From owner-freebsd-hackers@freebsd.org Mon Feb 13 20:24:18 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id F0D18CDDF2F; Mon, 13 Feb 2017 20:24:18 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (207-172-209-83.c3-0.arl-ubr1.sbo-arl.ma.static.cable.rcn.com [207.172.209.83]) by mx1.freebsd.org (Postfix) with ESMTP id C93A21814; Mon, 13 Feb 2017 20:24:18 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id AAB9B1D5A; Mon, 13 Feb 2017 20:24:16 +0000 (UTC) To: freebsd-hackers@FreeBSD.org Cc: freebsd-amd64@freebsd.org, Allan Jude From: Eric McCorkle Subject: GELI BIOS weirdness Message-ID: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> Date: Mon, 13 Feb 2017 15:24:13 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="r4IX03A8AEMamVkTv0I1hnsQjQwkID24j" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 20:24:19 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --r4IX03A8AEMamVkTv0I1hnsQjQwkID24j Content-Type: multipart/mixed; boundary="7StHMtTjFo29XVR1XxTd1TwwNJTgx2Aps"; protected-headers="v1" From: Eric McCorkle To: freebsd-hackers@FreeBSD.org Cc: freebsd-amd64@freebsd.org, Allan Jude Message-ID: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> Subject: GELI BIOS weirdness --7StHMtTjFo29XVR1XxTd1TwwNJTgx2Aps Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello everyone, I ran into an apparent bug while trying to test a patch related to some GELI boot work. This particular patch involves *BIOS* GELI-on-root (not EFI). I created an image for qemu with a single gpt disk having a freebsd-boot and freebsd-ufs partition, with the freebsd-ufs partition actually having a GELI volume. The gptboot phase crashes with an illegal instruction. I tracked this down to eli_metadata_softc (defined in sys/geom/eli/g_eli.h), specifically to the mod operation near the end. Code here: > if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) > sc->sc_mediasize -=3D (sc->sc_mediasize % sc->sc_sectorsize); > else { This crash also occurs on a build from master. The crash dump shows eip pointing to the following code: 66 0f 38 f6 f0 31 c6 8b - 4d 14 89 cf c1 ff 1f 8b The the first 5 bytes of this looks like it's supposed to be an extended DIV instruction, which is what I would expect, except the opcode is wrong (it's adc instead), which doesn't end up corresponding to any valid form of an extended instruction (the 66 prefix). Examination of the disassembly confirms this, and the surrounding instructions match what you would expect from the C code. Unless I'm missing something, this would seem to indicate a compiler bug. More importantly, it would seem to indicate that anyone building GELI-enabled gptboot from master will end up with a nonfunctional binary.= Can someone else please confirm this, and if so, I think it's probably time to file a bug report. --7StHMtTjFo29XVR1XxTd1TwwNJTgx2Aps-- --r4IX03A8AEMamVkTv0I1hnsQjQwkID24j Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKIV7QAKCRBWwohAqoAE jQxYAPwJRJ+ETq5kIJ7ka9T5AdtHYvi/u6vom6PXkELFc34rswD+JApVKiXNP54N tXY/yRTlQCi8kNSkF31eBrc0xdZOQww= =YAfm -----END PGP SIGNATURE----- --r4IX03A8AEMamVkTv0I1hnsQjQwkID24j-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 20:36:41 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 2A9B1CDD650; Mon, 13 Feb 2017 20:36:41 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from springbank.echomania.com (springbank.echomania.com [IPv6:2a01:7c8:aab2:81::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "springbank.echomania.com", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id E9996219; Mon, 13 Feb 2017 20:36:40 +0000 (UTC) (envelope-from dim@FreeBSD.org) X-Virus-Scanned: Debian amavisd-new at springbank.echomania.com Received: from [IPv6:2001:7b8:3a7::edc2:5bd4:2353:56e3] (unknown [IPv6:2001:7b8:3a7:0:edc2:5bd4:2353:56e3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by springbank.echomania.com (Postfix) with ESMTPSA id 00C0758022B; Mon, 13 Feb 2017 21:36:38 +0100 (CET) From: Dimitry Andric Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_46F982B2-64B8-4F6E-8FAA-7539E4E0E910"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\)) Subject: Re: GELI BIOS weirdness Date: Mon, 13 Feb 2017 21:36:31 +0100 In-Reply-To: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> Cc: freebsd-hackers@FreeBSD.org, Allan Jude , freebsd-amd64@freebsd.org To: Eric McCorkle References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> X-Mailer: Apple Mail (2.3259) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 20:36:41 -0000 --Apple-Mail=_46F982B2-64B8-4F6E-8FAA-7539E4E0E910 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii On 13 Feb 2017, at 21:24, Eric McCorkle wrote: > > Hello everyone, > > I ran into an apparent bug while trying to test a patch related to some > GELI boot work. This particular patch involves *BIOS* GELI-on-root (not > EFI). > > I created an image for qemu with a single gpt disk having a freebsd-boot > and freebsd-ufs partition, with the freebsd-ufs partition actually > having a GELI volume. > > The gptboot phase crashes with an illegal instruction. I tracked this > down to eli_metadata_softc (defined in sys/geom/eli/g_eli.h), > specifically to the mod operation near the end. Code here: > >> if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) >> sc->sc_mediasize -= (sc->sc_mediasize % sc->sc_sectorsize); >> else { > > This crash also occurs on a build from master. > > The crash dump shows eip pointing to the following code: > > 66 0f 38 f6 f0 31 c6 8b - 4d 14 89 cf c1 ff 1f 8b > > The the first 5 bytes of this looks like it's supposed to be an extended > DIV instruction, which is what I would expect, except the opcode is > wrong (it's adc instead), which doesn't end up corresponding to any > valid form of an extended instruction (the 66 prefix). Examination of > the disassembly confirms this, and the surrounding instructions match > what you would expect from the C code. This disassembles to: 0: 66 0f 38 f6 f0 adcx %eax,%esi 5: 31 c6 xor %eax,%esi 7: 8b 4d 14 mov 0x14(%ebp),%ecx a: 89 cf mov %ecx,%edi c: c1 ff 1f sar $0x1f,%edi f: 8b .byte 0x8b My first guess would be that the code simply jumped into garbage. But can you post the complete .o file somewhere for inspection? -Dimitry --Apple-Mail=_46F982B2-64B8-4F6E-8FAA-7539E4E0E910 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAliiGNYACgkQsF6jCi4glqPBNwCglFGGSO5+5Zow9sh+o/itoDbg fs0AnjQQCceaEcP83wEi40cGpXfwNZaQ =o5jB -----END PGP SIGNATURE----- --Apple-Mail=_46F982B2-64B8-4F6E-8FAA-7539E4E0E910-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 20:58:54 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7864BCDDE35 for ; Mon, 13 Feb 2017 20:58:54 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (207-172-209-83.c3-0.arl-ubr1.sbo-arl.ma.static.cable.rcn.com [207.172.209.83]) by mx1.freebsd.org (Postfix) with ESMTP id 3086F157C for ; Mon, 13 Feb 2017 20:58:53 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 9DAC41D8A for ; Mon, 13 Feb 2017 20:58:52 +0000 (UTC) Subject: Re: GELI BIOS weirdness To: freebsd-hackers@freebsd.org References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> From: Eric McCorkle Message-ID: Date: Mon, 13 Feb 2017 15:58:46 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="q2W15woPPJUCmLwEMqsavnimU2UX11IWt" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 20:58:54 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --q2W15woPPJUCmLwEMqsavnimU2UX11IWt Content-Type: multipart/mixed; boundary="RAQWHlpxtrVt5uKs7ha5bTXdvbXLwt9hF"; protected-headers="v1" From: Eric McCorkle To: freebsd-hackers@freebsd.org Message-ID: Subject: Re: GELI BIOS weirdness References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> In-Reply-To: --RAQWHlpxtrVt5uKs7ha5bTXdvbXLwt9hF Content-Type: multipart/mixed; boundary="------------3AA58EB50676D4DFA3A5C771" This is a multi-part message in MIME format. --------------3AA58EB50676D4DFA3A5C771 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 02/13/2017 15:36, Dimitry Andric wrote: > This disassembles to: >=20 > 0: 66 0f 38 f6 f0 adcx %eax,%esi > 5: 31 c6 xor %eax,%esi > 7: 8b 4d 14 mov 0x14(%ebp),%ecx > a: 89 cf mov %ecx,%edi > c: c1 ff 1f sar $0x1f,%edi > f: 8b .byte 0x8b Note that this was truncated, so the sar and .byte are probably a truncated instruction. Also, when I had printfs in place, I could see the call instructions. > My first guess would be that the code simply jumped into garbage. But > can you post the complete .o file somewhere for inspection? Attached. --------------3AA58EB50676D4DFA3A5C771 Content-Type: application/octet-stream; name="gptboot" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="gptboot" McmOwY7ZjtG8AHy7gnyLdwoB3k6J8MHoBAUAQIPmD47YuAAKBQBAjsC7CACBxgCAjNgtAAiO 2L//f4zALQAIjsC5AID986RLdeKO2Y7Bu4J8i08Kid6/AJABzgHPTk/zpPz6SXQU5GSoAnX3 sNHmZORkqAJ1+rDf5mD7iBYACemOE+sOQlRYAQIA9w+QBgAAAAD6McCO0LwAGI7AjthmagJm nb8AXrkAGfOruzOVuRAAv4AAiR1HR6uDwwTi9r8AXr7ilayYkeMdrJKtk622CNHrcwuJBYh1 AohVBYPABI19COLs697GRQUYxkUIEMZFZmi7ICjouQAPAR7WlQ8BFtCVDyDAQA8iwOqMkAgA McmxEI7RsTgPANm6AKAAADYPtwUTBAAAweAKLQAQAAAp0LEzUVBoAgIAAGor/zUMkAAAUVFR UVKxB2oA4vxhBx8PoQ+pz/q8ABgAAA8gwCX///9/DyLAMckPItkuDwEV0JUAAGbq9pAYALEg jtGO2Y7BjuGO6UgPIsDqC5EAADHAjtCO2LsIcOgYAA8BHtyV+/YGB5ABdP7HBnIENBLq8P8A 8OQhUOShULAR5iDmoIjY5iGI+OahsATmIbAC5qGwAeYh5qFY5qFY5iHDagDrNGoB6zBqA+ss agTrKGoF6yRqBusgagfrHGoI6yBqCuscagvrGGoM6xRqDesQag7rDGoQ6wD/NCTGRCQEAPwe BmAPqA+gHgZmg3wkRAh1AxbrBP90JFD/dCRQahAfHgeJ474BlgAAvwAYAABX6E0CAABe6AMD AACNZCQYYQcfgDwkA3QVgDwkAXUK90QkEAABAAB1Bene/v//jWQkCM+ADQeQAAAB6c3+//9q COs+agnrOmoK6zZqC+syagzrLmoN6ypqDusmag/rImpw6x5qcesaanLrFmpz6xJqdOsOanXr Cmp26wZqd+sCav/8YA+oD6AeBmoQHx4HjXQkRIkl/F0AAItG7IP4/3UsuwCgAACJ2gNe/Isr AeqJFfhdAACLQgSLEote+PfCAAABAHUlgeP//Pv/6xYx0okV+F0AALkMAAAAagDi/LsCAAAA weACiwDrIvfCAAACAHUaiVQkML50lgAA6BACAAAHHw+hD6lh6b/+//9miR3uXQAAiw34XQAA 4w+NfrxWjXEIuQQAAADzpV6LXviJHfRdAAC7NpMAAIkd8F0AAKPqXQAAZuoOkxgADyDA/sgP IsDqG5MAADHAjtiO0A8BHtyVZgdmH2YPoWYPqWZhvOpdz7z4XWZgZg+oZg+gZh5mBmacZmgC BAAAZp0xwI7YjsAPAR7WlQ8BFtCVDyDAQA8iwOprkwgAMcmxEI7RjtmOwYsl/F0AAI10JESA Jc2VAAD9sTgPANmDPfhdAAAAdE2NfuhWvvRdAAC5CAAAAPOluDMAAAC5BAAAAPOriw34XQAA jXkUjTXUXQAAh8q5BAAAAPOlXosS98IAAAQAdA6hxF0AACX/vv//ZolG+AcfD6EPqWGDxATP g/gBdRoWBwYfHg+hD6APqbgAoAAAA0QkDI1gBFj/0DaADQeQAAAB6br8//+qrITAD4SGAAAA qIB08ojFsD2qrFYPvvAB3vbFAXQHZq3odgAAAPbFAnQGrehhAAAA9sUEdEoe90NQAAACAHUK DwBmBHUExTbrCa2SrcHgBAHQlrICsRCs6EYAAAD+yXQMsC2A+Qh0ArAgquvq/sp0DrAKqrEH sCCq/sl1++vWH16wCvbFCHUDsCCq6XD///+qw1DB6BDoAQAAAFjoAAAAAIbgUMDoBOgBAAAA WCQPPAocaS8MIKrD6AYAAACshMB19sNgMcm0B7tQBAAAZosTvwCACwA4Y/l1A2Yx/zwKdBeR sFD25gDQgNQA0eCRZokED0KA+lByBDDS/saA/hlyFY23oAAAAGa5wAPzpbAgsVDzZqu2GGaJ E2HDagjrPGoJ6zhqCus0agvrMGoM6yxqDesoag7rJGoP6yBqcOscanHrGGpy6xRqc+sQanTr DGp16whqdusEanfrAFAeVYnlh14GMcDB4wKO2IsHi18Ch0YEh14GXR/LAAAAAAAAAAD//wAA AJrPAP//AAAAks8A//8AAACaAAD//wAAAJIAAP//AKAA+s8A//8AoADyzwBnIJhfAIkAAD8A kJUAAJcBAF4AAP8DAAAAABCO+31YkRCOAQCMkRCO//8FkgHuAQDskwLuAQBFkgAKaW50gkBl cnKCRGVmbIJQZWlwikhlYXiCNGVieIIoZWN4gjBlZHiKLGVzaYIcZWRpghhlYnCCIGVzcIoA Y3OBTGRzgQxlc4EIICBmc4EQZ3OBFHNziQRjczplaXCMSHNzOmVzcIwAQlRYIGhhbHRlZAoA SW52YWxpZCBWTTg2IFJlcXVlc3QKAIn2jb0AAPxQv7zzAAC5qIcBACn5MMDzqo8FiIcBAIng BQAIAACjjIcBAOh3FwAA6LInAACQkDHAzTC4AQAAAM0wkI8FkIcBAGhQhwEA6BEAAADNMegK AAAAg8QE/zWQhwEAw4dsJASHRRiHTRyHVSCHXSRQnFiHRShQnYtEJAiHRSyJRCQIWId1MId9 NIdsJATDkJCQkFWJ5VChwPMAAItNCAHBOw3E8wAAdhzHBCTAvAAA6H46AACQkJCQkJCQkJCQ kJCQkOv+iQ3A8wAAg8QEXcOQkJBVieVdw5CQkJCQkJCQkJCQVYnlU1dWg+wQi3UQi30IhfZ4 JHQOocjzAAA5cFAPg6AAAADHRCQE7bwAAMcEJNC8AADpwwAAAIsV0PMAAI1KAYkN0PMAAKHI 8wAAi0BQOcEPg7MAAACJVfCAPdTzAAABD4XDAAAAizXQ8wAA6w+QkIs10PMAAEaJNdDzAACh yPMAADtwUA+DjQAAAIsdzPMAAMHmB40EM4l8JASJBCTHRCQIEAAAAOgFOAAAhcB1wYtEMzT3 0LkAAAAMhch1suk/AQAATonwweAHAwXM8wAAiXwkBIkEJMdEJAgQAAAA6M03AACFwA+EEQEA AMdEJATtvAAAxwQk9bwAAOhROQAAvv/////pwAEAAKPQ8wAAvv/////psQEAAMYF1PMAAADH BdDzAAAAAAAAizXQ8wAA6xyQkJCQkJCQkJCQkJCQkJCLNdDzAABGiTXQ8wAAocjzAAA7cFBz OIsdzPMAAMHmB40EM4l8JASJBCTHRCQIEAAAAOg5NwAAhcB1xYtEMzS5AAAADCHINQAAAAh1 s+tzvv////+DffD/D4UrAQAAxwXQ8wAAAAAAAKHI8wAAg3hQAA+EEgEAADHAkJCQkJCQkMHg BwMFzPMAAIl8JASJBCTHRCQIEAAAAOjTNgAAhcB0IaHQ8wAAQKPQ8wAAiw3I8wAAO0FQcsnp zQAAAIk10PMAAIt9DKHQ8wAAjUgBiU8Qiw3M8wAAweAHi1QBIIt0ASSJdxiJVxQx9vZEATcE D4SVAAAAuv////e7/////6HY8wAACwXc8wAAdDyh0PMAAMHgB4uIEPQAACHZIZAU9AAAiYgQ 9AAAx0QkBODzAADHBCTgMwEAuRm9AACJ+uheAAAAuv////ehQDQBAAsFRDQBAHQ1odDzAADB 4AcjmHg0AQAhkHw0AQCJmHg0AQDHRCQESDQBAMcEJEh0AQC5Ib0AAIn66BcAAACJ8IPEEF5f W13DkJCQkJCQkJCQkJCQkFWJ5VNXVoPsHIlV7IlN8It1CLgAAgAAMdL3dlSJwaHQ8wAAmff5 iceJ+8H7Hw+vz8HhBwNNDKGodAEAiQQkiUwkBMdEJAgAAgAA6CE1AAADfkgTXkyhqHQBAIlc JAyLXeyJfCQIiUQkBIkcJMdEJBABAAAA6HcxAACFwHQbi0XwiUQkCMdEJATtvAAAxwQkrr4A AOmoAAAAi33wi0ZUD69GUIlEJASLRQyJBCToTy8AAIlGWMdGEAAAAACLRgyJRCQEiTQk6DYv AACJRhChqHQBAIkEJMdEJAgAAgAAx0QkBAAAAADoxjQAAKGodAEAi04MiUwkCIl0JASJBCTo bjQAAKGodAEAi04Yi1YciVQkDIlMJAiJRCQEiRwkx0QkEAEAAADoxzAAAIXAdBiJfCQIx0Qk BO28AADHBCTbvgAA6Cs2AACDxBxeX1tdw5CQkFWJ5VdWg+wIodDzAACLDczzAADB4Af2RAE3 BA+EqQAAAIt1CL8AAAACiw3Y8wAACw3c8wAAdESAoBf0AAD7odDzAADB4AeLiBD0AACLkBT0 AAAJ+omQFPQAAImIEPQAAMdEJATg8wAAxwQk4DMBALkZvQAAifLoNf7//6FANAEACwVENAEA dEKh0PMAAMHgB4uIeDQBALr////5I5B8NAEACfqJiHg0AQCJkHw0AQDHRCQESDQBAMcEJEh0 AQC5Ib0AAIny6Ob9//+DxAheX13DkJCQkJCQkJCQkJCQkJCQVYnlV1aD7AyLdQyLRRCjqHQB AMcFRDQBAAAAAADHBUA0AQAAAAAAxwXc8wAAAAAAAMcF2PMAAAAAAADHBdDzAAD/////xgXU 8wAAAcdGGAAAAADHRhQAAAAAx0QkCAAAAADHRCQEAQAAAMcEJOAzAQC5Gb0AAIny6LMBAACF wHUjx0QkBODzAADHBCTgMwEAuRm9AACJ8ujEAgAAhcAPhFQBAACh3PMAAIsN2PMAAAnBdA6L PQQ0AQCLDQA0AQDrGok0JOhHLQAAicGDwf+J14PX/wnQD4SQAAAAicgJ+A+EhgAAAIl8JAiJ TCQExwQkSHQBALkhvQAAifLoMAEAAIXAdXvHRCQESDQBAMcEJEh0AQC5Ib0AAIny6EECAACF wHVcoWB0AQCLDWR0AQCJDUQ0AQCjQDQBAKHY8wAACwXc8wAAdUbHBcjzAABIdAEAxwXM8wAA SDQBAMdEJATtvAAAxwQkUL0AAOsPx0QkBO28AADHBCQovQAA6MEzAACh2PMAAAsF3PMAAHQb x0QkBODzAADHBCTgMwEAuRm9AACJ8ug5AwAAoUA0AQALBUQ0AQB0G8dEJARINAEAxwQkSHQB ALkhvQAAifLoEQMAAKFANAEAiw1ENAEACw3c8wAACwXY8wAACci4/////3QCMcCDxAxeX13D ofwzAQCLDfgzAQCj3PMAAIkN2PMAAMcFyPMAAOAzAQDHBczzAADg8wAA6Yj+//+QkJCQkJCQ kJBVieVTV1aD7BiJzotdEIt9DKGodAEAiVwkDIl8JAiJRCQEiRQkx0QkEAEAAADoTiwAAIXA dBiJdCQIx0QkBO28AADHBCT/vgAA6YUAAACJdfCLdQihqHQBAIlEJASJNCTHRCQIYAAAAOij MAAAiTQkx0QkCAgAAADHRCQEIb8AAOjrMAAAhcB1NDN+GDNeHAn7dSqBfggAAAEAciGLTlSB +YAAAAByFoF+UIAAAAB3DbgAAgAAMdL38YXSdCiLRfCJRCQIx0QkBO28AADHBCQqvwAA6Dgy AAC4/////4PEGF5fW13Di34Qx0YQAAAAAItGDIlEJASJNCTooioAADn4dQeJfhAxwOvUi0Xw iUQkCMdEJATtvAAAxwQkRb8AAOuykJCQkJCQkJCQkJCQkJCQVYnlU1dWg+w0ideLdQgxwIN+ UAAPhCcBAACJTfCLTlQx27gAAgAAMdKJTdz38YlF2ItOSItWTKGodAEAiVXsiVQkDIlN6IlM JAiJRCQEiTwkx0QkEAEAAADo8ioAAIXAD4W7AAAAiX3kkJCQkJCQkIF93AACAAB3aIs9qHQB AIneweYHA3UMiV3gjUMBiUXUMcCQkJCQkJCQkJCQkJCQkInDiXwkBIk0JMdEJAiAAAAA6Cov AACLRdSNBBiLTQg7QVBzDo1DAYPvgIPugDtF2HzOi0XgjUQYAYnDi3UIi33ki03og8EBi1Xs g9IAO15Qc1ehqHQBAIlV7IlUJAyJTeiJTCQIiUQkBIk8JMdEJBABAAAA6DcqAACFwA+ET/// /4tF8IlEJAjHRCQE7bwAAMcEJGq/AADopDAAALj/////g8Q0Xl9bXcMPr15UiVwkBItFDIkE JOgUKQAAicExwDtOWItN8HTZiUwkCMdEJATtvAAAxwQklb8AAOu6kJCQVYnlU1dWg+w0iVXg iU3ki3UIuAACAAAx0otOVIlN1PfxicEx0ot+SIteTItGUIlN6PfxifIx9gH4idmD0QCJfew5 x4ld8InYGcgPg+IBAADHRdwAAAAAkJCQkJCQkJCQgX3UAAIAAA+H0wAAADHAMcmQkJCQkJCQ kJCQkJCQkJCNPDDB5weLVQyLXDo0idqB4gAAAA6B8gAAAAR1KotNDInKjUw6MItUOjCB4/// //mBywAAAAKJEYlZBMdF3AEAAAC5AQAAAEA7Reh8s4XJdGqhqHQBAInxweEHA00MiUwkBIkE JMdEJAgAAgAA6G4tAAChqHQBAItN8IlMJAyLTeyJTCQIiUQkBItF4IkEJMdEJBABAAAA6MQp AACFwHQbi0XkiUQkCMdEJATtvAAAxwQkrr4AAOglLwAAi10IidqLTeyDwQGLXfCD0wADdeiL ekyLQlAx0olF2Pd16ItVCANCSIPXAIlN7DnBiV3wGfsPgur+//+LRdiDfdwAD4SvAAAAD69C VIlEJASLRQyJBCSJ1uhYJwAAiUZYx0YQAAAAAItGDIlEJASJNCToPycAAIlGEKGodAEAiQQk x0QkCAACAADHRCQEAAAAAOjPLAAAoah0AQCLTgyJTCQIiXQkBIkEJOh3LAAAoah0AQCLThiL VhyJVCQMiUwkCIlEJASLReCJBCTHRCQQAQAAAOjNKAAAhcB0G4tF5IlEJAjHRCQE7bwAAMcE JNu+AADoLi4AAIPENF5fW13DkJCQkJCQVYnlxwWkhwEAAAAAAMcFrHQBAAAAAABdw5CQkJCQ kJBVieVTV1aD5PiB7CgSAACLdRCLTRQPpPEJweYJifAlAPD//4lEJBwFABAAAInKg9IAifeB xwACAACJy4PTADnHGdMPnMOJdCQYifCJzgUA8v//ifKD0v+A4wF1BItEJByLfQyE23UCifKN jCQkAgAAiUwkEIn7iXwkBIlEJAiJVCQMx0QkFAAQAADHBCQAAAAA/1UIiceF/w+FMgEAAI2M JCQCAACNVCQg6DIBAACFwHQajYwkJBAAAI1UJCDoHgEAAInHhf8PhQQBAACLRCQ0vwEAAACE wA+J8wAAAIPgAQ+F6gAAAIN8JEsAD4jfAAAAxwQklAQAAOhj8v//o5SHAQC/AgAAAIXAD4TB AAAAxwQkIAAAAOhF8v//iw2UhwEAiQGhlIcBAIsAhcAPhJ4AAACJXCQEiQQkx0QkCCAAAADo uioAAKGUhwEAi00UiUgIi00QiUgEgXsQ/wAAAHUOi0MMiw2UhwEAiwmJQRCLPZSHAQCNh5AC AACNXCQgiVwkBIkEJMdEJAj/AQAA6G4qAACDxwyLRCQYBQAABACD1gCJdCQEiQQkifmJ2uiv AAAAoax0AQCLDZSHAQCJgZAEAACJDax0AQD/BaSHAQAx/4n4jWX0Xl9bXcOQkJCQkJBVieVX VoPsDInWic+JfCQEiTQkx0QkCBAAAADoACoAAIk0JMdEJAS5vwAA6JAqAACJwbgWAAAAhcl1 PI1PEOidGAAAicGJThCNQf+D+AdzD4n5ifKDxAxeX13pwRkAALgtAAAAhcl1D4n5ifKDxAxe X13pmRgAAIPEDF5fXcOQkFWJ5VNXVoPsFInOi0IQiUYEx4ZoAgAAAAAAAMdGCAAAAACLQhSJ hmQCAACLShCD+QN3Dg0AAAQAiYZkAgAAi0oQg/kEdweAjmYCAAAIi0IQg/gFdxiLhmQCAACo EHQLDQAAIACJhmQCAACLQhCD+AZ3B4COZgIAAECLfQyLXQgPt0IYiYb8AAAA9oZkAgAAEIlV 8HRLx4ZIAQAAAAIAAA+3ShyJjkQBAADoUhoAAImGTAEAALkAAgAAKcGD4fCJjnwCAACLRfCL QCZIMdL38YtV8MHgCQUAAgAAiYZ4AgAAi0ImiYZ0AgAAib5wAgAAiZ5sAgAA9oZkAgAAAXUV gcMA/v//g9f/iZ5sAgAAib5wAgAA9oZkAgAAEHUwi55sAgAAi75wAgAAi4Z0AgAAiUQkCIl8 JASJHCTHRCQMAAAAAOhaqwAAKcMZ1+tLi4Z4AgAAi45sAgAAi5ZwAgAAiUQkCIlUJASJDCTH RCQMAAAAAOiaqgAAiceJ0YmOcAIAAIm+bAIAAIuGdAIAAA+vyPfnicOJ1wHPiZ5sAgAAib5w AgAAi0XwD7dAGomGAAEAAIPEFF5fW13DkJCQkJCQkJBVieVTV1aD5PiB7DgCAACLfQi+rHQB AJCQkJCQkJCQkIsGo5SHAQC+AgAAAIXAD4TeAgAAi4CQBAAAo5iHAQC+mIcBAIn56NUCAACF wHXRjZwk4AAAAIkcJMdEJAgAAAAAx0QkBAAAAADocjUAAKGUhwEAi4i7AgAAvgEAAACFyQ+I jAIAAA+EmgAAAItHCItPDIXJdQOLTxCLFZSHAQCLkrsCAACJVCQMiUwkCIlEJATHBCRmvQAA 6CMpAAChlIcBAIuIuwIAAAW/AgAAiUwkFItNDIlMJBCJRCQIjXQkIIk0JMdEJAxAAAAAx0Qk BEAAAADoiC0AAIl0JASJHCTHRCQIQAAAAOjUNQAAiTQkx0QkCEAAAADHRCQEAAAAAOj8JgAA 6zYFvwIAAIlEJASJHCTHRCQIQAAAAOihNQAAi0UMicaJNCTodCgAAIlEJAiJdCQEiRwk6IQ1 AACNvCSgAAAAiXwkBIkcJMdEJAgAAAAA6Kk1AAChlIcBAAWQAgAAjUwkHIlMJAyNXCQgiVwk CIl8JASJBCToIzAAAInGiTwkx0QkCEAAAADHRCQEAAAAAOhpJgAAhfZ0O4P+/w+FnAAAAIkc JMdEJAiAAAAAx0QkBAAAAADoRCYAAIl0JATHBCSkvQAA6PQnAAC+/////+kcAQAAoZSHAQCD wBiJXCQEiQQkx0QkCIAAAADoziUAALjEAQAAAwWUhwEAiVwkBIkEJMdEJAhAAAAA6K8lAACN RCRgiw2UhwEA9oFwAgAAEI2JmAAAAHVDiUQkBIkMJMdEJAhAAAAA6IIlAADrWYkcJMdEJAiA AAAAx0QkBAAAAADoqCUAAIl0JATHBCS2vQAA6FgnAADphQAAAIlMJBCJBCTHRCQUAAAAAMdE JAwBAAAAx0QkCN29AADHRCQEQAAAAOhHNQAAiRwkx0QkCIAAAADHRCQEAAAAAOhPJQAAoZSH AQAx9oO4CAEAABZ0MQUEAgAAiQQk6CKNAAChlIcBAI2IBAIAAAXEAQAAiUQkBIkMJMdEJAhA AAAA6E6NAACJ8I1l9F5fW13DkJCQkFWJ5VahlIcBAIsAixA7EXUTgXkQ/wAAAHUKi1AQMcA7 UQx0JaGUhwEAixCLMrgBAAAAOzF1E4tyDDtxDHULi1IQMcA7URAPlcBeXcOQkJCQVYnlV1aL dQi/rHQBAJCQkIsPiQ2UhwEAuAEAAACFyXQfi4GQBAAAo5iHAQC/mIcBAInx6Hj///+JwTHA hcl10F5fXcOQkJCQkJCQkJCQkJBVieVTV1aD5PiB7NgAAACLVRCLfQi+rHQBAJCQkJCQkIsG o5SHAQCFwA+EZgEAAIuAkAQAAKOYhwEAvpiHAQCJ+YnT6Bj///+J2oXAddKhlIcBAIuIgAIA ADHSi3UYifD38TnxugEAAAB3BInCic6JdCQchdKLfQyLRRSJ3g+E8gAAAMdEJCAAAAAAiVQk JJCJw6GUhwEAg8AMjYwklAAAAIlMJAyJdCQIiXwkBIkEJMdEJBBAAAAA6PMzAACJ8A+k+AyJ 8cH5FItUJByJVCQIiUwkBIkEJMdEJAwAAAAA6KylAACLDZSHAQCDwQyJVCQMiUQkCI1EJCiJ RCQEiQwk6HsrAAChlIcBAIuICAEAAIuADAEAAI2UJJQAAACJVCQYiUQkFI1EJCiJRCQQi0Qk HIlEJAyJXCQIiQwkx0QkBAAAAADopzQAAIn5iceF/3VXi0QkHAHDi3wkIEcBwYPWAItUJCSJ fCQgOdeJz4nYD4Ib////jUQkKIkEJMdEJAhoAAAAx0QkBAAAAADozyIAADH/6zvHBCQBvgAA 6H8kAAC/AQAAAOsojUQkKIkEJMdEJAhoAAAAx0QkBAAAAADonCIAAMcEJN+9AADoUCQAAIn4 jWX0Xl9bXcOQkJCQkJBVieVTV1aD7BCLdRiLXQgx/5CQkJCQkJCQkJCQkJCQkIX/dRmAOwB0 FIlcJASJNCToK/r//4nBMcCFyXRci0UUiUQkDItFEIlEJAiLRQyJRCQExwQkGr4AAOjiIwAA iRwkx0QkBAABAADo8pgAAMcEJFfAAADoxiMAAIlcJASJNCTo2vn//4nBMcCFyXQLR7gBAAAA g/8CfoeDxBBeX1tdw5CQkJCQkJCQkJCQkJCQkFWJ5VNXVoHsHAQAAKGIhwEAjYinhwIAgeEA AP//KcGJDbB0AQDopgMAAKG0dAEAhcB0IQMFuHQBAIsNiIcBACnIo8TzAAChuHQBACnIo8Dz AADrILgAQgAAAwWwdAEAo8DzAAChvHQBACsFiIcBAKPE8wAAxwVQhwEAAAAEAMcFeIcBAAIC AAC4AAkAACsFiIcBAA+2AKPAdAEAMcmEwA+ZwQHJiQ3EdAEAg+B/o8h0AQDHBdB0AQD///// xwXYdAEAAAAAAMcF1HQBAAAAAADHBeB0AQABAAAAxwUQdQEAiAAAAKG8dAEAwegKoxh1AQCh aHUBAMHoCqMcdQEA/gUUdQEAoMB0AQCiFXUBAOhd9P//6EgFAACFwHQQuP////+BxBwEAABe X1tdw8aF8P3//wC7AQAAAI218P3//4298Pv//+sTkJCQkJCQkJCQkMYFbHkBAAAx28YFbHUB AAC5O74AAOgGBgAAhcB1DrlIvgAA6PgFAACFwHQgxwQk/wEAAInBifLotAYAADHJhcB4AonB xoQN8P3//wCAvfD9//8AdGGJdCQEiTwkx0QkCAACAADo1x8AAIn5jVXw6I0GAACFwA+FEQEA AIN98AB0DeiKBAAAhcAPhf4AAAD2BaKHAQAgdRiJdCQIx0QkBDu+AADHBCRVvgAA6JEhAADG hfD9//8Ahdt0FMcEJAMAAADoah4AAIXAD4WDAAAAgD1sdQEAAHQF6GQJAADHRCQIDQAAAMdE JARcvgAAxwQkbHUBAOhIHwAA6EMJAADHRCQIFAAAAMdEJARpvgAAxwQkbHUBAOgnHwAA6CIJ AADHBCTAdAEA6Pbq///HRCQI/////8dEJATAdAEAxwQkkMAAAOiq5v//g/j/D4Wx/v//6zuA PWx1AQAAdTLHRCQIDQAAAMdEJARcvgAAxwQkbHUBAOjKHgAA6xSQkJCQkJCQkMcEJAcAAADo hBwAAPYFoocBACB1RaHAdAEAg+B/iw3EdAEAiwyNoMAAAIsVyHQBAIs90HQBAIl8JBCJVCQM iUwkCIlEJATHRCQUbHUBAMcEJH2+AADoZiAAAPYFlPIAAAJ0BeieGAAAxoXw/f//AMcEJAAA AADoNR0AAIXAdCGJNCTHRCQEAAIAAOiRHQAA6y+QkJCQkJCQkJCQkJCQkJD2BaKHAQAgdRfH BCQKAAAA6NsbAACQkJCQkJCQkJCQkI2N8P3//41V8OiyBAAAhcAPhSr///+DffAAdA3orwIA AIXAD4Uj////6NIHAADpGf///5CQkJCQkJCQkJCQkJBVieVTV1ZQxwV0hwEAAAAAAL9weQEA kJCQkJCQkJCQkMcFUIcBAAAABADHBVSHAQAVAAAAxwVohwEAIOgAAMcFbIcBABQAAADHBXCH AQBQQU1ToYiHAQAB+InBwekED7fJiQ1YhwEAg+APo4SHAQDoWOT///YFeIcBAAEPhQgBAACB PWiHAQBQQU1TD4X4AAAAgz2AeQEAAXUnoXR5AQALBXB5AQB1GosNfHkBAKF4eQEAPQAACACD 2QByBaO8dAEAgz2AeQEAAXUcoXB5AQA1AAAQAAsFdHkBAHUKoXh5AQCjaHUBAKF0eQEAiw1w eQEAic6Bxv//7/+JwoPS/4M9gHkBAAF1dbv//+//Od6D2gBzaYs1fHkBAIs9eHkBAIn6AcqJ 8xHD99q6AQAAABnaD5JF87v//+//gcMBABAAGdKD4gEpyxnCD7ZF8yQBdQKJ+4TAdQKJ8jkd tHQBALgAAAAAGdC/cHkBAHMQiR20dAEAoXB5AQCjuHQBAIM9dIcBAAAPhZf+//+DPbx0AQAA dSvHBVCHAQAAAAAAxwVUhwEAEgAAAOgh4///oWiHAQDB4AolAPz/A6O8dAEAgz1odQEAAA+F hQAAAMcFUIcBAAAABADHBVSHAQAVAAAAxwVohwEAAegAAOjf4v//9gV4hwEAAXUbD7cNbIcB AKFwhwEAweAGAcjB4AqjaHUBAOsFoWh1AQCFwHU1xwVQhwEAAAAAAMcFVIcBABUAAADHBWiH AQAAiAAA6I/i//+haIcBAMHgCiUA/P8Do2h1AQCBPWh1AQAAADAAciaBPbR0AQD//y8AdxrH BbR0AQAAADAAuAAA4P8DBWh1AQCjuHQBAIPEBF5fW13DkJCQkJCQkFWJ5VaD7BShsHQBAAUA QAAAiUQkCMdEJATAdAEA6M7n//+D+P8PhKkAAACh0HQBAIlEJAjHRCQEwHQBAMcEJJDAAADo mOL//4P4/w+EnwAAAKHQ8wAAiw3M8wAAweAHi1QBKIt0ASwrVAEgG3QBJIl0JAyJVCQIx0Qk BMB0AQDHBCSwKgAA6KXu//+FwHVWoch0AQCLDdDzAABBiUwkDIlEJATHRCQQwHQBAMdEJAhw AAAAxwQkhHkBAOgx+P//hcB0IsdEJATtvAAAxwQk+78AAOsrx0QkBO28AADHBCTDvwAA6xrG BWx5AQAAMcDrGcdEJATtvAAAxwQk278AAOgsHAAAuP////+DxBReXcOQVYnlU1dWg+wQic/H RfACAAAAswSQkJCQkJCQkJCQkJCAPy91AUeJ+YA5AHR0ic/rEJCQkJCQkJCQkJCQkJCQkEcP tgeEwHQEPC919In+Kc4xwIH+/wAAAH9nMcCD/gF1C4A5P3UGgD8AD5TAooR7AQCJdCQIiUwk BMcEJIR6AQDomxkAAMaGhHoBAACA+wR1Go1N8Oj3CwAAiMOE23WBMduA+wh1GYtF8OsWx0Qk BIR6AQDHBCQbwAAA6GEbAAAxwIPEEF5fW13DkJCQkJCQkFWJ5V3ptwwAAJCQkJCQkJBVieVT V1aD7ByJzolV5McCAAAAAL8DAIAA6xVCiVQkCIlMJATHBCRsdQEA6BAZAACNXgGJdfCKBonC gML3gPoXdwoPtsoPo8+J3nLkhMAPhNgCAACJ2usJkJCQkJCQkJBCD7YKiMyAxPeA/Bd3CA+2 9A+j93IKhMl15onW6wiQkI1yAcYCADwtid91FYl17L8DAIAA612QkJCQkJCQkJCQRw+2B4TA D4QyAQAAPCh18Lj/////gDs6D4UtAQAAi03wD74Zg8PQiV3og/sJD4dbAgAAg8EC6RoBAACQ kJCQkIqK0cAAALgBAAAA0+AxBaCHAQCNcwGKC4D5UHQjgPlTdF6EyQ+EzQEAADHSgPlEifN0 zemYAAAAkJCQkJCQkJC5lgQAACsNiIcBALhswAAA9gEQdQ+BDaCHAQAAEAAguHDAAACJRCQE xwQkc8AAAOjsGQAAifPrm5CQkJCQkJCQD75TAYPDAoPC0IP6CXdBMcCJ3pCQkJCQkJCQkJCQ kJCNBICNBEIPvh5GjVPQg/oKcu6FwA+OcP///4TbD4Vo////6SsBAACQkJCQkJCQkJAx0pCQ kJCQkJCQkJCQkJCQuP////+D+g0PhGABAAA6isTAAACNUgF15+kC////vwMAgACLXfDpygAA AMdF6P////+LTfApz4P/Ag+FLgEAAIl17IlN8IoZMf/rBZCQkJBHizS9oMAAADoedQyLTfAP tkkBOk4BdAqD/wJ14+n8AAAAiT3EdAEAi13wD757A4PH0Ik9yHQBAIB7BHAPhdwAAACD/wkP h9MAAAAPvksFjXHQiTXQdAEAg8HPg/kID4e6AAAAgHsGKb8DAIAAi3XsD4WoAAAAi03og/n/ dQaLDch0AQCDwweDPcR0AQACGcAlgAAAAAHIo8B0AQCLReTHAAEAAACJ2SnaD4Rx/f//uP// //+B+v8DAAAPhkv9///rXKOM8gAAoaCHAQCpAAAAIHUZwegMg+ABQKKU8gAAqAKLdewPhDb9 ///rCsYFlPIAAAOLdey4AMIBADHS9z2M8gAA6FQQAACFwA+EEP3//4AllPIAAP3pBP3//zHA g8QcXl9bXcOQkJCQkJCQkJCQVYnlU1dWg+T4gexgAQAAuWx1AQDox/v//4nGhfYPhE8BAADH BCQ0AAAAjZQkKAEAAInx6LgPAACFwA+FZgQAAA+3hCQoAQAAPQsBAAAPhXkBAAC/////ACO8 JDwBAACJvCQgAQAAKz2IhwEAxwWQfgEAABAAAIuEJCwBAACJBCSJ8Yn66GcPAACFwA+FFQQA ALv/DwAAi4QkLAEAAAHYJQDw//8Bx4uEJDABAACJBCSJ8Yn66DcPAACFwA+F5QMAAAOcJDQB AACB4wDw//8DnCQwAQAAjQQfiw2IhwEAAcGJDSB1AQCNjCQ4AQAAiUwkBIkEJMdEJAgEAAAA 6P8UAACNfB8Ei4QkOAEAAIXAD4SMAgAAiQQkifGJ+4n66M4OAACFwA+FfAMAAInaA5QkOAEA AMcEJAQAAACJ8YnX6K0OAACFwA+FWwMAAIn6izqDwgSDx/yJPCSJ8YnW6I8OAACFwA+FPQMA AAH+iffpLgIAAIA9hHsBAAAPhScDAAChwHQBAIPgf4sNxHQBAIsMjaDAAACLFch0AQCLNdB0 AQCJdCQYiVQkFIlMJBCJRCQMx0QkCGx1AQDHRCQE7bwAAMcEJD7AAADp1QIAAIC8JCgBAAB/ D4W4AgAAgLwkKQEAAEUPhaoCAACAvCQqAQAATA+FnAIAAIC8JCsBAABGD4WOAgAAi4QkRAEA AKOQfgEAZoO8JFQBAAAAdF4x28eEJCABAAABAAAAid/B5wWNl4iFAQDHBCQgAAAAifHorw0A AIXAD4VdAgAAMcCDv4iFAQABD5TAAcOD+wF/HQ+3hCRUAQAAi4wkIAEAADnBjUkBiYwkIAEA AHyvMdu/mIUBAItX/Lj///8AIcIrFYiHAQCLR/SjkH4BAIsHiQQkifGJlCQgAQAA6EUNAACF wA+F8wEAAEODxyCD+wF+xLj/DwAAAwW8hQEAJQDw//+LvCQgAQAAAcehiIcBAAH4oyB1AQAP