From: Karl Denninger <karl@denninger.net>
To: Ian Lepore
Cc: freebsd-stable@freebsd.org
Subject: Re: Geli prompts on gptzfsboot (Was:: Serious ZFS Bootcode Problem (GPT NON-UEFI -- RESOLVED)
Date: Sun, 10 Feb 2019 12:35:55 -0600
In-Reply-To: <398cae11ff6b81d0bc1dbdcd54f64eb97b2c812a.camel@freebsd.org>

On 2/10/2019 12:01, Ian Lepore wrote:
> On Sun, 2019-02-10 at 11:54 -0600, Karl Denninger wrote:
>> On 2/10/2019 11:50, Ian Lepore wrote:
>>> On Sun, 2019-02-10 at 11:37 -0600, Karl Denninger wrote:
>>>
>>>> [...]
>>>>
>>>> BTW am I correct that gptzfsboot did *not* get the ability to read
>>>> geli-encrypted pools in 12.0?  The UEFI loader does know how (which I'm
>>>> using on my laptop) but I was under the impression that for non-UEFI
>>>> systems you still needed the unencrypted boot partition from which to
>>>> load the kernel.
>>>>
>>> Nope, that's not correct. GELI support was added to the boot and loader
>>> programs for both ufs and zfs in freebsd 12. You must set the geli '-g'
>>> option to be prompted for the passphrase while booting (this is
>>> separate from the '-b' flag that enables mounting the encrypted
>>> partition as the rootfs).
>>> You can use "geli configure -g" to turn on
>>> the flag on any existing geli partition.
>>>
>>> -- Ian
>> Excellent - this will eliminate the need for me to run down the
>> foot-shooting that occurred in my update script since the unencrypted
>> kernel partition is no longer needed at all.  That also significantly
>> reduces the attack surface on such a machine (although you could still
>> tamper with the contents of freebsd-boot of course.)
>>
>> The "-g" flag I knew about from experience in putting 12 on my X1 Carbon
>> (which works really well incidentally; the only issue I'm aware of is
>> that there's no 5Ghz WiFi support.)
>>
> One thing that is rather unfortunate... if you have multiple geli
> encrypted partitions that all have the same passphrase, you will be
> required to enter that passphrase twice while booting -- once in
> gpt[zfs]boot, then again during kernel startup when the rest of the
> drives/partitions get tasted by geom. This is because APIs within the
> boot process got changed to pass keys instead of the passphrase itself
> from one stage of booting to the next, and the fallout of that is the
> key for the rootfs is available to the kernel for mountroot, but the
> passphrase is not available to the system when geom is probing all the
> devices, so you get prompted for it again.
>
> -- Ian

Let me see if I understand this before I do it then... :-)

I have the following layout:

1. Two SSDs that contain the OS as a two-provider ZFS pool, which has "-b"
set on both members; I get the "GELI Passphrase:" prompt from the loader
and those two providers (along with encrypted swap) attach early in the
boot process.  The same SSDs contain a mirrored non-encrypted pool that
has /boot (and only /boot) on it because previously you couldn't boot
from an EFI-encrypted pool at all.
Thus:

[\u@NewFS /root]# gpart show da1
=>       34  468862061  da1  GPT  (224G)
         34       2014       - free -  (1.0M)
       2048       1024    1  freebsd-boot  (512K)
       3072       1024       - free -  (512K)
       4096   20971520    2  freebsd-zfs  [bootme]  (10G)
   20975616  134217728    3  freebsd-swap  (64G)
  155193344  313667584    4  freebsd-zfs  (150G)
  468860928       1167       - free -  (584K)

There is of course a "da2" that is identical.  The actual encrypted root
pool is on partition 4 with "-b" set at present.  I get prompted from
loader as a result after the unencrypted partition (#2) boots.

2. Multiple additional "user space" pools on a bunch of other disks.

Right now #2 is using geli groups.  Prior to 12.0 they were handled using
a custom /etc/rc.d script I wrote that did basically the same thing that
geli groups does because all use the same passphrase and entering the
same thing over and over on a boot was a pain in the butt.  It prompted
cleanly with no echo, took a password and then iterated over a list of
devices attaching them one at a time.  That requirement is now gone with
geli groups, which is nice since mergemaster always complained about it
being a "non-standard" thing; it *had* to go in /etc/rc.d and not in
/usr/etc/rc.d else I couldn't get it to run early enough -- unfortunately.
So if I remove the non-encrypted freebsd-zfs mirror that the system boots
from in favor of setting "-g" on the root pool (both providers),
gptzfsboot will find and prompt for the password to boot before loader
gets invoked at all, much like the EFI loader does.  That's good.  (My
assumption is that the "-g" is sufficient; I don't need (or want)
"bootme" set -- correct?)

/However,/ once the kernel boots, somewhere in the mishmash of boot-time
messages, and probably not where it's instantly obvious nor where it will
halt the cascade display on the console, I'm going to get asked for that
passphrase again?  I assume I want to remove
'geom_eli_passphrase_prompt="YES"' from loader.conf as well -- or would
leaving it in there save me from the prompt that's hard to find in the
cascade?

Or, even better, would that situation of a double-prompt only apply if I
had "-b" set on something /other than/ the boot device pool vdevs (I
don't -- those are handled by #2 for this exact reason.)
-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
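As an added example, not part of this thread and not FreeBSD project code: a small POSIX sh helper for checking the two flags Ian distinguishes above ('-b' = BOOT, '-g' = GELIBOOT) on an existing provider before removing the unencrypted /boot pool. It decodes the flags word from the "flags:" line of `geli dump` output and says which boot stage will ask for the passphrase. Assumptions: the bit values (BOOT = 0x2, GELIBOOT = 0x200) are as I recall them from sys/geom/eli/g_eli.h, and `geli dump` is assumed to print a line of the form "flags: 0x...", so verify both against your own system; the sample dump lines below are constructed, and da1p4/da2p4 are just partition 4 of the two SSDs from the gpart listing in the message.

```shell
#!/bin/sh
# Added example (not from the thread). Decode the GELI metadata flags word and
# report which boot stage will prompt for the passphrase on FreeBSD 12.
# Bit values as recalled from sys/geom/eli/g_eli.h -- an assumption; verify locally.
ELI_FLAG_BOOT=2        # 'geli init -b' / 'geli configure -b': marked for use as the rootfs
ELI_FLAG_GELIBOOT=512  # 'geli init -g' / 'geli configure -g': gptzfsboot/loader prompt for it

# eli_flag_names 0xNNN -> comma-separated names of the boot-relevant flags that are set
eli_flag_names() {
    efn_flags=$(printf '%d' "$1")      # printf %d accepts the 0x prefix
    efn_names=""
    [ $((efn_flags & ELI_FLAG_BOOT)) -ne 0 ] && efn_names="${efn_names}BOOT,"
    [ $((efn_flags & ELI_FLAG_GELIBOOT)) -ne 0 ] && efn_names="${efn_names}GELIBOOT,"
    printf '%s\n' "${efn_names%,}"
}

# eli_boot_verdict 0xNNN -> one line describing when the passphrase will be asked for,
# following Ian's description of what -g and -b each control
eli_boot_verdict() {
    ebv_flags=$(printf '%d' "$1")
    ebv_g=$((ebv_flags & ELI_FLAG_GELIBOOT))
    ebv_b=$((ebv_flags & ELI_FLAG_BOOT))
    if [ "$ebv_g" -ne 0 ] && [ "$ebv_b" -ne 0 ]; then
        echo "GELIBOOT+BOOT: gptzfsboot/loader prompts; kernel receives the key for mountroot"
    elif [ "$ebv_g" -ne 0 ]; then
        echo "GELIBOOT only: gptzfsboot/loader prompts, but BOOT is not set so it is not marked as rootfs"
    elif [ "$ebv_b" -ne 0 ]; then
        echo "BOOT only: no prompt from gptzfsboot; an unencrypted /boot is still needed to reach loader"
    else
        echo "neither: attached after kernel start (rc / geli groups) and prompted for separately"
    fi
}

# eli_dump_flags: print the flags word from 'geli dump' output read on stdin.
# Assumes a line like '     flags: 0x202' (check against real geli(8) output).
eli_dump_flags() {
    awk '$1 == "flags:" { print $2; exit }'
}

# Demo on constructed lines (not captured from a real system). On a real box:
#   geli dump da1p4 | eli_dump_flags
# and, to add the flag Ian mentions to both root providers:
#   geli configure -g da1p4; geli configure -g da2p4
for eli_sample in 'flags: 0x2' 'flags: 0x202' 'flags: 0x0'; do
    eli_w=$(printf '%s\n' "$eli_sample" | eli_dump_flags)
    printf '%s [%s] -> %s\n' "$eli_w" "$(eli_flag_names "$eli_w")" "$(eli_boot_verdict "$eli_w")"
done
```

The "BOOT only" case is the layout described in the message (root pool with -b, kernel loaded from the unencrypted partition 2); "GELIBOOT+BOOT" is the target state, and "neither" is what the user-space pools handled by geli groups look like, which is where Ian's second prompt comes from.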