE3LQXj;%UIap^o7t;OqdWe}+$C(XJ_VfSUus8&Z;l|E!&iv{l1D3d$_(1o
zDl>n;96Nrkw{eN#>4~Z5-NPRm!4ma}1358&zwQ(Jx1g>i!{lYRCpWj|M9SIc!?(OQ
zX(j2oad$ML>El7;?E3J?@I}uB`$ZFHk58L)TZ`}hgZ6vppB5g<=^_776vcG-Uft<D
z|A)DngL7VtSUByq(CN$e0>9jix~tCL+^7qbkOj}dYKl(O_Y_e3Vaxs6p>11pZQ7#q
z>q1UZ$gk1r=Bpr@H(O`mT2~oYrvMdUQ@LhhzsxMdjgo1aM<qeUKQBp2N2<&XwmJjk
zopAR>tI4gfgzF2=;t(#12avCTLJ6G2%38f_qpUjA^|OZ2Uj1eULjtTY;jE`1R!u|C
zx~fOAGw(mT%C;^JsC+!VrxK}69X*R2n-?sU4}H;DwR+&~-mW*alGHSDnhQ=iwc4C5
zfYiT(-^pA#FDG_X15bJu-8><*t2~3fZM(8{QMSW*pKqHD+i#oqiEaaLH7~%Y%=0Z$
zN;O+$8}&X%kbzV#9@W5V{f+E?7p7FGKUL6P?@*s+1<4999|%=8ZGfDc-4cN<2d!xH
zzrg_1E6}(}_rK1cndaeV45+CrF<ICfLCKV&RgYfh4HR5mUP)lhCh2d+PjWq%nxpYi
zvLje4YVa;MMCurw`lqo(uZ<SNyk6CnO_IJL=VFwj?$4VIewLtovVPZD*}ybW{&<z(
zI&2R)JM)>FtB0B5jMcdIx;pStLqrIa5Qj=MT1{d~#d5lm!OT^3w6EWzLKNVB@lr(&
z?}{=)=vX9Z2DQud`<1QtOvoRr`Off|I!^R#cUowJkEfd465G4>fpYd;fOSLkt4vT6
z<YN-^R6f~Lfh=!bhHcX9huGW*w+1Q=7rq^3v_(L>B73{&l9`G-{Lrz)r43oWqPB-X
zvBj&Gt2ilKv}$*YWEBrrvyqtuyln>6u$Qfcm|{h#XTO%n8o)?9>2+Z!0_I!LFaQ`7
zJulo^5Kz2+so=vYI`NEPXbkz3m-N+in{u?mS-K|%Mv`g~Y9(S{>H~=fv%h91LvslS
z@9yNsW8pqNhhBk7F)k5drsyYyBAr;TF0K+uUC4#1>fhl-M-8PHO6nw@d)+M|X3PT0
zB27x$vmXfN!{wW0WW?<s%-cR)X`6TM2B)5fysSh}?HmqH4k5+e>5E*E-+!2`gne`m
z*VT6$jkS}A2d~~U3WaoB;A`C;>B3a}Vx*37VwXgU2*7Nb(E7@|X-6@+qxbzDcNBfU
zLD@^Kb4E+QurQ5ZlQTpWQL238MJ`osxIPJ$EDHPukogupJuku@+YPM~-&wy}M+wbh
zaMp(Z8;PT+S?IyRU6&<T$`1<(4k=&7#BPz<_q1#TC>Uk!IoJZbqNL(RHvIN_!^L5$
zMV!5!xBio)LegVBtraJj5kz%*nySkakalzrUS016lwXOgX*EZwrkI31<f7N<>lM-X
zg_?ED?CVP`s0jZlSp1B!|BQL@SamSPPuWXBUVUNdnuyyhgp*Cil4|bl_oh#{$#sKi
z(8OS^t9qc7MD~4GAUn%;d_X&twwIa7aYBF!U>t0ka}B<p-IYY(a$r0|<T)J0*PR9W
z$d=+t2RMe0YW>$kr#E;A=e-&nzY0~0R}U$WkFtG`I$#*gIQZNrC{7I=EiJ-WUH}Xt
z!qE0yNv>7T+zWRGfY#J;S+w}UY%(DoFFWKi2NZDB<?XG>%6-7jUGjrdyGc(1TO4<3
zm?R3HhDIqP#ESo1Zl=M4$CrQsDGC4d{nH`Vr1RaB?yNPk@e8-;RrimV!r_4UTo#ll
z90jp3uQ3}!QmgCxExwfQ4I)@(V~bvN3bKd=>%Ix7^BnC3nyeh@tiT_H<0@;X>6o-#
zh>!C}Nc-Bf(0cvAt(=tr$*J2J*Dn~*BE$~K=GN1rKL4zH+^RAcZ{~jFaZh#LDvgJ6
z?(*9vFxhv>>tvOcwS(r~C`;A_RwIxPMF3bT=Tk$i*~wdo|M!+gX}n3d@`&*eY$qEz
zD1EQG`F0a(YkP$-)<-r=cS);;9<i>IR*Q70wV%;4qn1<O5M#2Me>*6we-m*C94uaM
zw_-jpwS`gs4wUEbR+^#e+;F}SP==(~?w1zydBIi>*Hsz}I6OsePt1raqsCxf*U|)v
zy2bYWN-}wdh>*{l(+$3fa7WR63A<Ye1wmU*==>~8G+n2OFZUb$O^WH<scLx9?=rB8
z*NH}jhw7t+%<>iYJIF<y>u$!qF;Btgr<@mMXKe+tuUfSkbi1B(*r6LVgy}J6V#_+r
z>3>@X#Jdh{6zNrSt4NyLI^j{!a}2|i;dV&Psg<oouDO7`PWQUq^!KqnhdY$>j8oAF
z%U<>Pd^mCO4CeLO!0y<)B%8V|4o~x^K(oo3^>{=#x2qJH-h~}6#ucgqY_K3)QWzNR
z+d?)x-@8Tj_MB7VK9EoAN1&%W5`|0+ro~T6e6PbSeeUqF60`zJv0wo=u<OD(7x4FD
zKLB-z1v5b&Q&?r!+xt=hr-`k1%|=)BF$e+5O}y+&-~5$Fr4*1ua=|t^oi`BXR=e^6
zm>p`GFWAdpX`O7}mBrBD;y}L<$~>DboLWi+V9m<3e3^<e!D~@&DH(K_Xcg(jKi?Q|
zcOXgkv3F9@&}_d%Av}+5^<DF%{sp>G{uK&>!kPLehse@veGgQqg!OYw`HA!yW$`Ww
zi)I`=2sgD{D_%%oObdEswx(t0nx#7Oo4rhY+fZ;ZZ>X1B=)MkkyIt&WTcgt9YP-v<
zyS^v1gXbl6Ap`P>ep><%-L&E|eTf&5&n6B))5QUK_Z<SvGBw#npaW_lpW>G%Z-A$2
zrD%SE3`MW+WGOVXSK%7@HOa|aoxzS>r*`>{v=T(tM4LaSTXaw1ywlmE8Y|Q#c|T}4
z@J|2qB&=P$pjBm)s#9grf{uyI7dSWtmM;IfM=tWJXyV*iUQ{h)qo(d^;gnNN&Aro&
zZEYT=Cuca9*QKN<F!ff8aXGzcczn=;S|F#Kac@LR>AV;|fiH_+(vgkDO!*Ib-?uD~
z>tM9eYd@!0e+8}VxS1)!qAw1-!hr~+<PDe>N8L_s%;`+W&uMzKPH3xG&1i0);I~|d
zv&k9-z7IyHNP4v|`UY19%4)%IGS(ny*Q*ql7F=pQcW=<ZUu-7L3;xB3j=3i$fxN&_
z5Z`wCl5DzqJa1J~KT$vPAIN|4rF>`1#)qUROFf)$p_w8)QTn+V37HK7o~uc7@3H7$
z{kVaU(XdAeistLvH3h12=cymXWw(g)vWG&vn7=E=$kQsJn!2)?R;@6ZzdL@F-);aD
zKe^hisJ~z}jS17`b%F10qM2*5|8$JJs3->G`;x%nUt9iq!d;khRXDXvUPq`+I3~FW
zIFI~1v2t2&sc&*US<_}JF20ZLP^;ex(@u;r>Yd@_)$&B3dzt5zRlP{VO3Ic8G%vr-
z#dhS4;z4E9qwe(fun5sxVY9wXrw@*DS>X=-xXRY6u*kWkxAdJx?J674ad+}KdY_^5
z?oV4^0hMFTvx(bsfV8WtYl;e^LIJFpS>v)I1qjSylbrJOvlE&SwLoUZtnqV!lWP%&
zK(F92_^S1Uky@g2@R6QQXr0~k99F`i6pex2=|J5qMcsBOMrsw*0opE+M>O}v??Y#9
z!;J4AtH`k$U!=(Hm2c>n=nQ+RqNIm)epZ`pZs9ljepqgQ+hyU4ya)@t`7mzc0!oqX
zyl4^CY>|Lf=Y&H%I%lG(I*0VRCuligWMS6X`EcPOJ4Ra7gp2a7w1asbwp&gaT1>;K
zCp#U3-5wKc1quF~^&c>jit_`RY~klPUWo?OJ{b(B&!JB!!*)`>2U4j`ls70d)={cV
zC)?<@7&om8Z;kdKW=ihGLzXyI0QedQ2dBoo_vv4?!N}ySSh1}!%m-A8@6;FPXY9`O
zdA3i#PNRQeraYiYiKVSaSq$=!{zO(KI(t&fJ||FUH(;rRi}5K3ETAsw3th<^cWBMY
zCD-t-_XT>(euP@F(n8sbIo!<oltQQZIY<o~e;?ax!pF}F1q|XQ*Q|O=o|$CmY~&r)
zzM_@PqsAWbim$UCKA0xIQX%1f^lGfId);O!mvHU`{9)JIBfQRjKqHq{%q6p2rEP(Z
z#d?=G;C#q%cR}kF3#-0N=S<1%A6<Iri;&^{N6PZs7hyIAS|0a_Z7woCPs8$R$!qEa
zNlRG%s)8kWoeM8QO?p?@16)g+E$rT|L|>ZMv`GnPeN|JB(Mw&}9YIuUZnnhZNBY%3
zKjDH3t{Te+yjn*;aa>O>6-U{|E|v!csn?$QelEP-F4~%((F=fjFu$HxZ$A~a{$<wW
z-l$U5C_F25Fsh1#yF<MFAeN3j<3(D!C5|~v<0d`Ke8n2K?3(*IJmiEl-yev|{F*{k
zan>B~`N+29l_F&mqCkf&>k2yHbDdD4<p>pU_eBZFxpmCYsCd}Ws9@2~aRP6b&uqjI
zO2cD);dV)M9^Tqm>}32+YbeXsk#Cj6_=9N&w?6eht;LpuQA9J1JCtbV?W-z2I(@bM
zwP1ReqI7MAZSw8bKs9Pws<-<3S-=TOWY;eTnubY^Q}!&k=!06EL@wS-BCnIQ!x1hv
z-H!*cVRoxALj1ZYsWi^dTekadyNSM@nYJo&*nwcw#cHN*Wy3c|sy_*vF=b|qtFV9|
zOnf|%Q^Sc6^EKjEmhYWvo%}4N8Y^bfibgZ?rki_JyNio$_4{K8%aZE3M^5GHw|-nu
z`b<l@UNjA6D6Axs)=1bH>X&^&;U&z{Y2UaqS#^s$oE_I(>D6c+{Yr4v7x~*j|0ou)
z7?=xGl9%=AK9x~?VY!ju_hns_hr_Kh8MBZRlbVN=K3GpW<Fw{U&esQ`Wa(iEUb?C|
z&B+1sn}Wiwo{H*uMR6RYINR#dwN%m`&IX10=);Qg+YzcO+n?08bT)>pC!KUm!@R9>
z-gV%nidV`;+}L2#GAoN0CM2r)V~eZU{GSZXV<pZQ-j~3E^rK$eao6|2ti|=_D5Q8~
zy_fu0*{<My$uWAo&(t)JT{@gi6uKgfqoHlyTg9s57|kk8*02ACkxL0iEg@d}$^C{3
z5%K4FaLU-yz<r_{ua+pWV5vlx7Y&_Ew?~!{yz;#d595u#buNWOa23oi_mq~uHd~ok
zYUlH4ID17eETkSSq~9kOctF0t^bqgW8=kdZ6W`-*Q3?xIyCS#&@1Lb6c72Qe9BN<d
z7z7C8?DaoA9BxuF|C_xLx;9m4`=M~Wc=5}_u3wjl0Rr_Nx)fQuB}!W9wy&##F+C&I
zy;IaemPSAFCRvZx6J;E=Wx~v{cyS#KFc#zfTCNw(aD(4|(>kn8_T;YhSk2)HG%5<B
z&h$8HK@sjRxY`pjb*{CRu>=mLJPzh(wXj$%)>iFBpMxI=tu^4CcVk}Hu%R`)AD{rF
zTw6k~3-%UX_d3IiNggWU+qjiS(%U^XUB1P`(rLoH(#VpBU;ES+RVyueL^;KVp3=j-
zHxvVITlC`S`;XMPMY(>)ZJ6G!&@LyqM@m5PuxgIp_mZ$?UajXu`Ch5Fnc+$|qUrO9
zh@zo2FzX1MoNV}B?y~wc>vw#Wg?~L2c-5<PxbwTHp22a_#Ywk}EJt&gU^LPy+SjnR
zYK@sMcTEX`Fr*dd6&Y1`p~tt&%DPRwIrkF9OG8Kw24?)}&z;T_EFLc8INmH}sSzrO
z_ARXPQ#T;<uq`&sIKGZ!yC|&9WvCVEo32r^BPL=g1|>ud48xK1-3h;0bX{txaKdn6
zmWJR_Fh8O>h7T&c%O35S!;z0`$rrRKsONGyXpHhc&1|!XbU=3S{Ax_6vH5lDR1wIV
zIDMY0$a@nHuHYYsITh3Z7_UYU)40j3JBo>su^UNR^zr@{LUjfDVk2YB&cf36w9a2A
zHda;^Po-Coj>04shrgVHqTNK+o+9v|w+s(#D{biQxR=PPCs2>y)+AMWnj-64k*PZ&
z;>B;3BN37<5xB8%GKH(sZ&W{0cVJh0F|3z(Se_)if9e{)&vsKgu^YXs&gYX37im&2
z&G-mx+(rgB6N(B{SP7_3-Cb|1#MWbXMA2w$*bYK|HwiM@crN;<dJ=o<z;ySK9E|Q3
z4soB!mZ<UHatt_q*QiJ$d(S1dM6@hEBnncld%F4j)4#a@8^dT=Xvsl<G~jVG$ZI#0
z!9U&NR}bKJGjxoMc2iXrTT|8GIThs<Qk=bU&H7{hQ=QYp#I&on%T>o&ZS-sz%@6zm
zzl#!!M3idPug)bA=?}Cj>}|?A{f;NGrmDz!)J|`#kWUP1Y+KgZ-zK=KRjFQ4aiUXl
zx>Y6Cnb*T_9~TXQ><b@&&3`f$Uk)}MBabt6>t5^7hK3{r%CV?(N<67QflJi;3JQrq
z3>!2cvO+{LV;|6sZ1O*n;5z2KP$SQ{RF|hh1)vyEZ0Gv^R@a`r!LUzyZ{c_xz|SJY
zg&CE)B-@gJ$au4bLOw(Z+@AlIYTP}NvT(!}8w98t!#KFO6UUq59soaK1`veq(A$3@
zhm%3lp&PpsH~!$Qh1n0a*L1zAhFN;kAhB?oX(+uoJ`ss5P2@anGS>$e2nDmKv}yui
z(r7D=-5S&>4R9MvcvF%1l<xvty>aETija_4`9^Hw;a`=mo$*fi6hmqGztc-v?R)mP
z+;Z;IF!dS_;Z#$m)QKY_BKBJMxHNG(!HU^eog<P`OHO=a7lX{@n=Rb7Wel-{fIF}y
zjKrNgf9$Kf3D5MDMzimBq5y3C6&FpDhLJOwNt(Sf##qByxCJ!TtJbP|c;AOWlLZmc
zb+%1{D#B9IOh@q!(=KHR>1Jg2Y=6Iz#aGHYfr_l59(V&lC3X}*_^^GD+~1TMJx5)l
zDOnXoGcqQ+_G<qniLs!bLEgvCJPy96&h-6R<;EK_7CyMa`R|!_no(;IZLpH%M)3{$
zoV!7rKM_RxJN@vU@|-BI#tuKYhyq9Mo9b5|eMYYg^<1Lj=j^OlL9%P^$};D7goJ*}
z%psMFs_+G>=RewVW%=0yB>S`K88QVD7^5v-eIE*bR&!4Oiv<NI<)(Se+WDkR@svB6
zMOgP^!P|g5&!P@0RYxhPqECJfPTCjzAVMN)w#}lsH;WRuoytv?nLAM?f_GbYgT3Wv
z%f^+#{&ewc*(BlQf~%dEI-G=rn;;XW^5i0<=<Vk4N2>H<r|vO?`4_BLJuzh&FW3C&
zRQf*RxOK<))dX&1O~<xQB46#_i#1WXnA~ksD@~~Ll&-wf5z*BBvP|n)J7YTcaKQZs
zTx)OXOMkO@b-hP-)-=@@4shNhVSY8BrQ#Ah=VDAd{+5WG60qE4i{ELAlUbV^F(yR)
zyN7?m)+^agde&lb!Jj{`iqT`^K2$XpivhSq+3h=ka+;IIMM${BA(3=g9oF1{*<!D$
zn2W>O`|y+lmF5P(WaMp*0Fi>*>Q%F1g?#5&u>`ohEWv7(d4?^uR)T2AP_;Jkw3qW5
zHY}}sX29>ISAkQ5TslR8>dQv6mP>ju(Kc3&0d&`SN=W*2yPvU&P<e>2TILyEqoCnE
zdP|e0IE!JD-*mFEmLZDB0ad7m+)}a!3zr<fpwd=Nx3aqIs-)9o2ziHdiRLMTEl8o}
zWrN|pe{3#`hie;KKl)}}L-}Vt*5ZcP7PYE&d<OEpxxda8uFP;HWKF(j%j+}P4K90E
zP~ICigR9wz5Ac_?<6%OFd<v<qB}fH`MtxuXBQ()FR#FfRf1?3-ffWXwb+MF{i@dE`
zvv63EO=62Tics|n-3ry|uJQ0`)y2hbT!dS%RYuWF)OoO{dQcSWFxM9AR)o3le@5vF
zY~*l8HLiaBral&v1P~uw<#Tz21dPHtRo`yKq6P5Ugr88BL)vLPRH}pSL;P0F0_sY0
zr3Pdtd!<RX!ZWeSIa|Whg0rh%Q2DHIDWqza@ql0|*V6*(4Q}PF0anR%PJ9Kk{!Gu=
z-=TbYR1lRY4VH$CT};j0XzU=T6<+)xmQ}DJXn`@=f(bOA8P@!T{`&G-FLW-c>?-;#
z&-beXG-Vz&Y+h~^(;T@?w{iF5xN?G%KYy;?7LW*NIBA>FpJ_-*sk6#W9cgV{gYsDz
znIzGT{uJoZ$g0dj@pNDFo`PW*xN3!+F&fUQr8g}`;-9CjNAe1;M0q|Xx(2ZEA4OTu
zcx}u<`#n@=S_SAQA?53ARLt{@I@N(Kx)f2;B`ckCZ!eq-Cie<oXI@z+7TyMe6&u)1
zn$V!W0A?gKgzxJpSIOFcc%jmKz*Os^IdYiXU*3{6=kM8sq)p>YfIrHy<l3Su-e7ye
zd9pKBHGIf!)4{vlW5{;-T2DH$w9wO4w|1l=nMKFt5U<2N1Zc0rxnj;8cy6l(JP
z6jAbxR!LOhz_Q2v1HAItq5gs-dN&<Yty0EIIar8LjUGBTt}D}ZX=fkD0p_9oLisLM
z{_j>4(O%E^uUmUHDdm8<vv*jvd(_}YHrwqq6)J9jQwJZo!)TaBS8|O3nij7t|01_s
zQa4-uOnN9dA+w#u;AZT>X<Ck8T9(6!B^w?UsM_}Ox1r@h7}z7Asm^w0^IkxlnHM?Q
zWVVC{(!M-O#&Orj0m4Ida2P+)H(uCFQ44<kjtVp*?{US#OV8ZXD^De0-dir|K%XQ;
zHA@Elg$Ooii2o~6_rc0ue2+>q+5msA#j3fS0A(Nl8Hq#hbA4ZWj(WoB7G--%Tz{p9
zP`Q3yuP=EU;7vFyB7P9{a@QyxHJ*Hb-k#)#MkGLsEcZzefhFJBKa#x=2|x>;l8%xK
zndEN?%uZK3$GVo&6cJzlvU49(Z>ed@nCVo1!EzeJQ!aXEspOV1E^EAYvZFdj5nLQj
z?Ur0GbB8tkIYv5CrB<pML1V~o4h1~yhM+1QOTB$sS>4LY?m<JsXZEl7c$7nMh75i@
zDH<s{EUC<ngO=wl(qq*)SmdUi62yc>*=-|yTx;x0?6%0OPS%;a*@)N;bCXGuTZuO+
z{b7V2*fSW;+$+2U%IK-zXg!8=UZo=62E5+Hw)lk_=h_wAMrPNJv4FH0ljrW;%X!LA
z&I9j>CifH6t?fP@MK@#Se#-p0fOCks+T2Ihr|Y%3_h{tx47akZeIpNta9J}2c^_yc
za93zu`LoM69A3Kq7+f+O<dkN8L>M!wMva#B7@TR(QU7Rhs|&D|N3M);d&w&g8%sc`
zs=4jfqz1EKQe8=E#a<C=i2k$#ZZSMeq3^t{zl+crkJQz@Wyxle?S75tO$e3k2;<#~
z+>YF<r`NhLN8x@|IhCFtpO)ZfW}h!j_B%7+8%<Y{{@;v58WjJVk;pXTNmhwTbXy^Y
z-I)8^dS!O4k5vRth_L9J+y#8wvY7rJY_xr0Des_9@^a^lIBOysL~>yK<mSSwrx+8e
zw!_9SIF+()lH6r7rK+R#C*6!|4BMYyUJck3H~cRCZTY4o-gk*M*APu`3a$Cq28QzZ
z1NX5xuiDt`uv(X2?hrOl7Kf9!0cys*ql-L|do+eO0z*sS1V2l=uI}M&Wa}W2T1;W0
zT#{Yqfi=p<yD<rL(J+mX)Vgg(L{!of7xClqBn6Moo&tGp9d@p3l13e*^TPU<>6&iH
zJ3oT)pp-Ez@;AJ;tEeT;GPR4HIanW`pV-g;&vdSHc78^*AD&Y3HBXmuiJbaIZknHR
z5SrU|*MrNA9f{REF5p_~2X6`>LixKaIE1scxpAFCt(3ZQy@Q#q5G4dW!mWOJzDe5X
z%A>k&?<iBQ3+)WhmX$ld7>J6Sk@K4qK}Q7l9Aow3tQPEBP&!ep)kz^yZEJB1{#@Hp
zlSYQ5`47em4Ag!V`KZdFNM9@Sx+`e3FnmTet|VV{_B4!%%IiDA=*ij@xRHo!5C5&}
z##W2CE$%Id%tEr~)0P4=n&F9!sicSs5%PJ_#)NM!xLx>^#UdslLaC45?#8cJc{X3^
zZO4+8+t@z?S@>TFqU1};HRrIbM}D+!P2@vWrElaY4kadSmuD_Es62)T{d)QDq1Cxb
zl}?V3o>MK9N`ijppp0lVr{fHCuYQtKMSSHu;s>P;&dL{;TjI@5Um_WH2k=$LDVC2{
zu0T>1y7JZ~-rGe<LRIe;SOv-gwxg}Pn^9>;e@-u!n#MUhe|KRn3X8l6O8fbBeDD-k
zt=Wd@w7;I)Zg0wI3zC<1dLl%13P1$BhV}G5mr4uj*LvN>M)^!i>!H5O?K;y2rt=x!