t4wkWAEAAA+3hCRaAQAAjVADOdEPhZEAAACLjCRIAQAAjQSAjUTBKKOQfgEAxwQkUAAAALrI hQEAifHozgwAAIXAD4V8AQAAMcC73IUBAImEJCQBAACJXCQEiTwkx0QkCAQAAADotBIAAIPH BItD/KOQfgEAiwOJBCSJ8Ym8JCABAACJ+uiEDAAAhcAPhTIBAACLvCQgAQAAAzuLhCQkAQAA QIPDKIP4AnykuP///wAjhCRAAQAAiYQkIAEAAKGIhwEAAceJPSR1AQC74HQBAI2AbHUBAKPk dAEAoMB0AQCiFXUBAMcFGIYBAAQBAADHRCQIAAEAAMdEJASEeQEAxwQkHIYBAOgTEgAAx0Qk CAABAADHRCQEAAAAAMcEJIR5AQDoNxIAALhjvBEgIwWghwEADQAAAICLDcR0AQAPtonAwAAA ixXQdAEAweIUizXIdAEAweYQjZQRAAAQAAnygcoA/wCgAx2IhwEAuUEAAAC+GIYBAI18JBzz pYlcJBiJRCQEi4QkIAEAAIkEJIlUJAjHRCQUAAAAAMdEJBAAAAAAx0QkDAgAAADodNj//+sU x0QkBGXAAADHBCRZwAAA6FoTAACNZfReX1tdw5CQVYnlXcOQkJCQkJCQkJCQkFWJ5VYPtkED weAYD7ZRAsHiEAnCD7ZxAcHmCAnWD7YBCfBeXcOQkJCQkJCQkJCQkFWJ5VNXVoPk+IHsgAAA AInWic+NTxTotf///4lGFI1PGOgKAgAAZolGGI1PGuj+AQAAZolGGo1PHOgSAgAAiVYiiUYe jU8k6IT///+JRiaKRyiIRiqNTynoc////4lGK41HLY1OL4lEJASJDCTHRCQIQAAAAOiWEAAA jUdtjU5viUQkBIkMJMdEJAiAAQAA6HwQAACNXCQgiRwk6JBFAACJfCQEjb/tAQAAiRwkx0Qk CO0BAADotkUAAIlcJASNXCQQiRwk6HZOAACBxu8BAACJXCQEiTQkx0QkCBAAAADoLBAAAIl8 JASJNCTHRCQIEAAAAOh4EAAAhcB0BbgWAAAAjWX0Xl9bXcOQkJCQkJCQVYnlU1dWg+T4geyA AAAAidaJz41PFOil/v//iUYUjU8Y6PoAAABmiUYYjU8a6O4AAABmiUYajU8c6OIAAABmiUYc jU8e6PYAAACJViKJRh6NTyboaP7//4lGJopHKohGKo1PK+hX/v//iUYrjUcvjU4viUQkBIkM JMdEJAhAAAAA6HoPAACNR2+NTm+JRCQEiQwkx0QkCIABAADoYA8AAI1cJCCJHCTodEQAAIl8 JASNv+8BAACJHCTHRCQI7wEAAOiaRAAAiVwkBI1cJBCJHCToWk0AAIHG7wEAAIlcJASJNCTH RCQIEAAAAOgQDwAAiXwkBIk0JMdEJAgQAAAA6FwPAACFwHQFuBYAAACNZfReX1tdw5CQkJCQ kJCQkJCQVYnlD7ZRAcHiCA+2AQnQXcOQkJCQkJCQkJCQkJCQkJBVieVXVonOjU4E6HH9//+J x4nx6Gj9//+J+l5fXcOQkFWJ5Y1B+oP4DncJiwSNyMAAAF3DMcBdw5CQkJCQkJCQVYnlU1dW g+wki1UQuP////9m98L/AQ+FwAAAAItdHInZgeH/AQAAD4WvAAAAhdsPhJ4AAACLfRSLRRiJ RfCLdQyJ+MH4H8HoFwHCg9cAD6z6CcH/CQNWFBN+GJCQkJCQidjB6AmD+Ai+CAAAAHcCicah sHQBAIl8JAyJVCQIiUQkBItFDIkEJIl0JBCJVeToXAkAAIXAdT+hsHQBAIld7InzweMJiVwk CIlEJASJdeiLdfCJNCToxQ0AAAHeiXXwi0XkA0Xog9cAKV3si13sicJ1jTHA6wW4/////4PE JF5fW13DkJCQkJCQkJCQkJCQVYnlU1dWg+wMic7HBZB+AQAAAAAAiw7HBCQAAgAAuoV7AQDo GPT//4nBhckPjpAAAAC/hX0BALuFewEAkJCQkIlcJATHRCQICAEAAMcEJIh9AQDoOA0AAIA9 hHsBAAB0H8dEJASQfQEAxwQkMcAAAOgbDwAA6yGQkJCQkJCQkJDHRCQEkH0BAMcEJIR6AQDo nA0AAIXAdEsPtwWMfQEAAcM5+3Kbiw7HBCQAAgAAuoV7AQDoiPP//4nBhckPj3X///8xwIP5 /3Qmig2EewEAhMl0HMcEJFfAAADosQ4AADHA6wyhiH0BAIkGoI59AQCDxAxeX1tdw5CQkJCQ kJCQkFWJ5VNXVoPk+IPsSInWhfYPlMCDfQgAD5XCu/////+E0A+FtgUAAIs9sHQBAIX/D4So BQAAhcmJTCQQD4REAQAAoGx5AQCEwA+ENwEAAI2HACAAAIlEJATHRCQIYAUAAMcEJBSAAQDo JAwAAItUJBAx24XSD4RoBQAAORV0hQEAiXwkGA+EPQIAAIl0JBShjIABAIsNRIABAMH5DInX MdL38YlEJByhcIUBAIlEJDCLNdCAAQAx0on49zXMgAEAicH35onHwf4fD6/xAfKBfCQwGQFU GXQVoTCAAQD30CHBD68NLIABAAHPg9IAoSSAAQCJxsH+HwHHEdaKDXiAAQAPpf7T5/bBIHQE if4x/4tMJBwx0otEJBD3NcyAAQCJ0DHS9/GNFMUAAAAAAfqD1gCJNCTHRCQECAAAAIt8JBiJ zon56KgEAACFwA+FjQQAADHSi0QkEPf2gT1whQEAVBkBAA+FAwEAAMHiBwH6iVQkBMdEJAiA AAAAxwQklH4BAOn+AAAAiXwkGIl0JBTHBXSFAQAAAAAAxgVseQEAAL/w////vqD6//+QkJCQ kJCQkIuXvMAAAIsNsHQBAIHBACAAAInQwfgfwegXAdCJwsH6CcH4H4kEJMdEJAQQAAAA6AwE AACFwA+F8QMAAKGwdAEABQAgAACJRCQEx0QkCGAFAADHBCQUgAEA6IIKAAChcIUBAD1UGQEA dCI9GQFUGXUpi4e8wAAAicHB+R8zBfyDAQAzDQCEAQAJwXUOoUSAAQAB8D2h+gAAcg6DxwQP hV3////pigMAAP4FbHkBAIt0JBSLfCQY6QH+///B4ggB+olUJATHRCQIAAEAAMcEJBR/AQDo CAoAAIt0JBSLRCQQo3SFAQDHBZB+AQAAAAAAxwWEhQEAAAAAAMcFgIUBAAAAAADHBXyFAQAA AAAAxwV4hQEAAAAAAI2HABAAAIlEJCyBPXCFAQBUGQEAuJx+AQCLTQh0BbgkfwEAiwCJRCQ0 KwWQfgEAOchyAonIhcAPhN4CAACJRCQ4icOQkJCQkJCJdCQUD7YNZIABAKGQfgEAicbT7iMF TIUBAIlEJBCD/guJXCQcdymBPXCFAQBUGQEAdW2LDLW8fgEAicjB+B/rbZCQkJCQkJCQkJCQ kJCQkKGIgAEAjUgMicrB+h85zrkAAAAAGdEPjWECAACLDUSAAQDB+QyZ9/mJwYE9cIUBAFQZ AQB0Oos96H8BAIsd5H8BAOs3kJCQkJCQkJCQkJCQiwT1iH8BAIsM9YR/AQCJTCQgiUQkJOn0 AAAAkJCQkJCLHex+AQCJ38H/H4l8JCSJXCQgjUb0MdKJRCQ8iUwkMPfxweADD7YNeIABAA+l 39Pj9sEgdASJ3zHbAcOD1wChhIUBADH4iw2AhQEAMdkJwXQqiTwkx0QkBAgAAACLTCQsidro uAEAAIXAD4WdAQAAiR2AhQEAiT2EhQEAi0wkMEkjTCQ8gT1whQEAVBkBAHU/i0QkLI0EiIlE JASNRCRAiQQkx0QkCAQAAADoEAgAAItEJECJRCQgwfgfiUQkJOsukJCQkJCQkJCQkJCQkJCQ i0QkLI0EyIlEJASNRCQgiQQkx0QkCAgAAADo0QcAAItUJCCLXCQkD7YNeIABAInQ0+APpdP2 wSB0BInDMcCLVCQQidfB7wmB5/j/fwABx4PTAIP+C3dJg8YBGcCD4AEPtg1kgAEAD6Xw0+Yx 0vbBIHQEifAx9jl0JDQZwotUJBB9HqFMhQEAI0QkNAMFVIUBACMFYIABAOsMkJCQkJCQkKFE gAEAidGB4QDw//8pyD0AEAAAvgAQAAB3AonGoXiFAQAx+IsNfIUBADHZCcF0K4nwwegJiUQk BIkcJItMJBiJ+uhpAAAAhcB1Uok9eIUBAIkdfIUBAItUJBCB4v8PAAAp1otcJBw53onfdwKJ 9wNUJBiJVCQEi3QkFIk0JIl8JAjoyQYAAAH+AT2QfgEAKfsPhTn9//+LXCQ46wW7/////4nY jWX0Xl9bXcOQkJCQVYnlU1dWg+wYidah1HQBAAHwixXYdAEAE1UIi30MiXwkEIlUJAyJRCQI iU3wiUwkBMcEJMB0AQDo0wEAAInDhdt1EMcEJMB0AQDo4eH//4XAdAqJ2IPEGF5fW13Di0UI D6TwCcHmCcHnCYl8JBCLTfCJTCQMiXQkBIlEJAjHBCTAdAEA6Pfh//8xwOvIkJCQVYnlVoPs CIt1CIk0JOiu7P//icExwDnxdBnHRCQEZcAAAMcEJFnAAADo4gcAALj/////g8QIXl3DkJCQ UGa6+wOwg+6A6gNYZu9muvsDsAPuQrAD7kIxybWA6CkAAAB0BOL3sAHDUGa6/QMxybVA7Kgg 4ft0BViA6gXuw+gHAAAAdPmA6gXsw2a6/QMxwOwkAcOQkJCQkJCQkJCQkJCQkFWJ5VdWi00M McCFyXQqi1UIuP////+QkJCQkJCQkJCQD7YyQg+2+DH3wegIMwS9HMEAAEl16vfQXl9dw5CQ kJBVieWD7AiLRQhmxwUchwEAHgC5HIcBAMcFUIcBAAAABADHBVSHAQATAAAAxwVohwEAAEgA AIsAo3CHAQADDYiHAQCJyMHoBA+3wKNchwEAg+EPiQ2AhwEA6N/L///2BXiHAQABdQ2LFTCH AQChLIcBAOscoWiHAQAPtsSJRCQExwQkHMUAAOilBgAAMcAx0oPECF3DkJCQkJCQkJCQkJCQ VYnlU1dWg+wUi30Yi3UMi00I9gWihwEAIHUhoZDyAADBwAijkPIAAIlEJATHBCQmxQAAicvo VgYAAInZZscFPIcBABAAZok9PocBAAM1iIcBAInwg+APZqNAhwEAwe4EZok1QocBALg8hwEA i3UUiTVIhwEAi10QiR1EhwEAxwVQhwEAAAAEAMcFVIcBABMAAADHBWiHAQAAQgAAiwmJDXCH AQADBYiHAQCJwcHpBA+3yYkNXIcBAIPgD6OAhwEA6NfK//8xwPYFeIcBAAF0LaFohwEAD7bE iXQkEIlcJAyJRCQIx0QkBO28AADHBCQqxQAA6JgFAAC4/////4PEFF5fW13DkJCQkJCQkJCQ kJBVieVXVoPsEIt9FIt1EA+3RRhmxwU8hwEAEABmoz6HAQChiIcBAANFDInBg+EPZokNQIcB AItNCMHoBGajQocBALg8hwEAiT1IhwEAiTVEhwEAxwVQhwEAAAAEAMcFVIcBABMAAADHBWiH AQAAQwAAiwmJDXCHAQADBYiHAQCJwcHpBA+3yYkNXIcBAIPgD6OAhwEA6PPJ//8xwPYFeIcB AAF0JaFohwEAD7bEiXwkDIl0JAiJRCQExwQkLsUAAOi8BAAAuP////+DxBBeX13DVYnlD7ZF CMcFUIcBAAAABADHBVSHAQAQAAAADQAOAACjaIcBAMcFdIcBAAcAAABd6YfJ//+QkJCQkJCQ kJCQkFWJ5VZQi3UI9gWU8gAAAXQIiTQk6Kf////2BZTyAAACdQaDxAReXcOJ8IPEBF5d6ZL8 //+QkJCQkJCQkJCQkJBVieVQg30ICnUMxwQkDQAAAOiq////g8QEXeukkJCQkFWJ5VaLdQjH BVCHAQAAAAQAxwVUhwEAFgAAAInwweAIo2iHAQDo8sj//4X2dA32BXiHAQBAdAQxwOsFoWiH AQBeXcOQkJCQkJCQkJCQkJCQVYnlV1ZQMfb2BaOHAQAQdWCLfQiQkJCQkJCQkJCQkJD2BZTy AAABdBDHBCQBAAAA6Hv///+FwHUY9gWU8gAAAnQJ6PH7//+FwHUdhf900esgvgEAAACF/3UX xwQkAAAAAOhK////6wu+AQAAAIX/dAmJ8IPEBF5fXcODxAReX13pp/v//5CQkJCQkJCQkJCQ VYnlUMcEJAAAAADoYP///4PEBF3DkJCQkJCQkJCQkJBVieVXVlAxwPYFo4cBABB1WItFCAHA jTTAMf+QkJCQkMcEJAEAAADoJP///4nBuAEAAACByQABAACB+QABAAB1KIX2dNu4bAQAACsF iIcBAIsIhf+JynQCifoxwDnRcgmNPDI5+YnXcreDxAReX13DVYnlU1dWUIt1CIt9DE+J8+sO S8cEJD/FAADogQIAAJDHBCQAAAAA6LT+//89AFMAAA+20Lh/AAAAdAKJ0LF/dAKJ0YD5DH8Y gPkIdBiA+Qp1Hus5kJCQkJCQkJCQkJCQgPl/dQY583a366eA+Q10HY1Q4IP6Xneoidop8jn6 cwOIC0OJBCTo5f3//+uTxgMAg8QEXl9bXcOQkJCQkJCQkFWJ5VOLRRCFwHQji00Mi1UIkJCQ kJCQkJCQkJCQkJCQSA+2GY1JAYgajVIBdfJbXcOQkJCQkJCQkJCQkJCQkJBVieWLRRCFwHQO i00Mi1UISIgKjVIBdfhdw5CQkJCQkFWJ5VNXVot9EDHAhf90JotVDIt1CJCQkJCQkJCQkJCQ D7YeD7YKOMt1B0ZCT3Xx6wQpy4nYXl9bXcOQkJCQkJBVieWLRQyLTQiKEYowhNJ0HjjydRpA QZCQkJCQkJCQkA+2EYowhNJ0BkBBOPJ08Q+2wg+2zinIXcOQkJCQkJCQVYnlU1dWi30QMcCF /3Qti1UMi3UIkJCQkJCQkJCQkJAPth6F2w+2CnQLOMt1B0ZCT3Xt6wcPtsEpw4nYXl9bXcOQ kJCQkJCQkJCQkJCQkJBVieWLTQyLRQiKEYTSdAxBiBBAD7YRQYTSdfXGAABdw1WJ5VaLTQyL RQiQkJCQkJCJxo1GAYA+AHX2ihGE0nQhvv////+QkJCQkJCQkJCQkIgUMA+2VDECRoTSdfMB 8InGxgYAXl3DkJCQkJCQkJCQVYnli00IihExwITSdB6KdQyQkJCQkJCQkJCQkJCQkJA48nQK ilEBQYTSdfRdw4nIXcOQkJCQkJCQkJCQkJCQkFWJ5YtNCDHAgDkAdA0xwJCAfAEBAI1AAXX2 XcOQkJCQVYnlU1dWg+w8i10IjUUMiUXw6zyQkJCQkJCQkJCQkJBDiQQk6Kf7///rJYtF8I1I BIlN8IsAiQQk6JL7//+NXDsCkJCQkJCQkJCQkJCQkJAPvgOD+CV0GITAdcTppwEAAJCQkJCQ kJCQkJCQkJCQkDH/6w2QkJCQkJCQkJCQkJBHD75EOwGNSK2D+SV3sP8kjUTFAACD/wGJXeh0 FYP/AnUQi03wjVEIiVXwixmLcQTrDYtN8I1RBIlV8IsZMfY8dYl97HQIPGQPhdoAAAAx/4l0 JASJHCTHRCQMAAAAAMdEJAgKAAAA6DR/AACDyDCIRD3IR4l0JASJHCTHRCQMAAAAAMdEJAgK AAAA6MB+AAC5CQAAADnZuQAAAAAZ8YnDidZyrOmlAAAAi0XwjUgEiU3wizAPtwZmhcCNXDsC D4QM////g8YCkJCQkJCQkJCQD7fAiQQk6HX6//8PtwaDxgJmhcB16unl/v//i0XwjUgEiU3w izCKBoTAjVw7Ag+EzP7//0aQkJCQkJCQkJCQkA++wIkEJOg1+v//D7YGRoTAde3pqP7//zH/ kJCQkJCQifAPpNgcg+MPD7aL3MUAAIhMPchHwe4EicMJ8HXii13oi0XsjVwDAoX/D45w/v// R5CQkJCQkJCQkJCQkJCQkA++RD3GiQQk6NP5//9Pg/8Bf+3pSP7//zHAg8Q8Xl9bXcOQkJCQ kJCQkJCQkJCQkFWJ5VCLTQiLVQzHBCQBAAAA6IoBAACDxARdw5CQkJCQVYnlUItNCItVDMcE JAAAAADoagEAAIPEBF3DkJCQkJBVieVTV1aD7AyLfRCD/0B0CrgWAAAAg/8gdVOLXQjHBCTg AwAA6NbC//+JxokzuAwAAACF9nQ3i0UMjRy9AAAAAIlcJAiJRCQEiTQk6H8QAACBxugBAADR 7wN9DIlcJAiJfCQEiTQk6GQQAAAxwIPEDF5fW13DkJCQkJCQkJCQkFWJ5VaD7AiLdQiLBokE JMdEJATgAwAA6GRzAACLBokEJOiawv//xwYAAAAAg8QIXl3DkJCQkJCQkJCQkJCQkJBVieVW g+T4g+wgi3UIi0UMjUwkEIlMJASJBCTHRCQICAAAAOiocwAAMdKLRCQQi0wkFJCQkJCQkJCQ kJCQkJCQiIQW0AMAAA+syAjB6QhCg/oIdeyJRCQQiUwkFI2G2AMAAIkEJMdEJAQIAAAA6M5y AACNhtADAACBxugBAACJRCQIiUQkBIk0JOgyEAAAjWX8Xl3DkJCQkJCQkJCQkJCQVYnlV1aD 7ByJ14nOi0UIMcmQkJCQkJCQkJCQkJCQkJAPtpQO0AMAADIUD4hUDehBg/kQdeuFwHQViXwk CI1F6IlEJASJNCTo1A8AAOsTiXwkCI1F6IlEJASJNCTobw8AADHAkJCQkJCQkJCQkJCQkA+2 jAbQAwAAMAwHQIP4EHXvMcAxyZCQkJCQkJCQkJCQicoPtrwG0AMAAIn5geGAAAAAAf/B6gcJ +oiUBtADAABAg/gQddqFyXQHgLbQAwAAh41F6IkEJMdEJAQQAAAA6MxxAACDxBxeX13DkJCQ kJBVieVTV1aD7GSJZeDoAAAAAFuBw5+yAACLTRiLfRSJ5o1HB4Pg/CnGifSD7ASJDCToC/v/ /4PEBIlF6IPsCItFDIlEJASLRQiJRfCLRQiJBCToanEAAIPsBIl8JAiJddiJdCQEi0UQiQQk i3UMiV3k6NtxAACDxAyF9g+EMgEAAItFFI1ABIlF3LsBAAAAkJCD/kCJ93IFv0AAAACJ2MHo GItNFItV2IgEConYwegQiEQKAYh8CgKJXdSIXAoDg+wYjUWQiUQkEItF3IlEJAyJVCQIi0Xo iUQkBItFGIkEJMdEJBQAAAAAi13k6JAIAACDxBiF/3QjifD30IP4v3cFuL////9AjU2Qi1Xw kJCQkA+2GUEwGkJAdfaJdeyDfRwCcn2LRez30IP4v3cFuL////9AiUXQvgEAAACQkJCQkIPs GI1FkIlEJBCJRCQIi0XoiUQkBItFGIkEJMdEJBQAAAAAx0QkDEAAAACLXeToDQgAAIPEGIX/ dCCLRdCNTZCLVfCQkJCQkJCQkJCQkJCQD7YZQTAaQkB19kY7dRx1oItd1EMBffCLdewp/g+F 3v7//4tl4I1l9F5fW13DkJCQVYnlU1dWg+T4g+wo6AAAAABbgcPfsAAAi3UMi30I94dkAgAA AABAAHQFg8cM6waBx4wAAACNRCQYiUQkBI2DddP//4kEJMdEJAgEAAAA6D1wAACLRRCJwYhM JByIbCQdwegQiEQkHonIwegYiEQkH4tFFInBiEwkIIhsJCHB6BCIRCQiicjB6BiIRCQjiXQk EI1EJBiJRCQIiTwkx0QkFAAAAADHRCQMDAAAAMdEJARAAAAA6AcHAACLRRSJRkiLRRCJRkTH RkwAAAAAx0ZAHDQRDo1l9F5fW13DkJCQkJBVieVTV1aD7FjoAAAAAFuBwwKwAACLdQiLRQyN fbSJfCQQjYt60///iUwkCIkEJMdEJBQAAAAAx0QkDAEAAADHRCQEQAAAAOiUBgAAifCD6ICJ RCQQiXQkCIk8JMdEJBQAAAAAx0QkDIAAAADHRCQEQAAAAOhnBgAAiTwkx0QkBEAAAADol24A AIPEWF5fW13DkJCQkJCQkJCQkJCQkJCQVYnlU1dWgeycAQAA6AAAAABbgcNfrwAAi0UUi00M i30IhcB0BscA/////411sIl0JBCNg3zT//+JRCQIiQwkx0QkFAAAAADHRCQMAQAAAMdEJARA AAAA6OQFAACKRyqoAQ+E+QAAAI1Hb42N8P7//4lMJASJBCTHRCQIwAAAAOiMbgAAD7dHGA+3 TxqJTCQQiXQkDI2N8P7//4lMJASJBCTHRCQIwAAAAOhSCgAAicaF9g+FAAEAAI21sP7//4l0 JBCNg3rT//+JRCQIi0UMiQQkx0QkFAAAAADHRCQMAQAAAMdEJARAAAAA6FEFAACNvXD+//+J fCQQjYXw/v//iUQkCIk0JMdEJBQAAAAAx0QkDIAAAADHRCQEQAAAAOgdBQAAiTQkx0QkBEAA AADoTW0AAIl8JASNhXD///+JBCTHRCQIQAAAAOhjbwAAMcmFwI11sIt9CA+EYgEAAIpHKqgC D4QfAQAAjYcvAQAAjY3w/v//iUwkBIkEJMdEJAjAAAAA6IhtAAAPt0cYD7dPGolMJBCJdCQM jY3w/v//iUwkBIkEJMdEJAjAAAAA6E4JAACJxoX2dC6NhfD+//+JBCTHRCQEwAAAAOiybAAA jUWwiQQkx0QkBEAAAADon2wAAOnMAAAAjbWw/v//iXQkEI2DetP//4lEJAiLRQyJBCTHRCQU AAAAAMdEJAwBAAAAx0QkBEAAAADoIwQAAI29cP7//4l8JBCNhfD+//+JRCQIiTQkx0QkFAAA AADHRCQMgAAAAMdEJARAAAAA6O8DAACJNCTHRCQEQAAAAOgfbAAAiXwkBI2FcP///4kEJMdE JAhAAAAA6DVuAACFwLkBAAAAjXWwdDiJNCTHRCQEQAAAAOjpawAAjYXw/v//iQQkx0QkBMAA AADo02sAAL7/////ifCBxJwBAABeX1tdw4lN8ItFEIlEJASJ94218P7//4k0JMdEJAiAAAAA 6C9sAACJNCTHRCQEwAAAAOiPawAAiTwkx0QkBEAAAADof2sAADH2i0UUhcB0qItN8IkI66GQ kJCQkJCQkJCQkJCQkJBVieVTV1aD7FjoAAAAAFuBw0KsAACLdRSLTQyNfbSJfCQQjYN60/// iUQkCIkMJMdEJBQAAAAAx0QkDAEAAADHRCQEQAAAAOjUAgAAifCD6ICJRCQQiXQkCIk8JMdE JBQAAAAAx0QkDIAAAADHRCQEQAAAAOinAgAAiTwkx0QkBEAAAADo12oAAIl8JBCNg3zT//+J RCQIi0UMiQQkx0QkFAAAAADHRCQMAQAAAMdEJARAAAAA6GYCAACLRRCJRCQQiXwkDIl0JASL RQiJBCTHRCQIwAAAAOgkBgAAicaJPCTHRCQEQAAAAOhyagAAifCDxFheX1tdw5CQkJCQkJCQ VYnlU1dWg+T4gezoAQAA6AAAAABbgcM8qwAAi30QjXQkEIk0JMdEJASAAAAA6C5qAACF/3RS i0UMgf+AAAAAdxKJfCQIiXQkBIkEJOifagAA6zWNjCQQAQAAiQwk6H4wAACJfCQIi0UMiUQk BI28JBABAACJPCToBDEAAIl8JASJNCToqFAAAIt9CDHAkJCQD7ZMBBCJyoDyNoiUBJAAAACA 8VyIjAfQAAAAQD2AAAAAdd2JNCTHRCQEgAAAAOidaQAAiTwk6BUwAACNtCSQAAAAiXQkBIk8 JMdEJAiAAAAA6JowAACJNCTHRCQEgAAAAOhqaQAAjWX0Xl9bXcOQkFWJ5VOD7AzoAAAAAFuB w0SqAACLRQiLTQyLVRCJVCQIiUwkBIkEJOhUMAAAg8QMW13DkJCQkJCQkJCQkJCQkJBVieVT V1aD5PiB7CgBAADoAAAAAFuBw/ypAACLdQiJdCQEjUQkEIkEJOjCTwAAjXwkUIk8JOhmLwAA jYbQAAAAiUQkBIk8JMdEJAiAAAAA6OwvAACJNCSNdCQQx0QkBFABAADouGgAAIl0JASJPCTH RCQIQAAAAOjELwAAiXwkBIk0JOhoTwAAiTwkx0QkBNAAAADoiGgAAItNEIXJuEAAAAB0AonI iUQkCItFDIlEJASJNCTo92gAAIk0JMdEJARAAAAA6FdoAACNZfReX1tdw5CQkJCQkJCQkJCQ kJCQkFWJ5VNXVoPk+IHsaAEAAOgAAAAAW4HDHKkAAIt9FItFCItNDIlMJAiJRCQEjXQkEIk0 JOio/f//iXwkCItFEIlEJASJNCToFS8AAItFHIlEJAiLRRiJRCQEiTQk6L/+//+NZfReX1td w5CQkJCQkJBVieVTV1aD5PiB7LAAAADoAAAAAFuBw6yoAACLRRCLTQyLdQiJRCQciUwkGPaG ZgIAAAR1MohMJBCIbCQRicrB6hCIVCQSwekYiEwkE4hEJBSIZCQVicHB6RCITCQWwegYiEQk F+scjUQkEIlEJASNRCQYiQQkx0QkCAgAAADo3WcAAIt9GItFFIO+/AAAABZ1LolEJASJxo1E JBCJBCTHRCQICAAAAOi0ZwAAg8YIg8f4iXwkBIk0JOgSZwAA62mBxvgBAACNRCRAiUQkBIk0 JMdEJAhoAAAA6IJnAACNRCQQiUQkBI10JECJNCTHRCQICAAAAOj2VgAAiXQkBI10JCCJNCTo xmMAAIP/ILggAAAAdwKJ+IlEJAiLRRSJRCQEiTQk6DdnAACNZfReX1tdw5CQkJCQkJCQkJCQ kJCQkFWJ5VNXVoPk+IHsSAYAAOgAAAAAW4HDbKcAAIt9IIt1HItVGItFCIP4Fg+ElQAAAIP4 Cw+FKgEAADHAg30MAA+UwIlUJAyJdCQIjbQkEAQAAIk0JIlEJATo8wMAAIXAD4gaAQAAiXwk CI18JBiJPCTHRCQEAgAAAOjTBAAAhcAPiDsBAACJ8otFDIP4AQ+ERQEAAIXAi3UUD4VfAQAA jQT1AAAAAItNEIlMJBCJRCQMiUwkCIlUJASJPCTowAsAAOk4AQAAifeB5////3+JfCQIiVQk BI1EJDCJBCTofwIAAI2EJBgCAADB7gOB5v///w8DdRiJfCQIiXQkBIkEJOhcAgAAi7v8//// i0UgiUQkBI1EJDCJBCT/VyCLRQwx0oXAdGeD+AEPheMAAACDfRQAD4TZAAAAMfaQkJCQkJCQ i0UQjQQwiUQkBI1EJDCJBCT/VxCDxhA7dRRy5DHS6a0AAACJRCQEjYPp0///iQQk6Lvu//+6 AQAAAOmRAAAAiUQkBI2LftP//+s/g30UAHR/MfaQkJCQkJCQkJCQkJCQi0UQjQQwiUQkBI1E JDCJBCT/VxSDxhA7dRRy5DHS61CJRCQEjYuj0///iQwkicboXO7//4ny6ziLdRSNBPUAAAAA i00QiUwkEIlEJAyJTCQIiVQkBIk8JOjDAwAAicHB+R/B6R0BwcH5AzHSOfF1ConQjWX0Xl9b XcOJdCQIiUQkBI2Du9P//+lA////kJCQVYnlU1dWg+wQ6AAAAABbgcNCpQAAi1UQi3UUi0UI g/gWi30YuQsAAAB0AonBiXwkDIl0JAiJVCQEi0UMiQQkugEAAADoFwAAAIPEEF5fW13DkJCQ kJCQkJCQkJCQkJCQVYnlU1dWg+wIiVXwiU3s6AAAAABbgcPcpAAAi3UUieeNRgOD4Pwpx4n8 g+wIiXQkBIk8JOjHYwAAg+wUiXwkGIl0JBSLRRCJRCQQi0UMiUQkDItFCIlEJAiLRfCJRCQE i0XsiQQk6AX9//+NZfReX1tdw5CQkJCQkJCQkJCQkJBVieVTV1aD7BDoAAAAAFuBw2KkAACL VRCLdRSLRQiD+BaLfRi5CwAAAHQCicGJfCQMiXQkCIlUJASLRQyJBCQx0ug6////g8QQXl9b XcOQkFWJ5VNXVoPsDOgAAAAAW4HDEqQAAItNDIt9EIt1CI1GCIl8JAiJTCQEiQQk6B8PAACJ RgSBxvgAAACJfCQIi0UMiUQkBIk0JOhzEwAAg8QMXl9bXcOQkJCQkJCQkJCQkFWJ5VNWg+wQ 6AAAAABbgcOzowAAi0UMi00Qi1UIi3IEgcL4AAAAiUwkDIlEJAiJdCQEiRQk6FYaAACDxBBe W13DkJCQkJCQkJCQkJCQkJCQVYnlU1aD7BDoAAAAAFuBw2OjAACLRQyLTRCLVQiLcgSDwgiJ TCQMiUQkCIl0JASJFCTo+RQAAIPEEF5bXcOQkFWJ5VNXVoPsMOgAAAAAW4HDIqMAAIt1CLj9 ////hfYPhMUAAACKVQy4/////4D6AQ+HtAAAAIt9EIgWgf+AAAAAdBmB/wABAAB0Ebj+//// gf/AAAAAD4WOAAAAi0UUiX4EjVYIwe8DhcB0Fol8JAiJRCQEiRQkiVXw6GHp//+LVfCJfCQI iVQkBI1F0IkEJOhL6f//jUZQi30QgH0MAHQViXwkCI1N0IlMJASJBCToHBIAAOsTiXwkCI1N 0IlMJASJBCTolw0AAIlGTIHGQAEAAIl8JAiNRdCJRCQEiTQk6HsNAAC4AQAAAIPEMF5fW13D kJCQkJCQkJCQkJCQkJBVieVTg+wM6AAAAABbgcMkogAAik0Micr+yrj8////gPoCd0CLVRCL RQiICECF0nQWiVQkBIkEJMdEJAgQAAAA6Jvo///rGIkEJMdEJAgQAAAAx0QkBAAAAADowej/ /7gBAAAAg8QMW13DkJCQkJCQVYnlU1dWg+xI6AAAAABbgcOyoQAAi00Ihcm4+////w+E6QMA AIt1DIX2D4TeAwAAgD4BD4TVAwAAi1UQMcCF0g+EyAMAAIt9FIX/D469AwAAifjB+B/B6BkB +MH4B4lF2IoBPAOJXcCLfRiJfdR0fTwCD4SDAgAAPAG4+////4tNFA+FhgMAAIH5gAAAAA+M dAMAAItFDI1AUIlF3ItF2I14AZCQkJCQkJCQkJCQkJCJVeCLRQyLQEyLddSJdCQMiVQkCIlE JASLRdyJBCSLXcDoqhIAAItV4IPCEIPGEIl11E+D/wF/yOkbAwAAQYlMJASNReSJBCTHRCQI EAAAAOhr5///gX0UgAAAAA+M9gIAAItFDI2IQAEAAI1VxItF2IlN3JCQkJCQkJCQkJCQkIlF vDH/kJCQkJCQkJCQkJCLReSJRcSLReiJRciLReyJRcyLRfCJRdCLRQyLQEyJVCQMiVQkCIlE JASJDCSLXcDoCxIAAA+2RcQlgAAAAIn5g+EHiU3g0+iJ/sH+H8HuHQH+wf4Di00YD7YUMTHC iBQxi1XkidAlAIAAAInTANvB6A8I2IhF5InQwegHJP6J0cHpF4nLgOMBCMOIXeWJ0MHoDyT+ weofCMKIVeaA4f6LVeiJ08DrBwjLidAlAIAAAIhd54nRAMnB6A8IyIhF6InTwesHgOP+idDB 6BeJwYDhAQjZiE3pidPB6w+A4/7B6h8I2ohV6iT+i1XsidHA6QcIwYnQJQCAAACITeuJ0QDJ wegPCMiIReyJ08HrB4Dj/onQwegXicGA4QEI2YhN7YnTwesPgOP+weofCNqIVe4k/otV8InR wOkHCMGJ0CUAgAAAiE3vidEAycHoDwjIiEXwidPB6weA4/6J0MHoF4nBgOEBCNmJ08HrD4Dj /sHqHwjaiE3xiFXyJf4AAACLTRgPthQxi03gg/EH0+qLTdyD4gEJwohV841VxEeB/4AAAAAP hVn+//+LRbyD+AGNQP8Pjzr+///pDQEAAEGJTCQEjUXEiQQkx0QkCBAAAADoXeX//4tFEIlE JASNReSJBCTHRCQIEAAAAOhD5f//i0XkMUXEi0XoMUXIi0XsMUXMi0XwMUXQjX5Qi0ZMi00Y iUwkDI1NxIlMJAiJRCQEiTwk6BsQAACLRRCBfRQAAQAAD4yTAAAAg8AQi3XYiX3ckJCJReBO i33UiXwkBI1FxIkEJMdEJAgQAAAAi13A6M/k//+LReCJRCQEjUXkiQQkx0QkCBAAAADoteT/ /4tF5DFFxItF6DFFyItF7DFFzItF8DFF0IPHEItFDItATIl91Il8JAyLfdyNTcSJTCQIiUQk BIk8JOiHDwAAi0Xgg8AQg/4BD494////i0XYweAHg8RIXl9bXcOQkJCQkJCQkJCQVYnlU1dW g+w46AAAAABbgcOSnQAAg30IAA+EJAIAAItVDIXSD4QZAgAAgDoBD4QQAgAAi3UQMcCF9g+E CAIAAIt9FIX/D479AQAAi00YifjB+B/B6BwB+MH4BIlF8It9CIoHPAKJXeQPhOQAAAA8AQ+F zQEAAIN9FBB8Ro1CUIlF7It98EeQkJCQkJCQkJCQiU3oi0JMiUwkDIl0JAiJRCQEi0XsiQQk 6LMOAACLTeiLVQyLXeSDxhCDwRBPg/8Bf86JTeiLVfDB4gSLRRSJwSnQKdEPiGkBAACJVfC6 EAAAACnChdK4+////4t9FA+OVAEAAIlMJAiJdCQEjUXMiQQkidboR+P//4nxicj32HkZg8fv K33wkJCQkJCQkJCQiEw93UeD//989otFDInBi0FMg8FQi1XoiVQkDI1VzIlUJAiJRCQEiQwk i13k6TkBAABHg30UEIn4fHiNelCJfeyLffBHkJCQkJCQkJCQkJCJTeiJ04nCiwIzBolFzItC BDNGBIlF0ItCCDNGCIlF1ItCDDNGDIlF2ItDTIlMJAyNTcyJTCQIiUQkBItF7IkEJItd5Oin DQAAi03oi1UMi13kg8YQT4P/AYnIjUkQf6CNQfCJReCLRfDB4ASJRfCLRRSJx4l97ItF8ClF 7CnHiX3ceE+JTei5EAAAACtN7IXJuPv///+Lfdx+PYX/fkGJTeyNRcyLTeCQkJCQkJCQkA+2 ETIWiBBGQUBPdfOLddyD/hCLXeSLVQyLTeCLfex8H+stuPv///+DxDheX1tdw4n+ic+LTeCQ kJCQkJCQkJAPtgQxMfiIRDXMRoP+EHXwi0JMg8JQi03oiUwkDI1NzIlMJAiJRCQEiRQk6NAM AACLRfCDwBDrsJCQkJCQkJCQVYnlU1dWg+xE6AAAAABbgcPymgAAi00Ihcm4+////w+EqQMA AIt1DIX2D4SeAwAAihGA+gN0CYA+AA+EjgMAAIt1EDHAhfYPhIEDAACLfRSF/w+OdgMAAIn4 wfgfwegZAfjB+AeJRdiA+gOJXdCJddR0eoD6Ag+EhgIAAID6Abj7////D4VEAwAAgf+AAAAA i00YD4wvAwAAi0UMjUBQiUXci0XYjXgBkJCQkJCQkJCJTeCLRQyLQEyJTCQMi3XUiXQkCIlE JASLRdyJBCSLXdDo+hAAAItN4IPGEIl11IPBEE+D/wF/yOnbAgAAQYlMJASNReSJBCTHRCQI EAAAAOir4P//gf+AAAAAD4y3AgAAi0UMjYhAAQAAjVXAi0XYiU3gkJCQkJCQkJCQkJCQkIlF 3DH2kJCQkJCQkJCQkJCLReSJRcCLReiJRcSLReyJRciLRfCJRcyLRQyLQEyJVCQMiVQkCIlE JASJDCSLXdDoSwsAAItF5InBgeEAgAAAicIA0sHpDwjRiE3kicLB6geA4v6JwcHpF4nLgOMB CNOIXeWJwsHqD4Di/sHoHwjQiEXmgOH+i0XoicKB4gCAAACJw8DrBwjLiF3nicEAycHqDwjK iFXoicLB6geA4v6JwcHpF4nLgOMBCNOIXemJwsHqD4Di/sHoHwjQiEXqgOH+i0XsicKB4gCA AACJw8DrBwjLiF3ricEAycHqDwjKiFXsicLB6geA4v6JwcHpF4nLgOMBCNOIXe2JwsHqD4Di /sHoHwjQiEXugOH+i0XwicKB4gCAAACJw8DrBwjLiF3vicEAycHqDwjKiFXwicHB6QeA4f6J w8HrF4nagOIBCMqIVfGJwcHpD4Dh/oHj/gAAAMHoHwjIiEXyiffB/x/B7x0B98H/A4tFEA+2 BDiJ8oPiB4nRg/EH0+iD4AEJ2IhF8w+2RcAlgAAAAInRi1UY0+gPtgw6McGIDDqNVcCLTeBG gf6AAAAAD4VS/v//i0Xcg/gBjUD/D48z/v//6cYAAABBiUwkBI1F5IkEJMdEJAgQAAAA6Jbe //+B/4AAAACLTRgPjJ8AAACLRQyNQFCJRdyLRdiNeAGQkJCQkJCQkIlN4ItFDItATI1NwIlM JAyLddSJdCQIiUQkBItF3IkEJItd0OhnDgAAi0XkMUXAi0XoMUXEi0XsMUXIi0XwMUXMiXQk BI1F5IkEJMdEJAgQAAAA6Bje//+NRcCJRCQEi0XgiQQkx0QkCBAAAADo/t3//4tN4IPGEIl1 1IPBEE+D/wEPj3j///+LRdjB4AeDxEReX1tdw5CQkJCQkJCQkJBVieVTV1aD7EToAAAAAFuB wxKXAACLTQiFybj7////D4QZAgAAi1UMhdIPhA4CAACAOgAPhAUCAACLdRAxwIX2D4T4AQAA i1UUhdIPju0BAAD2wg8Phd8BAACLRRiJRfCJ18H/H8HvHAHXwf8EigE8Ag+EtgAAADwBuPv/ //8PhboBAACJ8YtFDI1wUIl17ItATIP6IIl96It1GInKfDCQiVXwT4l0JAyJVCQIiUQkBItF 7IkEJOg1DQAAi1Xwg8IQg8YQi0UMi0BMg/8Bf9GNTdiJTCQMiVQkCIlEJASLReyJBCToBw0A AA+2VeeD+g8Ph0MBAAC4EAAAACnQhNKLfeh0EonBOFQN2A+FKQEAAEGD+Q9+8InxidaJRCQI jUXYiUQkBIkMJOn+AAAAQYlMJASNRcCJBCTHRCQIEAAAAOiL3P//i0UMjUhQiU3UiX3oR41N 2OtZkJCQkJCQkJCQi0XwjUAQiUXQiXQkBIPGEI1FwIkEJMdEJAgQAAAA6E3c//+NRdiJfeyJ x4l8JASLRfCJBCTHRCQIEAAAAOgu3P//i0XQiUXwi0UMifmLfeyLQEyJTCQMiXQkCIlEJASL RdSJBCToJgwAAItFwDFF2ItFxDFF3ItFyDFF4ItN5DNNzIlN5E+D/wIPjXH////B6RiJyP7I PA93P7gQAAAAKciJzoTJi33odBCJwYnyOFQN2HUlQYP5D37yiUQkCI1F2IlEJASLRfCJBCTo oNv//8HnBCn3ifjrBbj4////g8REXl9bXcOQkJCQkJCQkJCQVYnlU1dWg+wgi0UMi30ID7YI weEYD7ZQAcHiEAnKD7ZIAsHhCAnRD7ZQAwnKiVXgiRcPtkgEweEYD7ZQBcHiEAnKD7ZIBsHh CAnRD7ZQBwnKiVXciVcED7ZICMHhGA+2UAnB4hAJyg+2SArB4QgJ0Q+2UAsJyolV6IlXCA+2 SAzB4RgPtlANweIQCcoPtkgOweEICdEPtlgPCcvoAAAAAFqBwjCUAACJXwyBfRCAAAAAiVXY D4XEAAAAuQcAAACNggzY//+JRfCLfeiQkJCQkIld7IlN5Il96A+2x4tN2IuEgQzU//+6AAD/ ACHQM0XgD7bzi7yxDNT//7oA/wAAIdcxx4nYwegYD7acgQzU//8x+4tV3ItF7MHoDiX8AwAA i4QBDNT//4tN5L8AAAD/IfiLfegxw4tF8DMYidiLXeyLdQiJRI70iUXgMcKLRQiJVIj4iVXc MdeLVQiJfIr8MfuJHIqDwQSDRfAEuAoAAACD+S8PhVf////p4AIAAA+2UBDB4hgPtngRwecQ CdcPtlASweIICfoPtngTCdeLVQiJehAPtlAUweIYD7Z4FcHnEAnXD7ZQFsHiCAn6i30ID7ZI FwnRiU8Ui30QifqB+sAAAAAPhewAAADHRfALAAAAi33YjYcM2P//iUXkiV3s6zuQkJCQkJCQ kJCQkJCQkJCJVeiLRQiJwot98ItEuuQxyIlEuvwxw4kcuoPHBol98INF5ASJTeyLfdiJ2Q+2 xYuEhwzU//+6AAD/ACHQM0XgicsPttOLlJcM1P//vgD/AAAh8jHCidjB6BgPtrSHDNT//zHW idjB6A4l/AMAAIuEBwzU//+6AAAA/yHQMcaLReQzMItFCInBi33wiXS57ItF3Il14DHwiUS5 8ItV6IlF3DHCiVS59InIi03sMdGJTLj4uAwAAACD/zUPhUD////pmQEAAA+2UBjB4hgPtngZ wecQCdcPtlAaweIICfoPtngbCdeLVQiJehgPtlAcweIYD7Z4HcHnEAnXD7ZQHsHiCAn6i30I D7ZIHwnRiU8cMcCBfRAAAQAAi1XYD4U9AQAAx0XwAgAAAI2CDNj//4ld7InDidfpkgAAAJCQ kJCQkIlV6InIwegOJfwDAACLfdiLhAcM1P//icu5AAD/ACHID7bXi5SXDNT//7kA/wAAIcox wold7A+2ww+2hIcM1P//MdCJ2sHqGIuUlwzU//+5AAAA/yHKi00Ii13wMxTZMdCJRNkgM0TZ BIlE2SQzRNkIiUTZKItV1DHCiVTZLIPDBIld8Itd5IPDBInRiU3UD7bFi4SHDNT//7oAAP8A IdAzReAPttGLlJcM1P//vgD/AAAh8jHCicjB6BgPtrSHDNT//zHWwekOgeH8AwAAi4QPDNT/ /7oAAAD/IdAxxold5DMzi10Ii03wiXTLEItF3Il14DHwiUTLFItV6IlF3DHCiVTLGIt97DHX iXzLHLgOAAAAg/kaifkPheL+//+DxCBeX1tdw5CQkJCQkJCQkJBVieVTV1aD7BDoAAAAAFuB w1KQAACLdQiLRQyLTRCJTCQIiUQkBIk0JOhi+///icGJTfCFwA+O2QEAAItF8I0MhQAAAAC6 BAAAAJCQkJCQkItElvCLPI6JfJbwiQSOi0SW9It8jgSJfJb0iUSOBItElviLfI4IiXyW+IlE jgiLRJb8i3yODIl8lvyJRI4Mg8H8OcqNUgR8uIN98AIPjHIBAACDxhyLTfBJkJCQkJCQkItW 9InQidfB7xgPtry7DNT//8HoDiX8AwAAD7aEAwzU//+LhIM03P//M4S7NNj//w+2/g+20g+2 vLsM1P//M4S7NOD//w+2lJMM1P//M4STNOT//4lG9ItW+InQidfB7xgPtry7DNT//8HoDiX8 AwAAD7aEAwzU//+LhIM03P//M4S7NNj//w+2/g+20g+2vLsM1P//M4S7NOD//w+2lJMM1P// M4STNOT//4lG+ItW/InQidfB7xgPtry7DNT//8HoDiX8AwAAD7aEAwzU//+LhIM03P//M4S7 NNj//w+2/g+20g+2vLsM1P//M4S7NOD//w+2lJMM1P//M4STNOT//4lG/IsWidCJ18HvGA+2 vLsM1P//wegOJfwDAAAPtoQDDNT//4uEgzTc//8zhLs02P//D7b+D7a8uwzU//8zhLs04P// D7bSD7aUkwzU//8zhJM05P//iQaDxhBJD4Wc/v//i0Xwg8QQXl9bXcOQVYnlU1dWg+wwi1UQ D7YCweAYD7ZKAcHhEAnBD7ZyAsHmCAnOD7ZCAwnwiUXwD7ZKBMHhGA+2cgXB5hAJzg+2egbB 5wgJ9w+2WgcJ+w+2cgjB5hgPtnoJwecQCfcPtnIKweYICf4PtkILCfAPtnIMweYYD7Z6DcHn EAn3D7ZyDsHmCAn+D7ZSDwny6AAAAABZgcGxjQAAiU3gi00Ii3XwMzEzWQSJXegzQQiJRfAz UQyLRQzR+I1JLIlN1IlFxI0ExQAAAACJRdDpHAEAAJCQkIl1xA+28Il17A+29Il12IlF3MHo GA+28ol1zA+29ol1yMHqDoHi/AMAAInOi03gi5QRNOz//zOUgTTo//+JVeiJ8onQwegOJfwD AACLtAE07P//M7S5NOj//w+2/zO0uTTw//+LRewztIE09P//idfB7xjB6w6B4/wDAAAPtsKJ RewPtsaJReSLnBk07P//M5y5NOj//4tV2DOckTTw//+LVcwznJE09P//i0XwicfB7xiLVdzB 6g6B4vwDAAAPtsCJRfCLlBE07P//M5S5NOj//4t9yDOUuTTw//+LfewzlLk09P//i33oi0Xk M7yBNPD//4tF8DO8gTT0//+LRdQzcPQzWPiJXegzUPyJVfCJ+jMQjUggiU3UD7bCiUXYD7bG iUXciVXIweoYifEPtsGJReQPtsWJRczB6Q6B4fwDAACLReCLjAg07P//M4yQNOj//4lN7MHu GItd6InaweoOgeL8AwAAi7wQNOz//zO8sDTo//+LTfAPtvUzvLA08P//i03YM7yINPT//4ne we4Yi03wwekOgeH8AwAAD7bTiVXYD7bXiVXoi4wINOz//zOMsDTo//+LddwzjLA08P//i3Xk M4ywNPT//4t18MHuGItdyMHrDoHj/AMAAItV8A+20olV3In6i5wYNOz//zOcsDTo//+Ldcwz nLA08P//i3XYM5ywNPT//4t97It16DO8sDTw//+LddQzVuSJVegzTugzXuyLVdwzvJA09P// ifgzRvCLfeiJ+sHvGIt1xE6JXfAPhbb9//+LdeCLtL4M1P//vwAAAP8h/onPwe8Ogef8AwAA i13gi5w7DNT//78AAP8AIfsJ84ld1Itd8A+294t94Iu0twzU//+/AP8AACH+A3XUD7bYi33g D7acnwzU//8J84t1CIlF7IlN5ItF0DMchonYwesYi3UUiB6Jw8HrEIheAYhmAohGA4nOwe4Y ifiLtLAM1P//uQAAAP8hzotd8MHrDoHj/AMAAIucGAzU//+/AAD/ACH7CfOLTewPtvWLtLAM 1P//vwD/AAAh/gneD7baD7aMmAzU//+Jxwnxi3UIi13QM0yeBInLwesYi0UUiFgEicvB6xCI WAWIaAaISAeLdfDB7hiLtLcM1P//uAAAAP8hxotd7MHrDoHj/AMAAIucHwzU//+5AAD/ACHL CfMPtvaLtLcM1P//uQD/AAAhzgnei03kD7bZD7aEnwzU//8J8ItNCIt10DNEsQiJw8HrGItN FIhZCInDwesQiFkJiGEKiEELicuLRezB6Bi5AAAA/yOMhwzU///B6g6B4vwDAAC4AAD/ACOE FwzU//8JyInCi0XkD7bEuQD/AAAjjIcM1P//CdGLRfAPtsAPtoSHDNT//wnIi00Ii1XQM0SR DInBwekYiEsMicHB6RCISw2IYw6IQw+DxDBeX1tdw5CQkJCQkJCQkJCQVYnlU1dWg+wwi10Q D7YDweAYD7ZLAcHhEAnBD7ZDAsHgCAnID7ZLAwnBiU3wD7ZDBMHgGA+2SwXB4RAJwQ+2QwbB 4AgJyA+2UwcJwg+2QwjB4BgPtnMJweYQCcYPtnsKwecICfcPtkMLCfgPtnMMweYYD7Z7DcHn EAn3D7ZzDsHmCAn+D7ZbDwnz6AAAAABZgcGhiAAAiU3Mi00Ii33wMzkzUQSJVewzQQgzWQyL VQzR+o1JLIlNyIlVxI0M1QAAAACJ2olN2OkhAQAAkJCQkIlNxInYiccPtsyJTewPtsiJTdzB 6BgPts6JTeAPtsqJTeSJVdDB6g6B4vwDAACLTcyLlBE03P//M5SBNNj//4lV1MHvDoHn/AMA AIu8OTTc//8zvLE02P//i0XgM7yBNOD//4tV6A+2wjO8gTTk//+J08HrGIt18MHuDoHm/AMA AInQD7bWiVXoi5QxNNz//zOUmTTY//+LdewzlLE04P//i3XkM5SxNOT//4t10MHuGMHoDiX8 AwAAi13wD7bfiV3si13wD7bbiV3wi4QBNNz//zOEsTTY//+LdewzhLE04P//i3XcM4SxNOT/ /4t16Itd1DOcsTTg//+LdfAznLE05P//i03IM3n0M1H4iVXsidozQfwzEY1JIIlNyIlV4A+2 9ol13A+28ol15MHqGA+2zIlN1A+28Il10IlF6MHoDiX8AwAAi13Mi7QDNNz//zO0kzTY//+J ffCJ+sHqGItF4MHoDiX8AwAAi7wDNNz//zO8kzTY//+LRdQzvIM04P//i03sD7bRM7yTNOT/ /4nIicrB6BiJReCLRfDB6A4l/AMAAA+21olV7IuEAzTc//+LVeAzhJM02P//i1XcM4STNOD/ /4tV0DOEkzTk///BbegYwekOgeH8AwAAi1XwD7bWiVXci1XwD7bSiVXwi5QLNNz//4tN6DOU