From b21c27eed6e6b809043d3df4cd238617cfd64d85 Mon Sep 17 00:00:00 2001 From: Olivier Le Thanh Duong Date: Mon, 29 Jul 2024 12:46:29 +0200 Subject: [PATCH] Start documentation on confidential (#655) * Documentat on confidential * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Update doc/confidential.md Co-authored-by: Hugo Herter * Review comments * Update confidential image creation doc --------- Co-authored-by: Hugo Herter --- doc/confidential.md | 266 ++++++++++++++++++ doc/images/boot_process.drawio.png | Bin 0 -> 21818 bytes examples/example_confidential_image/README.md | 7 +- .../setup_debian_rootfs.sh | 8 +- 4 files changed, 275 insertions(+), 6 deletions(-) create mode 100644 doc/confidential.md create mode 100644 doc/images/boot_process.drawio.png diff --git a/doc/confidential.md b/doc/confidential.md new file mode 100644 index 000000000..4e208d7c9 --- /dev/null +++ b/doc/confidential.md @@ -0,0 +1,266 @@ +# Confidential computing + +Aleph-vm offers to launch confidential VM with AMD SEV. This is also known as TEE, Trusted Execution Environment. + +This is only supported for instances using Qemu as their hypervisor. + +## Life cycle +First, a user creates a VM message and sends it with notify_allocate. This notifies the orchestrator about the creation of the new VM. +The user fetches the platform certificate, validates its chain again AMD root certificate. +The user must then upload so-called Guest Owner certificates (created with sevctl) to create an encrypted channel between the user and the Security Processor. + +Once uploaded, the VM is started in Qemu in stopped mode: Qemu will allocate the RAM for the VM, load the firmware inside it and then let the AMD Security Processor encrypt the memory. Once this is done, the SEV endpoints allow to retrieve a measure of the memory of the VM and to decide whether to inject a user secret in the VM. Upon secret injection, the VM is launched, i.e. the VM CPU is started and goes through the boot sequence of the VM. + +The end result is a virtual machine that is accessible through SSH and is completely encrypted in RAM, making it inaccessible from the point of view of the hypervisor. + +```mermaid +flowchart TD + A[Start] -->|Allocate VM on CRN| B(CRN: Check payment, download image, volume) + B --> |Download certificate from CRN| C(User: Validate Certificate again CHAIN) + C --> |Create session certificates| D[Certificates file created] + D --> |Send certificate to CRN to init sessions | E[CRN: Launch VM with firmware with encrypted communication channel] + E --> |Fetch measurement from VM| F[User: Calculate it's own measurement and verify them again the CRN's] + F --> | if ok: Send secret in encrypted channel | G[CRN: Start and unlock VM] +``` + + +# CRN Side + +## Hardware requirement +4th Generation AMD EPYC™ Processors with SEV support. + +This includes the [9004 Series Processors and 8004 Series Processors](https://www.amd.com/en/products/processors/server/epyc/4th-generation-9004-and-8004-series.html#tabs-4380fde236-item-2130f0d757-tab). + +Note that the [4004 Series Processors do not provide SEV](https://www.amd.com/en/products/processors/server/epyc/infinity-guard.html) and are therefore not supported. + +> ℹ️ The 4th Generation requirement stems from security vulnerabilities discovered in SEV on Zen3 and earlier architectures. + +## Requirements for the CRN +* Support must be [enabled in the computer BIOS](https://www.amd.com/content/dam/amd/en/documents/epyc-technical-docs/tuning-guides/58207-using-sev-with-amd-epyc-processors.pdf) (see Section 2.1). +* The kernel and platform must support SEV. (e.g Ubuntu 24.04 support it by default) +* [sevctl](https://github.com/virtee/sevctl) must be installed. A copy is included