zuOFd)e`&MPQZ_EG?$f1?7D_Vz?-*tl`q<v4A1(cTRjFy^140OtkIz|nmfw1tI|Y+d
zQ)Tihgjdn^D*wNkZ2j)7o-Ma_bJt^*umMs$f8*w~<P@SmuCDjdb}Rvag#@pOQ6=|s
z{P>)vZS)F+R8gGqY_xIDzgmmkc5Tz*?ws7Ycm=~>D|x;&(9$b+Xb0ENGeiQhhK_0u
zXclbYPOb1yUYx5oh<Ej^v*HThp;t~=i(BpQoqiO&rg9a?T=PE&Jb_ykWWqcP`jbgG
zY-$*e36ht3Cm5ZEHF}%wS#bF3?a`1zzM+6!Oi*u&2Bg2&^~LE$Bh*juoFWNFlXZk7
zm4v~|;aZu--d}Zh+F)mTTZqlat;Ex()-9nxl1p^-TP$Et-g8DpXF)d^1E-<?VYbZq
zYqq3g`rl}EO#B5eA-B%0p2B1A5cww>dq1se-dtbN92TrTK>I!PQ2p~8#AehZhOO}N
za!>}@ocb15XQJ+}LkGiV4F`6A@zK1?t=v%yCxILp2~=QXu5U7bht7%Ty_^StPGIO(
zv{ar1xbSOtkpvK0A5~KUm%ePfCh@M(5PlyS89AbUfpaK&n_aF33FI*}xR2+956Y=0
z$r7r++Ta+U;qvUG2d6E(Q8Z{y-5(qki;Tav=*f#Pu<2uhY&Uw@ZAX0y2aPWNW#l!B
zgumVhCrk7C>2^YRQuI`M39pNQtT?MZWOj4U?&9#Ont!|0r<x1QjETC)BW5=!DJT$X
zO%c+sRgf7nFQ5}-pWUZl|KcR0fO16CJI*!!2NC*5GQZyD>4F8I+HW*VCus`7muHu0
zCKOio<P+5#ceBpxk}^a<7F`#CeNDPX_PwL~Jdthf;n)iUuO+{v#<8xMXEW!OHF_|!
zoGwek-BcMB4Lfpg$K|-qkm9gNXB5@Ek?8#VWLaLil)F~U(pZ$vcx}~w+pshf&vb(M
zt0F@^)SoFeVL3l{MU@1m-iK=5Hi%0DTg9`4uRRaTe_>!@Y5j*wLOHDVv;cX?i%Uil
zaJHG&t(oj<dzQ!!dK2=}saZO2OOTF#;;eq52w-Vso;o`OO6^|b_C}149PqM0XR#M>
zQw`;DHk^}OC(bF^VY6$v{L-yS!&l0evmqUq_z1jMt9L0Lj$>aP#W}-xZPp`b0x!sP
zl7y(`;^g$Qx1YBi2L7_lM`mbg_jz(~GXhwhvjsqC<Zy$G$Fp6_vLPLAYL>vNwsh8K
zUtWZ9v%!>T5bd9_`U5EkWBWM?13SIv;1wCsX#cJ4*Pyk7h>P2*UQg-_)mRJ4$4!-`
z6nJNVUhsVnY`32Dba%?_UALlkoP5`>?&9Y1hj+FsBS25GMU(E+R`~ObxwCH++-6_w
z`|X=7>x#-=noC+h2Q6(*HL|t3tINvIeOGIG-V_LjzK|c=A!j!qSZq5kl+z&x3)8Y&
z-`RB~TiWtFLg9GP+4k%Y;V9>7%4b6i=%cOu@U4&F@rOO?>X&wt2~4bawqu1mw)L>m
z?jAW9|6Yht_xdJ^fRo)fpx(pv<9tehm}93B8<G+{bdN;ulnJ5((_tt3$G*&7Hs5X_
zWv6WuUuf_q89tl_VPltAYH?COUH#a2-iXGu$D)uP4|OZQVjtl>5*^2mUbS}#MQ%RP
z?YqF0#0%6|fMk_}ZW=>vHO}hqy5L6vz_pk(_&}r3koPUal_g+(`{Hd=Gsa=<PNY}u
zTtW4-)?fqkGCe^{rSZP;q=BMbUu2?-EZ(&XoLjOkD+ggj1O7UoRuZu}s-JFU18+1X
zdlSIDUTLyL`D)Goje;A2(OGS0F$M@OXLo4MABPIBFZ=@%050+fIs)j3(KhRLrzH}X
zfm@XEU^V&5JL4`5Kx!%BmUtt<@CW`Nv}{=+?Qor!dEc~n*~4iYG8tSoFx?2tz+RYb
zy2-<0gs9i8f%8?$?K<1t9rRmd?doa9a%*qlk)cK-5>CiO>A0oWEor1fc1Wr;VY|q%
zL0@tYD<cd&#@hY4a{<FGhaSXs*PBz@>8ShsTMOTNOHb@>L!4^P!s&HuuX8*(0yTLj
zPW~)*6WH$Lb2B@n@d7o>0sM|WZVdny?^9g$e4FCM8D7+o6vu|W*WOqSFEPvM&KIXV
za{ZmW=Sp^2+vSdCj5a5Ia{`<4%C_6<vTwb%S4e)9bT4k8P@@@K(tYTkRtI;7TQ)SO
zFS%-~lsTyi%gm0r9aN@HpKvIq7YYh`jz9n*F4&H1HF-i@*w;hl=#Rd`wP{#ZYjySX
z>|qJdnwIqkpk9krZ>XLsQ~!(lxT||(Ds*{lyYRThxA&2*z|}9Y;I^gReM*P4g9fRg
zS1V2j2uGZ=?O>&*RzG!xYic&PTFLBN0IbP2av#rX0Vqk<RmtM?+Y`iq@N5|Hx_4W$
zZx8@h(A0_V@EjohHy%BI(d_@~;`2Xv0G_)S6fPq#ukPwv1z;3+&|&|=!UB?XvIAK&
zSF+L7kS87e>igI@PzCSMJF=tGf(Yu*s6;mC2KE<gq@%O$OJMTsE+USi<X_fc8XgkS
z*wg`DZ<YiAI^9-(7;b09U*{_{b#myxxpw~;wExFmGC=nKw~jUc=T9acdThf{w)*Po
z>hz4j-my>pmpL%uq`Xk-QdwE~AIA`o)&JbV=fAIqViP*r=;-L7w-CT0Ey=udilPPH
zT*Ltko6k(m%yy&h%0$zM8b<&%L;LIOroqg~IR>~<MG_Md<^$BtzlP5ratW^L#kmrp
z%&%YHxlu)OoBn*5%0ROVd^CxH0Nk^<ZN}a^wVoHQ4`r4D?p94JXxt%fZEXVXe{x<(
zg#4zuV`~AhaujoNT-<kQY9D|TeOIEf;E)U8kM#fS_=$&8I#Y&`{r&x=|CO}LrdQ|9
zja+R1{D0kP%Qb>PAq~nGA)T@d&cBhQKQLO;PCnlmlBJeD{1>k_V=nOLX9(vPp@Vym
z#*KLoY*$}X0bnXrz<>HansGG)9<);MzQ6K#$e{gPpuIVpWU%y1+C7c_;Z5)bw#>gc
z>A*PhIR1HGYd;1D$RIB~Z0Wb!1wl@Bn4z7;qI0KK7?=;H($F<JH=VZ*u!r|0agEW3
zlF`wASmw5yq@7#|In1=kOx^hwpr>P;V-@?Xzz^Lnrl=$Xpu6Q9MtXTve)WB8E>l!k
zi9g@UbC)3ASH`*k&Qws@y9MAMWRoK6Fwu9{#+UDCCo3hb?o9ZRfHHg6(f`HKkS~BL
znU1$jn}&VH0#Nu9S34~PC(G`|Ujc8a6Up*76H_iu>}M&|cr4sG=oQg1eN)+*Y5n-u
zg%L`g;Oag27VjE)Vh4Dw-Q~=UiTL-na<{)I-%D{q_uSq((T7LPH5zn#-+tFOg3f`V
zkS)Ve0Zpg=5tVtn{jtMHERSXN*10z&5B{!<2bh?$=K!hZ=;)|)-+^Fr`s+E5anlg>
zc3g5X4M`z|0MFuexGTzDO{rLm@5!Is71(sIAD$r&_MuvRlEO}u3O(S*2GE`zn(CNu
zTy0=0<UID;OEZCoRtSwVfsb+?hy0;spXBry1ca1_=f@$g_wQ|xO+zZLoR9!H?Z*Z{
z3%hH~e{pjB_YU}mwZHLLM;utgFM_$OSe(Yft2mXC1mO>{ld28UnLl8tLzbPiWE{O<
zD+6D=`N<iz#9!*;mF-Z%c<hgD%kpf(1{!|LDt<|OwHkcq9Nd{#gx~?3gT2Nd<&Wt7
z84GuRA5-}0`@^pZ=)__wOFfm%C$2vOcV2$NkW_!Kl7DKLe>yMt<;#Qnn@vYImG_=j
z$?&9@qr*fIwImgSf=2_mf?UJpt-%HFe3U|Co!*Y5fBmX|x)X}ulo*4aLb4*GQ^%Q2
z`;@7fl2K`i&!=zP<iiv5g%+$!q;M9#1XN<ZD?AJTg;DYOe_jm?L~#F`4j$9r#hJNF
z)Zg>}BW`uVe}-(21H#GwO#~{cK+ul6wERN$KjK>dT;D_k;y2we$!)5Vii@YXxbU;v
zon4qh3?XRWp8~GeLQC7*n-32YP0|WCH=p0VTHJtz6<=lS64kHcR3cO9Gkzrc{H_Gv
zqW`vnC?=A6Dq-J*Fd~+xPoFMtD!*S9Ab$2t;@!LZt-Rj1ukSwfdIh}H_3M{vfh-Xm
zqPOw)CCw6brntB`$CP}b$*jK3qGu`AUx7=OW1Cm^D8#HQoq@jGOGuD|K6vn;s8Ij?
z%@Ys^q!b!smE@@16P}IF$ix0?JQs+AGV6@nnImx|=mYxss=1|Em`br#B^&4!*o!iQ
zYB*#Ke`g_^aYjyFb`cg$t@RG*q&Ow{ar2u6E;3PvGO$Fi)?Ih4hTOR%!d*Q>X_e~g
z_x?Dt|J)GbxEqlxF1=I7WA}&WvNCs}{<%LW%AB}A1o~O>ovdvbSfc0e_dw6Re=qbN
zy#)w{viidB-Gdb7BcL@fV&d#^QaCWcd16d=quMJ`xLI&FlB?vY_#C*U;JjDbzP5Lv
z?1A)uGu*Js_`?a0X6>0rov&R{hub_^zvZ_pRD6EALM^6!k2)L+179aNve_yZrqIlb
z-20LMkqK|2S!rqWbZH;x3;^l|q}Xk#C#g>de^h8!kRsU}YPFr+Mk(p{(tqSYqd85K
zgcvXl#pz!?v1B|MFw|69=-eU`J-n6>eeGqh#7tP3d;3p}tFT6jrot=EM~NXE3@^A7
z)p-p`3Xj3shW0!z!cKFdU$Fh2?uY&P)#P^a?3rKM3gdS^FI#j`5%|~V%TuW9JlxxJ
z!jjkj%y=f<un($8vJETHKyv!CAEng8HzzE&2pH!*8|hhMc+8EF{Bo^kD`^zzx_pLA
zLe)RBKlY`hj8AK&+xol53Ntl}>rI&BZLv=4l4Vcat&Q+l7??s&+<qGFs{rA8?$QQf
ztjJoHae?ja=)g|)wJLrnI$9?O+HLbz&%c%s0%J14FD^jzXk)K4DlyDqMn&WA$O0b|
zGRgJ{GXx8pg&fUKn@7Yb3h|a<%xB>P7dzf19Q7wMeY=zw`FQh=11gSe!e3y$=Tu5K
zp&(F%<87*Rgi6$<$Yq%H%dno}e?~pFKkP%cD|+Wva6Q|G;ta7<`4wC7Ycrk8O)*~)
z-pD*lvPOTQ&wH0z@7NIk>hG+VaS3`wZ|(2-iL_#HD22o}M1NEAv>Nf6`FdJD2;5?@
z){j-PywaQU{=MU4)HWh?(#}mEYTAW^@%V3)O1}xq#-Nl@xpSvv`0=fyV6VmA>YPvi
zxfC|+>xV4thq%sm{4_KqYU+0#=KbMGG1DpQ(T=Ji(wBD++A5|z4&pL7#G2I*4>kPT
z==>rz%aq}PhRNoDy_V*ti~CDd3l<lvR@UTY*uDSM`TZc`D4A@q419Tbaj1Qj-tsd+
zG$H1niy3-|Wc!X(uEOfQZD;T81hV;9%(B$rs@^TtyQD=Jn?KvWG(5dzRc+$7v8EPp
zrB$HcDbQTJ|MOkOct$su*Rj`*97Y_^>naWGFcOX|6w8&S$Zs2teOlUovdB_<f02-$
zf-i^!H+xd9*OqnuL^|hR&x!l{KV=9Kj%{%JHsv(7eP5>UU)2pu0H*XT{7b!8zHyo*
z(y;jQtRfM?UDi4DZItQ&^Lb1wh@qiva22mvAF<W`nLbYEuvwbPjQjN!(xii5NjlzZ
znYUGXMwtcv)a$jaRTa3iH<+#t1W$D?O{|!?=`MVr)cv<^w-b?>338(ec*)7Z|K<WT
zMv>V0nUL}@M{5sFQa#~xp<Jr26Cn)={viU2QGfg<tUDzZbYLExtV2xFPAe+Ec%TbR
zKqeCZBCZ|ARtoJ{H#x)n?)}a87Pgar3qd>sj*&R}@}%<DpiU_s=*<_Xcvchx0bdl?