izTY//+LTdwzlIs04P//i03kM5SLNOT//4tN7DO0izTg//+LTcgzeeQzQeiJRegzUeyLRfAz tIM05P//M3HwifOJffCJ/sHuGItNxEkPhbP9//+LfcyLjLc0+P//uAAAAP8hwYld5Inewe4O geb8AwAAi7Q3NPj//7gAAP8AIcYJzg+2zouMjzT4//+4AP8AACHBCfGLXegPtvMPtrS3NPj/ /wnOi00Ii0XYMzSBifCJwcHpGIt1FIgOicHB6RCITgGIZgKIRgOJ2cHpGIuMjzT4//+4AAAA /yHBi3Xwwe4Ogeb8AwAAi7Q3NPj//7gAAP8AIcYJzotF5A+2zIuMjzT4//+4AP8AACHBCfEP tvIPtoS3NPj//wnIi03Yic6LTQgzRLEEicHB6RiLdRSITgSJwcHpEIhOBYhmBohGB4nRwekY i4yPNPj//74AAAD/IfHB6w6B4/wDAACLtB80+P//uwAA/wAh3gnOi03wD7bNi4yPNPj//7sA /wAAIdkJ8YtF5A+28A+2nLc0+P//CcuLTQiLRdgzXIEIidnB6RiLRRSISAiJ2cHpEIhICYh4 CohYC4nGi03kwekYuAAAAP8jhI80+P//weoOgeL8AwAAuQAA/wAjjBc0+P//CcGLRegPtsS6 AP8AACOUhzT4//8JyotF8A+2wA+2hIc0+P//CdCLTdiLVQgzRIoMicHB6RiITgyJwcHpEIhO DYhmDohGD4PEMF5fW13DkJCQkJCQkJCQkJBVieWLRQjHQBQAAAAAx0AQAAAAAMcAASNFZ8dA BImrze/HQAj+3LqYx0AMdlQyEF3DkJCQkJCQkJCQkJCQkJCQVYnlU1dWg+wU6AAAAABbgcPi gwAAi3UQi30Ii0cQicHB6QOD4T+JTfCNDPUAAAAAAcGJTxCLRxRzBECJRxSLVQyJ8cHpHQHB iU8Uv0AAAACLTfApzzHAOfd3dItFCI1MCBiJTeyNSBiJTfCJfCQIiVQkBItF7IkEJOgiyv// i00Ii1Xw6HcAAACNRz8xyTnwifpzNpCQkJCQkJCQkJCQkIn3idaLRQyNFDCLTQjoTgAAAI1W QIPGfzn+if5y4onQi30Ii1UMMcnrCInQi1UMi30IjUwPGAHCKcaJdCQIiVQkBIkMJOi2yf// g8QUXl9bXcOQkJCQkJCQkJCQkJCQkFWJ5VNXVoHsnAAAAOgAAAAAWIHA34IAAInDiV2kiU2o iwGJReSLcQSLQQiJReyLeQyJfeiJVCQEjYVk////iQQkx0QkCEAAAADoUsn//4tV7InQIfCJ 8ffRIfkJwQNN5IuFZP///4lFxI28CHikatfBxwcB94n4IfCJ+ffRIdGJ0wnBi4Vo////iUWw i1XoAcKNhBFWt8fowcAMAfiJwSH5icL30iHyCcqLjWz///+JTbgBy42MGttwICTBwREBwYnK IcKJy/fTIfsJ04uVcP///4lV0AHWjZQz7s69wcHCFgHKidYhzonT99Mhwwnzi7V0////iXXk AfeNtDuvD3z1wcYHAdaJ9yHXifP30yHLCfuLvXj///+JfbwB+I2EAyrGh0fBwAwB8InHIfeJ w/fTIdMJ+4u9fP///4l92AH5jYwLE0YwqMHBEQHBic8hx4nL99Mh8wn7i32AiX3MAfqNlBMB lUb9wcIWAcqJ1yHPidP30yHDCfuLfYSJfbQB/o20M9iYgGnBxgcB1on3IdeJ8/fTIcsJ+4t9 iIl96AH4jbwDr/dEi8HHDAH3ifgh8In799Mh0wnDi0WMiUXIAcGNjAuxW///wcERAfmJyCH4 icv30yHzCcOLRZCJRewBwo2cE77XXInBwxYBy4nYIciJ2vfSIfoJwotFlIlF1AHGjYQyIhGQ a8HAB4ld4AHYicIh2onG99YhzgnWi1WYiVXAAdeNtD6TcZj9wcYMAcaJ9yHHifL30otd4CHT CfuLfZyJfdwB+Y2MC45DeabBwREB8YnPIfeJffCJz/fXi12wjRwDiV2sIfgLRfCLXaCJXfAB XeCLXeCNhBghCLRJwcAWAciJwyHzIcoJ2otdrI2UGmIlHvbBwgUBwonTIcshxwnfA3XYjbQ3 QLNAwMHGCQHWifchx4tdxI0cA/fQIdAJ+ANN7I2MCFFaXibBwQ4B8YnIIdCLfbyNPBf30iHy CcKNlBqqx7bpwcIUAcqJ0CHwi13IjRwz99YhzgnGjYQ+XRAv1sHABQHQicYhzot98I08D/fR IdEJ8Y2MGVMURALBwQkBwYnOIdaLXeSNHBP30iHCCfKNlDqB5qHYwcIOAcqJ1iHGi33ojTwH 99AhyAnwjYQYyPvT58HAFAHQicYhzotd3I0cC/fRIdEJ8Y2MOebN4SHBwQUBwYnOIdaLfdCN PBf30iHCCfKNlBrWBzfDwcIJAcqJ1iHGi120jRwD99AhyAnwjYQ4hw3V9MHADgHQicYhzot9 wI08D/fRIdEJ8Y2MGe0UWkXBwRQBwYnOIdaLXbiNHBP30iHCCfKNlDoF6eOpwcIFAcqJ1iHG i33MjTwH99AhyAnwjYQY+KPv/MHACQHQicYhzotd1I0cC/fRIdEJ8Y2MOdkCb2fBwQ4BwYnO IdaLfbyNPBf30iHCCfKNlBqKTCqNwcIUAcqLdbSNNAYx0DHIjYQ4Qjn6/8HABAHQi33sjTwP McEx0Y2MMYH2cYfBwQsBwYt13I00FjHKMcKNlDoiYZ1twcIQAcqLfbCNPAcx0DHIjYQwDDjl /cHAFwHQi3XkjTQOMcEx0Y2MOUTqvqTBwQQBwYt9zI08FzHKMcKNlDKpz95LwcILAcqLdciN NAYx0DHIjYQ4YEu79sHAEAHQi33AjTwPMcEx0Y2MMXC8v77BwRcBwYt1xI00FjHKMcKNlDrG fpsowcIEAcqLfdCNPAcx0DHIjYQw+ieh6sHACwHQi3XYjTQOMcEx0Y2MOYUw79TBwRABwYt9 6I08FzHKMcKNlDIFHYgEwcIXAcqLddSNNAYx0DHIjYQ4OdDU2cHABAHQi33wjTwPMcEx0Y2M MeWZ2+bBwQsBwYt1uI0cFjHKMcKNlDr4fKIfwcIQAcqLfcQBxzHQMciNhBhlVqzEwcAXAdCL dcwBzvfRCcEx0Y2MOUQiKfTBwQYBwYt93AHX99IJyjHCjZQyl/8qQ8HCCgHKi3W8Acb30AnQ MciNhDinI5SrwcAPAdCLfdQBz/fRCcEx0Y2MMTmgk/zBwRUBwYt10AHW99IJyjHCjZQ6w1lb ZcHCBgHKi33IAcf30AnQMciNhDCSzAyPwcAKAdCLdbABzvfRCcEx0Y2MOX307//BwQ8BwYt9 tAHX99IJyjHCjZQy0V2EhcHCFQHKi13wAcP30AnQMciNhDhPfqhvwcAGAdCLddgBzvfRCcEx 0Y2MGeDmLP7BwQoBwYtdwAHT99IJyjHCjZQyFEMBo8HCDwHKi33kAcf30AnQMciNtBihEQhO wcYVAdaLXewBy/fRCfEx0Y2EOYJ+U/fBwAYB8It9uAHX99IJwjHyjYwaNfI6vcHBCgHBi13o AfP31gnOMcaNlD670tcqwcIPAcqLfagBB/fQCdAxyI2EGJHThuvBwBWLdwQB1gHGiXcEAVcI AU8MjYVk////iQQkx0QkCEAAAADHRCQEAAAAAItdpOimwv//gcScAAAAXl9bXcOQkJCQkJCQ kJCQkFWJ5VNXVoPsFOgAAAAAW4HDknsAAIt1CI1GEIlEJASNfeyJPCTHRCQICAAAAOgewv// i0YQwegDg+A/g/g4uTgAAAByBbl4AAAAKcGNgzwAAACJRCQEiTQkiUwkCOhO9///iXwkBIk0 JMdEJAgIAAAA6Dr3//+DxBReX1tdw5CQVYnlU1dWg+wU6AAAAABbgcMSewAAi3UMjUYQiUQk BI197Ik8JMdEJAgIAAAA6J7B//+LRhDB6AOD4D+D+Di5OAAAAHIFuXgAAAApwY2DPAAAAIlE JASJNCSJTCQI6M72//+JfCQEiTQkx0QkCAgAAADouvb//4l0JASLRQiJBCTHRCQIEAAAAOhD wf//iTQkx0QkCFgAAADHRCQEAAAAAOhrwf//g8QUXl9bXcOQkJBVieWLRQjHQEwAAAAAx0BI AAAAAMdARAAAAADHQEAAAAAAx0AEZ+YJascACMm888dADIWuZ7vHQAg7p8qEx0AUcvNuPMdA ECv4lP7HQBw69U+lx0AY8TYdX8dAJH9SDlHHQCDRguatx0AsjGgFm8dAKB9sPivHQDSr2YMf x0Awa71B+8dAPBnN4FvHQDh5IX4TXcOQkJCQkJCQkJCQkJCQVYnlU1dWg+wc6AAAAABbgcPC eQAAi30Ii0dIi09MicoPpMIdg+J/iVXwi3UQifLB6h2NNPUAAAAAAcYRyjnGiXdIiVdMGcpz EotHQItPRIPAAYPRAIlHQIlPRDHAv4AAAACLVfAp17kAAAAAg9kAi3UQKf4ZyItNDItFCI1E EFBzDYtVEIlUJAiJTCQE63+JfCQIiUwkBIkEJOjhv///i00IjVFQiVXk6HMAAAADfQyB/oAA AAByS4tF8ItNEI2MCAD///+JTeiD4YCJTeyNiQABAAApwYlN8JCQkJCQkJCLTQiJ+ug2AAAA g++Ag8aAg/5/d+uLRQwDRfCLdegrdeyJx4l0JAiJfCQEi0XkiQQk6Gq///+DxBxeX1tdw5CQ VYnlU1dWg+T4gexAAwAAiUwkdOgAAAAAW4HDmHgAADHAkJCQkJCQkJCQkJCQkJCQD7YMwsHh GA+2dMIBweYQCc4PtkzCAsHhCAnxD7Z0wgMJzg+2TMIEweEYD7Z8wgXB5xAJzw+2TMIGweEI CfkPtnzCBwnPibTEvAAAAIm8xLgAAABAg/gQdaeLRCR0iUQkBI1EJHiJBCTHRCQIQAAAAOi7 vv//i4QknAAAAIlEJDCLhCSYAAAAiUQkWIuEJKQAAACJRCRci4QkoAAAAIlEJECNg7D8//+J RCRsi4QkrAAAAIlEJEiLhCSoAAAAiUQkIIuEJLQAAACJRCRMi4QksAAAAIlEJByLhCSUAAAA iUQkZIuEJJAAAACJRCREi0QkeIlEJCyLRCR8iUQkVIuEJIQAAACJRCQ8i4QkgAAAAIlEJDSL hCSMAAAAiUQkGIuEJIgAAACJRCQ4x0QkDAAAAACLhCS4AAAAiUQkFIuEJLwAAACJRCQQkJCQ kJCQkJCQi3wkWIn6i0QkMA+kwg6JwQ+k+Rcx0Yn6D6TCEjHRicYPpP4OifoPpMIXMfKJxg+k /hKJfCRYMfKLdCRIM3QkXItEJCCJwzNcJEAh+yN0JDAzdCRIMcMDVCQUE0wkEItEJGwDUIgT SIwB2hHxA1QkHBNMJEwBVCREEUwkZIt8JFSJ+It0JCwPpPAeifsPpPMZMcOJ8A+k+AQxw4lc JEyJ8A+k+B6J8w+k+xkxw4n4iXwkVA+k8AQxw4lcJByLdCQYifCJdCQYi1wkPAnYIfgh3gnG i0QkOItcJDQJ2IlcJDQjRCQsi3wkOCHfCceLXCQcAdOLRCRMEcgB+4lcJBwR8IlEJEyLfCRE ifiLVCRkD6TQDonRD6T5FzHBifgPpNASMcGJ0A+k+A6J/g+k1hcxxonQidMPpPgSMcaLRCRA M0QkWIt8JFyJ+jNUJDAh2iNEJEQx+jNEJECLfCQMA7T8wAAAABOM/MQAAACLfCRsA3eQE0+U AcYR0QN0JCATTCRIAXQkOBFMJBiLXCRMidiLVCQcD6TQHonfD6TXGTHHidAPpNgEMceJfCRI idAPpNgeidcPpN8ZMceJ2A+k0AQxx4l8JCCLfCQ8ifiLVCRUCdAh2CHXCceLRCQ0i1QkLAnQ I0QkHItcJDQh0wnDi1QkIAHyi0QkSBHIAdqJVCQgEfiJRCRIi3QkOInwi0wkGA+kyA6Jyg+k 8hcxwonwD6TIEjHCicgPpPAOifcPpM8XMceJyA+k8BIxx4tMJDCJyDNEJGSLXCRYid4zdCRE I0QkGCN0JDgxyDHei0wkDAO8zMgAAAATlMzMAAAAi0wkbAN5mBNRnAH3EcIDfCRAE1QkXAF8 JDQRVCQ8i0wkSInIi3QkIA+k8B6Jyw+k8xkxw4nwD6TIBDHDiVwkXInwD6TIHonzD6TLGTHD icgPpPAEMcOJXCRAi0wkVInIi3QkTAnwI0QkSInLIfMJw4tEJCyLdCQcCfAjRCQgi0wkLCHx CcGLdCRAAf6LRCRcEdABzol0JEAR2IlEJFyLVCQ0idCLTCQ8D6TIDonOD6TWFzHGidAPpMgS McaJyA+k0A6J0w+kyxcxw4nID6TQEjHDi0wkZInIM0QkGIt8JESJ+jNUJDgjRCQ8I1QkNDHI MfqLTCQMA5zM0AAAABO0zNQAAACLTCRsA1mgE3GkAdMRxgNcJFgTdCQwAVwkLBF0JFSLTCRc iciLVCRAD6TQHonPD6TXGTHHidAPpMgEMceJfCRYidAPpMgeidcPpM8ZMceJyA+k0AQxx4l8 JDCLTCRMiciLfCRICfgjRCRcicoh+gnCi0wkHInIC0QkICNEJEAjTCQgCcGLfCQwAd+LRCRY EfABz4l8JDAR0IlEJFiLXCQsidiLdCRUD6TwDon3D6TfFzHHidgPpPASMceJ8g+k2g6J2Ylc JCwPpPEXMdGJ8g+k2hIx0YtEJBiJwjNUJDyLXCQ4id4zdCQ0I1QkVCN0JCwxwjHei0QkDAOM xNgAAAATvMTcAAAAi0QkbANIqBN4rAHxEdcDTCREE3wkZAFMJBwRfCRMi0QkWInCi3QkMA+k 8h6Jww+k8xkx04nyD6TCBDHTiVwkRInyD6TCHonzD6TDGTHTicIPpPIEMdOLdCRIifKLRCRc CcIjVCRYIcYJ1otEJCCJwgtUJEAjVCQwI0QkQAnQAcuLTCREEfkBw4lcJGQR8YlMJESLfCQc ifiLdCRMD6TwDonxD6T5FzHBifgPpPASMcGJ8g+k+g6J+A+k8Bcx0InyD6T6EjHQi3wkPIn6 M1QkVItcJDSJ3jN0JCwjVCRMI3QkHDH6Md6LfCQMA4T84AAAABOM/OQAAACLfCRsA0ewE0+0 AfAR0QNEJDgTTCQYAUQkIBFMJEiLXCREidqLdCRkD6TyHonfD6T3GTHXifIPpNoEMdeJfCQ4 ifIPpNoeifcPpN8ZMdeJ2g+k8gQx14l8JBiLdCRcifKLXCRYCdojVCREId4J1otcJECJ2gtU JDAjVCRkid8jfCQwCdeLVCQYAcKLRCQ4EcgB+olUJBgR8IlEJDiLfCQgifiLdCRID6TwDonx D6T5FzHBifgPpPASMcGJ8g+k+g6J+A+k8Bcx0InyD6T6EjHQi3wkVIn6M1QkTItcJCyJ3jN0 JBwjVCRII3QkIDH6Md6LfCQMA4T86AAAABOM/OwAAACLfCRsA0e4E0+8AfAR0QNEJDQTTCQ8 AUQkQBFMJFyLdCQ4ifKLfCQYD6T6HonzD6T7GTHTifoPpPIEMdOJXCQ0ifoPpPIeifsPpPMZ MdOJ8g+k+gQx04lcJDyLdCRYifKLfCRECfojVCQ4If4J1ot8JDCJ+otcJGQJ2iNUJBgh3wnX i1QkPAHCi0QkNBHIAfqJVCQ8EfCJRCQ0i1wkQInYi3QkXA+k8A6J8Q+k2RcxwYnYD6TwEjHB ifIPpNoOidgPpPAXMdCJ8g+k2hIx0It8JEyJ+jNUJEiLdCQcM3QkICNUJFwh3jH6M3QkHIt8 JAwDhPzwAAAAE4z89AAAAIt8JGwDR8ATT8QB8BHRA0QkLBNMJFQBRCQwEUwkWIt0JDSJ8ot8 JDwPpPoeifMPpPsZMdOJ+g+k8gQx04lcJFSJ+g+k8h6J+w+k8xkx04nyD6T6BDHTiVwkLIt0 JESJ8otcJDgJ2iNUJDQh3gnWi1wkZInaC1QkGCH6I1wkGAnTi1QkLAHCi0QkVBHIAdqJVCQs EfCJRCRUi3wkMIn4i3QkWA+k8A6J8Q+k+RcxwYn4D6TwEjHBifIPpPoOifgPpPAXMdCJ8g+k +hIx0It8JEiJ+jNUJFyLXCQgid4zdCRAI1QkWCN0JDAx+jHei3wkDAOE/PgAAAATjPz8AAAA i3wkbANHyBNPzAHwEdEDRCQcE0wkTAFEJGQRTCREi1wkVInai3QkLA+k8h6J3w+k9xkx14ny D6TaBDHXiXwkTInyD6TaHon3D6TfGTHXidoPpPIEMdeJfCQci3QkOInyi3wkNAn6Idoh/gnW i1QkGItcJDwJ2iNUJCyLfCQYId8J14tUJBwBwotEJEwRyAH6iVQkHBHwiUQkTIt8JGSJ+Yt0 JEQPpPEOifAPpPgXMciJ+Q+k8RIxyInyD6T6Don5D6TxFzHRifIPpPoSMdGLfCRcifozVCRY i1wkQIneM3QkMCNUJEQjdCRkMfox3ot8JAwDjPwAAQAAE4T8BAEAAIt8JGwDT9ATR9QB8RHQ A0wkIBNEJEgBTCQYEUQkOIt0JEyJ8ot8JBwPpPoeifMPpPsZMdOJ+g+k8gQx04lcJEiJ+g+k 8h6J+w+k8xkx04nyD6T6BDHTiVwkIIt0JDSJ8ot8JFQJ+iNUJEwh/gnWi1QkPItcJCwJ2iNU JByLfCQ8Id8J14tUJCAByotMJEgRwQH6iVQkIBHxiUwkSIt8JBiJ+Yt0JDgPpPEOifAPpPgX MciJ+Q+k8RIxyInyD6T6Don5D6TxFzHRifIPpPoSifuJXCQYMdGLfCRYifozVCREi3QkMDN0 JGQjVCQ4Id4x+jN0JDCLfCQMA4z8CAEAABOE/AwBAACLfCRsA0/YE0fcAfER0ANMJEATRCRc AUwkPBFEJDSLdCRIifKLXCQgD6TaHon3D6TfGTHXidoPpPIEMdeJfCRcidoPpPIeid8PpPcZ MdeJ8g+k2gQx14l8JECLdCRUifKLXCRMCdojVCRIId4J1ot8JCyJ+gtUJBwjVCQgI3wkHAnX i1QkQAHKi0wkXBHBAfqJVCRAEfGJTCRci3wkPIn5i3QkNA+k8Q6J8A+k+BcxyIn5D6TxEjHI ifIPpPoOifkPpPEXMdGJ8g+k+hIx0Yt8JESJ+jNUJDiLXCRkid4zdCQYI1QkNCN0JDwx+jHe i3wkDAOM/BABAAAThPwUAQAAi3wkbANP4BNH5AHxEdADTCQwE0QkWAFMJCwRRCRUi1wkXIna i3QkQA+k8h6J3w+k9xkx14nyD6TaBDHXiXwkMInyD6TaHon3D6TfGTHXidoPpPIEMdeJfCRY i3QkTInyi1wkSAnaI1QkXCHeCdaLXCQcidoLVCQgI1QkQInfI3wkIAnXi1QkWAHKi0wkMBHB AfqJVCRYEfGJTCQwi3QkLInxi3wkVA+k+Q6J+A+k8BcxyInxD6T5EjHIifoPpPIOifEPpPkX MdGJ+g+k8hIx0Yt8JDiJ+jNUJDSLXCQYid4zdCQ8I1QkVCN0JCwx+jHei3wkDAOM/BgBAAAT hPwcAQAAi3wkbANP6BNH7AHxEdADTCRkE0QkRAFMJBwRRCRMi3QkMInyi3wkWA+k+h6J8w+k +xkx04n6D6TyBDHTiVwkZIn6D6TyHon7D6TzGTHTifIPpPoEMdOJXCREi3QkSInyi1wkXAna I1QkMCHeCdaLVCQgi1wkQAnaIfqLfCQgId8J14tUJEQByotMJGQRwQH6iVQkRBHxiUwkZIt8 JByJ+Yt0JEwPpPEOifAPpPgXMciJ+Q+k8RIxyInyD6T6Don5D6TxFzHRifIPpPoSMdGLfCQ0 ifozVCRUi1wkPIneM3QkLCNUJEwjdCQcMfox3ot8JAwDjPwgAQAAE4T8JAEAAIt8JGwDT/AT R/QB8RHQA0wkGBNEJDgBTCQgEUQkSIt0JGSJ8ot8JEQPpPoeifMPpPsZMdOJ+g+k8gQx04lc JBiJ+g+k8h6J+w+k8xkx04nyD6T6BDHTiVwkOIt0JFyJ8ot8JDAJ+iNUJGQh/gnWi1QkQItc JFgJ2iNUJESLfCRAId8J14tUJDgByotMJBgRwQH6iVQkOBHxiUwkGIt8JCCJ+Yt0JEgPpPEO ifAPpPgXMciJ+Q+k8RIxyInyD6T6Don5D6TxFzHRifIPpPoSMdGLXCRUid4zdCRMi1QkLInX M3wkHCN0JEgjfCQgMd4x14tcJAyLlNwoAQAAiVQkFAHRi5TcLAEAAIlUJBAR0ItUJGwDSvgT QvwB+RHwA0wkPBNEJDQBTCRAEUQkXItUJBiJ1ot8JDgPpP4eidMPpPsZMfOJ/g+k1gQx84lc JDyJ/g+k1h6J+w+k0xkx84nWD6T+BDHziVwkNItUJDCJ1otcJGQJ3iN0JBiJ1yHfCfeLVCRY idYLdCREI3QkOInTI1wkRAnzi1QkNAHKi0wkPBHBAdqJVCQ0EfmJTCQ8i3wkQIn5i0QkXA+k wQ6Jwg+k+hcxyon5D6TBEjHKicEPpPkOif4PpMYXMc6JwQ+k+RKJ+zHOi0wkTDNMJEiLfCQc M3wkICHBId8zTCRMM3wkHItEJAyLnMQwAQAAiVwkJAHei5zENAEAAIlcJCgR2otEJGwDMBNQ BAH+EcoDdCQsE1QkVAF0JFgRVCQwi0QkPInBi1wkNA+k2R6Jxw+k3xkxz4nZD6TBBDHPidkP pMEeiUwkLInYi0wkPA+kyBkzRCQsi0wkPA+k2QQxyItcJGSJ2QtMJBgjTCQ8I1wkGAnLiVwk VItcJESJ2QtMJDgjTCQ0I1wkOAnLAfAR1wHYiUQkLBN8JFSJfCRUg3wkDEAPhCMMAACLfCQQ ifiLVCQUD6TQDYnRD6T5DYn+D6TWA4n7D6TTGg+k+gPB7wYxzzH3McMx04lcJBCLRCQMi5zE wAAAAIu0xMQAAACJdCRgidgPpPAfifHB6QcxwYnYD6TwGDHBifAPpNgfifKJXCRQD6TaGTHC ifAPpNgYMcKLXCQMi4TcuAAAAAOE3AABAACLtNy8AAAAE7TcBAEAAANEJBAR/gHQiUQkFBHO iXQkaItMJCiJyIt8JCQPpPgNiUQkEIn7D6TLDYnKD6T6A4nID6T4Gg+kzwPB6QYx2THRM0Qk EDH4iUQkJItEJAyLVCQUiZTEOAEAAIm0xDwBAACLlMTIAAAAi4TEzAAAAInXiVQkEIlEJCgP pMcficPB6wcx+4nXD6THGDH7iccPpNcficKLdCQQD6TyGTH6iceLRCQQD6THGDH6i3wkUIt0 JAwDvPQIAQAAi0QkYBOE9AwBAAADfCQkEcgB14l8JFAR2IlEJGCLTCRoicqLdCQUD6TyDYlU JCSJ9w+kzw2Jyw+k8wOJ8g+kygOJyA+k8RrB6AYx+DHYiUQkcDNMJCQx0YlMJGiLRCQMi0wk UImMxEABAACLdCRgibTERAEAAIuUxNAAAACLjMTUAAAAidCJRCQkD6TKH4nPwe8HMdeJwg+k yhgx14nKD6TCH4lMJBSJyw+kwxkx0w+kwRgxy4tEJBCLVCQMA4TUEAEAAItMJCgTjNQUAQAA A0QkaBNMJHAB2IlEJBAR+YlMJCiJ94n5i3QkUA+k8Q2JTCRoifIPpPoNifkPpPEDifMPpPsD ifgPpPcawegGMdAxyIlEJGAzfCRoMd+LTCQMi0QkEImEzEgBAACLRCQoiYTMTAEAAIu0zNgA AACLhMzcAAAAiUQkcInxD6TBH4nCweoHMcqJ8Q+kwRgxyonBD6TxH4nDiXQkUA+k8xkxy4nB D6TxGDHLi0QkJIt0JAwDhPQYAQAAi0wkFBOM9BwBAAAB+BNMJGAB2IlEJCQR0YlMJBSLRCQo icGLdCQQD6TxDYlMJGCJ8g+kwg2Jww+k8wOJ8Q+kwQOJxot8JBAPpP4awegGMdAx2IlEJBAz dCRgMc6LTCQMi0QkJImEzFABAACLRCQUiYTMVAEAAIu8zOAAAACJfCRgi4TM5AAAAIn6D6TC H4nDwesHMdOJ+g+kwhgx04nCD6T6H4lEJCiJwQ+k+Rkx0Q+k+BgxwYtEJFCLVCQMA4TUIAEA AIt8JHATvNQkAQAAAfATfCQQAciJRCRQEd+JfCRwi3QkFInwi3wkJA+k+A2JRCQQifkPpPEN ifIPpPoDD6T3A4nzi0QkJA+kxhrB6wYxyzHTM3QkEDH+iXQkFItEJAyLTCRQiYzEWAEAAItM JHCJjMRcAQAAi7zE6AAAAIl8JCSLjMTsAAAAiUwkaIn4D6TIH4nOwe4HMcaJ+A+kyBgxxonI D6T4H4nKD6T6GTHCicgPpPgYMcKLRCRgi3wkDAOE/CgBAACLTCQoE4z8LAEAAANEJBQR2QHQ iUQkYBHxiUwkKIt0JHCJ8YtEJFAPpMENiUwkEInBD6TxDYnyifcPpMIDicYPpP4DifuLRCRQ D6THGsHrBjHLMdOJXCQUM3wkEDH3i0QkDItMJGCJjMRgAQAAi0wkKImMxGQBAACLtMTwAAAA iXQkUIucxPQAAACJ8A+k2B+J2cHpBzHBifAPpNgYMcGJ2A+k8B+JXCQQidoPpPIZMcIPpPMY MdqLRCQki1wkDAOE3DABAACLdCRoE7TcNAEAAAH4E3QkFAHQiUQkJBHOiXQkaItcJCiJ2ItU JGAPpNANiUQkFInRD6TZDYneD6TWA4nQD6TYA4nfD6TTGsHvBjHPMfczXCQUMcOJXCQoi0Qk DItMJCSJjMRoAQAAi0wkaImMxGwBAACLlMT4AAAAiVQkYIuMxPwAAACJTCRwidAPpMgficvB 6wcxw4nQD6TIGDHDicgPpNAfic4PpNYZMcaJyA+k0BgxxotMJFCLVCQMA4zUOAEAAItEJBAT hNQ8AQAAA0wkKBH4AfGJTCRQEdiJRCQQi0QkaInBi1QkJA+k0Q2JTCQUidEPpMENicYPpNYD idcPpMcDicKLXCQkD6TaGsHoBjHIMfCJRCQoM1QkFDH6i0wkDItEJFCJhMxwAQAAi0QkEImE zHQBAACLnMwAAQAAiVwkFIuEzAQBAACJ2Q+kwR+JxsHuBzHOidkPpMEYMc6JwQ+k2R+JRCQk iccPpN8ZMc8PpNgYMceLRCRgi1wkDAOE3EABAACLTCRwE4zcRAEAAAHQE0wkKAH4iUQkYBHx iUwkcItUJBCJ0It0JFAPpPANiUQkKInxD6TRDYnXD6T3A4nwD6TQA4nTD6TyGsHrBjHLMfsz VCQoMcKJVCQQi0QkDItMJGCJjMR4AQAAi0wkcImMxHwBAACLlMQIAQAAiVQkUIu0xAwBAACJ 0Q+k8R+J98HvBzHPidEPpPEYMc+J8Yl0JGgPpNEfifAPpNAZMcgPpNYYMfCLTCQUi3QkDAOM 9EgBAACLVCQkE5T0TAEAAANMJBAR2gHBiUwkFBH6iVQkJIt8JHCJ+ItUJGAPpNANiUQkKInR D6T5DYn+D6TWA4nQD6T4A4n7D6TTGsHvBjHPMfeJfCQQM1wkKDHDi0QkDItMJBSJjMSAAQAA i0wkJImMxIQBAACLlMQQAQAAiVQkKIu8xBQBAACJ0A+k+B+J/sHuBzHGidAPpPgYMcaJ+A+k 0B+JfCRgifkPpNEZMcEPpNcYMfmLVCRQi3wkDAOU/FABAACLRCRoE4T8VAEAAAHaE0QkEAHK iVQkUBHwiUQkaItcJCSJ2YtEJBQPpMENiUwkEInBD6TZDYneD6TGA4nHD6TfA4nai0QkFA+k wxrB6gYxyjHyiVQkFDNcJBAx+4tEJAyLTCRQiYzEiAEAAItMJGiJjMSMAQAAi7zEGAEAAIl8 JCSLlMQcAQAAifgPpNAfidHB6QcxwYn4D6TQGDHBidAPpPgfiVQkEInWD6T+GTHGD6T6GDHW i1QkKIt8JAwDlPxYAQAAi0QkYBOE/FwBAAAB2hNEJBQB8olUJCgRyIlEJGCLXCRoidmLRCRQ D6TBDYlMJBSJwQ+k2Q2J2g+kwgOJxg+k3gOJ34tEJFAPpMMawe8GMc8x14l8JGgzXCQUMfOL RCQMi0wkKImMxJABAACLTCRgiYzElAEAAIuUxCABAACJVCQUi7zEJAEAAInQD6T4H4n5wekH McGJ0A+k+BgxwYn4D6TQH4l8JFCJ/g+k1hkxxg+k1xgx/otUJCSLfCQMA5T8YAEAAItEJBAT hPxkAQAAAdoTRCRoAfKJVCQkEciJRCQQi3QkYInxi1QkKA+k0Q2JTCRwidEPpPENifcPpNcD idMPpPMDifCLVCQoD6TWGsHoBjHIMfiJRCRoM3QkcDHei0wkDItEJCSJhMyYAQAAi0QkEImE zJwBAACLlMwoAQAAiVQkYIuEzCwBAACJ0Q+kwR+Jx8HvBzHPidEPpMEYMc+JwQ+k0R+JRCQo icMPpNMZMcsPpNAYMcOLRCQUi1QkDAOE1GgBAACLTCRQE4zUbAEAAAHwE0wkaAHYiUQkFBH5 iUwkUItEJBCJwYtUJCQPpNENiUwkaInXD6THDYnDD6TTA4nRD6TBA4nGD6TQGsHuBjH+Md4z RCRoMciJRCQQi0wkDItEJBSJhMygAQAAi0QkUImEzKQBAACLvMwwAQAAiXwkaIuEzDQBAACJ +w+kwx+JwcHpBzHZifsPpMMYMdmJw4lEJCQPpPsficIPpPoZMdoPpPgYMcKLRCQMi1wkYAOc xHABAACLfCQoE7zEdAEAAANcJBAR9wHTEc+JnMSoAQAAibzErAEAAItcJFCJ2It8JBQPpPgN iUQkEIn5D6TZDYnaD6T6A4n4D6TYA4nei3wkFA+k+xrB7gYxzjHWiXQkKDNcJBAxw4t8JAyL lPw8AQAAi7z8OAEAAIn5D6TRH4nWwe4HMc6J+Q+k0RgxzonRD6T5H4nQD6T4GTHIiVQkEIl8 JBQPpPoYMdCLVCRoi3wkDAOU/HgBAACLTCQkE4z8fAEAAAHaE0wkKAHCEfGJlPywAQAAiYz8 tAEAAI1HEINsJGyAg/hQiUQkDA+MqeP//4tEJHSLVCQsAxCLTCRUE0gEiRCJSASLVCQ0A1AI i0wkPBNIDIlQCIlIDItUJDgDUBCLTCQYE0gUiVAQiUgUi1QkRANQGItMJGQTSByJUBiJSByL VCRYA1Agi0wkMBNIJIlQIIlIJItUJEADUCiLTCRcE0gsiVAoiUgsi1QkIANQMItMJEgTSDSJ UDCJSDSLVCQcA1A4i0wkTBNIPIlQOIlIPI1l9F5fW13DkJCQkJCQkJCQkJCQkJCQVYnlU1dW g+wM6AAAAABbgcMSWgAAi30Ii3UMifHorgEAAIsGi04EicrB6hiIF4nKweoQiFcBiG8CiE8D icHB6RiITwSJwcHpEIhPBYhnBohHB4tGCItODInKweoYiFcIicrB6hCIVwmIbwqITwuJwcHp GIhPDInBwekQiE8NiGcOiEcPi0YQi04UicrB6hiIVxCJysHqEIhXEYhvEohPE4nBwekYiE8U icHB6RCITxWIZxaIRxeLRhiLThyJysHqGIhXGInKweoQiFcZiG8aiE8bicHB6RiITxyJwcHp EIhPHYhnHohHH4tGIItOJInKweoYiFcgicrB6hCIVyGIbyKITyOJwcHpGIhPJInBwekQiE8l iGcmiEcni0Yoi04sicrB6hiIVyiJysHqEIhXKYhvKohPK4nBwekYiE8sicHB6RCITy2IZy6I Ry+LRjCLTjSJysHqGIhXMInKweoQiFcxiG8yiE8zicHB6RiITzSJwcHpEIhPNYhnNohHN4tG OItOPInKweoYiFc4icrB6hCIVzmIbzqITzuJwcHpGIhPPInBwekQiE89iGc+iEc/iTQkx0Qk CNAAAADHRCQEAAAAAOhIn///g8QMXl9bXcNVieVTV1aD7AyJzugAAAAAW4HDQFgAAItOSMHp A4Phf41+UI1EDlCD+W93H7pwAAAAKcqJVCQIjYt8AAAAiUwkBIkEJOi3nv//6z66gAAAACnK iVQkCI2LfAAAAIlMJASJBCTomJ7//4nxifroL9///4k8JMdEJAhwAAAAx0QkBAAAAADot57/ /4tGQItORInKweoYiJbAAAAAicrB6hCIlsEAAACIrsIAAACIjsMAAACJwcHpGIiOxAAAAInB wekQiI7FAAAAiKbGAAAAiIbHAAAAi0ZIi05MicrB6hiIlsgAAACJysHqEIiWyQAAAIiuygAA AIiOywAAAInBwekYiI7MAAAAicHB6RCIjs0AAACIps4AAACIhs8AAACJ8Yn66Hre//+DxAxe X1tdw5CQVYnli0UIx0BMAAAAAMdASAAAAADHQEQAAAAAx0BAAAAAAMdABMg3PYzHAKJNVBnH QAxmmeFzx0AI1tTcicdAFK63+h3HQBCCnP8yx0AcFNWdZ8dAGM+fL1jHQCRpK20Px0AgqE3U e8dALHNv43fHQChCicQEx0A0qIWdP8dAMMg2HWrHQDyt5hIRx0A4oZLWkV3DkJCQkJCQkJCQ kJCQkFWJ5VOD7AzoAAAAAFuBw3RWAACLRQiLTQyLVRCJVCQIiUwkBIkEJOiE3P//g8QMW13D kJCQkJCQkJCQkJCQkJBVieVTV1aD7AzoAAAAAFuBwzJWAACLfQiLdQyJ8ejO/f//iwaLTgSJ ysHqGIgXicrB6hCIVwGIbwKITwOJwcHpGIhPBInBwekQiE8FiGcGiEcHi0YIi04MicrB6hiI VwiJysHqEIhXCYhvCohPC4nBwekYiE8MicHB6RCITw2IZw6IRw+LRhCLThSJysHqGIhXEInK weoQiFcRiG8SiE8TicHB6RiITxSJwcHpEIhPFYhnFohHF4k0JMdEJAjQAAAAx0QkBAAAAADo Ypz//4PEDF5fW13DkJCQkJCQkJCQkFWJ5YtFCMdATAAAAADHQEgAAAAAx0BEAAAAAMdAQAAA AADHQASUITEixwAs9yv8x0AMo19Vn8dACMJkTMjHQBRruJMjx0AQUbFTb8dAHBl3OJbHQBi9 6kBZx0Ak4j4olsdAIOP/jqjHQCwlHl6+x0AokjmGU8dANPyZASvHQDCquIUsx0A83C23DsdA OKIsxYFdw5CQkJCQkJCQkJCQkJBVieVTg+wM6AAAAABbgcO0VAAAi0UIi00Mi1UQiVQkCIlM JASJBCToxNr//4PEDFtdw5CQkJCQkJCQkJCQkJCQVYnlU1dWg+wM6AAAAABbgcNyVAAAi30I i3UMifHoDvz//4sGi04EicrB6hiIF4nKweoQiFcBiG8CiE8DicHB6RiITwSJwcHpEIhPBYhn BohHB4tGCItODInKweoYiFcIicrB6hCIVwmIbwqITwuJwcHpGIhPDInBwekQiE8NiGcOiEcP i0YQi04UicrB6hiIVxCJysHqEIhXEYhvEohPE4nBwekYiE8UicHB6RCITxWIZxaIRxeLRhiL ThyJysHqGIhXGInKweoQiFcZiG8aiE8bicHB6RiITxyJwcHpEIhPHYhnHohHH4k0JMdEJAjQ AAAAx0QkBAAAAADocJr//4PEDF5fW13DkJCQkJCQkJBVieWLRQjHQEwAAAAAx0BIAAAAAMdA RAAAAADHQEAAAAAAx0AEXZ27y8cA2J4FwcdADCopmmLHQAgH1Xw2x0AUWgFZkcdAEBfdcDDH QBzY7C8Vx0AYOVkO98dAJGcmM2fHQCAxC8D/x0Ash0q0jsdAKBEVWGjHQDQNLgzbx0Awp4/5 ZMdAPB1ItUfHQDikT/q+XcOQkJCQkJCQkJCQkJCQVYnlU4PsDOgAAAAAW4HDxFIAAItFCItN DItVEIlUJAiJTCQEiQQk6NTY//+DxAxbXcOQkJCQkJCQkJCQkJCQkFWJ5VNXVoPsDOgAAAAA W4HDglIAAIt9CIt1DInx6B76//+LBotOBInKweoYiBeJysHqEIhXAYhvAohPA4nBwekYiE8E icHB6RCITwWIZwaIRweLRgiLTgyJysHqGIhXCInKweoQiFcJiG8KiE8LicHB6RiITwyJwcHp EIhPDYhnDohHD4tGEItOFInKweoYiFcQicrB6hCIVxGIbxKITxOJwcHpGIhPFInBwekQiE8V iGcWiEcXi0YYi04cicrB6hiIVxiJysHqEIhXGYhvGohPG4nBwekYiE8cicHB6RCITx2IZx6I Rx+LRiCLTiSJysHqGIhXIInKweoQiFchiG8iiE8jicHB6RiITySJwcHpEIhPJYhnJohHJ4tG KItOLInKweoYiFcoicrB6hCIVymIbyqITyuJwcHpGIhPLInBwekQiE8tiGcuiEcviTQkx0Qk CNAAAADHRCQEAAAAAOgcmP//g8QMXl9bXcOQkJCQVYnli0UIx0AkAAAAAMdAIAAAAADHAGfm CWrHQASFrme7x0AIcvNuPMdADDr1T6XHQBB/Ug5Rx0AUjGgFm8dAGKvZgx/HQBwZzeBbXcOQ kJBVieVTV1aD7BzoAAAAAFuBw8JQAACLVRCLdQiLfiCJ+MHoA4PgP40M1QAAAAAB+Yt+JIlO IIPXAIl+JLlAAAAAKcE50Yt9DIlF7I1EBih2DYlUJAiJfCQE6X8AAACJTCQIiXwkBIkEJIlN 8OgQl///jVYoifGJVeTocwAAAItFEItN8I08D4nGKc6D/kByQotN7I1EAYCJRfCD4MCJReiD 6IApyIlF7JCQkJCQkJCQkItNCIn66DYAAACDx0CDxsCD/j9364t9DAN97It18Ct16Il0JAiJ fCQEi0XkiQQk6JyW//+DxBxeX1tdw5CQkJBVieVTV1aB7FwBAADoAAAAAFuBw89PAAAxwJCQ kJCQkA+2PILB5xgPtnSCAcHmEAn+D7Z8ggLB5wgJ9w+2dIIDCf6JtIWk/v//QIP4EHXRiU3I iUwkBI1FpIkEJMdEJAggAAAA6CeW//+LRbSJRdyLRbiJReiLRbyJRdSLRcCJReCNg/T+//+J RcyLRbCJRdCLRaSJRdiLRaiJReSLRayJRewxyYuFpP7//5CQkJCQkIlN8It13InywcIVifHB wQcx0YnyifeJfdzBwhox0QHBi1XUidAzRegh+DHQi1XMA0rEAcEDTeCLXdiJ2MHAE4nawcIK McKJ2Ild2MHAHjHCiVXgi33sifiJfeyLdeQJ8Il15CHYIfcJx4tF0AHIi3XgAc4B/onCiVXQ wcAVidHBwQcxwYnQwcAaMcGLfeiJ+DNF3CHQMfiLVfADjJWo/v//i1XMA0rIAcEDTdSJ84ld 4InYwcATwcYKMcaJ2MHAHjHGi1XkidCLfdgJ+CHYifsh2gnCi0XsAcgBzgHWiceJfezBwBWJ +cHBBzHBifjBwBoxwYtV3InQM0XQIfgx0ItV8AOMlaz+//+LVcwDSswBwQNN6In3ifjBwBOJ +sHCCjHCifjBwB4xwolV6InaidCLXeAJ2CH4idYh3gnGi0XkAciLVegBygHyidOJxol15MHA FYnxwcEHMcGJ8MHAGjHBi1XQidAzRewh8DHQi1XwA4yVsP7//4tVzANK0AHBA03cid6JdeiJ 8MHAE8HDCjHDifDBwB4xw4tV4InQiX3UCfgh8InWIf4JxotV2AHKiVXYAcsB84nQwcAVidbB xgcxxonQwcAaMcaLTeyJyDNF5CHQMciLTfADtI20/v//i03MA3HUAcYDddCJ34l93In4wcAT ifnBwQoxwYn4wcAeMcGLXdSJ2ItV6AnQIfiJ3yHXCceLReAB8AHxAfmJx4l94In+wcYVwcAH MfCJ/sHGGjHwi1XkidYzddgh/jHWi1XwA4SVuP7//4tdzAND2AHwA0XsiU3Qic/BxxOJzsHG CjH+ic/Bxx4x/otV6InXC33cIc8jVdwJ+ot91AHHiX3UAcYB1on6wcIVifjBwAcx0In6wcIa MdCLTdiJyjNV4CH6McqLffADhL28/v//A0PcAdADReSJ84nawcITidnBwQox0YnaiV3swcIe MdGJTeSLTdyJyot10AnyIdqJzyH3CdeLTegBwYtV5AHCAfqJ04nPiX3oifrBwhWJ+MHABzHQ ifrBwhox0ItN4InKM1XUIfoxyot98AOEvcD+//+LTcwDQeAB0ANF2InfiX3kifrBwhPBwwox 04n6wcIeMdOJ8YnKi3XsCfIh+onPIfcJ14tV3AHCAcMB+4nXiX3cwcIVifjBwAcx0In6wcIa MdCLTdSJyjNV6CH6McqLffADhL3E/v//i03MA0HkAdADReCJ2sHCE4newcYKMdaJ2old2MHC HjHWi1Xsi03kCcoh2ot97CHPCdeLTdABwYlN0AHGAf6J84nKwcIVicjBwAcx0InKwcIaMdCL deiJ8jNV3CHKMfKLffADhL3I/v//i03MA0HoAdADRdSJXeCJ2sHCE4nZwcEKMdGJ2sHCHjHR iU3Ui33kifqLddgJ8iHaIfcJ14tV7AHCi13UAcMB+4nWiXXswcIVifDBwAcx0InywcIaMdCL TdyJyjNV0CHyMcqLffADhL3M/v//i03MA0HsAdADReiJ2sHCE4nZwcEKMdGJ2old1MHCHjHR iU3oi03YicqLdeAJ8iHaic8h9wnXi03kAcGLXegBwwH7ic6JdeSJ8sHCFYnwwcAHMdCJ8sHC GjHQi03QicozVewh8jHKi33wA4S90P7//4tNzANB8AHQA0XcidrBwhOJ3sHGCjHWidqJXejB wh4x1ot94In6i03UCcoh2iHPicsJ14tN2AHBAcYB/onPiX3YifrBwhWJ+MHABzHQifrBwhox 0ItN7InKM1XkIfoxyot98AOEvdT+//+LfcwDR/QB0ANF0InyiVXcidHBwROJ1sHGCjHOidHB wR4xzon3idmLdegJ8SHRidoh8gnKi13gAcOJXeABxwHXidnBwRWJ2MHABzHIidnBwRoxyItV 5InRM03YIdkx0YtV8AOEldj+//+LVcwDQvgByANF7In7idnBwROJ2sHCCjHKidmJXdDBwR4x yolV7InyidGLfdwJ+SHZIfoJyot11AHGiXXUi03sAcEB0YnLifDBwBWJ8cHBBzHBifDBwBox wYtF2InCM1XgIfIxwotF8IuEhdz+//+JRcQBwYtFzANI/AHRA03kid6JdeyJ8sHCE8HDCjHT ifLBwh4x04n4icKLfdAJ+iHyicYh/gnWi33oAc8BywHzifrBwhWJ+cHBBzHRifrBwhox0YtV 4InWM3XUiX3oIf4x1otV8IuUleD+//8B0YtFzAMIAfEDTdiJ3sHGE4nYwcAKMfCJ3sHGHjHw i33Qif4LdeyJXeQh3iN97An3AU3cAcgB+IlF2It98IP/MA+EPwQAAItFxInBwcEPicbBxg3B 6AoxyDHwi4y9qP7//4nOwcYZifuJz8HvAzH3ic7Bxg4x94u0naT+//8DtJ3I/v//AcYB/onQ wcAPidfB6goxwom0neT+///Bxw0x+ouEnaz+//+Jx8HHGYnDwesDMfuJx8HHDjH7i33wA4y9 zP7//wHRAdmJ8sHCD4n3we4KMdaLVfCJjJXo/v//wccNMf6LlJWw/v//idfBxxmJ08HrAzH7 idfBxw4x+4t98AOEvdD+//8B8AHYic7Bxg+Jz8HpCjHxi3XwiYS17P7//8HHDTH5i7S1tP7/ /4n3wccZifPB6wMx+4n3wccOMfuLffADlL3U/v//AcoB2onBwcEPicfB6AoxyItN8ImUjfD+ ///Bxw0x+IuMjbj+//+Jz8HHGYnLwesDMfuJz8HHDjH7i33wA7S92P7//wHGAd6J0MHAD4nX weoKMcKLRfCJtIX0/v//wccNMfqLhIW8/v//icfBxxmJw8HrAzH7icfBxw4x+4t98AOMvdz+ //8B0QHZifLBwg+J98HuCjHWi1XwiYyV+P7//8HHDTH+i5SVwP7//4nXwccZidPB6wMx+4nX wccOMfuLffADhL3g/v//AfAB2InOwcYPic/B6Qox8Yt18ImEtfz+///Bxw0x+Yu0tcT+//+J 98HHGYnzwesDMfuJ98HHDjH7i33wA5S95P7//wHKAdqJwcHBD4nHwegKMciLTfCJlI0A//// wccNMfiLjI3I/v//ic/BxxmJy8HrAzH7ic/Bxw4x+4t98AO0vej+//8BxgHeidDBwA+J18Hq CjHCi0XwibSFBP///8HHDTH6i4SFzP7//4nHwccZicPB6wMx+4nHwccOMfuLffADjL3s/v// AdEB2YnywcIPiffB7gox1otV8ImMlQj////Bxw0x/ouUldD+//+J18HHGYnTwesDMfuJ18HH DjH7i33wA4S98P7//wHwAdiJzsHGD4nPwekKMfGLdfCJhLUM////wccNMfmLtLXU/v//iffB xxmJ88HrAzH7iffBxw4x+4t98AOUvfT+//8BygHaicHBwQ+Jx8HoCjHIi03wiZSNEP///8HH DTH4i4yN2P7//4nPwccZicvB6wMx+4nPwccOMfuLffADtL34/v//AcYB3onQwcAPidfB6gox wotF8Im0hRT////Bxw0x+ouEhdz+//+Jx8HHGYnDwesDMfuJx8HHDjH7i33wA4y9/P7//wHR AdmJ8sHCD4n3we4KMdaLVfCJjJUY////wccNMf6LlJXg/v//idfBxxmJ08HrAzH7idfBxw4x +4t98AOEvQD///8B8AHYiYS9HP///4n7icjBwA+JzsHGDcHpCjHBMfGLhJ3k/v//icbBxhmJ x8HvAzH3icbBxg4x9wOUnQT///8BygH6iZSdIP///41LEINFzECD+UAPjAH1//+LRciLTdgB CItN5AFIBItN7AFICItN0AFIDItN3AFIEItN6AFIFItN1AFIGItN4AFIHIHEXAEAAF5fW13D kJCQkFWJ5VNXVoPsEOgAAAAAW4HD4kMAAIt1DIt9CItOIMHpA4PhP41GKIlF8IP5N41EDih3 H7o4AAAAKcqJVCQIjYv8AAAAiUwkBIkEJOhQiv//60K6QAAAACnKiVQkCI2L/AAAAIlMJASJ BCToMYr//4nxi1Xw6Jfz//+LRfCJBCTHRCQIOAAAAMdEJAQAAAAA6EyK//+LRiCLTiSJysHq GIhWYInKweoQiFZhiG5iiE5jicHB6RiITmSJwcHpEIhOZYhmZohGZ4nxi1Xw6EDz//+LBonB wekYiA+JwcHpEIhPAYhnAohHA4tGBInBwekYiE8EicHB6RCITwWIZwaIRweLRgiJwcHpGIhP CInBwekQiE8JiGcKiEcLi0YMicHB6RiITwyJwcHpEIhPDYhnDohHD4tGEInBwekYiE8QicHB 6RCITxGIZxKIRxOLRhSJwcHpGIhPFInBwekQiE8ViGcWiEcXi0YYicHB6RiITxiJwcHpEIhP GYhnGohHG4tGHInBwekYiE8cicHB6RCITx2IZx6IRx+JNCTHRCQIaAAAAMdEJAQAAAAA6DKJ //+DxBBeX1tdw5CQkJCQkJCQkJBVieVTV1aD7AzoAAAAAFuBwyJCAACLRQyLVQhIiUXs6x6Q kJCQkJCQkJCQkJCQkJDHBCQKAAAA6HSG//+LVQiJ1usVkJCQkJCQkJCQkJCQkOhbhv//i1UI g30MAA+ewInxKdE7TewPnMEIwYhN85CQ6DuH//+JwYDhf4jNgMX4D7bVgP0Pd0mLjJO4//// Adn/4ccEJAoAAADoEob//zt1CHbNi30IkJCQkJCQkJCQkA++B4kEJOj1hf//Rzn+dfDrrpCQ kJCQkJCQkJCQkJCQgPl/dQs7dQh2luskkJCQkIB98wB0iiR/iAZGxwQkKgAAAOlZ////kJCQ kJCQkJCQTscEJAgAAADoo4X//8cEJCAAAADol4X//8cEJAgAAADpK////8YGAMcEJAoAAADo fIX//4PEDF5fW13DkJCQkFWJ5VdWi0UMi00Ig/gLdxmFwHRzkJCQkJCQkJCQkJCQxgEAQUh1 +eteicqD4gN0Gb4EAAAAKdYp8IPC/InPkJDGBwBHQnX5AfGJxsHuAo0UtQAAAAD33onPkJCQ kJCQkMcHAAAAAIPHBEZ19IPgA3QWAdH32JCQkJCQkJCQkJCQxgEAQUB1+V5fXcOQkJCQkFWJ 5VNXVoPsCItNDItVCDnRD4RzAQAAi10QhdsPhGgBAAA50XNQicgJ0KgDD4SkAAAAicgx0KgD