in the aleph-vm Debian package and installed as `/opt/sevctl`. +* QEMU must be installed. + +Check with the `sevctl ok` command that the system is supporting AMD SEV properly, at least: + +```[ PASS ] - Secure Encrypted Virtualization (SEV)``` + + + +See AMD DOC for more info on enabling SEV for your system +https://www.amd.com/fr/developer/sev.html + + +## Enabling the confidential computing feature in aleph-vm + +Enable SEV in the configuration of `aleph-vm`, by default in `/etc/aleph-vm/supervisor.env`: +``` +ALEPH_VM_ENABLE_QEMU_SUPPORT=1 +ALEPH_VM_ENABLE_CONFIDENTIAL_COMPUTING=1 + +``` + +After launching the server you can check the endpoint +http://localhost:4020/status/config and verify that ENABLE_CONFIDENTIAL_COMPUTING is true + + +# User side +The user wanting to launch the VM, referred as the Guest Owner. + +The aleph-sdk-python and the aleph-client provide way to launch , validate and start the VM. + +## Create an encrypted VM image + +The user must create a virtual machine disk image that has been encrypted using a password of their choice. +Follow the instruction here: https://github.com/aleph-im/aleph-vm/blob/dev-confidential/examples/example_confidential_image/README.md + +## OVMF Launcher Firmware +The OMVF file, a UEFI firmware for virtual machines, handle launching the confidential VM. +It receives the secret (decryption key) in a secure manner and pass it to the VM bootloader (see Boot process section). + +Aleph.im provide a default one, destined to work with confidential image created following the procedure described above. + + +In the usual case a user would just create an encrypted VM image but they might also provide a customised firmware in the `firmare` field of `trusted_execution`. + +See [the instructions on how the Firmware is built](runtimes/ovmf/README.md) + +The hash from the Firmware is needed to validate if it's the one launched the CRN. + + +# Implementation details +## Aleph-message +on Instance type message, we check if the `content.environment.trusted_execution` is set + +``` + "trusted_execution": { + "policy": 1, + "firmware": "e258d248fda94c63753607f7c4494ee0fcbe92f1a76bfdac795c9d84101eb317" + } +``` + +* Firmware is an [IPFS CID](https://docs.ipfs.tech/concepts/content-addressing/) reference to the OVMF firmware file (see OVMF firmware section) +* policy is an AMD SEV Policy (for now we only expose if AMD SEV and SEV-ES are supported) + + +## Boot process +The following diagram describes the different pieces of the VM boot process. + +![Boot process](./images/boot_process.drawio.png) + +* OVMF: UEFI firmware (see section above), finds the bootloader and launches it +* GRUB, the boot loader, decrypts the VM image and jumps to it. +* GRUB configuration files: the unencrypted script looks for the user disk decryption password injected during + the SEV boot process, then jumps to a complete Grub configuration file provided by the user inside the VM + image. +* Kernel + initrd + root filesystem: The OS of the VM. + +OVMF and Grub must be unencrypted. This means that the VM supervisor can alter these pieces at will. +It is therefore crucial that these pieces are part of the launch measurement retrieved during the SEV +sequence. + +The process documented in `runtimes/ovmf/README.md` can be used to generate a firmware image that combines OVMF and Grub +into one binary. + + +## Detailed sequence with endpoints +```mermaid +sequenceDiagram + participant Qemu + participant CRN + actor User + CRN->>User: Fetch platform certificate (GET /about/certificates/) + Note right of User: Generate via sevctl using the platfom certificate:
TIK, TEK, GODH, Session + User->>CRN:Upload certificates POST /control/machine/{ref}/confidential/inialize + Note over CRN,User:session.b64, godh.b64 + CRN->>Qemu: Run qemu process (pass session, godh, image, ovmf) + Note left of Qemu: Emulator is in stopped state + User->>CRN: Fetch measurement (GET /control/machine/{ref}/confidential/measurement) + Qemu->>CRN: Retrieve launch measurement (via qmp) + CRN->>User: Measurements (SEV version, policy, firmware hash, signature) + Note right of User: Verify measuremetn signature + Note right of User: Encrypt secret using TEK key + User->>CRN: Pass encoded secrets (POST /control/machine/{ref}/confidential/inject_secret) + CRN->>Qemu: Inject secret (via qmp) + CRN->>Qemu: Start VM (via qmp) + Note left of Qemu: Emulator is in started state, VM Boot + User->>Qemu: SSH or other interaction +``` + +# Development and debugging + +See QEMU.md in general for QEMU related developement + + ## Note on systemd in dev + If you use a local copy of aleph-vm, for example a version you are developping on, by default systemd will still use the system version of the aleph controller. It is necessary to modify + `/etc/systemd/system/aleph-vm-controller@.service` to point to your version. + + For example here is what I use + ``` + [Unit] +Description=Aleph VM %i Controller Olivier +After=network.target + +[Service] +Type=simple +RestartSec=5s +PrivateTmp=yes +NoNewPrivileges=true +WorkingDirectory=/home/olivier/pycharm-aleph-vm/src +Environment=PYTHONPATH=/home/olivier/pycharm-aleph-vm/src:$PYTHONPATH +ExecStart=/home/olivier/.virtualenvs/aleph-vm/bin/python3 -m aleph.vm.controllers --config=/var/lib/aleph/vm/%i-controller.json +Restart=no + +[Install] +WantedBy=multi-user.target +``` + +After modification use the following command to have the modification taken into account +```shell +sudo systemctl daemon-reload +``` + +# Testing + +After initializing the VM you can check it's status with: +`sudo systemctl status aleph-vm-controller@decadecadecadecadecadecadecadecadecadecadecadecadecadecadecadeca.service` + +and see the logs with +` sudo journalctl -u aleph-vm-controller@decadecadecadecadecadecadecadecadecadecadecadecadecadecadecadeca.service` + +**Important** + +If you modify your base image between tests, you will need to delete the image file on disk (which is a delta of the base image) +For example using : +`sudo rm /var/lib/aleph/vm/volumes/persistent/decadecadecadecadecadecadecadecadecadecadecadecadecadecadecadeca/rootfs.qcow2` + +Ensure the VM controller is stopped before! +`sudo systemctl stop aleph-vm-controller@decadecadecadecadecadecadecadecadecadecadecadecadecadecadecadeca.service` + + Between your test you can also stop the execution using + ```http + ### Stop all VMs +POST http://localhost:4020/control/allocations +Content-Type: application/json +X-Auth-Signature: test +Accept: application/json + + +{ + "persistent_vms": [], + "instances": [ + ] +} + +``` + +## Sevctl +Most operations done by `sevctl` are implemented in [aleph-sdk-python](https://github.com/aleph-im/aleph-sdk-python), either by calling it, calling the relevant endpoint +or by reimplementing the functionality in python. Here is a primer in case you need to call it manually. + +### Install `sevctl` +If you are not taking the version from the debian package, you can install sevctl manually with cargo + +Requirements: + * `cargo` + +On Ubuntu/ Debian install it via `apt install cargo` (as root) + +To build and install sevctl +```cargo install sevctl``` + +Ensure $HOME/.cargo/bin is in your PATH to launch it manually. + +To configure which bin aleph-vm use, set the environment variable +``` +ALEPH_VM_SEV_CTL_PATH=/home/olivier/.cargo/bin/sevctl +``` + +Alternatively, `sevctl` can be build from `git` : ```cargo install --git https://github.com/virtee/sevctl``` + + +## Example Commands +## Generate session key +You can generate the sessions keys using sevctl +1. Export the platform key + `sudo sevctl export platform.pem` +2. Create the sessions files + `sevctl session platform.pem 0x1 dwdw` + +This will create the files `vm_godh.b64`, `vm_session.b64`, `vm_tek.bin`, `vm_tik.bin` in your current directory + +### Calculate measurement + +```shell +RUST_LOG=trace sevctl measurement build + --api-major 01 --api-minor 55 --build-id 24 --policy 1 + --tik ~/pycharm-aleph-sdk-python/decadecadecadecadecadecadecadecadecadecadecadecadecadecadecadeca_tik.bin + --firmware /usr/share/ovmf/OVMF.fd + --nonce URQNqJAqh/2ep4drjx/XvA + ``` + +### Debug +To enable debugging log, set the environment variable +```env +RUST_LOG=trace +``` \ No newline at end of file diff --git a/doc/images/boot_process.drawio.png b/doc/images/boot_process.drawio.png new file mode 100644 index 0000000000000000000000000000000000000000..a0e20f74ec49f7328a639a6709b1dc2b0f5bec80 GIT binary patch literal 21818 zcmbTe1yq&I_CF4YazF(RAxO%h1?iNILw7eGy1QFF(j}5oN=pmUDIp>V1})vvAzi;Y z`o8zx_ulVX|F!;WJ-D9pJoC)#nZ0MvXZB~05o#*3w{ggD(9qCs%gae?prK)OprN4? zLvDa4Yww?aM?<^*%>%CI;pk&!>tKmS&n@-mj-HFd#@XG2o?Dupiwoi6!e(KMuy#W@ zy0bZ1dVojZy`!^*t(C2%#h)@<99&!vIQSoMa%ypM(Q`}ia)5uh`Pn%61PuO^M_5}r z{Z%0^8waR>Nsp70`OiB`4}|rfddwA_WVN*)=<1r+JM* zb8H-JoPS<;__|pBd1~$KZ0%r)dddw4UHMC9(3I_8QmRYnOK@BBx^lrEJW$|ubk}tg zl=)MM6TOzPTYKM&ffCc()I=xpp=5NvZt~V!c14wMVFonG$f;;?ylAvD4Of?@$>6zd#Qn{ycBtT)P1=nEcCf} z&8+-nZM7ZMIISJv`~vc_z6vsWDxi$H0-wCHs*1axgMz)Tye+2+kSpu(-}Wa(zcE8yuT z<*eqYVCCp7i|})Gbe7kYk#n?Bb&=7NuvFpnbkC^GVoBe(X&ufa&Y1Ify*G|Z58dLTnw!BJq_T}S{!zAegYf_X-_vn4{Lcj z&@Dj)RXH^uNqxA6wWNZCfSU)0ueGz8q@W}aQ6BtBa?4A&@^kQ5*h{NOs#!Rx>iW3J z=qqZ=OLOSz$ys?SOMpTaZr<*k){=^X`ZBhDF7oDFc5n%2A9-b2TXShEGahaUAA36u zxPX-=r>nObx2=z!wu>CXR!85>4IwAT!)L*xqv@ri>7v0Y>FDU-%cm`)X2BuvW-DQV zu;les({|MqFymF@GqAIfmgVsFv+=dy(9%%Tkyp3Z(1Tl=Ia*j~Iw@&baq#GxDcKvC zIjL({I`P;___%0D=<8be*eU=KCA1Z--Bs14-N2-gL|AGWxJU!@lmXq8bhFk~w3Y)m z;L=hu@OAOC(o=JH(A4#^*YlLHapLyW*3)q0cUKYgR8lop)ONB|Rx|gubmTUd;PK+O z;O3T72VZhas!DOWs(Z+}YZ*wWXsg+J`f;17E30~X3!1BFxqE2~NcnI$Xe)xE25v4A zK!r~7%3xMYa&kI>#$}u>xcRIkWo!-9fwz!xv3JpN@v_tQ;8M3z^On-$L~t2+p;|HL zQ|DJ#w%~Sgv2*8f)Ase^cJ;F4QB$_DR#TPNb~od2)K@igc2KZ!)RE@21Jgy4LzPcc z)7;fhU!7aPN|HxV6(QvWTHq7lMwy|alpdd)f`YZ5ouz^vho+qk!qd{n&PAQW$v}pm z*Gmc%LDeDcqo?NP?x7}c<*lO4Z|T9QD8tR^ZEeBj%I#`_FxRj$aCbM;<2Sd^P;&w0 zmF+e84eZ^Wxs@F?xzrsrIXU^f+#Kv>^=!SA930F+t&++L_MW;D5;puEin@{RP%6JeI29y@mm&97*y%Sd7`QTo=e72jfY1{8Qf?&sG93)af9A?NP4Jos(AYNIa^r@%DF3fqnsV;LiO-( zANSkgp}zm^$btV8J>OJ9L%WA2FD;?vW3riv<)fut7b?d5g_SY8A zBayIM%@i+se6Qtby2(T8rUDl9r?FN%48o)UUEFGENfUdFIbflZxu1DT5kX5k^84b+cJ61oPilyCtT{D@YUTyb&9AJlfw^2uvJm1^f4JH0=5WH27E&VkJlZ zKfY$_=tn2G_wP%W093`bVZ`%yJ*W!dse zP>+ zDt!Equeq`ddrN%+e!q$)Dl zO&X{94HN%O-o@S*Sfk~}Qp3gCoWYj?4l}LB5vRi?x=HU;G6d9X&Q4aczvjsk23%bn zeasZ9J55VGW%Nd74{s&un!Hb9(Zv@F3hOaUU`C~SoUBIm_)T7$lD!G^t}6qS{V#cM zYTN=MMMaUY!-6l*?XYwe%-Vu35*HP0ldgnpztJH>LyNVoKEKqy(8qCU@jIw=80XS@ zqjCKy7T$-o;S$%`c68}UXshc&=zVX!YO5HsT>qmj0nfEWJC+st>jDA-q=t1)aG-Tg ztNzqN>0|xP4!BQe=W{C(LZqHQY8Ak4ap^O9Sz0aHyybK3oivZmo zaL(RB8CCmN%$ySFbhR~}+tR1&4YaJ@mVJrLxg%-9zHS);t{A*_L*hNLl4OSlt-R|d0X3zX7OVo8mhd@Awy`K?H&%zzG>49k4zxn}d@SyW}> z^oJPo63VS7*KhjS6)eS8Qb^%kjJ-AgT8WU7?MX*z0?fk0LL0XSzcqo5{y?ZhHkRUj zx^wFrs}vXQWU44i|pdZ+ZnkgwboYkqsKpDPoyvk)idw{F3WoT?!2?*+=mGRN{zQSYsc(~E_kIPC~& zU@3`^K4V?qw#m0iaSAW!@xyQ_HTK3E+^sjJTgcna_o4`l##N{)$vGZ{Bsl6vsyF+% zE`Cne-CX?SYI#vL`8;T^avcCnWD2M zqVw5{klPS7q$572%43v-8A{@jm8C05Ze+U&Se=WpWu?$qJ6Qqs9O>0>`BC>Bw)NilRf6Ii77;L4el$&#(K=nceyOoEV11Rb(0z7-X~d-xE1Q- zc!T+yB(2Dt#pn2PBJlEOVfGO2&Rl1hwmg!^lDSMZat9^uPTSRGNtZAytCEOBj^Dvr zaj1Sd%e*@>U#pLD)1<{uP;etd2>bXtm~p1a=TX0%;T5A=y$gaqX%8DZ2Wxg+kfHDV zz3kj$04|gB^#}hy&R&W3p1t1^qKSZBp@?#7$IqmJRtd`Y;1)$V<~eG;Vek9|e-74= zkSqLnOOi5!8jUM~XRLLQHj9QQMCK>IuuV`i1D_CsXf9Q4K?L>V?