zL2vGr^TQHho+JV!Zg+JjM_R`90rh=|g|~ZFI`@ebHu7el1ykz{KOa&h>uQ%SDx>Z1
zEd#*`z{%4a_e48O0FQjEBGBR;^s+QqW?(?;yiHW`U9n;FwXI*6kN>+bggj7vX-B<W
ziWiwa0p?z^DU4^=Fht6;(yhD28@oN}aht;Sa+&xNU#jiRM>BjUast0pB)w2p?B@W2
zQq62wNSfnkRbiv0Ud(yEsECco$|korF$G_HPy^4;)}IVy!h#Ikh^y@2<;@F?4WW9%
z27}LYT&1&oP;%=EX}$1Nx2faqy#Y#iT#%4<Q|$$<d^T(ZcI&pjkD>~8xGgs&1dqG5
zRRs*a^BmOqak3XO&YYtx&8oTxoU#qee7{nLK5FAW>e{<xN)K#ux#G^D)9n0o>tN*E
zb5CZRhHk>tnC*!4D2~0#?$GYIrIy&@Q^3I?-gooKb$8GO1zgG^Qz~`CYrlKu^X6DS
zGd+4h#gspjW+4OHp3f%&tDTi)jebTB|4)aS=z0Z9tTJJiQ<taX4fc->4WC^3^*(8B
z?Syf(pWdVZR~3$4&F1kDcfMQ9TyP#62+ZL<n&k-u*}XPMN95SMfSMf)&xklAA}tNb
zuHbw2f*ZaP#j$p0O9eOX*2>@Z(VXmgj6TU}fprisnuUD?Hw^sQX0G+pR*LSS(XpP#
zy`hMIk%JyBtR7w#qA}p$kML}bPvvT$)6^3-oJzSLr53Tf^Vx*do7ab;-cq_|a%m~I
zeo5)+b}RWH4qnJ}Rd2F;>JIanR#^ebMr~O=eWF&C4k!2PhEsaej2QMeu$=aN+h$<=
zvn=CUE#$YMYt<a|#_WdGBozVE?n%*?VS8B=@_Qi#`yNj|m7?r#T}TzUoDMnlcDqvq
zSysF}udWE$sxq3o-#K?B9s8Z}w_cnH5-X$)t&<&1i8x@Ef^I%8%=@I0_|_D7R)Stv
zK#T&i{F@&Um0=n`ZMkBZ*CPv0wV~NKl+KpbG2DI=Hfpw-!E(vtKsR^z(hQT;gvxtk
zj)ZjLf`OUvsH@+$llOUo>yo%mw;L^&S?Vo{biFGr=wt1ULGx@mwEq_TQZf-(0a~nU
zf4GZSUJ%D0xq*xizp-v{4i8(64Oml3J*J}Bk)(e_+8TI9Zk!cuKG{9jP_UP5Phcw*
z-5z~pU7qwss(ht9I>dP!(wRb*%8#zVzt4r9&Xc<#x4>y-b-#dO?$>Uno}1bt8C>Zy
z&I;)$U&;t}<23jXQcp0CnevT<|DxL&30mUi$!ZoW!6q$$ftCF3<HbJ;zcKc#**2ew
z$m+^J-*^*gEO6SEJT^sWnyyk!Hs8p9+IEFk%_Ft+Y&1sGL3gy`I|-O~XgNK35A3sT
zG9VD|qDR6T*fAHWdo(g5T50X|lAfY2&kYQpB_!=C)G<0zEiZga#uqD5Oje(~djq5Y
zXwjy)lrs0D&4B|sWV!*RZ?zL#AeQBANxt-}%Wo!n?O!|%C28?HE!5hWe$b@x(KvT!
zuEl!A%2<>$Scb(l1qdc3)bVue%M+Rit1XI7(uqnkJmw_2i3O~56XV+Rr<A%$x~Q4`
zA3?V(-Q{hoC^)@aaswHrrW2^6AD*KTD$;y_<YN$>`S#U5Zda~siS3UvS1Im{EQFZt
z)y8`K_a&`hYFa5Sr-2WKn*mt6w$gx9Br3x5NYhC)ELbDQa0R&I`H;B{bj!Wx1yMAH
zvdBTyoBUp%CRdxHS$1gt@^AaX>S#x8s$8W(GHtL$V^Qe5x@Y9Q7e0JujBFJmlZOkn
zC1V_IytbI9EF4Jh?_235ERk6JL{^=m#Na^N4#Zzf+#{FIK9rSs&pui%{*(UmNE7C0
zX&Dh$AkzvXwe!@^v)NghfhZSa?51$6J+?J_5zD*V8orP<Un6xe2WH!Uk%{hih0+{!
zMY~Nkd$OJ;@O+r%Pcm_0qZhfxiRV2E%x;(eoer=@=Pi2MY3+4*(#g0;Dtz}`Jmq~O
zE&@q@b6$vt+<0Hf%JZ;j{)ku@Y*5;Gd{eG6u;3e$cS&;4F=&|3uzgQ}i0kzVF{jUv
z4hgSQd{Jt=HmQ{<_U^kj=oDU1QeV<=_Dbn4w)bRU1k<IWtMj-laDh-q37a$@%#O2@
z{5-xQ0GC!o-_PRsGF;B5VAySde<|mTjf2zb_Kjy*O8<b)Bkk%vQoU}1oDi><evCqW
zv_`wb-p$o>ZLFpC&<|4sSCU|t#je53nP*7b4Jdc3oxlPQIWAd0#{vO3mBg43+!_8X
zh0o=sXiGr(B|$s=%s8x)<hN3V^9_%x+fCS4LOMC0i<UETiLGE`ZZ!Fw1MpPkrqeo`
zUf(B=89r}z)FJoOvQgsvaO=-DW^<1xuVobYq}}BQ5)rURbkpMolXylYp593u)Fq*y
zsDs4iI$~~TAEH{#^*YP7S(fMfP2Z%Y0|(N*)WIqA*BJ1h?)h=1yyJ6TxU4r%+$l~(
zrA|w-nx<863x)ih*!=O(u)xIEKli#H%_t`m%O>H<2`-3jN&WIa##<>=FzE<G_lZjo
zRODD&iJk{;5NPQ>y1k5X(OYr5iR<R)d%JCA`Cf21c}Xq(qj37Fj9XwV#m6{TSZ-=@
zFC7EJ`o65I!OGS`l=KDShb2ShdUy73Pmg$0t|b1p!56<w3hbk?V0qfpm&uMl3p3*g
zn!7=Q2|fD~N5wbKX|t`rl6c}PkPpZ8pQ^_H-rPItZS;;%4Io90SI??)UgyQpO!@})
zc_~e{uYa{%XI!WfW@G3yZ8r__aiK2_FkFsyq6SOMJ?zsek>5l^r!9LFfPC0)`m56U
z(0<6UrOlFVoRMw$lTEI9ec-I2P*a}o$3cqIxUj^nIjr%5?@GTqHERWF`~}034gJEG
z>K_!)uQ9~Ni>}THGc6+0w7Oelz^<F6F87P3ZXbzIDN~pFWEB`iSQs>FZu0LMDN=$F
z)yN8}vNfBr{Ic*z3!-25(uTdLD-ysq@m1QDZpOO;Lxd+KPh(&H(mZ0nK;V67l23UL
zx%otWec`%r+tO1JTYmIYt`k;$D;A<8DrP#phuAOe{Nadl5!T7e6mApgf)E_%pb8Mz
zbJnwYH0W)*14{{VER`y?a-v8aw}1e5x(r&L-UqA+PNQMz`sVZSLpE!zcAOM_A+M~}
zGAKugC>u@SHxrLf>_(TA*rBPyfph`Xjmek>0&3;kR5kwQ4~B0Kd8OmnyGY;1-y7!4
z4`~`#B~P&S<M8@YxU05xFEG3DV@Glnxi;%2^1kJLl4TDU%;$krqJ#VyJeXm@s=LTs
zx33pT;X!vZVv7Gt66@3T)qX#cNcl538I~5+7ygSt_`@@&&l9_%TqX{`ECy1h<kKj^
zZAxXcv1Tlxu@zs&&*$~92WkvixE<}}Fj)A$!z+FF3N8lUCn;t2>x7CQD7G{RPfSMk
zrDM+R6{g{-da@diR+id5yn^j6fmGPkYNcHqK{+fY#PJOn@u_YanvPjn?M~qwrn>#3
zEk=GMZ>)sa#l>4mfAcpOGgGW^irSyOCGSZu7wum0nv@k}C(#kH!**ftuKlAh%nW50
z7O!b4=UO8EAYAb^_|m|mY{>Su%1X2$`LpK_&0z9Gg8+Vl<$l!p&?8M|t?~$>_=(S#
zd_^U$vG0C9uXsn_r{9>7QptK{N8SWg9EnrnblM@2|LqerNTJ0U00(Xz=VgNM{1%S-
zqE>cuBy5=OadDUv9pYr53->f2aHvQ|31%o{K`ivfS`R06V8J+pda9kkIcq-+6YXCg
zg;yDnc}h?9b9Y*HDE?~Zi+Cc+X1?-`&x+Hj@Ufpgms%_6+ojQYq=C&h*pfz~$SHR>
zgp4=xsk<!#t*wR_i|LY>bHzCj-^J#!egReV%_SQ{AlEl;(4fU-gihJ{xnH0UO6G!>
z*+--OTVy)TW$LcmI%lO-BQfT@!?}B7^}@wEufQ{0Z*KDTF}Z*Rs|XY8FBtapHj~>r
zt+y9mJOe5Hg$p2)!|mwtJYVI)Bs(2~W6Q_B-A(qe38lbwJ}LFKi&@>`soU)uaReYR
zU-%s}2U<LWnsQy0IPZ;krSiBi%vcVXu6bqeJC=tee7J0LVA4zm38P+cF$@`RN2HdW
zozO~omP@a5z7X^y<}lZqZt2^17%*UyNR0Rzv`sAca@iaL&kmhw>)o2VOyvtCbE^3h
zM1#g)Wu;_#!@qC)JNur3LBjD&iHcx2IhtJ;vwBU($AnHwKGRT4o(dY1%ON+upf6qJ
zZdOgv`n)fcM0#zo7WsZ;p?el3AU!Q3b4&sdc@>x*I}-J(q6fRh!SY$pB(hs`lkJ=o
z71Dpkc|WsT%Q|l9;t0)qDh7T*pk{a2y>oWiRs*x)ITafD49%P#hk8gbW5SADD`_md
zv%KZY5=zuURdr@Rw%AP+mf$IZcgzqs>YN%2=GCC7%4`vte01Ce&IAvQ-?1bIYbX92
z*pHSh`WMZ91dlUj+;Y6nj{!~)h4v-N8JvBvD$KcTTgf7e?S;*=TZ%V-XdF4d4bGgz
zxO&-GeX{pfd)Z7%{FKw9jk8R~e!e-K2XA}D0U~y}o=94|_am_(Lbb-uaBj-sl?TDL
z7vp$-aH)gt*M?ejR11fJ*6vRFA(IiZAx844)6*s&N?H(pfz_gjro;4)63FE@H?zHn
zMX6cec&};HLi<M#JH9k0gpgB-M?hjZjgt)E(&-lxxmXeQ*47|41R^l%(IJO>ZbQM|
zS6FSqz>trEV6uLEfTgwAnk=$7n6#vo)`FGzU9mqa!d^Stl_O%YIunD-v1hUph?bFf
z6W!ANC^F1QF-xL<a${b4eyK3%cK-(*g~Wny@{7r9_J#D$|Ha!|N5%Ct?V>or-Q9x(
zcMt9m2=4CgPJ%nZ-GT>qx4}I)!QB}oI1Fc!-}}iu_g(9r@2+)k|25Myd+*-0tGatv
zJ@wQWPtoCb;3q~WnAd<c#ix<;;icNMhv4~gGgv@Ym?9x2ukDxdj|P%am^ezKC=+r6
zYU488iW6rBcK|;hTinS*CiA1m5&aPDGvd4#XxHh|E=MU2*IB5kUGecRujS_zb2*=~
zXLhRRq^ZagAfQ>3TAe7WNE)fa${J96ske`$Qkk{;F*R${eIuM9EQk+xt9>ZzLeNte
zLUtg}k6a!3Di6GI6>`NViiz@fVblV3rM_B!mjZS-UOK<t{)SrZ9$qW2aaEoqS5>OE
zn3bMpyPTqx2uUl{c!uo!J&74t)Pp2o!b`LZfgBYcW|r}pXizNMH9QMpV5t4bJ8d0g
zPQ@ln8jcVa2mz|*&izMqzR5qEl?-74EBeACycGJo*Ux(9H&-tUR`Ty3e;blm>Cuvt
zNo{jqUf=D=r8y++?J>bYaM%qv=ne}D1jX8X&{gGIFJ8dh$X>PKg;#4J)0uv{(O6oN
zq>2c0r>s7cKY_GhT9dxhY@=RO^vgQz$rvy^y~D`ZGvGc@uVTLSV^$v?u6JJj=9h&y
ztMeGJLF7YE!Nb>MiTn0^+4J(euKZ}BPhC!nFNKcsEDZS0qknQ@c6d4K=)K!8{a_(}
zmhv@WUPyuPmaQi6j?GbV^&^zgFSQ!CERL5lZ=hP|Og%nZICs6*qz0;ft?T|Sp&)x1
zBMxF&%Kbu}dXMFMz-b>y@yFw{kzM<=UzxY3At~7<HJZBY{#NQj<yzpK91lDo?UxXo
z)8WG8+<CZG%dX$AE4Isya#HuGy@cPC1mz`q)VgpK`tU!0yg0@P^T%GzeLq^{A)cDp
zY6*2l_o9RLl{Wj-Zf;_6Te<C|*KJG`=6uYe#RO;ceK9()VZSP?W*goHkh(uP8Lvxv
zq%>HU=WNwyb}%H|3rztRho$yt?+sO=2~B!5H!^Ae>;2NBddb-XTDZof$*;<`i7b)4
z;#0H++n@2BT~<(e{@3qzEdnH`qcoga90UN6uD3a7che}^VSgryYrp6bl<5FBTGQ0E
z$>DQ(6RzG%dgWmd%g?&J93)HBTK6SpZs6Kfn0=O34@+Y7ThYPN`>CoAr+RH+0);D{
z4}Q2@i?|b5r`pao<W1wcb?Od^9rZo6!1M+u_DX9;LN9`#94ewk=K;GdpRCl`&rI$#
z#-4g>!*NNEpZx7r7$|qfCa}xHSKO&flh>rq;fL#9`_>%B#U6Dqib#Krdq7B22l~HY
z?4t3v@OYkkGrU}~x4;wPFJ7+&*eVLIw8ef_C<L$ev#3NU<9AyHL)O6!yh`;Zi<}2V
zjODeN$8g;oQF9e3DLp+zLrFd7+g}kDG0(l<cJYpN`l0Z>mh5Ct6GYO}twq!QoZRg`
z$Xy*~1$&t<XrHAfx&_`cZrB`Ga`8ava_r^4w|H}WH_gPWSb-r{YAJmq3x9|V73K)-
zP`(Su8=p&?Ev<j+H9iY5f@B(`1hYZbjt$yzQc6bJj7hrecrwPnoYLAI@Ew2zV`b*{
ze*czbYBxgvwNKHWHbyzhZW<XmSqQn=rZtrjG?=%w)u`$rk5AK&-1~99e8jID^3wVd
zLa0KEZF>6fp06&Qm-lYTu~G&GnDu-eG|up5rv(*hwH|Fu)njq83D1YsmgH?HBn#%}
zVRm>+?NfdkL4Y?xpb?yh;*E&(;CkvvqPnYWzzL#Bs8!*qI9uO41p<lRGlM9ZhgV0V
zA6$I9Z$^s!+3i3N9RdckC?~xjXonAY1m664R2Z_RL#+36hYvl+0uf3gg=NMxwPx-*
z8$LYoLQjIGB5$GUBJumtefm}^f@w>}04b;AcDF!3>Y7Hx?iV9Vk-FrJjs^m&{_Z>)
z+qny_MH@FOgI|yO-|<@-E2HBfd6gRWfUnw1encP`cs=iA&Rvtp$u!!14Y@RAWu62*
zYP#utP0Yis%ZYEl1FqS81RwE*!g_r8DBxMKl$;)}l?aoW+}$^?*VtuOo*5mLJZSeI
z?l|Nhd@c$YccHc9)yf;`Dv}fvn-%sNdZzhJoh8_94=NZxoU_WVKhxzg^PgwG0%DAR
z#uV%2N-kcO=pEPoNJL3Gn)^0Idkv9_nf#%k!UY5DrsTUW+zv+jIRVei3`()4i{rRm
z8r0()bJ`5{Ox*7+DED1y9>3kAqldrah2O8&C>Sb+^kCXAS7U@hLN!^eq3EzIx7|!B
z5uEu!%Y7q=R5Eec`HDYBTSJLJrgL{L*%aty_#3fYc34`(^eJ69xiLLkmos?(DyRw5
z-3Hcpi`?Z@qdxOa$oWvi(p63u<;0B7)8Rr}KCQS2b|NGxJHq*jJndf_0r*dJO5e=B
z7Jpu0dhW-=DOK)Bv&$3k6g~`<xR#s6C<$bXiHm;;KOBA?t^5!kA;(_B@WOG4S}rx5
zt9)~l<~ZA;s$p%Qa}F&2*nYrdwsh83`MAxoajX$Nu4Y=AyI12#ThF)Zu}5#G{n+Bl
zgb0w!N&P@?8iX+)g6i&{t++&`S!bkt$MZb~C4y;B*_1qZXD~`Xz=~^n*eq9)I$m4c
z#&t88<?<YFSNmzzjaxBmGWFPX`FiP4(8YU04!W{AaQSS$?+e!tzT^Vxjj4iQX&JdC
z>@^YKSh;K8)R#$Jj)}8xE<5jsS%z&~{7w&${h!b2;#@e_yC0q&%xp9dc*$I8>Ug3s
za4T`mC?#Jolm>(rEBw8S#K{L(c9(t{Uf;~ZFsb`+)cSLC*zp%;+&ufS;~mh|dn`gx
zk{Eqhids}>rm^mB?C#(&#+6yWqcUXa+A=AoWt$@_)t>7hcsic7O@|tn3f|}{v*+OJ
zvBDikoiH2Ql-=4)4G>~zbN}c>oHq`ye79e1KvuhGj%tIh(jL>0Q9zY~4Ie~ie{mw}
zj8s(ln6i1-W(9AQYkpDV%6rOsS>a2U!??e`KT7y1c1(l(mfRP$)u(qN_`$`$drqF_
zHWShKjCjo#T>!2*!lsp2%RmAVGATqYD}(*YRZ8%gwPnqdB`4P}wN(1GcR<}YQm!q#
zzzD^5>P=`aS|Qk?WAvL-0zFwzZ=mL&#mdQH;vV>Iiul~F{zAP0*1jJZim16TBd=j$
z@pxf;C2_rJG=_?MeVI0OOGWIacy=x<K7M};IayYAZw+UCDpyu{uG`S@SDVi**?@1B
zJ}}#HAvcEPmEQ68SmN|#pPt|>zNUp|!@$7Hccu2gdNeq=?5H6FZnuGs)+~K)jYB9;
z!Ng?RJYrHoP7W_E_~<A-CXbHJAa?@|Ijsx8o-G0ht7)0Vz<5QJSTjy87|wSHAwpmR
zZHcGSXqV49l210+Hdr9+?aX5!leFx*ByrZd`t;ep9G<=|qd3~U*@}jJS@_x^2vAde
zVLO9=I4OYit7CqR<<G#1-rWAuXR6&2K>DNbwJo*ZTsLRqx5H5=L03@T=3}sWB>H?E
z*?p?Bqj{<c+;gd-$<Q7TzTl3ghd$R?<?b48xBnX+>N1L7R`YjoO~a2zLes2`)o9e9
zNnNzAv9C$Tq+t`Tc273%r~+aKjOhpcr%|Tnz8EqUXU!BP;+#oq_khew!t(?pfrL{$
z%@9z2C{Ed?<6&KzTo{VR`&l{GD}}IC&#~t5KS0QFyOp|u!~z-&Jhoy8>f8}}WU9No
z&7MLWC7|BZ8WFkSzBlvPZTaAOf``xNGMZ^sHVUfDLr(k*4C{=ESafI&_BZUbae-+8
z!KAyPkJ3)Il^4n96NbB;)A$BWR{AW-Qan85GZ4g|m~`rb?S|tU^UU5N8G}a&KwMTT
z6o=6*+nO=xz?W{LjH02ueYbf6r8YlF*Nug}(^R?NWWo^|6jR;T7PA2X-k$I5FU}RJ
zR##os(h6cm>qLAnc!`;JMut-%2o63?f1#Q)q9@SxHUsHNREM6ZORRl9i~IPyn)e$E
zDvjwwqs3OwiNzcAb$3dsVH2y53^YUMdU}>^NM8m?<%(AbuK)~}cNj~aLv|fYrYCgn
zt2dKC2l7FwP#}BfBk@N0TtX&ISDTj`QP#cGw-CI2;8O$w3+HyGPJ_1X%nwhj4Xrnx
zo;Z;(>ky~Fw+;l)`^WdSRBt3g$vF4%CO1dI^N#_%3pSdicC~o)hsw2{!@^V4=~{B`
zdsWKeDz~#;n=J%2FE0pS=D4ZG6yQwT$^E>&PW&}UHv3my?xggt6MjLX-!`7qx*@~T