idh1DInWg+YDuAQAAAAp8IP7BInfcgKJx400OonLifiQkJCQkJCQkA+2CkKIC0NIdfaLXRAp +4tNDAH562KNPBqJ3o0cMYn4CdioAw+EjQAAADH79sMDifCJ83UFg+cDifiD+wWJ33ICiceJ 3in+idiNXAH/jUwC/4l18AHykJCQkJCQkJCQkA+2AYgDS0lPdfaLdQyLffAB/onz60WJ1onf we8CdHaJXfCNFL6NBL0AAAAAiUXs99+Jy4nIkJCQkJCQkJCQkJCLDokIg8YEg8AER3XzidkD TeyLXfDrQIn6ifeJ+cHpAnRKiX3wjTSNAAAAAInQKfD33ol17I17/IPC/PfZkJCQizKJN4PH /IPC/EF18wNd7It98OsZifKD4wN0LvfbkJAPtgJCiAFBQ3X26x6J0IPnA3QXS0j335CQkJCQ kJCQkA+2CIgLS0hHdfaDxAheX1tdw5CQkJCQkJCQkJCQkJCQVYnlU1aLTRAxwIXJdCKLVQyL dQiQkJCQkJCQkJCQkJAPth46GnUHQkZJdfTrAonIXltdw5CQkJCQkJCQkJCQkFWJ5VNXVoPs cOgAAAAAWIHAcj4AAItdFIt9EIt1DIn5CdmLTQiLVRh0Kjn5ifAZ2HNCic8xwItNGIXJugAA AAAPhD4GAACJOYlxBDHAMdLpMAYAAInPi4j4////hdJ0BYk6iXIEMcCD+QEPlMCJwukQBgAA ZsdFugAAifDB6BBmiUW8Zol1vonKwekQZolNwGaJVcKJ2sHqEGaJVaBmiV2iif7B7hBmiXWk Zol9po19oIl93GaF0roEAAAAdA2NRZ6JRdS4BAAAAOsvjX2iZoXbdBCNRaCJRdSJfdy4AwAA AOsXZoX2D4SgBQAAjUWkiUXcuAIAAACJfdSNTbqJTfApwo1MRbqJTdiNcAGJRdCNREW8iUXo Mdu/BQAAAMdF7AAAAACJ0YnyDx+EAAAAAACLdfCJTbCLRdiJReCLReiJRaiLReyJRbSJ0Ihd rIDDA4PH/2aDfgIAjU4CiU3wi02wjUn/i1XgjVICiVXYi1WojVICiVXoi1W0jVICiVXsjVAB dKyJfciJdcS7BAAAAItNsCnLicp+Fw8fhAAAAAAAZsdERYoAAIPA/4P4AX/xi0XcD7cAZoXA i03Ui33Ei3XgeHGJXZhmiUXMD7fAu/D///9mZmZmZi4PH4QAAAAAAAHAg8MBPQCAAABy9InY jVgQiUXYg8APiV3keEmJ1otN0AHOD7cHxOJh98CJRex+RItF2PfYiUXojUQR/4nxiU2EifKD 4gOD+ANzMDH2ifjp6wAAAMdF5AAAAACJwotF0OlYAgAAi0XQi12YD7dVzOlJAgAAifjpKAEA AIlViItNyInIg+ADKcEx9sdFzAIAAACLVeyJTchmDx+EAAAAAACLRfAPtwRwi13oxOJj98AJ 0ItN8GaJRHH+i0XwD7cEcItN5MTicffAi03wD7dMcQLE4mP30QnCi0XwZokUcItF5MTieffB i03wD7dMcQTE4mP30QnCi0XwZolUcAKLXeTE4mH3wYtN8A+3THEGi1XoxOJr99EJwotF8GaJ VHAEjXYExOJh99GLTciDRcz4OfEPhWr///+JVewrRcyLVYiJRfCF0opNrItVtItd7HRIjUR1 uo1EAgKA4QMPttH32pCJXewPtwiLXejE4mP3yQtN7Itd8GaJC41MdwKDxgEPtziLXeTE4mH3 34t9xIPAAoPCAYlN8HXJiV3si0WEjQRHi13ki03sZokIi0XQjVD/913YjUD+iVXsg+IDg/gD i03cD7cBxOJh99iJVfBzBjHSic7rfylV7DHSic6LTeRmkA+3RgKJ34td2MTiY/fACfhmiQYP t0YCxOJx98CJReiJyA+3TgTE4mP3+Qt96GaJfgLE4nn3yYlN6A+3TgbE4mP3+Qt96GaJfgTE 4nn3yYlN6A+3TgjE4mP3+Qt96GaJfgaDwgSNdgjE4nn32YnBOVXsdY2LTfCFyXRJi0XcjURQ AvfZZmZmZi4PH4QAAAAAAIlN8A+3CIt92MTiQ/fJi33kCdlmiQ6LTdyNdFECg8IBD7cIxOJB 99mLTfCDwAKDwQF1zYtF0ItN3GaJXEH+D7cRi03Ui33Ei3Xgi12YjVxdjoldtGaJVcwPt9KJ VegPt1EEiVWsjVABiVXsjQRBiUXIMclmZmZmLg8fhAAAAAAAD7cETw+3VE8CD7d8TwSJfeBm O0XMiU3wdRa4AAABAIt97OsrZmZmLg8fhAAAAAAAweAQCdAx0vd16It97InBD69NrInTweMQ A13gOdl2DoPA/wNV6IH6AAABAHLgi03wjUkBiU3YMcmJdeCJ8on7kA+3Mot91A+3fF/+D6/4 Kf4pzmaJMsHuEPfeD7fOg8P/g8L+g/sBf9iLfcSLdfAPtxR3KcqJ8WaJFE+B+gAAAQByXoPA /4lF3DHJMdKLXaiLReyLfchmZi4PH4QAAAAAAA+3dEv+AdYPtxRPAdZmiXRL/onyweoQjXQI /4PB/4P+AX/di3Xwi33ED7cMdwHRZokMd4nxi12wi3Xgi0Xc6waLXbCLdeCLVbRmiQRKg8YC g0WoAjnZi03YD4zR/v//g30YAHRlg33kAHQ9i33QAd+4EAAAACtF5I1Nwg8fRAAAD7cRi3Xk xOJL99IPt3H+xOJ59/YJ1maJMYPH/41J/jnff91mxwEAAA+3RbzB4BAPt02+CcEPt0XAweAQ D7dVwgnCi0UYiUgEiRAPt0WQweAQD7dVkgnCD7dNlMHhEA+3RZYJyIPEcF5fW13DMdIPt3Wm Zvf2ZonDweIQi0UMD7fACdAx0vf2iUXUweIQCdEx0onI9/aJwcHiEItFCA+3+AnXMdKJ+Pf2 iUXgi0UYhcB0EjHSifj39otFGIkQx0AEAAAAAMHjEItF1A+30AnaweEQi0XgD7fA64hmDx9E AABVieVTVoPsFOgAAAAAW4HDczcAAItFCItNDItVEIt1FIl0JAyJVCQIiUwkBIkEJMdEJBAA AAAA6MT4//+DxBReW13DZmZmZi4PH4QAAAAAAFWJ5VNXVoPk+IPsKOgAAAAAW4HDHzcAAItF CItNDItVEIt1FI18JBiJfCQQiXQkDIlUJAiJTCQEiQQk6HD4//+LRCQYi1QkHI1l9F5fW13D VYnlU1dWg+wc6AAAAABYgcDSNgAAiUXsi3UMifLB+h+LXQgB02YPOPbyMdaLfRSJffDB/x+L TRAB+YtFFGYPOPbHMdMx+DH5iUwkCIkcJIlEJAyJdCQEx0QkEAAAAACLXezo+ff//zH2icH3 2RnWi33wM30MD0jWD0nIiciDxBxeX1tdw2ZmLg8fhAAAAAAAVYnlU1dWg+T4g+wo6AAAAABY gcA/NgAAiUQkFIt1DInwwfgfi10IAcNmDzj28DHGi00Uic/B/x+LVRAB+mYPOPbPMcMx+TH6 jUQkGIlEJBCJVCQIiRwkiUwkDIl0JASLXCQU6Gj3//+LTCQYi3QkHDHSicj32Bnyg30MAA9J wQ9J1o1l9F5fW13DAAAAAAAAbWFsbG9jIGZhaWx1cmUKACVzOiBpbnZhbGlkIHBhcnRpdGlv biBpbmRleAoAZ3B0Ym9vdAAlczogc3BlY2lmaWVkIHBhcnRpdGlvbiBpcyBub3QgVUZTCgBw cmltYXJ5AGJhY2t1cAAlczogdW5hYmxlIHRvIGxvY2F0ZSBiYWNrdXAgR1BUIGhlYWRlcgoA JXM6IHVzaW5nIGJhY2t1cCBHUFQKAENhbGN1bGF0aW5nIEdFTEkgRGVjcnlwdGlvbiBLZXkg ZGlzayVkcCVkIEAgJWQgaXRlcmF0aW9ucy4uLgoAQmFkIEdFTEkga2V5OiAlZAoARmFpbGVk IHRvIGRlY3J5cHQgR0VMSSBtYXN0ZXIga2V5OiAlZAoAEABGYWlsZWQgdG8gZGVjcnlwdCBp biBnZWxpX3JlYWQoKSEAR0VMSSBwcm92aWRlciBub3QgZm91bmQKAEdFTEkgUGFzc3BocmFz ZSBmb3IgZGlzayVkJWMlZDogAC9ib290L2NvbmZpZwAvYm9vdC5jb25maWcAJXM6ICVzAC9i b290L2xvYWRlcgAvYm9vdC9rZXJuZWwva2VybmVsAApGcmVlQlNEL3g4NiBib290CkRlZmF1 bHQ6ICV1OiVzKCV1cCV1KSVzCmJvb3Q6IAAlczogdW5hYmxlIHRvIHVwZGF0ZSAlcyBHUFQg cGFydGl0aW9uIHRhYmxlCgAlczogdW5hYmxlIHRvIHVwZGF0ZSAlcyBHUFQgaGVhZGVyCgAl czogdW5hYmxlIHRvIHJlYWQgJXMgR1BUIGhlYWRlcgoARUZJIFBBUlQAJXM6IGludmFsaWQg JXMgR1BUIGhlYWRlcgoAJXM6ICVzIEdQVCBoZWFkZXIgY2hlY2tzdW0gbWlzbWF0Y2gKACVz OiB1bmFibGUgdG8gcmVhZCAlcyBHUFQgcGFydGl0aW9uIHRhYmxlCgAlczogJXMgR1BUIHRh YmxlIGNoZWNrc3VtIG1pc21hdGNoCgBHRU9NOjpFTEkAJXM6IHVuYWJsZSB0byBsb2FkIEdQ VAoAJXM6IG5vIFVGUyBwYXJ0aXRpb24gd2FzIGZvdW5kCgAlczogdW5hYmxlIHRvIGRlY3J5 cHQgR0VMSSBrZXkKACVzOiBub3QgYSBkaXJlY3RvcnkuCgAlcyAAYWQAZGEAZmQAJXM6IE5v ICVzIG9uICV1OiVzKCV1cCV1KQoASW52YWxpZCAlcwoAZm9ybWF0AHllcwBubwBLZXlib2Fy ZDogJXMKAAAAAAAAAAAAAAAAAAAAALZ8blHPbtYRj/gAAi0JcSs1wAAAOMAAADvAAAAAAAEA ACAAAAAAAAAAAAQA/////x4EAkRoYUNjZGdtbnBxcnN2HQwADQoGDxAcFBUFAQsAEAAAABQA AAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAADAAAABAAAAA AAAAAJYwB3csYQ7uulEJmRnEbQeP9GpwNaVj6aOVZJ4yiNsOpLjceR7p1eCI2dKXK0y2Cb18 sX4HLbjnkR2/kGQQtx3yILBqSHG5895BvoR91Noa6+TdbVG11PTHhdODVphsE8Coa2R6+WL9 7Mllik9cARTZbAZjYz0P+vUNCI3IIG47XhBpTORBYNVycWei0eQDPEfUBEv9hQ3Sa7UKpfqo tTVsmLJC1sm720D5vKzjbNgydVzfRc8N1txZPdGrrDDZJjoA3lGAUdfIFmHQv7X0tCEjxLNW mZW6zw+lvbieuAIoCIgFX7LZDMYk6Quxh3xvLxFMaFirHWHBPS1mtpBB3HYGcdsBvCDSmCoQ 1e+JhbFxH7W2BqXkv58z1LjooskHeDT5AA+OqAmWGJgO4bsNan8tPW0Il2xkkQFcY+b0UWtr YmFsHNgwZYVOAGLy7ZUGbHulARvB9AiCV8QP9cbZsGVQ6bcS6ri+i3yIufzfHd1iSS3aFfN8 04xlTNT7WGGyTc5RtTp0ALyj4jC71EGl30rXldg9bcTRpPv01tNq6WlD/NluNEaIZ63QuGDa cy0EROUdAzNfTAqqyXwN3TxxBVCqQQInEBALvoYgDMkltWhXs4VvIAnUZrmf5GHODvneXpjJ 2SkimNCwtKjXxxc9s1mBDbQuO1y9t61susAgg7jttrO/mgzitgOa0rF0OUfV6q930p0VJtsE gxbccxILY+OEO2SUPmptDahaanoLzw7knf8JkyeuAAqxngd9RJMP8NKjCIdo8gEe/sIGaV1X YvfLZ2WAcTZsGecGa252G9T+4CvTiVp62hDMSt1nb9+5+fnvvo5DvrcX1Y6wYOij1tZ+k9Gh xMLYOFLy30/xZ7vRZ1e8pt0GtT9LNrJI2isN2EwbCq/2SgM2YHoEQcPvYN9V32eo745uMXm+ aUaMs2HLGoNmvKDSbyU24mhSlXcMzANHC7u5FgIiLyYFVb47usUoC72yklq0KwRqs1yn/9fC Mc/QtYue2Swdrt5bsMJkmybyY+yco2p1CpNtAqkGCZw/Ng7rhWcHchNXAAWCSr+VFHq44q4r sXs4G7YMm47Skg2+1eW379x8Id/bC9TS04ZC4tTx+LPdaG6D2h/NFr6BWya59uF3sG93R7cY 5loIiHBqD//KOwZmXAsBEf+eZY9prmL40/9rYUXPbBZ44gqg7tIN11SDBE7CswM5YSZnp/cW YNBNR2lJ23duPkpq0a7cWtbZZgvfQPA72DdTrrypxZ673n/Pskfp/7UwHPK9vYrCusowk7NT pqO0JAU20LqTBtfNKVfeVL9n2SMuemazuEphxAIbaF2UK28qN74LtKGODMMb3wVaje8CLWVy cm9yICV1CgAlYwgAJXM6IGVycm9yICV1IGxiYSAldQoACCAIAABZPAAAbjsAAG47AABuOwAA bjsAAG47AABuOwAAbjsAAG47AABuOwAAbjsAAG47AABuOwAAbjsAAG47AABuOwAAWzsAAMU7 AABuOwAAbjsAAG47AABuOwAAbjsAAG47AABuOwAAsDsAAG47AABuOwAAbjsAAG47AABuOwAA bjsAAJs8AABuOwAAxTsAAG47AABuOwAAxTsAADAxMjM0NTY3ODlhYmNkZWYAQUVTLVhUUwBl a2V5AAAAAQBGYWlsZWQgdG8gc2V0dXAgZGVjcnlwdGlvbiBrZXlzOiAlZAoARmFpbGVkIHRv IHNldHVwIElWOiAlZAoARmFpbGVkIHRvIGRlY3J5cHQgdGhlIGVudGlyZSBpbnB1dDogJXUg IT0gJXUKAFVuc3VwcG9ydGVkIGNyeXB0byBhbGdvcml0aG0gIyVkCgAAY2NjY3x8fHx3d3d3 e3t7e/Ly8vJra2trb29vb8XFxcUwMDAwAQEBAWdnZ2crKysr/v7+/tfX19erq6urdnZ2dsrK ysqCgoKCycnJyX19fX36+vr6WVlZWUdHR0fw8PDwra2trdTU1NSioqKir6+vr5ycnJykpKSk cnJycsDAwMC3t7e3/f39/ZOTk5MmJiYmNjY2Nj8/Pz/39/f3zMzMzDQ0NDSlpaWl5eXl5fHx 8fFxcXFx2NjY2DExMTEVFRUVBAQEBMfHx8cjIyMjw8PDwxgYGBiWlpaWBQUFBZqampoHBwcH EhISEoCAgIDi4uLi6+vr6ycnJyeysrKydXV1dQkJCQmDg4ODLCwsLBoaGhobGxsbbm5ublpa WlqgoKCgUlJSUjs7OzvW1tbWs7OzsykpKSnj4+PjLy8vL4SEhIRTU1NT0dHR0QAAAADt7e3t ICAgIPz8/PyxsbGxW1tbW2pqamrLy8vLvr6+vjk5OTlKSkpKTExMTFhYWFjPz8/P0NDQ0O/v 7++qqqqq+/v7+0NDQ0NNTU1NMzMzM4WFhYVFRUVF+fn5+QICAgJ/f39/UFBQUDw8PDyfn5+f qKioqFFRUVGjo6OjQEBAQI+Pj4+SkpKSnZ2dnTg4ODj19fX1vLy8vLa2trba2traISEhIRAQ EBD/////8/Pz89LS0tLNzc3NDAwMDBMTExPs7OzsX19fX5eXl5dEREREFxcXF8TExMSnp6en fn5+fj09PT1kZGRkXV1dXRkZGRlzc3NzYGBgYIGBgYFPT09P3Nzc3CIiIiIqKioqkJCQkIiI iIhGRkZG7u7u7ri4uLgUFBQU3t7e3l5eXl4LCwsL29vb2+Dg4OAyMjIyOjo6OgoKCgpJSUlJ BgYGBiQkJCRcXFxcwsLCwtPT09OsrKysYmJiYpGRkZGVlZWV5OTk5Hl5eXnn5+fnyMjIyDc3 NzdtbW1tjY2NjdXV1dVOTk5OqampqWxsbGxWVlZW9PT09Orq6uplZWVlenp6eq6urq4ICAgI urq6unh4eHglJSUlLi4uLhwcHBympqamtLS0tMbGxsbo6Ojo3d3d3XR0dHQfHx8fS0tLS729 vb2Li4uLioqKinBwcHA+Pj4+tbW1tWZmZmZISEhIAwMDA/b29vYODg4OYWFhYTU1NTVXV1dX ubm5uYaGhobBwcHBHR0dHZ6enp7h4eHh+Pj4+JiYmJgRERERaWlpadnZ2dmOjo6OlJSUlJub m5seHh4eh4eHh+np6enOzs7OVVVVVSgoKCjf39/fjIyMjKGhoaGJiYmJDQ0NDb+/v7/m5ubm QkJCQmhoaGhBQUFBmZmZmS0tLS0PDw8PsLCwsFRUVFS7u7u7FhYWFgAAAAEAAAACAAAABAAA AAgAAAAQAAAAIAAAAEAAAACAAAAAGwAAADZQp/RRU2VBfsOkFxqWXic6y2urO/FFnR+rWPqs kwPjS1X6MCD2bXatkXbMiCVMAvX81+VP18sqxYBENSaPo2K1SVqx3mcbuiWYDupF4cD+XQJ1 L8MS8EyBo5dGjcb502vnX48DlZySFet6bb/aWVKVLYO+1NMhdFgpaeBJRMjJjmqJwnV4eY70 az5Ymd1xuSe2T+G+F62I8GasIMm0Os59GErfY4IxGuVgM1GXRX9TYuB3ZLGErmu7HKCB/pQr CPlYaEhwGf1Fj4ds3pS3+HtSI9Nzq+ICS3JXjx/jKqtVZgco67IDwrUvmnvFhqUIN9Pyhygw sqW/I7pqAwJcghbtKxzPipK0eafw8gfzoeJpTs302mXVvgUGH2I00Yr+psSdUy40oFXzojLh igV16/akOeyDC6rvYEAGn3FeURBuvfmKIT49Bt2WrgU+3Ua95k21jVSRBV3EcW/UBgT/FVBg JPuYGZfpvdbMQ0CJd57ZZ71C6LCIi4kHOFsZ59vuyHlHCnyh6Q9CfMkehPgAAAAAg4aACUjt KzKscBEeTnJabPv/Dv1WOIUPHtWuPSc5LTZk2Q8KIaZcaNFUW5s6LjYksWcKDA/nV5PSlu60 npGbG0/FwICiINxhaUt3WhYaEhwKupPi5SqgwEPgIjwdFxsSCw0JDq3Hi/K5qLYtyKkeFIUZ 8VdMB3Wvu92Z7v1gf6OfJgH3vPVyXMU7ZkQ0fvtbdilDi9zGI8to/O22Y/HkuMrcMdcQhWNC QCKXEyARxoR9JEqF+D270hEy+a5toSnHSy+eHfMwstzsUoYN0OPBd2wWsyuZuXCp+kiUESJk 6UfEjPyoGj/woNgsfVbvkDMix05Jh8HRONn+osqMNgvUmM+B9aYo3nqlJo632qS/rT/knTos DZJ4UJvMX2piRn5UwhON9ui42JBe9zku9a/Dgr6AXZ98k9BpqS3Vb7MSJc87mazIp30YEG5j nOh7uzvbCXgmzfQYWW4Bt5rsqJpPg2VuleZ+5v+qCM+8IeboFe/Zm+e6zjZvStQJn+rWfLAp r7KkMTEjPyowlKXGwGaiNTe8TnSmyoL8sNCQ4BXYpzNKmATx99rsQQ5QzX8v9pEXjdZNdk2w 70NUTarM3wSW5OO10Z4biGpMuB8swX9RZUYE6l6dXTWMAXN0h/ouQQv7Wh1ns1LS25IzVhDp E0fWbYxh15p6DKE3jhT4WYk8E+vuJ6nONclht+3lHOE8sUd6Wd/SnD9z8lV5zhQYvzfHc+rN 91Nbqv1fFG8934bbRHiB86/KPsRouSw0JDhfQKPCcsMdFgwl4ryLSTwoQZUN/3EBqDneswwI nOS02JDBVmRhhMt7cLYy1XRcbEhCV7jQp/RRUGVBflOkFxrDXic6lmurO8tFnR/xWPqsqwPj S5P6MCBVbXat9nbMiJFMAvUl1+VP/MsqxddENSaAo2K1j1qx3kkbuiVnDupFmMD+XeF1L8MC 8EyBEpdGjaP502vGX48D55ySFZV6bb/rWVKV2oO+1C0hdFjTaeBJKcjJjkSJwnVqeY70eD5Y mWtxuSfdT+G+tq2I8BesIMlmOs59tErfYxgxGuWCM1GXYH9TYkV3ZLHgrmu7hKCB/hwrCPmU aEhwWP1Fjxls3pSH+HtSt9NzqyMCS3Lijx/jV6tVZioo67IHwrUvA3vFhpoIN9Olhygw8qW/ I7JqAwK6ghbtXBzPiiu0eaeS8gfz8OJpTqH02mXNvgUG1WI00R/+psSKUy40nVXzoqDhigUy 6/akdeyDCznvYECqn3FeBhBuvVGKIT75Bt2WPQU+3a695k1GjVSRtV3EcQXUBgRvFVBg//uY GSTpvdaXQ0CJzJ7ZZ3dC6LC9i4kHiFsZ5zjuyHnbCnyhRw9CfOkehPjJAAAAAIaACYPtKzJI cBEerHJabE7/Dv37OIUPVtWuPR45LTYn2Q8KZKZcaCFUW5vRLjYkOmcKDLHnV5MPlu600pGb G57FwIBPINxhokt3WmkaEhwWupPiCiqgwOXgIjxDFxsSHQ0JDgvHi/KtqLYtuakeFMgZ8VeF B3WvTN2Z7rtgf6P9JgH3n/VyXLw7ZkTFfvtbNClDi3bGI8vc/O22aPHkuGPcMdfKhWNCECKX E0ARxoQgJEqFfT270vgy+a4RoSnHbS+eHUswstzzUoYN7OPBd9AWsytsuXCpmUiUEfpk6Uci jPyoxD/woBosfVbYkDMi705Jh8fRONnBosqM/gvUmDaB9abP3nqlKI632ia/rT+knTos5JJ4 UA3MX2qbRn5UYhON9sK42JDo9zkuXq/DgvWAXZ++k9BpfC3Vb6kSJc+zmazIO30YEKdjnOhu uzvbe3gmzQkYWW70t5rsAZpPg6huleZl5v+qfs+8IQjoFe/mm+e62TZvSs4Jn+rUfLAp1rKk Ma8jPyoxlKXGMGaiNcC8TnQ3yoL8ptCQ4LDYpzMVmATxStrsQfdQzX8O9pEXL9ZNdo2w70NN TarMVASW5N+10Z7jiGpMGx8swbhRZUZ/6l6dBDWMAV10h/pzQQv7Lh1ns1rS25JSVhDpM0fW bRNh15qMDKE3ehT4WY48E+uJJ6nO7slhtzXlHOHtsUd6PN/SnFlz8lU/zhQYeTfHc7/N91Pq qv1fW2893xTbRHiG86/KgcRouT40JDgsQKPCX8MdFnIl4rwMSTwoi5UN/0EBqDlxswwI3uS0 2JzBVmSQhMt7YbYy1XBcbEh0V7jQQvRRUKdBflNlFxrDpCc6ll6rO8trnR/xRfqsq1jjS5MD MCBV+nat9m3MiJF2AvUlTOVP/NcqxdfLNSaARGK1j6Ox3klauiVnG+pFmA7+XeHAL8MCdUyB EvBGjaOX02vG+Y8D51+SFZWcbb/relKV2lm+1C2DdFjTIeBJKWnJjkTIwnVqiY70eHlYmWs+ uSfdceG+tk+I8BetIMlmrM59tDrfYxhKGuWCMVGXYDNTYkV/ZLHgd2u7hK6B/hygCPmUK0hw WGhFjxn93pSHbHtSt/hzqyPTS3LiAh/jV49VZiqr67IHKLUvA8LFhpp7N9OlCCgw8oe/I7Kl AwK6ahbtXILPiisceaeStAfz8PJpTqHi2mXN9AUG1b400R9ipsSK/i40nVPzoqBVigUy4fak deuDCznsYECq73FeBp9uvVEQIT75it2WPQY+3a4F5k1GvVSRtY3EcQVdBgRv1FBg/xWYGST7 vdaX6UCJzEPZZ3ee6LC9QokHiIsZ5zhbyHnb7nyhRwpCfOkPhPjJHgAAAACACYOGKzJI7REe rHBabE5yDv37/4UPVjiuPR7VLTYnOQ8KZNlcaCGmW5vRVDYkOi4KDLFnV5MP5+600pabG56R wIBPxdxhoiB3WmlLEhwWGpPiCrqgwOUqIjxD4BsSHRcJDgsNi/Ktx7YtuageFMip8VeFGXWv TAeZ7rvdf6P9YAH3nyZyXLz1ZkTFO/tbNH5Di3YpI8vcxu22aPzkuGPxMdfK3GNCEIWXE0Ai xoQgEUqFfSS70vg9+a4RMinHbaGeHUsvstzzMIYN7FLBd9DjsytsFnCpmbmUEfpI6UciZPyo xIzwoBo/fVbYLDMi75BJh8dOONnB0cqM/qLUmDYL9abPgXqlKN632iaOrT+kvzos5J14UA2S X2qbzH5UYkaN9sIT2JDouDkuXvfDgvWvXZ++gNBpfJPVb6ktJc+zEqzIO5kYEKd9nOhuYzvb e7smzQl4WW70GJrsAbdPg6ialeZlbv+qfua8IQjPFe/m6Oe62ZtvSs42n+rUCbAp1nykMa+y PyoxI6XGMJSiNcBmTnQ3vIL8psqQ4LDQpzMV2ATxSpjsQffazX8OUJEXL/ZNdo3W70NNsKrM VE2W5N8E0Z7jtWpMG4gswbgfZUZ/UV6dBOqMAV01h/pzdAv7LkFns1od25JS0hDpM1bWbRNH 15qMYaE3egz4WY4UE+uJPKnO7idhtzXJHOHt5Ud6PLHSnFnf8lU/cxQYec7Hc78391Pqzf1f W6o93xRvRHiG26/KgfNouT7EJDgsNKPCX0AdFnLD4rwMJTwoi0kN/0GVqDlxAQwI3rO02Jzk VmSQwct7YYQy1XC2bEh0XLjQQldRUKf0flNlQRrDpBc6ll4nO8trqx/xRZ2sq1j6S5MD4yBV +jCt9m12iJF2zPUlTAJP/NflxdfLKiaARDW1j6Ni3klasSVnG7pFmA7qXeHA/sMCdS+BEvBM jaOXRmvG+dMD51+PFZWckr/rem2V2llS1C2DvljTIXRJKWngjkTIyXVqicL0eHmOmWs+WCfd cbm+tk/h8BetiMlmrCB9tDrOYxhK3+WCMRqXYDNRYkV/U7Hgd2S7hK5r/hyggfmUKwhwWGhI jxn9RZSHbN5St/h7qyPTc3LiAkvjV48fZiqrVbIHKOsvA8K1hpp7xdOlCDcw8ocoI7KlvwK6 agPtXIIWiiscz6eStHnz8PIHTqHiaWXN9NoG1b4F0R9iNMSK/qY0nVMuoqBV8wUy4Yqkdev2 Cznsg0Cq72BeBp9xvVEQbj75iiGWPQbd3a4FPk1GveaRtY1UcQVdxARv1AZg/xVQGST7mNaX 6b2JzENAZ3ee2bC9QugHiIuJ5zhbGXnb7sihRwp8fOkPQvjJHoQAAAAACYOGgDJI7SserHAR bE5yWv37/w4PVjiFPR7VrjYnOS0KZNkPaCGmXJvRVFskOi42DLFnCpMP51e00pbuG56Rm4BP xcBhoiDcWmlLdxwWGhLiCrqTwOUqoDxD4CISHRcbDgsNCfKtx4stuai2FMipHleFGfGvTAd1 7rvdmaP9YH/3nyYBXLz1ckTFO2ZbNH77i3YpQ8vcxiO2aPztuGPx5NfK3DFCEIVjE0Ail4Qg EcaFfSRK0vg9u64RMvnHbaEpHUsvntzzMLIN7FKGd9DjwStsFrOpmblwEfpIlEciZOmoxIz8 oBo/8FbYLH0i75Azh8dOSdnB0TiM/qLKmDYL1KbPgfWlKN562iaOtz+kv60s5J06UA2SeGqb zF9UYkZ+9sITjZDouNguXvc5gvWvw5++gF1pfJPQb6kt1c+zEiXIO5msEKd9GOhuY5zbe7s7 zQl4Jm70GFnsAbeag6iaT+ZlbpWqfub/IQjPvO/m6BW62ZvnSs42b+rUCZ8p1nywMa+ypCox Iz/GMJSlNcBmonQ3vE78psqC4LDQkDMV2KfxSpgEQffa7H8OUM0XL/aRdo3WTUNNsO/MVE2q 5N8Elp7jtdFMG4hqwbgfLEZ/UWWdBOpeAV01jPpzdIf7LkELs1odZ5JS0tvpM1YQbRNH1pqM Ydc3egyhWY4U+OuJPBPO7ieptzXJYeHt5Rx6PLFHnFnf0lU/c/IYec4Uc783x1PqzfdfW6r9 3xRvPXiG20TKgfOvuT7EaDgsNCTCX0CjFnLDHbwMJeIoi0k8/0GVDTlxAagI3rMM2JzktGSQ wVZ7YYTL1XC2Mkh0XGzQQle4pWNjxoR8fPiZd3fujXt79g3y8v+9a2vWsW9v3lTFxZFQMDBg AwEBAqlnZ859KytWGf7+52LX17Xmq6tNmnZ27EXKyo+dgoIfQMnJiYd9ffoV+vrv61lZsslH R44L8PD77K2tQWfU1LP9oqJf6q+vRb+cnCP3pKRTlnJy5FvAwJvCt7d1HP394a6Tkz1qJiZM WjY2bEE/P34C9/f1T8zMg1w0NGj0paVRNOXl0Qjx8fmTcXHic9jYq1MxMWI/FRUqDAQECFLH x5VlIyNGXsPDnSgYGDChlpY3DwUFCrWami8JBwcONhISJJuAgBs94uLfJuvrzWknJ07NsrJ/ n3V16hsJCRKeg4MddCwsWC4aGjQtGxs2sm5u3O5aWrT7oKBb9lJSpE07O3Zh1ta3zrOzfXsp KVI+4+PdcS8vXpeEhBP1U1OmaNHRuQAAAAAs7e3BYCAgQB/8/OPIsbF57Vtbtr5qatRGy8uN 2b6+Z0s5OXLeSkqU1ExMmOhYWLBKz8+Fa9DQuyrv78XlqqpPFvv77cVDQ4bXTU2aVTMzZpSF hRHPRUWKEPn56QYCAgSBf3/+8FBQoEQ8PHi6n58l46ioS/NRUaL+o6NdwEBAgIqPjwWtkpI/ vJ2dIUg4OHAE9fXx37y8Y8G2tnd12tqvYyEhQjAQECAa///lDvPz/W3S0r9Mzc2BFAwMGDUT EyYv7OzD4V9fvqKXlzXMRESIORcXLlfExJPyp6dVgn5+/Ec9PXqsZGTI511duisZGTKVc3Pm oGBgwJiBgRnRT0+ef9zco2YiIkR+KipUq5CQO4OIiAvKRkaMKe7ux9O4uGs8FBQoed7ep+Je XrwdCwsWdtvbrTvg4NtWMjJkTjo6dB4KChTbSUmSCgYGDGwkJEjkXFy4XcLCn27T073vrKxD pmJixKiRkTmklZUxN+Tk04t5efIy5+fVQ8jIi1k3N263bW3ajI2NAWTV1bHSTk6c4KmpSbRs bNj6VlasB/T08yXq6s+vZWXKjnp69OmurkcYCAgQ1bq6b4h4ePBvJSVKci4uXCQcHDjxpqZX x7S0c1HGxpcj6OjLfN3doZx0dOghHx8+3UtLlty9vWGGi4sNhYqKD5BwcOBCPj58xLW1capm ZszYSEiQBQMDBgH29vcSDg4co2Fhwl81NWr5V1eu0Lm5aZGGhhdYwcGZJx0dOrmenic44eHZ E/j467OYmCszEREiu2lp0nDZ2amJjo4Hp5SUM7abmy0iHh48koeHFSDp6clJzs6H/1VVqngo KFB639+lj4yMA/ihoVmAiYkJFw0NGtq/v2Ux5ubXxkJChLhoaNDDQUGCsJmZKXctLVoRDw8e y7Cwe/xUVKjWu7ttOhYWLGNjxqV8fPiEd3fumXt79o3y8v8Na2vWvW9v3rHFxZFUMDBgUAEB AgNnZ86pKytWff7+5xnX17Viq6tN5nZ27JrKyo9FgoIfncnJiUB9ffqH+vrvFVlZsutHR47J 8PD7C62tQezU1LNnoqJf/a+vReqcnCO/pKRT93Jy5JbAwJtbt7d1wv394RyTkz2uJiZMajY2 bFo/P35B9/f1AszMg080NGhcpaVR9OXl0TTx8fkIcXHik9jYq3MxMWJTFRUqPwQECAzHx5VS IyNGZcPDnV4YGDAolpY3oQUFCg+ami+1BwcOCRISJDaAgBub4uLfPevrzSYnJ05psrJ/zXV1 6p8JCRIbg4MdniwsWHQaGjQuGxs2LW5u3LJaWrTuoKBb+1JSpPY7O3ZN1ta3YbOzfc4pKVJ7 4+PdPi8vXnGEhBOXU1Om9dHRuWgAAAAA7e3BLCAgQGD8/OMfsbF5yFtbtu1qatS+y8uNRr6+ Z9k5OXJLSkqU3kxMmNRYWLDoz8+FStDQu2vv78UqqqpP5fv77RZDQ4bFTU2a1zMzZlWFhRGU RUWKz/n56RACAgQGf3/+gVBQoPA8PHhEn58luqioS+NRUaLzo6Nd/kBAgMCPjwWKkpI/rZ2d Ibw4OHBI9fXxBLy8Y9+2tnfB2tqvdSEhQmMQECAw///lGvPz/Q7S0r9tzc2BTAwMGBQTEyY1 7OzDL19fvuGXlzWiRESIzBcXLjnExJNXp6dV8n5+/II9PXpHZGTIrF1duucZGTIrc3PmlWBg wKCBgRmYT0+e0dzco38iIkRmKipUfpCQO6uIiAuDRkaMyu7uxym4uGvTFBQoPN7ep3leXrzi CwsWHdvbrXbg4Ns7MjJkVjo6dE4KChQeSUmS2wYGDAokJEhsXFy45MLCn13T071urKxD72Ji xKaRkTmolZUxpOTk0zd5efKL5+fVMsjIi0M3N25ZbW3at42NAYzV1bFkTk6c0qmpSeBsbNi0 Vlas+vT08wfq6s8lZWXKr3p69I6urkfpCAgQGLq6b9V4ePCIJSVKby4uXHIcHDgkpqZX8bS0 c8fGxpdR6OjLI93doXx0dOicHx8+IUtLlt29vWHci4sNhoqKD4VwcOCQPj58QrW1ccRmZsyq SEiQ2AMDBgX29vcBDg4cEmFhwqM1NWpfV1eu+bm5adCGhheRwcGZWB0dOieenie54eHZOPj4 6xOYmCuzEREiM2lp0rvZ2alwjo4HiZSUM6ebmy22Hh48IoeHFZLp6ckgzs6HSVVVqv8oKFB4 39+leoyMA4+hoVn4iYkJgA0NGhe/v2Xa5ubXMUJChMZoaNC4QUGCw5mZKbAtLVp3Dw8eEbCw e8tUVKj8u7tt1hYWLDpjxqVjfPiEfHfumXd79o178v8N8mvWvWtv3rFvxZFUxTBgUDABAgMB Z86pZytWfSv+5xn+17Vi16tN5qt27Jp2yo9FyoIfnYLJiUDJffqHffrvFfpZsutZR47JR/D7 C/CtQeyt1LNn1KJf/aKvReqvnCO/nKRT96Ry5JZywJtbwLd1wrf94Rz9kz2ukyZMaiY2bFo2 P35BP/f1AvfMg0/MNGhcNKVR9KXl0TTl8fkI8XHik3HYq3PYMWJTMRUqPxUECAwEx5VSxyNG ZSPDnV7DGDAoGJY3oZYFCg8Fmi+1mgcOCQcSJDYSgBubgOLfPeLrzSbrJ05pJ7J/zbJ16p91 CRIbCYMdnoMsWHQsGjQuGhs2LRtu3LJuWrTuWqBb+6BSpPZSO3ZNO9a3Ydazfc6zKVJ7KePd PuMvXnEvhBOXhFOm9VPRuWjRAAAAAO3BLO0gQGAg/OMf/LF5yLFbtu1batS+asuNRsu+Z9m+ OXJLOUqU3kpMmNRMWLDoWM+FSs/Qu2vQ78Uq76pP5ar77Rb7Q4bFQ02a100zZlUzhRGUhUWK z0X56RD5AgQGAn/+gX9QoPBQPHhEPJ8lup+oS+OoUaLzUaNd/qNAgMBAjwWKj5I/rZKdIbyd OHBIOPXxBPW8Y9+8tnfBttqvddohQmMhECAwEP/lGv/z/Q7z0r9t0s2BTM0MGBQMEyY1E+zD L+xfvuFflzWil0SIzEQXLjkXxJNXxKdV8qd+/IJ+PXpHPWTIrGRduuddGTIrGXPmlXNgwKBg gRmYgU+e0U/co3/cIkRmIipUfiqQO6uQiAuDiEaMykbuxynuuGvTuBQoPBTep3neXrziXgsW HQvbrXbb4Ns74DJkVjI6dE46ChQeCkmS20kGDAoGJEhsJFy45FzCn13C071u06xD76xixKZi kTmokZUxpJXk0zfkefKLeefVMufIi0PIN25ZN23at22NAYyN1bFk1U6c0k6pSeCpbNi0bFas +lb08wf06s8l6mXKr2V69I56rkfprggQGAi6b9W6ePCIeCVKbyUuXHIuHDgkHKZX8aa0c8e0 xpdRxujLI+jdoXzddOicdB8+IR9Llt1LvWHcvYsNhouKD4WKcOCQcD58Qj61ccS1ZsyqZkiQ 2EgDBgUD9vcB9g4cEg5hwqNhNWpfNVeu+Ve5adC5hheRhsGZWMEdOicdnie5nuHZOOH46xP4 mCuzmBEiMxFp0rtp2alw2Y4HiY6UM6eUmy22mx48Ih6HFZKH6ckg6c6HSc5Vqv9VKFB4KN+l et+MA4+MoVn4oYkJgIkNGhcNv2Xav+bXMeZChMZCaNC4aEGCw0GZKbCZLVp3LQ8eEQ+we8uw VKj8VLtt1rsWLDoWxqVjY/iEfHzumXd39o17e/8N8vLWvWtr3rFvb5FUxcVgUDAwAgMBAc6p Z2dWfSsr5xn+/rVi19dN5qur7Jp2do9FysofnYKCiUDJyfqHfX3vFfr6sutZWY7JR0f7C/Dw QeytrbNn1NRf/aKiReqvryO/nJxT96Sk5JZycptbwMB1wre34Rz9/T2uk5NMaiYmbFo2Nn5B Pz/1Avf3g0/MzGhcNDRR9KWl0TTl5fkI8fHik3Fxq3PY2GJTMTEqPxUVCAwEBJVSx8dGZSMj nV7DwzAoGBg3oZaWCg8FBS+1mpoOCQcHJDYSEhubgIDfPeLizSbr605pJyd/zbKy6p91dRIb CQkdnoODWHQsLDQuGho2LRsb3LJubrTuWlpb+6CgpPZSUnZNOzu3YdbWfc6zs1J7KSndPuPj XnEvLxOXhISm9VNTuWjR0QAAAADBLO3tQGAgIOMf/Px5yLGxtu1bW9S+amqNRsvLZ9m+vnJL OTmU3kpKmNRMTLDoWFiFSs/Pu2vQ0MUq7+9P5aqq7Rb7+4bFQ0Oa101NZlUzMxGUhYWKz0VF 6RD5+QQGAgL+gX9/oPBQUHhEPDwlup+fS+OoqKLzUVFd/qOjgMBAQAWKj48/rZKSIbydnXBI ODjxBPX1Y9+8vHfBtravddraQmMhISAwEBDlGv///Q7z879t0tKBTM3NGBQMDCY1ExPDL+zs vuFfXzWil5eIzERELjkXF5NXxMRV8qen/IJ+fnpHPT3IrGRkuuddXTIrGRnmlXNzwKBgYBmY gYGe0U9Po3/c3ERmIiJUfioqO6uQkAuDiIiMykZGxynu7mvTuLgoPBQUp3ne3rziXl4WHQsL rXbb29s74OBkVjIydE46OhQeCgqS20lJDAoGBkhsJCS45Fxcn13Cwr1u09ND76ysxKZiYjmo kZExpJWV0zfk5PKLeXnVMufni0PIyG5ZNzfat21tAYyNjbFk1dWc0k5OSeCpqdi0bGys+lZW 8wf09M8l6urKr2Vl9I56ekfprq4QGAgIb9W6uvCIeHhKbyUlXHIuLjgkHBxX8aamc8e0tJdR xsbLI+jooXzd3eicdHQ+IR8flt1LS2Hcvb0NhouLD4WKiuCQcHB8Qj4+ccS1tcyqZmaQ2EhI BgUDA/cB9vYcEg4OwqNhYWpfNTWu+VdXadC5uReRhoaZWMHBOicdHSe5np7ZOOHh6xP4+Cuz mJgiMxER0rtpaalw2dkHiY6OM6eUlC22m5s8Ih4eFZKHh8kg6emHSc7Oqv9VVVB4KCilet/f A4+MjFn4oaEJgImJGhcNDWXav7/XMebmhMZCQtC4aGiCw0FBKbCZmVp3LS0eEQ8Pe8uwsKj8 VFRt1ru7LDoWFlJSUlIJCQkJampqatXV1dUwMDAwNjY2NqWlpaU4ODg4v7+/v0BAQECjo6Oj np6enoGBgYHz8/Pz19fX1/v7+/t8fHx84+Pj4zk5OTmCgoKCm5ubmy8vLy//////h4eHhzQ0 NDSOjo6OQ0NDQ0RERETExMTE3t7e3unp6enLy8vLVFRUVHt7e3uUlJSUMjIyMqampqbCwsLC IyMjIz09PT3u7u7uTExMTJWVlZULCwsLQkJCQvr6+vrDw8PDTk5OTggICAguLi4uoaGhoWZm ZmYoKCgo2dnZ2SQkJCSysrKydnZ2dltbW1uioqKiSUlJSW1tbW2Li4uL0dHR0SUlJSVycnJy +Pj4+Pb29vZkZGRkhoaGhmhoaGiYmJiYFhYWFtTU1NSkpKSkXFxcXMzMzMxdXV1dZWVlZba2 traSkpKSbGxsbHBwcHBISEhIUFBQUP39/f3t7e3tubm5udra2tpeXl5eFRUVFUZGRkZXV1dX p6enp42NjY2dnZ2dhISEhJCQkJDY2NjYq6urqwAAAACMjIyMvLy8vNPT09MKCgoK9/f39+Tk 5ORYWFhYBQUFBbi4uLizs7OzRUVFRQYGBgbQ0NDQLCwsLB4eHh6Pj4+PysrKyj8/Pz8PDw8P AgICAsHBwcGvr6+vvb29vQMDAwMBAQEBExMTE4qKiopra2trOjo6OpGRkZERERERQUFBQU9P T09nZ2dn3Nzc3Orq6uqXl5eX8vLy8s/Pz8/Ozs7O8PDw8LS0tLTm5ubmc3Nzc5aWlpasrKys dHR0dCIiIiLn5+fnra2trTU1NTWFhYWF4uLi4vn5+fk3Nzc36Ojo6BwcHBx1dXV139/f325u bm5HR0dH8fHx8RoaGhpxcXFxHR0dHSkpKSnFxcXFiYmJiW9vb2+3t7e3YmJiYg4ODg6qqqqq GBgYGL6+vr4bGxsb/Pz8/FZWVlY+Pj4+S0tLS8bGxsbS0tLSeXl5eSAgICCampqa29vb28DA wMD+/v7+eHh4eM3Nzc1aWlpa9PT09B8fHx/d3d3dqKioqDMzMzOIiIiIBwcHB8fHx8cxMTEx sbGxsRISEhIQEBAQWVlZWScnJyeAgICA7Ozs7F9fX19gYGBgUVFRUX9/f3+pqampGRkZGbW1 tbVKSkpKDQ0NDS0tLS3l5eXlenp6ep+fn5+Tk5OTycnJyZycnJzv7+/voKCgoODg4OA7Ozs7 TU1NTa6urq4qKioq9fX19bCwsLDIyMjI6+vr67u7u7s8PDw8g4ODg1NTU1OZmZmZYWFhYRcX FxcrKysrBAQEBH5+fn66urq6d3d3d9bW1tYmJiYm4eHh4WlpaWkUFBQUY2NjY1VVVVUhISEh DAwMDH19fX0AAAAAIq4o15gvikLNZe8jkUQ3cS87TezP+8C1vNuJgaXbtek4tUjzW8JWORnQ BbbxEfFZm08Zr6SCP5IYgW3a1V4cq0ICA6OYqgfYvm9wRQFbgxKMsuROvoUxJOK0/9XDfQxV b4l78nRdvnKxlhY7/rHegDUSxyWnBtyblCZpz3Txm8HSSvGewWmb5OMlTziGR77vtdWMi8ad wQ9lnKx3zKEMJHUCK1lvLOktg+SmbqqEdErU+0G93KmwXLVTEYPaiPl2q99m7lJRPpgQMrQt bcYxqD8h+5jIJwOw5A7vvsd/Wb/Cj6g98wvgxiWnCpNHkafVb4ID4FFjygZwbg4KZykpFPwv 0kaFCrcnJskmXDghGy7tKsRa/G0sTd+zlZ0TDThT3mOvi1RzCmWosnc8uwpqduau7UcuycKB OzWCFIUscpJkA/FMoei/ogEwQrxLZhqokZf40HCLS8IwvlQGo1FsxxhS79YZ6JLREKllVSQG mdYqIHFXhTUO9LjRuzJwoGoQyNDSuBbBpBlTq0FRCGw3Hpnrjt9Md0gnqEib4bW8sDRjWsnF swwcOcuKQeNKqthOc+Njd0/KnFujuLLW828uaPyy713ugo90YC8XQ29jpXhyq/ChFHjIhOw5 ZBoIAseMKB5jI/r/vpDpvYLe62xQpBV5xrL3o/m+K1Ny4/J4ccacYSbqzj4nygfCwCHHuIbR HuvgzdZ92up40W7uf0999bpvF3KqZ/AGppjIosV9YwquDfm+BJg/ERtHHBM1C3EbhH0EI/V3 2yiTJMdAe6vKMry+yRUKvp48TA0QnMRnHUO2Qj7LvtTFTCp+ZfycKX9Z7PrWOqtvy18XWEdK jBlEbJgvikKRRDdxz/vAtaXbtelbwlY58RHxWaSCP5LVXhyrmKoH2AFbgxK+hTEkw30MVXRd vnL+sd6Apwbcm3Txm8HBaZvkhke+78adwQ/MoQwkbyzpLaqEdErcqbBc2oj5dlJRPphtxjGo yCcDsMd/Wb/zC+DGR5Gn1VFjygZnKSkUhQq3JzghGy78bSxNEw04U1RzCmW7Cmp2LsnCgYUs cpKh6L+iS2YaqHCLS8KjUWzHGeiS0SQGmdaFNQ70cKBqEBbBpBkIbDceTHdIJ7W8sDSzDBw5 SqrYTk/KnFvzby5o7oKPdG9jpXgUeMiECALHjPr/vpDrbFCk96P5vvJ4ccalvv//sL7///W+ //+wvv//sL7///W+//+wvv//sL7//7C+//+wvv//Yr7//7C+//+wvv//AL7//7C+//8Avv// AAAAAJjyAAAAAAAAAAAAAAAAAACAJQAAL3xcLQEAAAAWAAAA7cUAABAACAAgAEAAUD0AAHA9 AACQPQAAED4AAFA+AACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --------------3AA58EB50676D4DFA3A5C771-- --RAQWHlpxtrVt5uKs7ha5bTXdvbXLwt9hF-- --q2W15woPPJUCmLwEMqsavnimU2UX11IWt Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHQEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKIeBgAKCRBWwohAqoAE ja/8APi+IsdaymO1bqt9HKvDF29qBOgR9wi2w5JVW3vvHln+AQDu85Yd8hJuXIrf Li9c8WkFPuc5MYDDWcoup0bHddEhAA== =b9Ey -----END PGP SIGNATURE----- --q2W15woPPJUCmLwEMqsavnimU2UX11IWt-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:16:40 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 33FB7CDD499 for ; Mon, 13 Feb 2017 21:16:40 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from springbank.echomania.com (springbank.echomania.com [149.210.134.