From b9ea5cded1d27aa3fca86883fdfe213ba43e7614 Mon Sep 17 00:00:00 2001 From: Patrick Roy Date: Fri, 25 Aug 2023 13:51:32 +0100 Subject: [PATCH 1/8] firecracker blog post Signed-off-by: Patrick Roy Co-authored-by: Felipe R. Monteiro --- ...-security-boundaries-in-aws-firecracker.md | 292 ++++++++++++++++++ assets/images/token-bucket-diagram.png | Bin 0 -> 65351 bytes assets/images/virtio-diagram.png | Bin 0 -> 75383 bytes 3 files changed, 292 insertions(+) create mode 100644 _posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md create mode 100644 assets/images/token-bucket-diagram.png create mode 100644 assets/images/virtio-diagram.png diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md new file mode 100644 index 0000000..8b0e65e --- /dev/null +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -0,0 +1,292 @@ +--- +layout: post +title: Using Kani to Validate Security Boundaries in AWS Firecracker +--- + +AWS is committed to achieving the highest levels of security in the cloud. To work towards this goal, we have applied the Kani model checker to verify safety-critical properties in core components of the Firecracker Virtual Machine Monitor using mathematical logic. + +Firecracker is an open source project written in Rust which uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design which allows fast (~150ms) microVM start-up time, secure multi-tenancy of microVMs on the same host and memory/CPU over-subscription. Firecracker is currently used in production by AWS Lambda, AWS Fargate and parts of AWS Analytics to build their service platforms. + +For the past 7 months, Felipe Monteiro, an Applied Scientist on the [Kani](https://github.com/model-checking/kani/) team and Patrick Roy, a Software Development Engineer from the [AWS Firecracker](https://github.com/firecracker-microvm/firecracker) team, collaborated to develop Kani harnesses for Firecracker. As a result of this collaboration, the Firecracker team is now running 27 Kani harnesses across 3 verification suites in their continuous integration pipelines (taking approximately 15 minutes to complete), ensuring that all checked properties of critical systems are upheld on every code change. + +In this blog post, we show how Kani helped Firecracker harden two core components, namely our I/O rate limiter and I/O transport layer (VirtIO), presenting the issues we were able to identify and fix. Particularly, the second part of this post picks up from a [previous Kani/Firecracker blogpost](https://model-checking.github.io/kani-verifier-blog/2022/07/13/using-the-kani-rust-verifier-on-a-firecracker-example.html) and shows how improvements to Kani over the last year made verifying conformance with a section of the VirtIO specification feasible. 
+ +## Noisy-Neighbor Mitigations via Rate Limiting + +In multi-tenant systems, microVMs from different customers simultaneously co-exist on the same physical host. We thus need to ensure that access to host resources, such as disk and network, is shared fairly. We should not allow a single “greedy” microVM to transfer excessive amounts of data from disk to the point where other microVMs’ disk access gets starved off (a “noisy neighbor” scenario). Firecracker offers a mitigation for this via *I/O rate-limiting*. From the [documentation](https://github.com/firecracker-microvm/firecracker/blob/4a3e9bd76d9fc57a3538c1aeb7e5687de43a0efa/docs/design.md#io-storage-networking-and-rate-limiting): + + +>Firecracker provides VirtIO/block and VirtIO/net emulated devices, along with the application of rate limiters to each volume and network interface to make sure host hardware resources are used fairly by multiple microVMs. These are implemented using a token bucket algorithm [...] + + +In a token bucket based rate-limiter, each microVM has a budget of “tokens” that can be exchanged for permission to do one byte of I/O. These tokens regenerate at a fixed rate, and if the microVM runs out of tokens, it gets I/O-throttled. This process of draining and replenishing is best visualized by an actual bucket into which water drips at a fixed rate, and from which water can be extracted at some limited rate: + +Image visualizing the replenishing and draining of a TokenBucket + +The property we want to verify is that a microVM is not allowed to exceed the configured maximum I/O throughput rate. For a virtual block device rate-limited at 1GB/s, we want to prove that in any one-second interval, at most 1GB of data is allowed to pass through the device. + +What sounds simple in theory is actually fairly difficult to implement. 
For example, due to a [rounding error](https://github.com/firecracker-microvm/firecracker/pull/3706) a guest could, in some scenarios, do up to 0.01% more I/O than configured. We discovered this bug thanks to a Kani harness for our throughput property stated above, and this harnesses is the main focus of the rest of this section. + +### Teaching Kani about Time + +The core component of our rate-limiting implementation is a `TokenBucket`. In Firecracker, we define it as + +```rs +pub struct TokenBucket { + // Maximal number of tokens this bucket can hold. + size: u64, + + // Complete refill time in milliseconds. + refill_time: u64, + + // Current token budget. + budget: u64, + + // Last time this token bucket was replenished. + last_update: Instant, + + // -- snip -- +} +``` + +It offers an `auto_replenish` function which computes how many tokens the leaky bucket algorithm should have generated since `last_update` (and then updates `last_update` accordingly). This function will be the target of our verification. + +A `TokenBucket` is inherently tied to time-related APIs such as `std::time::Instant`, for which Kani does not have built-in support. This means it is not able to reason about `TokenBucket`s. To solve this problem, we use Kani’s [stubbing](https://model-checking.github.io/kani-verifier-blog/2023/02/28/kani-internship-projects-2022-stubbing.html) to provide a model for the `Instant::now` function. Since Firecracker uses a monotonic clock for its rate-limiting, this stub needs to return non-deterministic monotonically non-decreasing instants. + +However, when trying to stub `now`, one will quickly notice that `Instant` does not offer any constructors for creating an instance from, say, a Unix timestamp. In fact, it is impossible to construct an `Instant` outside of the standard library as its fields are private. 
When in such a situation, the solution is often to go down the call stack of the function that you want to stub, to see if any of the functions further down can be stubbed out instead to achieve the desired effect. In our case, `now` calls functions in (private) OS specific time modules, until it bottoms out at [`libc::clock_gettime`](https://www.gnu.org/software/libc/manual/html_node/Getting-the-Time.html#index-clock_005fgettime). + +The `clock_gettime` function is passed a pointer to a `libc::timespec` structure, and the `tv_sec` and `tv_nsec` members of this structure are later used to construct the `Instant` returned by `Instant::now`. Therefore, we can use the following stub to achieve our goal of getting non-deterministic, monotonically non-decreasing `Instant`s: + +```rs +mod stubs { + static mut LAST_SECONDS: i64 = 0; + static mut LAST_NANOS: i64 = 0; + + const NANOS_PER_SECOND: i64 = 1_000_000_000; + + pub unsafe extern "C" fn clock_gettime(_clock_id: libc::clockid_t, tp: *mut libc::timespec) -> libc::c_int { + unsafe { + // kani::any_where provides us with a non-deterministic number of seconds + // that is at least equal to LAST_SECONDS (to ensure that time only + // progresses forward). + let next_seconds = kani::any_where(|&n| n >= unsafe { LAST_SECONDS }); + let next_nanos = kani::any_where(|&n| n >= 0 && n < NANOS_PER_SECOND); + + if next_seconds == LAST_SECONDS { + kani::assume(next_nanos >= LAST_NANOS ); + } + + (*tp).tv_sec = LAST_SECONDS; + (*tp).tv_nsec = LAST_NANOS; + + LAST_SECONDS = next_seconds; + LAST_NANOS = next_nanos; + } + + 0 + } +} +``` + +Note how the first invocation of this stub will always set `tv_sec = tv_nsec = 0`, as this is what the statics are initialized to. This is an optimization we do because the rate-limiter only cares about the delta between two instants, which will be non-deterministic as long as one of the two instants is non-deterministic. 
**In order to keep Kani performant, it is important to minimize the number of non-deterministic values, especially if multiplication and division is involved**. + +Using this stub, we can start writing a harness for `auto_replenish` such as + +```rs +#[kani::proof] +#[kani::unwind(1)] // Enough to unwind the recursion at `Timespec::sub_timespec`. +#[kani::stub(libc::clock_gettime, stubs::clock_gettime)] +fn verify_token_bucket_auto_replenish() { + // Initialize a non-determinstic `TokenBucket` object. + let mut bucket: TokenBucket = kani::any(); + + bucket.auto_replenish(); + + // is_valid() performs sanity checks such as "budget <= size". + // It is the data structure invariant of `TokenBucket`. + assert!(bucket.is_valid()); +} +``` + +Let us now see how we can extend this harness to allow us to verify that our rate limiter is replenishing tokens at exactly the requested rate. + +### Verifying our Noisy-Neighbor Mitigation + +Our noisy neighbor mitigation is correct if we always generate the “correct” number of tokens with each call to `auto_replenish`, meaning it is impossible for a guest to do more I/O than configured. Formally, this means + +`0 ≤ (now - last_update) - new_tokens ⋅ (refill_time/size) < refill_time/size` + +Here, *new_tokens* is the number of tokens that `auto_replenish` generated. The fraction `refill_time/size` is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate *new_tokens* and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. + +The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? 
Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing `last_update` by `new_tokens ⋅ (refill_time/size)` instead of setting it to *now*. This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that `last_update` and the actual system time will not diverge, boldly concluding + + +>This means that `last_updated` indeed does not fall behind more than the execution time of `auto_replenish` plus a constant dependent on the bucket configuration. + + +Here, the “constant dependent on the bucket configuration” was `refill_time/size`, rounded down. This is indeed implies our above specified property, so when we revisited `auto_replenish` a few months later to add the following two `debug_asserts!` derived from our formal property. + +```rs +// time_adjustment = tokens * (refill_time / size) +debug_assert!((now - last_update) >= time_adjustment); +// inequality slightly rewritten to avoid division +debug_assert!((now - last_update - time_adjustment) * size < refill_time); +``` + +we expected the verification to succeed. However, Kani presented us with The “VERIFICATION FAILED”, which was unexpected to say the least. + +So what went wrong? In the hand-written proof, the error was assuming that `-⌊-x⌋ = ⌊x⌋` (had this step been gotten correctly, the bound would have been `refill_time/size` rounded *up*, which obviously allows for violations). 
To see how our code actually violates the property, we need to have a look at how the relevant part of `auto_replenish` was actually implemented: + +```rs +let time_delta = self.last_update.elapsed().as_nanos() as u64; + +// tokens = time_delta / (refill_time / size) rewritten to not run into +// integer division issues. +let tokens = (time_delta * self.size) / self.refill_time; +let time_adjustment = (tokens * self.refill_time) / self.size + +self.last_update += Duration::from_nanos(time_adjustment); +``` + +The issue lies in the way we compute `time_adjustment`: Consider a bucket of size 2 with refill time 3ns and assume a time delta of 11ns. We compute `11⋅2/3 ≈ 7` tokens, and then a time adjustment of `7⋅3/2 ≈ 10ns`. However, 10ns is only enough to replenish `10⋅2/3 ≈ 6` tokens! The problem here is that 7 tokens do not take an integer number of nanoseconds to replenish. They take 10.5ns. However the integer division rounds this down, and thus the guest essentially gets to use those 0.5ns twice. Assuming the guest can time when it triggers down to nanosecond precision, and the rate limiter is configured such that `refill_time/size` is not an integer, the guest could theoretically cause these fractional nanosecond to accumulate to get an extra token every `10⁶ ⋅ refill_time/size ⋅ max(1, refill_time/size)` nanoseconds. **For a rate limiter configured at 1GB/s, this would be an excess of 1KB/s**. + +The fix for this was to round up instead of down in our computation of `time_adjustment`. For the complete code listing of the rate limiter harnesses, see [here](https://github.com/firecracker-microvm/firecracker/blob/1a2c6ada116b52df891857d3e82503ad1ef845e5/src/vmm/src/rate_limiter/mod.rs#L525). + +## Conformance to the VirtIO Specification + +Firecracker is a para-virtualization solution, meaning the guest is aware that it is running inside of a virtual machine. 
This allows host and guests to collaborate when it comes to I/O, as opposed to the host having to do all the heavy lifting of emulating physical devices. Firecracker uses [VirtIO](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) for the transport-layer protocol of its paravirtualized device stack. It allows the guest and host to exchange messages via pairs of ring buffers called a *queue*. At a high level, the guest puts requests into a shared array (the “descriptor table”) and puts the index into the descriptor table at which the host can find the new request into the request ring (the “avail ring” in VirtIO lingo). It then notifies the host via interrupt that a new request is available for processing. The host now processes the request, updating the descriptor table entry with its response and, upon finishing, writes the index into the descriptor table into a response ring (the “used ring”). It then notifies the guest that processing of a request has finished. + +The Firecracker side of this queue implementation sits right at the intersection between guest and host. According to Firecracker’s [threat model](https://github.com/firecracker-microvm/firecracker/blob/main/docs/design.md#threat-containment): + + +>From a security perspective, all vCPU threads are considered to be running malicious code as soon as they have been started; these malicious threads need to be contained. + + +The entirety of the VirtIO queue lives in shared memory and can thus be written to by the vCPU threads. Therefore, Firecracker cannot make any assumptions about its contents. In particular, it needs to operate securely no matter the memory content. For anyone who has worked with Kani before, this yearns for a generous application of `kani::any()`. 
We can set up an area of non-deterministic guest memory as follows: + +```rs +fn arbitrary_guest_memory() -> GuestMemoryMmap { + // We need ManuallyDrop to "leak" the memory area to ensure it lives for + // the entire duration of the proof. + let memory = ManuallyDrop::new(kani::vec::exact_vec::()) + .as_mut_ptr(); + + let region = unsafe { + MmapRegionBuilder::new(GUEST_MEMORY_SIZE) + .with_raw_mmap_pointer(memory) + .build() + .unwrap() + }; + + let guest_region = GuestRegionMmap::new(region, GuestAddress(0)).unwrap(); + + // Use a single memory region, just as Firecracker does for guests of size < 2GB. + // For largest guests, Firecracker uses two regions (due to the MMIO gap being + // at the top of 32-bit address space). + GuestMemoryMmap::from_regions(vec![guest_region]).unwrap() +} +``` + +Note that this requires a stub for `libc::sysconf`, which is used by `.build()` to verify that guest memory is correctly aligned. We can use a stub that always returns 1, which causes `vm_memory` to consider all pointers to be correctly aligned. + +With our non-deterministic guest memory setup, we can start verifying things! On the host side, a queue is just a collection of guest physical addresses. We currently cannot set all of them to non-deterministic values, as the complexity of our mathematical model would explode, but we can get fairly far: + +```rs +impl kani::Arbitrary for Queue { + fn any() -> Queue { + // Firecracker statically sets the maximal queue size to 256. + let mut queue = Queue::new(FIRECRACKER_MAX_QUEUE_SIZE); + + const QUEUE_BASE_ADDRESS: u64 = 0; + // Descriptor table has 16 bytes per entry, avail ring starts right after. + const AVAIL_RING_BASE_ADDRESS: u64 = + QUEUE_BASE_ADDRESS + FIRECRACKER_MAX_QUEUE_SIZE as u64 * 16; + // Used ring starts after avail ring (which has size 6 + 2 * FIRECRACKER_MAX_QUEUE_SIZE), + // and needs 2 bytes of padding. 
+ const USED_RING_BASE_ADDRESS: u64 = + AVAIL_RING_BASE_ADDRESS + 6 + 2 * FIRECRACKER_MAX_QUEUE_SIZE as u64 + 2; + + queue.size = FIRECRACKER_MAX_QUEUE_SIZE; + queue.ready = true; + queue.desc_table = GuestAddress(QUEUE_BASE_ADDRESS); + queue.avail_ring = GuestAddress(AVAIL_RING_BASE_ADDRESS); + queue.used_ring = GuestAddress(USED_RING_BASE_ADDRESS); + + // Index at which we expect the guest to place its next request into + // the avail ring. + queue.next_avail = Wrapping(kani::any()); + // Index at which we will put the next response into the used ring. + queue.next_used = Wrapping(kani::any()); + // Whether notification suppression is enabled for this queue. + queue.uses_notif_suppression = kani::any(); + // How many responses were added to the used ring since the last + // notification was sent to the guest. + queue.num_added = Wrapping(kani::any()); + + queue + } +} +``` + +Here, the final two fields, `uses_notif_suppression` and `num_added` are relevant for the property we want to verify. Notification suppression is a mechanism described in [Section 2.6.7 of the VirtIO specification](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) which is designed to reduce the overall number of interrupts exchanged between guest and host. When enabled, it allows the guest to tell the host that it should not send an interrupt for every single processed request, but instead wait until a specific number of requests have been processed. The guest does this by writing a used ring index into a predefined memory location. The host then will not send interrupts until it uses the specified index for a response. + +To better understand this mechanism, consider the following queue: + +Imagine illustrating used buffer notification suppression + +The guest just wrote requests 1 through 3 into the avail ring and notified the host. 
Without notification suppression, the host would now process request 1, write the result into slot 1, and notify the guest about the first request being done. With notification suppression, the host will instead realize that the guest does not want notification until it writes a response to the third slot. This means the host will only notify the request after processing all three requests, and we saved ourselves two interrupts. + +This is a much simplified scenario. The exact details of this are written down in [Section 2.6.7.2 of the VirtIO 1.1 specification](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf). We can turn that specification into the following Kani harness: + +```rs +#[kani::proof] +#[kani::unwind(2)] // Guest memory regions are stored in a BTreeMap, which + // employs binary search resolving guest addresses to + // regions. We only have a single region, so the search + // terminates in one iteration. +fn verify_spec_2_6_7_2() { + let mem = arbitrary_guest_memory(); + let mut queue: Queue = kani::any(); + + // Assume various alignment needs are met. Every function operating on a queue + // has a debug_assert! matching this assumption. + kani::assume(queue.is_layout_valid(&mem)); + + let needs_notification = queue.prepare_kick(&mem); + + if !queue.uses_notif_suppression { + // After the device writes a descriptor index into the used ring: + // – If flags is 1, the device SHOULD NOT send a notification. + // – If flags is 0, the device MUST send a notification. + // flags is the first field in the avail_ring, which we completely ignore. We + // always send a notification, and as there only is a SHOULD NOT, that is okay + assert!(needs_notification); + } else { + // next_used - 1 is where the previous descriptor was placed. + // queue.used_event(&mem) reads from the memory location at which the guest + // stores the index for which it wants to receive the next notification. 
+ if queue.used_event(&mem) == queue.next_used - Wrapping(1) && queue.num_added.0 > 0 { + // If the idx field in the used ring (which determined where that descriptor index + // was placed) was equal to used_event, the device MUST send a notification. + assert!(needs_notification) + } + + // The other case is handled by a "SHOULD NOT send a notification" in the spec. + // So we do not care. + } +} +``` + +Beyond these specification conformance harnesses, we also have standard “absence of panics” harnesses, which lead us to discover an issue in our code which validates the in-memory layout of VirtIO queues. A guest could [trigger a panic in Firecracker](https://github.com/firecracker-microvm/firecracker/commit/7909c5e6d023cbac98a5b16430d53d13370cf8be) by placing the starting address for a VirtIO queue component into the MMIO gap. + +## Conclusion + +Thanks to Kani, the Firecracker team was able to verify critical areas of code that were intractable to traditional methods. These include our noisy-neighbor mitigation, a rate limiter, where interactions with the system clock resulted in traditional testing being unreliable, as well as our VirtIO stack, where the interaction with guest memory lead to a state space impossible to cover by other means. + +We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a malicious guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. + +All in all, Kani proof harnesses has proven a valuable defense-in-depth measure for Firecracker, nicely complementing our existing testing infrastructure. 
We plan to continue our investment in these harnesses as we develop new Firecracker features, to ensure consistently high security standards. + +## Author Bio + +Patrick Roy is a Software Development Engineer at AWS, working on proactive security for Firecracker. He joined AWS in October 2022, after finishing his Masters in Mathematics and Foundations of Computer Science at the University of Oxford. 
diff --git a/assets/images/token-bucket-diagram.png b/assets/images/token-bucket-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..82e1bbd0aabd1ca46fb361a21b4b8718b52a0d7e GIT binary patch literal 65351
ze3;SdNU+LQZ{Y4{(#f$|v>aaCq5y%z&TFUHZWZd3Iw2e|?Q>j}q#U*GZ)cm@7~J?&?vun#0jJw@jiWAd>U`nAa%rMjGTmk%(Ac zpaIerRuF;Y*^MFy<4BSWaoF4*z<}a_rG;Z&3&die z4qz^}M#Q-s0^V~rf3d?jJ}_|mi(oLoPGiSRPmWaBUP&j>7oe8*Tta)vVm%Mlmc2&3WvB?$TeIHkODIQ5FN z@iyNGLXsf`=HJohJDFs)*UU4>NcWdc^`zYmy>ARBS@+3(q%P4mPJa}z0HTJ1XN4o5 ziyFQ_L)`VDH&DXe%NnlG9A&PfesL%gmxlYPncC9R`i_e&8cbf&id&CNB8*9V2Ekev zkevm{Eq2GPc}5I1+i zZ+e6KGb}?a3WNFaEV+cUP%ukvios$#J|c<%#8VJGOII-g2+Z0C?q~o`BuwZdLWg|{ z$G8`N^cOQY1?tzoC8poC78Uq$(m}f(8)2lDE31fmJ9jhnTPMHZLfDIQr|B2F*IKlh zG%8G}rD6R^_ugY=W_zCTnDcsrFtusJ>a zXgC_U%FlX!`Qj^z`VUZaqqdq&Das4}xp71IY9ZjbqSaji-;Mq~0npbXh+GA`%MQdH z2ktF#b2Ko>$6fJA%Kte5qr^z)^P2ZbLW9}bj}HP0SId4R@Iwmz&}ZcT-XCB+R<$}k z*f0ia?2jt!V#kUN5SMb9xhN3PRjcP{l-mABz?) z9?%7R-QV~n^=^Eu1H}mjS{lCnQd0eYexmvxF=Y~R0elJ=6+Z+X?~3M~0!SDj1Pu-x zA!p?@H{}Bku0(F@-od}VJb40O#Z3(WbVE3R-aqnN1uWA4c_3kC@NGcoS6y(tUJ5u< z4*(4q^FAMt+kb^3)J=eV>yWk4d4#79;CDHh$n{Tc>wpZi{BclpIxM_JzB0aRR3}R2xN4>aszj@P66lc;nd=lZ`%`a zSX(YEk3F#b3|L}@Zo5ucy^?zBqe5)pIpyBf@i$OL6BK?2=&<6a7K`-%wlz?bphe8< zw|*VqZQTH@kmc0ecP83nX+8jz{s8$6z%%aH@NC~>Ab9Nk{f){&g-YN)e*GRQ{19-s zDP$AwboA$AQz_t3{^B$QKLu#3843rebPO~u0J|yB;4!R7wyba2XSeB}z-Cyg#PCg= zq|^6idO;H_;0_zF%(T&fvG&S?*#Nj`d`1m4Ca)}Zn;QrrFCoPJ1jmO>!3}`W&`&tb zsLV`Sc7N1p`tv1lrb*dCy7k zqttW}&bsckRmdv$G>VkYwdwqz(!Td4(`mU?m8AM>h_&?j-x2fC$Zp~;>ipHwcj?d_ zr9f0=6dA)qpa)zJH>Z67llU*dE9-h?{|4CJL%{Vpy$TTB$}11ZbcEC0c=}scti0^y z^2)2HUm~a!CfK?@uZ_N|9KUrq>Btdqyqu9^0;@m(lLeCqjB;13*Yp3GO>rcjU|b7P zUhf_Hvuo<0=CE(!>3VqK1Sit)$7AAKFBc87VKA5dmm6tM#q;UD$>o(!gw)$WA=`x}&3G+@Zhxe0;)0RYX{ z5nb8-0maL}0KjZJ<&KNHdiTM?m9LvanC;eoUu%#8C))V+)pws`4?pPZ%h?h4Tm(*Y zWkB{kk&ecYw%Sd6vKDHEx?z$OFOJ&YxC36*mY2eoZjM;@=n`KN;oL#Do1;BuUPEd^ z_g#;+=Qk~6eby)L9v#`{`mZo$7_V&ndfN24ZnL&``c;FCX29cNTu*Mu;R3&a=yP~g zZ7JA}9GG7T{x6s@|MnD4iqJ))*c;YCM%a8w^Fb-n%)Nt7cQk=RapnoLR{P@HS8g8A zRJ1H0_%%PFm*k8635X5Nt757o;9L@*>MOI>8dEgd|7@o#CsPG$g-bCwRjFlC@2XG; zI;qB60`DJqOc0t%-{qGZuqpi*u-z9V7w@4sQ-GL3bo^8DzZ1PX1cdQ013>fbpc60I z-EKqs@&_)vIAnn)}RGe13EK)bjF5A6Ns{11|l+ 
zYjxN(T3K0V|YCk;{yl-Q20Be37(HQ_LYZuPG&ISkQ zjbb98Vwiks&y{tk%<Md^V?? zfeGQ=ag4Hd%F~`E*+_~l-nJwUQ+@WJBB4qQH1M3y$m|=-XKCD5SOw%>V>!X0YH_L| z&((nae;D}R@Xri@%=m1YV5dSe;LQo+otYT$t(13RB(ovh6wz-qXv3PXCgm9|gy6rS z@juHI6_Bm0?&SV`4g~xE_ks8Uhr{xSi2nCMPNG$1AY#eSq~{v`cV+r#2_w=24sRPN z5&XNN{kyKo1FH+JD`42@pH$#~rq&#gAb^5N!T)LafB(c010(CNpWd@O|EGOmIpA=! z9wFhs@%-ON`Ii&$Y_M->UA;f!e>E`-uyXvDBL2VQz$-U^(&wW5DjyJ!c16RkUQod- z>0fF=w)m7kJkE~`O7&>3M2Y^Y|5qxp%_^8q$kxtlR zic;qPW9!f3q3-@Sa6Hq{$kI#{S;rP_$iCJXV@nB1DkMwxCD~Jqb?lTDMb<(gvSdq? zkV>|!iK6TzvZV5T9=YG&$M5_3{deEh%)DObJkN8zuIr2uSHZ93K{#6kSKCLog(v>a z@dy1td|wa8-w;auw|5=^US2q&_V>#Cbi1xZDNyE3z?7WE+wU)SoptSvydo*AGuV`j&B^|EcTKh8XU% zFT+^!)q)wyAdp@D9LnLeIMrL`_L;nj!hvIV!6Fc#ttEFr+VF3G+;72m&iv>afd6ez zBq7}lfZslWpw|FIa0}biD_&(nr{Uy5czJ&nv@jTN%Ul`sb6VdR>Tey`?0^~$)f;Fy zBT#sG$)yVBYR)qsE9B0V7&-KU^n$hgC!fp#uYP9$%ctFL=}`OMuJpqC zv`wL1rQ)!#D%L1GdLHO}TJH!t2_-;mE*D($n(ljbxia>D2?b67R9?o{H=Kau@f}Gh z=(-QH9dWb$=9!y!b?2B?JOPb{{hvBK*RjUyiOqldE%lm1B^`Rj@Xsrnm{u!m1tv>r6OtS}%WI8%&@xPBegM(wIx&9G$Oo{f)K-JTqV{Nec z+&kG2DWme;UYJmNK05j6<^TkEV<1i3Zu#*4F8OJ+$t>&+lfDd#6WPN1oDX< zpkLS^E|G0<_#5!kPM@lM7vD<1?*aGfxHRCMIt>|?oMTrW=WN>l`)%yL|I~JeAtR_2*KK%usxJ`57MQ)QHYZM!R$y;kgvNPfdECAR!|IeSZA|4JtO>e`tsXmOYZ_^Vl(<22;o$@pi}y zU;V@N&zec*croL=+xccyUF+E<(kcP!h3_0^Wj6ZuEL3`wT(QM_i^5;fz^&N@T!173>s|HGXCRU9rVko>ET9o35Co9=U*AI;E++CBZNG9LYF zYbp5dqgSiA&XTb`kAqcJdaBgdfhDhZyR~U>R5ZOw59f0L#D5tK%0*UpR<7$aS?`BW zMPDi9GReU1JykH}b;K2H!*i@vpzY0=3NogqYouJm`%Yj`>s~ZqZS@?t6j0XxIly|f zsG9mp`xUT#WzLRO-m_i_9PLWhXmR5AV<5@NMNvyqh1bOZ2 z^1Ooevqc3jx&8L3d}@Pw8nE7sGboHG*Jt6BB;GsWnYX^3y6etRi~mX|B)B$JUekuz z2j8tz*=R_UCb`zbM-sO%@!`#fs^2hRUi^6JJ-t;c7aGVnGwP5201Y7%0L$lt_Z0U$ z`VV4+SBBm0IX&LAiQqF;)acX@y{qi%A3q40#{xAA(vdVtWG#4`JOKP_nhk)Xabeqi zv=Gka{Rywig7xPTMh4@b&t;^?*t$3AMjMi+0ks7eIKvit61npbl`(pOU6W4Q6&7`v zeWvAwNO`GX`1Z!0{nvb<6a0?qMaas(IGFd)S3#Jj<9Zgh7wl#$X4~Q4h3H5?CTEL) zMpvK|$Ssd4SWhN)0S-eX^W0;GTWlE6HhR*p5?j5Xm!kA_#8BxJGAq-i7f8!SPib73 zTiGk`8Myll!Syr**mM!M6sY6hhwyg5fZMU(q!rb^V0Qs-33| 
zVCRqJZLmhyudR+{tXuSJ$UUT1rX8FV1tp;jJT*_YO_Lw=m)7cTe~tcuevzd{H_m!t ztgXP}x$Z6Tp#Sr;KJX@H4vny{)*$C}V&hkZQ)&;d{kEdt%3cUw_Uu5V=ekfAL|x%O zhY;@-&bJag`q6-wT<2b3#U6l9zcirN!^9z80&)bR{s&UTz#BPXQvH8K$hv&&0ks@k z5#5_5(9k>snM^Q?MkexOR4inC!kdm|W5a9Dhx2}0JU`Y~`UosrSYdOwHf-IsBNpG@ zCds*cRJaTYe?AnaWe|_E%+GP4{s}b=d?jP^-7W<-K{t?XsF)!saD%$Zkuff%J<^PY z=eDqp4b=tb`^A`cZaMq4| zV>K6wy1VJs3ToQ>#z6bBH_i%kE=$DWQ3lp9!!6k=zdar_5zI7xL&dK1B<+NTIb`5oQu7pKyKS+};1$#&-9Jb<4#eJ$3_cQXH}Y1_}1 z6y<3!v#08;iuHfu9m=g5Sw($p;bcSAzx{0>o5Dm+rs+dY!fls<%F{q;#pqGi+cco7 z1v}Po%$7c+*7f>97~VIY+hw}9i$WJtA=Hz>UO^XMKHwd;5f?3Rf?=^Bp!SV zE8WDxThZDE_f82JXg^HH9$?x{<#s8rn_g9KHc{Dg81$Mh87Q|mfvc>sc)_%sLwM3j z2GyUYBZ*??kv3axgx&J`fl+{Es_z|t8;G|kO*!e=PUQpPyuj!)FPTNYLs8u?a?8{b zN^Ni119O}je>#sDbgltRK#3s4w3F`66`&b@02eU2lSFISkQ&?$8Ok+I`IH?*%v8u9 zlnQ})8Si1@qi*5%Z-t8A36;`OHT71s6yO7O6jV;^MH+dkbMg&z3LG+}|9mvFmp~ln^JZiRAnsLZY|0(Ko z^?)_mH}YL}y1;6b*?e;o{W2o2uKfk+qehKLzgt^(>@B}y@$l4R7psQoB4{Bg7dVa$ zE$k*et++f>(TI9;kU*F0Ja8s!DR5z7eUZb#EB(ONxTGAyMzZhuV*LK`^S^%38PNHq zQhray9*Yu-vsGUCgwTlWNz)vkbX6eonxV*`b6MO>Y>iFf_xG31u&KsCN0bj3GZ#aL z9rBH6Fb2zy9>%q}WI&pMNSk8jd=DJ(&2oM$92oZgL8u$_Y8yJ7oq&jDoT%Qh*KW}V*MbuoSZV-YZm~N3H1*HQXzI-KbxJ-`i`%g3=uNEq=%4;>Rn*?8f+=}w zbKP*!Tj1wDW2@i}&{*mRsD|0oO5m3hyH0qTGT<#T&-OVX{*G6#&8>Zn->GXf;?gm;0~{CCZYPSH^}%k9_K6m6d0VqOGx@j1qAo~p>Pg+6 zd5xW>80cD85{f22RumWY=H8LTdW+kQz{(q6lzJYYJKSx)3SxR}lIyh^l?OF{1V|}-JTN>s;g9&%9KL(b)%d$HJVseS z{V|K*%X2R0Qc)?d;WP_=uKaO2+rRZ(1VM|8T>_Yk_%w|lh!gB}+7%8PkL`p$3Xz1d zj_kNesi%-wWxAmxKutYu4!)B{YKMwKm^WAa_G_$Nf@wOL{*g&hMo~cUdS>)Qs1~CY z&dO{0XbSl)NEd}n{u#HTFs!nAppvQye5@L(c{ojjQ*fHLbq&d$fuAhL6-uy|y3=l= zT4S8eG#Z(5l&Qe$P+tJS80rz$YE3a&s*a_v7ezD9wVr$h8ivLK+^C&lMWgjc(cXfKF+2Fd!w7{e8`=Q?d z=uK(M(3plk%g%%UPLMEUZ#vtx&32n$|IVkbmD7Ro%q{|wo5ArrS3c|%1p_GbrzrO? 
za~V*of^;qq{Hx%<^eJ8#DmNWW?i*}W?d^kBrhKc-H}=J_6V~fq9}L9PCs1_sHYEr- zL*``+S#=%ZUr2&3$1P!Mr%jNC#oym6UWiz^GlzW!NlMgV(%N7nt##9&80dN)5Ky(y zt~(8}aQmK(XZ|l7D_}wCV$0JzXCR_+AHG^`uo=x5@N_sH(8Q9v_=Qq6{@|{uhw;Y4 zs=&j(w#wZ{A6<*&Y;EuPK9F_jZ2DTdUg!;>IS@d<`-I|DEZJv{CrN4OZ>%tK?Gcim zxfTSwp2GAS;A9~_TSB*zwQFeep)>UkU|!B>vI1{k6*L9eHhpqr*fuJJ%vL3@DZ3bM zc`uU7^FLnHjkgy>Z~vn6evn3B^5SgGY74kR>(1IHsnktBnGhm>x@c{Ac$=t+oa-ki z=n!2D_%>+&trcW}--f3XF6f|4rWlR8{`A}2GP?kM&i}JECfM~!!}cdWbC%sZPu}#! znrQILIo(E{gE0}Rln$0B;A4!RSnG%y_UNQMx0QYY)1AJ>>Hd6hc8j2AYRiX@5!*}0 z@3Nr=CeaQHm|9m< zEw+jK0>gEJ!pU;`uNm@#U%-QI7nS4{$E3s2PCGEcBLC3>EnE1e(yfRs5S7!JWAL)) zcH$DxyPh;R7`!0oA?oM9)u3d4VKzx^D6hEX3H0+o-x$B85J&e`0!c48zUq<8yv*`{RL8#qF#?NEj)25=NarAQA ziTjMy1R%ck|{;9 zHXy$;G+}P?G5-Ioh@|(7X?ILyCC)J9%juMDoDWO5T`JtansQWt_NZz)&;Z;}JF?XA zR29;5a!%Y|%%}ocI+(5shrN)c*2I5a?*Cm0I^(WfZ&2Kh{#>5y)n`v96kqWY+P5{j z9GM#Kg2+#tnr{VF>|2^1uoAo7ccom{!~%`R8k+Y~cjOA!wsH3~ZyZh}Bvzr~S-NSv z80ZI_J?{*VX2-aFZ;g=?^}O2szm;E zo227`Gr^q|Z|}&yF~2-r`j)>?6KZ%O#+O8#e)R^%)3&!v-6Q(HDw#QhO7CLF@xv8Y z$XxO+PEhZb38;rkEOQzHO)*4t1*?Ycr>^HRtJudi z+)bpul~z*Yl~C)rp*j+BJItxkA5baw5wv(dA8G_UY}qfyb*v1Fq-~H!j9Gps_+<*H z9-~$kJ+}Q!wg22J4lgKDcn`@eewZhdh;i; ziw$y)9ytjE-jCu73O-3j)zJ!f0Thh-*Noj-S@Wy!Mr_w03(vD_%P6?SKD!Jf`zH5t zk0eVga&i~U(YrnOT>kmt)O6uX);HEFTxW4qaO8b0D)UD5rQcUW`Y~rMksO^1W1FF(4Un3IJ;EQCws$0axz>u}) zz|)VGxWHtt+{1Y#-xjYjm-O2#xyY5M7gj^iEw~!QzR%c|8}zI@(rtYILh?9VDbTh{ z^hVfl<8Kt%WnDjggx1j$2$B7YPbk-a>0pQZ{=)(+%|0$LOj>YXbKURX$jqzMxx;FH zm(7ioJDgYT60UR{ldrhp^{oO*1>ja#z?zrB+^6S`tYaQ3JFw{nkloNok&N~G&9&_v z`bu*5kwhB#MH3VA^--2;dIyUMJDFoN>#KHNc-sErUIu2)cq=0`*m>h>E0W^>v$_y! 
zl8*(|KaMQ%ph|ckQt!~pNTSNtSzt4jEkXn1!N{-A9Ix6g1M?_fJ)E_|{rSgg#@Wav z$|GxR>Hc|K{Da6=(dH+R!uMBP%8q){nkDdI&@)L(dS0`B_7y~xK|YYr;t0L*&qHN} zk=}m!`h4xrV>WTH}OO1Pn_Px%k33;G2SD<5-d6V{z<6@JJW0ZB)c8GXiW6y#hzq`~z ziOQ{#gFGC@p9!5%_fjngLra9g8~Z=bJ=?S4IasK-UokzEfGLaPF26=z@2qe3U#j;W za2TIqKTf9*s~D>wtL(9yp>QvyuvjYj@|klNPGxbA4mWr%OTSkczJtf-YlkKD8Kse^ z&%`xuNl#pdB7I!$O#Pu>V?wB0Yn%89C$tnbZ@#+BLds0ww*p#OLGPwq*IQ;@r=|E5 z^9$-CRep+R>Ald0d$0m#OE{G7)prSYumAFuTMe$Ty> zskUj{jJ@OpPVdYIXq&RhI&UVB{I;}(K%z5KvHQKG&-bAK0j-hvemw_V0yg9H3VaPWCT28RUh1~{5es)xDf6EGSw`#hfd{7s#UpWNpCmw)%CY9E26)TMb4P_D4e zzABcYT=(i%P0lgPt3_X$SL1dsT0Sd?g}u_=hJg^`KIr*7cC5G9)=#D6--NwAp7imH zh{~;78I-Lz>{)aQ)*#o4es;>=VV7X|AJsw_&?*ZAT9iW?U}~TgT8J`RRQc?&@x2bS) z+g}*fO;XrB70jx=t2|TltL3?UTJ6iM=jrZ-6-O2mEf8b9Pm>SSH?LJXU2E-MP^XS7O{dD=5|w z$3H8VE#zzgfpez9ZZKL~w_eO4`)3sfB2asrJ}n3^e;N zrrL+qaZ(p3_-?f+0f%az&nx9S4GLSeIRf5SR69CQ@d7ltme9=@36-aJSBcs>ub9pd zq(6S%BGFDjeX2TQt@qyNCroNjL&x~6$42WB{L#lRp)~qfKd%N3`A5^VQ2mR6^U4mL zVxo3qU2K&vmB{qr$sXK-`zTtp9(<7KyQoVm-hvDY?>OJ931hb;+3D}UTX*ptY8u$t zzfK)D4x5KY#)|68Isse%L#2@mq8WQiYU>Y*?q%zXVE+8dfxG4Km%veCklF~fi6vt{ zLFk7RlsvbtY8>HckmlHD{5C=^gnfy{)i^MoTv)ihNkU&xn1ZP$>>#I||DB=wHSxs9 z)IB|;DG9%ZV!Ww7EZl!Vxo(W_-PP^yWwkt{||9fRzUP187FdHx>dqlSDu)X*^dKxcLL>kdYXQDC<060lmqWl?($u#3GP`T@sIU51p`ms?eUWC#ri;y0UrYxJcBysc7-Z(e z>9L0^iM0O?vZE<~BE+!Qz|4&(*m_$7aA3=ygvl)!-oecqz28m(O}Cmz*52j-@wZ;| zi$Z&Ww!pAS^7+19#SX{!ZhtkX;FG2D`8(UVNx574rJKFp!XFiG;h6N~?2l$0MVI2t zNVX^CJQJ|y&u<92aWO-NMwpP(o)(;rYNFp`jpI!Ay?5PKP^o@R2*}w4wXEPALQr_; zo{VFilObHs-;U*ll?R%sXf|^mW3-z-dWNfQA0_m7W3WgN^ZD>ravG6SJtiRh7Ju*{ zC6S8{yPIVv?Jd5I+&QNwCYL=eG4R6Y0!UBzspo}q* zOSeOoG1@F^@8>^H&Ch}!;0{49wS~0Y^u1JkM1=U?U2aKvNZbIy#I6-qI~+Hm8|DO*atfPX}@0Bc1m^5w;h z-%}bhcG$nNW(;v*jPDid9$PO9Tya@O)%DWC4#%~rccg40CwFVAZXqxjFX)_{e{^Qf zR9Zgnen0ab_q>|n`fHYrdwFut(XjQWuewhRpAV+-D0$?(OFcaJ0cQ{&tDngiwxoV# z`>WNJ4>Zk#3>2P$9yd9>B<{#3CbOAqJ46H?YW?DA)2w`l=0H++Hw_-xUs*KNFiZ6j zno2sRm5K5x>Ihqt{1=fG^^P4HLjjD1$KxKWr|+b<4X)(*dsI|5!!L{O+8r%x#?P+< 
z2#PY1X<<=`idU;8U&kJ>zt*W~a6&_A<8}2%H7{}WHLyk8+{hVkLY?ohGBL4|yy;6w zqI^5s%4vX^IUYZDU`LyXVM~svpyfQ&9p!e!pC@~F@lM(8RXc#+fDX%|hg&5S)$J|S%}ORDr9aZoav>+HU&r?8I_{8TIakAX z8oC#x6sA$~@4kEj8AWwinK%Lh3gX2Y}NVw!#?<#S6&4O3SZ6=V?m_XIGT90yoJ{C13tfBLsL zrOLYCE!iV{mH&|IwQFd6@Xl!&dbnmBQk7u_&xyLnF*HWQa{TV!A%BxfBq>|z%lKX7ic{^X?zr36egBcIMqt;wsYgMQjBDr5 zao01J?)!a<-&lugKzyCQ5ps?=Ne{dPWc(gse-))|=$)#rLD;si~84o~X z)%m#UPa}uH#DbX+`ji*=y?>wo-bDoro`$IYvf9xnd&CIRizDeo{_`&aRs?LAZG(q@ zZ!_RjiY-dmbN5pF_B+Rp0EUChn|th@Dh%=(;Nqw(c~Mx0bZn0Vf`p4dOO&zNsj)E) z$rXV`XF1nr4m~1y%aPDy;-~Msek?C~2ihB@u6s$Rw6fyM!qrK-R%bKDJ!B z+)`F+>L@}pTJNSa)NKUB8EP92H2n7*X!BXDlHbGNvEtdGo-M-rGF5lq)!*)Wy4>yj z#9-Ij0N~nKQMYxp-u7BsTa?GXt)F*s+n=SW3yOKn*QtGPW2@KAQDFQd-BxH4v)BX~ zuseAiG$HhwKkYBkez2J!E5|MG5`E{w&dK5l1=yC~u+3xs;rNTb(8KxB{c_xX-P@=$ zS||G;{aI5jv8@G{EVEWi96s!|tm@afzIzur$i)avJ@s5Tx+|s}jz1&=2l)*bfs3d2K{(TSE?gYe!6$9+*<=kxmqV-qVv?MF)F^jy!pP@v++;wJ#T8>IZ zYd*Tj1(+8&WZ(09IMFXP`_q8}dCE#6=^l;4OTf1DZb_ascNOm-Tond{OHoZO6DS%7 zBp$3ae!5$0CR;YWCK|yW`PN`Agn?Z{Tbr-hD61~-=(sOAL5wkJba#Sc8|m8V?KW?X zgfH=N#owcm%{$iqm_J|pP}R3sICFmXS(ka^%F4&onVDx{^GXGd`B(TxJ#4lc#(-|= zFs;6)$Vz=MR_q-_UniJVrN3w7)9yEqUIu*lm6-W)nkV`ErwIdMWK zp54uge`kh6XDRb8sjT*J-6-owZv=ihB`-w4kkc0MwFeDK9ZrtcXH=z8a5y>vBKAid z$)JfTR}K1uC4l75Yu9Re5Cm0|HNPcy%urW2pM->rbS5@>Kx`HPMD%GS0B zv3i4@;-+>W?ULB_$RgI8Mlo?JV^eH?-9^6n+NaFJ-G)K!AB)c5J1OgukEy zl+UaE5>IuKeFW~Pm4r;*^Jv#;vD#*TUVaf~ ztY16d@ejRb!bbRUO(+nzjt!JKpGCM{9yz#Y?P5v`aUbRSSXSuwfM`p(W69uV=ch6e z)ZvTaYyTrVE+;3$Bsn&aCOMbxP`uw-iYv_tP$-e>& zrq{n*lJIzr+CRF=7S9RH=Wsjy49jErDE81b8d~I`R=dqYUItMvK|r;%p&Ia+KQf5TUoKt-GGo z{pq1G3sSoG36d$g-=81=ld~o5Vq{AaHbaxLS#W3K8;R#12~k9WV3VOD(Tw1t7*Z_i zP@+C)l$e@0?E%r>ce}{e2Td3Gn;3nh800Q2wDEa`Z8?>pfLJ2KR>K-Cw*C}q&JDn5 zMG5&q^uCmPu~%+l|69YDZnN41zgwPNryJkxxI{$9(*sX**P9lMt_ok_@WG)WE_7NEJc`cE~jy8<;S|bL^FmQN2-hW-{)Z0#o z>XgZQw%GUP{5;?>^Din!pVwwxvQ$4B`GZiP+vcmkY#7R})()Fkb>1zQlaLf-N0=56 zWXR1_=C*zebBRZD_q(zK;QqmSTs1tLsk{WYbBV!u;|q)*Lyc6wCH)d|s1}9|Ok~A; 
zste7;W#8QJLR*7LYE8Nm`Yj+GeM?W;d*-9;A;DLSmejVR6Nwyxn>>0f=hfO?il*7cMl$*5OMF)l2@Y-9fG`C3L_ZaSKy*@Xum}?V%n1)kU zV`CH))bL}=wd>?a*xitf?RZb~YhwtC;3FFH~yuW>uT8=L*bw0OIZjkU@7+GPS7=1rHdv$it zRjuXjHS5)Yn!`-y&#RZV#=br$)bV`0A$gJ~?qb0z_A%RUUR!*rc<1{$z6-}i&+OJ+ z_Zj3gNgR7nD93x>}b!+X%o;0>^x9Yy&QeBIqOoWy;v=0#qQAMcznZ7 zcK$YjX1eo2N>Kv9b+sB)+lxXz1-G=9%}jf|#sItZRMC*aAuBgzy;;sdo^~_A zQuC}n*FNnhLZp&NKMtI9sX;}wjVpHRDFOUWx-Rxv;??F~mwj6pKMD1(x3KD|8YMDP+n46sz#WgW(MW3ql5#CVg+;xtw!# z2Y*j5z|`iTvok}Oya8jXyFu^Lfj2*M90jiAtMFZTek$TQ|FFmxiYkk6@OuFnJWm5t zuAp;7<*p{yH9 z`^x%*oO1mRU%lt<`%m#EY;Hitv_3wfA*LR18tBK(oQ0+wRFHN12tk%aA`C4So`a|XtA znixWBd?;yLfV7#TuaoTx;4F@fv*-(LN3oE?NtbX7cRbc8>M-WI=wqK99c4tl_@MdR8t_uuc`#FtZ5lQ|8A4sP@?tb1`*&1p7-?D1J zvKIPGx-e1#T_{s4FTSM%Q1dtu!}SC&#)~EHpX#qaByr`}!k+(sKVbnA{zYi&_QL?y z4&aJWv!tvFNEf;Q9CjC)7m(Y&h5I!`DI2C*i=$PubGi+P`{D|@mjJkI>-y~H&8XTu zKsvqNtR}P*BN9Y{j2{t+%AmK7#_*>EGutKCKR>5N8WA~kN#vMSWG$ew?9Muu-ayT8 zFPQO|z*y8$X?yMgcu{nD4e(;i+`k^73SieiszHL+#HCH%e64N~&gb7eBf9-{`fm%mEwpKIUsmrdFza`zS^0K5 zmh8YpwHEr0h6QD#@TIq5e1GLNgL)!x;-bt}fe+9uWtJK);1hOQq!R0PWQ=59H%vGEFM z#xdUp@VGkbwnme{1pHmeJ_*;TR(gzE0z-nfVM}DtBdg^J*Lw0rjei>kRq`Y%=80#Em4sGw>$o{D7E7azj# z*j;fRc=TQv19Yra2!PBIodT-6cS-}TM*IIhraw$95Oi0_^)Fob;a26b?rgSToWw69 zY&f`MJGcc#S0(Z0&Gmz~odOny6+NjQDUJbm@C*?KU~F|kG}(>pvE#;tf6EVGO&hT5 zsy|RM8ADN+F0^5vWcajp?PS?&N?^>iT#v=({tI`VrvRdJY&VXp6i*YtbXM&LFgVcG z@#@p}pP-x^a#z^4l!{Jm%fMOy!#V+Y3u#~?Y>;JIkr6wFya|h<8N$CEOHn!*xUt;? 
zwB3Tsm7YKFx8Yun0mx|=0cqBcF6Q16sJS0&Nvnk_&a{33Ft3Gx5!xFj6yLo5n(c4~ z?|XbR6pEn3@LyR-;0173nNzP+=FbUu;GLWE?`Pn(ouzTC47!zDQGxha#(X&8xM;B6e0i58ry@cm_ z{dqqWe7gO+Y)!V!>nxzHi%b2khm~RO{qJR8YYtUT78Jt(for-&hyVJ<%g&)i;#;h| zL?&2dR-wTrFi=$yhG=_aP}l+NmtYbAx1GVP%76&HEOy}7`mc#Z!mmZ><%R7q!vgZ* zg7k&A;5CpQ=EiO+V0#j;dAx_7B_jd(3Md?;;M{85+cfaHpX2g>Sb#&|>eQD2|A+Xg z;uzEtAok%9p^{buxCy1c$Ro<@t_B0osZ%TLNNXbp>RGKVHy-|2LqJSL=n`q@s@a33 z)H+~|^Gwd)b$SwkL^}19r)32GGayaamnOEfeo;0mpn})Qu}}wh!Cl4HL1_j|R8Hde z7UkLUZ(Q#Wt>ytgVlM-iuEzQg+Y3Q#>YIPmrom3P=$C7d8HNBNa@I}pG>1K<@Lsni z&jSp_R5*Fr#uIMuJD}eEm3;6pRD~RHt577G*@Q$Q`Fg}-PwTz76?kaJtc zI{LIxETAU=vZkW8?1)1-c0m}es2>iADS$*lRWBebGqRIq*5kA=9vlHyuQH5>1q%j! z0a}8kaLshvBDiWhF_8oCawbsedRG9AZVIkhW|u-n4p{;n1Ybc(Mni!l9H4Xf$^c9S zVE^eUK&&14cOWG(C9;F=Zw`R3+`LUi^2MDavg@nqj<&JI)G>>oJ_NLqQX~Ze37Zwd zV+lP->4c}X03nDjXpSIZjpR(VjY#}T3wCh%5|L$lWGw=xKv*w<-RpywF{=>IsuHtC1YoS@Fs}Um@a15LnhwA>E{hXTUF@QiH-MZgODr2HBUSM z?*p``3t&DqaIN#(`|&!k>@-#kw24ZA;8qL%emn2|taaZ_{EQyXpU!Uil}6w*p+jrG zFP(MFFLinm!uaZ>rZ>bM3t7yd|9s4c+!KwE>Py3pPlrUK_kyep3%gA_8q%q~8-s4o zgL|SIc3@AGOCSs3!l{6mq8D7o)(_AMK9=QaOMUX%?Ra|TCYrUHDZ57ES22Wto& zM<>=lc`XKf*ptz7nQ@yisK4|sS+Rp~8!`|Ll29(P9}tY4f-Aoy1v58JC~S+ML|YP* z{WX2a{Sa0TO_Of!KYi_=3G!lncJ`_)LRUC4*03Fn1=%4FeC7;}oYsURncR`Fx17u? 
zj(rB{f{QC7+SFI-7SJ~kH;cB*+4w*P^5iAo)cb_l0TkJTa~-Os0vN0+BqQxS6V;CB z)@PsH%Op`fl#%}5bL~XWb!VIXb^UcjD)7JVffH*6S9j~*ld)g{%f$Z(pji&B83%dW z$>`Y%8PKEQ$wUlpVRmrP*$7x*EYJx&ij}#xl}xO_#aH$MRx&dw?EgL)waBWm50FkU z%wElxd!;+Z)moStOoCsHw*7J2DmLQ(ECBpUHMlf1U04Oe)f5E!;?k}&`!Huz06{+CfpUJ%1%$juCS8Jaio3{;)RW7(t7~k(|(47)rWG@R_L?ooZFz z=BbC>NN*_Hz=p=&MaUcx!=MQ2Tsi*03+^WC2cAai`fBK#Vi~saIYA=qz9;#=CFDa( zc$dvS5w`ZgKI1&Mwp&Q?XZ`%9m9Gm6APJqz0IG|8M4J)E!ZF2T>>*cZdx6Ig)P`Uf zhZG8WpuRj05J_uF$u%xA@ia~baNA&h7l4JV+f^%j223J^bQIa_Yl_ahb}b7qaj)_F zx0D{wf_})6fLg9}JdKEfm3#vF4ZTnXaHvgZUHf;gXw`NsI4X_!9gy`s&}_5>gk2R1 z5(R%Xz_XCf6LNsn3lc_e5I3fWd(vgYWp9N=(U%-23g~lU%Rc!z_CxG3d#8I>&Ux#l z69XDx4&g|T0!c=+P&Y*+Y@DqH^qilPwKK6ot$;^73uC+~K;)JomROy(-55FTI}YI+ zAwRG}E`!O@PA$5DlmCvUyCCt$ zH8w$B=<0{pLMXCFRtCBQy$I#0(xw%%RtQHXCkjPVJKDBlm7@PK!`{(Dg08v;Wu ztLlROSwKC!OHn>$xAAr%XbZlNXqQ?Gl4evrB}#P75f`Vhj^Q2hhsB3>&zW#=Pz(HcR z{qySthu0cIP-J@_I1AU~xxNhFc3d3KRe=}Vgn3-^>tU&VN5hBPMUB_~b74{7Ts=lL z?}%{H$u)z2Se=6XaZ71LmNc@Bij>D&4y`(^f^VDmW-~ke&rBaRvdpCj#4mhrxyL6qmi{~}{a)sDaTuTl*G7om8#8QJgh5*s=qb%#Vlz956Xsc$UX%Oi zrd|aBXd0wXbQQR`YLIIo{z4BK5Sw+LOemkJoSX{fFfTkN*ISR+v;QK`Z$XqJ_kfCs zErNhwV%H8Kwc|N~%)$%YmOi|qAln*PLk}Fl7>_QPqbLcU(a>c{xMlY)yo7*xM6h@t z0qI)jcjo612gsUW4=Th!t3cWta6C3*BXsA?r225bM-Q(R0o?P`O!d4TVq#?GJCRFX zMqqqd_YFq5d=LA|HC^!{7)<50yPRxNWXW6ruL$US7dg0_wfnX7!yi3XalJ?q z1%h57808>=L;EX?&K@+GShRyztqi(<3%`60i|Ak+p5twq;pE0M1Tt|O4&1q184O*y z?eAPnK>Rk;jxhuy4ZiE>Qa#tuqL6(;;Q0w@Ep9sr3b(cv@ZD1!Uz$55$vNNo0}L*Y zV>$(Z+Nypu{Q3>j_@^Qjqz_BN?Z=G1LEhzN?kds9b1C}eW$2@I726)a{C8z^8tCrs zv(|F#vBk;m&3jzbNA^9gZU>CF{vP!`3&~*yca*mCPyu=H00h4U-|o>+3|mmW7drIU z#rxyM@Uz}dCV&8&%oy8IdN;C~;;fk!hsP0-us|=6xreH+v42M=GDig~X?^gU1YC4r zTm4E+G7qN8_RzC=3Y_|?#8lPAo|iX){12##Z0RR+A1|;)FUH9AHECQZ>#>Z=V7=R9 z09XLilFd@Ds>BB|jEKXhhKaaGL_LA1jKb4q3LO*@3TYWI#A*sWFBdrD7*Do@flFWqE%b9f9{XVgB&O}hZmFs9FzYd%_tz+ zn0Bxxha#RL%6Pt3XoS8OXm@|fB42Ljrf;_wfPZf;KYT$NDF+8wL+JV$N}|UPX#k6V zNojTns2*n2ed9*p#0&|w2MghVf*QrkDR5`8^d!n@Z2iA{ 
zBy+b|{o#aTMD;ATclT8LHFkg3p9MazO>5p%xaH6`D0&8>WW)_G5LrKsgaXZiV_-%m-=enow&c0rOWIBa(+!G_usw1W~y zW5O~BNqtbh=bY7fVEg^gsx|EivMzP1;}~M;9ZZa?8cCAMmsTC7Dx>c!KWMk_6C_wLAnAePWx{ix~ZEp zUJg`oL29d=%=&N)`!T32CcCMVQrkdxiINy=#L7hg72I!6TCTJedoLa z4N z!?ibg z^=PnBLAUwkcZxr%Nkkp#5cYPbz%$&;zkn2|JV1;_Nx*#EJv^>!bJitLT60M$WKh`s z_D=ZFG<5pJpC!mfSP|w7_8Gn-?#(0M_$MFlH{iiB&1M;CiC|L}T9LLJVFk(k+>a%j zv<5TqTD%=p5a(b$pZdmhGWT|BR5d%>m4UOk5KS;Nk*)gEL!|0YC4zq zoGkbG6LmxaekU`ZARW7my7u?CPoePK^)r5_%B)4bGA=j?w^tKWVtUL!D{<+y7v5=zOMfAW7|3QavA%St z4uzXybx3Y{Zyw1T6m%NNb&2s-m^^*E3o{;al&mK?B_M{AHOqRH&M_JH{@_9dgJ1Ez z;A@WW)IXXqQIv?f_%k$Nv$s&o@;&7<>5u0WB*lM!@&G5bjbcG8RtXr|N*zg3{z4Pt zNpJXETO5LaZTW{p+T|_IQ|{6;D%IU5{%sU`hm>1ti{6GT?eMMZn zQV2&%Nm6;#<6#`v&)x=#_@OY~J(oDseLMvY;+0f>ae7fSC1WM~>LTnkTiu$yt}v@c zyG73-RSornHRb%C!twZM@#>Mzd*7A$E`GY?6SgvteNau@o;!*)>-t3%zxz>te?}y%)wMd9u?Bp1_=Wmf`y8IBR(d$&?2NmN%17{hR?D9x$~3&#rC#D2LI5Eh(h+) z4|f;#Xk)As5>*YCel5*DR}y(M7}ZJc+R{U^494VI+%t)bXBm9O^y79Pk6`zmQPn!d zp>3ao@#)*fE#p<|vy-lm|` z?CpCE^T>#rnFCldk#y_ei`pz6A6H#khX)N3ZAE;oerEr*>7i$Guw*xC_6Dtsfa$)7M-7y_j&X1)cFptfUv>>;8iwj`r1PZ;cfcpk#D$2Qt!lkWW76p`tZ+C;8w z(d(pI{AQzWEuL3wkkQLNNq(aYoS`eGZ?QTNAA>1cxKV-pZi zWgcJ*L*cP8X3Y{Ce#VpE?6bipsF!D#^oTnJ#%i~qT@pO`wd1E5+MEzUjOvo1b*qGz zS`O6)acNe1{Rwdi@=-!#Zz6D6fM8Q)yU_ECcH8JG`UF+dt~0VGE`JprmBc#gf1!==+Qx+<*VNpNMyroHvwkfL3w4MQ=Yexcm!bpucC1t!+RiqCP@ zIvYo``5lSuiD4I3ncLP6A56oNZRgN0_p z!69ygIl{#-n2r(4p!FM>omTVMiM$iY*!ofEjY;ZyyGbotoIoNzF?R4j{&T#d(F5Vx zcF8bFzPB2EhxS4w)39A_RwHL!r}zq|FK2kE0%{#$%THztfyKt5@P&4X!~N9@(L6H#H${?Hu%9&Du$kf)*`Fo?| zr4gE09GpLf8h8hv;o>#~Je}?N;|4fwo7eAz$0Klls;H@K?NcDl#Qr zD)%J05l^sa<&gY3aI4{dEkW%h_|?)^-H=MyQ%&*=`^tR<^NyrFYFxXh$q?pVlY)dT zs#BY{CKd71*em4*^C#K7?E=9lrFYQ}uZSscW-EJzxnPc`Al4Isd@1B!D-k0-VVuVY zOEG4!(f32s4xMa6%6a#%6KB54j)Mrg_GTkuwI%Uq0-UxUXC6C|5Z?H7s&{CjUO#%ev5cPdg{eY+q+h2TvJClkmziZT zz}NY>@EmgnydP>1T=%? 
z;`xYh<=H>>Ys_yaFQ+!B7Q(M%zHOVN3*WNI{vmIn363+sil-ZzA!;SHMV@$^U;HXo zmXdQX%Y-CWr&25TId7JSQB&8e)kMRzQ=;AZ*FWIYMs1Z3a4&3Leu8wk1}rEmm1P-^ zA>bV#irhr{cpZVunt(0j-_!Ngy`QfyR69+HEWjQCyOeaey-Z?GDucWy5Z|;~Hoh$= z0A=y^H$?3jo!La+X5e8s{ez?JI|Xc!BT=miYU#2<0tCiN`34X)3lVdw>2s)Y_5*6d z6KEt40TIH|?X(v`FJ_QD^?ij+1j|*G#5Gwv72w?Pf&A5A0DTqek zZh@c(V@9lEvjuKaMnHu8fVEJ7Ece77{VpDF{34=@c9JEzKv;qVfB_^x+7f3EY2T+tjpo3pOP;e%& z{>=lm!A9*Pa*%-a;Pv0%-f`c7>ZIDV0|ciA%Ff~U%#zVTK=1ghiJ%_02m~tRB~O}U z0^SSRJUN~A71XQNnE`vlOA+Qp+6Fm;T9-s~&mAW7>YnOF%tuGga$HEP}%05pQ3IWazNLm#-aFM|OO zmrEtpYLujJ1E6$rTAzjqJxk+lrI3uk!!g#X#oY1Ao%pbhfiiQ^mO@h z4(8i1oPW%v2})`UJA{@= zsl9(rI=Flt4n9<){}QPfTJ!y?b?eC;XZ#;8sfdgHcn+qGhAn zV#^zG$NGeH(wEC1jchN@7Vi^Pb8A@?2XbgNo*wNtm!s94B7vnqY#4fiuJQ$Nsw_z} z_4JSa_a8u(fip9zpZ9@l_9^5EhhY0qfo$4~aX`y>4#v8==8W=b)zW`i?nnzB4l}e5 zlk}#1S1Sy+y^-2$z!i16gNjym?{hl$P2I~q{XN|1tjuQVNi_UyLNgfP1OO;exS01U zm|&s&lujmsaecFIY3;$x#!NiHwW>n0u#hfQ0p6}#K$!J^gFB{T z*xCs_l67+T-T-!maZ`0WgB6-CG><*_>Lz?p6(DqlOzG%VV6h*+vek1xAOiP!!>I&F zc1m2-Txrh84B30L-hhS_4#Yp584(`C9vd7Y9u{?{S+q>}7218F=SyqoMpx2&RYkEs zL8g&=!P=k`Vz1euTG^!-&(fcvy-`o7FuQv4CCv3;iHAIkk=2>byO=Dca3Df`0?0fu zzjAKY>35%PJ8Z$Q@q>v}fiaB|6))hO0~}so!bYTG4!gMU_XOmJl;(v#~Ksy#XczRmy*S6^??8bL#oFwO5MjUKMU(3aAb#9-C~ zz)Vwv=er87xjol2UG@bxHq!(r+||XW?Rs9oNpfHC0Yvk-FgA4XDyTkub$XH0eP@_K5$5b6Zzq*by&yZEk`t%$MH!48vCKSgJ9BKeuq4=oV45I&jFr`0ER9D>+Et=M zA(NuyC8!#CIepjUHafXlc~~@rc;W&WLb{bXvd+!}!&z8cvQ9E8NNJ~6=DN<#zr;uP zgMeYJkZ1rOIRj<|4)>e2$ycB-a>jA~tXSVnFp|sqjq~hz);_&i-)ZT5?r1bS^pK+L z)-=oZZ0j;ckJS&Bfd9<$#g>=D%X6JM5kEx{ou=r5+Qp8q-V$Jy(8e;Lrb7_t?XC>Xf&AKCv zja4yULbl7ceDP~d+c_B9xCaIit3|{jvn7@$)E=q}n&M}1Ge?yrks3Hso9&m2UvR@2 zOoVK%D$y-VIBaSd+1fg#zUB!_4rAhaCu0MV)#r`dQq;AvtOVnH8>}#@rkLSmdrTv@ zz9jWPDdSDD!e~6*Oyt5W8GVb$Cr#?aU0j?6Nw^59*kI46KKz{DSDt_BEx%`UAWkYT zY!j5xG&}<=4)=(I-|rN&*jdeTHj){PN->(%5@ZE#3fPS5>lrMuXBQ}cflN$l)d+LB zyX1H?gy+r=TRF0B)q|=miNSTWI;5pZYEUm0E0ku0e)nAQ5ecYyCRza=$*0xN44y>n zDZ?UPtWRuQnu~z$lctcjU2uM$v#al86)fU{O}gaURg2G*ila7>I-L5Aqek>wF<|G> 
znc?fx&4LZa5tTV44LA8H*+JsA2&~vYuMKegm`Z66r)kODl%RyoQ7Tiliv2RJ+PW*= z;&E4&BO8~hsz?M=@^fVQq&C(N)rM-KJ)a7$&`cWAKnM{yTKG>9O*rB!c2>(wmbf=i zAp9ZB;>AyK!p)3lA`QG60dhIi^Y-nRs;m5k9K&2AJyJ+{B1ap{^A=IurQL3Ryu{`^ zDO9WUSg2}z+bkdUB0(5kSnZ)aWXC&T`M~zCkB(!(^Rz} zFN4RL=p)E0y^>3L)`vn?EiCtTUhl62b~ur4!xNvHXJE1uYiNeXFbtjg2-y4@D$m`0 zH21{MtmfCd4sZwk3x9G%02W0cDW5Ij2NkYhRcXPHHsT(oI*2JpX1A@i9BVk;UuKz# zYJ+k;ep942{l7nFGCsRY@ohJEcJ#lKp_xQI#7V(1(j0@NokDd*iVYTvYDDtc-6k92 zebFk&!w43$RWL65TldMs*VvWVF&$Z`LoIgydxYhXVzh-`%ewSQZa(}gjw&6a4T7u~ z9r5y%>Xe07+K^JG&;V8$)l5_HxUH6P9<~^Z=QC}c{4o*XFHXJ`EAfmf_$qUR@iAWP z#N9tsv>d@ku779u9kL#8WA_3_yLmBTOu7^Pn_mnqt#CRgm%|OAxr|^ckrQ=ft>!1o z*rwe^(kD-2?L!5+ofxyuDX#1AY8CSiW1`D7r8>(cN*ugaQ{cP?CJ~}6 z1cUfz$B}2SR&Fud*VDSznT+%Rs^(Ng{>;a>>ZfcdEfh)a4q)f?xIrreb1Blso3u3b z3};LPqb%?@?ql%BbhcrJ)>0Ou?wm$;xT{3^MqHjK6ZQM8+tleq^P*5uyO-dYF;Gt0 zm0Yp5(&W_Po++F@kKkyFGd?>Qv94s2ifc|`Fw*xeB@LuKvJ&RgwSPxyqIHV`zKhb} zWEqb3#3R=>fvX<#AzeVFagmT-Sv6^pA}gkP-EuvgU$D7WY3*F>&2^eOJ15nv!kSw1WTU7`xOs6y@03nX5RG$3 z-00@d(j~KG9Srp;Muj+@`D1dGoPftwIbtrgG@AI!1+qGj`K72~EX7D&GW!;f$EHT$ zWLv>pbYaJieEz8uhg5f{L7{Pn`Iw~&;*M#{MVX;BsV9oRSSgl0Nxx3ClTYcil<&FQ zo{fMn;Egc~i{fMbhj{I4j85^vzO`rYGNsTZOQbNr@$)hbLCl}t8_)VGcbg>`(JhbV zCJKn8=BeaY#xzIHM%cZ+#AeG<3J1U6BxDLEj{kF*n51YNT&G2@9m%C>M{0Jz{kt88 z>W_R^l}I0rZ^SoNKA^jo&oOxln%sCj^$l~Ky)|>0#_n06c^3Gx!nNIhZe;+@)P#n|LXX)F?2?pu4~4>o>>l7K zzx2GQWTB9^?G=mI@F6SSUnH8UR=1+OO||SCDaNl$l6t;VjaOpH>GV6KBK96Z0Asdr zG?)1ga*QX(Ur4IVy)8nHiy7TZRV(1D9gc6&CZBs$OnmoFTJYv&GEbJ)cPHTVxP0W1 zdB($?>4;(xve1QQd%cH7UMZ_tN#;{cLPv%H^IR_P_oLs=v(l&DOM54hbo!)~?V3(! 
zp9-!1B?J>RB5`f5%Xk)^TP{A4b-8WjGobH{o4O9J@EG&zv}^k5ga%Ecup*J4REjyI zQLiIcs}$*y=|)ykNo3}v(BlzA!EHv=BSgtey-aGtl=VH~B#AIy)Wf|rd=N@#JAwYZ z$y>}*Q~zD`gR^2hECfr{u$g#toC;j4+brk00XJ3)X+2ln*z$`iD3Kz46donh)u9*H z$v2=&JR)^7EIT0QeQLJ>Jmtr%D_MP`IBxRy?sO<7j1x;7Q6UP^(hH=%f7Lk`Q=uum z?y0DJ%2wZIRyy?wwkQG54Ub&hw3D_0#u4rSY$84v*&L9mb-i>d^s*Vj!eP-a3P6r* z*IIb|bWkawC0OS47%Q^e?9%s>QDbfUN8J%u>0?FOnW>dfj?tMZ$62cCvjBgqI@!t&dg@^N2` z!EN4yO+!eSw^{Riw&#n%_5UVuH-J4tx_C?G0e=RA&a10shX!RK3CPQw6deoYN5hP< ziNyc-Q2+Pex|||6P_OkiaX}0DV@dp!(ytYP_H+ImhdKY5zW=XDhTGsNgf@J^-N3O-V zzFNue!BaO6y#K8CBGb-r?dEJiTBB6d4~-wEC4*YnWJkf>$(rV8NkKE{!$rdvy3OC& zbB2~Gt11n*EkeE?h)fGY0G@RTAb8^g?)OT@L1|&uP|>RwxbvAhbNR$2hXdtgr@`-W z^T|E@AEk2sxU*x<6W%r%e)BMX;G^mB-X_C`-zU7PuWtRDXlTDtpc;fz9R;qLYDLaX z&W29QV#eXGiTEZY;NB7XML5oVc4Nf83zoTHz0oNg-J(8y}SHh&w{x0 z_!Tyh?MFHiSwfT!V>WHbpuPl*fm=7!Q=yyPzt5MWdif>88J3yKu7D?>c0gD+k?o{X}9Ry)f<|O4lAeS^`c!D_AyWKybOcmGYQ?FFDv&gfDa z7yi5va?^J9WiYlj@@CssBh-Uf{7g7wU-IPF)rnUx)$Xd?)I4} z{H_9b&Lwe?uS{fjP#Vdt3DHOcMei(2Ylssxz>`e=$(Z6JG|;xtUTjJDMJ~*;Gxrx; z>{I_hybb`Hx~yXGZQ!IhJ>!XJ0UjlQuRXc@De8)u3wM@Ism9l=THTAlaKjxB`f$Fi zYEsg-Ujx@ez3`n>#6TI;G~;^h&vvTw-PvBjDEWH%52WmbX3$%?xcT!J-)Rse%T^Cf zKZ!^%BPs8Pjkt_N5uQ~o7t|Ul5g*06gY1l)`rUf&1gqMcfuL4k>)Z>-y$>~E%sY0p zy2{lr-Mjy}*hm?$O?uCqrRLmlupP9DVOu;-yCY~4L^X0kzZ^Ok1qB5tciHNlewg5W zIkPOF=rrUs+y9|5Z~(zztBF0L&V^ovNUmWW;M0!O^d^J>U+GJY-ksSWKod}Kh>rzd z^ZCbf;lQ|pdgkeRMT~Qx1NWr|C_*7&w$#toz^T0*cBL(i%$;%c?LN@)Ocjg}AaF%_ z{A+7o#3Srd9HdI_i7__5+Jl_w5MIAf$LEzMthsppR z5w|!2JSCTB(zT4Ugh~Zz8B;eOlKXEnOBR-#McAs7<*d&F>-J+O<^m6-jt7@FKbd8o z&jJNRy;~0DbFylu;}L@}#E=U{H@~KOQ0(DMH zIAjJaz${0e$*Bv=-B0*%6TuNyVbp=BN~9iMdelPBJa5}^wBeS}Yeg7*1IRC&AyouX z$<1uC-!R%zkWv4Z0893PkS_U(+$Efb66Say92e-jlB&h;Nq*j7aX`PGW-#^U2=Mng zJB@%2x=Ack)3d`G!XOA(xRpC|(hwkT#f*sC=#ccyq0Y(jWOa`de7sx61>9@uV~+L; zB!|}^9CIJAXt(+yi zr)XU9N3K|HSGC?Mcm#+!4eF-FZ_i%>2knK9 zY}`@x)cu?y+f?kPUFws2D$*>BuD(~MHs4r|I)MeSxd1VVnSWRERA_T1=P;@fMQYkQ z3B&*~O_ZyE`;0-y@c=;5i2++iO)tYGqYJDon;?X^NM?G|kD5UxqUNEv2vj>5fae(2 
zJ{ft$2r1{^zWzq;3%I(R<4Nvq@UwA&s0muEQ4mz1F#o_@!Y+CJxu+bKM#(yAqI+^Q zDlzEz`icd7G)_RTP!+Altn*Dv0W=a>W(8riEV)Kie$Tf2;%0QIaszDzyfN$u1_FKy_uVYIpUQ| zf6-J2IFpjNk!Sp!<61sLh|i3|#PmJ25^!4^HYhaUP`X z77-&rxqSJ15Vb{tdavFwo3!_-Em{q+8CYPXih4Lgx(&})M+_g8i48phc7#AhBjNaG z_bE4{nBB1W>WD9UvGYkj8Yu6$NY%h%?_n0H8|T=mf9wRZ^6Uyvrpv1!);A^FC=r~> zU`~vP)!?196gAInpl5a){;0Lot$Qtpl^^0IKRH6;!r^OOut$)7*)S5L)r2c$22QR#nD}k*v!J*_t zDKHX^n~LC^F*c&mil#RsIFmtUNMI^6bQuUA^?`K4c-!0O=Qn#zS)I^6{DW0Esg$dv zgFj7t(P5GEDye?j48a@+_C0BKtvO?OMzO_$k;mSaKAo2_OQhH|L!@2mQq_~#AgISw z$AcsaK54SjrFahti7iQoa6QZp7^;P$TG8f5u$aQuv1a$Vs~+%Vk$}Tz;u8V3`ZTbl zpE9>y02#?%r$hl7f9X9cb~vK;2Xi)pexE3^?yS3O;7Z;*?9wn~dibW#uznv=2BVvO zlyp#w*L<$c{37~wH^)}*tH|f4InE!qwiXOi{hVA+Phqo_Ea)mcDK#x{&M+;E(rNjK zIuetJmqs_|8JaOnU2gj4&96>jU{T_Q>Hk2PS_mSTSd@!>vC@d5;`MLY69l@NEob98 zs*!-V)7on5yt^8U_1C8(cJCv3=^Qq?_BcU=ajdO1M$PXs>LlcLG80PDlh;CBCxnup zA1?uJ11H{V9i+13B4fnvsa-uYRRsvm|P!?8UlA6q9_M!D!teu(o$QNWYEyN(vz> zu*11bB1>UTA+Po#yPr?hwmQ;s@UTHsw@P%*s)K8+uTk9TfW?F`qZ3nLxpcFpq0uz2 ztfQu>ZujuC%8zHqC;K_f&Y_bjX<;W^-r5I`M_efJyApdYy&3V`W$;v%HyJ;ca zzf^Lv`SPu&DuZn(wehFEa*U5!4hmi=DbxCGvWh0Tq8SNRM30siUs+p>tdHxO94Ts| zv6cq-ci;*zc)qIG=>mZzPxa&nTt{CCZSma1UO(g#&+N8ra!)MjRmZ!vkFdaM>(>$N z+-ys_6Y5dV)9hsp@|9&h1)F zjI93aYOZ1N-3k16GIg^$=-RMKn9G%8^8j6b!gRL$gwLs&qnxnFQ|q^CX*`p_7p6owd*to@7TCoqu7$UoTV zuPR@ofth02ZSZ!S@ln)l>MwfGw((Jc0rgJHC@sQw+r!vHp|w(crv5?!@%0-$?muf{ zgAzY}k*VAT`A^Xl_p6Q$G?S_0c%mL{j{J;x2-~i6q-rJ3@d@E?Gg*V2L2yKWqy`U@ zWtA2XW}(ua8T7(uR>GpQ`StGSKT1{iIx|sTXb#-3tx8^8wN~&aO7ZF_Q!<}1s?awk zcSbRM<|k5ePY*Nq!MBfE@Mh)Fx}UZ?K1Qs6&75i$qS&y?f28}n8{g(c94DmRNnqt; z(p{V_PG?9tOk$h3Xh*_{^Dem)jij-0^Lf+Z`t+)}yjxp1mK6VumznUO7+_K$pmC_r zk+B;xp1xV{B)(JZcNzUWa;!M_hECP}ogjcsjC$5&Nkl%7HZpnBCqredk`4W*3K{2N zbySGO3+3TVAg&ji+{Lh=mJAg$7Z~L|P~Rtc!rl1=8h@+n-o7jOB17dnCZ(I%D?^8q zeH%~P3SL3~pnIYpev@EgBz8k;ZZR7goMJ z+xxTVyK$$ohVbIB*a$k#m`h+5zK3bQvbMqhZPipAMzL`4vW~XnaFp7FH4UwJ<=}L8 zw^9(LA_R@|5p|(EGFWKw>vKih>PzT9q@U2kUMIBrb}Qk2&1RHUnq#B&JsfrV3i-Ny`4iebQF?$=*`I&zuZUOmfN{8L->847Ov5Wm| 
diff --git a/assets/images/virtio-diagram.png b/assets/images/virtio-diagram.png new file mode 100644 index 0000000000000000000000000000000000000000..3172191fb727cdf2f8774275f42e9118fe450eba GIT binary patch literal 75383
zP}H+-xIQ_y)^Zk{{3K03U*4HQ*3F2vYk77x+w8WR-mZGn!!xYZ$l$YtN z2+G=i%xnM_JKu&(^XD0JZ`mtS`KbjLQF+rJ9y=QxO;n!Ht-Ld=Gi*e5;6RV`Bcq=Z zH(5z5UJI(EAo&B6^5F07Ec=x#kF7Kt0KZkFqQY6;72AtJo!7*XVjHnC44toj&Y+gi zwi~^Vyq2GgWs)=)ZAu$XK4u-+0;?A@z2o+T?4>rA5#_>T(x6si$(Qn;09pb1_ zzSD^P-zTLTDt-AIs(gYZgF&tORUQ!5v;n0x%KWZJ?$>N`6otK@xi|yWZnPAPCZ)|0 zi{$25c47Wgq9VvMZZ6Q$9ml=wa*#@BY3)xjiD&hlMQgNG?+wwrQ0%0pblz-U250mP zYaI(Zdtj9>O!gz`nzlHnKKIh`Ko-}%-pCFDAft1Ruu>=K;I3plcmZ$a{*6Iv77u-C z?*p9iDw}q4sM+F~C9n->4SfTULbO7Slp#BK+thFY;hEFXO_s7pVR?3Darh@30+B) z`As<7I$BJ?>jmkiD-_vz@s3Mw1$aqR&OFTu5-01-@Y!jg&JVG=zIyrB^$UE&Wby#O2?pHfUqbUWfZ(IUT@o>l|wCXNVfl+aNaNw zFCLi}yacqQC02*T&iXop`o|PqM#H-#;8p`r|K)WAV94XhyPK?1OEjlTKju3A2;BP$ z9A=y0KN_J@2`RC%5bbnq@llW?FP*0<1>JM5qsBotD2rqAR!<2Z_`I>{K+- z-k2{os_{V9^=iEicw|{iNHWf`@Ri;+y&DF z743`F&p$u=`OV4&9ZnC>I`k6WtC_KsDzIzogn19r)^1GSWq<~YKM|cPU4aQ*PRPt&$w+p#$S7oH&&=#C zJM&Ov6xl>p_8yrfqpW_{x953&f8BrFulshs>vLV#dtF|7RwF!-rk*6)=g}qR51=#G zy5SBP2oDx=6}=L=u7V2p7sWf9H;b3(|HK&1@)BS096}G;?fu*{@&t30nY0x8W_795 z%N$ojS=NWFaF0dYU%mcG$bW||={KmL1VlmERkifm@Q%m#yw@x(!$RR)f6or6p17-< zLVQ9>!nU|84aWHzivH}9MBOBb6Oqk1TpMB&o$(gWqlp=nxK-GvTwjqEZelYgJ}PZ+ z{5ZvKWaZ>Du?Rk{Q{2w&o+y&W>!)>YR99s1L_n_pGZ3F5@9g0N^>F@K!R45&6qN#!zl5}jF z>eyCDg>&V${%H${At$xU`RMvRvg@;}sSbDdt1?bX2Flv@4SaAOw}Y=QLyvPkkwlvl6~kL6 zcT3X??oh?(+l9y*M5+erY04P$+Qa4^^*ra8_x=IFUE{XWvicyuv*kNr&-K268QZ?47J4ytA zAQp(AzImX>)tbQ+s^=m!?t1#KC14@%+S7;*cU_ajE*5@#Y4JxkrB=5FYr;eBj}7(6d_| zj+4i-5#gq2=jivHIMOs7O>MI+l(| zvb318TuE_Q46A?4@XRdk0+(WcZQ=Dm{y-c@+LOt`gHXRUVMr%16|9N9X{&6cD1B!w zPyeiy+=l$c&roCj9lGi}8h+Q=+AanOhKmIgPNgWrboc{G6oOl(IoSHhp)s(jAcYfz#FmU2*GJU z(TY5uhr9%Ujn4z}r($0v)cC-ucitC*@rCt4Iv(3cd{$29CWc+|D`EM7J=t6bwNr!0 zPQmy?PY4SeJ9FW7fAj+PU}lEr{#ac6C|``!HtvX5wr-g1i>eNn_Jc`rIEx)?zyX+l zx?}wLk_3TH+6(mUu==x(i}R%5C*{(xx#g^0s{5-PiPX;Hti9cqI(iebQYsKML$Orh zrFI7OTAEWT9+eI=-ZYPWOQ@s|PM)+6vC!JmI@V!vUFKSiqVplV;a5c=iWwC_b%~j* z4kFxhsaK&oCKMc?cW7_UyT)}3UqD=atcDSG^=MpfuPMSfYk2oJWMslLgAT!XLM{4A z$ekJTlmG=c5jjk@d7G5t8kFgKsNwR)*ic4-BSXLi{lj{cjfW6zjWG%_2?k+FlA||; 
zvwlabX%7iEnEuAr83BfMk-EQm9xIsj?ronnKy7aYXzYZJU@y)>cd{Of?oioxI2d6G z#Z%cyS>=bU>L1+q872UUhlpm&t{0@5S~is0^eDal?_Y}d0TV1>L8V$>KJn&-o@zifaRC(-Lr+NWR#_a56F6GH7C-Ms`GuD&aPTLv?l02 zHLf{#_WN-n1GlC4VZ3a##hvw%Dz+6FSJr>ONmE7G9KjRK!N_;lBxT7MWeNDlHn|fI zBo7!Jd%~!vdh)6CBJe-zmokqcRD>czOYxFRr6eqPeC2Wb-GLH!k1qP{8pPnLW34-X zDZ|K*;98`thw9%Xi}ZVa|Bwn^TD{KBn#eA&116*U-U4^N5hQ+W?14|^!7YYLv8&M) zfE{9&t)-7|l+d87y|V8p`t!oiqeUrrIzJ(KHL}Bb;RwEh$|o-t=*B?GPkHfAG>%*f zl~$bp$8Rt;$OiZ*ePCSHlk;d&wT7ojJoUTDxZZx+ zk;FO5T2Z9DUu)4#vv*5V>86YT^hM^#P;%#GXigk0?tDlc6=ENRol6dd?c=>Kt1OWQ z_)U(44zn6R8l6LJ;5-oSlTd?oOSCx86~EP!sAIcHLo~(ggkAB11!bE;(i!{jzbahM z`&th>3)rx^Fowwn;NU}$!iwq`l8Jj;;u;R_Js&wH&s(f2x@9mhb8Aq}Y>CeNQF+Ru z9Ao^4#Q_{6Y!%G>K@djX{~G^+oYZU|Dm&Ue`Gp*lTsIwV>FOJ(z(Y;KaMRR6p{GCI zF#LP?U?_*miD13}kHrD<3ogqU!NAwmW9aq`&WBhXd1M{L7MD=kHliD8mCbNpE3^dx zPTxY@x=7%&el1Pq_*;?HxLWuORG4sLT+hWR)-J1-9XX#nR3km0Y1cmZ*b-evSF~o& z{!6jK3mG28h>?HK+pzCE9yYA^XLox>e3&V@Kx*;EUmJ}PR%xviA7aD^-M7a1y|?f3a45ANVM@ER)@|jug%0yzN^MI z$~ORP)*yfXxu{Dz8@q{hmX6_M#O%kmV2N0|nqJU^W>Nd0%il|(n5hp+Kpv>Hz#?%V7AiXY`y1D z`#3e?N`el{i6#!Y;`u9-@sr2FG95o3EVHck{`}ji>a`QEsP42Fp_@;j#J0CM-b|Kk z*UIR&7@eytRgmyj?c%@l{O-HDe)XHA))PBPK z2egC@vJ7swZXr@10jY`$pAYA`v+ySuZ6&2%@RW_*`JCYvp7{t(47ruI0Jho%r{CXh zG_5}*QCpYA6JihDo1@f+o_;*5=)TIE$Eb$eQz zD+UAUC7%0>0l}s#kwh5`iy$J@cV;jia zJ|^v_PO&)L=+t+ym+&4z*CgwK=E`J>{tA?~I8vJt9umy<6tsoCTiNC_gS~+oCkPj* z+a9m3-ei82PSpA$s>^uwA+imEYrW12smqY?9gbtiCz3>qbT=}7Es2WzzutK5 z`Y$4gejHluNcpO4a}45#7=yj8ye_-YWIiA}egRciBSc;G*Q4EsWUUL%#Zj+iW&lFd zz)y5nt~mlyL6H_T*@!z+0F;<{WkhHa1_OxB{Cb$hE|o_upR0W#1J)X03$j`rMKQj} z#wZtK5{e@b8I4J@ZbxPnMdt?ucxpw#;d?=Wa;D8csL>N1W-Xe4La2dEIh*Z13qRb4 z`$bnyrVkolvs>}2i^T~|XeOBJl_&WVbUJJ($4UQoN5p6G*+1DFXC4%fmt4&6SOnW= zG8L&z%ApuakBX4(F~6^|Z*u{O#CGlz-#fHGIAiq$$67#%wj}N&WWuaQf=V_0#l2E9 z{3ccDfc}d2VVlz%VFv5D-o4e`Wt%UlPbF>*ClA+TEl$VQ6j2T9&DA!Y*iE%y8TG)F zHn`sy7P+0&1S-NxWN7X_;e-Qq4B4;fSL8MUGd5mD3&;Po010|OvxZFh0Oi_a{sGeU zH?s+qv9cl(Lsi?~-aJE7=@|Jg(!tAT-tgquTOU|4YNg?6c}1#$OMCXEJbmw|@o-bp 
z2i%G433NtI9yA@^&wd~Bp}Q^YNAUxFz)YIx{cwDm_M9KfbSkH^oAYbtwi#G{=_4NU=HW_l!2)y3haPU*(=3R&2 zb%)h!Lqs}6wXvBLuSy=|Fw_5`@|!8GKWr0hjArwbwX`t(gbFwXsI>#+j4yi{0K!0)xGxXy|9`Q)Adad z>#HbzoNEcX+Q6XesC1cd*YALL&X2%)QTR`)`$UB8$mJNK-tY&mGj%WZ8e7j$p;nT< zU8#yBRYNwd4Sw6^?x1x*NN|eJaGmaIQPkBttSL9FZ9mQRggq90(;-Uhrb>>UeU~DnyjpOe za|Z3Il+C6TM!;4nvqXhelE~C#?B)cwI_-P{3m871}Z9f-#fJgR8HPs|Gjr~1A^<#kG?Yc6_i=&mR zOH-1Z>{*&%i2rJ)>+#-Uez@aEysO6kRK3udu8F`9$Cq`ops@XyL)JFsu%D{cOXeV_ z#i6K@@rhO8&-+tR$gZ|Q6Okc{u=gX@_IOijt~npF5^YH2dYN#Y76HN=q(_<|gos|F zmDsotR(6h7{4+DDoZVSp&^vM5RK{o{Dvyzm>4uzH?m(xzs}=na7#dgZSgY5&;_kbD z1J!ql0U8*xv^nNtLptI0FW&_&-n?}Tr}b@)iDG^}VfC^DO@*4V(gkGt6@uSuw&~@QG8tA>tDiENM$U7MewmB z5pgwv2XyY)2@heYq$KHosfSa%^5S8@uN#BHpB}kUMo=ta5?{f;YrynBZ;o@h5U>>1 zj3}cSp3nNagarh$W^C_$f0t88^kDtIQ=+~jiXCzfRQUM@NGj$yk+o7BzYO>`HTqXL z{RXtuyX6GN+6wd2MfMCX2S4DeW_EF5`FaP1TX2w5)V=*)b+3fo%8%MhPxG;5F9XDk~p&4QED5RDLvyKjFmPQi@2Bleu0i-aA6%T?Ty zWjzcHlM&<)^;H)&fYC@pAf1ni3NsYejI_yh_l>=&xON_HC)S&b+F}1lcKNOU@7-~r z4{66%x`d3=>6(`gS?k{A-}bk}v=5E*7bcC0$TB_N_2PFFQx?Lvn@T zgGby0Y^b_!&seK^m_%m6aWc5u!-QU#M}?HyMi`dWs0i)EH{4$nb*xrPav}^Z<#iF1 zwh{WqTHImt%$G&gF+si?83QP4hd=5whufyQm8LyTGEb0xzw)CfCBrP{9$A_WmBADD z(ycWE9f$c*D6v}gs*6!)N(C}rmJQ)xPk*#rP&MV%UCugtJ!ehmZGgMJWFQ=DjObtq zlOgH)PwxHJn*wV@4K17nQnp3dZ*9|EAwHk;iTTKIup>{F=&hbb5pwCJh$TzLu*ERK zRkC8_HH@8g^n;dye7@@5o&DClrvvkFrq-MtdrtQ?tj7BoP4{M8{L6A)T7Gu?S)$lY zidrN}Qj42~u5|i=nQoJ|vpX@D?`?(MRM%)utXSpG8ePbz)l9q4J~`9BG|=l_1%Wfd z1K-T&2o5kT7!rqIYY6TaGVRU5#?1y!SGO^p7WqR?&wNUa(!Y5i;}=DV68^8&#l7~u%JOuGyH@naSj|6}+YvLq7GtnSW` zSk1qK{Z@mAF_P4gN0OAezUgnUkgyA)D&?mI72KV>G2KkQ2uU;nvuaG>g^$y)v10K* zmo34nNGHOO^=U^+V%B@wZABUN`P;ky|MRM_eo_H@2$!FO zVZVAQm5lspPRE|7$0mzd%O2tA?n!V(kVK{snx`Z9TNh#XYQRzy4g<5fzX&>OR9_rg zy$BZO5V>D|q3&>}9cHN?J)hepHZbzVa~Fe}-*8uJ^Sqh2G6oU8V}03wY!pV?FiGJo zz=Xl!aM^KHMP}AQ{7BaorqR5&M9?zKp18q)$+l#9h4|mY&iq^bxvBC4Jm`K>OQP~#wV5Ac#cL?EIm~vCr{xwtO`gjpte|RR~d)d!LGDD?z|Yi8-07X zU#be|okG_3ne#8F5gl}P@Q+z&WXI0uQ>?t=Lm?;=VVewHcB=2+rj|nWVSDnWcO!MY 
zf7Oxi@0g_DAfQ=q_5EUy+ZWao@R9YQpM)Gv16MEx_^f)5#C!omgpYQw-fcM)$4qy@ zt-wZ1kQdD4TYIzc;uET41$izNN6B3{fBh^j*1ob3!5V9z383N&7P6LObwIqB(CoWB zWs@?!G^6MSgvI4(Nfsl8_JD?mKg_cghe{#d2d&jr#w20>FN?53XU5oPBj zv82GAvKNXGnf6}_Y6kE&@jUGS=4R*Z8+>FNPi<3XBto#V_>qH+|1YO`ju0dqkq<2%#L9x`rpfp*zm>> zj5ZB+Z%26X*KD6b#pKi3mP-P%US^Iczso!b zf=5koz~V(+CY~w8tez=8^4FGTX)ykCi3i}s#f~NbtjFNfO`q{ykoT34#OSCqzD==F*HR*uq9gsr!Ql}hU_7XN)cFneS3 zWq)C(X>^b>x_v2M3 zqG7KB{YdSEDmHENJ zG4}h<=`K`G4-Uw_d6zPqFMeXxM#`E14EC*;u#)liD=oEQg|k!Gi|CZU#Gfr=cOc9p z#w`Qnl2eg5To@CZI&*(4u`gm*xasjiX!VZR-^~NaB)XjfXl*5M+?;#a>97?e#>f%w z0|tdSD)*5l>_0}D&@-^zx# zU#Td8OTCDm6z?)Md(3kiPB@<%zLDer%IJFGN3i0d@K|_2?O_Jn?_Lz-2|AqT*|LuO zv+7m!jQVmG_U6u)@xRDY;Z8)}IV9%=v_}V`NpWUaQ*W|2dRJlfnl;mN5maq)2%tR% zi)p5oEcD+F4lV`Wz_s@L|C<&0!S)A85;Tk{LdEtFT0v&?FL<)35O$!Q#pq^jGm0qp zT$1}{`7ueRVma`V76=IQzu(AAbQ?aEeEaM7YZ3EW_c?d2*gH>U(-z(`COJ(HN;3U< z7M}iZ){ffVJFcCHmr{X`mV=#{PqkWy+d-@_g!*46>Hu?wgq%2U*Z@ zl3&?8fTdm^H~sIth2eS#^Y$26>5GZ(eza%=CfyuK{4rZ3Y9vm3@f(Iy9`*GDC?>X$ zPo4JS8iU|IVwMR}9;P$cen%dTi;rTxR1Wh$n}tSgxV=EpSFx&lc{%oSM}-d>znUHbZ9MA#@V36k;^Nlb$WL?CyEcsJruJnz zS(W4X{oskPozTvoM;Vc#54_8HTq@043 z??@4U>cFPY{mYE-@*eH}FsM4x5v^5H2qc~tk-6u^u>HdFyab`h_g>sayd z6xp(5yLK@zbAjsF_kzFa&!*kxFci-SL{2+eBiTpD>n7m;B6|8laiUt4q zS%GWjrx4g1x8-cp*V#er{>3{gRfdUSszKIe`+LDbPxh#noE=lV>Ga?|csYLRhYmxW zRpR)FiD~B+7?~oNeNM7+sXmLspz+~Bd2(FKkm+2<=u3@&+JOTdSq`edf2PrER$RxP z2;vR0&Kd9Z`7EpXjY?zAgI?`bYSL4=g$VO4@F;ZHpMQ zLZ7-f6uCy{ahtyS&v)%E8QnC~A5iBWg%H`M^En{~u6!scX!o+?gXo{i*K}PgcK%hE zur+B(zIv(bNDkUUJha!(FvH7d`(cn8j2ZNV8LQE`$R^VH%f5|Q8C*;u@ze~a*|Ay9 z^{d=zZF6&C>aTG}y{CS5-w2jJB5-!=)(7vndvJK|F-zp`K*DBU^_^*0OZC6+=M(01 zT`0@I;r~B&&&!A$weCp)q0}B$lX`$@Ons$VljPtp6$Q(CI#&S{TL5r(>;w;rJc*#3Hl&IzAmaJ|9SIUYliB2+ za8VBrjIOS*io)%W02{F0Zn6~DcZozB=OglSuQ!Vd-@|JYwNZZbOpyJ9=ml(z!Y^l1 zz?at~jlfqYZxfIcDRNC8l)3-Cm>b~zRbtlK$$KQ00jB z5{y1DaehfAK2J1MORuIq>aSmpi~645tVj7z zYT7l*z7LY`dz31|eHC~Z9qwajzEtkzcCw|E;CX}_42AjZH8SqBUb|xS{~%1ka3WBx zRS*^PE{46sf0TYtkNa8QtByNsw7#^uPDwtHBg8XYrvI*or{x@C=i==WxS4t+y8$J= 
z5AoQ=%`vAUB{0`>rL$ z#d<4`GV<3CA02s;_UJ5%j|UZMuf(c+)HIBCeo1=dQ}z>IZD3S_BYoNy>ed$_wBPxE zNAkOafooGO>iJWcr=Bwj%K=pBhzqL*qGa|xgOG_tii9Vh&icdQ-Mi4EaD59s}^dD_NQT9ZZe{%3Z zN4F)UWqB2~AR1cDuzWqwx(;!@+jXL`(Tl-0*K-8Ya_+z`(#zu+O6E!HK0{||`3PCu zZ?!WcAg?c?UmK`K=OVuO?NO6@DrO(tpC{Yi;_4I)PoRA-Vm4}|lsJY`q#v(&W66ye zI`g9iroV})XVw9hHFCzVljbp9vby~J$|`c0wo10cP+<$xgUYGWe@RAXQL)8=I`y7k z0`m@QE@ngO(*rZZ`A5)g%n2>rWng2!y0h`Q<$IcGq%d!EX#kZT`|zQ2oiTw>*%@LX zW^5*~#A`A>t8tkl09Yk#0^#>>w8uq3(uGaU@lJQXktt`W9**Tkwke53>Gn*Mw*a{D zA}=}#5^LFg&~uZVG{SRPptPS7cGJcR*6iE2M%zwdiW;D0{H{7CvR)EP{|BsmMfN;E zYta>1+Y5oXcF04|Ig)Se+Jet$st? zHob`w^nV$=+PNiT_(gjvVEEe?kb$PUV>ItB^&sd>jjH=k_aM@BKs<{4{z+E~y^-;_ z_-R+(?JrOh_@rJZ#1+=2-RDrfe0JCs4WfX6-7 zm&3rurcC_HQwNfY70TYthgvZ}s0k3^oU}a^NI)W@r#VxQ3Rbx2{)bk1@s%JbYWSbV zV3LHNV)zWd4M;9knMsrjg};k2xT@4q@ljY0JEq(=>k|H+iWz$5Qg?VQC(_}o4b$C+ z#yN66IwRmQc}=l5-1)C*%(Po9^FCR>e2p^fojZxmra1a_-WQSua zP|~sPS3Xii9!Zlc$5BiZbQG!z3U`zr)r#2je-}%0HhFqly5g?mgvnes;bDKG)}Fg( z09_s(3dVYUSE!t3P|zQljQ9gMy%Bhj(TDq=-vyWppIEdo=9>!$gdE@om^y&B!-oi&-m)K1<%N*^a02W~)+vw~9Be*jsNzf0{fQY24!&D89bTLw) z`CwLF^XlG2;GUc^)KHiLIM zd=u*Fg86z;&yuCw#=gMw*E++n$@A;(hvW7vQ^^^H2myCbKtGJQjVDgOt9p0QZq9=i z{pM&%PUPC>vbJA7XNcwJ`Herb_@F=^t(w=Fm_r4JMz~M&1VX|V#9`}-B{&Sx&fi}} z#D%~aUli;U69Z(P#hN(56Yb7O5RzQx3=$TE<-TTvN_@)KLMA|J!@Ftbayrl@_=QZk zom_~yk)wk|+YT)h;mlcm@AE9t@}rvvXGZz}2~CNBhd%}{(C7~c|9L`Fx#lUUJPdBT z*pRpD_ZUDbjNXQXyCbBbv`X~T+~`X3Pgk5|x+EL=MvE~txzZ~{ zzi60#$MqA^vsKPpkNmo&<<0fd<hFLgk~V8Rp};)OlSFqrp1ELG_SOmFgiC!j&e$eLRz z%(?W=gdRCsu6rmKdCk*5JHV;wfSuc*9wrp?KF82WZQj!x#|%n@)ur{+m-U^}@gY^g z%i2>&-pGb8K4S+WOhmvaMH3Uto8!-wZVgDkZk#uYtC zuM~g+0Fs#NxtaN=V*_g(AUO$MlJprYu(SGu`kxkHNZRxHx4$H_(#Assb=mL9D^CWZ zyyA$YQ)_{m78iE(<1`+=+w3w*^%Xk<&Rh+P6p%(C!sS6)NuzBrsLG#8=KwyH6MWy< zgJ=*I;E7_z2C3f{?Zba>0l7fRC=+%k)(HqYNNKg*S^ew=eKecg91N3XYfHhu7zqGn zwVuav6DT}$tPL_szp%6>OKBNK=Rz+`Vkw3a-6)qT!k1gpw$_Mq6C|u5@_F4^zNR*b zCBzowKTHd9oG-sp)DzcnW`&pWB~DIjs#)AfFw~#s*O^jp>eZ^;ML_EM>;$%}A1Z}1 zYS#9&+~c|~#PXQ;TxGiTBhjIi8ob>4aQ* z^D$9+O=x5KOd?JW@2x{T>W4ho#uOCy$O{ 
zT#%>Hu<3 zl%8=ib%;Zk616$+BZWDnjR_2NfN{(F`)c+#ge4D2cod}`h?sX{@4ov2>v_{CiiXz^ zDGP^wM*hjqC~u{_=Of%hU8NV%I&r7~7j6_1rT4W8DJ!`n)qa{#p&Y=#m#4wBea2;{ z7Zk<4EDt_zlXfuEph*y@@_kn;$EOOosGphCD<8hPb zNaQOF>$PWSr_g$Qw6IG|^TU`w`cMtR=#=1_g}{0s+N_ZHi#(;@ut-YtTfxx!`e4bq z5UHt@?^wGADIqO}b&y2HN_&U2x+Lq;b+qYaJm*e>!|gkTGX?VtxrG%7X4tMC4E;G0 z;^X>xmt^wD`*1L0?O5A(L()GfLPpO$l|uPjSNUyw zFkl@!e-Z1Q=w>uw)r!TydJx12yLnq{quw8bSuA)KuGenD9qB_Ti=Hcj?;-!&$JT)} zkZa#;6^FMU$;(7#uJ_c0++Efqfr+##hq3fLeQd>0O!u)eQINwb5SyuMI>YTmBQ7x< zxYb@QWIOgx8O8W2PkTdP-%&An3VTUCiJE;7!y&Zs*Qc6#cdu>VknVC6xYf?%?oym+ zU-vzk5mKp?r5-eJhprYa+@)K&n$ zy?zAg?E<44KCTj3oO>R9j6>7$5_kQ|qR4NhxXF^bwW2X4zTP;b;CYI~IxHTc4Y7^3 zepT`^+#b;RJC$u(Q;thtkskH9b31hwv6M)O7X_V-dTL>kYM!90(M$TUV4&+$p=doI zq8e!W&k4NjSsAV=3D2xaxDuqNT8eye^4$IIp~DbcP}@&LEZ()c2?2MXiP<6x4N zXM2?o?oOZHyCuGVWZ?c~`X_8@H*-Ze6NUHgKM{u-9U!)YAH-VD@x2h{T%ep4d_5XY z6+y;^ElvH)o3e*Pg}xg3^%QXDi8vjaG}50=_TN0EPd?S1!IfmUQ9F<@WN6!x$fdXN z9ex28b#qXL+SdS9eqg2c&xXC`IkqSpazF5W$u4iwy%U;-4@xzuztSJGP{-c^`>cj& zGGLNinxfADO??wol%Bi~Omk35^p$WEuP`;S&ibZ6vm2(?2{~|B-RuC?8rEcc)`eKqsbdMe_}GeJ`Qp`E~p@@Pn+dY}#ua zHEw&x&0JzJGEQj$g7j+)aRG8OrK2Sm%j;8rAxxREM}P|(icHI|bL5SmrMbl`XSS~1 z2))ASTsk|}y`P@Y79NEfeQtb$VuVFv8unbVJ9!(TdWoHi%5|?t3ar0LPjS>*4{N7P z3Ll}bnhki$*(AZ2mc{zEBm^XBQ7T%JdoRLuB1%5kP?UCv%<~HHcYLPO=fs|iaUlQ? 
z;5L)iqc3UU|GwH6l(sbK%b71fbJ@CMy)1lU-C2rP;)p)x zhG}zg$klHO`bw+gWlv)I2zr9^&jqbvL%o`ws=O@wFwwdadh)21&LuRs?)OszDS}!A zX||&JJ@x=1oXRlT8%O*Dv}2E}U!`L$WF#cDtdTg!yM}PytLjOFm5=tcM%J+?BDs2O z#ss>)Uxm2z$4FVtY$AYf==z9 zQn{=YtgqiVR0%J7Jnon|o7K%%YB^rfVM!I1J|jgp2~F|W_g}9$M6Tt^J#t=EPU~_f)l3#B+xp6fz#+x6+ z(_NFoK=KZcLi{*^Nd(Q!Y`(Jw73z9rrhiSgv7ewg;)PO9v?Fu?qUi0s_-1~bm>m1s zYWZEUDc?`)h-^j!s`Oxdixa@t6n9O?&r4n)ZtyB-wK2=VCKd`Wu{|U0il($s{*6rG zMJETIxMy}ftTO;gbrn@9EA;FV09;3afP7TqdeT5rKp3@f5TmRgwKe2IFyZ>r59}AT z-1vf(HjN)xkZyJ1_~H^09Y=)gYx%3v=Rx`v$u)nx3ADI+TRh&=onhZmg|A%!Ly2;x z4LN8ZDxYTmy*^|ZPe@1U)zI3UJFEN0^@^RI$ZF`eQV`xK!5PY&yDXd~4>7CkdFQ^= z2RFO^ClE)c!ZVRXrfS%f^rcl0Y3il3mlg`r20LVh@b9P3rcdw3Sq;qL;Yhz{?>G%?%#F*yQbmls{#jz4)u~H>f5U_kJ$DyL>Y=hQ)~Z%{|jd z%FHK0oz>T4r7~XsxtrClG&q$Ld&@z#O%^4^bquMH8Ed~wKch*7@iuvU@7?mqZX97U zwKg1$Txh?uE+=ufNLwU(vF`y5oUs5%PSU73@}+)M5V1Q+1KnGo2^?P>A9b z*xBvtDoy7EvV_KtStjHSKweVlFG0mC@{x-thrfwhJahj*#kTkj zXS0XQj8!yV>F{`uAU4B)vm`%R@^XaAW#(^KN(bRZ! z`sR?WN7xy<8N?UkTAa~^l!%s1Dr!-@gokCOrya31B_q8cth$F`tK7N{z!}vNIM9BB)hOz z{;liz`~E!hIrFLE9Yw8is)UI8=Uc+?jI$`xAX6y0^W391)1@k!bOT(Ug*qKyUmS_A@ z{Mr}ZE-Sy1^bp<^({jFWUgRmM=Tyqa&(g{=qt8Rm6uw*!D|C5z(e=zj9*R#QM7SmA z(g+?wK#JB^GHuXaDi?iR>d)B%@X@z9k(9Zg?Yg;FRUqa_1l2_({3Dgm&x!1+0*>%c zB>QIT)xCu0?VUYDH`qPTfm>Wj5tmWYY${=1_u9VuuB&q?gG)47v+b2wVbCnSifW3Y z!lk&rH&HpW=@5f(<#G1}ebo(K`yTxK6jQP9O+PL9^6V9hnae@b3KDmT>cEhbwJ&vBVJ zsY_zZpF&oVO8cdder+fVrP5U5kz?P4!(T`5`heY+#%kkS ziLiJ_;Dl;cm@7u#kiPQG&$&6QrD+bx`NIk6{A5O>7dJ`RFQKYkv~`RFZpq%6)3^!OC@!^|^zq%x6GOr(1?hSPT#n#H&WC*E$6c+x(6Aza~Q_C|W{F_kA37ln zQ+_ZW3uK&WS3mT}$+Akz3AU{rhl0ePO*zga^PKzXt?Qq7H+eSa%$5qf^*Nu#8dDna zlkCO@FbO#rO{hkF5@_=?En3f;X3|zcSI1QJms&~1ImHb##?R7GMfijnnILn|P!P`9 zu#LB5!Y0x8`9l}zpF2+&o~%76ydG6~SNAs*$=vGlRn4~)Bv}26%<5C+`z#IsMLtGm zR9Vw`7$_9ix6At^BxVD&ABc`i1hLLsJdm)GD`cSceGfEyp}82T+#TI)cQ(RmKD%#q zAB8q6=aEvVk<~jm4dYL)ZCCWl(Deumk5iWgX+GH)aF_U zg9AQlDj3K2#$GnnJJ@GvEtqanw&Dy{(5qLy;G9tIX+x-`lW7ho-aO~xX)ke>(NuT>GNKCV(2}QmWW}*wk(Se?WKcrCXL!>P*z+R# 
zWK!Sd5u5$m&(%#9CmAeZmTMjKOl%c*=lLV{^Pf;MR%Dd1O3cbz;5NL<*)RR@EcjVQ z!1b%GM;yr4MJv_(p@m>5GE&X%{<)XYXUZ5jE5s!|on8D~D<{()>sh%`7vUxpwrddD zoJZZdj8@zYu5Du!akjK^rT6GOk9#@*t-(mmPQAmTQ+?c&M<(bA^OS^X9ljNiGV8F$ zDA3DNF_t!3vNm2)=tx4;dwg13K#cGhlZ%jj#Ih4!=SH=%h>6yj(*we_#9$fDNy5&7 z@-s%HsbngwyHMsbs0Xy zgnI0F3Bt*PfA{ScTQyFc-b?lljVJKe4y>AU7?O|Kp$L#BxhYl7Hz+ZKSU- z<^BAsu1-uF4<5N)5&q%tVLrDFuupFBC88N+2D8*Kmq=#36}}Q-bam<#FD0q$_|o7M zI^`F|x@aU>z!prgir!!Zw=%M_uL7#;^DAE6r#DVP6}FxnC|HX0aL9;(p1Fr zCfhEE9&{qK$uf=gig8+4Gi)A9QwDVmhveW5xTOXi+O|#O?K(q;{^o@Y8J+G(kcTI0 zcU%C|@SbFl)I?0u>zf!5)tFdS@>f!?Ewpq+`HVlZ?nNwxu01!~e z=JKVpP?al z%e{_3{CMs{6__T)QUFe>|4woJ*$uy&sJORQqWZT2SqPE2E!6*MABVpe4kFnAqBuYM7+B=gs*(M@UG|WyR#TAV zdP8K1;Sao(8J2rP7Q=1Ggto+B3$N=c4tllf-+GB(QuS-{zXIogb-AZ<439aEw}k%r zr-p*v`+BU9=;*>xd<;;VDBc|dL#5BIh0g-)K`QzhVtns2#U1cA-C4`4b5PDAFCOimUY0StorJ@aZeF zi4<12#EC?$yZA2_=iHTX1Vvb-L$UAa*e2f7vv;i|SazCqsd^P~@I>Xdg?7g8qH);t znTl?@O!NlUTvlrr)k$%aoQp*=$a46x@DHuM{nff(Z}EO?1MoMD-Aap*zZuH-86h+mE8`bITx>_sm!Pe(jsn0jR9ZP4lYs3Xyz#Zf)jW%1v zY7hH8tL$X!Mx6VtCiIZLa_B|w(!q%K!xK;|gSAn;6f~~eL0}+8%(sLbsJ6v^B*EEE+=~=nP2sA1fam<3=w0EB@|H>_&^pST zyBaz67>$1XZ~?~e++MjZSkE#+?1&}q2MjY;y5XnfQa zDG5cn(p4c>K&HQ2eyAxDf$>4 z@m&ec7nqT4-I#`&%YhGxJl37J8M7oFNha|5G2OeV{YlXEy z+BPb|pVNf~VRcv1<->0yeH4OB#umrHv#77Bs>Q7%=f(rKAf|vyxIT9(_02a*>&H;FbptC%>dFMGqi$8cMl~UH>F@O zG%84^G&6Jwf^?&ZG?D^Rl9B>a0@5KZV7zC1{=fHwUv9l;<~r9o`|Q2;T5Efu5?I=v zRO5ZNC&gvdqb4s3hJ^?C=iQ?UWa-xhYTA89QL5}8>tZjKgzjJbYeL@o90H5gA2K#u zM=83_uJSYg1-;WMH$6@@0B6z$1AvRe=KJWjhpvO&KyjO5yAn;VYV4^|#D7B~q*j_1 zfR8cplKc*WQ)A;8k8aNZ@p(>&42v(S3XG?6aU-=qYJhUWSdDJh}yY*_PfVb^M>Oc@mI) zi>*wMS(&xin?~Mw51R1*U5RQMoOkdFX#zVeA6YOy^j0vXBPD8 zs#A|WF?M){&(!r?D!;B$;j_`cc0(f)c86ffVO)Ib+W>-wUQ2UR-eGF)8mu*uKet>O=!fex=_pCTw@D@v} zo@#*jOXA@{Sx9LXjWFH;q`1}sy-Y~!U`^BWb##I{=6#e}5NuLMAXhO0%h4NQE%><# zAX_Gg)OVRRNn`>Ts1$nn4c(8;HRhn#^>Hl1NBBJVwl5Ul$X&bQ?iNsuceI+gQp7eM z80S_T@e|BW)|f@v+$NMAyg@0uo~1@|qt)5Ja(vb;d?HPY?I*meCVO>a1USCU;8`bl zMgGiv0C5g_{uv>?TYc(x(<8bT=fQuW!8;ykYJzMJDyjqGOHa(ex6^x#j(h(R+#$Uw 
zK-|i4_-_nT)1zLY^Ng-ZQjh%2-%-kc0Dp_`r2c!RYWxWQiEP^AwFzJh$j1lKnGRKn zC*iwmU^07GW?v85jxoL-2|NKfoiJU3gZpUiC3C-mgjkhPBvw6_vW+@LLF1 z(RbU=Tn{+V^O4t6+-@tGPpr-AQA&BT znBeIyIe?+$`TS!AH39phLCv&>XZs*v2p)Oq{=w%+A%;mt5aY1He;lZU=}xpE{kvb{ zdSvSIdbKw_`N^yTzDr4DJwWZ#p{(|}!vXt=hwxRU0f*vC5-p{y4EmRUX1V2uTjKxH zS6KlTWizF6M;5*^;2RJHe5jaq&D!M6rh!ad>`}!R!QOmlvF3T4cjkXQNcOv$^y(6% zO4{zWkQ}`7!H`1gK=4ShK<&Y`$L7(d9-}@PZi$?-`JMmA1qeUWO$%Rd$?G4JK~z#6 zRLj0o3+P=gJ#*iwB9&SzxP%Mz&>|}~R@&bFwz_20^$VCb4Y+wm9Y9{>)qjhV@Te9z zexREl^-2Q~S8@T*n7Jp7<$6p%D!MD99FPyLrv*%h$B%H9J<;z`r3(b8p;mHU=_wHU zX0Y5VCnuB2Nw>`?`ynJDLqID-4mD>?40!As2hwt9U@mI!nRd`hsrXM-;0uSCs@jmq z5EL^!3Ww+R?ar?^Dq62q>VbhXn(+UYw!uf900)9uj&+74xk+u7> zgH@PisUIQdFC{a*gB`XZ?tk&&3kIy9N^vD$Zi8cMgQvahwF8o@%<80cF03`fG5HbW zKc{7L?-M;^ZW}_(-H%KvOL*7Fbo%QI&o&H((qUYYR`<<-R8oS@KI;K*Hj7ufnKs2q zB5yv#I5BuX?B?{DkZ)w3=?$(cc=``P@r$$fUhj9_%P(enT`!mEpRZnb{Awd4^{v{d zep{;yaaG2#?ZFSwI$JQ=$jaew2?{%jYI1TS+7F~`@e#o9Y)CK=qONBG?$sER(v`TN z`wIXDSiqX@c%x=MMpEgCHVZSR25Dx%sjm4lLMi>N4E_o~9PO_vRd8#SI<7us@x5N_ z=V4D5lIa`5UfRFK7cgOz+6~5w)K54j5Iq&z%ET;ga+m(4dP50$$-VF}f2Xe9*kf3J zxHbyrGW#Ok;kRn})aB>PjLI^_Vy|3j%nqj;H=)K!|Lo&kz)8Yg6*StP*>t-89dD20 zp{n%X8)U}P0WY+c0xpjH?~!LU<~tq`fRnz zyG6a$?iPS=1tBLm%tcxRs_DKG$)4LyTS9x3iy8y}WS}cv~i^o+O##UAMrbE+kQJR&s z!Of4aqk}F#1}x1NadLvvgakTKaW}|!3d%H^yYZ3WM_@6Nu3yo$dhmL9?6QdVWovIGhnJ*0wS@2g zHOXbUgh89=34^t-T;Es3mE{ArM1I1%&#qTiuv<{*PYJ{_%&rNsMbjmVA+rEG zFM;@-)QRKv@4Y{{Oxq$rX;$3L)s*!3gyuB=_<4$w({=ZNXqg$m>nZxm;lSTt_r~{J zUOl-PJu;)`H5w|2x~GgKpwPHwpemqvWWqE=e)JDXQT6PT3cShVS1 zFjQh#g3sJ0S0tPuKYJoQ^oDy#Pp)yQVVEK(C-1Y?)<~ajozg z=JpfHmckGZ!d}ZIQ%|c0zz7Z>O%~t@tj%P4-b*vitxO2B`pe%|xzMD_t7`aHh7q($);NZyPRPC>XB0Fuh8Cc$WaS)@Fn z<;kxQcc{77tV2mk*7_3QZsI{mDhS@B`8FaxD@&SBL-BD%LKECFKK(Wt@&4ek!f`oj^_e<=UvHVsqhz3Eh`{1 z)n;U#vXmKe#Z12V^c(LQD|uQV60mOb)z9|Z3mTW@fHdI%JRS-KqBQpR@1UeLI1M+( zJE9*GpRQi*sSi+lfFDJ&RcZg`t!V3$(LcNzzI~3At$+W)S9oKF+H_`6Re6Hc`?>1d z=Is3*@nFRgj@%O#o(0(eK;O4hXK_V)_8}t+mzqG;0kaV5qXP*r@GKvBh7(OHq?5WQQt|3KlTxX-;Z{De$Pn0F4od@17+cpFz;I{_vh 
zHt*Gp+jO}gXL4UhA5xWue~})}e^pv0 zZQ}6SLcm6U9THS7Bj!cuYHXk@DEM|7qNQSMm?u(x1i0DGCox^T9fT-+2^u^c~%ETblgwzugUFlor?U?kqFl z03}+uu5ry;j+g@==8Z=G zk4A85MP6*B$C&}TEg$~>-_jq0b)tTMw9xTOAQ@0ni{BXJRgtsFN?zIAAbXRg-HO-u z7xA}jT;R!UEWU|CjN$*wqcVVBrK%Sh$_szXiZo;Qp%B(^f;?_xykVZ)sH*xGizlne zC~7aj;N^*Ga`sQe^Dk{I2ClR_X!b(S^d!H9(N5!;=Fu!xEHYq6OS2GKR<_)iJiLQz zxx}mwV7~RGZ8{n|^XIREv4j@=&|_OrpFFd$-yn@w_5y*fSlVRt6xf8-H@xdzB>ESq zxgdYvwTcinRNY(rx&2fl->}p;B_$~Z9jZ-1jVMwYiy72p{{F`Qi8Zuq!n8 zqJh)Q)k$DJ;_x=N?azgidaOdu;@0FFW*pB)H89yZ2(CdI3>c!_Fj)g{VcaHiAI$1I z`x=F|mn|JZ>8rQ0zQTH|)dpc11D0@|$-=$1A%af$>EX)ktWf<*wYO}->@<*v>Ou9I zwRYXXRu%W8I1c8Uy}ZC+s2k6=>}T~Q^kgJv`%q@vqyDw|5)r*SQ{L1d1Yj6e{k7^>jrLgqzF$CVmV?JgY5jvdTPL)u4In16;vl+Bu|= zU=+9_tT2?|ae3)kD?s@h$S_52@~x(@pNxbs*->xtBLB1`ZapU{;T3Ae#YVtxj4YVk ze*NDY{u}%BDlgcSM}7e_u=TWu4lLkVN=kH(LCVi>KVXm0*}9rVJxn>2Z@ql?!j&po!MqSglOUu{STR719hRL#+6+6Oy<_9_7}^tf~}GgTC|ScD${u-UIA{LRNsYibCJjz zSw_6RO-FVQD64AsH#C#ExsK{HuZM21qKxYtC!fKLKY<5=L%NlM+L5zTP{bAS;S8}i zk|m#J{LrgzBz3oFse-{9YXW1;EvW2hk;os%MO;_)KLiHQ)ZTm@Vbyn)5XlZTR0@)x z0F`)o-E@BV3vE~!BACypm;txWCTLz=nCOig{bhzY&s3=(ql+Lg@V*cM zlD=0@4p%?n$re?-{=IRm#4rDC(gN7T8`F_IZynz%{Er|ETZBh(y@@^kEakSwfW$Xu zk~8*z7swiZT)4+EY;|-iw!SJ*Liksovf_W&4etGKuQNh7!aP7dZ=ufLA8-G7zRu|j zW+CH?HG1{v>W5ow(FECnsDr}4;6D%l_u5#K;0k^Xgrf*Hk0mJ)P1fUr;EbpQQEY&r z365`*^b6h@7DXj`8*dp^HM*@g6=|hqFzn(R`2BZ}Jo%U3OK$ZY7hv=*u`L4OxA>uu z&~}h5*y|4e`F;6{t}jE(X$~-`5ZHt0KGH|&`9gg&HFkGjkxtlce&zjlI55<~FK(JP zHF<1XYzd?*2qWR#Q29SUt!e5C8l-O=6@DJC@Bl`#-5K0y282|tljD~P%W}8X6`k5- z&gzI$;$hgo$Ij)2!s|I+YRJqEXUTjOdH3vle=va#S{^yn-M@D&FO&-EVHoOq>&w4egmljP7raRnTq~P`WA6D7z%S< zXqhqGL{t{gvAnR!{{fr-Y*P^_^XDnBkYE;HN%gKykHs^0XQ zO_U~)YBow0)8cIS^Ux+#c{k_ZZ_;Oh!hb&^(rdjve;ZsJ8!-I_N}RgU8USbA$msYh zFYj)ygumk_B=l8EPE?U;%bfqC!T%Fx7YZq`e3Y3vqCHF)@k^) zus^_-5}b-(;RJG(cw5bFV&>W=iRZ|&(VxVGh6>075T!f-+Lr&usz9qoi4lwPSGQm`FlXcoj@dtK@TO8VJZz#yf? zrV7r#Gg_dYiv+Lk_%QtWkJ{0^`p4kciFPpkZ>u680D*Y(#-JbqTura!B&L7#hbbl? 
z6w4FqalqZVRy6_JnFH)Ul(G%2dKU6k$!Szlw&Lb_TxS6laj)7^v5+4#aTN`?1 z$Ax#IthCu7o=2~SwuK-V{?0YJ%>y$yhis9SO=0kI!W0c)wU56}froQ@GMcYieCH+& zL`iiCXo;%h$iPy(SH(0unRn!DbDVswlx4Wk8vw>`H-XnV_4Z!lSpHZ1hjhjgF!BTQ z!KfEGgV}Ol^UU-j%WuEL`ZJgaLEJ!pC1|oHhE-+?uiS3StO|4RZ{%k(?t(K&JuCG2 zy5GDn&*!b~y!%ny(s8LQa{qH)=qnMsxGN&A&j-d-mVgtryO`6IX!qam18L2mToY@h z*_sFI`jajgfTJU#oG|Fvqqt*VsPe}#gcf?Cp&^^Z1Re~qcYK^}0`^oLiEQf<$+u${ zP0%YiCWwgbpbM*vr+b!+m&u2pr2>I{YtbtiOg};I<8w+suG4F4f)7(Oxaf}UGk6+j zwgj3GD|b@)(?4`<^y6a?F=2lqw(D$f{%iHiY35x0`(S~}?+IS#xt2IWy47S`1<##2 zDJ_V5cI}37B^9bQ?>C0J_+Z@8p5H(P&tLZha+i=d_dm2To2isOp6ZlVr2b8bP035wk~D5}`5v4>%rS*o-v7PRRC)R}(fIZUuwV=711zDDMzdZkIM@Opzc}(L}Y& z2c>3VrrRlC$4CYyTM!bCwj%tWpqG9ojG3khE`ost{Hr2U$KVS10cVhSl3B!dw!gTD za`?BV6~I*~Qey=ia~+*@cVF{BkV)a75)DM(WlZ^PdM1<5?fedhtpZ|VgI z7>ywMe03As0c(1Cjq?20&ra3(vxh~*crXgq;^lC5= zFiwcS1g*B{g5HCl2P>>xDBCZ(oGz)5LG=g1)vRNP<+$;^RYb zed-TisK~2}qnRb1xPzNdWO7E@V=K(RCnFnN)gH-;4|JMZw=7gyA9{YoY zh9fi%>yJs5o};lbx)17-2LJPCU+0{xY4=X1cJgrqlrkE!{R^N#isFW4csxLOgGk1b zSimIa_`X=@m4%a3`f~*P*Alyt?BZ?_rzw6X8!r5VDZoB=N7dJ)e5rRB?>X82G9q7N zAdEQYed~!`Z+iHVwA$nj)_c}?-x=YN0Cg9t*? 
zc<$8Mp}qtRbc7!EByy-X$p>6OpDQC?c68xr1ezK^yWHGK8g+~hsE6?cD9@rhFRE!T z;#g%eHazwhT8|VeS>hGZ^1VUZ&t_DDqElZ{K5Eud77S?;`gTJUc&=0`6*cDd3tR2m!F*7WUhA!z>&}7#P6C9#^Qxv-vPa-ns$J$F_sFx^txN$(CW3 zGD=;k;>Otzw*B`>s)ITFe4RH1svU>G!Ku1W7G;iK^^j0N++bPiPZijf2jYt*atjWS zpR(7&fXy;bYUd?*h-M&%nVJXSQC`*?Zf@wW5Q0mettHT=mTmAoaXbTLAx2!9+oBZ0 z=fhkPlX?%L{qAtuW3c5|0v_T9qX+F+Y_s%X7?xoC1zK(IxftMe252&vU%#aD{*^DR zP%Jq$yZvHYYXNgGKIPhBZ(qn7VV35wiV*Pgoq3LcCw|F-J3=eKgu(`wZ_3ew<98wi zt+pKT0r4jdA<7DP0J?x;!1JbQ#qm13*bVSxsQC6D-#*S)KKwWboVC`9^>WzGX&3tz z;Slx}m_E16gLVQ5_YHk7kchn3&5~x!OZ!bli13-G$WsqWRS>Zob_cGL^|*=8%4&({ zp9Pz_85E(Z0(Wh*cRG`({BUb&~B6aW>VcY@ktlzP{~p%R)!1u1SE(w?RfJb0gAZU3=q~z+$mZ4 zK@>ZMzf^eM<}_1XbY+JBew(Zx{aAW9zG7uWF9Ev@4?rl1`&#)h6hUc)e~VG^1dj`W zje(mN*!Hi6uPME+8J2$YlZX63Ms-!C<$cC%98BLx#aDMETTVdCZn+D$rkRGn4emqx zUOwdT2a?7{Vlui_uiH&c|6YkI6uzj8bvjt?u5exHssEs8eit8H4`Kc%lcpwA_p2VM zHh65CoPqYOjI@EOWqKPgRCP7^!v}W^4DJn_E$@LFVlDxx!eZcSZ0Ccow)?0c{+egI zU%%k1VL706J!cH7xPb>2`UvndmXmSYdmyEpTFk)a|1a;()uzIg9D6LZ_yFLo!p%P$ zqsqaKdMCsA45sfEy3PU-3jF2$1r+>eVB)OYGfDeSW%fnblCdAS)8|3e<(#AXzx;9o zrky1{>9IRI`FN(f8;k-`*#iIhTxuZf z2&qYIpvj^#Z*#A8X0)mhGAkC_` zy9c6_HcSsJT>CIAmru!*&$koM!Zy{GL9rlEnuG>lp_%J$_7k2pPfdAa@4L zCDUP6Ag}0@Fdx!@{e%YNE9Z?>aH9z@#nW4HLqp;SE^Y#!pin#kAm;r+mNHql{|vDA zT6Zx^4xqCwxJUUo7UajxAboATLc?v=Z2n<-y2^SU@I$P{+Kh^|T|r1c8~7|riA*qs zPP-Lo#A|Rqw!2b}_d@YuHG&J?LS66rZ~Uc51i{vHVe2G77j{9KAD1H8_X|IBugYly z4UXO~dO}CF^ZW&nwAZ}=aW6I(0ReFijicVfr+nZrx~ExsrmOra2SuFED`rFmApCT) zOt^=@-XsQUIn4kxV3F0OozUd&c0lmcpV?a}v-3fx$@Bx2 z-^>8@-*o;D>RPRxG5qntlfvktN8S2W7m$@U_N;R=-I5h>R$B zpB!Le9Y(A2;u&^LcV65`=T_aFt#eaIz}`#rl#~4c2BL1fHhH@R@QoGhpzMcnS12rFIwxwR)e-0Aoo|wXW&lueyA5~Cs_ud! 
zQqCEmhwDHCm6ofcx^fNTqmGY6VjVnPyLebBL_DRkuR4@q*Y7h6fmb;wbN4`{+CSXw zKBbJvol4%R@c-g)9f;kZfCo$EQl#*i-UY^8_0{k3l1#XfO{TxNInUNFgY8s2yr`HP zStyO=x^UmpHm$bz>YwJga{zy^-{O7nXaKFWWD;C8xNsA7nBHwn@KyPs94>g@PJ?sr$Azi6ywev09s`J!pdPaHo}>ySJ-rP2g!D;2&J zsK+m7+D4wG2;7}Qa~ZrFnd(V*GuozL94h|En_j2ITq&C!w9Zv`gbh5HGj^AckIvJw zBPYD0j%`a0j~svfWWI?}ra|{u0g7JrkbniF;4fu;s#VtyQjMHSjs50t;U9okt%mP6 zIFzxnip!IPsAjK0;8?cpd%EKw4Yh1?cLht9sVcuUQATst2`00DU`6kPn(xLl7m$C~ z*j;}-2pZvnPLnul=~JLUXFg{iTW0iFPPi~T(qLG20?pv+#Q$Ib#9(`QyH$9`$wdw& zCwbSESD$A1gY|%96cg!;>8C-i$rsvTA`bgtQeoudXMcaLP{{-|KKsssu%F_Yipsbi zmbL#H6vt-GQf(!F_W%AFseAlYoTKhy!ee}!@mmYNR1#&-mHY-(Z{mkM0b+sIPP4U} zlq+1Zc*{?BfK->?+>(z9pz%&1j1;GES~izH(|_%h`fg?PzuZ8E@Jo<>HXW?=+6@sV zzmwW(8dY2ZGdF9TTL79dcS?kP(qA1Jg!MnIoJ>~sxc&o0>s#y$ny({U! zpdr35(GLD!rcB{o>bE$%dnKh#U2Rm~t;dqUxovD+W2kBXBZ4_udhvM>8z5)PSUz;q zv^$~xrad64A+tNipzxlSPA*ymI zhxZ-Z_iG?8vfcW%G-x;P_QOTsLYc<0___3Ok@p!QKMkGZN(X>6R};!ZU{UglfJNZ@ zSZm~1x>wsmv~{EgHzOrLMn%YNl-XghO7%7K;7S3Mr`y_~E4bt+J3kZ2sUgl41#?Jp zZbDn!9~uYUZFtfucTr$`dGBpd#fmAE-O+pAKr7OJ)RyuQ&wxAx{tfi-7ZRx{kv0O; zzmnyS0d;Wab`bvN0||{;SDJ-K-#09RqyD-|)-6uB9DLSQx$>t%ew8EVH$>uI{G6jQ{f^l5u%hUqo#S)?TT(=)H3Cbg z$*C#aW!`%=PF4t22lq*ij#O(7!Y>m`N#z3&Cm%ST#OHkZ>l4 z`lUK4K5`}JvS?l&9@yV65TM`I6ekL(2UbH*zP$eL<_D^~E780VFb67BO6L>PvbkC= z8EFo`1Plu}o_3a8oG|zayG_EevZ3Tm%HiiI9U}5i#$pu61UR7{u3j~ouHJ!1Sbfzr zl^N>7shp1x1DzX@iGJiXoU@wKMKQ^jssr^nomc+VEm*T%;rjU3G!0oy7O!kqcHl8D z#rRb8`aH1owt+IPb8pLmHkOksDPMtZ&asc-0q&G0tK$j*W3V%|gLZdR6Uq9wec9-A z1%n4Yn#~`9|MO%Y_Y4xmyipHB#u_hvN$$>cY-?J*ZV!=Luz#`zMV_9h0#>25&voqc z6oQCMm=OeCBaWHP#L3YGDSgPf1*F&qNp zLU|KA6R|1`>hgZpZB&>>RgkJRcyBu*6@w@!Mz5nCN>z&H;iI%Z>?)P-Gn4@gLW}EE zIo$Y0UKKi_^b6Cd60{+uY)x!bikz2yg|&Ah|65^Jm5(23x--+gkM7eP>H!tWlT}=; zKTNJ{HsN;P1ZaIeNDPE=Y>pQ?_cD#BjJ-o{rXcH{E-n~OA}6yE9^o4_=KOKp%_JwM zG11yY`S0z8T@+CI7G}?v(JLCZw?4(?@cxI&v>qXL;Ia4 z33dDu@?>g*c&PEBmy{igT$WHMp!5eanh&c(| z9*6i}$&QXJpCi_&P?q1&HTavO1p8gXtosRZ*F|h&RAtR+GN1Y{Y~BGa(sRY2eHxhT zrB!xAism={wIjg+ISA^ovG<-S`4z~--^x!9YlzZI0uxB@I%D`bjV49I+C8D{4hi0d 
zWx&eUh9eU8@YAz+0?Z}2J|xD793u4*tT|F{#fZZ5qjhFJPH7!7#r*LNdUn~~ny6Wu zu}WNfubR2}-TYZ>UAKr~p3n7@K>(Rb2$P(HbIep}>NR|c#7z7*eqZjImODigGJ#_G zg)En}SBooWlkUzvYDqjD5>JiaHe z2bE-|>JaW3O&VV*V zx+dsB`+sIlJR2#UUz3xhGZdPb!~N)OCP{~&Uwxuxr)Yej2IKpNE_A)~!#_?U4*dm} zrFCOPFH9sX{a|I4JxP}{V-crYW8$AvnW{Pz-zPCln}0S@Q1hu63i+s{R2VZD-P!-4 zJ+k(3rUFJHw~nB=@O*{+A%8ie?zR~Pl#0lu1J_;?wBq{6C{Rt4D0M@AdA4xhNLSH# zM1&>0oNLTe2Wg8-|j{G@{EV2rzpHY@O zKZ@$(iGLAC3vop#rbOxpFf)b)l7oZz;+ZK65WYD1Q@vmqh@* zj&z!D@(_8Hx$_H)p%?9w-i|b4um2+RA(U}A!p!=u*>mU)_K)&sMvfbYg$-_P00&x} zrL69-Pz(Ajl_JWVv8J(Rei!r=tc z%qbH~EM1J+=j27EDR$r7Q_hJ1rt!QyR1HB5#fBU#Ss!VI!G!fP3bkQS1R?4L+#98U zUcj;`FFOcukx@cmpLH@NM^oC9#jv!aR#s>y+(xyJigPq=pkssP;%TT7Kk_3wSMx6? z4WaNL1Fp;H%dRT!_w5Da-h|;_rITkairAzRBId0#*B`W^8lsff$7au4LU|Ug?K_w3 zmjW;WK{s`o_XzXd5BN3C3|?<9N3I|^x-=s{UbQ3TB;&csN{ms?m4q#ot9PaQy#Yz9 z+R~?4l-Y}ZFAdjatq@xC?N|A7uhL;^R9mO@`H@4NvcL98XQ{jR4EERo+25MBl21Quko49O`ZHKPDl!R z$!YTSi#n(6u5=}EwTMV=@hh|60`MvN#Y$oOh9tW#bbB&ck({%I!6$&R?r4%IJIrN}%rE*t?| zi7uF|V3T0qzcs}78Q=lo6DyfTSx8GJ`((1bry!n5a+jIYMiKZ8frjA3Ea$ifq)N*| zr+PoE{pd!yT+tFa33zKAW<0UN7?>u(-d8PR1l9cdba=Zd>k9#zdE1L9(L$QGn{cw_^U>eT-y9ZE5W@@g7`$;qS z0}dZ|+`8&!^p;}6v8sEnAiUjt1>r62_1Q70J{*1qYR5VJ5RNv65|TtV@M|`|m3WZ_ z*Zyl`FbiX_C(GZF(fY9|9pfR!Pvb&^)RzE-!zrLB?UtounLFHjOaP?Cy#LJFrr2Vo z_42iH)S33#6)gj$P5o0QMX39azN1;FtIwpJM^?1Wb2LbSUZz32(=v$5|~L zn8-dP(-nZE&$0#ZaH!C+fr{^AO=^Z_5Q2S|!a&wAcOzK4D@EEj9Z-6L0TT4}H#!Rg z0GIM27KrCW`x~xDO&eRk!Cmf`mYOYDfHw;FCs+D12!~8;n3U>wfO>0cC{s#A#ct9e zNfked*B!m-BWC}(y^Y4@BI#hP!cyjIy_xWn1r`GXEhZ2OnDcO@pr zH-BPLKS0M>3MJz{*BAC1;2lqfGQ=FN1mL?Aw5jXES=$*BPqT3ki`*$M_{U#sT2S+K zm~3=BZ9Peq%fa@IwQB!;~R^00kdIUL38Hv_u z?IPhrQRsVb@hku-PJNJO^#kp|U0FOXh@Z+UT@rQd=US_@!K0gLznUQGcWeaT44+7T zMwPdI6n)sp?*;qpLvX0;gV4Q=y#V~bN9LYvKHw~3_DBkEerF{_oVN%DldwaVIfBft zC}TjaQQ^~z?;&^r2$)P5SxEyy*8rOaHVNw<@~{5jhzVpjWfK<+@^sp5cObAXsT;Fs^{tx> zTASSiWOa@yNv@Y#+%Y49PCtNXaL+|L%)qt2+@kIVP1?b{R3F0@z~LrsR9MD^_N<4y zee4S~F;=N;5Kv9dWcyN?7moY{2Cmi)UlT5_-86CLIgvD&F6k4FCb-a)_48T#e2&%5 
z1+DeTu{GrWomV6L3raGtu>PM-v{zy|A*fg0d#u~k`CVhd}%UWSP< z4Y#(7a|BWqHt)VSHv^Lm@f7~c(Qe16⁣TqGelA&6VNsPB(U}KwS5R9q499vs&tX z&seCk8Aug#)t}h@i0V55m`~#^%cl2$)Z!cIS%^;O!{xOEPdz*rz0E@gp>FUwvgKGz z2`aMoj|cu@pDEa6r~CUcf6zhubcXw`I|r!NHc+-zShf0kjwo-<C`}Y>VGWG`tGbTTlO^U>=EB_~R+3N`s`d$r9 zTmRz?-ELXb$UPs0BUQaz(0$nhD*dXj(;#14VZ>71(9l>TyT(DY`?~SXB7OWW7+i5@-+(p4EJpuE-(HRa%GIjjK zTOoM;H6X};;o3P38Bf-}nyEYC2S^z~>q+WcjXdlp=+#ZdcBUhL_M0J>42Js%zraJ5 zq9l_@+lK2{s7;L^@^sg z8(sjwCvg{N@)U+82=_;1*l&Oh;m8-;>UUPJlLBsSMQu$tyPAQu$KN``Q#HRao-7tZ z7lANRt$S&na)2lk54i@)1;Gfz4+|0}axibm;m`kLt&IFAYC&1u^bUX-X z+JWz8znt%JrKoMsE5|HJXo9F^zHh+gsaR+K`Alt6dXRNeU~hsG?6Tav#yO+#c-iGa zs8*I-;=K_U&jjD7f>0qO0kJ%>(WF%Nie$Dk6w8^#(h@@qnwMS%ziW}_ne>ngz+rgh z&G|BqKsSXcbVC$S5BgqF&&{-`1R~`#2SiY>@MIp9f}r)LFOF0;X8>bkeo}Svsci7W zQm&cPFzI<*K&mXjRn-<6&%B5A{i12scWOrJ>v#?FyC_SRvmJ!d3lRu;`W$-wXZFP=2adx~Vi z8fF_oJl&yFLwwl z$iA(~mNPzAPq>k-#6FP1XI&^V811gXN{*7J>!F@izFD^s+VC{$9#-YDyNhmg|P zryl^r9;alKlXQAN(wa5y62VJ9=miInAC&rYeS2 zpF3iYER4j?~he<#ex2T_0?;lT0<;*;k4| z8*TNpw4D2V5P6ziBB|gYF?hrl$)d|CZ|%h9HQm-al}<2)-QIk)ArQkXF^t_PH7MX$Wlg%;u`Ic#q`_H;o3%x0 z6xkK#v+xlG`%jy{2b-xe~NoRQ?{}X*JpwAM$y~-sakoo>+rqT*N^1W_og{!jKC6l zl_xA`aZ^W!j$nkFd@P12q>kwB6k&dd$W@QWsJgi~m;|M@+lKS$^d=LnEHWl*ln6{q zIHS2^OyUS^IY*Mu>{Yg$->jE)mb3@Ig|-RF$^(kV23P2}Fajb}zO3JW)u}r?O&crN zzM8#-=;tdzhkbGipYo9?%YjOuUSy2lG�?2?8pN{92oLwcn&e2{R-ABxq?(Kui1RRrj@z}EB z&I|91JVvJbhY4ONP3Nui5FUyb9<)AGL&E!_hPHgHEs(E*hH(wna6QiKf=sW2J)bWDzz&XmR*yK%i(XJ_$itE45wYNAX@Q3jVI zt{B=v>AxY?Aqg~GcE8Yn!T1o;n_q(m3-0LJhT2JD8HmCdg+I1pt*<5xFKYCz@5j7y zHMp+F2j$H0BYqa|%3@B2p?9@3e3NYOcD)U1ot+%cxIH5FDTUoS%<*tcQ?A#%!gFKTPSQNui?yro{UY4%2rIC@+NgLT1&!Gd zF|b3Wp)+wN%GHhPGjNrD7i#4{>_@m5cgKZ~N3gNswX{X#5_=IN2vGo1m9VIP-epk=qktID3L5a(X8@bx4+)G3>>Gk}UE$`Zw+m^+`8- zG1?D#^OO92|kSnP0S8i{^q-T($;`(w{$c3uRZjt>Hzg$D;24 zG=X)=0k!la56l()_^|URde#>!E19G=A|2xNP_3T0i!~A+7J1S+6Cx5eMgS8pLP?^d zgnvLw%&NMlS2Q=*{3v>1aYWhg;5XdKZ}(_3LWggliv5d!{!(ITeD~?FeP$?tdq4n! 
znQ)2s3u7G{9=MdC_;u$Cf*nYljj}d9@t4Q-W{)O)dUaur?Skl z2HKhTByqe>9eKS2mstm0wv38P=L+fYK5lUGX3(bVbP#!!pb4e?W9KK>i6i1QzK1k8 zEzaT9noX#qdz)l0vKJ|ri0 z$Qn<%6uCp2D7t6Nzu>`ck2XH{bI#z=g~I5>x+MwUOCbB_n&J1whq0d!S@{(VJOm$V z%5*RZ4w+_yu^P9(#CkkRa2#0={(uPQX41GqlcJ!kVu3YgJX8oQuof>U{I}Ez9t^d9tRl zzi>djng>*>C<5juST1I?qx?A}Y`TVz`-aMDSPEKiULyZ?k=SD_F#`u$!x+mXKPHWH zp$T^yPxxIK_#Y+d?v^I=DEhp)irUj4NNO$)k8H zO5(}fdm6s@NV1dN3CZLTGAW+^;q@3%e^i$hG;4!VSKDv{XKy#o{%T^6IzV^In`GrS zUn$A`=?fR#Y{7D>#8u3Cj`O)NE1f>ml((;bWvdoiEu}CB@rW z#GVH}N(k6XUS^6T(D0Vs4aE#I?=LJj!y~B+E8k0UxdpH$2SC|3s=DMC_Sp>1G<^9V zuKzWTc=@|-?An+L04?Nx9X~BuyoIz$R()#O^rJN5wrDcsX<^(aPqiQm!*^>` zhr_mMI#SG5vS*TNaPyE2Y|Az!H6&d%sPx9$3+zO)q1Hr=4N4MWEf<3Ssg;xz!S}=76bfApmStCL;tNYLwm_Yt zaoB$S=Mj>$1~z?sH`+f<1+P71V*J3#S4phu>*5d3I-GEzl3XI-*qv}xo}1*pwK9-P z^H076q&qe&{vQkixdD9vXv7FX0?S^W)WZw)4TmaGFcw=SWf+VpBlqE+EG!ep%5&)wy^3>u>Or+fSKU@eNE`Aa{sD*@ z%!FHcqmH>}JI)tAaVRDG4|>A6H- z-*lxw%_3m{bPS;d#GcYgZ( zsQg^(p`1nH$&YTy9Jko>S|RW8T=C<~uO56UY+rJGpTfIW+AV{0faQZfqmC?i z6(70+;8Hx`^m8?9Ni8tcAtSrU252e(C%u>=tU^Hcpeu0L2VC-b{yP_NcPz3V7$*pn z5m+~rtibB38sH+q`R_$9d<8FFVdQ&MBb@00C=*v;Y7A literal 0 HcmV?d00001 From 36710a9ecb39de06d86610c15d50af1e8d492fa0 Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Thu, 31 Aug 2023 13:13:59 -0400 Subject: [PATCH 2/8] Update introduction Signed-off-by: Felipe R. Monteiro --- ...-validate-security-boundaries-in-aws-firecracker.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index 8b0e65e..651c9fd 100644 --- a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -3,11 +3,11 @@ layout: post title: Using Kani to Validate Security Boundaries in AWS Firecracker --- -AWS is committed to achieving the highest levels of security in the cloud. To work towards this goal, we have applied the Kani model checker to verify safety-critical properties in core components of the Firecracker Virtual Machine Monitor using mathematical logic. +Security assurance is paramount for any system running in the cloud. To take a step foward the highest levels of security, we have applied the [Kani model checker](https://github.com/model-checking/kani) to verify safety-critical properties in core components of the [Firecracker Virtual Machine Monitor](https://firecracker-microvm.github.io/) using mathematical logic. Firecracker is an open source project written in Rust which uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design which allows fast (~150ms) microVM start-up time, secure multi-tenancy of microVMs on the same host and memory/CPU over-subscription. Firecracker is currently used in production by AWS Lambda, AWS Fargate and parts of AWS Analytics to build their service platforms. -For the past 7 months, Felipe Monteiro, an Applied Scientist on the [Kani](https://github.com/model-checking/kani/) team and Patrick Roy, a Software Development Engineer from the [AWS Firecracker](https://github.com/firecracker-microvm/firecracker) team, collaborated to develop Kani harnesses for Firecracker. As a result of this collaboration, the Firecracker team is now running 27 Kani harnesses across 3 verification suites in their continuous integration pipelines (taking approximately 15 minutes to complete), ensuring that all checked properties of critical systems are upheld on every code change. 
+For the past 7 months, [Felipe Monteiro](https://feliperodri.github.io/), an Applied Scientist on the Kani team and [Patrick Roy](https://uk.linkedin.com/in/patrick-roy-31929323a), a Software Development Engineer from the AWS Firecracker team, collaborated to develop Kani harnesses for Firecracker. As a result of this collaboration, the Firecracker team is now running 27 Kani harnesses across 3 verification suites in their continuous integration pipelines (taking approximately 15 minutes to complete), ensuring that all checked properties of critical systems are upheld on every code change. In this blog post, we show how Kani helped Firecracker harden two core components, namely our I/O rate limiter and I/O transport layer (VirtIO), presenting the issues we were able to identify and fix. Particularly, the second part of this post picks up from a [previous Kani/Firecracker blogpost](https://model-checking.github.io/kani-verifier-blog/2022/07/13/using-the-kani-rust-verifier-on-a-firecracker-example.html) and shows how improvements to Kani over the last year made verifying conformance with a section of the VirtIO specification feasible. 
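Review bot: The new opening paragraph contains a typo and a broken idiom in "To take a step foward the highest levels of security"; "foward" should be "toward", or the clause can be rephrased as "As a step toward the highest levels of security". In the same hunk the rewritten third paragraph drops the link to the Firecracker GitHub repository, and the first paragraph now links only the project site (firecracker-microvm.github.io); if readers are expected to find the harnesses in the source tree, keep a repository link somewhere in the introduction.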
@@ -285,8 +285,4 @@ Thanks to Kani, the Firecracker team was able to verify critical areas of code t We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a malicious guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. -All in all, Kani proof harnesses has proven a valuable defense-in-depth measure for Firecracker, nicely complementing our existing testing infrastructure. We plan to continue our investment in these harnesses as we develop new Firecracker features, to ensure consistently high security standards. - -## Author Bio - -Patrick Roy is a Software Development Engineer at AWS, working on proactive security for Firecracker. He joined AWS in October 2022, after finishing his Masters in Mathematics and Foundations of Computer Science at the University of Oxford. +All in all, Kani proof harnesses has proven a valuable defense-in-depth measure for Firecracker, nicely complementing our existing testing infrastructure. We plan to continue our investment in these harnesses as we develop new Firecracker features, to ensure consistently high security standards. To learn more about Kani, check out the [Kani tutorial](https://model-checking.github.io/kani/kani-tutorial.html) and our [previous blog posts](https://model-checking.github.io/kani-verifier-blog/). From 72f816ba67ab18d6ec6006a210dfde5106a90686 Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Thu, 31 Aug 2023 13:25:30 -0400 Subject: [PATCH 3/8] Implement minor comments 
Signed-off-by: Felipe R. Monteiro --- ...ate-security-boundaries-in-aws-firecracker.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index 651c9fd..db377c9 100644 --- a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -53,7 +53,7 @@ It offers an `auto_replenish` function which computes how many tokens the leaky A `TokenBucket` is inherently tied to time-related APIs such as `std::time::Instant`, for which Kani does not have built-in support. This means it is not able to reason about `TokenBucket`s. To solve this problem, we use Kani’s [stubbing](https://model-checking.github.io/kani-verifier-blog/2023/02/28/kani-internship-projects-2022-stubbing.html) to provide a model for the `Instant::now` function. Since Firecracker uses a monotonic clock for its rate-limiting, this stub needs to return non-deterministic monotonically non-decreasing instants. -However, when trying to stub `now`, one will quickly notice that `Instant` does not offer any constructors for creating an instance from, say, a Unix timestamp. In fact, it is impossible to construct an `Instant` outside of the standard library as its fields are private. When in such a situation, the solution is often to go down the call stack of the function that you want to stub, to see if any of the functions further down can be stubbed out instead to achieve the desired effect. In our case, `now` calls functions in (private) OS specific time modules, until it bottoms out at [`libc::clock_gettime`](https://www.gnu.org/software/libc/manual/html_node/Getting-the-Time.html#index-clock_005fgettime). +However, when trying to stub `now`, one will quickly notice that `Instant` does not offer any constructors for creating an instance from, say, a Unix timestamp. In fact, it is impossible to construct an `Instant` outside of the standard library as its fields are private. When in such a situation, the solution is often to go down the call stack of the function that you want to stub, to see if any of the functions further down can be stubbed out instead to achieve the desired effect. 
In our case, `now` calls functions in (private) OS-specific time modules, until it bottoms out at [`libc::clock_gettime`](https://www.gnu.org/software/libc/manual/html_node/Getting-the-Time.html#index-clock_005fgettime). The `clock_gettime` function is passed a pointer to a `libc::timespec` structure, and the `tv_sec` and `tv_nsec` members of this structure are later used to construct the `Instant` returned by `Instant::now`. Therefore, we can use the following stub to achieve our goal of getting non-deterministic, monotonically non-decreasing `Instant`s: @@ -88,7 +88,7 @@ mod stubs { } ``` -Note how the first invocation of this stub will always set `tv_sec = tv_nsec = 0`, as this is what the statics are initialized to. This is an optimization we do because the rate-limiter only cares about the delta between two instants, which will be non-deterministic as long as one of the two instants is non-deterministic. **In order to keep Kani performant, it is important to minimize the number of non-deterministic values, especially if multiplication and division is involved**. +Note how the first invocation of this stub will always set `tv_sec = tv_nsec = 0`, as this is what the statics are initialized to. This is an optimization we do because the rate-limiter only cares about the delta between two instants, which will be non-deterministic as long as one of the two instants is non-deterministic. **In order to keep Kani performant, it is important to minimize the number of non-deterministic values, especially if multiplication and division are involved**. Using this stub, we can start writing a harness for `auto_replenish` such as 
@@ -114,11 +114,11 @@ Let us now see how we can extend this harness to allow us to verify that our rat Our noisy neighbor mitigation is correct if we always generate the “correct” number of tokens with each call to `auto_replenish`, meaning it is impossible for a guest to do more I/O than configured. Formally, this means -`0 ≤ (now - last_update) - new_tokens ⋅ (refill_time/size) < refill_time/size` +`0 ≤ (now - last_update) - new_tokens * (refill_time/size) < refill_time/size` Here, *new_tokens* is the number of tokens that `auto_replenish` generated. The fraction `refill_time/size` is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate *new_tokens* and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. -The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing `last_update` by `new_tokens ⋅ (refill_time/size)` instead of setting it to *now*. 
This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that `last_update` and the actual system time will not diverge, boldly concluding +The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing `last_update` by `new_tokens * (refill_time/size)` instead of setting it to *now*. This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that `last_update` and the actual system time will not diverge, boldly concluding >This means that `last_updated` indeed does not fall behind more than the execution time of `auto_replenish` plus a constant dependent on the bucket configuration. 
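Review bot: The trailing context of this hunk still reads "This is indeed implies our above specified property" and refers to "`debug_asserts!`". Since this commit is already collecting wording fixes in the same paragraph, fix both here: "This indeed implies", and the macro name is `debug_assert!`, as in the listing that follows. The sentence also stops before the code block ("so when we revisited ... to add the following two ...") and only resumes after it with "we expected the verification to succeed"; a restructure so that the sentence completes before the listing would read more clearly.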
@@ -133,7 +133,7 @@ debug_assert!((now - last_update) >= time_adjustment); debug_assert!((now - last_update - time_adjustment) * size < refill_time); ``` -we expected the verification to succeed. However, Kani presented us with The “VERIFICATION FAILED”, which was unexpected to say the least. +we expected the verification to succeed. However, Kani presented us with The “VERIFICATION FAILED” message, which was unexpected to say the least. So what went wrong? In the hand-written proof, the error was assuming that `-⌊-x⌋ = ⌊x⌋` (had this step been gotten correctly, the bound would have been `refill_time/size` rounded *up*, which obviously allows for violations). To see how our code actually violates the property, we need to have a look at how the relevant part of `auto_replenish` was actually implemented: 
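Review bot: The replacement line keeps the stray capital in "Kani presented us with The “VERIFICATION FAILED” message"; lowercase it to "the". While touching this paragraph, "had this step been gotten correctly" in the trailing context could also be tightened to "had this step been done correctly".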
@@ -148,7 +148,7 @@ let time_adjustment = (tokens * self.refill_time) / self.size self.last_update += Duration::from_nanos(time_adjustment); ``` -The issue lies in the way we compute `time_adjustment`: Consider a bucket of size 2 with refill time 3ns and assume a time delta of 11ns. We compute `11⋅2/3 ≈ 7` tokens, and then a time adjustment of `7⋅3/2 ≈ 10ns`. However, 10ns is only enough to replenish `10⋅2/3 ≈ 6` tokens! The problem here is that 7 tokens do not take an integer number of nanoseconds to replenish. They take 10.5ns. However the integer division rounds this down, and thus the guest essentially gets to use those 0.5ns twice. Assuming the guest can time when it triggers down to nanosecond precision, and the rate limiter is configured such that `refill_time/size` is not an integer, the guest could theoretically cause these fractional nanosecond to accumulate to get an extra token every `10⁶ ⋅ refill_time/size ⋅ max(1, refill_time/size)` nanoseconds. **For a rate limiter configured at 1GB/s, this would be an excess of 1KB/s**. +The issue lies in the way we compute `time_adjustment`: Consider a bucket of size 2 with refill time 3ns and assume a time delta of 11ns. We compute `11*2/3 ≈ 7` tokens, and then a time adjustment of `7*3/2 ≈ 10ns`. However, 10ns is only enough to replenish `10*2/3 ≈ 6` tokens! The problem here is that 7 tokens do not take an integer number of nanoseconds to replenish. They take 10.5ns. However the integer division rounds this down, and thus the guest essentially gets to use those 0.5ns twice. Assuming the guest can time when it triggers down to nanosecond precision, and the rate limiter is configured such that `refill_time/size` is not an integer, the guest could theoretically cause these fractional nanoseconds to accumulate to get an extra token every `10⁶ * refill_time/size * max(1, refill_time/size)` nanoseconds. **For a rate limiter configured at 1GB/s, this would be an excess of 1KB/s**. 
The fix for this was to round up instead of down in our computation of `time_adjustment`. For the complete code listing of the rate limiter harnesses, see [here](https://github.com/firecracker-microvm/firecracker/blob/1a2c6ada116b52df891857d3e82503ad1ef845e5/src/vmm/src/rate_limiter/mod.rs#L525). @@ -162,7 +162,7 @@ The Firecracker side of this queue implementation sits right at the intersection >From a security perspective, all vCPU threads are considered to be running malicious code as soon as they have been started; these malicious threads need to be contained. -The entirety of the VirtIO queue lives in shared memory and can thus be written to by the vCPU threads. Therefore, Firecracker cannot make any assumptions about its contents. In particular, it needs to operate securely no matter the memory content. For anyone who has worked with Kani before, this yearns for a generous application of `kani::any()`. We can set up an area of non-deterministic guest memory as follows: +The entirety of the VirtIO queue lives in shared memory and can thus be written to by the vCPU threads. Therefore, Firecracker cannot make any assumptions about its contents. In particular, it needs to operate securely no matter the memory content. For anyone who has worked with Kani before, this yearns for a generous application of `kani::vec::exact_vec`, which generates a fixed size vector filled with arbitrary values. We can set up an area of non-deterministic guest memory as follows: ```rs fn arbitrary_guest_memory() -> GuestMemoryMmap { 
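Review bot: In the added sentence, "fixed size vector" should be hyphenated as "fixed-size vector", and "this yearns for" is not idiomatic ("this calls for" reads better). Because the prose now names `kani::vec::exact_vec` instead of `kani::any()`, check that the `arbitrary_guest_memory` listing that begins in the trailing context uses that same call; only its signature is visible in this hunk, so the text and the listing can drift apart unnoticed.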
@@ -277,7 +277,7 @@ fn verify_spec_2_6_7_2() { } ``` -Beyond these specification conformance harnesses, we also have standard “absence of panics” harnesses, which lead us to discover an issue in our code which validates the in-memory layout of VirtIO queues. A guest could [trigger a panic in Firecracker](https://github.com/firecracker-microvm/firecracker/commit/7909c5e6d023cbac98a5b16430d53d13370cf8be) by placing the starting address for a VirtIO queue component into the MMIO gap. +Beyond these specification conformance harnesses, we also have standard “absence of panics” harnesses, which led us to discover an issue in our code which validates the in-memory layout of VirtIO queues. A guest could [trigger a panic in Firecracker](https://github.com/firecracker-microvm/firecracker/commit/7909c5e6d023cbac98a5b16430d53d13370cf8be) by placing the starting address for a VirtIO queue component into the MMIO gap. ## Conclusion From 48d11912e13c375fcd8b0354ac51e11181441245 Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Thu, 31 Aug 2023 13:52:23 -0400 Subject: [PATCH 4/8] Use math for any equation Signed-off-by: Felipe R. Monteiro --- ...ate-security-boundaries-in-aws-firecracker.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index db377c9..6afc18f 100644 --- a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -114,17 +114,17 @@ Let us now see how we can extend this harness to allow us to verify that our rat Our noisy neighbor mitigation is correct if we always generate the “correct” number of tokens with each call to `auto_replenish`, meaning it is impossible for a guest to do more I/O than configured. Formally, this means -`0 ≤ (now - last_update) - new_tokens * (refill_time/size) < refill_time/size` +$$0 \leq \left(now - last\\_update\right) - \left( new\\_tokens \times \left(\frac{refill\\_time}{size}\right) \right) < \left(\frac{refill\\_time}{size}\right)$$ -Here, *new_tokens* is the number of tokens that `auto_replenish` generated. The fraction `refill_time/size` is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate *new_tokens* and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. +Here, $new\\_tokens$ is the number of tokens that `auto_replenish` generated. The fraction $\left(\frac{refill\\_time}{size}\right)$ is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate $new\\_tokens$ and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. -The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? 
Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing `last_update` by `new_tokens * (refill_time/size)` instead of setting it to *now*. This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that `last_update` and the actual system time will not diverge, boldly concluding +The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing $last\\_update$ by $new\\_tokens \times \left(\frac{refill\\_time}{size}\right)$ instead of setting it to `now`. This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that $last\\_update$ and the actual system time will not diverge, boldly concluding ->This means that `last_updated` indeed does not fall behind more than the execution time of `auto_replenish` plus a constant dependent on the bucket configuration. 
+>This means that $last\\_updated$ indeed does not fall behind more than the execution time of `auto_replenish` plus a constant dependent on the bucket configuration. -Here, the “constant dependent on the bucket configuration” was `refill_time/size`, rounded down. This is indeed implies our above specified property, so when we revisited `auto_replenish` a few months later to add the following two `debug_asserts!` derived from our formal property. +Here, the “constant dependent on the bucket configuration” was $\left(\frac{refill\\_time}{size}\right)$, rounded down. This is indeed implies our above specified property, so when we revisited `auto_replenish` a few months later to add the following two `debug_asserts!` derived from our formal property. ```rs // time_adjustment = tokens * (refill_time / size) 
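Review bot: The quoted sentence now typesets the identifier as $last\\_updated$ while every other occurrence in this hunk is $last\\_update$; the mismatch was already in the old line, but converting it to math makes it look like a distinct symbol. Since that line is a quotation from the pull-request review, consider leaving it in its original code formatting rather than restyling quoted text. The hunk is also inconsistent about `now`: it is typeset as math in the display equation and as code in "instead of setting it to `now`"; pick one form for variables that appear in the formula.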
@@ -133,9 +133,9 @@ debug_assert!((now - last_update) >= time_adjustment); debug_assert!((now - last_update - time_adjustment) * size < refill_time); ``` -we expected the verification to succeed. However, Kani presented us with The “VERIFICATION FAILED” message, which was unexpected to say the least. +we expected the verification to succeed. However, Kani presented us with The "**VERIFICATION FAILED**" message, which was unexpected to say the least. -So what went wrong? In the hand-written proof, the error was assuming that `-⌊-x⌋ = ⌊x⌋` (had this step been gotten correctly, the bound would have been `refill_time/size` rounded *up*, which obviously allows for violations). To see how our code actually violates the property, we need to have a look at how the relevant part of `auto_replenish` was actually implemented: +So what went wrong? In the hand-written proof, the error was assuming that $-\lfloor -x \rfloor = \lfloor x \rfloor$ (had this step been gotten correctly, the bound would have been $\left(\frac{refill\\_time}{size}\right)$ rounded *up*, which obviously allows for violations). To see how our code actually violates the property, we need to have a look at how the relevant part of `auto_replenish` was actually implemented: ```rs let time_delta = self.last_update.elapsed().as_nanos() as u64; 
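Review bot: The added line switches to straight quotes with bold inside them ("**VERIFICATION FAILED**") while the rest of the post, including lines this commit rewrites elsewhere, uses curly quotes (“leftover”, “1.8 tokens”); pick one quoting style, and bold alone would be enough to set off tool output. The capital in "with The" is still present in the new line and should be lowercased.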
@@ -148,7 +148,7 @@ let time_adjustment = (tokens * self.refill_time) / self.size self.last_update += Duration::from_nanos(time_adjustment); ``` -The issue lies in the way we compute `time_adjustment`: Consider a bucket of size 2 with refill time 3ns and assume a time delta of 11ns. We compute `11*2/3 ≈ 7` tokens, and then a time adjustment of `7*3/2 ≈ 10ns`. However, 10ns is only enough to replenish `10*2/3 ≈ 6` tokens! The problem here is that 7 tokens do not take an integer number of nanoseconds to replenish. They take 10.5ns. However the integer division rounds this down, and thus the guest essentially gets to use those 0.5ns twice. Assuming the guest can time when it triggers down to nanosecond precision, and the rate limiter is configured such that `refill_time/size` is not an integer, the guest could theoretically cause these fractional nanoseconds to accumulate to get an extra token every `10⁶ * refill_time/size * max(1, refill_time/size)` nanoseconds. **For a rate limiter configured at 1GB/s, this would be an excess of 1KB/s**. +The issue lies in the way we compute `time_adjustment`: Consider a bucket of size 2 with refill time 3ns and assume a time delta of 11ns. We compute $11 \times 2/3 \approx 7$ tokens, and then a time adjustment of $7 \times 3/2 \approx 10ns$. However, 10ns is only enough to replenish $10 \times 2/3 \approx 6$ tokens! The problem here is that 7 tokens do not take an integer number of nanoseconds to replenish. They take 10.5ns. However the integer division rounds this down, and thus the guest essentially gets to use those 0.5ns twice. 
Assuming the guest can time when it triggers down to nanosecond precision, and the rate limiter is configured such that $\left(\frac{refill\\_time}{size}\right)$ is not an integer, the guest could theoretically cause these fractional nanoseconds to accumulate to get an extra token every $10^{6} \times \left(\frac{refill\\_time}{size}\right) \times max\left(1, \left(\frac{refill\\_time}{size}\right)\right)$ nanoseconds. **For a rate limiter configured at 1GB/s, this would be an excess of 1KB/s**. The fix for this was to round up instead of down in our computation of `time_adjustment`. For the complete code listing of the rate limiter harnesses, see [here](https://github.com/firecracker-microvm/firecracker/blob/1a2c6ada116b52df891857d3e82503ad1ef845e5/src/vmm/src/rate_limiter/mod.rs#L525). From efa484520f7a0e2fca9bded8fffa2bad052a159c Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Thu, 31 Aug 2023 14:40:41 -0400 Subject: [PATCH 5/8] Wording in intro Signed-off-by: Felipe R. Monteiro --- ...g-kani-to-validate-security-boundaries-in-aws-firecracker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index 6afc18f..6552538 100644 --- a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -3,7 +3,7 @@ layout: post title: Using Kani to Validate Security Boundaries in AWS Firecracker --- -Security assurance is paramount for any system running in the cloud. To take a step foward the highest levels of security, we have applied the [Kani model checker](https://github.com/model-checking/kani) to verify safety-critical properties in core components of the [Firecracker Virtual Machine Monitor](https://firecracker-microvm.github.io/) using mathematical logic. +Security assurance is paramount for any system running in the cloud. In order to achieve the highest levels of security, we have applied the [Kani model checker](https://github.com/model-checking/kani) to verify safety-critical properties in core components of the [Firecracker Virtual Machine Monitor](https://firecracker-microvm.github.io/) using mathematical logic. Firecracker is an open source project written in Rust which uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design which allows fast (~150ms) microVM start-up time, secure multi-tenancy of microVMs on the same host and memory/CPU over-subscription. Firecracker is currently used in production by AWS Lambda, AWS Fargate and parts of AWS Analytics to build their service platforms. From 63703714482d8fb11326936821990a847a8e2c87 Mon Sep 17 00:00:00 2001 From: jaisnan Date: Thu, 31 Aug 2023 18:07:07 -0400 Subject: [PATCH 6/8] Add mathjax rendering to blog post --- Gemfile.lock | 1 + _config.yml | 4 +- _includes/head.html | 15 +++++++ _includes/mathjax.html | 8 ++++ ...-security-boundaries-in-aws-firecracker.md | 44 +++++++++---------- 5 files changed, 49 insertions(+), 23 deletions(-) create mode 100644 _includes/head.html create mode 100644 _includes/mathjax.html diff --git a/Gemfile.lock b/Gemfile.lock index 5e4dac5..fd137bb 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -67,6 +67,7 @@ GEM webrick (1.7.0) PLATFORMS + arm64-darwin-22 x86_64-darwin-19 x86_64-darwin-21 
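Review bot: The added `arm64-darwin-22` entry under PLATFORMS in Gemfile.lock is unrelated to MathJax rendering and looks like a side effect of running Bundler on a local machine. Either drop it from this commit or mention it in the commit message so that the lockfile change is clearly intentional.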
diff --git a/_config.yml b/_config.yml index fc253ab..4f0402d 100644 --- a/_config.yml +++ b/_config.yml @@ -8,7 +8,7 @@ # For technical reasons, this file is *NOT* reloaded automatically when you use # 'bundle exec jekyll serve'. If you change this file, please restart the server process. # -# If you need help with YAML syntax, here are some quick references for you: +# If you need help with YAML syntax, here are some quick references for you: # https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml # https://learnxinyminutes.com/docs/yaml/ # @@ -37,6 +37,8 @@ plugins: # Hide future dated posts from live blog future: false +markdown: kramdown + # Exclude from processing. # The following items will not be processed, by default. # Any item listed under the `exclude:` key here will be automatically added to diff --git a/_includes/head.html b/_includes/head.html new file mode 100644 index 0000000..680c806 --- /dev/null +++ b/_includes/head.html @@ -0,0 +1,15 @@ + + + + + {%- seo -%} + + {%- feed_meta -%} + {%- if jekyll.environment == 'production' and site.google_analytics -%} + {%- include google-analytics.html -%} + {%- endif -%} + + {% include mathjax.html %} + + + diff --git a/_includes/mathjax.html b/_includes/mathjax.html new file mode 100644 index 0000000..c72c539 --- /dev/null +++ b/_includes/mathjax.html @@ -0,0 +1,8 @@ + diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index 6552538..3283181 100644 --- a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md 
@@ -5,7 +5,7 @@ title: Using Kani to Validate Security Boundaries in AWS Firecracker Security assurance is paramount for any system running in the cloud. In order to achieve the highest levels of security, we have applied the [Kani model checker](https://github.com/model-checking/kani) to verify safety-critical properties in core components of the [Firecracker Virtual Machine Monitor](https://firecracker-microvm.github.io/) using mathematical logic. -Firecracker is an open source project written in Rust which uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design which allows fast (~150ms) microVM start-up time, secure multi-tenancy of microVMs on the same host and memory/CPU over-subscription. Firecracker is currently used in production by AWS Lambda, AWS Fargate and parts of AWS Analytics to build their service platforms. +Firecracker is an open source project written in Rust which uses the Linux Kernel-based Virtual Machine (KVM) to create and manage microVMs. Firecracker has a minimalist design which allows fast (~150ms) microVM start-up time, secure multi-tenancy of microVMs on the same host and memory/CPU over-subscription. Firecracker is currently used in production by AWS Lambda, AWS Fargate and parts of AWS Analytics to build their service platforms. For the past 7 months, [Felipe Monteiro](https://feliperodri.github.io/), an Applied Scientist on the Kani team and [Patrick Roy](https://uk.linkedin.com/in/patrick-roy-31929323a), a Software Development Engineer from the AWS Firecracker team, collaborated to develop Kani harnesses for Firecracker. As a result of this collaboration, the Firecracker team is now running 27 Kani harnesses across 3 verification suites in their continuous integration pipelines (taking approximately 15 minutes to complete), ensuring that all checked properties of critical systems are upheld on every code change. 
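Review bot: The removed and added "Firecracker is an open source project ..." lines are textually identical, so this hunk changes whitespace only (an assumption from the visible text: trailing spaces). In Markdown two trailing spaces produce a hard line break, so stripping or adding them can change how the paragraph renders; confirm the rendered output is unchanged, and keep whitespace cleanups in a separate commit from the MathJax change so the diff on the post stays reviewable.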
@@ -21,9 +21,9 @@ In multi-tenant systems, microVMs from different customers simultaneously co-exi In a token bucket based rate-limiter, each microVM has a budget of “tokens” that can be exchanged for permission to do one byte of I/O. These tokens regenerate at a fixed rate, and if the microVM runs out of tokens, it gets I/O-throttled. This process of draining and replenishing is best visualized by an actual bucket into which water drips at a fixed rate, and from which water can be extracted at some limited rate: -Image visualizing the replenishing and draining of a TokenBucket +Image visualizing the replenishing and draining of a TokenBucket -The property we want to verify is that a microVM is not allowed to exceed the configured maximum I/O throughput rate. For a virtual block device rate-limited at 1GB/s, we want to prove that in any one-second interval, at most 1GB of data is allowed to pass through the device. +The property we want to verify is that a microVM is not allowed to exceed the configured maximum I/O throughput rate. For a virtual block device rate-limited at 1GB/s, we want to prove that in any one-second interval, at most 1GB of data is allowed to pass through the device. What sounds simple in theory is actually fairly difficult to implement. For example, due to a [rounding error](https://github.com/firecracker-microvm/firecracker/pull/3706) a guest could, in some scenarios, do up to 0.01% more I/O than configured. We discovered this bug thanks to a Kani harness for our throughput property stated above, and this harnesses is the main focus of the rest of this section. @@ -41,7 +41,7 @@ pub struct TokenBucket { // Current token budget. budget: u64, - + // Last time this token bucket was replenished. last_update: Instant, 
@@ -61,7 +61,7 @@ The `clock_gettime` function is passed a pointer to a `libc::timespec` structure mod stubs { static mut LAST_SECONDS: i64 = 0; static mut LAST_NANOS: i64 = 0; - + const NANOS_PER_SECOND: i64 = 1_000_000_000; pub unsafe extern "C" fn clock_gettime(_clock_id: libc::clockid_t, tp: *mut libc::timespec) -> libc::c_int { 
@@ -114,9 +114,9 @@ Let us now see how we can extend this harness to allow us to verify that our rat Our noisy neighbor mitigation is correct if we always generate the “correct” number of tokens with each call to `auto_replenish`, meaning it is impossible for a guest to do more I/O than configured. Formally, this means -$$0 \leq \left(now - last\\_update\right) - \left( new\\_tokens \times \left(\frac{refill\\_time}{size}\right) \right) < \left(\frac{refill\\_time}{size}\right)$$ +$$0 \leq \left(now - last{\_}update\right) - \left( new{\_}tokens \times \left(\frac{refill{\_}time}{size}\right) \right) < \left(\frac{refill{\_}time}{size}\right)$$ -Here, $new\\_tokens$ is the number of tokens that `auto_replenish` generated. The fraction $\left(\frac{refill\\_time}{size}\right)$ is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate $new\\_tokens$ and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. +Here, $new\\_tokens$ is the number of tokens that `auto_replenish` generated. The fraction $\left(\frac{refill\\_time}{size}\right)$ is simply the time it takes to generate a single token. Thus, the property states that if we compute the time that it should have taken to generate $new\\_tokens$ and subtract it from the time that actually passed, we are left with an amount of time less than what it would take to generate an additional token: we replenished the maximal number of tokens possible. The difficulty of implementing a correct rate limiter is dealing with “leftover” time: If enough time passed to generate “1.8 tokens”, what does Firecracker do with the “0.8” tokens it cannot (as everything is integer valued) add to the budget? 
Originally, the rate limiter simply dropped these: if you called `auto_replenish` at an inopportune time, then the “0.8” would not be carried forward and the guest essentially “lost” part of its I/O allowance to rounding. Then, with [#3370](https://github.com/firecracker-microvm/firecracker/pull/3370), we decided to fix this by only advancing $last\\_update$ by $new\\_tokens \times \left(\frac{refill\\_time}{size}\right)$ instead of setting it to `now`. This way the fractional tokens will be carried forward, and we even hand-wrote a [proof](https://github.com/firecracker-microvm/firecracker/pull/3370#pullrequestreview-1252110534) to check that $last\\_update$ and the actual system time will not diverge, boldly concluding 
@@ -154,7 +154,7 @@ The fix for this was to round up instead of down in our computation of `time_adj ## Conformance to the VirtIO Specification -Firecracker is a para-virtualization solution, meaning the guest is aware that it is running inside of a virtual machine. This allows host and guests to collaborate when it comes to I/O, as opposed to the host having to do all the heavy lifting of emulating physical devices. Firecracker uses [VirtIO](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) for the transport-layer protocol of its paravirtualized device stack. It allows the guest and host to exchange messages via pairs of ring buffers called a *queue*. At a high level, the guest puts requests into a shared array (the “descriptor table”) and puts the index into the descriptor table at which the host can find the new request into the request ring (the “avail ring” in VirtIO lingo). It then notifies the host via interrupt that a new request is available for processing. The host now processes the request, updating the descriptor table entry with its response and, upon finishing, writes the index into the descriptor table into a response ring (the “used ring”). It then notifies the guest that processing of a request has finished. +Firecracker is a para-virtualization solution, meaning the guest is aware that it is running inside of a virtual machine. This allows host and guests to collaborate when it comes to I/O, as opposed to the host having to do all the heavy lifting of emulating physical devices. Firecracker uses [VirtIO](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) for the transport-layer protocol of its paravirtualized device stack. It allows the guest and host to exchange messages via pairs of ring buffers called a *queue*. 
At a high level, the guest puts requests into a shared array (the “descriptor table”) and puts the index into the descriptor table at which the host can find the new request into the request ring (the “avail ring” in VirtIO lingo). It then notifies the host via interrupt that a new request is available for processing. The host now processes the request, updating the descriptor table entry with its response and, upon finishing, writes the index into the descriptor table into a response ring (the “used ring”). It then notifies the guest that processing of a request has finished. The Firecracker side of this queue implementation sits right at the intersection between guest and host. According to Firecracker’s [threat model](https://github.com/firecracker-microvm/firecracker/blob/main/docs/design.md#threat-containment): @@ -166,11 +166,11 @@ The entirety of the VirtIO queue lives in shared memory and can thus be written ```rs fn arbitrary_guest_memory() -> GuestMemoryMmap { - // We need ManuallyDrop to "leak" the memory area to ensure it lives for + // We need ManuallyDrop to "leak" the memory area to ensure it lives for // the entire duration of the proof. let memory = ManuallyDrop::new(kani::vec::exact_vec::()) .as_mut_ptr(); - + let region = unsafe { MmapRegionBuilder::new(GUEST_MEMORY_SIZE) .with_raw_mmap_pointer(memory) @@ -196,7 +196,7 @@ impl kani::Arbitrary for Queue { fn any() -> Queue { // Firecracker statically sets the maximal queue size to 256. let mut queue = Queue::new(FIRECRACKER_MAX_QUEUE_SIZE); - + const QUEUE_BASE_ADDRESS: u64 = 0; // Descriptor table has 16 bytes per entry, avail ring starts right after. const AVAIL_RING_BASE_ADDRESS: u64 = 
@@ -205,13 +205,13 @@ impl kani::Arbitrary for Queue { // and needs 2 bytes of padding. const USED_RING_BASE_ADDRESS: u64 = AVAIL_RING_BASE_ADDRESS + 6 + 2 * FIRECRACKER_MAX_QUEUE_SIZE as u64 + 2; - - queue.size = FIRECRACKER_MAX_QUEUE_SIZE; + + queue.size = FIRECRACKER_MAX_QUEUE_SIZE; queue.ready = true; queue.desc_table = GuestAddress(QUEUE_BASE_ADDRESS); queue.avail_ring = GuestAddress(AVAIL_RING_BASE_ADDRESS); queue.used_ring = GuestAddress(USED_RING_BASE_ADDRESS); - + // Index at which we expect the guest to place its next request into // the avail ring. queue.next_avail = Wrapping(kani::any()); 
@@ -222,34 +222,34 @@ impl kani::Arbitrary for Queue { // How many responses were added to the used ring since the last // notification was sent to the guest. queue.num_added = Wrapping(kani::any()); - + queue } } ``` -Here, the final two fields, `uses_notif_suppression` and `num_added` are relevant for the property we want to verify. Notification suppression is a mechanism described in [Section 2.6.7 of the VirtIO specification](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) which is designed to reduce the overall number of interrupts exchanged between guest and host. When enabled, it allows the guest to tell the host that it should not send an interrupt for every single processed request, but instead wait until a specific number of requests have been processed. The guest does this by writing a used ring index into a predefined memory location. The host then will not send interrupts until it uses the specified index for a response. +Here, the final two fields, `uses_notif_suppression` and `num_added` are relevant for the property we want to verify. Notification suppression is a mechanism described in [Section 2.6.7 of the VirtIO specification](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf) which is designed to reduce the overall number of interrupts exchanged between guest and host. When enabled, it allows the guest to tell the host that it should not send an interrupt for every single processed request, but instead wait until a specific number of requests have been processed. The guest does this by writing a used ring index into a predefined memory location. The host then will not send interrupts until it uses the specified index for a response. To better understand this mechanism, consider the following queue: Imagine illustrating used buffer notification suppression -The guest just wrote requests 1 through 3 into the avail ring and notified the host. 
Without notification suppression, the host would now process request 1, write the result into slot 1, and notify the guest about the first request being done. With notification suppression, the host will instead realize that the guest does not want notification until it writes a response to the third slot. This means the host will only notify the request after processing all three requests, and we saved ourselves two interrupts. +The guest just wrote requests 1 through 3 into the avail ring and notified the host. Without notification suppression, the host would now process request 1, write the result into slot 1, and notify the guest about the first request being done. With notification suppression, the host will instead realize that the guest does not want notification until it writes a response to the third slot. This means the host will only notify the request after processing all three requests, and we saved ourselves two interrupts. This is a much simplified scenario. The exact details of this are written down in [Section 2.6.7.2 of the VirtIO 1.1 specification](https://docs.oasis-open.org/virtio/virtio/v1.1/csprd01/virtio-v1.1-csprd01.pdf). We can turn that specification into the following Kani harness: ```rs #[kani::proof] #[kani::unwind(2)] // Guest memory regions are stored in a BTreeMap, which - // employs binary search resolving guest addresses to + // employs binary search resolving guest addresses to // regions. We only have a single region, so the search // terminates in one iteration. fn verify_spec_2_6_7_2() { let mem = arbitrary_guest_memory(); let mut queue: Queue = kani::any(); - + // Assume various alignment needs are met. Every function operating on a queue - // has a debug_assert! matching this assumption. + // has a debug_assert! matching this assumption. kani::assume(queue.is_layout_valid(&mem)); let needs_notification = queue.prepare_kick(&mem); 
@@ -281,8 +281,8 @@ Beyond these specification conformance harnesses, we also have standard “absen ## Conclusion -Thanks to Kani, the Firecracker team was able to verify critical areas of code that were intractable to traditional methods. These include our noisy-neighbor mitigation, a rate limiter, where interactions with the system clock resulted in traditional testing being unreliable, as well as our VirtIO stack, where the interaction with guest memory lead to a state space impossible to cover by other means. +Thanks to Kani, the Firecracker team was able to verify critical areas of code that were intractable to traditional methods. These include our noisy-neighbor mitigation, a rate limiter, where interactions with the system clock resulted in traditional testing being unreliable, as well as our VirtIO stack, where the interaction with guest memory lead to a state space impossible to cover by other means. -We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a malicious guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. +We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a malicious guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. 
Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. All in all, Kani proof harnesses has proven a valuable defense-in-depth measure for Firecracker, nicely complementing our existing testing infrastructure. We plan to continue our investment in these harnesses as we develop new Firecracker features, to ensure consistently high security standards. To learn more about Kani, check out the [Kani tutorial](https://model-checking.github.io/kani/kani-tutorial.html) and our [previous blog posts](https://model-checking.github.io/kani-verifier-blog/). From 1a6c55af2eab5d1581c3e4f7c906dd22a4fcf127 Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Thu, 31 Aug 2023 18:44:40 -0400 Subject: [PATCH 7/8] Fix publishing date Signed-off-by: Felipe R. Monteiro --- ...ng-kani-to-validate-security-boundaries-in-aws-firecracker.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename _posts/{2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md => 2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md} (100%) diff --git a/_posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md similarity index 100% rename from _posts/2023-08-25-using-kani-to-validate-security-boundaries-in-aws-firecracker.md rename to _posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md From a74d826f930ec2c9a0ded13a9b0da4246b40adf9 Mon Sep 17 00:00:00 2001 From: "Felipe R. Monteiro" Date: Fri, 1 Sep 2023 00:22:06 -0400 Subject: [PATCH 8/8] fix wording Signed-off-by: Felipe R. Monteiro --- ...kani-to-validate-security-boundaries-in-aws-firecracker.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/_posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md b/_posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md index 3283181..67c8399 100644 --- a/_posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md +++ b/_posts/2023-08-31-using-kani-to-validate-security-boundaries-in-aws-firecracker.md @@ -159,7 +159,7 @@ Firecracker is a para-virtualization solution, meaning the guest is aware that i The Firecracker side of this queue implementation sits right at the intersection between guest and host. According to Firecracker’s [threat model](https://github.com/firecracker-microvm/firecracker/blob/main/docs/design.md#threat-containment): ->From a security perspective, all vCPU threads are considered to be running malicious code as soon as they have been started; these malicious threads need to be contained. +>From a security perspective, all vCPU threads are considered to be running untrusted code as soon as they have been started; these untrusted threads need to be contained. The entirety of the VirtIO queue lives in shared memory and can thus be written to by the vCPU threads. Therefore, Firecracker cannot make any assumptions about its contents. In particular, it needs to operate securely no matter the memory content. For anyone who has worked with Kani before, this yearns for a generous application of `kani::vec::exact_vec`, which generates a fixed size vector filled with arbitrary values. We can set up an area of non-deterministic guest memory as follows: 
@@ -283,6 +283,6 @@ Beyond these specification conformance harnesses, we also have standard “absen Thanks to Kani, the Firecracker team was able to verify critical areas of code that were intractable to traditional methods. These include our noisy-neighbor mitigation, a rate limiter, where interactions with the system clock resulted in traditional testing being unreliable, as well as our VirtIO stack, where the interaction with guest memory lead to a state space impossible to cover by other means. -We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a malicious guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. +We found 5 bugs in our rate limiter implementation, the most significant one a rounding error that allowed guests to exceed their prescribed I/O bandwidth by up to 0.01% in some cases. Additionally, we found one bug in our VirtIO stack, where a untrusted guest could set up a virtio queue that partially overlapped with the MMIO memory region, resulting in Firecracker crashing on boot. Finally, the debug assertions added to the code under verification allowed us to identify a handful of unit tests which were not set up correctly. These have also been fixed. All in all, Kani proof harnesses has proven a valuable defense-in-depth measure for Firecracker, nicely complementing our existing testing infrastructure. We plan to continue our investment in these harnesses as we develop new Firecracker features, to ensure consistently high security standards. 
To learn more about Kani, check out the [Kani tutorial](https://model-checking.github.io/kani/kani-tutorial.html) and our [previous blog posts](https://model-checking.github.io/kani-verifier-blog/).
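Review bot: In the new `_includes/head.html`, `{% include mathjax.html %}` is unconditional, while the analytics include directly above it is wrapped in an `if`. Every page of the blog will therefore pull in the MathJax include, although only posts with formulas need it. Consider guarding it with a front-matter flag on the posts that use math, and add a short comment in the file saying that the MathJax line is the local addition, so the reason for carrying a full head include stays clear.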
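Review bot: In the `@@ -21,9 +21,9 @@` hunk of the post, the context line right after the changed paragraph still reads "this harnesses is the main focus of the rest of this section"; it should be "this harness is". The two changed lines in this hunk differ only in whitespace, so fixing the typo here would give the hunk a visible purpose.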
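Review bot: In the `@@ -114,9 +114,9 @@` hunk, the display formula changes its underscore escape from `\\_` to `{\_}`, but the inline math in the paragraph directly below (`$new\\_tokens$`, `\left(\frac{refill\\_time}{size}\right)`) and in the following paragraph (`$last\\_update$`) keeps `\\_`. If that difference is intentional because the `$$` block and the inline `$...$` spans are escaped differently by kramdown, please say so in the commit message; otherwise use one form throughout and check both display and inline math on the rendered page.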
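Review bot: In the `@@ -222,34 +222,34 @@` hunk, the re-added paragraph on notification suppression says "the host will only notify the request after processing all three requests"; the party being notified is the guest, so this should read "notify the guest". The image alt text two lines above it, "Imagine illustrating used buffer notification suppression", also looks like it was meant to start with "Image".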
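Review bot: In PATCH 8/8, hunk `@@ -159,7 +159,7 @@`, the reworded line is a blockquote introduced with "According to Firecracker's threat model:" and a link to `design.md`, so replacing "malicious" with "untrusted" changes text that is presented as a verbatim quote. Please confirm the linked document uses the new wording. If it does not, either keep the quote as it stands in the source or drop the `>` and paraphrase it in the post's own words.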
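Review bot: In PATCH 8/8, hunk `@@ -283,6 +283,6 @@`, the new line reads "where a untrusted guest could set up a virtio queue"; the article needs to change with the word, so it should be "an untrusted guest". While this paragraph block is open, the surrounding context lines have two more slips worth fixing in the same commit: "the interaction with guest memory lead to a state space" should be "led to", and "Kani proof harnesses has proven" should be "have proven".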