zT(0@JMxN5S{LS_TR%KpC#1S35g_6;mwcnCUcNgJYi8ln+fu7N;?T2!~0!m2w*hgU4
z)o)Y}bXOyxADVfCK6MS_-IoU$p%beKP>a`%z;wWyGzPs_7+xREm|ByGH`MpVh8LC2
zaXrSXJyj4-Imf-=-0Vu)s_NHknhy!(3voGJJ+I*gJ;YProuw03YF)T~>bI-*Uw${<
z?TD;6w4=S??Z|``P#Xy#pYY<gTa$G8AvM)ng>y99MrwLzPf0Njd~mr5ntrTq2yPlb
z;4la29oWY!Xm*^)G04hJVT_{mUS9Rl<+=FCmmh!$N32h{k{aZ@_q!yYtFc}1K`@Va
z8~jx<>j-|A<8Jv(A>rmi<1!ydoIn%Um`PlDr83)H6%p9n0aZsE#hkdvP!7Hc@D+Q%
zZ|YPZ`wX?&&K27=+efBwkhJP)2sa}Re)|OojvvPFrJ7_oMjNO<vjv><2L$@EdU7)>
zj`g`S>31fcTSAvFI78IL7!H<*kd-<p%|%*bX)ffV&Gf?)d%#OYb{u>9Ivjww->>X*
zXjEtQKP#_^k245M0CmReX~wmC?uq-{`PsHooGX{vlQ2*?;Er_<*+9#!Ux9{a@~aiN
zag`a<XWl=S^K^1Ggz_xrzfLj{uEf;}2I^eyral7;Iv4hK5@i(x&YzBfd4rxPhpVb_
zU-IJ3t+L*ItwN9>iKeEhL^gIXU!tWeeI1$wI|K$Vemk6Jjhj+ZK8~s$7<51T)BXs2
zNj2Q?$(hb=O_E#rObHM3P?|Nx^zGrSVO}t))tyh?H0RhsD=XKH(H>HvaFN+kJZ_FD
zGh0VEt2iwSUb}3@oOha&K6enh<fBy*MQ4B~Unew}Lw711pRWjd-=*^)YhWO^hdo--
z>0QBNN^*D@h6kS)yrq(~h1H;0l}g^wF?<sJ=MTvWm{?eCdRGo1s#U6WF%(bp#rofk
z;%OmLw-Ok4uhI`ArdmEeOH`9pXniA!uR?GH%52+vrnP)Fdq|`PGydrH+muWSg#uK+
z`iA|cK3v?O-ICuI$UE#1$n)eOgoxStwRYdHb>Z9BwQoPUVd^>N>rk_a$(Bunz<0s6
zku&5pD?Fqg0<%6JYuR%&)ZpN_FiN<Q4C$z7)T?_DNZ0aw7`0gy&r!6^(^+pUY#6&b
z+KXq?kxloYv*X&{d~>efh4wx5&iHeQvfmLuGvRP6Q@7P-UuzAn3kF%HFn{tQDFKX(
zMEwqLSDbmcs<rkK--jZ@u8%PRsG#Rp1&us~*4fx0OwoOdF0UqKf9A<aBib{QSI|pl
z=re<CRz}Mm@wx!s@Xnz!L=XX>K1FxU2Fh`WX{SMU-Rjke<OPMblk({K<o(#|74+tm
z?%)uXb5SNPl-y#``T46?g{C}%Pw|3yDd}ztu*8LYI7(HZlyZ72A6uh$M>Da05IJJ%
z*=#DNX9O1BdO-v1oM#T@fzRf8Tby0vxFoeH>hRWjfkxom@}n4KOj6F<N`|Ja4BD2Q
zbLg^eH{-NrPB)@g`VmfADlMyAvIkdCEVtw7P1?ml9M6#dc1jtV4tC436_a5Mst1<p
z1?Ki&u+?0j2f!ON!Lx05C)o7_PC!yCh3-g^+8gE_p15k-H4!}Nhzz-r4NI$qr~C&N
z;AvXw`Y=E5$a~$RpF1-9g*MMoVMx^&y+%Z5&Kxp0!Yg4HzbED~RA7@##$N;)nT(;u
z_p7r#84dFjHk~O}?dl5xi*}S#;A+Y*1&&Dlz}JCns2@TKX6Iu~*{AczF6YI&YdQz^
z&O%ud7UgF-FSs?IK?$CYjKOJ;Vaf!*ZoP9o{1u47;f9r}2d~xHCK!l`o66U1d*NSh
zKVvWEXiL#Zb~?3}R#ZndA~SKS&~xtRl9%Hh%}ry1b*x=O!W&7(1csq9-1!s2axO{@
zO_7MWfu$c`E4&DdemDyR^XFKM_USXN5}lh&Bz`p)x#W?j0@4-6a0Jvukow&yQY`}c
zf~)LE2-D<EM#o4Rt@Q<}&_@!lI`;$^)fqKA{ia<8NG%LMPV_LVj(`z#YhE#p5)ZSd
zClvBE+c!BPLQ?T~Y3P>86yDFP=_`Jl9j|H0EkWC>u?ThE4gUVQlZOr*@6MlSfgUU<
zrGdMHOLz%`jXR;a1RU{8hM5Y~=Eskqz_zZ3Tb)*N7gPDQ8!B-_lHu7A#^3_u<#&iI
z%CR;J<v5?>Fpn`^IJm-YdwTk2$UNJ5RCGz(TD=JvnbCe(yEweMEbh@lJkwjeIP%7W
zTBE)bgh}$$F8f{H$mS(vEwh~M-^YUhGn*b*zyn&<dwcVnVt1lJYrPs(5VjPpqs5xC
zEwg4n(Z+t;ZUNrI??+?7`Bq+O%dY9Uyh(FgFi<m0+5JiQ)o=r-(d9JnM&r1D>WJq=
zc{>&X+MrOkUg?BY9DjB)TO96e+C#n@C)2ING22=kThn`<{p~@E(9u#aj<Zi0y8A?t
zXvs`tcdVbY-1gY!zlr~JOEkWC-Dd}UBUy#u?b8mIwc_4XHhAE5d$}faG|cOG^mfo1
z`)N6^Iib6hL^dQm#-Xoq<Gys+zd*xEcR)}ga)WOO<SBc()btAoBuJ@_!q%bvsY}ah
zHY1q1@hg&fl4vg926ikQhiYaO@y?7nJO1F|3fgYHJ+%!9xAt1guWzY&$kA+L2+7T!
zD8zWE&SX%kC24>B>}Tc6F-`kawPI-;$<cBva}#4~!RJ~LgCcY?yut0@4y_Iggup4o
z(cIRx^J0RQNOOUtwyJMva2gey)>4BA&wS~J@Z)_ywH;?fs>uMp9{J`em@otg*@CT+
zD{6GC9(@K=S;Czla~!EVNAYtNmYwgYwKkq+q$u6@${E?(caX2lq-M*|EpsJO+G2L2
z5@hRBF9f>;T&D2OvAWI}PH_@D(m{D2yHW3R<C^T$96sb}WSh`7IG@w*AX>~(hGrUP
zW{!)lHGnH1Jl&oSgUdGvlE{6j1wMu-eaN+3k!0!r(Ny$Y`z^+=Q9CYpoSMbwD+5W-
zUaKchfZ#3OYc!5R=T7$n3eZJ5JWb2^bih)+^jf0o?4Wtvpf49l?co=|W1puJ)HT_`
zl>Nwr@_OUy`}p1KYKK_ZFWqGD`p#&w>Qfpm0v}JCkWtgj-poZ{XBUdV66;p+MaG75
zYz=Bjl$^wM>c_~{O^d0Bg9oCZSBURnLSu)p3-<=sK`A=WLzlii3|f#J0XQszzuDEQ
zmn>`(9ho*t>%0anynu^Y0+;*pyF%EXKx&F@GPspoxhC5yr7o{Rz*Q;diCphxW_rOF
zB9ZCY^fi?3w3M$xo5J&?+-V#DL@QUy>-h7`j-%^M#}mIS;prV$%{+567mF2a3luA<
zcqiyejNfM-9J|5>fKcLY`p}R-tfzGYzN*zP!D`W^teOaI@AChGWvLC%GCSUj*Ov!c
zz5$5`Yj#)Z1&*I&?EO%XXdF+KYc?0zF49ZGHIuTn%ls@wF66S*<`vea9!5`HHx<S9
z;Qj(NC8*=u<aog&(QW1$mVCX*Ug2Xsw+-mp4McwLICxnO$PafgeHwwy{uF9kU=gx0
zq;|j5w*)cq8FlI*%<ywMrAr1FDDnqto2uTQp+>1QFEagU2Up6UFKKn7GdfBmxK<<n
zTJOiLU<+k)P#8m!9@w$wJcG`U>xuf_QiLz(n}|K*3;~=3qQF03V3!<Lz8;V%zvtuf
z+?R-s39W;!%`ASPFF!gszX|~O7s$~o;_p@epgjLQG+5#fob_)D2g7qQz7dJFx$Lj$
zFjG@ggS}DU=A8HE3~dyjD?k6N+V2MdZul_&^xyvlvi|w>Kf$a1TX^#SHikdv{69G9
z<Q(M4t@-I<Rp<SNFBn2CQEhrSm2>kKluH>Jmgs_3=eQ|5JAa(^W)A~rqE&TKL*7dU
zNR6I5JdNJo-346>Z-8Mr1RE9E$s;_$VF{hCo+X1MxWUPK1Ez#<vIYhh!_d?|hYpX_
zEG!Cukp)i)>bI`PgDe<WSZ{u0@EE^|eUxnrU%tPfx*D&`MWtG5_vH@)M|9zW7GCp0
zwhxguHZE9zyTM>^b%5xG0X`^zkHs@`FbV_v2y`9x1%vnubRC324Ab`hXvEz(sfSF;
z0nzq4zm{GgEDZ(fW!-S2mN)(rGyb59H|p1~y@k2bp&1K@FzNi#U_9eef9;?*e+X1*
zksfud_qNGJswS3R8!A2|$jG%Pf7gfEuHJF|0_1b^&3JOX=?_3NikoJi)P$DShaU!m
z9%>@`s!i7*RPhfq5?1c~RFH;da1H|uZ5C1C?*s#)!LU?%%zkk>AN~-(;><rPV65FQ
zR+l`PE~rb%us_;9p88%n{J^u`=(bW&I}fZvW(T|b0BBF--){K-prqGom6mG8e?t1R
zcjDpW%R~$6yoFEu4eoi1G(69sDohCK`~V*Y0rLRsGHu^gW^hHT9G+N%JjZ#9y$vZV
z0-6}aGrV!br=;X*tiv<$rr>4(_}-o@n2x7@AdQj%-w`zx7<UfVS&h!I95BGNC_(Mt
zq2Ix9Z0`tVV6K<vY38v%2Mx~7dY<NT<0>1Ao>L&8B+{FC>UAHIgBg_=^**h~3qw_H
z-B4JVLQ`!ZBQi2wR@Q+<SuV<z=t54>{UW%781;~C4E9Ekc&|{q%6l8C1T18@o!y+b
zv^D)eF(_)fj-G(O8a#>xh6oR?5&>2P=2qb#jA2P)WiF`c1hBk$%4<hs_mdJ?v9Q(+
zz>gpU%=!2&^Md%1Anf_{4<!4qMJ4)bV>6gbhAOI}w>Mb>uJ^}<NW#GKlBq6J{=eAl
z->dz1BQ#03V3ykdMoGiBFa_UJX*!iDPEFk=(wp+v&Se~yD{%>z-jCX%H5Zvh^ppbV
zRVwJynEVC&iPTch)&2#zePmd;Fq)iF>wH?5Qx5-wgOpFz016%-qyGc;eYes|m$)~t
zr;y<Tt)j}TEhopUBLer&SeU}C6SH?N-SA=mqUHZyHhfu-BuLM23jWE7L9lnu_;2Tk
zJ2R_rM*TNDL6WdxdipdyKC-RJM^Q56aEiZ>-6g*8K^4`w%$k27!Vz9E|Fh}r|0bG$
zpFRPeO8yQ9+oJ(!J#wBR29`9~BF~z!1lyg`N&&47f96JT8~s>e?XomKIl+s44o+V{
zY$~`N`@|wRGiR))Iq#?cS27X<;(s$Uu-%7g`;kbt2M@R1DoVeP`gVwfmGbv;)QEni
zgO>e5Gu@{~vV9|)ursO!R^3{a8+Y)GQpxK9=m2ar3VCk+cn)N3y-`19Em$9(>2kQ(
zjaWsHFX@e|a-t<9HbB=xq;v?=xc@jg+h%yU?_LuG><%87Wqp8sUo0K`vJ2bN{cbof
zh-<TdFKVU(7C$#m9-NsV>uCVK2r+>X{so<~lmV9n$M%-;<+)cxgTT@$9#k_muO~h?
z$=At-g7a}F$A&dJPYdi95PdeR!z0=}L#nhh9y`YC_DV<JJD5#*$IRM0^#^M_WH7G<
z?hMtpPsA7gh<80OKSaJ}elPf>)n}&*M#9tlU9R}p^Ut{!UEZ+3wV+$c$frUgNSy*j
z-lwJV=4~RVZHBu`8;w4z><d_-XGf=G)$aN(W1@UK-;R^wafq!_MtHBeQ^9lY<kTYF
z-`9iS)&)Dn@}*p)SCOh0C?)g&&gH=RGZA3WCo5>Z31oYU8WG`h{+1I%Mb|@m>U?Kj
zX*AT|-qfbswaYq@3txibaE|sxl8N4pI23Rw*ys#R2tpcLA-7<z6g(;51wRZ{6~#Yw
zatqAh<q68Hzg&BMOo%R8(IKb^?TeI&;6p)OV{zEz!HFyW>d9ec@N@9cu(wQv;=#b{
zR+g8Oz(OgUimvZ>@a$~?fZXachRjz*ETe5PUJO_%h-6#j9C-0_)r=*Q7Npb{$ki6H
zd2Jak@_g#gR_{Js1V3S9*q(C?a3E9S^;U`)ZGM#Dq{!!-KZ4Nr5l`0~0$zadrIg`y
z8NF_}9)9ptMkzjDGWmIT+|=NZetG*n>4oe{becQ8HQtl&<>}=O!So1&Tk{2}?{d$p
zEc5QjJTgd^u&>6}c#zZTIV5)sye7QY2Z3i!L>i*TM-i(efXQ9s$D<c0*Pkzf2;9u@
z;gAcz+La#ctt0JS1kXrOc0pfz<y6`QvxT9gHG3cYw}cQ2H@}GRh+DxV--W43Z*NgP
zScnMn5mr1HXanm;Sv`=m8-lBNKU+a`qw+T3c}xZ6+!Ty9%-lD}j5<Ggp~i(f4h4Tg
z?EfLUL(l7qz37kj91q}_HdniG6dhbla6)fBgP0?#Xm%qFzLX<~-)<VPxpAqc;=<q#
zgq%waLeQ$d&@mFtY2Io=HAw}0=~Dr$RyELpSBz950eWTq;pki4>#3<VMc|I_Jz91)
zf6xxWqA}*xyvd!P9};-8xOKuxsmZZD$CA!!N|1Gzv*%aA^O1(}Q>izd56UA?uz=)N
z){PC=uGyoWiJFIlwqbd=+(hVGfZ<(iK{z%RKhxG^d^x-sUyf1k15p&`Z01=UzJ8hp
zT*;(AVGckC(~9Oa2CN=x_F2~OVeR9b7Ra48y4!yt8|vqS|9p&uh8kj$Mk<MEyk2@a
zE~s^n@wo!QeylyhQsAW?@>dsH4q-4(FJy-lU@1`Sj8cmS;#bP3$zj#ZiO7r@hTSG)
z`Ini;!3pRtecQ^^#xudk_e^|His9nV2V2lEIvfsEWf;jV{a>t>UD0jkCnznzi}*Jj
zaMlZ4*kIJc$-%hE==VAY1rv?9BG)cmuZMF4re&8HFCeR2*m8tOcd&U+VE?56;jGU9
zlTwy<{YUWOKQmBUy)e1opbR_V>u5g{K-lYXew>zDGvGaikVhy>2aIf%mlhn<G9vJa
zib7jy6R~dp4zRlYof1M!-pa>Wwe#}wU|`wcqp<u!lr0Ne(>?>-c9UfeV&No!Qv~$I
zgcr~CEhxB^)8+T8w7#l}p&EV3^e@Q7OD}h_s(BvnFAhYved>qS6*+Q6OQuIDDDHc%
zC`F<oW(b2u<*gsq{tnI-k(`RvR}07pl>^jNr9S7ePAeEcyw)_lpQSDuREr^e#S|h6
z+l8gh(V2XB^Nk36YfVDQ6B>xnZN5>9uO;%>(gmj@WI^M;5#e^!S*d7x?TQ>@4hfp%
z2G?~NOGn*ohVdlZ!>j{?7ZpbqP?(>zbdpZk(No3qQ(3LFfE7F_?--$nELa(MpVcj2
zFq7Y-oP|EzSdUszo-Lof_zu{kADqM;qM>B=ZZ?qnU`g=h&#T|UOF3I@Fu0y~W5Ccv
z1FB_Oy{6i7Y`e?B$xFgBg=(k^WQ&cvZit2P0!S>^PjBG#9c&-TqLMW%V&bPq(*P0U
zVbvXBDaFSKVQU1wAm!r&WRMS(@>0_mszhs%$v!pH-lzx}CFI)W?AK6NAMKkTovTh$
zY7VmU=#$tH{16?Q{o7@0RSXxE9NWJUq2GwvHNSI)w2xrh3r~rBC?+2m+zm-<;h^^@
za;I?34jZBFg({}1S4x+c;>}YcrXwGdRBtOr4(Z?@g7YdJG*ce62wzLUt0OEfurop>
zV$at~cYSsKSplA+=?kM|6x-;QBkR;lT<I9`2+_84Rhci2Hg1oWtC@gyLSnPu#Iqa4
zom0SBLD*t&Yfr{~(`vaCAx8M@SgaI}#Mx`8KLWxQ)Qp!9k6tkv-yd$Yt76V2x@>0K
zCZVt_HMK~!Pun|umd(N=@7sPc5#=7OaQqeIZh=W%l+cC{gy*&I+EL#bvG5Kikmp3W
za~4cZOU;+ndpfF6?RjUV^^9ky15c;aJLq*d9}S{VseqgBz|!Fg9^WM_=`ZT8rR2Y9
zM~3c%A}^wxw?aC<2y-IC+hofhT%9S^K5)-|h2D6=RGpLSszljZKr3kdcH4}C<n<_C
z=b}<4%-M}~^7#qA%2A@eR6el#s_+U+<Z=mX<%4NrcJ_|lM=ik+6Pp%rHFZAr-VWZ+
zHYh2XqE{HKzB~%As3$$yu9NrbKN$R~OHX#rOqwc$3bBPESB)p+omej_^1?}Wl=uvv
zQ~SaKE+2xovH+4JoD`2x*&Ew_RT=Q{ooHOp)duJuOrd+fM+1I6uWAMfr7hviZLeKq
ztWPb4iIDFI<FmdKOA(gcn0sSDW2drY4UnQn1%!v?I0Dqo!5NS;i+=gCzUduAJ1za6
zd=EYi=(l|q&&}3y;;Y3ttK^Go1`M`Vrpe3rrt`e?Zi=gg;Fwj?M}pNy_(Yj`i4UHM
zC?z$4NTrU^?HI9Gyw4djjw!TUq;KUjFFQtRWAG}YVG}B2V*uPqDDRu~uk9B|EiMAo
zVX;}^hg)f{?K(!oI<H_F*qy~*5OvwU>plkuV)L2X(C$7g{piYoW3X;+@Dqh7gPtHX
zyk`F|t^}j-;2yw{gxAR?dVaXasIJ@?Ql>TC_L*@rQ|<s=P1j`2u!7hsn0HHgt;n|y
zoT|IMj3g2h#&KA1D`Tb4{{waoq~I>3)5h3m{hF>;NU;&J1?AP-nEX{Wz=;!8i5P+-
zntn}*#O)%nSTOl|Ca12~glk(*=M9u!EB4Ff<A8po(}R)DNA-7Z{+JH!^Tkxe{gmX(
zAsHRyMcCM`Dda>d6~gm!fnBzcC>6Z|EC4<%lf~YvkH_7rC=6%e!Is81xMd5!$1D#u
z0R?7<3RwFnyk7jz`tP;jZAw->cB^L`*!&(*C5pxNkkeO5+n1&%zhI1h!m!pdKb)bn
zzvM=aAvRc?6;IF7r})*x{{5jknk8&7EYM3`=eJMrU^BPi-A|^)Y5y-Jnl1g{En(s0
zyU;x$rx*0fbQI=cX4l@ko*L>fnso(a@$q7mevdJ2B0ciX0teGWk9ejqj<|{Fbmv;<
zss@c83LNj~BbXL03R%DBn=}D3l7hAc=_L2c6&yZuU$)JgP@~?RO|4;;o`~Y#q5cj;
z)R}h+T<FF?2YZw`SVYCzr;!cIG)R!Knpr}}r>|(wv{313VYt7lG6xJ_yt9Sxx{!JH
z=Qny?b6Z6pC6e5`b~MuJy1Kd=ecV4!QHCGvHK{XcBAoi_#1UBrt*gcL#!^xxeDS0W
z-t9&)Q(^yd_t+>`eu3Hz2vIxERHe)Lx=+^o`@_`0Wr;vTdi!|j79qL~q%<|LP!`L!