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "springbank.echomania.com", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id EB9B71FCA for ; Mon, 13 Feb 2017 21:16:39 +0000 (UTC) (envelope-from dim@FreeBSD.org) X-Virus-Scanned: Debian amavisd-new at springbank.echomania.com Received: from [IPv6:2001:7b8:3a7::edc2:5bd4:2353:56e3] (unknown [IPv6:2001:7b8:3a7:0:edc2:5bd4:2353:56e3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by springbank.echomania.com (Postfix) with ESMTPSA id B3F7858022B; Mon, 13 Feb 2017 22:16:36 +0100 (CET) From: Dimitry Andric Message-Id: <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> Content-Type: multipart/signed; boundary="Apple-Mail=_D83FAEC8-6DBF-4670-B99F-2DA42FE58B78"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\)) Subject: Re: GELI BIOS weirdness Date: Mon, 13 Feb 2017 22:16:29 +0100 In-Reply-To: Cc: freebsd-hackers@freebsd.org To: Eric McCorkle References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> X-Mailer: Apple Mail (2.3259) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:16:40 -0000 --Apple-Mail=_D83FAEC8-6DBF-4670-B99F-2DA42FE58B78 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=us-ascii On 13 Feb 2017, at 21:58, Eric McCorkle wrote: > > On 02/13/2017 15:36, Dimitry Andric wrote: > >> This disassembles to: >> >> 0: 66 0f 38 f6 f0 adcx %eax,%esi >> 5: 31 c6 xor %eax,%esi >> 7: 8b 4d 14 mov 0x14(%ebp),%ecx >> a: 89 cf mov %ecx,%edi >> c: c1 ff 1f sar $0x1f,%edi >> f: 8b .byte 0x8b > > Note that this was truncated, so the sar and .byte are probably a > truncated instruction. > > Also, when I had printfs in place, I could see the call instructions. > >> My first guess would be that the code simply jumped into garbage. But >> can you post the complete .o file somewhere for inspection? > > Attached. > Can you please post the file before it's been stripped and objcopied from ELF to binary format? That makes it a lot easier to disassemble and analyze... :) -Dimitry --Apple-Mail=_D83FAEC8-6DBF-4670-B99F-2DA42FE58B78 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAliiIjQACgkQsF6jCi4glqP/3ACgpoAOrSKA4dTH/Z0+y+mov+4Y LJgAoK2FL9ljxSyaQ2IJmgGRaw5xqzvS =OMJH -----END PGP SIGNATURE----- --Apple-Mail=_D83FAEC8-6DBF-4670-B99F-2DA42FE58B78-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:33:00 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 72315CDDBC5 for ; Mon, 13 Feb 2017 21:33:00 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: from mail-wm0-f48.google.com (mail-wm0-f48.google.com [74.125.82.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 12221E53; Mon, 13 Feb 2017 21:32:59 +0000 (UTC) (envelope-from cse.cem@gmail.com) Received: by mail-wm0-f48.google.com with SMTP id r141so2193896wmg.1; Mon, 13 Feb 2017 13:32:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=tRMkvQvuYSukcKtMT36giYcYJVirJTj282QQv7PBEvI=; b=kr2YucXIrZdPlrUz1WRBqOO/+QCuwtb3uN56TxzrgEadIO3jai/8Ylis5Zww0gS3du Vku+D/j35n1sONmQJTzDaVmVoj7EEhLUNlGx4c1F7X5Qut9S3DC2IqcUFDtvU/AK2kQy Kmmjz1eMVvYgz5A+ee7DYaw5nI3s250tt0AK6vwvsZqLyxJKkF9SmPa+BZVzB5Cq7hmA w/B3weR7Y/GWOmZWqqPsocjIIKpEddB2rJSpNxsmzAlwKX5u4h6/B+Zqlf4MajUUoSGx N/+w+hje1yNk7T7eYh/bisp76vyuMFTkIMFKEDoZaODtLZKMW0pc9tb8DodFp/UccZp/ OVtg== X-Gm-Message-State: AMke39kKSv+2ooHZYFAQFHVQl87tE8dK/1pe+K49kc31CgP7p42W09wWK9ChhkZGQemyzA== X-Received: by 10.28.213.142 with SMTP id m136mr351888wmg.90.1487021572427; Mon, 13 Feb 2017 13:32:52 -0800 (PST) Received: from mail-wr0-f177.google.com (mail-wr0-f177.google.com. [209.85.128.177]) by smtp.gmail.com with ESMTPSA id q1sm6880900wmd.6.2017.02.13.13.32.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Feb 2017 13:32:52 -0800 (PST) Received: by mail-wr0-f177.google.com with SMTP id o16so159639013wra.1; Mon, 13 Feb 2017 13:32:52 -0800 (PST) X-Received: by 10.223.145.163 with SMTP id 32mr23816219wri.198.1487021572102; Mon, 13 Feb 2017 13:32:52 -0800 (PST) MIME-Version: 1.0 Reply-To: cem@freebsd.org Received: by 10.80.152.82 with HTTP; Mon, 13 Feb 2017 13:32:51 -0800 (PST) In-Reply-To: <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> From: Conrad Meyer Date: Mon, 13 Feb 2017 13:32:51 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: GELI BIOS weirdness To: Dimitry Andric Cc: Eric McCorkle , "freebsd-hackers@freebsd.org" Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:33:00 -0000 "objdump -D -b binary -Mx86-64 -mi386 foo.bin" should work fine (no symbols, though...). Best, Conrad On Mon, Feb 13, 2017 at 1:16 PM, Dimitry Andric wrote: > On 13 Feb 2017, at 21:58, Eric McCorkle wrote: >> >> On 02/13/2017 15:36, Dimitry Andric wrote: >> >>> This disassembles to: >>> >>> 0: 66 0f 38 f6 f0 adcx %eax,%esi >>> 5: 31 c6 xor %eax,%esi >>> 7: 8b 4d 14 mov 0x14(%ebp),%ecx >>> a: 89 cf mov %ecx,%edi >>> c: c1 ff 1f sar $0x1f,%edi >>> f: 8b .byte 0x8b >> >> Note that this was truncated, so the sar and .byte are probably a >> truncated instruction. >> >> Also, when I had printfs in place, I could see the call instructions. >> >>> My first guess would be that the code simply jumped into garbage. But >>> can you post the complete .o file somewhere for inspection? >> >> Attached. >> > > Can you please post the file before it's been stripped and objcopied > from ELF to binary format? That makes it a lot easier to disassemble > and analyze... :) > > -Dimitry > From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:37:47 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A289ECDDDAD for ; Mon, 13 Feb 2017 21:37:47 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from springbank.echomania.com (springbank.echomania.com [IPv6:2a01:7c8:aab2:81::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "springbank.echomania.com", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4088F11CA; Mon, 13 Feb 2017 21:37:47 +0000 (UTC) (envelope-from dim@FreeBSD.org) X-Virus-Scanned: Debian amavisd-new at springbank.echomania.com Received: from [IPv6:2001:7b8:3a7::edc2:5bd4:2353:56e3] (unknown [IPv6:2001:7b8:3a7:0:edc2:5bd4:2353:56e3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by springbank.echomania.com (Postfix) with ESMTPSA id 308E358007C; Mon, 13 Feb 2017 22:37:45 +0100 (CET) From: Dimitry Andric Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_3BCA08C2-3953-4D19-907F-58478BF23ED1"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\)) Subject: Re: GELI BIOS weirdness Date: Mon, 13 Feb 2017 22:37:34 +0100 In-Reply-To: Cc: Eric McCorkle , "freebsd-hackers@freebsd.org" To: cem@freebsd.org References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> X-Mailer: Apple Mail (2.3259) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:37:47 -0000 --Apple-Mail=_3BCA08C2-3953-4D19-907F-58478BF23ED1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Yeah, but I'm interested in the symbols, otherwise it becomes hard to follow. Also, I've looked at my own copy of gptboot.o, and it doesn't contain those bytes at all. That said, my gptboot sources also don't have the lines: if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) sc->sc_mediasize -=3D (sc->sc_mediasize % sc->sc_sectorsize); else { The only use of G_ELI_FLAG_AUTH is in sys/boot/geli/geliboot.c: /* Store the keys */ bcopy(mkey, geli_e->sc.sc_mkey, = sizeof(geli_e->sc.sc_mkey)); bcopy(mkey, geli_e->sc.sc_ivkey, = sizeof(geli_e->sc.sc_ivkey)); mkp =3D mkey + sizeof(geli_e->sc.sc_ivkey); if ((geli_e->sc.sc_flags & G_ELI_FLAG_AUTH) =3D=3D 0) { bcopy(mkp, geli_e->sc.sc_ekey, = G_ELI_DATAKEYLEN); } else { but the assembly for the rest of the geli_attach() function looks pretty reasonable. -Dimitry > On 13 Feb 2017, at 22:32, Conrad Meyer wrote: > "objdump -D -b binary -Mx86-64 -mi386 foo.bin" should work fine (no > symbols, though...). >=20 > Best, > Conrad >=20 > On Mon, Feb 13, 2017 at 1:16 PM, Dimitry Andric = wrote: >> On 13 Feb 2017, at 21:58, Eric McCorkle wrote: >>>=20 >>> On 02/13/2017 15:36, Dimitry Andric wrote: >>>=20 >>>> This disassembles to: >>>>=20 >>>> 0: 66 0f 38 f6 f0 adcx %eax,%esi >>>> 5: 31 c6 xor %eax,%esi >>>> 7: 8b 4d 14 mov 0x14(%ebp),%ecx >>>> a: 89 cf mov %ecx,%edi >>>> c: c1 ff 1f sar $0x1f,%edi >>>> f: 8b .byte 0x8b >>>=20 >>> Note that this was truncated, so the sar and .byte are probably a >>> truncated instruction. >>>=20 >>> Also, when I had printfs in place, I could see the call = instructions. >>>=20 >>>> My first guess would be that the code simply jumped into garbage. = But >>>> can you post the complete .o file somewhere for inspection? >>>=20 >>> Attached. >>> >>=20 >> Can you please post the file before it's been stripped and objcopied >> from ELF to binary format? That makes it a lot easier to disassemble >> and analyze... :) >>=20 >> -Dimitry >>=20 > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to = "freebsd-hackers-unsubscribe@freebsd.org" --Apple-Mail=_3BCA08C2-3953-4D19-907F-58478BF23ED1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAliiJygACgkQsF6jCi4glqOroQCdHgFq7cC/znJ5WGlmFh5ZzAzp wPcAoIxZoQVsX8zgSAlPfYCRznoXEbOt =gFwf -----END PGP SIGNATURE----- --Apple-Mail=_3BCA08C2-3953-4D19-907F-58478BF23ED1-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:37:52 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 12269CDDDC4 for ; Mon, 13 Feb 2017 21:37:52 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id C3EBD11E2; Mon, 13 Feb 2017 21:37:51 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 3268C1E13; Mon, 13 Feb 2017 21:37:51 +0000 (UTC) Subject: Re: GELI BIOS weirdness To: cem@freebsd.org, Dimitry Andric References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> Cc: "freebsd-hackers@freebsd.org" From: Eric McCorkle Message-ID: <9127dfc3-3c33-68c7-53a7-31753ac7e1d3@metricspace.net> Date: Mon, 13 Feb 2017 16:37:47 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="2sLGNof96H6lqXf8oL1EdggCgJ5ipDx0L" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:37:52 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --2sLGNof96H6lqXf8oL1EdggCgJ5ipDx0L Content-Type: multipart/mixed; boundary="lGo4r0nAdRGBWbhiPIVi9LqAiP2rsGBev"; protected-headers="v1" From: Eric McCorkle To: cem@freebsd.org, Dimitry Andric Cc: "freebsd-hackers@freebsd.org" Message-ID: <9127dfc3-3c33-68c7-53a7-31753ac7e1d3@metricspace.net> Subject: Re: GELI BIOS weirdness References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> In-Reply-To: --lGo4r0nAdRGBWbhiPIVi9LqAiP2rsGBev Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 02/13/2017 16:32, Conrad Meyer wrote: > "objdump -D -b binary -Mx86-64 -mi386 foo.bin" should work fine (no > symbols, though...). This is a raw binary, which is necessary for BIOS booting. boot0 is way too small to load an ELF. >=20 > On Mon, Feb 13, 2017 at 1:16 PM, Dimitry Andric wrote= : >> On 13 Feb 2017, at 21:58, Eric McCorkle wrote: >>> >>> On 02/13/2017 15:36, Dimitry Andric wrote: >>> >>>> This disassembles to: >>>> >>>> 0: 66 0f 38 f6 f0 adcx %eax,%esi >>>> 5: 31 c6 xor %eax,%esi >>>> 7: 8b 4d 14 mov 0x14(%ebp),%ecx >>>> a: 89 cf mov %ecx,%edi >>>> c: c1 ff 1f sar $0x1f,%edi >>>> f: 8b .byte 0x8b >>> >>> Note that this was truncated, so the sar and .byte are probably a >>> truncated instruction. >>> >>> Also, when I had printfs in place, I could see the call instructions.= >>> >>>> My first guess would be that the code simply jumped into garbage. B= ut >>>> can you post the complete .o file somewhere for inspection? >>> >>> Attached. >>> >> >> Can you please post the file before it's been stripped and objcopied >> from ELF to binary format? That makes it a lot easier to disassemble >> and analyze... :) >> >> -Dimitry >> --lGo4r0nAdRGBWbhiPIVi9LqAiP2rsGBev-- --2sLGNof96H6lqXf8oL1EdggCgJ5ipDx0L Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKInLAAKCRBWwohAqoAE jSjpAP9TctLmgMt//n1u+EDyekEWMdgoFGUX7TYnc/A4KSA1BwEAl5cvQgDiS+F1 bYCn59120efsjzEhZUrwRykYlPbGGAE= =+yzR -----END PGP SIGNATURE----- --2sLGNof96H6lqXf8oL1EdggCgJ5ipDx0L-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:44:11 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id D8A68CDE2F6 for ; Mon, 13 Feb 2017 21:44:11 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (207-172-209-83.c3-0.arl-ubr1.sbo-arl.ma.static.cable.rcn.com [207.172.209.83]) by mx1.freebsd.org (Postfix) with ESMTP id A8D1C1909; Mon, 13 Feb 2017 21:44:11 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 2D6C41E22; Mon, 13 Feb 2017 21:44:05 +0000 (UTC) Subject: Re: GELI BIOS weirdness To: Dimitry Andric , cem@freebsd.org References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> Cc: "freebsd-hackers@freebsd.org" From: Eric McCorkle Message-ID: Date: Mon, 13 Feb 2017 16:44:01 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="3u4MwgRJFF54xpWJsp8MJU7gobSBHIpTI" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:44:11 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --3u4MwgRJFF54xpWJsp8MJU7gobSBHIpTI Content-Type: multipart/mixed; boundary="9RtrCT0DOsnPc1CG4IihXHPsGfFPOSf0X"; protected-headers="v1" From: Eric McCorkle To: Dimitry Andric , cem@freebsd.org Cc: "freebsd-hackers@freebsd.org" Message-ID: Subject: Re: GELI BIOS weirdness References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> In-Reply-To: --9RtrCT0DOsnPc1CG4IihXHPsGfFPOSf0X Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 02/13/2017 16:37, Dimitry Andric wrote: > Yeah, but I'm interested in the symbols, otherwise it becomes hard to > follow. Also, I've looked at my own copy of gptboot.o, and it doesn't > contain those bytes at all. That said, my gptboot sources also don't > have the lines: What version of the compiler are you using? Mine: $ clang --version FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on LLVM 3.8.0) Target: x86_64-unknown-freebsd12.0 Thread model: posix InstalledDir: /usr/bin >=20 > if (!(sc->sc_flags & G_ELI_FLAG_AUTH)) > sc->sc_mediasize -=3D (sc->sc_mediasize % sc->sc_sectorsize); > else { >=20 > The only use of G_ELI_FLAG_AUTH is in sys/boot/geli/geliboot.c: >=20 > /* Store the keys */ > bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mk= ey)); > bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_i= vkey)); > mkp =3D mkey + sizeof(geli_e->sc.sc_ivkey); > if ((geli_e->sc.sc_flags & G_ELI_FLAG_AUTH) =3D=3D 0) {= > bcopy(mkp, geli_e->sc.sc_ekey, G_ELI_DATAKEYLEN= ); > } else { >=20 > but the assembly for the rest of the geli_attach() function looks prett= y > reasonable. >=20 > -Dimitry >=20 >> On 13 Feb 2017, at 22:32, Conrad Meyer wrote: >> "objdump -D -b binary -Mx86-64 -mi386 foo.bin" should work fine (no >> symbols, though...). >> >> Best, >> Conrad >> >> On Mon, Feb 13, 2017 at 1:16 PM, Dimitry Andric wrot= e: >>> On 13 Feb 2017, at 21:58, Eric McCorkle wrote:= >>>> >>>> On 02/13/2017 15:36, Dimitry Andric wrote: >>>> >>>>> This disassembles to: >>>>> >>>>> 0: 66 0f 38 f6 f0 adcx %eax,%esi >>>>> 5: 31 c6 xor %eax,%esi >>>>> 7: 8b 4d 14 mov 0x14(%ebp),%ecx >>>>> a: 89 cf mov %ecx,%edi >>>>> c: c1 ff 1f sar $0x1f,%edi >>>>> f: 8b .byte 0x8b >>>> >>>> Note that this was truncated, so the sar and .byte are probably a >>>> truncated instruction. >>>> >>>> Also, when I had printfs in place, I could see the call instructions= =2E >>>> >>>>> My first guess would be that the code simply jumped into garbage. = But >>>>> can you post the complete .o file somewhere for inspection? >>>> >>>> Attached. >>>> >>> >>> Can you please post the file before it's been stripped and objcopied >>> from ELF to binary format? That makes it a lot easier to disassemble= >>> and analyze... :) >>> >>> -Dimitry >>> >> _______________________________________________ >> freebsd-hackers@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.= org" >=20 --9RtrCT0DOsnPc1CG4IihXHPsGfFPOSf0X-- --3u4MwgRJFF54xpWJsp8MJU7gobSBHIpTI Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKIoogAKCRBWwohAqoAE jRN2AQDQdlFP0fp3/+nN9PLEKXOfT4f9/8ykQPzxW+bLBYDKxwEAuElU7wDWvuU5 DDr1b/XiYpHZuyjtMtlH7C9cVUbwrAU= =z/8/ -----END PGP SIGNATURE----- --3u4MwgRJFF54xpWJsp8MJU7gobSBHIpTI-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 21:50:53 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id B0001CDE65B for ; Mon, 13 Feb 2017 21:50:53 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from springbank.echomania.com (springbank.echomania.com [149.210.134.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "springbank.echomania.com", Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 6FA729; Mon, 13 Feb 2017 21:50:53 +0000 (UTC) (envelope-from dim@FreeBSD.org) X-Virus-Scanned: Debian amavisd-new at springbank.echomania.com Received: from [IPv6:2001:7b8:3a7::edc2:5bd4:2353:56e3] (unknown [IPv6:2001:7b8:3a7:0:edc2:5bd4:2353:56e3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by springbank.echomania.com (Postfix) with ESMTPSA id 1E26058007C; Mon, 13 Feb 2017 22:50:50 +0100 (CET) From: Dimitry Andric Message-Id: Content-Type: multipart/signed; boundary="Apple-Mail=_CC5C7DD2-7BC4-420B-B77C-6B5979CB1E47"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\)) Subject: Re: GELI BIOS weirdness Date: Mon, 13 Feb 2017 22:50:42 +0100 In-Reply-To: Cc: cem@freebsd.org, "freebsd-hackers@freebsd.org" To: Eric McCorkle References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> X-Mailer: Apple Mail (2.3259) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 21:50:53 -0000 --Apple-Mail=_CC5C7DD2-7BC4-420B-B77C-6B5979CB1E47 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii On 13 Feb 2017, at 22:44, Eric McCorkle wrote: >=20 > On 02/13/2017 16:37, Dimitry Andric wrote: >> Yeah, but I'm interested in the symbols, otherwise it becomes hard to >> follow. Also, I've looked at my own copy of gptboot.o, and it = doesn't >> contain those bytes at all. That said, my gptboot sources also don't >> have the lines: >=20 > What version of the compiler are you using? >=20 > Mine: >=20 > $ clang --version > FreeBSD clang version 3.8.0 (tags/RELEASE_380/final 262564) (based on > LLVM 3.8.0) > Target: x86_64-unknown-freebsd12.0 > Thread model: posix > InstalledDir: /usr/bin I'm on the projects/clang400-import branch, obviously: FreeBSD clang version 4.0.0 (branches/release_40 294803) (based on LLVM = 4.0.0) Target: x86_64-unknown-freebsd12.0 Thread model: posix InstalledDir: /usr/bin but it's easy for me to compile with any old version of clang, though I don't think that will matter much. However, I also think I'm not using the same gptboot sources as you? Are you working off of a GitHub fork, by any chance? -Dimitry --Apple-Mail=_CC5C7DD2-7BC4-420B-B77C-6B5979CB1E47 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAliiKjkACgkQsF6jCi4glqPYZACg3iUQQQaTYpEuJpDx3mZBDa6B 6cIAnRmsWVN5G15K4tybCCeUg1ErUsdv =AA2G -----END PGP SIGNATURE----- --Apple-Mail=_CC5C7DD2-7BC4-420B-B77C-6B5979CB1E47-- From owner-freebsd-hackers@freebsd.org Mon Feb 13 22:19:56 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 478F6CDEDEA for ; Mon, 13 Feb 2017 22:19:56 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (mail.metricspace.net [IPv6:2001:470:1f11:617::107]) by mx1.freebsd.org (Postfix) with ESMTP id 17AEC124F; Mon, 13 Feb 2017 22:19:56 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id A27CE1E7A; Mon, 13 Feb 2017 22:19:55 +0000 (UTC) Subject: Re: GELI BIOS weirdness To: Dimitry Andric References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> Cc: cem@freebsd.org, "freebsd-hackers@freebsd.org" From: Eric McCorkle Message-ID: <38bce785-bc5f-9e13-fa3b-07ead328be84@metricspace.net> Date: Mon, 13 Feb 2017 17:19:47 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="oxSLVk15o9Jiwatkwj7aMBGAn9QS5TaTG" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 13 Feb 2017 22:19:56 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --oxSLVk15o9Jiwatkwj7aMBGAn9QS5TaTG Content-Type: multipart/mixed; boundary="Cit71HcNrTV152rTGsUfs1HEbHCdoDb2C"; protected-headers="v1" From: Eric McCorkle To: Dimitry Andric Cc: cem@freebsd.org, "freebsd-hackers@freebsd.org" Message-ID: <38bce785-bc5f-9e13-fa3b-07ead328be84@metricspace.net> Subject: Re: GELI BIOS weirdness References: <6874308d-8892-2f03-d125-418949fd472c@metricspace.net> <919F6E39-476C-44B5-93EA-447D855921DE@FreeBSD.org> In-Reply-To: --Cit71HcNrTV152rTGsUfs1HEbHCdoDb2C Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 02/13/2017 16:50, Dimitry Andric wrote: > I'm on the projects/clang400-import branch, obviously: >=20 > FreeBSD clang version 4.0.0 (branches/release_40 294803) (based on LLVM= 4.0.0) > Target: x86_64-unknown-freebsd12.0 > Thread model: posix > InstalledDir: /usr/bin >=20 > but it's easy for me to compile with any old version of clang, though I= > don't think that will matter much. However, I also think I'm not using= > the same gptboot sources as you? Are you working off of a GitHub fork,= > by any chance? I am, though I rebased to HEAD recently. My world, though, may be further behind. --Cit71HcNrTV152rTGsUfs1HEbHCdoDb2C-- --oxSLVk15o9Jiwatkwj7aMBGAn9QS5TaTG Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKIxBAAKCRBWwohAqoAE jURYAP91cfRPpGGksv5s9MbQ4NtTUZErU4lIUqAKNdnRS9AtZQD/aPYekNQvouyX 5DD5P6CYfhtO7oyPb3QM9g0SDOQDdA4= =Itct -----END PGP SIGNATURE----- --oxSLVk15o9Jiwatkwj7aMBGAn9QS5TaTG-- From owner-freebsd-hackers@freebsd.org Tue Feb 14 04:25:52 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 80B2ECDEECF; Tue, 14 Feb 2017 04:25:52 +0000 (UTC) (envelope-from kaduk@mit.edu) Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C475A1819; Tue, 14 Feb 2017 04:25:51 +0000 (UTC) (envelope-from kaduk@mit.edu) X-AuditID: 12074425-13fff7000000093f-34-58a285988f07 Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 7A.3C.02367.89582A85; Mon, 13 Feb 2017 23:20:41 -0500 (EST) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v1E4Ke02016508; Mon, 13 Feb 2017 23:20:40 -0500 Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v1E4Kaj6028452 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 13 Feb 2017 23:20:38 -0500 Date: Mon, 13 Feb 2017 22:20:35 -0600 From: Benjamin Kaduk To: freebsd-hackers@FreeBSD.org Cc: freebsd-current@FreeBSD.org, freebsd-stable@FreeBSD.org Subject: FreeBSD Quarterly Status Report - Fourth Quarter 2016 Message-ID: <20170214042034.GA30306@kduck.kaduk.