<uP7jV2#`AP^qS!Ojhkum}G!XL6znc;8tIVmATj9?Za7#w|nR2tP82IwnD zI_AqxASkJ12+RSZ%2)$FPoqTL0Dn9X>6FFe?eILvzI6 z;-Q@JPhbHmarahKe^-tF$QFqmFNg`+N1y~FHShvUvpB}3YDn19x!4CI8th|kbgJb2 zl~p%KRMn3-Kxf{EjEjITUW2Ma=Pg%I&u3@A=W{c=OKWoNGuV|p9W%832PoV5`|^Q< z8k;-1Km1!j&iR@pWbY~G3ZHiK8?6(Jr95Zu zX#G-s)e>MlAtsaY+6#cJ&C-mq1eilx5!_c#r9>dHd>H4TSXaDLmBm-bYpVlpabJV- z>b&_Vt;D!~&Hfy$RYhm=zQ#qrAXH%wsZ*pz`hT{pvCF14rt;T{RapcaH5~2UK57Ve z7#Ft}{o%HkG31WD<9T8v?J#=}G>3Ja<%VWHqzCQg`#L>_j;AuJJ)L23_(MOV54%t+YgWEo_mh$2>Di(2?j* z&u=q#j6C}s|1ErF6B3u*fElKm(S0PVI#(E#va3FT$01rz9-H+rEOhhqKA8vxnZz9q z(^fy@3*k*e=I5}J^?F96kN9YEvGT{`@%sJInYBToLrTdKDyf}?!8VxY>AO_!0_x%7OLrT28wMg$ zWdR+f`2w!XveA@72h7l9p_&paT;0t)I@vl}qf$Tj#m~>-y)NHI6MVvDi010tb-QvR z-ZRBBHk}6Um%sN}TEhI8&BF3wK<`QA(v?W3YBHiZE1&MLJRJ_LW#hk1od$CdFjK?= zzT|0kK6Kfo0FvH0UaZd4q4S)7^$pZOfi^ZnI7*&IWcU-~pmA(2;~<>5qj2!5^bD5K&z2Q&9 zo$0+MJ&!vXIovJc842#<1m<|<`05QbF7o(UL{@%9mThLk93BM6ma_wo(ki?;LJl8u zfdPZa-l-;ZJ_}caM)v- zcrPq!XU2QmTi3aw}}XI-c8}VY11a`o&6Fd!jFkE31Qi-nVf6 z>Xh#H6)QAL>Agc2E5VK7Bnuz9TcvusVt33O3=d~wcglVQ!+v7r?{qF-CqkSp6*zH! zdpX#6`(vyUJy;ot`LVcDfx$g$zvHb6trb91zqS1WGHCi1y(LshO{jq$XZgeMdfURj z$~7&K%EXD4h@H%~Ei;!vzIfgaC|vK;TJzHSThE_#=Rx~?i!Ue*_(~rKWu`9-_jhyJ zYnf`X8IwloI!iwKD1Bb1&2ADF~v05`YuxJbVd%iK#d}L5ynD|8&Sv?9y|689f&-;f)I2U z&_sToa~NhKLX>BFWl}rARKT?^k$DXUsNQ^#RcvTE4UMjeH@br-*p`3c#u5PXcO>Tors zLeanLarIxA)@u_up0|I6Ix-o0n z9tYk{gKgXtIh#?0)&@rlNNr*sUzTJh5gLA@-5}wOtR&$?VECi=$tW{-@Zp4_Yrck% zqa_&|$N*?^*H80Cfo$rN@e&E94wG54|0%~C$)-<+_?M5SLJ<41XOqqK-E^G~mrtd; zd@-6U8+Q*+uPc&R@j}q2|DM))UXCh}3@#b{X;H|nG;W)%l|ivf>63Hf%7wAIm)jA= zG=yV}0m)P6tWc*B-+Kk@=QwQ?dSP133I5AI2X*9fX}Q8=L#5$qv`^JqoebaEo-^N1 zzE8CI@Q_M4lCLGy>?%~SvGf2;Jy*mw8J)_nJzbQ32Hd9Bb}AilUiRFc4ooCeG7aYCyc10wPG?r;J-8kHl?XuWj^zVoVb&Gi zD$=RhzBA`8^uer$QN{2Q8W1mdzO3Htz#08g^!`LcjpHQlu$?yiQ=P_Z-6j*gR$u)@ zM_qQ~7(vbD`HqI0a)|;^9AftH+NmEf+r2!KGXKrJnz6TzjG@uw8^eLEe4?J`L=Wp$ zpOAUl&raRiHrpC%NNt`K^XA;kktLNs8V{5`@=kp%)X_3=eSXu!IoJ1$J?rI^7~ZAC zB*}uGa^BCv&sxF0IE!Bc*x`EI_uCwfg`p+@j@;TBzk#l7=Q|>1JK*NAC5FSxlA-|% zkb_vSB|6{xX)m8+`Ku?}+huR#I!!+HY6s^-=;h@{`NWD*+^7EUWQMEYu7=S~Zc?eo zuLQ3(=?sd8dViNDyL#+X)xqZ(y;Km@SXYbsAmELQnRxrACpPE?G@&G-Xt~O}#HQz6p6qLadZu#{66; zSUAY5Ft0rRl?oe9hpbJK^x#p;emLUJ2^>89czQ(u6MHjoXVbhVHb#{^C{mx$+ErFB z+sMs`eUNZYOgh%M)sJ$fG-FNQ@TWo9&daefr5%j``i>-WFY&0;;o(@9Dm;bP);~Uw za$2I#W53_{Qi^L3H8sDDn=KyY^c1}R%-+asYf}BwaI)=9SxWi^F8FPDD*0!H9-L%ySF9A zEoSlolX=|t6IsKbo5cpggEdzwq>uPw)T&%eJfkM(wkC6^xbjt_0+PsH_gZUnIKID6 zr?f*58jg3pDvq&&IyO^g-|4+T;HCBA1;@>Tpz)i|5u>x84TE1<#?g%JZHhL(qw4Fl~y(xqjcwc9kH{mvJv_E6DgP*W|mOS=a&Pa9r|{|G4SugmO5s(4E80 z$*_0ZdGIUfMZBo_X(4HuX$`u$)Q9`*O!}>KjYr#|KD!HZ{k`0)qxsYWnWAy;whQ3d z@zWnOc)9QN8-;)GQC;YIPFNqXTb1C&yv-PwNf6A4RqR}{^ud6P)9N^Ohq~?xUuf>J zK>hYTx8=_fO~ErUi_EQ7=C#Z8s(Q z^lPamcrR`Nj31+cj3WN{>>1$=#OUKrrW0GmNx}UGu{gU?OdW0Ke#8i~p8fSrf3-4K zM&vIX@t$Q*b@o?r1ZvFDF+#tjjNYAx1X8kc*ucd|E> zWW4^uNcy$z+9wkB5VmVQvy8hRs;my>YHs){lYP6!IB*`GV8+_3kt`DkV7p92P0htQ z_bm!u%GXc2>q-jd)+?t-c|B?P`l)k8nUEMpFILLc#M*ZHEQv}_8zQg4$9gNo z2Si|xyCMh|-ao}6<#>el(0l8gh@vTKXC%gu)4W5e-%#Wz?eXww5IelyaDA)TC|55n zCza2NjIaFCpe3b`vUx{Q!D(SFhSR=ViSAB15&G>PIZFB8ibhMR?vs>1VJJ(VeKA38 zzPaZ~dbA`^I#YwIxbmPgzMV$z9pd%ioGdy2J3NjrU9eYyl~PYN7Gb@T7e!6uue zoSQRNi9Ob))DP(Uqzc$Gm&YsjdDFp`lVIp7NK=t^@g}YJ<)qCHJg_EVRa!5|j%61i z|BH$sT!UEQjcUN0Zat)p*(=8`u{dHgtP|gKW1_dj?7hP3x4N5Nk$EaGuZ6|(>So-n zGn0Uaj*8F`v0#d?3;WV~3O_A(Q(Pau)nxJZvSu@g*@iQB0g$&4KXyIFPS&Tj$o_%m zuQq3{1nUPegg;W|pWt_f!;GrbOy1e388`pDczXO3XZFL}2X;Lkp+)kSUNbbq+n&2g zlYM3+d;kgx1f1WB9JYxKT(_dlP1V!_VL+b9QHRIrjJ3XFg`W-Y>Q-EpUmDSw;s&(1 zWF(B|oVe$-jFlyiR!a-S)L)JCI{FAAFotUta$}1$3Lq~>-YnlWKik^=@^)J;;OId3 zfcpeNqjbLU0*5}HNlKjp&u|{PqGRTL{D9_b72e5X$#TQPK%?g8!**Y<$=0&P>L6Ko zZQ^9Ib!1``t~TXH9Vv^v5|}$;ecrexkU>x}cXV|0V!BlTkXL8gg6U{RG?BT*P~0hY zI`>^&&S_}!OfA(|Aey;VtWHT1Z%1}w>6X6l{^93gtE7=5f98(;g3r2D_bWi?I%fw9 zUg^^b(>Aypq)f_(?