zrG@DFb3qJV(OFR5aNncbO074Bh93-(Nlud;Nyh<DEoyLyPc+9HBaY-oq0$1II2MXY
zr98}LY@h!SHg=Ua5Xl0O$&YZum$U?gsN2%t7DBv~P#hwJo^eOim`n~3RVX2;;Bs}~
zao{4Bk@FQ<Y}20$BAo2?iIwFOZE8kOzJu;+MVi9?Y+QnkBU$v=4qn1=u^$BY3Gj^t
zd0#2fOcDvn2Dhsi)1S@-I>Cr^kkCB~Zk+anBbp{7106V<nBTNN5u<i~axk`@^+h*A
zCQ#kek_6Z4mif0048Dph>zXeiNC)L@dc$8@`csoL@!OOG16T44RKdLg_AyB^a|Adp
z`cdLj?N`{3-jb3k$x26GlV!fCD2VdUe&U}Mr%O&)&$*A6C@yNDxO~oTIHb<FTgw=o
z5_AQwby%{W<v`_T^sOT-0eW$`@I7;JXF#J5bneY!Dol(a20^cZqE$oXN$BlqK^H85
zRyHRyT4Y^RP-yQicQzkHnj-{3!OspA3i+`i6BfkBE~7U^ttSS%QOK#n%Y)Ue6uG)E
z`}i~X-c*vP^=F4F868v6^0fR(MXgTUeiA1i*FE^&TJh9El@j53Yq*uJLc_^6q07Va
zGQ(`ATl5!hqH0P1&HXC)whM2>16>>!r7voD+wuA;g@}5a$nXFvX|ea3kRS!IpLTo{
z(InNpy`50T*5%@IvPj9$CH&AWZr#|`zrb7*St>k^Bo%?J8Ir*p<^iV}f?4YE;B-+^
zK?^gM-m5OOhPJ{C9^uo7%tONsl|$3_xKI>5{a<>vW{XFN#DHfBrJTuuh`D7h%JBf_
zs}Mx4t@}_XClo!~WPV@@^qvi5a8%z(p3%J$Z#Pc1$4ENSm}aPseL;ld*s!r#xTQgO
z2G*9<d%bSr6^ezN`zLzB9|#>wQruOOI!K7x^W`}*F6^@(tM2n%JeO|-h?h}@?*MJ`
zTQ2>Bua~O<%a=&MABg2FyDVW*-#ucB73%Yu`4ICrxAmAubwMPLldZrHY#2q9AwP?6
zH6v`qf2{j0D?jE8TJjH<(n!G0FIrRGNCvKbk;}8QcrD)4>iY22lIWz6iSoL)7AKs7
zk;xz&vd#8mhmLIYu7RY^S3~mbWkjNQ@$WC5%F}Peevf(+<9O%r-=7BsyUx(@g{Ysb
zkE6wJC}sp9uZD2YJgnFVbR;;+A0Y6Bwm?14i{Sycrkf68rm-AT@2gE~9R#*e7j%!}
z6iAtmU$)r-y(<0pfIP~8zD?s>CSE^C2eMFaNR=~n6Z;_>e50E%JJ<p@)3P^gvwG+_
zUyDZZw#?ccR=ri^;p*OM5z4IUG;qqctl!ZQ@1x-xQS+G<v8k*>J4_MwFn9OK13w3<
z9yu^NI{n$N?})4-qq<Bk>7B#rAlMTo`=R;e(o8(P7C9gbbs<a?u4z$@g!U{Qj*fV1
z4%=q0fuH=FnMr@FO2i06#@y?@C2&op86}wsf$ABcO{celgs11U)QjmbV}UpyY26s9
zwO0+>2DLTsz1#qUx)x#AZqV&AJKpGNz9)kNp*<!F_S+?Px=9sd`#P}eZH^s~_-b9R
zQ#Wr$IndHc2O^kB!{9p%zSmcn2K&UQoA6cI>5|70mlpeH&&zo%9=~4<X=q_0n+0nK
zB^pH2U6b?j6KvSSiSzd@TceXs3VP<8H1ADH*gY2bLH5F)9!k;v+)xKghfeYcQR`B7
zUd560av<riaOB3+qP|6Y)OdbRAX?kFBCyYWjF9wY2Ca^_GoHP-9lk4ENN8GPwSV9|
zQSA82PYixBkBT|FoUl!R)p`?I_8mNlAPqP$*LtAQW6eK-C`*_;iI7MP-`q{uAXs4;
zTJgTTby}`PjXMkf-eL4SeYrdQsjG}=OP4RhHv4;K?W#g64lWmir2S<a@R~Mz9pRZ9
z(5+Z&3d{6_F6ED!rvHuY&=$=dk=k^E@*C;53T?dM?&|1!o~!J2gLFt+j~nkM0YjI_
zX@0xCfB=H<?y7irxD3KLql>cLMjwuZ-7mnolQgueiS$^e4W(*>)&Uf0GnPbxaiQrV
zpl^aQAJ`{Q)EvW=@2QN>0SOf*{uWPhNaf<2a6(D`ptkIVi+CT}yugW^DJZxmFBzwG
z3D9cAhosZ!pGf&RVI?|*I8!cuy~KN10ow+>RYZlMxRg`t08<%lk!T#=e_r6*0^?CZ
zk0}yAqP{fX#uxb(@pWqClLclcDpu*~6dO8+O5G-<$AV$6=Wa=z)h+HFiHNjS8Ip2d
zXEMERtdza)jT~?YTMlnm4*Wu|s<9DwsV)8EyBAEW`1v=L)e~L`RhisW)-pjbnAO*#
zKV!~m7cSic%(ccBEf&eI(#341@P&J;`9-A~B3lrD#jVTBB&(Xp$Tb+bt+xkCa1nD1
zZ&sXBmMzRW(<fM=aKYJ%9A4R=`_z%n#bPhU5iXkYPgtOCC^2=PpydYUi!_TCNz@4R
z`CxrO@?`FpG>u^)RQ)ib7JBCg&|CR}p^!WraJl^;uvL(f>mPQL#MucD3g~s^f#Iki
zhjg9u+koo7+_|zAcaBb)^-r~L%!zvcqCJsGlt`;3G=v@0xyfEEji$!?CoDplNX<r5
z=}c2^?cXlrGDEKS*N;d^iTj_C2a`Ye(tq0jV<$=^?Vo>QhF9h~2x<<Y^&sbJgi~IN
z`c}t~bufo$lSpO$%cDq*Y6#^0X!=(9dFtEfiHZcNmB5st=|-Q*4}gr?zlJ<uyl7~d
zal54b1AzW5JYnM>pCVXj{}rT({+FZif9o7Ep8(e)BZrWc`1tw%{HTBT&sJ@cprQ{M
z)td)lo~;Z2cwuD-)3%4~e~5dLzo$=w8O6p`Dq;N(8I69N{1@MZ1QYmHP4<qBTfp&y
zKg~O285tVwUYb$Szfq16;o56-O(Puq`T}n835b&ZS5Cf-4Dcz*@-a`GjN+%6l9$&i
zOVEFRPjors4jz`<GtsIc)Cf;J0sH(Fe*}X=4zd+&rbD&1OVzxGU<RVy*ZWQ7(1<^7
z)t!<*u{=`5$t)f^R#w)j$FbB8<5M{TY7~^<p?quoFWwx<e@QzcLhHW*OaGsA{<l%r
z*0O?cY$to#p(Tl4t>kmW-|&RPe^T%;6&{@az4QOKn)n~j<A0*a&JFw!vc4Mu&-P;C
z;?Ayf$5fQp`K`{oa43YF`QYNbU{wY;1f%p4YaNo1q7Pxlms0}3Eg;a*{XJOeX;@hk
zz@%l1HHLq`Qzk-GoFv2C+}|Iz9p?Utv|K}6-Q1Y2wK`wrzMZW!WP|f@VW}_~i{;be
z5^3azc-N2J>P?4HKl4zbaR6A$R0^QDS6>~^K(|YVdL15<U&~1KJvws0felmqu!RCa
zr@s$Q@N2u<aX+{~Z@FGu{X&5Z;&QvYZ6(6}P%KgTr|)12V8QujhxM^A6rwVnrW5};
zFw=)pBqohao^TiJH=)cwzvT+~zE`hE{%@yr*&F#NDhiRq?_ST3Eeq+qAkn7BY_nJ?
z>*VCbAW5D0WV2B5hoPi#j@@!<0(|a~Y(7^8>Dwa)&1zz$(zz2>QkfI~|M2fq{<p{a
zpL9(Be|FNS^Ko}cI(tF`B3?}!+P1$jbMPUhe%JUR+<E`%0_r@GyY?}CYgIG3v>+~T
z75QU75_><v7DOsja!kE*pgu*iE;&+&;P=w6mQ1f2tZ4}v1=}CiU$d5_b<lt(k7uUR
zhvo0yh$_6ZqHU*abw0+1_pG#>41?B-Vs#F2*jlZ2=W}sKxyfURlU6vrWd_Vm^As4l
zoyMlb5;wUV%cexgn6y>97)^@d!c<e6-Jsr)JY{j<)i~cYBV}3o_|+c{^*G6n2^l0w
zO|H%qT6|>3cdneP3#HhvVDrm^j)`&0B$E@hoqibH?HuS%L3*HP$Q6mt-do#0UE>y#
zN&5-E=_mPKyBV=5t1(}3oF97%Uy~KHE9<2zfWkGvV9GJeqZYX3Jf+t<7Q3p1?CHq<
z@Q_Fs_(@K)S}E9K`cff@-7I<=b-wQSgWMASsNtu{MdbT2zu&`B8}uo?(e2)u2$NAi
zJ+1L+Asny+eT6#0MLd=!9Zwvl_hyq*_b%!}oO-)X-g(pzNz}pEF_^rH$}NJ(!n2LW
zSJH}yhv#@ph$v+}FnVrFtzK*R4iui+V~|N6k6(~;?_gRd=2P2_yB{<Pmn_F`D0@f=
z<o$EdtP>Mm>SDI_zfA%CW#)Lh1s#YH_8Nq{9^G!Wv!^&-u7{BPmW*g#qa*@xIA(>U
zfEb1YZQyv0EUg8;?_t20E--dG4SLBb<9>Rl(>rCRrv~%sKF?17h9gNhFspL^*Ugk>
z-i=MpS}UEcsPS3WGlF9`M_4gDpfGZ{Zvly?)n^+!9P|)NGuLe<vsmBgy^AD;Vkcps
zFS2v~lzZIy`a(WbBQkkz6(_L0)aG}`pEgZu4lFUucwU!AW>|>aPU_hnWDp*>#UF@S
z?rWsi#pf)v`8tKM^le2!+dt<>%qO9ljuJ|4j0QzUvz9;{55}p^1*===XaE^$yCZVd
z`*@Cl|BIwVrH3n7Ql2A#aqiyrH7{nMHmR?MDPEIaoTA6h%*hiY;2f$n?#%KzHRr{D
z;fpnYYb#X{4`DUMQMBa5iDsl(c^Rt6$V8gX&03LA$U1@YhRf$F)v*2mZCT5X$)*{s
zmnKsxu&bYHjni3gZ8Y06*JPpoKD}ql-^N_M%3IID?k)QOWz%AEa75S;`Ti`qaxMf;
zIk_Oh(1YE(W4qHkv|;$JLCB16e2Hv7b9`_?XwJLo=cnqI_Lx5P+2L9b=&Z?JH$Glo
zS9V*GGC6?TRqVv*27%fNx`WBG9exSpFL=pC2jy8x-R>vB`*s05)1!kCciMD%4j$*9
zIG*E*fQB8CD#@<*>+K@Y(KPv%R5!$@C2+Odok+Fcs#I|hPltFXXA6=z`$j&e;dP{$
zzWA<2_VyLHpYk17hy^rp;bGJ%4Sb~auo-bhQr_l-1Vq2Y8kir2zginkqSYLwB8UJM
z^M<dkp5IKj4UN;|l9))AqlCLpGk(&OAq3nUDNXH8Tr5OfaKvL8Lxl;n*>?5L#BUbK
zPx^UnrdbNK)jQH}26BcdTL5<|#z!AF!+sVj!ilA#6)6bnj*28^`#wH}-fR1^u~Urb
z?4r;rJqBrnnvR*}=&e0b)wub@Y6q_OyL*#}=e>QUTM85%w7PG|dBGWXv48fM%F7-e
zC<a*1a9?D)LpV4Z|N5;jk<MM8$`E=FTF;JYXmhr41dGnMPXn1?g<<G8PSFvASAc<D
zS!G<2h2j1wX6!0%kNbI;)ACvp&uGh_3|>U(sQh_{Qz2Yw_MJeeJkBu3$;lDFYa$1m
z=MXqpK!3q4&~qgB7KrJh>v7_bJ<x1Ubxf)zhPsszJ$4?>9(Y42?3fKrWW=w`>ewrK
zkS!~BTNvCkbhj6({RyG%16DkW-bAyy;arP`8`$-pGeMKZVKpSh9pfk;zys~%yx($v
z^xCsd7)ym4r{9oKcaBSIWEK!LeTW=SLjhl#)O3BLpv{^6ivXpU`X%1kuW3gI`6g?b
z%r{YL#cr#;H&GUemuPx!*Wwb}g2XLoGTf(We6V4Wzo~^TQHxeHc=J0TKSj^!%eQXC
zU`s#6ablbGq*QPuofEL{bm>Uy&_Y+m4PMz22i#2vgQXo}>?j>t)y_f*CWusX9-5!H
z+0_qjwbi_j>t^Sz?-9jCj-?3h2P`=b+PpiTe-bixK%DKJ@_xya=A_W<WX9b{J`>6y
zs7dPsKmaaAQ$A1-tJqt{P@-P!s?39&SvJ$*+IBqUj}1Cm$oyy0(l(w#*ph~C{8rM_
zT)pPEj%l^)j4^RJBUhw%Za6^<j3qAv2z2-vCv%0FL@hhsI>mQ)5|{vY7g81vg2AaQ
z+GUrS-{Tpbnp`DIqSRI32)Qg3G4b+^<!3r}I0q2yXlbP$^(Vb>sZT%V(bsx-dn+_w
zZ{0L7`$jipH?L1qM$Q1K9aK~z4*0;37c!|-TEB*JS@wb59jD$FCSkG+iIw`My*ZX&
ziF6<7JmD(3UZLmY3=8Jf-063JY;2gAFN5rV*&Coe*NA-KEiPT`1(xF+`q5&bI-a!H
zi!BmBW}|KP?j8Gj?Z4L72`BSRvsjE3s^~3`%(jv!vNK0nMu*RD<jPQn04?0o4%6M&
zBCT81il(V)Z|N&TE-3PS*<`UMe%L+)JZ+31<!md3!nu!t@|$LzL+ZUxeBEsIGWz*A
zw!tw5X?`*noN|R-QZm-vc=@Z7lv^E9+fEc{s_J-6@ooY0jk*{CoUn_SrOBY(-#Xpi
z<@7kO4O{2ivQKBQ<+Fuko3EsDCX8XA*wqW^P4gww436xCC8S*oeEbdj40j>ER8MEC
z&+dXKEQJ1nv<I(#&v-uOExV~bWVTe8YI2x<**P5|C5ho*H0L6-d6K?Y{>-7`KD#h5
z8~c=S?Y??-GLpCK%vM5W?Gj**9++NSX1E0Gi5B%6H_tVf8=qKSL;M+NPb}UN63&`m
zOVq3|neO#VVZQAH+WSLDT$W!XD+<IsQEma>O0=0?R6R&6N54*nWI=dbyL+Wry3h!c
zQpv05o-b-4cnf+ZGs#DmDfHHvVt!A{qiWk^aFyU4naLMYY*_7$F<NS*x9cQX#bj0j
zafa?|D%L*E){m<_v=U!+SN~P5fzFAF76DeXb8|g>v$7{rjvl)xV6cY>Q)D4L<8^O`
zKYIj*PzO6mX3u;owE?BZlZ9|M$#yAJmh&b%xwmSW{#uIFSEMGj)z~{*I{jB2s(%2#
z<kJp{^?DQRpsV>nz^Pz(OSKVbBL0ZoQaB5@YJWUTd-tbv49X@Q|7@MjUHYLrqf{F*
z0@}juJyZL_#ZV<yM)^zy67;y`urpJ78^`da>I@+&i|+8qF9NJ?69@nb&nf|~g8tB<
z;;$Vn{Y#!;gmhnIz~niop2qz#IW>EjZ`8c$+jk2zpZUu{2)!0StJ@R#s(32<-FY7V
zy(AZ$LMFg+^5x>u5P`~UAI{;~{ks8zFXdQDQmJo?iHZ?~D{al*F8^fYv0YoY4Y;;V
zrWtTKyt(a-{^MBAYNF2sW7dPe<2;q9E;FI9Hho4or+oftmUhps$6hd%t_LA^4epJ=
zc_Pyp4gXx}#-W|AGwhsm0$E=9(D9eN%f4}CH5$$9-wB88iZL;<M~{^vkfw1vf`ZYq
zKf+XBNAWXH_|e#G#~jx<`z|))E@IhDU^1^rOPIjZ8)l$V-1L$BlH(n^!`Ba%^4+;?