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.6.1 (2016-04-27) X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpjleLIzCtJLcpLzFFi42IR4hRV1p3ZuijC4OYvaYtd106zW8x584HJ Yvvmf4wWh5uFHFg8ZnyazxLAGMVlk5Kak1mWWqRvl8CVsf86a8GVJcwVa961sDQwzjrO1MXI ySEhYCIxafJRti5GLg4hgTYmiQ0Ld7FAOBsZJU53fWaEcK4ySbzr2sDexcjBwSKgKjH/rjBI N5uAmsT6FdeYQWwRAXmJfU3v2UFsZgFriX8PGplByoUF7CRunc0GCfMCLTuw8wAjhC0ocXLm ExaIch2JnVvvsIGUMwtISyz/xwERlpdo3jobbLqogLJEw4wHzBMY+Wch6Z6FpHsWQvcsJN0L GFlWMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Vro5WaW6KWmlG5iBAUru4vqDsY5f70OMQpwMCrx 8E44sDBCiDWxrLgy9xCjJAeTkihv7CagEF9SfkplRmJxRnxRaU5q8SFGCQ5mJRFejbhFEUK8 KYmVValF+TApaQ4WJXFecY3GCCGB9MSS1OzU1ILUIpisDAeHkgTv8RagRsGi1PTUirTMnBKE NBMHJ8hwHqDhv0BqeIsLEnOLM9Mh8qcYLTlO3Tj9konjzMkrQHJX94TXTEIsefl5qVLivN7A 9CEkANKQUZoHNxOUfCSy99e8YhQHelGY9wTIWB5g4oKb+gpoIRPQQta4hSALSxIRUlINjEUe W9cnH2PP63tmstJ/9lKrz52+O270PjIucJ62ZvqBO9cClIu/b7L9+zvBfeX725bvk8zqJXgL 3G/uvegoYvX2jvHly9ezmMx3bb4pcaB73eeqRNGqiq5v19Yz75mcerv4LcPHo7Fr5qVWrTg2 /9y0X34PhP+aOTBdvb5jzgaB2HWTNFdOt3ypxFKckWioxVxUnAgAIxrTUBkDAAA= X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Feb 2017 04:25:52 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 FreeBSD Project Quarterly Status Report - 4th Quarter 2016 Another year has passed (and another has gotten well underway, while we worked to assemble this report). Over the past two years that I have been part of the monthly@ team that assembles these reports, it has been enlightening to watch the individual entries pass through my emacs and/or vim. These reports give me a picture of what is going on with FreeBSD that I could not get just from reading commit mail; I hope that is also true for our readers. This quarter brings the usual mix of continuations of many stalwart projects and entires of new participants, as well as the return of some items after a few quarters' hiatus. Enjoy and be enlightened! --Benjamin Kaduk __________________________________________________________________ The deadline for submissions covering the period from January to March 2017 is April 7, 2017. __________________________________________________________________ FreeBSD Team Reports * FreeBSD Release Engineering Team * Ports Collection * The FreeBSD Core Team * The FreeBSD Foundation Projects * Ceph on FreeBSD * OpenBSM * Sysctl Exporter for Prometheus * The Graphics Stack on FreeBSD Kernel * FreeBSD on Hyper-V and Azure * I2C, GPIO, and SPI Support for MinnowBoard Architectures * FreeBSD on ARM Boards * FreeBSD/arm64 * FreeBSD/EC2 Userland Programs * libarchive * Reproducible Builds in FreeBSD * Updates to GDB * Using LLVM's LLD Linker as FreeBSD's System Linker Ports * GCC (GNU Compiler Collection) * LXQt on FreeBSD * Mono * Wine * Xfce on FreeBSD __________________________________________________________________ FreeBSD Team Reports FreeBSD Release Engineering Team Links FreeBSD 11.0-RELEASE Announcement URL: https://www.FreeBSD.org/releases/11.0R/announce.html FreeBSD 11.0-RELEASE Release Notes URL: https://www.FreeBSD.org/releases/11.0R/relnotes.html FreeBSD Development Snapshots URL: http://ftp.FreeBSD.org/pub/FreeBSD/snapshots/ISO-IMAGES/ Contact: FreeBSD Release Engineering Team The FreeBSD Release Engineering Team is responsible for setting and publishing release schedules for official project releases of FreeBSD, announcing code freezes, and maintaining the respective branches, among other things. The FreeBSD Release Engineering Team in concert with the FreeBSD Security Team finalized FreeBSD 11.0-RELEASE. FreeBSD 11.0-RELEASE was announced on October 10, 2016, roughly four weeks after the original schedule. The FreeBSD Release Engineering Team would like to specifically thank Colin Percival and all members of the FreeBSD Security Team for their extra diligence in ensuring that user-facing upgrade paths were properly addressed and documented. This project was sponsored by The FreeBSD Foundation. __________________________________________________________________ Ports Collection Links About FreeBSD Ports URL: https://www.FreeBSD.org/ports/ Contributing to Ports URL: https://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/contributing/ports-contributing.html FreeBSD Ports Monitoring URL: http://portsmon.FreeBSD.org/index.html Ports Management Team URL: https://www.FreeBSD.org/portmgr/index.html FreeBSD portmgr on Twitter (@FreeBSD_portmgr) URL: https://twitter.com/FreeBSD_portmgr/ FreeBSD Ports Management Team on Facebook URL: https://www.facebook.com/portmgr FreeBSD Ports Management Team on Google+ URL: https://plus.google.com/communities/108335846196454338383 Contact: René Ladan Contact: FreeBSD Ports Management Team The Ports Tree has reached the marker of 27,000 ports, with the PR count risen slightly to around 2,250. Of these PRs, 572 are unassigned. The last quarter saw 6871 commits by 176 committers. The number of open and the number of unassigned PRs both increased lightly since last quarter. Two commit bits were taken in for safe keeping in the last quarter: jmg after 19 months of inactivity, and edwin at his own request. We welcomed three new committers: Nikolai Lifanov (lifanov), Jason Bacon, and Mikhail Pchelin (misha). On the management side, adamw and feld were elected as new portmgr members, and rene was promoted to full member. feld is already involved in ports-secteam. On the infrastructure side, two new USES (lxqt and varnish) were introduced. Some default versions were also updated: varnish 4 (new), GCC 4.8 to 4.9, Perl 5.20 to 5.24, and Python 3.4 to 3.5. Two major ports reached their end-of-life at December 31st and were removed: Perl 5.18 and Linux Fedora 10 (the default is Linux CentOS 6). Because FreeBSD 9.3, 10.1, and 10.2 also reached end-of-life, support for those versions was removed from the Ports Tree. Some major ports were updated to their latest versions: pkg to 1.9.4, Firefox to 50.1.0, Firefox-esr to 45.6.0, Chromium to 54.0.2840.100, and Ruby to 2.1.10 / 2.2.6 / 2.3.3. www/node was updated to version 7; version 6 was split off as www/node6 for long-term support. Behind the scenes, antoine ran 39 exp-runs to verify package updates, framework changes, and changes to the base system. bdrewery installed new package builders and added builds for FreeBSD 11 for mips, mips64, and armv6. He also improved the balancing, monitoring, automation of the package builders. Open tasks: 1. If you have some spare time, please take up a PR for testing and committing. __________________________________________________________________ The FreeBSD Core Team Contact: FreeBSD Core Team The major concern for Core during the last quarter of 2016 has been about maintaining the effectiveness of secteam. The team is primarily in need of better project management, both to improve communication generally and to allow the other team members to concentrate on the technical aspects of handling vulnerabilities. To that end, there has been agreement in principle for either the FreeBSD Foundation or one of the companies that are major FreeBSD users to employ someone specifically in this role. Core confirmed that the new support model would go into effect with 11.0-RELEASE despite the postponement of the switch to a packaged base release mechanism. For details of the new support model, please follow the links from the security page of the FreeBSD website. Core requested the removal of the misc/jive port, on the grounds that it had no function other than to turn text into an offensively racist parody. This proved controversial, with many seeing this as a first step in bowdlerizing the entire ports tree. That is certainly not Core's intention. Core's aim here is to help secure the future of the FreeBSD project by making it welcoming to all contributors, regardless of ethnicity, gender, sexuality or other improper bases for discrimintation. While misc/jive may once have been seen as harmless fun, today the implicit approval implied by having it in the ports tree sends a message at odds with the project's aims. The Marketing team and the associated marketing@FreeBSD.org mailing list were wound up, due to lack of activity. Messages to marketing@FreeBSD.org will be forwarded to the FreeBSD Foundation's marketing team instead. Core member Allan Jude, who was already the clusteradm liason, became a full member of clusteradm. An emergency correction to the 11.0 release notes was authorised, as it was giving the misleading impression that 802.11n wireless support had only just been added, and this misapprehension was being repeated in the press. In reality, FreeBSD has had 802.11n support for many years, and the announcement should have said that support had been added to many additional device drivers. Discussions about a proposal to improve Unicode support are on-going. FreeBSD is already standards conformant, but the propsal is to switch to a __STDC_ISO_10646_ implementation, similar to what Linux glibc currently uses. Opinions are divided on the technical merits of the new approach. There were the usual quota of queries about licensing and other legal matters: * Plans to create a GPLv3 overlay for the base system were shelved in the light of faster than expected progress at enabling building the world using an external toolchain. * The trademarks page on the website was updated to show the current owners of a number of trademarks in their approved form. * In the absence of a tool to extract and summarize all of the relevant information, the obligation in the BSD license that "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution." is fulfilled by providing a tarball of the system sources with their embedded copyright statements. * The European Court of Justice's "Right to be Forgotten" only applies to search engines, and the FreeBSD project is not one of those, so it need not take any action. * Core is following closely discussions within the LLVM project regarding a change of license which, if implemented, might require an audit of the entire ports tree to discover all packages that contain binaries linked against libc++ and ensure that they are licensed compatibly with LLVM. However, indications are that the LLVM project will not adopt such changes. * The "Open Source Exception" in the firmware license means that committing a "binary blob" driver for the Nvidia Jetson TK1 XHCI device is acceptable. During this quarter four new commit bits were awarded. Please welcome Dexuan Cui, David Bright, Konrad Witaszczyk, and Piotr Stefaniak. We were sorry to see Edwin Lansing hang up his commit bits and step down from portmgr. __________________________________________________________________ The FreeBSD Foundation Links FreeBSD Foundation Website URL: https://www.FreeBSDFoundation.org/ Contact: Deb Goodkin The FreeBSD Foundation is a 501(c)(3) non-profit organization dedicated to supporting and promoting the FreeBSD Project and community worldwide. Funding comes from individual and corporate donations and is used to fund and manage software development projects, conferences and developer summits, and provide travel grants to FreeBSD contributors. The Foundation purchases and supports hardware to improve and maintain FreeBSD infrastructure; publishes marketing material to promote, educate, and advocate for the FreeBSD Project; facilitates collaboration between commercial vendors and FreeBSD developers; and finally, represents the FreeBSD Project in executing contracts, license agreements, and other legal arrangements that require a recognized legal entity. Here are some highlights of what we did to help FreeBSD last quarter: Fundraising Efforts Our work is 100% funded by your donations. We raised $1,527,540 in 2016 from 1471 donors! Thank you to everyone who made a donation to help us continue our efforts in 2017 to support the FreeBSD Project and community worldwide! You can make a donation here to our 2017 fundraising campaign: https://www.FreeBSDfoundation.org/donate/. OS Improvements The Foundation improves the FreeBSD operating system by employing our technical staff to maintain and improve critical kernel subsystems, add features and functionality, and fix problems. This also includes funding separate project grants like the arm64 port, blacklistd access control daemon, and integration of VIMAGE support, to make sure that FreeBSD remains a viable solution for research, education, computing, products and more. Large projects supported last year include: * arm64 port * VIMAGE Integration * Toolchain work * blacklistd access control daemon The Foundation team worked on a technology roadmap for 2017-2018 during our board meeting in November. Staff and board members continued hosting bi-weekly conference calls to facilitate efforts for individuals to collaborate on different technologies. You can find out more about the support we provided by reading individual updates from Ed Maste, Konstatin Belousov, and Edward Napierala in this report. Release Engineering The Foundation provides a full-time staff member to lead the release engineering efforts. This has provided timely and reliable releases over the last few years. Last quarter, our full-time staff member worked with the FreeBSD Release Engineering and Security Teams to finalize 11.0-RELEASE. He also added support for the powerpcspe architecture to the 12-CURRENT snapshot builds, and continued work on packaging the base system with pkg(8). He also continued producing 10-STABLE, 11-STABLE, and 12-CURRENT development snapshot builds throughout the quarter. You can find out more about the support we provided to the Release Engineering Team by reading their status update in this report. Supporting FreeBSD Infrastructure The Foundation provides hardware and support to improve the FreeBSD infrastructure. This year, we purchased the following hardware to improve the build, continuous integration, and platform processes: * A server to reduce the build time from over an hour to 20 minutes for the continuous integration process. You can find out more information here: https://ci.FreeBSD.org/ . * Two ThunderX servers for native package builds for the FreeBSD/arm64 architecture. * Two servers to improve release engineering builds. * Four servers to improve package builds. * Four servers as build slaves to increase the number of builds in the continuous integration process. FreeBSD Advocacy and Education A large part of our efforts are dedicated to advocating for the Project. This includes promoting work being done by others with FreeBSD; producing advocacy literature to teach people about FreeBSD and help make the path to starting using FreeBSD or contributing to the Project easier; and attending and getting other FreeBSD contributors to volunteer to run FreeBSD events, staff FreeBSD tables, and give FreeBSD presentations. Here is a list highlighting some of the advocacy and education work we did last year: * Attended and/or sponsored 24 events around the world * Provided 15 Travel Grants to developers * Created new and updated marketing literature including: + Updated FreeBSD 10 Brochure + New TeachBSD postcard to spread the word about the program + Google Summer of Code flyer + FreeBSD 11 Brochure + Updated Recruiting Flyer + Updated Get Involved Flyer + FreeBSD as a Platform for Research Flyer * Created a series of FreeBSD How-to Guides: + Installing FreeBSD with VirtualBox (Mac/Windows) + Installing a Desktop Environment on FreeBSD + Installing FreeBSD for Raspberry Pi + Installing PC-BSD as a Primary Operating System + FreeBSD Setup Tips * Acquired New Testimonials: + Accelerations Systems + NeoSmart Technologies + Chelsio Communications + Crescent River Port Pilots' Association + IXC + Stormshield * Updated the FreeBSD Project and Foundation Branding: + New FreeBSD Foundation website and logo + Updated Brand Assets page to include more information about the FreeBSD Project and FreeBSD Foundation logos. We published our September/October and November/December Journal issues at https://www.FreeBSDfoundation.org/journal/ . We also published monthly newsletters to highlight work being done to support FreeBSD, tell you about upcoming events, and provide other information to keep you in the loop of what we are doing to support the FreeBSD Project and community: https://www.FreeBSDfoundation.org/news-and-events/newsletter/ . Conferences and Events The FreeBSD Foundation sponsors many conferences, events, and summits around the globe. These events can be BSD-related, open source, or technology events geared towards underrepresented groups. We support the FreeBSD-focused events to help provide a venue for sharing knowledge, to work together on projects, and to facilitate collaboration between developers and commercial users. This all helps provide a healthy ecosystem. We support the non-FreeBSD events to promote and raise awareness of FreeBSD, to increase the use of FreeBSD in different applications, and to recruit more contributors to the Project. We also sponsored or attended the following events last quarter: * Ohio LinuxFest, October, Columbus, Ohio * Grace Hopper 2016, October, Houston, TX * COSC 2016, October, Beijing, China * Bay Area FreeBSD Vendor and Devoloper's Summit and MeetBSD 2016, November, Berkely, CA * USENIX LISA '16, December, Boston, MA * OSC 2016, December, Beijing, China Get the whole list of conferences we supported in 2016 at: https://www.FreeBSDfoundation.org/blog/recap-of-2016-advocacy-efforts/ . Legal/FreeBSD IP The Foundation owns the FreeBSD trademarks, and it is our responsibility to protect them. We continued to review requests and grant permission to use the trademarks. We also provided legal support for the core team to investigate the status of certain patents. FreeBSD Community Engagement Anne Dickison, our Marketing Director, has been overseeing the efforts to rewrite the Project's Code of Conduct to help make this a safe, inclusive, and welcoming community. The updated Code of Conduct and Report Guidelines are going through the final review process, and will be handed off to the Core Team for approval in Q1 2017. Go to http://www.FreeBSDfoundation.org to find out how we support FreeBSD and how we can help you! __________________________________________________________________ Projects Ceph on FreeBSD Links Ceph Main Site URL: http://ceph.com Main Repository URL: https://github.com/ceph/ceph My FreeBSD Fork URL: https://github.com/wjwithagen/ceph/tree/wip.FreeBSD Contact: Willem Jan Withagen Ceph is a distributed object store and file system designed to provide excellent performance, reliability and scalability: * Object Storage Ceph provides seamless access to objects using native language bindings or radosgw, a REST interface that is compatible with applications written for S3 and Swift. * Block Storage Ceph's RADOS Block Device (RBD) provides access to block device images that are striped and replicated across the entire storage cluster. * File System Ceph provides a POSIX-compliant network file system that aims for high performance, large data storage, and maximum compatibility with legacy applications. I started looking into Ceph because the HAST solution with CARP and ggate did not really do what I was looking for. But I aim to run a Ceph storage cluster of storage nodes that are running ZFS. User stations would be running bhyve on RBD disks that are stored in Ceph. The FreeBSD build of Ceph includes most of the tools Ceph provides. Note that the RBD-dependent items will not work, since FreeBSD does not have RBD (yet). The most notable progress since the last report: * RBD is actually buildable and can be used to manage RADOS BLOCK DEVICEs. * All tests run to completion for the current selection of tools, though the neded (minor) patches have yet to be pulled into HEAD. * Cmake is now the only way of building Ceph. * The threading/polling code has been reworked for the simple socket code. It now uses a self-pipe, instead of using an odd shutdown()-signaling Linux feature. * The EventKqueue code was modified to work around the "feature" that starting threads destroys the kqueue handles. The code was just finshed, so it is not yet submitted to the main repository. * We investigated differences between FreeBSD and Linux for SO_REUSEADDR and SO_REUSEPORT. Fortunately, the code is only used during testing, so disabling these features only delays progress in the tests. * A jenkins instances is regularly testing both ceph/ceph/master and wjwithagen/ceph/wip.FreeBSD, so there is regular verification of buildability and the tests: http://cephdev.digiware.nl:8180/jenkins/ . Build Prerequisites Compiling and building Ceph is tested on 12-CURRENT with its clang 3.9.0, but 11-RELEASE will probably also work, given experience with clang 3.7.0 from 11-CURRENT. Interestingly, when 12-CURRENT had clang 3.8.0, that did not work as well as either 3.7.0 or 3.9.0. The clang 3.4 present in 10-STABLE does not have the required capabilities to compile everything. The following setup will get things running for FreeBSD: 1. Install bash and link it in /bin 2. It is no longer necessary to add a definition of ENODATA to /usr/include/errno.h 3. Clone the github repo (http://github.com/wjwithagen/ceph.git) and checkout the "wip.FreeBSD" branch 4. Run ./do_FreeBSD.sh to start the build. The old build method using automake is no longer used; see the README.FreeBSD for more details. Parts not (yet) included: * KRBD: Kernel Rados Block Devices is implemented in the Linux kernel, but not in the FreeBSD kernel. Perhaps ggated could be used as a template since it does some of the same things as KRBD, just between 2 disks. It also has a userspace counterpart, which could ease development. * BlueStore: FreeBSD and Linux have different AIO APIs, and that incompatibility needs to be resolved somehow. Additionally, there is discussion in FreeBSD about aio_cancel not working for all devicetypes. * CephFS: Cython tries to access an internal field in struct dirent, which does not compile. * Tests that verify the correct working of the above are also excluded from the testset. Open tasks: 1. Run integration tests to see if the FreeBSD daemons will work with a Linux Ceph platform. 2. Compile and test the user space RBD (Rados Block Device). This currently works, but testing has been limitted. 3. Investigate and see if an in-kernel RBD device could be developed akin to FreeBSD's ggate. 4. Investigate the keystore, which could be embedded in the kernel on Linux, and currently prevents building CephFS and some other components. The first question whether it is really required, or if only KRBD require it. 5. Scheduler information is not used at the moment, because the schedulers work rather differently between FreeBSD and Linux. But at a certain point in time, this would need some attention in src/common/Thread.cc. 6. Integrate the FreeBSD /etc/rc.d initscripts in the Ceph stack. This helps with testing, but also enables running Ceph on production machines. 7. Build a testcluster and start running some of the teuthology integration tests on it. 8. Design a virtual disk implementation that can be used with bhyve and attached to an RBD image. __________________________________________________________________ OpenBSM Links OpenBSM: Open Source Basic Security Module (BSM) Audit Implementation URL: http://www.openbsm.org OpenBSM on GitHub URL: https://github.com/openbsm/openbsm FreeBSD Audit Handbook Chapter URL: https://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/audit.html OpenBSM 1.2 alpha 5 announcement URL: https://lists.FreeBSD.org/pipermail/trustedbsd-announce/2016-December/000008.html DARPA CADETS project URL: https://www.cl.cam.ac.uk/research/security/cadets/ Contact: Christian Brueffer Contact: Robert Watson Contact: TrustedBSD Audit Mailing Mist OpenBSM is a BSD-licensed implementation of Sun's Basic Security Module (BSM) API and file format. It is the user-space side of the CAPP Audit implementations in FreeBSD and Mac OS X. Additionally, the audit trail processing tools are expected to work on Linux. This quarter saw increased development activity, fueled by the DARPA CADETS project, resulting in the release of OpenBSM 1.2 alpha 5. Among this release's changes are the ability to specify the kernel's maximum audit queue length, sandboxing support for auditreduce(1) and praudit(1) on FreeBSD and other systems that support Capsicum, as well as the addition of event identifiers for more FreeBSD system calls. The complete list of changes is documented in the NEWS file on GitHub. The new release will be merged into FreeBSD HEAD and the supported STABLE branches shortly. This project was sponsored by DARPA/AFRL (in part). Open tasks: 1. Test the new release on different versions of FreeBSD, Mac OS X, and Linux. In particular, testing on the latest versions of Mac OS X would be greatly appreciated. 2. Fix problems that have been reported via GitHub and the FreeBSD bug tracker. 3. Implement the features mentioned in the TODO list on GitHub. __________________________________________________________________ Sysctl Exporter for Prometheus Links The Prometheus Project URL: https://prometheus.io/ Node Exporter URL: https://github.com/prometheus/node_exporter Sysctl Exporter URL: https://svnweb.FreeBSD.org/base/head/usr.sbin/prometheus_sysctl_exporter/ Contact: Ed Schouten Prometheus is an Open Source monitoring system that was originally built at SoundCloud in 2012. Since 2016, this project is part of the Cloud Native Computing Foundation, together with other projects like Kubernetes. Prometheus scrapes its targets by periodically sending HTTP GET requests. Targets then respond by sending key-value pairs of metrics and their sample value. Prometheus has a query language, PromQL, that can be used to aggregate sample values and specify alerting conditions. Tools like Grafana can be used to create fancy dashboards using such queries. The Prometheus project provides a utility called node_exporter that gathers basic system metrics and serves them over HTTP. This utility tends to be rather complex, as it has to extract metrics from many different sources. On Linux, files in /proc have no uniform format, meaning that for every kernel framework a custom collector needs to be written. On FreeBSD the sitiuation is better, as the data exported through sysctl is already structured in such a way that it can easily be translated to Prometheus' metrics format. The goal of this project is thus to provide a generic exporter for the entire sysctl tree. Not only does this prevent unnecessary bloat and indirection, it may also make the life of a kernel developer a lot easier. One can easily use Prometheus to graph the occurrence of an event over time by (temporarily) adding a counter to the kernel. An initial version of the sysctl exporter has been integrated into the FreeBSD base system in December. It can be run through inetd by uncommenting the example provided in inetd.conf. Unfortunately, this exporter cannot be merged back to FreeBSD 10.x/11.x, as it depends on KBI-breaking changes to sysctl(9). Open tasks: 1. Are you using Prometheus or are you interested in using it? Be sure to give both Prometheus and this sysctl exporter a try! 2. It would be nice if we created a set of useful alerting rules and placed those in /usr/share/examples. For example, how can one use this exporter to monitor the state of GEOM-based RAID arrays? Is such information even exported through sysctl? 