%k#0qPt7QUg2)GFc&9wiEnAj9_jq?q4`4A?X23QD6RJ)(2L<4 zV-IPn_eU>}jz&7tqFgTfeShI>-7SNx`0}$$9tFnecJr(6-G82&_i%>j@^einzF0Lj z%EO$_I5$Fc&+9Qh=`fe*?Bzj%X}p4#w#t?2mDl;qC&p~oSmK^^ETTC#PmCe5rLYhRGm_JZ=gL`XwcFfAiL`W3A)0LeAim)48?2^v#4H8D zcbON1BPwp^L&VN4E3A(gEY2N_h??g1q{I&jj9oQ0*!tEJi)c$}6lAjKJKWd^pES_~ zZ#k@Gm7A^TCuf6zPjLQQ9?3RRIzTXuR+#EiGRVcZ({=$it24d=ZmW@1D~iW}*9X_7 zJ=d~D`cx#*qk#=|ZD7moT&y^Cp;}cF+8fbookUA@x zd5{JsLHD=~+-EG0U7bl0alX?>qiS07DKHeb1?;2(2jtd;DwS=e^VgDwM(^$=z$WuN z&54){#4j2=vbfeXC(q_fqSE=Dice`z+Gr%CcK7H64}4e&6g0Km?i3t6>Jt$g~J>IVFsMn9)KBpZTh6>zGSykF{@{NrSokNfS@RY zP){*@@{-2=)JFmx(5rvw7d|l+nysS&J8`-!))Vvgcn8?LKHax8#YrroROm6Za~t?P zlKn@CvdDF9_U$(ZNwCQpPpL$<1l1{8@8^Yh+hx*vTaX!1;)1oOOZ4;xhwLjvLA{-h zkLQ_*{YM5g#2RV5s;t>eo(@PBnEF;gRD!De_lIK8Xb!8oq^TB5zLt`!gwOOUMnO`_ zrf!%HosDsCpXNlG<%CL#tbAl?|8M;z@SVry4n1R+EBMS!7K!*f?d01)|?6 zH+{7X*{OUWc=IglcN=Frj=bO(z^(nY9vS%PYwhKDdXga*Nr#oMLy_N*wC%{_6 zA^IGrs-PvC$xx%-Qa-jhReNp9@TficY5MTZJjK59;$*okn76|SGz^dGeO*uMF7v%} zg-+Bys}znDig;>Hc^2FLm|CT%)98hypCpxNl#{F;J5=RmK3%dB)f0ked*PI$4-_cy zob{2VY2Ri2^_&WsN{Z-kw{NeF;M9~PX=906u^X2xpVczm#hHPE_=KCa4wWeRcm*w= z(~p?QgCB_fd29uwWsJ+H&TV|wEXm!^S=;I@`nnm@Z(-jExi0TiwEenXjF_mLW@28R z5b>cHxbT3MSjUKWdPx)y_~sNrMd@1^9_X|Pb|kCnm~EFqRMYA(_H`Y!csr_YG>9iL ztiAP|gw}2>E!<62jrqcULv;(H7?DU%;3g|TXX$K6{C6$@PrD0Bp`s(KhEaF>3Kwdb z+>6y48AR>%6kk9Tak$|zJLh-j?`?g#r@iH~zWgAX{2^6S+f>Y2jaY;RGS|NiuL4TN zZ=G?>P#69XpWQpWvs)meQJ83^QG&eRgqJ)*`nGcjlQ%0pZvU{O0Z9^$w$2jiaF;&J z_mxvuJ9MnlUL^T}-c}N%ucuJnJDwV6BFcF7b`HCKo3LZAR%B(+PiKAATB14H8S3sG z^iJ2)F56wY@X`45&-`CX9W|3&a-YbWkDpum(21g3eNH33CX0*TrW$*9!P@L_ahz1p z6Ind>yijXtA8iKz=#X@b@&xCiZh=0Vl*T@7QIl5G`MY#;y_NWg%!!*iGVrzaREq)J zCxuBdKCD`jBt}=L&?>xAn1Z40Qk7NoTpKD>vm+n=$2Ve-BHR54wJ+?AC0HNffM0qyhZwycHaK|VopndRn=rfGR#PFBV?ub zvemDuvt)kf<0^Wl$iW~qmm&KF>w55DlyNErwS`tbc*z{JV-H4l;bZ2yxLQSf`M4$jGMT>m9k0G7_>%ZW)9wyJaF90#Q+?#{6B*)UbJIG;jz+nW zr{3j~Q9XGl;(knc{Vws;SqstJ0n6wD`|c2q{=lwD!4bzJi>tyTFC`tj~$oR84vkF@~xJv_xOg#-UXl~lXF#|(o%+vkoH@l|E?kbbXrPD~UZu0q+ znv&u|d7{huyE2iC+C)UWlSGJ>uIJn_S>g$F@-ExcA_qg^;TWZL5bhhCwD<6qmPlp< z`T!(yK%96K56=WVL*@u;#zj%R#)1c)ar~;xXw|G~ zP&6O}*1r57vBF=Fl8;i9v&n;7L3{JD|7XYwgrZP^v%kXNt5BWig^+bgQ0+~b??SI3 z>9LbTASY#c*6Ke3cBs~W2kaOs*+`YQkuZmcZkkwmko3s(r+1Y=0F2{NR8yg>9z{q| z>n6bgfhw`mM-o^?5%#Zgo-`W@5F*>C4Dl5-j;u^+ADbKj{8=q-+~A8`$XT@75pGT? zbR>|-OAg}>NXRjS%phMgcQAw`loA{xlg5jXJq z(*6-2j2qC-rFcH=}ppG4KuY zkFaYsPsjh1vRq*R&8Od*T%2R-V7NBQL4nt28`8xv0Ju{xuk$Q^|Hz$v$nKE}$fEGl zc-NfG0w43Yl9>SlyyQ5m%K(ANJ$%xKAo%~V=^SFbZGDtxV8cwdSmW z{|tVj2r8gS*(}=sE_E{WPr3HrKu4ahd`t#S8d70M0cxF(h#iExo3j9Y!*Gq?S0J*o zx1IJ@Poa!n52y}hiLPk3sIq`T&R%V2{a4)I+7{`#C|I=wl${*b{sqLiZ+G_%DF5cX z>w7!Zk;*s95du`n-_atJGn9eNZXAm^9}>;2Kt&2Oh+s zvmj985)Fq3Fe9m5zlWfOf9MHxo6fX2eG z;=ePZKfsifl>AbtO8v3oZIkzQ`O=+Q8gykqNWaD=BnKq)SR#twe=9RqfWGif4kSU$ z_r%4W9c|MBm{;$;ZKBjT`*-rfEE%YE6#4Szfj5R5zW@`{N7|0Sv%{tG$~LUbb&wAL zX#JfCpiRbr<}}O=se1wZ0s%6U#I>pp=LiN6UH_fAHERN>Y!~N^1~(FXQZ5U~B5oyX zl+RLEr=-1?(10{{zkm~?NO5uKnCm8hX`N|BCvi>}gl-zwm6+?tfv zjtHc9h3$}>HT&*=X$|y8rH_Gn_*`ymOx#8>^`T7eF?6$SsN1%;OP}QK5uk5Pa?<>j z#~@A)IREb-BFg02If0eLViPm|PC1}^#0eDLjXt|W_lh6fO-qkw(*Xu$86Bhpyg(t4bgAC}m#4oqQg%_KD?}JqRglf>mSNs-J|`CTX#gzt9i*SpbDYC5kJD zF#^&_3_CM(WmLs+6akSR@lh3@d!=^SoE5rEzA`CWdtE)sih-MSThyK%%&?;Tr&Z+=oD_m7{M zx_|)a7oIJZZ@0&2g+z@$-Mul2ze8Wa#Cn;@;CC}h$Ka2QD%;ID5Fu_n0ega-mm%yO z^9PTb-}9n0^HR;fMXlu-d>xFCfxKXK=Cp73H;DBzI_QlFa0dP{(fp)Jpg*W(XB5?V z*q_GJl72US4jR8_0Cd3+HU&}B+qeS_Trp3s6c)5!PHJ_1XXtFTL<~sR=PLnn?XsX4 zHTvEm6VT$52q-0bHS!s3qnu($r~*h*em-Ys4BX1b{49CBhv{CVkoS!nA8r`0KVUUT z>1zI_@F{Kc*8mGuvbz4u#$( zAlW7jD}xu?N4cE@vFpb%4JIC#GRj3QCPmX7Ii5fol>WfjnAsw^_d}`~&?``6oXiLE zTMXg|PSVQmso#xv{%O4b)9=QEK;!ri&?7lsbUI-&v3f;?x9)Q)>Sbl{?kmg)OqB6g z??u8K>OQ)Q(#_HW1CB%U^-lyt{k|(aHblQe66&RkyOya7B+CV0a3$u0YcOhV3 z1O3+qUSc*g%tlrEh>$wF+y+3Vo?