zAq-cf6r!YVa$|$+2b1~}uP+=PQfc}f;O*%?a=2$Toz*1jltfp)xmQa5^utfV8*t#y
z*>>R_+_Z>nN$F6%bKebi_m9MVtgsJ(DZf4pv3YE1{$A!!Msx-pu8iF5kxTijFlW5U
z0<_rd$Q$A<OIAFIGB#UO=3^U2vy|_P<$grQkg&z`*xXWo>R29;+aG3c_~674Ew(!I
zAu~l!moMk>5K*=6g{JvJ_F!L4tDf|bI&DGfBJA~XZ^L!KIkzea{^!l@XpGGg@^h4t
z@DFe4U&P%RDSb<q<(olc7m-YwNgHk>BEgQhN)(r39Q<a{2WD(6SL4aB*=#S~<@ZTu
zaMhB7IqZkcMYM-Mp@~73DmM43$t?EPa&b4n9$q&N2GW+q&rIJlFR(2cMe~5e7;E|P
z9B7+Eo!;p*WS-QQ4GMcTpTnPSZPb29xmO5%iZtmqkoAf<k&GqHp$Dzgow;XQfQm$=
zIK8=lY0?mPK&LnJ5o7U0xt}O0vS5Dl&HJ^A6}dVoB3wErFXB9g5GKu*n<w~%lr6T2
z);jSba)A9H_Jcxzr@Y`H_vLTLi7kXAuNLDeEtZQgPw!v%j!N4w{+cTz8XS(40`acS
z9-G2b9c$(5^*Esy9e9n~t6uMuN`$89H-|^E%IvAJG~a8^Y8E?3gVWQhW=Obn;Z_Kn
zz8g2oDm>Y;gp(vteY#(!rOCCK+MnFyum{PucP89lc$!VfGv#!rM?dn<b}S<|uccYh
zf^8*vZI~}~>?Ad3%%AqscJUplFLzK4T!4Jbt)m*l$)3j<s>vjQas^LioTth7zIw31
zx*UhcvMTMHTa;zqO$Si_{mldv?VAgN?r7SP`nW)DpS;d?JNj5?*%{z+Ot#u8%SQ`4
zUYgm(a%t7Oyst`Bx&(Bgyzue$(QAlXj7mXaSUt``XJSAxI^!LF7@c<X=OUe0o%!me
zbc@Lo6$agYX4VUw_SvrM!_KZN?zDi6ftR`Sqol(P*9&f<Qn=b-$S`TxcDJes0rcDm
zmp}8FiK&6s6cLHA(W^REOw8wJBiiq|6RA&Cur!k39RPfiv5~91bgJGXy+Hv#imrR1
z<**NSgfs^Ul|D^7>ML*Vt{5#mk@oA0jH5)Y?O;vz(Rzv>xIQGoig%&^{XF7(i{`J5
zWI}m&KNUOtb56Hun<unKvX`H==OE4VO5C>{@rCTU!=F)$Mo5(TCuSrS41H3>SQ@|g
zN79e>_(jPb>}D65bB(M#i9c!P0J5?ySbdj>kgK-fT6x=jxWesHybC;1%aD9b#`dLF
z9J<Q5O(1MbCU%^F9j5Sj(uWGh>gjaqz8<BW)tqQ~5l$fQg~iLuUaIO2z@@j~>0Df!
zvzxflePBv{u%Q~=7c|((h}BQP7U+xIH`F|O`sv*7aIdtECHLVyY%E6HA}rcNCsopI
znC_wq9N9?l+_ihXaH$HQ?3PZK8?Dte{Fe>eMuuF9fXL9U_c=a`#z!TFZO;B&NfxAq
zhrN`ZA~HSQne+{4y92!)KA!w|%3>c(z*|vj+BhnOi}f5Js53S)cCBidb+=0H=+iww
zIzDlbz1dC(0hxzw(n^>aZ)(*zTckVOJvzY13iv>?r!o5QInbc|XtE8qt6a4U2^g29
zJOY~G<YbCUqT&cJTH#`0XmJ$(U%h>GP+Q&GZLv~{mEztOE5)5cfVZ?j@fIlV5}>#{
z6e#Xe+=^42;O-%K2@WA>aCgm3``+Koojdo=-1%m{yZ<_q$xP1Kd!Hw3KhIk0sb*Z%
zNwNL0wOGPmF#=7kz8pQU)y>F|$js4U+8%FuY70CQWhogd%3l{BWz|;K@!gr>3Wj-n
z<5;Nt;4(orIG-cIEkBu80rxXNhOs7>8)Dz^j}GiBs;1QMW*uN<-abjW5nZ9A8gEfG
z(zBqG&RRmYgKU<XyA&f9_NcZekU|6=S1uK$MdfP1*!F*Dn>+ZDusY}wch`B=Iy?z>
zA?HO_&|f5woiHL7?_r&yIg%qfn>XsYr@cOlkux_oS7OkFB5yqIo;iLqDmTCV6kUD6
zpz9(%L(_bt7}qP7?Fg1Xu|9Lx`k|KLo-DI3$ln~2oO)uSak6_o_FmTD<txZby)WXr
z4{Rnk;{Kaisopm#I$wVbhQ-)9d<ERU>S3-}wZ8*LpwaAIRRIooE<VvBv!>U8j>jnE
zeS~<L@dduJpdrWTfafkG=dveBx?l^$wBCR#jq1syh>B6j^o=^dA=a6)R7qBT2l35N
zttoSL+#HF5IXgZqUJqQ-^hjzpy$k@j?5duOPB9niN-Jq!+A0#v=%W|fHkLvV`y8sN
z?a(m0Qt{fRO6<K!Km$|3tP_G+W|BOJ(l=nue05-OAFBkOC)DO8bGoe`gD%?&sWl%9
zJCr#7kg+@~Yqp{8IJB<ZCr#_V-S%4nf3eg5l>BYeJ$buVDTf(op6Agi0u9(U9xkMz
zAEp7ekgg{?v(6-@UY-@rWbJ?-mz!jntR()!+1!~_P6^Z5_~-~-LIKYKn8GNBM^rSu
z-K$|t9Yh*l`rCME99lP(2|R%}B(lu)dsFV)w{Ul(Nw~ERb#Gd%OBpT!v-|dC8S>go
zoazqc*ptySK;}`cr`cCbh_FA39_}f(@Ct6z=h_joqi&yS8LvyT!z1?;_4swo+@o5j
zLz6KTBk058*gE+S;vSG92N`D`)Nd5iv-0UI1r-vVtgKC*qHjKEVOsMR3;q(5+JCmd
zHX*Ag&cw7X3}zYo*i@5-N>mvdFC*yYyu7aZe_)1~75WAaUY;jrrZ}2?T}&syLcaoD
zkf{5pB@|6yEHb(eDiEYSv{FoUEr{vJ6*%dr#J3q*$`$fmt%c)6i&-!EVm$4gFl*N_
z)2FyJIfGV=<?ioI(I`sN*$nB#8&lfc`F3GNw^=Vb;)9A~o)=&T#YHb}WUpSIDF1Fj
zIzATg3;w;(&CNi->oCjsc+xMb+u;Ffo?|pdK$0So)-#$noK_oeRF@V<WKWwtl=x$Y
zyLxS=P{tJBExw@l0?)c0+3yD4R&WQ~6A>ZBI$bV1^;oXov#xf!d!D5Y{Cq;Z=V5Vb
z^9W<eN+B!+B@l@-1rEi=yczNQRG>w;^hkGx00cb2ZoP4RWZ>!(9p92X&SuPl>vxqE
zE7~t{UaS}X4r3>d$&q8-5)ezoI`_VAm!>qNuBZpRdt@yVp0j;loWYt}aZuk{yFVY>
z;5A~RJ#N1vaB2*WOx-&x9-1{jF=3eYHz02EHr)eSE4C?;b0*^i$E~NIU(sxed#uH2
zGrJh{4M2Ve%GguUU2Tkn;bV&iPTNm|MDTxs?>IjO3~qeM)Q1gnyUuzuBYERl7R<UD
zn=>G%O2&zvAxi>zE&d;aP|Kp<%u=i~6`{puYuwCvx;yqx*Qc2@wJaQb>aZieGBVk@
zn*yXL_0=BiBcKhlHT>4tXuHJNy^y|6IVpdzk<^0I)8UcDgz}l|v~;wRf40kcS!56R
z`bezQrAWSn2XA3xc`rbg{koNv7SwcQg;1M@@pkEl5{T`@>)N%TmZFu{theWz4$u@k
zXj3mX7Gc?-lzr2n`d%lg%=EL$!%<Ux7NKbCXw4^bimXIm7b*$o!Q@``$depZv+p0D
zg3Q=I+-tCKuWaPbR#q4tr<Kk=ZI?b0JA{T*?k9U5=D$_0ISOj#zqi1~GPq5JZ(b_5
zf2Vnb0Z)QiAczOME#;d?+QTS8NJgJE&f50Mw@!}icCjx_Jn?jOo9%h})38tHwMLh?
zd3eoVI`P5>KDcG9q53bsdEC%YZ8|5bOZTH#OMq55rV4oe()tJ0Cl<63xG`5UwOR9d
zZW@@$Hx-c0S17xc%gWxq+(j(bqN=2I*)uet7-7B}*Y(Jr=mv^RaqsMAUXylBt1XxB
zFLvkTqU@W^40F%f5a}jVCeQzLo)xLtn9N26e?z8Jkv%ttXfv1Hio0aj%ZmRz;-aw0
z#Hky$X(eI1u{EFfChKvEhB`M&pQZp-LIu;!dK_Cb5$O4`>E4C_R{f@Wqi|4eJGCB5
zL-oD0q*9H2eZ|7_DR_v#TUZUr^yOYppGz=Sr898-f;wgPsN@s}BwiZRhoSrN4N6E5
zueRdHef;ABFz3rJ`pP&BqQsmXNl_RPx)AN&CXsABj9canqReF0&zTN2xIRBEyejCF
zf*pCpSCl*1Z_HqoY2Fj##$1n=Svl2!PrKu*Ht=hbO22i$y4rK5GD0utz>LlwFQ^%;
zO-t{DrHHi=B!E#_n8u}({So+*!mm>n(cfmVY1f0N_kLXIwSFb1+m~gQYTbHt+AWwc
zv5@*0@OKypb5tKvhljrntB&R5CKL!<+{d0MH=Mlfnt4xgG10Imuh2t~%-1EWS9@H$
zD+Bh9bCCsJ2}+Ag1aQm{*F@{=(ZSLi{KSSz;4FOW*GB9T*+9=-g)cLHK7n!`-bWDC
z_^%_u)y(g1DKpHKotSrWs0Hb3`fpiFqPl54KXJ980V%AK%Mhy-Sa+>(v|yGmEiOM5
zYSdYnkr#V?JE~(6JAkO!&NE8C{uV;~(>vq-v3t=IWZy^S%tDvYjRGQBCtJ|rLd99C
zFG+}{;n*!ZT#^1CN`VCr#;xl#fb%eQdg{?Mb(!37&|Ffc2p3_l)B|Qd@xh!ut^R2E
z23zCjny07mN=V!L^(FE8Z(}U`ohw?Y%~K%FtE@c8-1YtT@p(3hhYyw$wtDn0t?+kO
zZy)CU!gaP!Rcbz7+%CP3*7MwPu?ay=rbgay^MQSIP8HW~;oM3U8?e%|e7mXY*18K5
z{i|OhAcN9gzaL0uje4K=l|tkWb8YO0?Tbeph~Q%mlW@At{DV@_M$YQ}kmPM{dnOIO
zDWggA%mJIusn{2S((8p*_wjCi$1HWa(gfO<mLoY#PAQ_6=vh{_@%P)}fXqbg2T`VN
znnaQxKk4WrcZPG#3y&M1eFZr}mP=w75q^78C1=MvL2GAUr7wKb4dPAgH}UX2{M@a4
z4{nIf^_Y#)gC~CZFq4gK$rLndqo>Zy@>Ga&!1a5~$PI_yL6t+Gf+4?(auX`7Der7`
z&0BD2(tFc;M5=Z`+Q+3Me3eHF4a9SZN8I*Y8WAkd$DJVqu;463xN%=bgsxWGcUCD^
z5FAZ9*wgv&6ZahbW9Hinz^{oGH>UnJP^u14SVy{jSVIwmQj;^9K<^a+-+ckv@LTfh
z$+@gb;>y}D*iM9m32Ys0??V~_8n@7UO4%{c+t;)t#Fl*3P=(%*Xb&f$Q<+1h#qNvl
zlyYolcGiZCJa7t6neAe7YR`^}Gtee&vQpu<E~P_6V>jfU`r76CkftRy^CsJ8XozX`
zw6?Ra#EgN`oz;t-Tvzlutqt-`x@omKGBcn&WV{k#)b8mfScK;{2zzRJwcKf;zN-wK
zG01ln#Mq1rbM~<27X9VZ=RbvGr+@gRjg2-u((I}~f@JHG;e6F2FROS1CO6@CLQ&7}
z;opRjoimVs!~aVi&tOa^V~)Ceu<o|W;<V^oh>t?$`p<6QGzq8K{E$TYh`dO{w@*|k
zPeg$)bFtO_`@WTW&BM``NSZniHw4Yi4@d0oxkla;D^%7oXHZO$BjKlRD%EA7iT`%w
z^&YV`(Y1TKMuLTi`z_bO_lyPL^RaibvX9%#+l{7|eE`=GU`1-fTR<t7@}6#gPR!Cu
z5ZMNV4yH<SO163N(BEyjMsW{&b)n~g%ABXuE939UZhVmNsE#XIb5pqXp)c=%4RJsr
zC7o!Kzgoln={v^Qlr@;aJ{(cBx{Gz8b`libq1njwW*my8L{A4^VlT2u(F`7LN0;Tm
z2l%tI--5PjLMJ&pWdGp;%soiq?quD5uM9rVRccR37z!OPAEvl@UKw*s9D+0JcyhKY
z_FNFJDDDSPY$4uji7*2|KQM5}wbB_pmH@L%7sYCS5%1$=o9KHke>3uRU{lm?rMWh^
zfl3fDsR2J31#Jv?!rSfb9l!u-Joijw`P(QcX3v3g5m(4>VH4g&Wx6L72~O@mPm}kW
zEdw}k&n40!EOmUlKZh7lwfB#__H2_u+d6E=!<Qy0%@!QHh)A=pANC3{c&1|-8Bh0@
z%w{7h$B%j7?hnwWC$MLoGt|cE;7qypHjn-2d;r1>P@Htgq+jkD87M=W65Ydo55$zu
z)7vLDJ-i0gfnW~i_U3lgI4k;bqnU%pedD{ehq_`bv@A^a9x=IMDNO|c4jDg4Z;+Ly
zh(IVC0b$J*X`V_l;np1T%e=+_mCuMYU@+wl{Px%ki+od(nU|MwN24dW#f|Jv4)AW~
zvgPPxh_-l@nl#9S<(<{&idH$=@AKoNbw>~NB8|%$@7opn#zE&ijau5)dvdq#F`MUp
z1agDCyq|q$d6NnbKeSwG*uUxSt7~)esN4sL52`1=QC2Hd>smBD=52Dg2K+RS0ok1b
zFEZNvci~AZkC(90dEM{a9}5j9)KU{Oh$>1~n)=T`op0dGoJ|V0G`hVqv}C7RNs?-w
zt<RZo*BKL90;_OYuB>jQ1(B3;?rQA8V$@#@vit8=lvhfLImz_ZJlq7=E`$(GO)`!9
z&E3(E%1>O&dQa6WWY5EySl5%I6t)4&7cQKcV*Li9f>o|Cy3u<O$R@S;?uNe~kj~eI
zT-e^d%z3{O7Aaz%1^W4ogS^~}pQS)LLhfSUthh_&)NlDiLi;el8Q0w63369A&H-cS
za~_Z>d~-<J6LojvCVLCb(QvoyD9;!gJU59n-|EoAc}DLJ2*#jC=%Ht8X9ls7LMK8s
zQ5Ve2yB_tua<E)YMttuJ<vBF#aq26abrc(cPSkaHhnw+-ZsyeV@RCSptF_Au)~(O4
zO|%Qwh$ZBc*m=?gtjG?pMO}7GA7f%NLZ>qk*NST+$-4+4C}qmC>=>iM(@L9*2f#SM
zT`cK~jI|(kvU7xP|A2+7wmlo&@%MDFhBwf)EEeV*qYMa6Pc8TMI)!e4M~+PA8Pp?o
z$+(1tXUnuezzM-sVXMb62SD}F10dD02qF#)6ZOM5J^uzn2+Z7<M$QTkup@$T1fdOM
zH5AbyJ&SK^yF0+s`c>IY2;kYvrL@bkZ5zXYbgjF6Md0_og_Z<9=ge!DnQ)+b3sH>I
zBoO#!YLuq^<U`qRV#`#S78H+wAlg+MF`POwl$>xmcmluvZaFj!#fuyxmvfK3Hm1`7
zApMMy?sX}~`f}6HnJR0{hSEgc4r)arvExzRh>SplSpd4w=i2!qLOXNb7)i=C<HgVL
z=df5ub)}hOSriWPD&sOyzg+Io>o_^>F2F2b=s&o}e(Uh?#z^Q@l}7;!$WH$$39D=$
zxKy=BRz7WtT@pcJ$#C$lUD}SvWP#0_swOm>jML=2P-6CW#$i;CU@d7V5HA%JSM-tf
z4M0D+D9cu6cRmPGJj3w3KPxcpzNo6{Q0A`PT|7eLp}&9M>#h48-X>Rw!;q1&(<QT0
zea00jyL77DRPn8;)jU5Z`F$z=F`T=g<sxVP2<^^wNa<J!R-BdlC6E;)rgO2=D&m3*
zgB$cMQsQdXyJCo5(63Ael`c9ruVnI2`v!%pUR2NXTTc1AM#(MbxxM*7Cl_qlFIZeT
zaDTEnrfhG|{qXRBqQbE5_tOtw0dcQy&kCiDAKxkB(gpGM_j4a8eW$O5)1R*;Jo5MV
zkE9lgW|B|pwR%92kDz5*d?GG8iQREwq<B3q>UCOUW1l@Hq*M4qE0Jc3Z${Bd`i@q5
zO0+--AE>vtx3KFTMJgXljma0;D#wjMqG!+knX54?C)n`MLrJW|w3?qfdzJ=Fea<hF
z`5DR6B!m_`05>UbQYzR+-rau|7bk4SZVHleRMcpb8m9ZcmbcBLoSbNOemr&TxAliP
z=AqW-{4!=2-R|7EI%|sKwaTqqQ~DJ6eaEhMUHlYS1C0Ec|Ch0{dic)PC{6{sArZ5B
ztjq>=St@L;b$^gg``0pIm8-nI>Jx6%`f)KGvQ}I#UPfCCx#3^rEB%KhgBpLhVE<nA
z{@;i%8*wWl{NYqtS(En&Vb0RPu#j4^%D*yO#*BDJS%DdJ?KK+;3O8?SL7`UO8<iYg
zF_Ct$IK`i%#Z3%X_anKDFg`y8`Y{m$r$ww$7`-Z_r?YhX!zg@;r~q<Z_wLRpDc4s|
z!kVYoghJ5T7FCY=lE|WcX>NUFNptyQU6A@QDHz6GwYfJqrm_0Earc$q@Iy-b2wjmy
zg@Sui%UbI1<N#8t39|uANhMe`@TcZ#-R*C;xpPfH3Z;SFAco6KHyxm!@?v|WFY?3b
z@z(*jqRHK&KM(NH*y1C<teK$W<leg&s&<M;g$X(uN;T&DsNA>i&{%|P&H5#mW$c{N
zfwtHdInj*)N41B)BA@xuZ2>y}_CmmOI%N4&`9~>Us!O|l38U|2i=8$dwv%i|F>mQQ
zoxeLARN}K6Jm6Pij+#&P!c$;%FOZz1_2D>Z*bej76h9+Uu1>YIUB+ac(}lRoO|C%u
zSKM28qj(Ph^#;;&T+^Ple#?t89Z1HQI?w4XJ%zBz%WMIN2UxX+VpU+#9+YX+HEHI(
zl+Pjl+vW_&jph_%)Yv4|mzd~d*>f2d?Oc{7Hh&_;`6<$o(l`x81VfE#6nnB{_}@ZC
zprc#1cl4UVSDjSx2$rLf)yon%6C0Lxdk<23i6_R1yvH|v<Zxzi-0aGt*|gnnfAkhf
z!s^Y(7FfBW+JW{1wnjwAtRY0W2Dy2!b%fwf5*G_YP`*O?8bL69MNEpk50^|+F2vYa
zMi3S=z9g*;u&`5Z30KPzuXh>)3yvgw;10QS8aL~{*8VKZdyk7gNaW6Jl%!75iR4S2
zy<;k^k~>XcJ(iN$XAA1)jYf$t?e&f#r(>k~#@F)JFk-F#-n}8K&$ldN34s(Y@Q1&g
zr?~YT#O{fq{g6xo%g~x_uoL1e$kZ=nzFIU?z#LGrR3)->tlj+rYEpSDm*<?a`ChYy
z?bXRx1@Um|5pME6sRi8c8SO7G2djJ2!o#*phi{M#Ci;`58eDgE-()O4?8VGj3<^qC
z*uEFS_l#uY&Bn@f3ELg?2>{`)C<mCzkQ7qqwRwQtUM6^i6+p?IcnpZC$eeyk|4URQ
zL=nJGzBTq4+!Cx+nH5=UN$fdr#XjPUuFxNOsbfYpIr`j*Z|~N9ZEY>cXlcEFWZ-PN
z$&ZTI57nh&N(rD-^GMmP?7awBsZeQY0A?3#U?$c1YBVmY2>UY6I8qsXk@ej3#e#;?
