From a1a625a4d6b243203c4aa8b2fde21c641052c7a4 Mon Sep 17 00:00:00 2001 From: Brett McLarnon Date: Mon, 22 Jul 2024 16:10:36 -0700 Subject: [PATCH] Update verifying_attestation_records/README.md for new provenance format. Switching from slsa-github-generator to the attest-build-provenance action results in slightly different information in Rekor. Also update the example ledger evidence to match the version used in the README. Change-Id: I835d27f3e95bfe05510ce36072bb622fb7d326ca --- inspecting_attestation_records/README.md | 57 ++++++++---------- ...th_empty_data_access_policy_from_file.snap | 25 ++++---- ...h_empty_data_access_policy_from_stdin.snap | 25 ++++---- ...cord_with_nonempty_data_access_policy.snap | 25 ++++---- .../tests/testdata/ledger_evidence.pb | Bin 2594 -> 2639 bytes 5 files changed, 62 insertions(+), 70 deletions(-) diff --git a/inspecting_attestation_records/README.md b/inspecting_attestation_records/README.md index d501501..1f5f87b 100644 --- a/inspecting_attestation_records/README.md +++ b/inspecting_attestation_records/README.md @@ -81,7 +81,7 @@ _____ Root Layer _____ _____ Application Layer _____ binary: - sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4 + sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe config: {} 
@@ -154,44 +154,39 @@ the `https://search.sigstore.dev/?hash={THE_SHA256_HASH}` URL format, where `{THE_SHA256_HASH}` is the SHA2-256 hash of the binary in the evidence/access policy. These entries should show the binaries' provenance, including a link to the Git commit on GitHub that the binaries were built from, as well as the -command that was used to build the binary, and which should allow you to +workflow that was used to build the binary, and which should allow you to rebuild the same binary in a reproducible manner. For example, below is an excerpt of the SLSA provenance record for the ledger application binary listed in the example explanation output above -(https://search.sigstore.dev/?hash=892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4): +(https://search.sigstore.dev/?hash=5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe): ``` -predicate: - buildDefinition: - buildType: https://slsa.dev/container-based-build/v0.1?draft - externalParameters: - source: - uri: >- - git+https://github.com/google-parfait/confidential-federated-compute@refs/heads/main - digest: - sha1: 20a4f3fc1f49943d03b76b264d3dc0ce90f83ade - builderImage: - uri: >- - rust@sha256:4013eb0e2e5c7157d5f0f11d83594d8bad62238a86957f3d57e447a6a6bdf563 - digest: - sha256: 4013eb0e2e5c7157d5f0f11d83594d8bad62238a86957f3d57e447a6a6bdf563 - configPath: buildconfigs/ledger_enclave_app.toml - buildConfig: - ArtifactPath: target/x86_64-unknown-none/release/ledger_enclave_app - Command: - - sh - - '-c' - - >- - GITHUB_ACTION="provenance" scripts/setup_build_env.sh && cargo build - --release --package ledger_enclave_app +GitHub Workflow SHA: 0f8072c8e9dda36170f0fa466305e9664716fb56 +GitHub Workflow Name: Build and attest all +GitHub Workflow Repository: google-parfait/confidential-federated-compute +GitHub Workflow Ref: refs/heads/main +OIDC Issuer (v2): https://token.actions.githubusercontent.com +Build Signer URI: 
https://github.com/google-parfait/confidential-federated-compute/.github/workflows/build.yaml@refs/heads/main +Build Signer Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56 +Runner Environment: github-hosted +Source Repository URI: https://github.com/google-parfait/confidential-federated-compute +Source Repository Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56 +Source Repository Ref: refs/heads/main +Source Repository Identifier: '775138920' +Source Repository Owner URI: https://github.com/google-parfait +Source Repository Owner Identifier: '164364956' +Build Config URI: https://github.com/google-parfait/confidential-federated-compute/.github/workflows/build.yaml@refs/heads/main +Build Config Digest: 0f8072c8e9dda36170f0fa466305e9664716fb56 +Build Trigger: push +Run Invocation URI: https://github.com/google-parfait/confidential-federated-compute/actions/runs/10088700871/attempts/1 ... ... ``` It describes that the ledger application binary was produced at commit -20a4f3fc1f49943d03b76b264d3dc0ce90f83ade in the -https://github.com/google-parfait/confidential-federated-compute repository, -and it shows that the `GITHUB_ACTION="provenance" scripts/setup_build_env.sh && -cargo build --release --package ledger_enclave_app` command was used to build -the binary. +0f8072c8e9dda36170f0fa466305e9664716fb56 in the +https://github.com/google-parfait/confidential-federated-compute repository +using the "Build and attest all" workflow. +https://github.com/google-parfait/confidential-federated-compute/actions/runs/10088700871/attempts/1 +has more information about the action that produced the binary. diff --git a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap index 769c3fa..898ae57 100644 
--- a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap +++ b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_file.snap @@ -1,6 +1,5 @@ --- source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs -assertion_line: 63 expression: "output.replace(record_file_path, \"{TMP_RECORD_FILE}\")" --- Inspecting record at {TMP_RECORD_FILE}. @@ -16,9 +15,9 @@ _____ Root Layer _____ The attestation is rooted in an AMD SEV-SNP TEE. Attestations identifying the firmware captured in the evidence can be found here: -https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d +https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5 -ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer. +ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer. The evidence describing this layer is outlined below. 
@@ -26,16 +25,16 @@ sev_snp: current_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 debug: false - hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f - initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a - report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000 + hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf + initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704 + report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000 reported_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 vmpl: 0 
@@ -45,19 +44,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/ _____ Kernel Layer _____ Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below. -Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 -Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 +Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b +Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 The evidence describing the kernel layer is outlined below. acpi: sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb init_ram_fs: - sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 + sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 kernel_cmd_line: sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297 kernel_image: - sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 + sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b kernel_raw_cmd_line: console=ttyS0 kernel_setup_data: sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1 @@ -72,7 +71,7 @@ _____ Application Layer _____ The evidence describing the application is outlined below. binary: - sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4 + sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe config: {} diff --git a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap index 2639614..f7aafbf 100644 
--- a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap +++ b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_empty_data_access_policy_from_stdin.snap @@ -1,6 +1,5 @@ --- source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs -assertion_line: 88 expression: output --- Inspecting record provided via stdin. @@ -16,9 +15,9 @@ _____ Root Layer _____ The attestation is rooted in an AMD SEV-SNP TEE. Attestations identifying the firmware captured in the evidence can be found here: -https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d +https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5 -ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer. +ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer. The evidence describing this layer is outlined below. 
@@ -26,16 +25,16 @@ sev_snp: current_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 debug: false - hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f - initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a - report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000 + hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf + initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704 + report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000 reported_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 vmpl: 0 
@@ -45,19 +44,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/ _____ Kernel Layer _____ Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below. -Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 -Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 +Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b +Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 The evidence describing the kernel layer is outlined below. acpi: sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb init_ram_fs: - sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 + sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 kernel_cmd_line: sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297 kernel_image: - sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 + sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b kernel_raw_cmd_line: console=ttyS0 kernel_setup_data: sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1 @@ -72,7 +71,7 @@ _____ Application Layer _____ The evidence describing the application is outlined below. binary: - sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4 + sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe config: {} diff --git a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap index a6a8c82..ab99912 100644 
--- a/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap +++ b/tools/explain_fcp_attestation_record/tests/snapshots/snapshot_tests__explain_record_with_nonempty_data_access_policy.snap @@ -1,6 +1,5 @@ --- source: tools/explain_fcp_attestation_record/tests/snapshot_tests.rs -assertion_line: 109 expression: buf --- ======================================== @@ -14,9 +13,9 @@ _____ Root Layer _____ The attestation is rooted in an AMD SEV-SNP TEE. Attestations identifying the firmware captured in the evidence can be found here: -https://search.sigstore.dev/?hash=33d5453b09e16ed0d6deb7c9f076b66b92a1b472d89534034717143554f6746d +https://search.sigstore.dev/?hash=a8c51290169976afc37e6e6d866107285b5f4711a9ce5389c05d9a5d297d68c5 -ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a; it is listed as the 'initial_measurement' in the evidence of this layer. +ⓘ The firmware attestation digest is the SHA2-256 hash of the SHA2-384 hash of the initial memory state taken by the AMD SoC. The original SHA2-384 hash of the initial memory is: SHA2-384:571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704; it is listed as the 'initial_measurement' in the evidence of this layer. The evidence describing this layer is outlined below. 
@@ -24,16 +23,16 @@ sev_snp: current_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 debug: false - hardware_id: d137b92d3ea7907e6829d123513c2a250acfa5c9eecfc5759f79c574eaf61792c0692af3b9caa39ab4069a329e7f8152b3fa2e2fee2717b42cd263983244198f - initial_measurement: 6c090e4594fd40ee186c90d43f7ad8d904838baa9643a4be1d9d4ff0fdd670a62565e2417660008e058cc2f2029eac8a - report_data: 8ef5ac52c6101d73903859b9b242cc1a84ca096a1fc13b15abcfd2857b6ea0450000000000000000000000000000000000000000000000000000000000000000 + hardware_id: c1f5c58f728e2eded313ee675ac982393169c9bbffe6e250c54d81fcea2dad556d314f3c62c16cb9ae3d22f68a747261835f220d3656d0e6b646e6b2f11252cf + initial_measurement: 571e632335e16997bdc312208d540b083518fe05d84b8954a6529a019a04229f25347fdaac1bc80418addc64a3d48704 + report_data: f75ac8ac3bfd479a0f121c384d71b4c032867895db71d91d135710083fd780a10000000000000000000000000000000000000000000000000000000000000000 reported_tcb: boot_loader: 3 microcode: 209 - snp: 20 + snp: 22 tee: 0 vmpl: 0 
@@ -43,19 +42,19 @@ Note: binaries for this layer are generally provided by the Oak project (https:/ _____ Kernel Layer _____ Attestations identifying the binaries captured in the evidence in this layer can be found as outlined below. -Kernel: https://search.sigstore.dev/?hash=ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 -Initial Ramdisk: https://search.sigstore.dev/?hash=daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 +Kernel: https://search.sigstore.dev/?hash=4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b +Initial Ramdisk: https://search.sigstore.dev/?hash=51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 The evidence describing the kernel layer is outlined below. acpi: sha2_256: dbaccae7bfbf006e2b8623a82f1a5fcda2ea0392233c26b18356b3bcfac231eb init_ram_fs: - sha2_256: daf79f24b5744340ac18c2b468e7e0a7915684c5dfda2450acfa7225bdc75bb8 + sha2_256: 51534334403d87176dc66406a07b5108d51f46a8534497c21f2769d1217c51b8 kernel_cmd_line: sha2_256: 2b98586d9905a605c295d77c61e8cfd2027ae5b8a04eefa9018436f6ad114297 kernel_image: - sha2_256: ec752c660481432f525f49d0be1521c7ea42ebbf2ce705aad2781a329e1001d8 + sha2_256: 4b1e70ad0ad326f3ee6f8f45f77358f0b8bb5df05321a5abc34c66022e27450b kernel_raw_cmd_line: console=ttyS0 kernel_setup_data: sha2_256: 4cd020820da663063f4185ca14a7e803cd7c9ca1483c64e836db840604b6fac1 @@ -70,7 +69,7 @@ _____ Application Layer _____ The evidence describing the application is outlined below. binary: - sha2_256: 892137def97d26c6b054093a5757919189878732ce4ab111212729007b30c0b4 + sha2_256: 5d10d8013345814e07141c6a4c9297d37653239132749574a2a71483c413e9fe config: {} 
diff --git a/tools/explain_fcp_attestation_record/tests/testdata/ledger_evidence.pb b/tools/explain_fcp_attestation_record/tests/testdata/ledger_evidence.pb index 810a205993c4363c1e838b2b4f1ac0bcf4de4fc1..bcaa699e4979ac9720f3e3376c05b7e04008e4b3 100644 GIT binary patch
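
Review bot: In the inspecting_attestation_records/README.md hunk at @@ -154,44 +154,39 @@, the rewritten sentence still says the record "should allow you to rebuild the same binary in a reproducible manner", but the new excerpt no longer shows the builder image digest or the cargo build command that the removed block carried; it names only the workflow and the commit. Suggest telling the reader where those inputs now live, for example that the build steps are in .github/workflows/build.yaml at commit 0f8072c8e9dda36170f0fa466305e9664716fb56 (the Build Config Digest), and that Build Signer URI and Build Config URI are given at refs/heads/main, so the digest fields rather than the ref are what pin the build. The prose above the excerpt still calls it a "SLSA provenance record" although it is now a flat list of key/value fields rather than a predicate structure. Separately, the subject line names verifying_attestation_records/README.md while the file changed is inspecting_attestation_records/README.md.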
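
Review bot: In the three .snap files under tools/explain_fcp_attestation_record/tests/snapshots/, the hunks move more than the application binary digest: the firmware, kernel and initial ramdisk digests, hardware_id, initial_measurement, report_data and the snp TCB value (20 to 22) all change, whereas the README hunk at @@ -81,7 +81,7 @@ updates only the Application Layer sha2_256. Please confirm that the README's Root Layer and Kernel Layer example output already shows these values, or update it in this change so the README and the snapshots describe the same evidence. The removed assertion_line header in each snapshot is unrelated to the provenance format; a line in the commit message explaining it would make the change easier to review.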
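
Review bot: tests/testdata/ledger_evidence.pb is replaced as a binary blob (2594 -> 2639 bytes per the diffstat), so the only check a reviewer has that it matches the README is the regenerated snapshot output. Suggest recording in the commit message where the new evidence was captured from, so the fixture can be regenerated later and its digests traced to the search.sigstore.dev entries linked in the snapshots.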