*y@UCSBq6}1rlH8#M)(tO+XUxbVTy_?W3+`d8h zs*?29*!&i%@jk?##)0lojf(-Z2~P%DzP$*3Ft3{6(laNi^sK4_FMac!DKmoT_IDt~Ve7R@EeMe1mN&rFniJ z^YP=i5~ILWN9Z{#-X*wM3AOA;hAn0MkLJJ>c-GzaT^jU5A?jcDPlWi}RCnNd%~a9+ z^`Rk#AS&WC8M)iZ@aSaOGHWcf9J{-n>M4h3FOfxnSng|1=O6Wy#lyvs1WO8}4`Z`3 zQA%D}wt$KT>~P#Tpg?w$lZd%D2!3Dgh+UY0Nj$-{(XS(B7|4Ewt$Luri_aAV`DU$D z@ur269Lzv~BFqy783{N-K+n;NHoh@ps1PJG!hOz`Hz5wAOCUf?O{M%1l-9Nzm%Qx;@9c@p^%BewW z9mXQ_dSB!q_HPtvR7ai~Uq)a55-c5jYgH7DrIt;$#*8{w|A$p7w=eE|D=Eos=^qbc z>`Q9*3kONWvZF{$&^~G1e~SB%7(S-%;b@et#g z0?{6(oz{*`hEO1`sR~7;y>9tyiJDMSZg-xlrTzlxdY^H#RpQB;*rqDslKMEbs*i<> zH(y_b?f8B!7z=jFPDn(Td}39W@l2PX<%!OLVXpM}yv^Cw77GyQpo zZ6a`*O24WlF2o6)3Ywe`1z9Jp{RG5Ii^NCrqU)%E| z-bY_gtuZTTyn26u#T4K0iokvZaup|x*XO%CZ>CA$!i93Dz3a=9G4!*FCW7*Mc@S^M zVP$N`NG)cy8a>{cT*Fs3=)ytgq~jWvx&-8JFY7E$2<(njB6k`y?RO2njS9n>?S3d| zOVU*2j7QFuRBEq&d3TNN(hVD%kl`1mvcgf~vlq-ACV6jP?5+920+ze(V&2}&eF>tB znAR#;f#r~}m6xn#0$!`6H)5z(?-octj$BK}iR3^jh$uZFBp4se@$;u>x(H14x+EE- z7_S*%s!8t(<7n7e-hEp7*{If*IiW4h2ywYoXo^B}+Jnp>pM2{;ZqFd$D#9fdf6n4L z+~-l;<9U{i`J!Wa`0&=qcAd*b-MWH-9&M?J|AjnqFiZHUD9v<)i%+?uLEYV((w|TI zuV$c^3y0K9zk(3jg(}cXQ&AA9J+qH`AP*AH0d~R7HdUFH?;sdn_>MtV1JCJ-7>Z37 zhIk)siTr{t5sa2!hThO7FQPQpzgen{JlYt0%A8whw)aHdhjTh={+rZEOJ0V@cZ|pa#ZQ=f35Mq@z1Tanjc+{sW)!P)Bf;Ss|~2d5muxvg*jijqLw|D0*L)z zYpxHWP!YF)4%Hkxhy zOYq-d;ZHYV4svAU1)8XuXPH3?UfoqaYMmuU4c4D^7PiqZ%waL&M2HnxNn>k~t}>N8 zsPh=?tp1Pj`;C#>|Xxye?v0go4MCgR26~?7v5Q4*M+QXVZi1vPeLV z=)%fH@N!^&L7iM|E~G=zZH*4;QD*~{)LNvW5)m1`~982q!%YA z`WN^H5YCEu+8^>pw#p1 zX+DS}0bN>Q--M4{HoRK7^&4BQ-lYsXT0)JskT4>fI}oMzuZsx5l8--vjZgqTvVrz* z!GG@>{#WsZsARRj#t&rY{sp)rE4laoTknR~!G{0;vZ#D0K%i28v`(HNQ~PrWXq|k= zLf|YM}MQsq#26j^ft3=4E-jdAQ=>7yY#A;`vl!uogly_Y)0;R{>brp zY_vMjh{$u0GkrxCisjj!*>)+@!q@WlQOCWZaveU6bk=UsZjiG$*V9ts3X(qp06#z9 z6+!t%If)DYHef=n$KvIWuJ=D-0lJH(ACZFbfF1f9Ne)!ANfEWWEc1V=<`cVg{q_#C9>`)+qL?&p>AiCMiE|p08ks9; zgy)bN1vhml{xiXy$jY+s;zzvzpavO|xn34V9anl7Q%vws zZ|BKVGUHz_35s1KR(Pd9Wha+ab}QCFANlL&w1(p;wy!ATRwj2r+k|a;wFhNv_|)Qe zA)VPJB(_$%L~h~2PDJ(C(FJE@plQUl5 zXQOvyAPWB>^u#{~LDQr|=Q-qV0r60gAAIVYqO8VPPaA6_yEUGnj`=K% znkq-*(BsU1zkemKJ;3GpwMCiMgPbQB=CClTj*4MlT?XEw5Wok=0>J4ll{<5|61393 zssXo%8px&&I^TYer#^l1kWcE&%CifrE_aY{`v7fy_Vx7wtIK1YYjtY zwmxkD$TQ3%(3nf?o9RM~lsqc(33L4S@M>xCI9FFx9R((tw1)-lQC z`<+rr@!6Ctt((RIxDh5Q;q$zPv!`D_gX5TYytagXDM5pjHy~k{wc3Fc!fpiGWS(8! z+ap5sf!UX@s@eFtcmp@aPJ}GyTa#r3EHg8#`yn74EojAm>XJf)Fu7C~A8g+H@h$xB z%{C3**7fDsp!?(&4NoVbCfxpcW1Io^KG7ezRZOLbsRuZz*a?n&4KEVV$<0E|m_M#qwS@!pG3Gu$ zn5Ny+O1m>ChR5lpHd<(~Tr!3)_3R6S{4bofceq_|E9r|rzkoHbG|{edJ$hHjBN@c~ ztyo=o_z+|e4X@9?SM{gpl~tLT5gilc!_N@-eS{}IWC5=)Q}C*KVoIdS6Z$Pr1hlmBP-+ z@d~Xl;bU)}FEpc$^tSt9#F8K)Do5k7^=dekGG1*zZl<<+U!fcPG$5hNmZo>6JY&tb zOKbH|WUcbcl>gE0`VqOX7~TwEi<(c@H;>)sjf}1??x+M*vnDWo>?w4W9Xrj7vAY4b zM}!PYMM%A5xsQ}{`|k6CI>;phkmtfqwd<`*`NUtWQ)rDd$k889^Q6T`V@DGfAWgB8 z*wkGpEgv5+FF*be{rG4mSOnH=^}TM426rGofcvf}p=#bo*eS(ib&SZh5`+#B;&!}; z&Ag&561TJZ=ARg8$V{>fQZuc^;sL{F<8qZRZOL?R$FSL=TQghR?ahu@&J)}cxnzB7 z7KE1iOtP|NiRSzz6P5@WFkTLIyxJ;b>JZJ(6yy&Zg(!~SB$*w^6!O2}?G{sMgk+6b z1tCT8tPT*z;TIg_?s8*sR7`SLU;``6rWj3+-YQ+?~-sKea|2qJt#kryn%*+ww{nfHE8gq{B|ZJWDDJjrOjHINCcT^fUtZ4>@2 z<;4kW$5-XFuqCBi1;(LnD15n@;QOJ!6CjgYaCbjI=5(gz#)pUjb_Gb`Sas*OtPBy> zUw9^y2X7z(oa+3NWL#vA8;ZtJn!`YEkxtErDzV_9|1R0~;twJ}5Mb@0M3m(8xXQOT zVE!UNfKa6q?y9Ies+8UlQI&QWz=tKX;0OY25R{n$TgR=~HkuOebOEa1V|+9;yql>1 z7XWZ2|3;~(?a80Qph6Hq6N-bCO`~=thue$ZhN41(F98a5`z7E_P#GFx0;8DP0L+g4 zyxq^D->@(Mlz9EdOU&~`aHo3BeyQrWc3G-FAHN02@&jRvA0{A+ z;8_a^Ax+q;^c|pPZ>qOEIrHdNA=w~goldAnmCPN+Eej4;hAWA)LzgvaQ}wAZKuaKo z?Y;L0g`;pau#ZU;tFv`XUgh_Dkp70pCGCG3(4;b`0WhCU`{DUez-s)^1!4)lUP1`2 zbVYL0qc`DyQAFk%;sF9DMJ`AN87ot~3!`#vM+CrA@FFs|W`B@`s zZ?e3UOibGVHUy7Yd%#Hu?L|R0?D}*tHvQlz;|f%f7Q~wCD$u~G22@+_0`5cv_a1*l z=}VONN!k+4ET8LaY-KQG8?dWl8;$=%S^pmj0-@e-khZ|mNMp%<_QRg-R zyOe~cNV`FHcOVM$9MzQ#ZChk8EjS1X>@fthnH~^4(*)-Jzh@j!oQVjpWL!iw9?DDJ zL%*T{){?E~M*nwkEy|r9^;`^fqH_hy>*NVBWQ_<3&ZYa`*_Vj~2_44VL#4X3A8t|z z+7R6j(m=nFgGN`HXmk8~xD5nfGST?6j22LLIqTV8d6&Jbr>G%5~h&59fzR6Yl-L zO0GN{%C(J4%5u_}BC-zVpu?GI!