zYF!$#mrTC35MxkWakskxCrdEB=MsR+{hpl1XZy?3I!hU>SF3s|f2XV(<**^^vO<nT
zjCTdn0Ni5(v604?2!qrceNoS738@DHgCpBKXGqICzQnqBeuhcKGI|}D87D+uvsD{U
z3%!WsNE|S1L6#FF51}7rV76l_oxs@JZCk+h+Un787-kTxX-{0xju0aTY^f>ggieRq
zOIx|E9yXdOw>A&Rq;#7aZxMd$C-SaAZsMmC>7v3^!e5gBz!u7>;Ehuiau<>KT01dU
zDng~!!eLN+DTOZk@!I{_N1!(>>kgu$NMQ7`Z1LH<tmbo8%53tyOrf{P%{ToQ+k?e0
zPDk;3-u=_L7wn-pd<3h*i{EW+98EAHtw*+(c(F55$MQQPkOJgxL5>%#xC~DECqTJR
za&$57u-8-7xL>SWQi-b0J8tY}h!9GI{hzD(G6xxFsFw*`y*24BDZC8ain_-$f1iEg
z`ulDj|7=fZ{4obX?mdyNAEH11FwpC<`?Tnya&xo9?lb6$eJQ0bR+;*Sxy<z~*$TDB
zbDE^o8~itGzVON7{L>x_GX7T9Sz|^%u-JQop7py`oM8$4cD?4`fCY))X8E5R%m+k$
z*gF(5z$LC@E9Mw@)UMRaj{S?*y1A=Srd*3z6?NjvQ(Dj`*GCRJ9{x^9c632XHR`FX
zT-Vuz&VA{zV7qfp=W;UWaaBT5T4mM&s<mNgC?kriCTsRsynyOABGt?5^x!>GBW<Ei
z4qN(yLZQ4(VuD}Q(R!?FG)Exgyi6%@=eIyaLmcS9381l=y)uA@*CM(NLgYD*^z*;Y
zCMJ9|<A6}m95iEKv#}yyUF-_XxHTtjvQm+_bW_mc3;Pz>MyWPTP_MfVF#`jf6B#xY
z2Z-S^cn*EH%CjDp3w1B;F4MrZIV+P^h`wk_zPats$<<@)U}<NQY?k0CKomBwWZS<M
z68TSH=0g}gNu_UTcg&3ukuTKuLUSz3Q+C3LJ3YP&loA@1o}s(cNGDS)41BqiT8d%V
zzAFk8g1Q8H_zdxI%{SF^n+?+AUFGv0*fJGs&taRunaQ}sMo!yKdv(+IM0(oqUBi=3
z`Zz}2kw(i4HPj>C=vu-ytjSb2JSG>}`F4Pm>8AM7DE~i`7@E&tC-MXPBc_lovt7&z
zaEmIyRr1)=1(Lo6x)-EoQCcAkp*Fkm24^%mrFtEjPm}@>8|!1=WWO(BepC*uusH?=
z9q*d=XrkB`N;5PxcR$JN21$ReX!xyu{HGOl!gIFC3}oxzH0;~S)^r~Z0qUhE=>1VK
zp#H+rex^Bk80x}#k{sA7P==s6>T~OF1uBCut9f1t>Fp*f+(GEbdV5nt?9D8?t=`{G
za4Pf9)o2lJa`A1QL1~ydk>5Sb`4ZZ@M7`&~zJzTe|0x1erU?5`l;gsGGs0ZLY$Vzh
zz%xk>bEsSdKqry<B|YPdrL)Q1c>-h!ALY3bF#5J0k=~z5tRwetJV7-uku~E~s=Nz#
zvwfIxNZD>w+Ugp)Yc?ikVK^B-x&2vtA{)K4WG`5OhtMv(;V)i|8*oX<FgRn7$P8XY
zb%vYUdhYm$fttf$FBExar^SD4K3cz{q@*J*qO3bGr!&TFy8U`SF-xu_&BdeDf}qtl
z6FAoVVw$!!T;``aMT;R|Y(08;2D5+nf6GQpu+*gRI68ct`}kOYkWL=#<$5CEm4FuI
zShD@MkK#vkRJBzNv8p@pK|1*Ew8ej9Bq6dL>-B>5qr(foge3tdrm?W?S=sS4CwFzL
zf2@59`{)iFfXbTvq+YW6z9mGICaF^`)2C-|F2(4}GJ5y&^tLs|gX69p9&;|qCSbvN
zfG1;R^EHu_R<?$PLrM=SF7CFbb~h66fK^I-dut{4)&tV*#S$6=yf&rV(WzqvQyvq<
zE9du*4D3P$p1irfK-5V$#rynAKqnOK;U7uScO?x|f4IBGAt2~S^#(@?7Ctb_85+J=
z>yI*l#4{bIbvSK~@>@+uDrJfk*qa(-^>ByolW{RJe(wszMybv-!as-QS7_IL<?+6<
zM-iz#;QaLT^wG4U(uiTtbFR8XHjU_S-yWez`c^Kl32CMh<#%`wEHG(dBa(8;%DZJt
zeuTFVq<<D()(k}mJ*Vi0h3S4p74Ed!kaQRKY=0u7F&awuB$6w?tiX4XHnX1gz|9z~
ze$dgY^w)|dP8c=olSHcBWE!uMC!o-9Y!{>$`>n<wRNDKBs_PE{|L^7hk*w`mgo3Z@
zM9#;nQvEUX%9@%fQ$ItcBqb#&Bz#*@vWWbY*w|Q#BE2TZpyM^LRmO>0t<?-CN+MzS
z*Y?T-^L%eE0Y!ALK{>aTzK<h8WeT{!B5j)0#?FUJdSC;(uWg>^xgWxw|5ozaEpHIE
zUw+h|$pHBnzB5%yj`ftJ>d*1aC~Zev>p8RE!yP6z_S*kSyLVXYuQr7|FMW@ipg7EN
z(f?<`%6~;B@Ly8K{CE72P$@=i?dH|-S|kMzI;zj_pU01TjXHFF4++uv>wUx+iwY7|
zD2d3?CEU+xdxGiTuS}I{6nUQSsQ+~h!ZH0<&+sSAq3o>kJ|6z3Px61a9^}7Wcmkl&
zHP@UhqR6_~<ELqh&~a1XRrXV6;3A}>ZYSLA@N4U<KnlD_hb64~kULE)+{e<>%)EVm
zhH-fDwV#;jG+v;M<p9Oo8$M9prYd*0-7*b8wv(Q&Y7{~T7dp9fuV?q%O$WjaAXK%!
zW+eW8K}1Ns{nhc}9e3%5rCIT;Itrg&Qa9`0zKbQ?&MeVai5%iXe=%2Y*T~MJ5Ag?r
zx9tZXE@eX?Q)ZlK_d}~LU^NCkkyiY`P`quPhx<};Gi*$5--Wf>?Agpwvl&pW0nVbT
zguDFPv9i^KEHTRVJK+WeZfiQzfuun1xA+wX!r%uud9~a9D_@#pq7is@@Ar3g$5Gp#
zvsR=ko);X;yMf^f*g{;{s{;ldAbX@InPTe4%CL?jpO(AXHKJ^p={piO-?-402db`u
zju`uc$N58Aq2A(`-ce1r34Lozvw(pegJ%X@tIN{<)>&>DERfpPKfC6mf<hcWr}w7)
zY1mn?<rsWO*L%q<t<X~BLP-$rxrxoUH7)>kamtz#&n&v0{Qe2*ai2m7IA?GgNQ4#k
z@GEL;NrGg=TP#hBZKG#>7Ul!;d1smm5JLrRiWoh$X5|*HwAY}f`$>H0`5~Uru<8O?
zO18@z^P5?2o{7{Alq!*2@3L&`gdbEu&TQK^{EnI-7dAc8F_U6Y&uZ#Pks@6fjA#hS
z2qRqd7@+ym(}PI}n%-gnmRW_%SXayKocslr4u1%<3%cNxJH!*grL&b1!r%%1bTkzE
z#`w93xKDI&-^u5iKB2o6#~QmkP~ruf!oKYx-%X2w@G>TYms4;XJY`r&@Mum)^?Jd~
z#a|_ia_|nVjj~~rtRBE|<!bXp6>cpRw77(vI-y!xub541K%cJOiC|vmwyiR8=6cN0
zmiUc%E3WlqdZo@%)x9Z{8ZjjhnO%Pyt%375Hq+^$Lce0m`R$B%^$Bl%0E}{y$8HkG
zCeI%ECF9<UO`fIgec*zh<55yzN6gz22~+eAYq8O}SRq!Um<%C<&3DctcJ`Ln$c2{E
z;$ORWF>7OoZRCyY=rRm(YK|<Q%_q@R)Lw&WMh3SVO}85pqs&z2bNNhgr)F6vOA04y
z_{RZJ(ei2EUCZq4#|p6=y6_htQEE&_EZ*MV8*K``exhNIaNR!_4v`S{?#Mn&_By!C
zy1ijP9J5|}n0NT$w!CURt)fpO`pw|O(m%u!^m{KkLU;HAEOF~qo$DabIQg5>wZ=9l
z%$E=CS3*`Yho8A>5QbPksF{h31dimds6C?g0QSI+p<%P@#xkNs<fx=CoGB+dFK|no
zDQM;pzh@QDEyG9dnDa7B<VAGL!4q&mLWZ4RPX14!zb6Mr+Rv}axzq>Aag*%FEg3w|
zggy0YmS!ZE6=6+lLZ5}BGhdeJ2z8IHuk8qa_ZQQCu6Cb!2oE_XTns3G6B0vao4>ff
ztKs0jjcFT2Ej6)Po?-W+GZdSJ*VB+>w2X8(Yc?k3a|w-e!%i|=43o)?<7KugWT5Vu
z3-~o%W2xx$KB!U1m*UXJDcqPC&p^VPy3S$_lJ$jc&ZVn&+LB!v&r%&pWx<ePq}o5;
z|5fGq+)@1PWUQL)v*%QiSi~Aylp7MetDb+iDmiOn#O1Hq-kq~oy7dH$ZyB3`Q<CPK
zCB*cv>fE^@Rx?L~-&DPimh;#}9j>`SQ59}*S<&=}fLi5Q?d_$FOl$<N(dsKl&JT|8
z+{0OrB^EAXbR*Erpqj-Ci&&&HZX@P&;I^reuSzfD;W<>DriXGef}GbCWaILNKA)Y%
zX^haDpF3pJyigU0PL}6DSm6=v=hGJRhMiw|Pgz4~NbKffPr0Lzta#9PVRYiLZe#qK
z46cLGvY&~Qq#C~B-`zYl)93YNAJ$#(*HZPppNQV)T4!#3@dj0!S6AwoNoeZ$!icbf
zdPpF&vJ^+xD}<gGiyJLW7Z5fC4;#ZFHr5aaN3Z0YuYm@JU@yBkE$eaTtJ2o{e{SX9
zv@d8c^^~Pv)_AVNuXkW1u8In|I+@Bktdv93pO$MJp~Z|@VfYVYTXhDglHl7A7wX`6
z?Y$){RTd3#nHUWtV}=^N{9Af-aT^Qx{8OnPG@>fs5)2#O6eE#l%4O?4W24Kw0ilQV
zGHpS_l}zSzta*NYH_gCpjQR>y%~X-->EugK{tNFvXf2NI(`)j|je)t5mn@p1AE1!K
zlMbrycv(aB9E7UZLl@*dCYxZ{IeY3Z9-heo_4drr1H+(w?19me@0<@V28$lwA|nAA
z!CY+zH2*-;yex?3{kYrq<+VUU35r3S%`i0?6(_pYg~PEG-o0MtCGE9`$Z@nqiTt+_
zo0~H}1_#`1CH5)buu$OOvf+^T4(Cau=Eut1*2NKHJI*&_n;>(jM9OK==Jh(9*;kKl
zMVX-+*{~3tN}zOr%t|<?L6}I$O4%SaO~(FW$R_k4$72=Fr!kq!0hWdl7E%$~rxk=m
zJUmmr4bW;01sm)DfdF+PK|E+zn2A)Qh2ABJ!zK~I##=PDTk*8+tIDr$=fC_z@Qp7y
zut}+yFOl57wG$_aTf45T{C#KgC@i<i0bjC-=$}u^efD}PD&e?`)W?GItQ-Ppft@*>
zX_d-f2p|sPj0V+cxQfkUy|--o%;Hr)h2a0xM=LC3j969U-wjypUH^SWG;-`xRtps5
z<OjLYygn@pxHBv~d0K<Pl$ew_E%DS^{nG(=SD7I)xNom=S5qEmQ+~(tH+xapB4$r?
zM_WCQDek+jcbdz;8W>8usJceV@3~zQ9V`yfILEu%KKZ^(zV}e#4hXfT{>+z1{qW&~
zTfrB@x?3Uk**(R^pDz4ukE2cZs)W0JN*k_~3&GJq+1~}F2OKLMYis3|&kmtgexLt>
zZJpPNLoS^dq&<<3&@u2{<Css}=pydt8y=i?tjEYDBrxRI9Mq;o{L*UZMPE{J#m+8u
z^qTiEEBU34UWC76Y^?5Vaoi*~&2lliy2w{n;9$|z;qmN3lu|1SvI!^nWvm4y2RWXy
z6DVT*S--e!v>y!5xy+tDBl(7=mYBGFP+_8>E@f$nMP3BNo}@o5kE@NS4e$tVW!R*m
zPvQ`=U&AM}Cw0hOmgK-zs}ZuIuS1p0$r(->7`AML?CG?+_hMqE3}}}CkY5c+vAg_F
z6lnU!n+sPB@Zq8<2FtztBl5l(;7vy_hTFG)-}zR5$tHJJ+z}n=Ws?-OOkufpQLpH!
zzH1XH$DWwbB%^Z)is^br=K4OM$ZYGIsP1`{CKJNlWZzLjEL##OP+ie3#{&hBQnbNa
zCQ5H^)DHsAMzqw`rHQf&#hCS93C<2fy)T9-^kMoMU`fgrgxJ6&DGQHJZpzsrh6`uR
z-%U((xm{Z4&fx{tv9QA0e6V(0T-3P>e{&h<(}`2>x;XJun)On9cI$fF^hVJCbbE|<
z8^$ijX?gg>DvJhUCxicLWu+k5m8$XSHQ*YD&T9`xU&r9cWSn5-qQ#D3*51+mw*uLo
zlbRJ<%!X=VO(CH10=s_tVux4(siBfO4Z=Z`;AK&dr{C&p^|@h@PIWg0=IUAAxp*5q
ze~6WCr<A*ki1-*@X>P#%Cw>q)q)#VC%+yHr5zh=uPM6SHk5(Alj|F#RmevS??#poH
zHEG&Jn;UNH>+TuYQ#umf5tD&D9r0)pEb+5#q-fFJu4cfa^WVJQ^O5WOLf~hg#T3(v
z=9;YO4!tqNwC}Qtu!Aukj~vPy-*{0D&!&x<RO@MpzmAK3w>g&{*H1R{385$oUf<51
zrukh_*LFks(&uXE#)aR<f_==dCf$thV1s^a4hKKx1^YmLe(|?%(1x%gcbYSB(kjBk
zO@;7bCJ0)IW6nt*xz+tuXnK^||Gm4_t~Dns@%ZfN-`YsUKR<O_liLX2V+U1pGlkUF
zwRn`63tj#So%tknG0%UYq1EUxE_UW<o<sA9+UDRk*5-Ghhtnv!x=&q#a<X-&5q_c6
zt>ys|CS0gQt2hR<Rr+|mJ4!#}`))QuwiV>ar=wn2m8T_R+qP>qz1a&kee?)D<c}`^
zlVTw_xhDnBP_tr=ggnpEE=xPLZ$Qz{yes#Mcl)-%9z?XiOR_2?n3xnE*xo_e--sPT
zOn%VE3N2fAUJ_SoaVRF53|t*TaX-D<|A62DQi?*$o!vb5@^D4v34vo5f(DQHC@rT@
zHxot>kRerJ-;vsGy>0^%NuL7Ek$zavrSWNz*hf|oEgTh)a8O4x$NfDWxJ#6?l2-x`
z?}e4m3A<cg2dx*dP<?tb(pMdmAS<@_sul?aEDbsNxAG!I#SP-RTQ}hP&EmA*j9slE
zxlh?>b46D!4FBFy=v_VvD7b+Zhreq<!_Fn%Yfs>oiTbz@OAM=KA4{r;nBT9ZBmts7
zDvJ|^kezM~94pX?#w817{hIFjB;|X97q6bxe|C%26XIgK%<uDeLtdBsK67azP^-B;
z_wSX+lpRRf*t@cSEi~QoTiB4S=BqVcPcjMAZ4@}Iyd5c{p_tC1b^8&$XY;Vn$Vyr*
z+t;}R60_PPI@`F<y*ct})j%73Ls`9~W&JNG`1<K}@@^no_7out_i7LH?AGdWw)pR$
zW|mxys@<rUjDR1qpyQ!gVI-aQ9SI_;QR#SOb#7R@F>Uye(5Ys!myYUP(JWe|`xzx&
z3#e^6{_lk9%8(5H&pI4ny@*@z-x|%U6Hxvql%ny^Sbh2QKPdyc-2Y!6p7>3^rez5f
SH7|aI8nRMKA1Wjb1O5lP<YJou
literal 0
HcmV?d00001
diff --git a/docs/threat_model/index.rst b/docs/threat_model/index.rst
index e8f09b928..b5ede6900 100644
--- a/docs/threat_model/index.rst
+++ b/docs/threat_model/index.rst
@@ -1,5 +1,12 @@
Threat Model
-=============
+============
+
+Threat modeling is an important part of Secure Development Lifecycle (SDL)
+that helps us identify potential threats and mitigations affecting a system.