3. Prometheus uses a rather clever format for exporting histograms. Histograms are useful for expressing the amount of time taken to complete certain events (for example, disk operations). Would it be possible to add histograms as native data types to sysctl? If so, is there any chance they can be implemented without picking up any kernel locks? __________________________________________________________________ The Graphics Stack on FreeBSD Links Graphics Stack Roadmap and Supported Hardware Matrix URL: https://wiki.FreeBSD.org/Graphics GitHub Repository URL: https://github.com/FreeBSDDesktop/freebsd-base-graphics Ports Development Repository URL: https://github.com/FreeBSD/freebsd-ports-graphics Fork of libudevd-devd Shim URL: https://github.com/FreeBSDDesktop/libudev-devd Graphics Team Blog URL: https://planet.FreeBSD.org/graphics Contact: FreeBSD Graphics Team Contact: Matthew Macy Good progress on graphics support was made during the weeks around Christmas and the new year with the import of Linux 4.9's DRM for i915 and amdgpu into the drm-next branch of the github repository. The amdgpu KMS driver is already somewhat usable, with a few major known issues remaining. It now supports GPUs as far back as Southern Islands and up to Polaris. The 4.9 update also appears to have fixed a regression in i915 that was introduced by the 4.8 merge late this past summer. The drm-next branch now supports the Intel integrated graphics unit up to Kaby Lake CPUs. To facilitate out-of-the-box support on CURRENT, most of the branch-local VM changes were reverted and the graphics fault routines converted to use pg_populate. This new interface is the source of a couple of regressions causing panics on i915 and severe artifacts with amdgpu on integrated GPUs. Mark Johnston (markj@) has volunteered to analyze these issues. Please show your support and encouragement to Mark for helping to move this project towards the finish line. The xserver-mesa-next-udev branch was created for the ports development repository, and holds Mesa 13.0 and fixes for newer AMD GPUs. It uses a fork of the libudev-devd shim, also bringing Mesa closer to the Linux upstream. I plan to keep updating drm and amdgpu (for use on my desktop and potentially longer term for GPGPU computations) as well as work with Mark to address the existing bugs in i915 (assuming that two new porters are approved). However, the Linux i915 developers seem to aggressively explore the space of possible implementations and use of Linux internal APIs, making it prohibitively time consuming to track upstream. I am helping someone to learn the ropes of how to replay a subset of changes from a Linux release into FreeBSD in the hope that he will take over the mantle of drm-next i915 maintainer. Assuming the issues listed above are addressed, a port of the linuxkpi, DRM, and KMS drivers for use on standard amd64 CURRENT installations is planned. Together with upgrades to the relevant graphics ports, this will provide experimental support for new AMD and Intel GPUs. __________________________________________________________________ Kernel FreeBSD on Hyper-V and Azure Links FreeBSD Virtual Machines on Microsoft Hyper-V URL: https://wiki.FreeBSD.org/HyperV Supported Linux and FreeBSD Virtual Machines for Hyper-V on Windows URL: https://technet.microsoft.com/en-us/library/dn531030.aspx Contact: Sepherosa Ziehau Contact: Hongjiang Zhang Contact: Dexuan Cui Contact: Kylie Liang This project provides native virtualized interfaces for FreeBSD systems running on Hyper-V virtualization, improving on the performance of traditional emulated evices. Per-ring polling, multi-packet RNDIS messages, and system RSS integration have been implemented, further optimizing the throughput and latency of the Hyper-V network driver. Live virtual machine backup is implemented (for now, only for UFS), after the VSS (Volume Shadow Copy Service), which it depends on, was implemented. PCIe pass-through is implemented, and the patches to implement NIC SR-IOV are being reviewed on Phabricator. vDSO support for speeding up gettimeofday(2) is now implemented. The FreeBSD 11.0 image on Azure (https://azure.microsoft.com/en-us/marketplace/partners/microsoft/FreeBSD110/) is now available, in addition to the existing 10.3 image. We fixed an issue where SCSI disks would sometimes fail to attach, resolving bug 215171 ([Hyper-V] Fail to attach SCSI disk from LUN 8 on Win2008R2/Win2012/Win2012R2). This project was sponsored by Microsoft. __________________________________________________________________ I2C, GPIO, and SPI Support for MinnowBoard Links Blog Post URL: https://kernelnomicon.org/?p=767 MinnowBoard Website URL: https://www.minnowboard.org Contact: Oleksandr Tymoshenko The MinnowBoard is an Atom-based x86 board (Intel E38xx Series SoC) in a maker-friendly form-factor: it provides convenient access to pins that can be used to connect peripherals using one of the standard buses: GPIO, SPI, or I2C. These buses are more common in the ARM/MIPS world than in x86, so while FreeBSD was able to boot just fine, it lacked support for these buses on the MinnowBoard. As of r310645, HEAD support all three buses via the ig4(4), bytgpio(4), and intelspi drivers. The ig4(4) and bytgpio(4) changes were backported to 11-STABLE; intelspi will be MFCed in couple of weeks. __________________________________________________________________ Architectures FreeBSD on ARM Boards Links FreeBSD on Allwinner (Sunxi) Systems URL: https://wiki.FreeBSD.org/FreeBSD/arm/Allwinner FreeBSD Commit Adding Support for IR Interfaces URL: https://svnweb.FreeBSD.org/base?view=revision&revision=307984 Contact: Ganbold Tsagaankhuu The changes necessary to support the Allwinner Consumer IR interface in FreeBSD have been committed. The receive (RX) side is supported now and the driver is using the evdev framework. It was tested on the Cubieboard2 (A20 SoC) using lirc with dfrobot's simple IR remote controller. __________________________________________________________________ FreeBSD/arm64 Links FreeBSD arm64 Wiki Page URL: https://wiki.FreeBSD.org/arm64 Contact: Andrew Turner Contact: Oleksandr Tymoshenko Support for accessing floating-point registers from the kernel has been added. This uses the same KPI as i386 and amd64. This will allow for handling places where the floating-point state may be modified, for example when calling into UEFI. Support for the optional ARMv8 AES instructions was added to the kernel. This makes use of the ability to store and restore the floating point state. Tests have shown a significant improvement in AES performance on ThunderX hardware. The Cortex Strings memcpy and memmove functions have been imported into the kernel. These are optimised implementations of these common functions. FreeBSD now boots on the SoftIron Overdrive 3000 using ACPI. The needed changes for this have been submitted to phabricator for review. This includes booting with SMP enabled, and all currently supported devices. Support for the Raspberry Pi 3 has been committed. Most devices work, with the exception of WiFi and Bluetooth, as these are attached via an as-yet unsupported SDIO bus. This project was sponsored by The FreeBSD Foundation, and ABT Systems Ltd. __________________________________________________________________ FreeBSD/EC2 Contact: Colin Percival This report covers work since the last FreeBSD/EC2 status report (2015Q1). FreeBSD/EC2 is now part of the regular FreeBSD release build, with snapshots and releases being automatically uploaded and copied to all available regions. Due to legal restrictions, this does not currently include the GovCloud or China (Beijing) regions; anyone wishing to use FreeBSD in those regions is encouraged to contact the author. The AWS Marketplace reports that approximately 800 users are running roughly 2000 FreeBSD EC2 instances. This does not count the likely significantly larger number of EC2 instances launched directly through the EC2 API and Console, but at least places a lower bound on usage. FreeBSD 11.0-RELEASE shipped with support for the "enhanced networking" capabilities of EC2 C3, C4, R3, I2, D2, and M4 (excluding m4.16xlarge) instances. This provides significantly higher network performance than the virtual networking available on older EC2 instances and with older versions of FreeBSD. FreeBSD 11.0-RELEASE and later also use indirect segment disk I/Os, which yield approximately 20% higher throughput with equal or lower latency, and support the 128-vCPU x1.32xlarge instance type. FreeBSD now supports the Amazon Simple Systems Manager service ("run command"). Open tasks: 1. Complete a pending reorganization of the accounts used for FreeBSD/EC2 releases. 2. Support "second generation enhanced networking" via the new Elastic Network Adapter found in P2, R4, X1, and m4.16xlarge instances. 3. Provide tools for improved functionality via the Simple Systems Manager service: listing installed packages, checking for updates, adding/removing users, [your favourite sysadmin task goes here]. 4. Add support for EC2's IPv6 networking to the default FreeBSD/EC2 configuration. 5. Continue ongoing interoperability testing between FreeBSD's NFS client and the Amazon Elastic File System (NFS-as-a-service). __________________________________________________________________ Userland Programs libarchive Links Official Libarchive Homepage URL: http://www.libarchive.org Libarchive on GitHub URL: https://github.com/libarchive/libarchive Contact: Tim Kientzle Contact: Martin Matuska Libarchive is a BSD-licensed archive and compression library originally developed as part of FreeBSD. It supports a wide variety of input and output formats and also includes three command-line tools: bsdcat, bsdcpio and bsdtar. The FreeBSD tar and cpio utilities are taken directly from Libarchive, and many other important utilities like ar, unzip, and the pkg package manager make use of libarchive's functions. Libarchive development in 2016 has been focusing on bug fixes and code cleanup, including fixing several critical security issues. Automated testing with Travis CI and Jenkins has been introduced and libarchive has been added to the Google OSS-Fuzz project. Fuzzing helped detect several hidden problems like buffer overflows and memory leaks. Over the last few months, NFSv4 ACL support for the pax and restricted pax (the default for bsdtar) formats has been completed and merged to FreeBSD-CURRENT. NFSv4 ACL entries can now be stored to and restored from tar archives. Open tasks: 1. More extensive CI testing with FreeBSD on different platforms and releases. Currently only 11.0-RELEASE-amd64 gets tested via an automated Jenkins job. 2. As every commit to libarchive may influence the build process of FreeBSD ports, the ability to trigger a (semi-)automated exp-run for the ports tree would be great. __________________________________________________________________ Reproducible Builds in FreeBSD Links Base System Reproducible Builds Wiki Page URL: https://wiki.FreeBSD.org/ReproducibleBuilds Ports Reproducible Builds Wiki Page URL: https://wiki.FreeBSD.org/PortsReproducibleBuilds Reproducible Builds Website URL: https://reproducible-builds.org/ Contact: Baptiste Daroussin Contact: Ed Maste Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers. A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-for-bit identical copies of all specified artifacts. Baptiste Daroussin and Ed Maste attended the second Reproducible Builds Summit last December, in Berin. We discussed issues of common interest to operating system providers, including other BSDs and Linux distributions. Following the summit, changes were committed to the FreeBSD base system to address outstanding sources of non-reproducibility. It is now possible to build the FreeBSD base system (kernel and userland) completely reproducibly, although it currently requires a few non-default settings. Approximately 80% of the ports tree builds reproducibly, with a few work-in-progress patches. Now that the base system can be built reproducibly, focus will move on to the ports tree. This project was sponsored by The FreeBSD Foundation, and The Linux Foundation. Open tasks: 1. Integrate FreeBSD ports builds into the reprodcible-builds.org continuous integration infrastructure. 2. Integrate reproducible build patches into the ports tree. 3. Investigate sources of non-reproducibility in individual ports. __________________________________________________________________ Updates to GDB Contact: John Baldwin Contact: Luca Pizzamiglio The devel/gdb port has been updated to GDB 7.12. 7.12 includes additional fixes related to tracing vfork()s. Some of these fixes depend on changes to ptrace() in the kernel to report a new ptrace stop when the parent of a vfork() resumes. Support for FreeBSD/mips userland binaries has been committed upstream. These patches, along with support for debugging FreeBSD/mips kernels, should be added to the port soon. Open tasks: 1. Figure out why the powerpc kgdb targets are not able to unwind the stack past the initial frame. 2. Add support for more platforms (arm, aarch64) to upstream gdb for both userland and kgdb. 3. Add support for debugging powerpc vector registers. 4. Add support for $_siginfo. 5. Implement 'info proc' commands. 6. Implement 'info os' commands. 7. Debug gdb hangs related to the 'kill' command. __________________________________________________________________ Using LLVM's LLD Linker as FreeBSD's System Linker Links FreeBSD LLD Wiki Page URL: https://wiki.FreeBSD.org/LLD FreeBSD/LLD Tracking PR (LLVM Bugzilla) URL: http://llvm.org/pr23214 Contact: Rafael Espíndola Contact: Ed Maste LLD is the linker in the LLVM family of projects. It is a high-performance linker that supports the ELF, COFF and Mach-O object formats. It aims to be compatible with the common linkers used for each file format. For ELF this is the GNU Binary File Descriptor (BFD) ld and GNU gold. However, LLD's authors are not constrained by strict compatibility where it would hamper performance or desired functionality. LLD developers made significant progress over the last quarter. With changes committed to both LLD and FreeBSD we reached a major milestone: it is now possible to link the entire FreeBSD/amd64 base system (kernel and userland) with LLD. Now that the base system links with LLD, we have started investigating linking applications in the ports tree with LLD. Through this process we are identifying limitations or bugs in both LLD and a number of FreeBSD ports. With a few work-in-progress patches we can link approximately 95% of the ports collection with LLD on amd64. This project was sponsored by The FreeBSD Foundation. Open tasks: 1. Fix libtool to detect LLD and pass the same command line arguments as for GNU ld and gold. 2. Investigate the remaining amd64 port build failures. 3. Investigate and improve LLD on arm64, i386, arm, and other non-amd64 architectures. 4. Extensive testing. __________________________________________________________________ Ports GCC (GNU Compiler Collection) Links GCC Home Page URL: https://gcc.gnu.org Contact: Gerald Pfeifer Contact: Andreas Tobler Contact: Antoine Brodin Long awaited, the update to GCC 4.9 as the default version of GCC in the Ports Collection (lang/gcc port, USE_GCC=yes in Makefiles) has arrived, an update from GCC 4.8. This brings quite a number of improvements; see https://gcc.gnu.org/gcc-4.9/changes.html for details. lang/gcc49 has moved to the GCC 4.9.4 release which marks the closure of the GCC 4.9 branch and release series. (Yes, this means we should rather get the next version upgrade for lang/gcc in place soon. That update per se is straightforward, but any help in addressing the fallout of broken ports would be great -- please let us know if you want to help!) lang/gcc6 has been updated first to GCC 6.2 and then GCC 6.3, bringing a fair number of fixes, and should now be suitable for production use. Open tasks: 1. Update lang/gcc (and hence USE_GCC=yes) to GCC 5. 2. Support for AArch64. __________________________________________________________________ LXQt on FreeBSD Links LXQt Project URL: http://lxqt.org/ FreeBSD LXQt Project URL: https://wiki.FreeBSD.org/LXQt LXQt Development Repository URL: https://www.assembla.com/spaces/lxqt/subversion/source Contact: Olivier Duchateau Contact: Jesper Schmitz Mouridsen LXQt is the Qt port of and the upcoming version of LXDE, the Lightweight Desktop Environment. It is the product of a merge between the LXDE-Qt and Razor-qt projects. The porting effort remains very much a work in progress: LXQt requires some components of Plasma 5, the new major KDE workspace. We imported some core components (it was necessary to update to x11/qterminal 0.7.0): * devel/lxqt-build-tools * devel/liblxqt * devel/qtxdg * x11/libfm-qt Standalone applications: * graphics/lximage-qt * x11-fm/pcmanfm-qt We also have updates for: * x11/qterminal 0.7.1 * x11-toolkits/qtermwidget 0.7.1 * Updating the Porter's Handbook for LXQt support (https://bugs.FreeBSD.org/bugzilla/show_bug.cgi?id=215650) Open tasks: 1. Improve support in sysutils/lxqt-admin (especially date and time settings). __________________________________________________________________ Mono Links Mono Homepage URL: http://www.mono-project.com/ .NET Core Homepage URL: https://github.com/dotnet/core Mono Project Page URL: https://wiki.FreeBSD.org/Mono Contact: Mono on FreeBSD team During the last quarter, many ports within the mono project have been updated: * Mono: 4.6.2.7 * MonoDevelop: 6.1.1.15, 6.1.2.44 * FSharp: 4.0.1.20 USES=mono has been extended to allow for easier use of Nuget packages. This extension has been used adopted by FSharp, MonoDevelop and OpenRA. Work has started on porting Microsoft's open-sourced .NET Core. Thanks to the work of another team, the native components of coreclr and corefx already support FreeBSD, however, there is further work required in bootstrapping the build process and compiling the managed code. Open tasks: 1. Port .NET Core. 2. Test patches for Mono. __________________________________________________________________ Wine Links Wine Homepage URL: https://www.winehq.org/ Project Page URL: https://wiki.freebsd.org/Wine Contact: Gerald Pfeifer Contact: David Naylor The stable version of Wine (aka emulators/wine) has seen three maintenance releases in the last half year, and Xinerama support (in case you have more than one screen) and GNUTLS (helpful for Evernote or World of Warcraft, for example) are now active by default. The development version (aka emulators/wine-devel) has seen steady progress and reached the RC phase of Wine 2.0. We are looking forward to a new major release soon that combines the progress of a year of active development with the stability of a release. Open tasks: 1. Port WoW64 __________________________________________________________________ Xfce on FreeBSD Links FreeBSD Xfce Project URL: https://wiki.FreeBSD.org/Xfce FreeBSD Xfce Repository URL: https://www.assembla.com/spaces/xfce4/subversion/source Contact: FreeBSD Xfce Team Xfce is a free software desktop environment for Unix and Unix-like platforms such as FreeBSD. It aims to be fast and lightweight, while still being visually appealing and easy to use. During this quarter, the team has kept these applications up-to-date: * audio/xfce4-mpc-plugin 0.5.0 (committed in devel repository) * deskutils/xfce4-notifyd 0.3.4 * graphics/ristretto 0.8.1 * sysutils/xfce4-diskperf-plugin 2.6.0 * sysutils/xfce4-battery-plugin 1.1.0 (committed in devel repository) * sysutils/xfce4-fsguard-plugin 1.1.0 (committed in devel repository) * sysutils/xfce4-netload-plugin 1.3.0 (committed in devel repository) * sysutils/xfce4-systemload-plugin 1.2.0 (committed in devel repository) * sysutils/xfce4-wavelan-plugin 0.6.0 (committed in devel repository) * x11/xfce4-clipman-plugin 1.4.1 * x11/xfce4-conf 4.12.1 * x11/xfce4-dashboard 0.6.1 * x11/xfce4-terminal 0.8.2 * x11/xfce4-whiskermenu-plugin 1.6.2 * x11-clocks/xfce4-datetime-plugin 0.7.0 (committed in devel repository) * x11-wm/xfce4-panel 4.12.1 * www/xfce4-smartbookmark-plugin 0.5.0 (committed in devel repository) We also follow the unstable releases (available in our experimental repository) of: * sysutils/xfce4-settings 4.13.0 (it requires Gtk+ > 3.20) * x11/libexo 0.11.2 * x11/xfce4-whiskermenu-plugin 2.0.3 Open tasks: 1. Apply the changes discussed in D8416 (simplify the MASTER_SITES macro in port Makefiles). 2. Commit the stable panel plugins. __________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQGgBAEBCgAGBQJYooROAAoJECjZpvNk63USnIwMIO4lgSyECoViv1/WVXQdWkNr cQ70ARRSDDc1q3mN6Y0FTsxyvllR/u1BOdcJz5M/oWnbh87TISp3ocL2t4Ehm2ti gY4o4sLNtQlRV+45klHuxdDCrTbnOmUUuxKdIMPypDlHg3SI06Ki7oDptaP16EXM wc8zOwZZHeOCKQ1PDE1rll3BpDGCeB+BbdElIRdWY280gKeuN7/LuyTjYt171ohw Z3pGzomE7JTGulwyu86mo1M1C0R3ZhngrichpGkxD/x+uwsNJFyj2l39yFDnTtwu NZx1xmWjPgtprPFBtjIEViGPVHg58hzSVSDYpALR5dRsno/QpO57GArshq3sBuAn w8NmgmtZM82MdrrL7SwtRWbc9bIpyqJr3D25GQnJnhXJKacmPhnOlcSCtd9XGaqS VFRJ/4GODcxVXXN0h6euJEwgSheBFCd4lc8wHGWmTw6/qrQzJURVFErOCt3uayJf 7IHeQVqErAbBm/ZHEUdRlFvXKcduE9z8/TWcdJ/1TAoCMwY= =Vpv4 -----END PGP SIGNATURE----- From owner-freebsd-hackers@freebsd.org Wed Feb 15 11:07:40 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0D180CDF345 for ; Wed, 15 Feb 2017 11:07:40 +0000 (UTC) (envelope-from sebastian.huber@embedded-brains.de) Received: from dedi548.your-server.de (dedi548.your-server.de [85.10.215.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BF97483E for ; Wed, 15 Feb 2017 11:07:39 +0000 (UTC) (envelope-from sebastian.huber@embedded-brains.de) Received: from [88.198.220.131] (helo=sslproxy02.your-server.de) by dedi548.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.85_2) (envelope-from ) id 1cdwzE-0007oF-MU for freebsd-hackers@freebsd.org; Wed, 15 Feb 2017 11:39:00 +0100 Received: from [82.135.62.35] (helo=mail.embedded-brains.de) by sslproxy02.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from ) id 1cdwzE-0005j5-FI for freebsd-hackers@freebsd.org; Wed, 15 Feb 2017 11:39:00 +0100 Received: from localhost (localhost.localhost [127.0.0.1]) by mail.embedded-brains.de (Postfix) with ESMTP id 0BAB02A0008 for ; Wed, 15 Feb 2017 11:39:02 +0100 (CET) Received: from mail.embedded-brains.de ([127.0.0.1]) by localhost (zimbra.eb.localhost [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id yHjnkh6fPTCH for ; Wed, 15 Feb 2017 11:39:01 +0100 (CET) Received: from localhost (localhost.localhost [127.0.0.1]) by mail.embedded-brains.de (Postfix) with ESMTP id 8E03A2A1804 for ; Wed, 15 Feb 2017 11:39:01 +0100 (CET) X-Virus-Scanned: amavisd-new at zimbra.eb.localhost Received: from mail.embedded-brains.de ([127.0.0.1]) by localhost (zimbra.eb.localhost [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id KWrsPruPabxa for ; Wed, 15 Feb 2017 11:39:01 +0100 (CET) Received: from [192.168.96.129] (unknown [192.168.96.129]) by mail.embedded-brains.de (Postfix) with ESMTPSA id 554CA2A0008 for ; Wed, 15 Feb 2017 11:39:01 +0100 (CET) To: FreeBSD From: Sebastian Huber Subject: kern_ntptime.c and NTP_NANO Message-ID: <58A42FC2.5070608@embedded-brains.de> Date: Wed, 15 Feb 2017 11:38:58 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable X-Authenticated-Sender: smtp-embedded@poldinet.de X-Virus-Scanned: Clear (ClamAV 0.99.2/23066/Wed Feb 15 09:40:49 2017) X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Feb 2017 11:07:40 -0000 Hello, there is a comment in https://svnweb.freebsd.org/base/head/sys/kern/kern_ntptime.c?view=3Dmarku= p#l92 which talks about a NTP_NANO option. I think this option no longer=20 exists and the part about some sort of counter is superseded by the=20 timecounters. Maybe someone how knows this stuff good enough would mind=20 updating the comment. --=20 Sebastian Huber, embedded brains GmbH Address : Dornierstr. 4, D-82178 Puchheim, Germany Phone : +49 89 189 47 41-16 Fax : +49 89 189 47 41-09 E-Mail : sebastian.huber@embedded-brains.de PGP : Public key available on request. Diese Nachricht ist keine gesch=C3=A4ftliche Mitteilung im Sinne des EHUG= . From owner-freebsd-hackers@freebsd.org Wed Feb 15 12:06:25 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 63416CE0A89 for ; Wed, 15 Feb 2017 12:06:25 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from zxy.spb.ru (zxy.spb.ru [195.70.199.98]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 271E2764 for ; Wed, 15 Feb 2017 12:06:25 +0000 (UTC) (envelope-from slw@zxy.spb.ru) Received: from slw by zxy.spb.ru with local (Exim 4.86 (FreeBSD)) (envelope-from ) id 1cdyLg-000DP4-5Q for freebsd-hackers@freebsd.org; Wed, 15 Feb 2017 15:06:16 +0300 Date: Wed, 15 Feb 2017 15:06:16 +0300 From: Slawa Olhovchenkov To: freebsd-hackers@freebsd.org Subject: Parse info from core file Message-ID: <20170215120616.GB15630@zxy.spb.