-$Y|B!iMAvXvGj4vnSGd|8Ur&_R}(DJsh+F@$6- zGfb&06*+CFL}hECk?q{iJ9T~E_vd$A?;r1Vz1RCZ_jBL(^W69Q-oN{&7h$Yw5=G!O z8kKrC#!34ea#53k-)BiTAJqpO64||JlXY)?>`(<3|7lQ#@GCsP3noF|cl-=4W0>_@$qZVFhUSCe||D^)e+BJn}+kn zS2b!?22`HYlVA4T3KZX!BDeD(uc*I^68T-ZkwuYx$`eQz>+`a6uKe|3)J5k)p>k#d z>7-uY0q;7a;+|ryHoY|8d#sl1+Nk0y&{_!!3ecS{uTnhlj z@X*+>H5wXm)-u{Ddpp=Fn&M1e>V9&OnLWM{zPR?CV!vVg8RI*PuK!ke*8f$*k;tn@ z$5krFUi`MNKRU}1ZR$)Lf$Y*(SjX`gDulMDHpvb&vS&2LPKR~-tImIMf~t~-zLL?G zL0-wJ8yMhKt;=W5d+cgv+s<9xlhp@1mkt(ZS`I3n>mD~KeU&74xoOSm0s*o4*YI=A z96KKk+lveIv>E#Q#00Xo)ko5Gr`O!H;mt&+5uGfHdcmhB#Z zYft#qmY(avc*NO>m$+dgj`*X-3q31Kk~Hf52c&}CtL|uaxsiQ#etaGtV<>9;wbk~- z=R8;LF2T?pv%7z3Y11$E=FzhT|LhwzDx#l=&T$kT#Sc8-NH^GLdGjy)NUwTTo zdO_-?SdLn?AHck**=yBz(F5Om1h-e-;!O6h3LCy|R4aC5ONes_p^PhzyW+?vlt_85 z-h&@|R;F8#-s_LJ4wC8BaGisu!Rq1sD6<6alf*%F})Id5iMOYn{iG`Dp zb!oYCw?tpvQO9nH!<#FY1Z9@u^F_@r_f0SY%PTT+dlOrrjm4ZRl2PXB-M#d_Zp5gT z9=pzJwDkLSMQ37=v)=Pc*?WE4O25zj_)|=zW{VgeeqnV!@=?*kx%}ni)9lyg<(4Lg zpP4w*!c+kPc0HkTh@7T2L}Obf-`q}M%nCj@d3!oPeUr-j4f%ZEa{HK%-<~U&24qu+H&=WqB;Ves-bm)fY$<@Oxf}+US@*DjAxsvfckM7z9@}u5;UM=evwBt+8m5;wRcS$!F+VoNcEJYNs1S_G|Sk-lg zmJpOVEi19_iUKpO^@2;5K3Z9ATP+yXGawenqXe*e%j_8y%W&m&nANl zi4m=Wob1if1~xR6yg(+G{JX}np$_BMb~5pt@aH7nDJ5}-U4}Ld1(PoFp9wE3rteP- z4`}Wc!VV`!l-)>P9|LI%}j4=7MVrP%&&Y1=(^D=; zgps|gYuE)Xw-n6H%T(ZuQIJul+aXqi5Op|XLQYjSJYDlKrh`R^*U~q23&0OJrgOfP z7#aIWKzIghAlbRU0j1*o2o;s3ecU0lDS*2QigPlDYOA*}Yr7Av*QIf(@DKxQU?Th% z+GH4IUywVs$NEL0Va!Ee;lZQEqssL``?*;Xw)`|lrf;T@9U&Vi5Q3%lEw>P5SVL0g zHt^OTi;p=70PvtD42tOy!YIwUD9JKI_H(B~l-5h=$g{iMB20~%TkLrG7`;Rpgw@6s zZ|7jvb#T(8Nb0|`L?RG#b)nikoSe>vX%7%ViW?g(G(!!9h?cb{MR505bI&yZ_ryvR zt@rQ>Z3N*{p+e3FO<1bZlK36!ixS~8$C&8E(!%^`0}Lq$kGN&9ftEm54HLYal(|~5BO%`n250u+m$dS zbSuEgJD}mFkmaUME!l4&N>fKFyym1ZA2MA@?)PuNqJjLK(yYeRQ!IbC|wg1kOTsT-~n2JvK>bd zaBd^VYn7w|73@v$qGQV<<}%^LtPJzlg?axJruChMq!A{X&I>VSc*%v3GR1-|g(?hQ zxt*4Pp0RAfSL(CFT8aHQu=u=;bty(wqf9d|dz5sTR(6CU3EH6E4i>du?_$xl?A)J< zaN3y;ym^S6;pYV;CXURBn@NBCgg;>q&cmYh{rokNE|6k`w>NFJG=&NJFE$BBYwiq7)z*>Hh_kN&Xr|Mjlhcg5`Q$ z6!9{Zq@Y`6%w|YK!pqzTC`$^-j#HQq{SdQX2HY=EEcr2JQ(c5I!thSi+iu`66G9ji zVUhew*ktnJm+Z9{nGwJk3>hmDrjrtY{8cBL@FB16j0Z9oT=Gafrr)h#PLi}qmV+q6 z0&W>As3h#cPhr%MFgV*Oi~lH$*uNGDv*gTUEKApw0AZv)AeS;HgD{<^i8C0vjXZ*K z$uDKwYb`RB6hDWOX|C!)^zP%t`_x40UMDtcf;6xR%v!+> This script will require sudo for certain commands + +The password option is the *secret* password key, with which the disk will be encrypted, you will need to pass it to launch the VM. + ```shell -bash ./build_debian_image.sh -o ~/destination-image.img --password your-password -r $ROOT_DIR +bash ./build_debian_image.sh --rootfs-dir $ROOT_DIR -o ~/destination-image.img --password your-password ``` -> If you need debuging you can pass the -x option to bash before the script name +> Tip: To debug the image creation, pass the `-x` option to bash in front of the script name ## To test and further customise you image you can also boot it inside qemu ```shell diff --git a/examples/example_confidential_image/setup_debian_rootfs.sh b/examples/example_confidential_image/setup_debian_rootfs.sh index f87683569..e3d320b1b 100644 --- a/examples/example_confidential_image/setup_debian_rootfs.sh +++ b/examples/example_confidential_image/setup_debian_rootfs.sh @@ -106,9 +106,9 @@ update-initramfs -u # Generate system SSH keys ssh-keygen -A -# Example to add a sudo user -useradd -m -s /bin/bash username -echo 'username:password' | chpasswd -usermod -aG sudo username +### Example to add a user with sudo right +#useradd -m -s /bin/bash username +#echo 'username:password' | chpasswd +#usermod -aG sudo username umount /tmp \ No newline at end of file