+
+In the next sections, we first give a description of the target of evaluation
+using a data flow diagram. Then we provide a list of threats we have identified
+based on the data flow diagram and potential threat mitigations.
.. toctree::
:maxdepth: 1
@@ -7,6 +14,7 @@ Threat Model
:numbered:
threat_model
+ threat_model_spm
--------------
diff --git a/docs/threat_model/threat_model.rst b/docs/threat_model/threat_model.rst
index 9cee10415..9f26487e9 100644
--- a/docs/threat_model/threat_model.rst
+++ b/docs/threat_model/threat_model.rst
@@ -1,13 +1,10 @@
-*****************
-Introduction
-*****************
-Threat modeling is an important part of Secure Development Lifecycle (SDL)
-that helps us identify potential threats and mitigations affecting a system.
+Generic threat model
+********************
-This document provides a generic threat model for TF-A firmware. In the
-next sections, we first give a description of the target of evaluation
-using a data flow diagram. Then we provide a list of threats we have
-identified based on the data flow diagram and potential threat mitigations.
+************************
+Introduction
+************************
+This document provides a generic threat model for TF-A firmware.
************************
Target of Evaluation
@@ -781,4 +778,4 @@ each diagram element of the data flow diagram.
.. _Trusted Board Boot (TBB): https://trustedfirmware-a.readthedocs.io/en/latest/design/trusted-board-boot.html
.. _TF-A error handling policy: https://trustedfirmware-a.readthedocs.io/en/latest/process/coding-guidelines.html#error-handling-and-robustness
.. _Secure Development Guidelines: https://trustedfirmware-a.readthedocs.io/en/latest/process/security-hardening.html#secure-development-guidelines
-.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/
\ No newline at end of file
+.. _Trusted Firmware-A Tests: https://git.trustedfirmware.org/TF-A/tf-a-tests.git/about/
diff --git a/docs/threat_model/threat_model_spm.rst b/docs/threat_model/threat_model_spm.rst
new file mode 100644
index 000000000..96d33a2f3
--- /dev/null
+++ b/docs/threat_model/threat_model_spm.rst
@@ -0,0 +1,617 @@
+SPMC threat model
+*****************
+
+************************
+Introduction
+************************
+This document provides a threat model for the TF-A `Secure Partition Manager`_
+(SPM) implementation or more generally the S-EL2 reference firmware running on
+systems implementing the FEAT_SEL2 (formerly Armv8.4 Secure EL2) architecture
+extension. The SPM implementation is based on the `Arm Firmware Framework for
+Armv8-A`_ specification.
+
+In brief, the broad FF-A specification and S-EL2 firmware implementation
+provide:
+
+- Isolation of mutually mistrusting SW components, or endpoints in the FF-A
+ terminology.
+- Distinct sandboxes in the secure world called secure partitions. This permits
+ isolation of services from multiple vendors.
+- A standard protocol for communication and memory sharing between FF-A
+ endpoints.
+- Mutual isolation of the normal world and the secure world (e.g. a Trusted OS
+ is prevented to map an arbitrary NS physical memory region such as the kernel
+ or the Hypervisor).
+
+************************
+Target of Evaluation
+************************
+In this threat model, the target of evaluation is the S-EL2 firmware or the
+``Secure Partition Manager Core`` component (SPMC).
+The monitor and SPMD at EL3 are covered by the `Generic TF-A threat model`_.
+
+The scope for this threat model is:
+
+- The TF-A implementation for the S-EL2 SPMC based on the Hafnium hypervisor
+ running in the secure world of TrustZone (at S-EL2 exception level).
+ The threat model is not related to the normal world Hypervisor or VMs.
+ The S-EL1 SPMC solution is not covered.
+- The implementation complies with the FF-A v1.0 specification.
+- Secure partitions are statically provisioned at boot time.
+- Focus on the run-time part of the life-cycle (no specific emphasis on boot
+ time, factory firmware provisioning, firmware udpate etc.)
+- Not covering advanced or invasive physical attacks such as decapsulation,
+ FIB etc.
+- Assumes secure boot or in particular TF-A trusted boot (TBBR or dual CoT) is
+ enabled. An attacker cannot boot arbitrary images that are not approved by the
+ SiP or platform providers.
+
+Data Flow Diagram
+======================
+Figure 1 shows a high-level data flow diagram for the SPM split into an SPMD
+component at EL3 and an SPMC component at S-EL2. The SPMD mostly acts as a
+relayer/pass-through between the normal world and the secure world. It is
+assumed to expose small attack surface.
+
+A description of each diagram element is given in Table 1. In the diagram, the
+red broken lines indicate trust boundaries.
+
+Components outside of the broken lines are considered untrusted.
+
+.. uml:: ../resources/diagrams/plantuml/spm_dfd.puml
+ :caption: Figure 1: SPMC Data Flow Diagram
+
+.. table:: Table 1: SPMC Data Flow Diagram Description
+
+ +---------------------+--------------------------------------------------------+
+ | Diagram Element | Description |
+ +=====================+========================================================+
+ | ``DF1`` | SP to SPMC communication. FF-A function invocation or |
+ | | implementation-defined Hypervisor call. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF2`` | SPMC to SPMD FF-A call. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF3`` | SPMD to NS forwarding. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF4`` | SP to SP FF-A direct message request/response. |
+ | | Note as a matter of simplifying the diagram |
+ | | the SP to SP communication happens through the SPMC |
+ | | (SP1 performs a direct message request to the |
+ | | SPMC targeting SP2 as destination. And similarly for |
+ | | the direct message response from SP2 to SP1). |
+ +---------------------+--------------------------------------------------------+
+ | ``DF5`` | HW control. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF6`` | Bootloader image loading. |
+ +---------------------+--------------------------------------------------------+
+ | ``DF7`` | External memory access. |
+ +---------------------+--------------------------------------------------------+
+
+*********************
+Threat Analysis
+*********************
+
+This threat model follows a similar methodology to the `Generic TF-A threat model`_.
+The following sections define:
+
+- Trust boundaries
+- Assets
+- Theat agents
+- Threat types
+
+Trust boundaries
+============================
+
+- Normal world is untrusted.
+- Secure world and normal world are separate trust boundaries.
+- EL3 monitor, SPMD and SPMC are trusted.
+- Bootloaders (in particular BL1/BL2 if using TF-A) and run-time BL31 are
+ implicitely trusted by the usage of secure boot.
+- EL3 monitor, SPMD, SPMC do not trust SPs.
+
+.. figure:: ../resources/diagrams/spm-threat-model-trust-boundaries.png
+
+ Figure 2: Trust boundaries
+
+Assets
+============================
+
+The following assets are identified:
+
+- SPMC state.
+- SP state.
+- Information exchange between endpoints (partition messages).
+- SPMC secrets (e.g. pointer authentication key when enabled)
+- SP secrets (e.g. application keys).
+- Scheduling cycles.
+- Shared memory.
+
+Threat Agents
+============================
+
+The following threat agents are identified:
+
+- NS-Endpoint identifies a non-secure endpoint: normal world client at NS-EL2
+ (Hypervisor) or NS-EL1 (VM or OS kernel).
+- S-Endpoint identifies a secure endpoint typically a secure partition.
+- Hardware attacks (non-invasive) requiring a physical access to the device,
+ such as bus probing or DRAM stress.
+
+Threat types
+============================
+
+The following threat categories as exposed in the `Generic TF-A threat model`_
+are re-used:
+
+- Spoofing
+- Tampering
+- Repudiation
+- Information disclosure
+- Denial of service
+- Elevation of privileges
+
+Similarly this threat model re-uses the same threat risk ratings. The risk
+analysis is evaluated based on the environment being ``Server`` or ``Mobile``.
+
+Threat Assessment
+============================
+
+The following threats are identified by applying STRIDE analysis on each diagram
+element of the data flow diagram.
+
++------------------------+----------------------------------------------------+
+| ID | 01 |
++========================+====================================================+
+| ``Threat`` | **An endpoint impersonates the sender or receiver |
+| | FF-A ID in a direct request/response invocation.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Spoofing |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------++----------------+---------------+
+| ``Impact`` | Critical(5) | Critical(5) | |
++------------------------+------------------++----------------+---------------+
+| ``Likelihood`` | Critical(5) | Critical(5) | |
++------------------------+------------------++----------------+---------------+
+| ``Total Risk Rating`` | Critical(25) | Critical(25) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
+| | The guidance below is left for a system integrator |
+| | to implemented as necessary. |
+| | The SPMC must enforce checks in the direct message |
+| | request/response interfaces such an endpoint cannot|
+| | spoof the origin and destination worlds (e.g. a NWd|
+| | originated message directed to the SWd cannot use a|
+| | SWd ID as the sender ID). |
+| | Additionally a software component residing in the |
+| | SPMC can be added for the purpose of direct |
+| | request/response filtering. |
+| | It can be configured with the list of known IDs |
+| | and about which interaction can occur between one |
+| | and another endpoint (e.g. which NWd endpoint ID |
+| | sends a direct request to which SWd endpoint ID). |
+| | This component checks the sender/receiver fields |
+| | for a legitimate communication between endpoints. |
+| | A similar component can exist in the OS kernel |
+| | driver, or Hypervisor although it remains untrusted|
+| | by the SPMD/SPMC. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 02 |
++========================+====================================================+
+| ``Threat`` | **Tampering with memory shared between an endpoint |
+| | and the SPMC.** |
+| | A malicious endpoint may attempt tampering with its|
+| | RX/TX buffer contents while the SPMC is processing |
+| | it (TOCTOU). |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF3, DF4, DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | Shared memory, Information exchange |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | High (16) | High (16) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | In context of FF-A v1.0 this is the case of sharing|
+| | the RX/TX buffer pair and usage in the |
+| | PARTITION_INFO_GET or mem sharing primitives. |
+| | The SPMC must copy the contents of the TX buffer |
+| | to an internal temporary buffer before processing |
+| | its contents. The SPMC must implement hardened |
+| | input validation on data transmitted through the TX|
+| | buffer by an untrusted endpoint. |
+| | The TF-A SPMC mitigates this threat by enforcing |
+| | checks on data transmitted through RX/TX buffers. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 03 |
++========================+====================================================+
+| ``Threat`` | **An endpoint may tamper with its own state or the |
+| | state of another endpoint.** |
+| | A malicious endpoint may attempt violating: |
+| | - its own or another SP state by using an unusual |
+| | combination (or out-of-order) FF-A function |
+| | invocations. |
+| | This can also be an endpoint emitting |
+| | FF-A function invocations to another endpoint while|
+| | the latter in not in a state to receive it (e.g. a |
+| | SP sends a direct request to the normal world early|
+| | while the normal world is not booted yet). |
+| | - the SPMC state itself by employing unexpected |
+| | transitions in FF-A memory sharing, direct requests|
+| | and responses, or handling of interrupts. |
+| | This can be led by random stimuli injection or |
+| | fuzzing. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The SPMC may be vulnerable to invalid state |
+| | transitions for itself or while handling an SP |
+| | state. The FF-A v1.1 specification provides a |
+| | guidance on those state transitions (run-time |
+| | model). The TF-A SPMC will be hardened in future |
+| | releases to follow this guidance. |
+| | Additionally The TF-A SPMC mitigates the threat by |
+| | runs of the Arm `FF-A ACS`_ compliance test suite. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 04 |
++========================+====================================================+
+| ``Threat`` | *An attacker may attempt injecting errors by the |
+| | use of external DRAM stress techniques.** |
+| | A malicious agent may attempt toggling an SP |
+| | Stage-2 MMU descriptor bit within the page tables |
+| | that the SPMC manages. This can happen in Rowhammer|
+| | types of attack. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP or SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | Hardware attack |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Low (2) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | Medium (8) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | The TF-A SPMC does not provide mitigations to this |
+| | type of attack. It can be addressed by the use of |
+| | dedicated HW circuity or hardening at the chipset |
+| | or platform level left to the integrator. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 05 |
++========================+====================================================+
+| ``Threat`` | **Protection of the SPMC from a DMA capable device |
+| | upstream to an SMMU.** |
+| | A device may attempt to tamper with the internal |
+| | SPMC code/data sections. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF5 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC or SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Tampering, Elevation of privileges |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | A platform may prefer assigning boot time, |
+| | statically alocated memory regions through the SMMU|
+| | configuration and page tables. The FF-A v1.1 |
+| | specification provisions this capability through |
+| | static DMA isolation. |
+| | The TF-A SPMC does not mitigate this threat. |
+| | It will adopt the static DMA isolation approach in |
+| | a future release. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 06 |
++========================+====================================================+
+| ``Threat`` | **Replay fragments of past communication between |
+| | endpoints.** |
+| | A malicious endpoint may replay a message exchange |
+| | that occured between two legitimate endpoint as |
+| | a matter of triggering a malfunction or extracting |
+| | secrets from the receiving endpoint. In particular |
+| | the memory sharing operation with fragmented |
+| | messages between an endpoint and the SPMC may be |
+| | replayed by a malicious agent as a matter of |
+| | getting access or gaining permissions to a memory |
+| | region which does not belong to this agent. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF2, DF3 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | Information exchange |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Repdudiation |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 07 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt to extract data |
+| | or state information by the use of invalid or |
+| | incorrect input arguments.** |
+| | Lack of input parameter validation or side effects |
+| | of maliciously forged input parameters might affect|
+| | the SPMC. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMD, SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP secrets, SPMC secrets, SP state, SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information discolure |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | High (4) | High (4) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | High (12) | High (12) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | Secure Partitions must follow security standards |
+| | and best practises as a way to mitigate the risk |
+| | of common vulnerabilities to be exploited. |
+| | The use of software (canaries) or hardware |
+| | hardening techniques (XN, WXN, BTI, pointer |
+| | authentication, MTE) helps detecting and stopping |
+| | an exploitation early. |
+| | The TF-A SPMC mitigates this threat by implementing|
+| | stack protector, pointer authentication, BTI, XN, |
+| | WXN, security hardening techniques. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 08 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may forge a direct message |
+| | request such that it reveals the internal state of |
+| | another endpoint through the direct message |
+| | response.** |
+| | The secure partition or SPMC replies to a partition|
+| | message by a direct message response with |
+| | information which may reveal its internal state |
+| | (.e.g. partition message response outside of |
+| | allowed bounds). |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC or SP state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information discolure |
++------------------------+------------------+---------------+-----------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+---------------+-----------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+---------------+-----------------+
+| ``Likelihood`` | Low (2) | Low (2) | |
++------------------------+------------------+---------------+-----------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
++------------------------+------------------+---------------+-----------------+
+| ``Mitigations`` | For the specific case of direct requests targetting|
+| | the SPMC, the latter is hardened to prevent |
+| | its internal state or the state of an SP to be |
+| | revealed through a direct message response. |
+| | Further FF-A v1.1 guidance about run time models |
+| | and partition states will be implemented in future |
+| | TF-A SPMC releases. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 09 |
++========================+====================================================+
+| ``Threat`` | **Probing the FF-A communication between |
+| | endpoints.** |
+| | SPMC and SPs are typically loaded to external |
+| | memory (protected by a TrustZone memory |
+| | controller). A malicious agent may use non invasive|
+| | methods to probe the external memory bus and |
+| | extract the traffic between an SP and the SPMC or |
+| | among SPs when shared buffers are held in external |
+| | memory. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP/SPMC state, SP/SPMC secrets |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | Hardware attack |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information disclosure |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low (2) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (9) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | It is expected the platform or chipset provides |
+| | guarantees in protecting the DRAM contents. |
+| | The TF-A SPMC does not mitigate this class of |
+| | attack and this is left to the integrator. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 10 |
++========================+====================================================+
+| ``Threat`` | **A malicious agent may attempt revealing the SPMC |
+| | state or secrets by the use of software-based cache|
+| | side-channel attack techniques.** |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF7 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SP or SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Information disclosure |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Low (2) | Low (2) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (6) | Medium (6) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | From an integration perspective it is assumed |
+| | platforms consuming the SPMC component at S-EL2 |
+| | (hence implementing the Armv8.4 FEAT_SEL2 |
+| | architecture extension) implement mitigations to |
+| | Spectre, Meltdown or other cache timing |
+| | side-channel type of attacks. |
+| | The TF-A SPMC implements one mitigation (barrier |
+| | preventing speculation past exeception returns). |
+| | The SPMC may be hardened further with SW |
+| | mitigations (e.g. speculation barriers) for the |
+| | cases not covered in HW. Usage of hardened |
+| | compilers and appropriate options, code inspection |
+| | are recommended ways to mitigate Spectre types of |
+| | attacks. For non-hardened cores, the usage of |
+| | techniques such a kernel page table isolation can |
+| | help mitigating Meltdown type of attacks. |
++------------------------+----------------------------------------------------+
+
++------------------------+----------------------------------------------------+
+| ID | 11 |
++========================+====================================================+
+| ``Threat`` | **A malicious endpoint may attempt flooding the |
+| | SPMC with requests targetting a service within an |
+| | endpoint such that it denies another endpoint to |
+| | access this service.** |
+| | Similarly, the malicious endpoint may target a |
+| | a service within an endpoint such that the latter |
+| | is unable to request services from another |
+| | endpoint. |
++------------------------+----------------------------------------------------+
+| ``Diagram Elements`` | DF1, DF2, DF3, DF4 |
++------------------------+----------------------------------------------------+
+| ``Affected TF-A | SPMC |
+| Components`` | |
++------------------------+----------------------------------------------------+
+| ``Assets`` | SPMC state |
++------------------------+----------------------------------------------------+
+| ``Threat Agent`` | NS-Endpoint, S-Endpoint |
++------------------------+----------------------------------------------------+
+| ``Threat Type`` | Denial of service |
++------------------------+------------------+-----------------+---------------+
+| ``Application`` | ``Server`` | ``Mobile`` | |
++------------------------+------------------+-----------------+---------------+
+| ``Impact`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Likelihood`` | Medium (3) | Medium (3) | |
++------------------------+------------------+-----------------+---------------+
+| ``Total Risk Rating`` | Medium (9) | Medium (9) | |
++------------------------+------------------+-----------------+---------------+
+| ``Mitigations`` | The TF-A SPMC does not mitigate this threat. |
+| | Bounding the time for operations to complete can |
+| | be achieved by the usage of a trusted watchdog. |
+| | Other quality of service monitoring can be achieved|
+| | in the SPMC such as counting a number of operations|
+| | in a limited timeframe. |
++------------------------+----------------------------------------------------+
+
+--------------
+
+*Copyright (c) 2021, Arm Limited. All rights reserved.*
+
+.. _Arm Firmware Framework for Armv8-A: https://developer.arm.com/docs/den0077/latest
+.. _Secure Partition Manager: ../components/secure-partition-manager.html
+.. _Generic TF-A threat model: ./threat_model.html#threat-analysis
+.. _FF-A ACS: https://github.com/ARM-software/ff-a-acs/releases
--
GitLab