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.24 (2015-08-30) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: slw@zxy.spb.ru X-SA-Exim-Scanned: No (on zxy.spb.ru); SAEximRunCond expanded to false X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Feb 2017 12:06:25 -0000 How to I am can parse core from my program? For example, for dump in human-readable form hashs/trees/etc. gdb in many cases don't have information about types. lldb don't start w/ core at acceptable time. Run application w/ some switch can be help, but I am don't know how to load and use/map core in application. From owner-freebsd-hackers@freebsd.org Wed Feb 15 14:15:46 2017 Return-Path: Delivered-To: freebsd-hackers@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 37485CE0C37; Wed, 15 Feb 2017 14:15:46 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from mail.metricspace.net (207-172-209-83.c3-0.arl-ubr1.sbo-arl.ma.static.cable.rcn.com [207.172.209.83]) by mx1.freebsd.org (Postfix) with ESMTP id 07731C74; Wed, 15 Feb 2017 14:15:45 +0000 (UTC) (envelope-from eric@metricspace.net) Received: from [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f] (unknown [IPv6:2001:470:1f11:617:3210:b3ff:fe77:ca3f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: eric) by mail.metricspace.net (Postfix) with ESMTPSA id 05BAE13C1; Wed, 15 Feb 2017 14:15:38 +0000 (UTC) To: "freebsd-hackers@freebsd.org" , freebsd-amd64@freebsd.org From: Eric McCorkle Subject: CFT: Crypto key intake metadata and GELI BIOS boot Message-ID: <38263f5b-b33d-1a57-9891-b08cb114a3e6@metricspace.net> Date: Wed, 15 Feb 2017 09:15:34 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0 MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="X7FPO3HRCLtP8EF11JkUNmr81Rg9AtiPG" X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Feb 2017 14:15:46 -0000 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --X7FPO3HRCLtP8EF11JkUNmr81Rg9AtiPG Content-Type: multipart/mixed; boundary="jmJEd4Js9xDh8P6M6aV64OhDxXmdRl4Bh"; protected-headers="v1" From: Eric McCorkle To: "freebsd-hackers@freebsd.org" , freebsd-amd64@freebsd.org Message-ID: <38263f5b-b33d-1a57-9891-b08cb114a3e6@metricspace.net> Subject: CFT: Crypto key intake metadata and GELI BIOS boot --jmJEd4Js9xDh8P6M6aV64OhDxXmdRl4Bh Content-Type: multipart/mixed; boundary="------------E31E4CC531EE896A8C281EC0" This is a multi-part message in MIME format. --------------E31E4CC531EE896A8C281EC0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Hello everyone, Attached is a patch that provides a flexible mechanism for providing encryption keys to a kernel from the boot loader. This patch also modifies the current BIOS GELI support to use this mechanism. The git repo can be found here: https://github.com/emc2/freebsd/tree/keybuf (the branch is the "keybuf" branch). Please test this patch with a GELI BIOS boot setup and report the results= =2E Note that I have been encountering a strange problem with the BIOS GELI support that causes gptboot to crash with an illegal instruction. This seems to manifest on an unmodified copy of master. Also note that this patch is already under review on phabricator. --------------E31E4CC531EE896A8C281EC0 Content-Type: text/x-patch; name="keybuf.diff" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="keybuf.diff" diff --git a/sys/boot/geli/Makefile b/sys/boot/geli/Makefile index f5ab2432903..2ab31d589e0 100644 --- a/sys/boot/geli/Makefile +++ b/sys/boot/geli/Makefile @@ -39,6 +39,7 @@ SRCS+=3D md5c.c # AES implementation from sys/crypto .PATH: ${.CURDIR}/../../crypto/rijndael CFLAGS+=3D -I${.CURDIR}/../../ +CFLAGS+=3D -I${.CURDIR}/../common/ # Remove asserts CFLAGS+=3D -DNDEBUG SRCS+=3D rijndael-alg-fst.c rijndael-api-fst.c rijndael-api.c diff --git a/sys/boot/geli/geliboot.c b/sys/boot/geli/geliboot.c index f9a128cb667..c8905a85b0a 100644 --- a/sys/boot/geli/geliboot.c +++ b/sys/boot/geli/geliboot.c @@ -29,9 +29,45 @@ =20 #include "geliboot.h" =20 +#include + SLIST_HEAD(geli_list, geli_entry) geli_head =3D SLIST_HEAD_INITIALIZER(g= eli_head); struct geli_list *geli_headp; =20 +typedef u_char geli_mkey[G_ELI_DATAIVKEYLEN]; + +static geli_mkey saved_keys[GELI_MAX_KEYS]; +static unsigned int nsaved_keys =3D 0; + +void +geli_fill_keybuf(keybuf_t *keybuf) +{ + int i; + + for(i =3D 0; i < nsaved_keys; i++) { + keybuf->kb_ents[i].ke_type =3D KEYBUF_TYPE_GELI; + memcpy(keybuf->kb_ents[i].ke_data, saved_keys[i], + G_ELI_DATAIVKEYLEN); + } + + keybuf->kb_nents =3D nsaved_keys; + bzero(saved_keys, sizeof(saved_keys)); +} + +static void +save_key(geli_mkey key) +{ + + /* + * If we run out of key space, the worst that will happen is + * it will ask the user for the password again. + */ + if (nsaved_keys < GELI_MAX_KEYS) { + memcpy(saved_keys[nsaved_keys], key, G_ELI_DATAIVKEYLEN)= ; + nsaved_keys++; + } +} + static int geli_same_device(struct geli_entry *ge, struct dsk *dskp) { @@ -191,6 +227,7 @@ geli_attach(struct dsk *dskp, const char *passphrase)= } =20 /* Store the keys */ + save_key(mkey); bcopy(mkey, geli_e->sc.sc_mkey, sizeof(geli_e->sc.sc_mkey)); bcopy(mkey, geli_e->sc.sc_ivkey, sizeof(geli_e->sc.sc_ivkey)); mkp =3D mkey + sizeof(geli_e->sc.sc_ivkey); @@ -231,7 +268,7 @@ is_geli(struct dsk *dskp) return (0); } } -=09 + return (1); } =20 diff --git a/sys/boot/geli/geliboot.h b/sys/boot/geli/geliboot.h index 83df1529571..fbac5316a93 100644 --- a/sys/boot/geli/geliboot.h +++ b/sys/boot/geli/geliboot.h @@ -27,8 +27,10 @@ * $FreeBSD$ */ =20 +#include #include #include +#include =20 #ifndef _GELIBOOT_H_ #define _GELIBOOT_H_ @@ -63,6 +65,7 @@ #define MIN(a,b) (((a) < (b)) ? (a) : (b)) #endif =20 +#define GELI_MAX_KEYS 64 #define GELI_PW_MAXLEN 256 extern void pwgets(char *buf, int n); =20 @@ -89,4 +92,6 @@ int geli_passphrase(char *pw, int disk, int parttype, i= nt part, struct dsk *dskp int geliboot_crypt(u_int algo, int enc, u_char *data, size_t datasize, const u_char *key, size_t keysize, u_char *iv); =20 +void geli_fill_keybuf(keybuf_t *keybuf); + #endif /* _GELIBOOT_H_ */ diff --git a/sys/boot/i386/gptboot/gptboot.c b/sys/boot/i386/gptboot/gptb= oot.c index 14438e6659c..1cc5d963996 100644 --- a/sys/boot/i386/gptboot/gptboot.c +++ b/sys/boot/i386/gptboot/gptboot.c @@ -101,7 +101,7 @@ static char *heap_end; =20 void exit(int); static void load(void); -static int parse(char *, int *); +static int parse_cmds(char *, int *); static int dskread(void *, daddr_t, unsigned); void *malloc(size_t n); void free(void *ptr); @@ -316,7 +316,7 @@ main(void) } if (*cmd !=3D '\0') { memcpy(cmdtmp, cmd, sizeof(cmdtmp)); - if (parse(cmdtmp, &dskupdated)) + if (parse_cmds(cmdtmp, &dskupdated)) break; if (dskupdated && gptinit() !=3D 0) break; @@ -366,7 +366,7 @@ main(void) getstr(cmd, sizeof(cmd)); else if (!OPT_CHECK(RBX_QUIET)) putchar('\n'); - if (parse(cmd, &dskupdated)) { + if (parse_cmds(cmd, &dskupdated)) { putchar('\a'); continue; } @@ -489,7 +489,7 @@ load(void) } =20 static int -parse(char *cmdstr, int *dskupdated) +parse_cmds(char *cmdstr, int *dskupdated) { char *arg =3D cmdstr; char *ep, *p, *q; diff --git a/sys/boot/i386/libi386/bootinfo32.c b/sys/boot/i386/libi386/b= ootinfo32.c index d4344278351..8e050c9d7b2 100644 --- a/sys/boot/i386/libi386/bootinfo32.c +++ b/sys/boot/i386/libi386/bootinfo32.c @@ -32,10 +32,18 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include "bootstrap.h" #include "libi386.h" #include "btxv86.h" =20 +#ifdef LOADER_GELI_SUPPORT +#include "geliboot.h" + +static const size_t keybuf_size =3D sizeof(keybuf_t) + + (GELI_MAX_KEYS * sizeof(keybuf_ent_t)); +#endif + static struct bootinfo bi; =20 /* @@ -146,11 +154,15 @@ bi_load32(char *args, int *howtop, int *bootdevp, v= m_offset_t *bip, vm_offset_t int bootdevnr, i, howto; char *kernelname; const char *kernelpath; +#ifdef LOADER_GELI_SUPPORT + char buf[keybuf_size]; + keybuf_t *keybuf =3D (keybuf_t *)buf; +#endif =20 howto =3D bi_getboothowto(args); =20 - /*=20 - * Allow the environment variable 'rootdev' to override the supplied= device=20 + /* + * Allow the environment variable 'rootdev' to override the supplied= device * This should perhaps go to MI code and/or have $rootdev tested/set= by * MI code before launching the kernel. */ @@ -185,7 +197,7 @@ bi_load32(char *args, int *howtop, int *bootdevp, vm_= offset_t *bip, vm_offset_t case DEVT_NET: case DEVT_ZFS: break; - =20 + default: printf("WARNING - don't know how to boot from device type %d\n", rootde= v->d_type); } @@ -221,6 +233,11 @@ bi_load32(char *args, int *howtop, int *bootdevp, vm= _offset_t *bip, vm_offset_t file_addmetadata(kfp, MODINFOMD_ENVP, sizeof envp, &envp); file_addmetadata(kfp, MODINFOMD_KERNEND, sizeof kernend, &kernend); bios_addsmapdata(kfp); +#ifdef LOADER_GELI_SUPPORT + geli_fill_keybuf(keybuf); + file_addmetadata(kfp, MODINFOMD_KEYBUF, keybuf_size, buf); + bzero(buf, sizeof(buf)); +#endif =20 /* Figure out the size and location of the metadata */ *modulep =3D addr; diff --git a/sys/boot/i386/libi386/bootinfo64.c b/sys/boot/i386/libi386/b= ootinfo64.c index 751e806e1b8..c53ec91e4a9 100644 --- a/sys/boot/i386/libi386/bootinfo64.c +++ b/sys/boot/i386/libi386/bootinfo64.c @@ -40,6 +40,13 @@ __FBSDID("$FreeBSD$"); #include "libi386.h" #include "btxv86.h" =20 +#ifdef LOADER_GELI_SUPPORT +#include "geliboot.h" + +static const size_t keybuf_size =3D sizeof(keybuf_t) + + (GELI_MAX_KEYS * sizeof(keybuf_ent_t)); +#endif + /* * Copy module-related data into the load area, where it can be * used as a directory for loaded modules. @@ -189,6 +196,10 @@ bi_load64(char *args, vm_offset_t addr, vm_offset_t = *modulep, vm_offset_t size; char *rootdevname; int howto; +#ifdef LOADER_GELI_SUPPORT + char buf[keybuf_size]; + keybuf_t *keybuf =3D (keybuf_t *)buf; +#endif =20 if (!bi_checkcpu()) { printf("CPU doesn't support long mode\n"); @@ -197,8 +208,8 @@ bi_load64(char *args, vm_offset_t addr, vm_offset_t *= modulep, =20 howto =3D bi_getboothowto(args); =20 - /*=20 - * Allow the environment variable 'rootdev' to override the supplied= device=20 + /* + * Allow the environment variable 'rootdev' to override the supplied= device * This should perhaps go to MI code and/or have $rootdev tested/set= by * MI code before launching the kernel. */ @@ -238,6 +249,12 @@ bi_load64(char *args, vm_offset_t addr, vm_offset_t = *modulep, if (add_smap !=3D 0) bios_addsmapdata(kfp); =20 +#ifdef LOADER_GELI_SUPPORT + geli_fill_keybuf(keybuf); + file_addmetadata(kfp, MODINFOMD_KEYBUF, keybuf_size, buf); + bzero(buf, sizeof(buf)); +#endif + size =3D bi_copymodules64(0); =20 /* copy our environment */ diff --git a/sys/boot/i386/zfsboot/zfsboot.c b/sys/boot/i386/zfsboot/zfsb= oot.c index bb64384fadc..b78339fd610 100644 --- a/sys/boot/i386/zfsboot/zfsboot.c +++ b/sys/boot/i386/zfsboot/zfsboot.c @@ -121,7 +121,7 @@ static struct dmadat *dmadat; void exit(int); void reboot(void); static void load(void); -static int parse(void); +static int parse_cmd(void); static void bios_getmem(void); void *malloc(size_t n); void free(void *ptr); @@ -398,7 +398,7 @@ bios_getmem(void) v86.ctl =3D 0; v86.addr =3D 0x12; /* int 0x12 */ v86int(); -=09 + bios_basemem =3D (v86.eax & 0xffff) * 1024; } =20 @@ -442,7 +442,7 @@ int13probe(int drive) v86.eax =3D 0x800; v86.edx =3D drive; v86int(); - =20 + if (!V86_CY(v86.efl) && /* carry clear */ ((v86.edx & 0xff) !=3D (drive & DRV_MASK))) { /* unit # OK */ if ((v86.ecx & 0x3f) =3D=3D 0) { /* absurd sector size */ @@ -729,7 +729,7 @@ main(void) */ nextboot =3D 1; memcpy(cmddup, cmd, sizeof(cmd)); - if (parse()) { + if (parse_cmd()) { printf("failed to parse pad2 area of primary vdev\n"); reboot(); } @@ -756,11 +756,11 @@ main(void) =20 if (*cmd) { /* - * Note that parse() is destructive to cmd[] and we also want + * Note that parse_cmd() is destructive to cmd[] and we also want * to honor RBX_QUIET option that could be present in cmd[]. */ memcpy(cmddup, cmd, sizeof(cmd)); - if (parse()) + if (parse_cmd()) autoboot =3D 0; if (!OPT_CHECK(RBX_QUIET)) printf("%s: %s\n", PATH_CONFIG, cmddup); @@ -810,7 +810,7 @@ main(void) else if (!autoboot || !OPT_CHECK(RBX_QUIET)) putchar('\n'); autoboot =3D 0; - if (parse()) + if (parse_cmd()) putchar('\a'); else load(); @@ -979,7 +979,7 @@ zfs_mount_ds(char *dsname) } =20 static int -parse(void) +parse_cmd(void) { char *arg =3D cmd; char *ep, *p, *q; diff --git a/sys/crypto/intake.h b/sys/crypto/intake.h new file mode 100644 index 00000000000..4f1b1e8522e --- /dev/null +++ b/sys/crypto/intake.h @@ -0,0 +1,60 @@ +/*- + * Copyright (c) 2016 Eric McCorkle + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in th= e + * documentation and/or other materials provided with the distributio= n. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AN= D + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE= + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PU= RPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIAB= LE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUE= NTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOO= DS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)= + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, S= TRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY= WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY O= F + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _INTAKE_H_ +#define _INTAKE_H_ + +/* + * This file provides an interface for providing keys to the kernel + * during boot time. + */ + +#define MAX_KEY_BITS 4096 +#define MAX_KEY_BYTES (MAX_KEY_BITS / 8) + +enum { + KEYBUF_TYPE_NONE, + KEYBUF_TYPE_GELI +}; + +typedef struct keybuf_ent_t { + unsigned int ke_type; + char ke_data[MAX_KEY_BYTES]; +} keybuf_ent_t; + +typedef struct keybuf_t { + unsigned int kb_nents; + keybuf_ent_t kb_ents[]; +} keybuf_t; + +#ifdef _KERNEL +/* Get the key intake buffer */ +extern keybuf_t* get_keybuf(void); +#endif + +#endif diff --git a/sys/geom/eli/g_eli.c b/sys/geom/eli/g_eli.c index 6d734aece18..2945149d5f9 100644 --- a/sys/geom/eli/g_eli.c +++ b/sys/geom/eli/g_eli.c @@ -53,6 +53,8 @@ __FBSDID("$FreeBSD$"); #include #include =20 +#include + FEATURE(geom_eli, "GEOM crypto module"); =20 MALLOC_DEFINE(M_ELI, "eli data", "GEOM_ELI Data"); @@ -114,11 +116,29 @@ SYSINIT(geli_fetch_loader_passphrase, SI_SUB_KMEM += 1, SI_ORDER_ANY, static void zero_boot_passcache(void * dummy) { - - memset(cached_passphrase, 0, sizeof(cached_passphrase)); + explicit_bzero(cached_passphrase, sizeof(cached_passphrase)); } EVENTHANDLER_DEFINE(mountroot, zero_boot_passcache, NULL, 0); =20 +static void +zero_geli_intake_keys(void *dummy) +{ + keybuf_t *keybuf; + int i; + + if ((keybuf =3D get_keybuf()) !=3D NULL) { + /* Scan the key buffer, clear all GELI keys. */ + for (i =3D 0; i < keybuf->kb_nents; i++) { + if (keybuf->kb_ents[i].ke_type =3D=3D KEYBUF_TY= PE_GELI) { + explicit_bzero(keybuf->kb_ents[i].ke_da= ta, + sizeof(key)); + keybuf->kb_ents[i].ke_type =3D KEYBUF_T= YPE_NONE; + } + } + } +} +EVENTHANDLER_DEFINE(mountroot, zero_geli_intake_keys, NULL, 0); + static eventhandler_tag g_eli_pre_sync =3D NULL; =20 static int g_eli_destroy_geom(struct gctl_req *req, struct g_class *mp, @@ -997,6 +1017,8 @@ g_eli_taste(struct g_class *mp, struct g_provider *p= p, int flags __unused) u_char key[G_ELI_USERKEYLEN], mkey[G_ELI_DATAIVKEYLEN]; u_int i, nkey, nkeyfiles, tries; int error; + bool found_intake =3D false; + keybuf_t *keybuf; =20 g_trace(G_T_TOPOLOGY, "%s(%s, %s)", __func__, mp->name, pp->name); g_topology_assert(); @@ -1035,97 +1057,115 @@ g_eli_taste(struct g_class *mp, struct g_provide= r *pp, int flags __unused) tries =3D g_eli_tries; } =20 - for (i =3D 0; i <=3D tries; i++) { - g_eli_crypto_hmac_init(&ctx, NULL, 0); - - /* - * Load all key files. - */ - nkeyfiles =3D g_eli_keyfiles_load(&ctx, pp->name); - - if (nkeyfiles =3D=3D 0 && md.md_iterations =3D=3D -1) { - /* - * No key files and no passphrase, something is - * definitely wrong here. - * geli(8) doesn't allow for such situation, so assume - * that there was really no passphrase and in that case - * key files are no properly defined in loader.conf. - */ - G_ELI_DEBUG(0, - "Found no key files in loader.conf for %s.", - pp->name); - return (NULL); - } - - /* Ask for the passphrase if defined. */ - if (md.md_iterations >=3D 0) { - /* Try first with cached passphrase. */ - if (i =3D=3D 0) { - if (!g_eli_boot_passcache) - continue; - memcpy(passphrase, cached_passphrase, - sizeof(passphrase)); - } else { - printf("Enter passphrase for %s: ", pp->name); - cngets(passphrase, sizeof(passphrase), - g_eli_visible_passphrase); - memcpy(cached_passphrase, passphrase, - sizeof(passphrase)); - } - } - - /* - * Prepare Derived-Key from the user passphrase. - */ - if (md.md_iterations =3D=3D 0) { - g_eli_crypto_hmac_update(&ctx, md.md_salt, - sizeof(md.md_salt)); - g_eli_crypto_hmac_update(&ctx, passphrase, - strlen(passphrase)); - bzero(passphrase, sizeof(passphrase)); - } else if (md.md_iterations > 0) { - u_char dkey[G_ELI_USERKEYLEN]; - - pkcs5v2_genkey(dkey, sizeof(dkey), md.md_salt, - sizeof(md.md_salt), passphrase, md.md_iterations); - bzero(passphrase, sizeof(passphrase)); - g_eli_crypto_hmac_update(&ctx, dkey, sizeof(dkey)); - bzero(dkey, sizeof(dkey)); - } - - g_eli_crypto_hmac_final(&ctx, key, 0); - - /* - * Decrypt Master-Key. - */ - error =3D g_eli_mkey_decrypt(&md, key, mkey, &nkey); - bzero(key, sizeof(key)); - if (error =3D=3D -1) { - if (i =3D=3D tries) { - G_ELI_DEBUG(0, - "Wrong key for %s. No tries left.", - pp->name); - g_eli_keyfiles_clear(pp->name); - return (NULL); - } - if (i > 0) { - G_ELI_DEBUG(0, - "Wrong key for %s. Tries left: %u.", - pp->name, tries - i); - } - /* Try again. */ - continue; - } else if (error > 0) { - G_ELI_DEBUG(0, - "Cannot decrypt Master Key for %s (error=3D%d).", - pp->name, error); - g_eli_keyfiles_clear(pp->name); - return (NULL); - } - g_eli_keyfiles_clear(pp->name); - G_ELI_DEBUG(1, "Using Master Key %u for %s.", nkey, pp->name); - break; - } + if ((keybuf =3D get_keybuf()) !=3D NULL) { + /* Scan the key buffer, try all GELI keys. */ + for (i =3D 0; i < keybuf->kb_nents; i++) { + if (keybuf->kb_ents[i].ke_type =3D=3D KEYBUF_TY= PE_GELI) { + memcpy(key, keybuf->kb_ents[i].ke_data,= + sizeof(key)); + + if (g_eli_mkey_decrypt(&md, key, + mkey, &nkey) =3D=3D 0 ) { + found_intake =3D true; + break; + } + } + } + } + explicit_bzero(key, sizeof(key)); + if (!found_intake) { + for (i =3D 0; i <=3D tries; i++) { + g_eli_crypto_hmac_init(&ctx, NULL, 0); + + /* + * Load all key files. + */ + nkeyfiles =3D g_eli_keyfiles_load(&ctx, pp->name= ); + + if (nkeyfiles =3D=3D 0 && md.md_iterations =3D=3D= -1) { + /* + * No key files and no passphrase, somet= hing is + * definitely wrong here. + * geli(8) doesn't allow for such situat= ion, so assume + * that there was really no passphrase a= nd in that case + * key files are no properly defined in = loader.conf. + */ + G_ELI_DEBUG(0, + "Found no key files in loader.conf f= or %s.", + pp->name); + return (NULL); + } + + /* Ask for the passphrase if defined. */ + if (md.md_iterations >=3D 0) { + /* Try first with cached passphrase. */ + if (i =3D=3D 0) { + if (!g_eli_boot_passcache) + continue; + memcpy(passphrase, cached_passph= rase, + sizeof(passphrase)); + } else { + printf("Enter passphrase for %s:= ", pp->name); + cngets(passphrase, sizeof(passph= rase), + g_eli_visible_passphrase); + memcpy(cached_passphrase, passph= rase, + sizeof(passphrase)); + } + } + + /* + * Prepare Derived-Key from the user passphrase.= + */ + if (md.md_iterations =3D=3D 0) { + g_eli_crypto_hmac_update(&ctx, md.md_sal= t, + sizeof(md.md_salt)); + g_eli_crypto_hmac_update(&ctx, passphras= e, + strlen(passphrase)); + explicit_bzero(passphrase, sizeof(passph= rase)); + } else if (md.md_iterations > 0) { + u_char dkey[G_ELI_USERKEYLEN]; + + pkcs5v2_genkey(dkey, sizeof(dkey), md.md= _salt, + sizeof(md.md_salt), passphrase, md.m= d_iterations); + bzero(passphrase, sizeof(passphrase)); + g_eli_crypto_hmac_update(&ctx, dkey, siz= eof(dkey)); + explicit_bzero(dkey, sizeof(dkey)); + } + + g_eli_crypto_hmac_final(&ctx, key, 0); + + /* + * Decrypt Master-Key. + */ + error =3D g_eli_mkey_decrypt(&md, key, mkey, &nk= ey); + bzero(key, sizeof(key)); + if (error =3D=3D -1) { + if (i =3D=3D tries) { + G_ELI_DEBUG(0, + "Wrong key for %s. No tries = left.", + pp->name); + g_eli_keyfiles_clear(pp->name); + return (NULL); + } + if (i > 0) { + G_ELI_DEBUG(0, + "Wrong key for %s. Tries lef= t: %u.", + pp->name, tries - i); + } + /* Try again. */ + continue; + } else if (error > 0) { + G_ELI_DEBUG(0, + "Cannot decrypt Master Key for %s (e= rror=3D%d).", + pp->name, error); + g_eli_keyfiles_clear(pp->name); + return (NULL); + } + g_eli_keyfiles_clear(pp->name); + G_ELI_DEBUG(1, "Using Master Key %u for %s.", nk= ey, pp->name); + break; + } + } =20 /* * We have correct key, let's attach provider. diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c index 9e769c34fea..e6fa01c54b3 100644 --- a/sys/opencrypto/crypto.c +++ b/sys/opencrypto/crypto.c @@ -63,6 +63,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -74,6 +75,7 @@ __FBSDID("$FreeBSD$"); #include =20 #include +#include #include #include /* XXX for M_XDATA */ =20 @@ -84,6 +86,7 @@ __FBSDID("$FreeBSD$"); #if defined(__i386__) || defined(__amd64__) || defined(__aarch64__) #include #endif +#include =20 SDT_PROVIDER_DEFINE(opencrypto); =20 @@ -186,6 +189,36 @@ SYSCTL_INT(_debug, OID_AUTO, crypto_timing, CTLFLAG_= RW, &crypto_timing, 0, "Enable/disable crypto timing support"); #endif =20 +/* Try to avoid directly exposing the key buffer as a symbol */ +static keybuf_t *keybuf =3D NULL; + +static keybuf_t empty_keybuf =3D { + .kb_nents =3D 0 +}; + +/* Obtain the key buffer from boot metadata */ +static void +keybuf_init(void) +{ + caddr_t kmdp; + + kmdp =3D preload_search_by_type("elf kernel"); + + if (kmdp =3D=3D NULL) + kmdp =3D preload_search_by_type("elf64 kernel"); + + keybuf =3D (keybuf_t *)preload_search_info(kmdp, + MODINFO_METADATA | MODINFOMD_KEYBUF); + + if (keybuf =3D=3D NULL) + keybuf =3D &empty_keybuf; +} + +/* It'd be nice if we could store these in some kind of secure memory...= */ +keybuf_t* get_keybuf(void) { + return (keybuf); +} + static int crypto_init(void) { @@ -238,6 +271,9 @@ crypto_init(void) error); goto bad; } + + keybuf_init(); + return 0; bad: crypto_destroy(); diff --git a/sys/sys/linker.h b/sys/sys/linker.h index e650967cecb..49ac80a4027 100644 --- a/sys/sys/linker.h +++ b/sys/sys/linker.h @@ -143,7 +143,7 @@ int linker_file_foreach(linker_predicate_t *_predicat= e, void *_context); * Lookup a symbol in a file. If deps is TRUE, look in dependencies * if not found in file. */ -caddr_t linker_file_lookup_symbol(linker_file_t _file, const char* _name= ,=20 +caddr_t linker_file_lookup_symbol(linker_file_t _file, const char* _name= , int _deps); =20 /* @@ -157,7 +157,7 @@ int linker_file_lookup_set(linker_file_t _file, const= char *_name, /* * List all functions in a file. */ -int linker_file_function_listall(linker_file_t,=20 +int linker_file_function_listall(linker_file_t, linker_function_nameval_callback_t, void *); =20 /* @@ -217,6 +217,7 @@ void *linker_hwpmc_list_objects(void); #define MODINFOMD_CTORS_ADDR 0x000a /* address of .ctors */ #define MODINFOMD_CTORS_SIZE 0x000b /* size of .ctors */ #define MODINFOMD_FW_HANDLE 0x000c /* Firmware dependent handle */ +#define MODINFOMD_KEYBUF 0x000d /* Crypto key intake buffer */ #define MODINFOMD_NOCOPY 0x8000 /* don't copy this metadata to the kern= el */ =20 #define MODINFOMD_DEPLIST (0x4001 | MODINFOMD_NOCOPY) /* depends on */ --------------E31E4CC531EE896A8C281EC0-- --jmJEd4Js9xDh8P6M6aV64OhDxXmdRl4Bh-- --X7FPO3HRCLtP8EF11JkUNmr81Rg9AtiPG Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQRELMWN3SgpoYkrmidWwohAqoAEjQUCWKRiigAKCRBWwohAqoAE jXLkAQCP26VGHDnGoFbNWOGWsEdeaoMwPN17KP7yjIJuxJCmwAD/Rz2NbZ0mJVDQ 1elCb7zT2ziAha+MmFAaR+niNzBGjww= =uFcz -----END PGP SIGNATURE----- --X7FPO3HRCLtP8EF11JkUNmr81Rg9AtiPG--