From a0773f783cfb3cfab8cbbeffb6449159754d785e Mon Sep 17 00:00:00 2001 From: Andrey Smirnov Date: Thu, 25 May 2023 20:10:29 +0400 Subject: [PATCH] chore: add ukify Go script This is a port of ukify.py and systemd-measure from systemd. This requires no actual TPM to be present to calculate the PCR signatures. Signed-off-by: Andrey Smirnov Signed-off-by: Noel Georgi --- .dockerignore | 1 + Dockerfile | 62 +++- Makefile | 10 +- go.work | 1 + hack/ukify/assets/sidero.bmp | Bin 0 -> 590538 bytes hack/ukify/constants/constants.go | 49 +++ hack/ukify/gen-certs/main.go | 82 +++++ hack/ukify/go.mod | 29 ++ hack/ukify/go.sum | 300 +++++++++++++++++ hack/ukify/main.go | 308 ++++++++++++++++++ hack/ukify/measure/measure.go | 259 +++++++++++++++ hack/ukify/measure/measure_test.go | 163 +++++++++ .../measure/testdata/pcr-signing-key.pem | 51 +++ .../v1alpha1/v1alpha1_sequencer_tasks.go | 11 +- pkg/machinery/constants/constants.go | 9 + 15 files changed, 1319 insertions(+), 16 deletions(-) create mode 100644 hack/ukify/assets/sidero.bmp create mode 100644 hack/ukify/constants/constants.go create mode 100644 hack/ukify/gen-certs/main.go create mode 100644 hack/ukify/go.mod create mode 100644 hack/ukify/go.sum create mode 100644 hack/ukify/main.go create mode 100644 hack/ukify/measure/measure.go create mode 100644 hack/ukify/measure/measure_test.go create mode 100644 hack/ukify/measure/testdata/pcr-signing-key.pem diff --git a/.dockerignore b/.dockerignore index a0da21d4b..cd8b2e2b2 100644 --- a/.dockerignore +++ b/.dockerignore @@ -14,3 +14,4 @@ !prototool.yaml !README.md !CONTRIBUTING.md +!_out/uki-certs diff --git a/Dockerfile b/Dockerfile index b65c5d123..683f82534 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -29,6 +29,14 @@ FROM ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub FROM --platform=amd64 ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub-amd64 FROM --platform=arm64 ghcr.io/siderolabs/grub:${PKGS} AS pkg-grub-arm64 +FROM ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub +FROM --platform=amd64 ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub-amd64 +FROM --platform=arm64 ghcr.io/siderolabs/sd-stub:${PKGS} AS pkg-sd-stub-arm64 + +FROM ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot +FROM --platform=amd64 ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot-amd64 +FROM --platform=arm64 ghcr.io/siderolabs/sd-boot:${PKGS} AS pkg-sd-boot-arm64 + FROM --platform=amd64 ghcr.io/siderolabs/iptables:${PKGS} AS pkg-iptables-amd64 FROM --platform=arm64 ghcr.io/siderolabs/iptables:${PKGS} AS pkg-iptables-arm64 @@ -91,6 +99,7 @@ FROM --platform=${BUILDPLATFORM} $IMPORTVET as importvet FROM --platform=${BUILDPLATFORM} $TOOLS AS tools ENV PATH /toolchain/bin:/toolchain/go/bin +ENV LD_LIBRARY_PATH /toolchain/lib RUN ["/toolchain/bin/mkdir", "/bin", "/tmp"] RUN ["/toolchain/bin/ln", "-svf", "/toolchain/bin/bash", "/bin/sh"] RUN ["/toolchain/bin/ln", "-svf", "/toolchain/etc/ssl", "/etc/ssl"] @@ -135,6 +144,15 @@ RUN --mount=type=cache,target=/.cache cd /go/src/github.com/siderolabs/structpro && go build -o structprotogen . \ && mv structprotogen /toolchain/go/bin/ COPY --from=importvet /importvet /toolchain/go/bin/importvet +COPY ./hack/ukify /go/src/github.com/siderolabs/ukify +RUN --mount=type=cache,target=/.cache \ + --mount=type=bind,source=pkg,target=/go/src/github.com/pkg \ + cd /go/src/github.com/siderolabs/ukify \ + && CGO_ENABLED=1 go test ./... \ + && go build -o gen-uki-certs ./gen-certs \ + && CGO_ENABLED=1 go build -o ukify . \ + && mv gen-uki-certs /toolchain/go/bin/ \ + && mv ukify /toolchain/go/bin/ # The build target creates a container that will be used to build Talos source # code. 
@@ -444,7 +462,7 @@ COPY --from=talosctl-freebsd-arm64-build /talosctl-freebsd-arm64 /talosctl-freeb FROM scratch AS talosctl-windows-amd64 COPY --from=talosctl-windows-amd64-build /talosctl-windows-amd64.exe /talosctl-windows-amd64.exe -FROM --platform=${BUILDPLATFORM} talosctl-${TARGETOS}-${TARGETARCH} AS talosctl-platform +FROM --platform=${BUILDPLATFORM} talosctl-${TARGETOS}-${TARGETARCH} AS talosctl-targetarch FROM scratch AS talosctl-all COPY --from=talosctl-linux-amd64 / / @@ -843,7 +861,6 @@ FROM scratch AS integration-test-provision-linux COPY --from=integration-test-provision-linux-build /src/integration.test /integration-test-provision-linux-amd64 # The module-sig-verify targets builds module-sig-verify binary. - FROM build-go AS module-sig-verify-linux-build ARG GO_BUILDFLAGS ARG GO_LDFLAGS 
@@ -857,8 +874,45 @@ RUN --mount=type=cache,target=/.cache GOOS=linux GOARCH=amd64 GOAMD64=${GOAMD64} FROM scratch AS module-sig-verify-linux COPY --from=module-sig-verify-linux-build /src/module-sig-verify/module-sig-verify /module-sig-verify-linux-amd64 -# The lint target performs linting on the source code. +FROM --platform=${BUILDPLATFORM} tools AS gen-uki-certs +RUN gen-uki-certs +FROM scratch as uki-certs +COPY --from=gen-uki-certs /_out / + +FROM --platform=${BUILDPLATFORM} tools AS uki-build-amd64 +WORKDIR /build +COPY --from=pkg-sd-stub-amd64 / _out/ +COPY --from=pkg-sd-boot-amd64 / _out/ +COPY --from=pkg-kernel-amd64 /boot/vmlinuz _out/vmlinuz-amd64 +COPY --from=initramfs-archive-amd64 /initramfs.xz _out/initramfs-amd64.xz +COPY _out/uki-certs _out/uki-certs +RUN ukify + +FROM scratch AS uki-amd64 +COPY --from=uki-build-amd64 /build/_out/systemd-bootx64.efi.signed /systemd-bootx64.efi.signed +COPY --from=uki-build-amd64 /build/_out/vmlinuz.efi /vmlinuz-amd64.signed.efi + +FROM --platform=${BUILDPLATFORM} tools AS uki-build-arm64 +WORKDIR /build +COPY --from=pkg-sd-stub-arm64 / _out/ +COPY --from=pkg-sd-boot-arm64 / _out/ +COPY --from=pkg-kernel-arm64 /boot/vmlinuz _out/vmlinuz-arm64 +COPY --from=initramfs-archive-arm64 /initramfs.xz _out/initramfs-arm64.xz +COPY _out/uki-certs _out/uki-certs +RUN ukify \ + -sd-stub _out/linuxaa64.efi.stub \ + -sd-boot _out/systemd-bootaa64.efi \ + -kernel _out/vmlinuz-arm64 \ + -initrd _out/initramfs-arm64.xz + +FROM scratch AS uki-arm64 +COPY --from=uki-build-arm64 /build/_out/systemd-bootaa64.efi.signed /systemd-bootaa64.efi.signed +COPY --from=uki-build-arm64 /build/_out/vmlinuz.efi /vmlinuz-arm64.signed.efi + +FROM --platform=${BUILDPLATFORM} uki-${TARGETARCH} AS uki + +# The lint target performs linting on the source code. FROM base AS lint-go COPY .golangci.yml . ENV GOGC 50 
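Review bot: `COPY _out/uki-certs _out/uki-certs` in the `uki-build-amd64` and `uki-build-arm64` stages copies the private signing keys from the build context into those stage layers, and the `.dockerignore` change in this commit (`!_out/uki-certs`) makes that directory part of the context for every build; the keys stay out of the final `uki-*` images, which are `FROM scratch` and copy only the `.efi` files, but nothing in the Dockerfile says that only the throwaway keys from `gen-uki-certs` belong there. I would put that contract next to the stage: `# _out/uki-certs holds build-time test keys produced by gen-uki-certs; production signing keys must never be placed here`. Two smaller points in the same hunk: `FROM scratch as uki-certs` uses lowercase `as` while every other stage in the file uses `AS`, and the amd64 stage runs a bare `RUN ukify` while the arm64 stage passes `-sd-stub`, `-sd-boot`, `-kernel` and `-initrd` explicitly, so the amd64 build depends on defaults defined in `hack/ukify/main.go` that are not visible in this hunk; spelling them out on both sides would keep the two stages symmetric.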
@@ -921,7 +975,7 @@ FROM base AS docs-build ARG TARGETOS ARG TARGETARCH WORKDIR /src -COPY --from=talosctl-platform /talosctl-${TARGETOS}-${TARGETARCH} /bin/talosctl +COPY --from=talosctl-targetarch /talosctl-${TARGETOS}-${TARGETARCH} /bin/talosctl RUN env HOME=/home/user TAG=latest /bin/talosctl docs --config /tmp \ && env HOME=/home/user TAG=latest /bin/talosctl docs --cli /tmp COPY ./pkg/machinery/config/types/v1alpha1/schemas/ /tmp/schemas/ diff --git a/Makefile b/Makefile index 13261f988..b1361d3bc 100644 --- a/Makefile +++ b/Makefile @@ -13,7 +13,7 @@ DOCKER_LOGIN_ENABLED ?= true NAME = Talos ARTIFACTS := _out -TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-alpha.0-11-g88ebb40 +TOOLS ?= ghcr.io/siderolabs/tools:v1.5.0-alpha.0-12-g150efc2 PKGS ?= v1.5.0-alpha.0-20-g97177be EXTRAS ?= v1.5.0-alpha.0 # renovate: datasource=github-tags depName=golang/go @@ -285,7 +285,13 @@ talosctl-windows-amd64: @$(MAKE) local-talosctl-windows-amd64 DEST=$(ARTIFACTS) PUSH=false NAME=Client talosctl: - @$(MAKE) local-talosctl-platform DEST=$(ARTIFACTS) + @$(MAKE) local-talosctl-targetarch DEST=$(ARTIFACTS) + +uki-certs: + @$(MAKE) local-uki-certs DEST=$(ARTIFACTS)/uki-certs + +uki: + @$(MAKE) local-uki DEST=$(ARTIFACTS) image-%: ## Builds the specified image. Valid options are aws, azure, digital-ocean, gcp, and vmware (e.g. image-aws) @docker pull $(REGISTRY_AND_USERNAME)/imager:$(IMAGE_TAG) diff --git a/go.work b/go.work index 2acb29f8c..0b2fb749f 100644 --- a/go.work +++ b/go.work @@ -7,5 +7,6 @@ use ( ./hack/gotagsrewrite ./hack/module-sig-verify ./hack/structprotogen + ./hack/ukify ./pkg/machinery ) 
diff --git a/hack/ukify/assets/sidero.bmp b/hack/ukify/assets/sidero.bmp new file mode 100644 index 0000000000000000000000000000000000000000..c4e74ced296dbba0c9c0beec049242cb994d39fd GIT binary patch literal 590538 zcmeF42bdhinf_a=EUoe;tv2T@ktC2vB7=z%$pM3Lwl5gtjKiIMUdO*P$J(3^9I(#; z9Iy?BvyBgIY=SWcY-~)90--GJ%+9Xn|9g99@UU!{?yj1h(N;bCK0Q0r_0{*iRrPjt zb#?bqr`%RF*Hii=ct5ykn&*8EO!Mlz>HL2rzc==HKKM74lAbsGr~i{j9lzn?^e@?N zXJor$fc@&a;$B^Md|F*cY(ZT|d?k1d_&m4)+y|Zm10b0J{l5v^4Xyx@+fM0s6j{|pe?nYy06USq>Huf8L`puRn}JSuA2 z2g+(Y<4eHYy3Y7axGkzXEa}zNZVBz=>9u`<|#c>%U94s++{M-!H1+?Pz#=8@L?& zFOYUU4R(P97zF)bGx$6B4fr4MAt3E)$Hx4+o?Yl+?zJlnVQQb$MKOM_!~YKe#r+tF zgS{YAvnTpI#QuB0U%@xQdDyOQ=o%=h?;Hr@UZ^~jD-A!C?eBn&FMrGue`3Gu@wqli z`>gLs(57}vuigY?^R9@vll+S1m*8sfCGZ|_4mb#u*LMuetZfUfHK7O&nW?^$dg+M2 z8Hkf?>tr(bgZJ2J_!>CkTJnGr^8N^@{_Y5X-?Oi@C~&zGWsps<7D&6qZP2!<{`CF2 zj)8Kv6BTFW_v-fN(X1i*cx(A8<18{q*Wt-Pixmh5O9~=P|*R}d% zLMyR^HQKL|C`8&PQ3)@4(C0 z?gk@$n&|(>(C^l$8eY?}NBsUT)wjS!U=96iVMSZNS3OC6Y^;h( zY50fnF*AmI{yd0=Ux>eBg*4{(DGjeAuQVZOjFcNcD@?g#I>ZmM$9Pra`>%nZK4tFz zq4@_Tz3MLeeK|9p+KvIrM7xJ|>y>Odmc*X`;w#fXQ=fG__&@M&&{@+NpHb5_;MFzm z$aE{GpX-vGf4BL^;Zl6kc<44D9WWL1Sax)5cocjBG&OV$dN#-9lpzg2iES7Sf3$!! 
zd?erE`FZe5@Gh{bAy3YE)zDKK{_prT((iozUmC74PT+oOK*P@rQ|?%fR<|W|zAgPb z2B?jM<@`_BsWa)@SU#t}Z)iz)oh#5T&X2*{!5u*J1Yu(cnos>oa}$?>HMC>RXQtiD z*_N@HIM6ZpWS~Bt3+*1smAKIP&V~M*6Z1HA9fQU>!2VR#@JznN^^-tjuH%_&nOEOE z=+!mvGR}9l2AzgytvMQ38rAUO{y#7eyWa(w?Ig%&`StdOp4`kW)V9)(nSbNlL1WH; z20GugHRjHihiC9XbD3R?%Zs>Pl5O)3y_fHQwafk!*yOj{p;LRZ6R#Gz70*S z%!O`g-lVoYq4BPK{uKx_#~n7#Z1O#bPZz_-(i-N6Tld?Ubw3EQV-45V7We2JWI)#| zZw8vT&&I!8?4xnwtzcdI%H3Xdo4ISA*mN2`dOdH2n=8P6^=$*w>RCIH%j7gX>%M1H z!&77M1=RZwLD;^n^Y%BW4woKa?_92wzFW^2gJaHe%G2CylzE@9v1Xf3oct85X=)vu z)?oNrAM<$3fAtq(U*}{xW@PJEuJ^m2W7*NIT>ItR#E7I2tJCoD>-!Nnx|qJbL}PN+ z4H@BmA|p=2v+je&G`y~(A3gNvQ8!ZOyCUd-uI*_~W1?yf{d-NT*7H80^98QU`|IQK zY0NpEE`3yz=wmxBKyNEo*3*|B61Zf-R@v6W6(} z30=b)%$3XMbFLO)J$$xp)@gXw{m`6-bBv~r7gN{QgRp(QpS-VOqcu6u)`gzx8-jVZb=B~1JM z3w&*;@9dvmZ{YYjUgbFr&svv^Xn1|Me?3s++Lr_AaG3U?JlFfjfr#2PR@>10I?&wr z8^N;?{0tkPseGDS`EO7T#tL`b?`yb@>-UrP_~F=i2$=FMS9VxKF;J}eyC_NgISmg~ z_qqr7UxDtKh(i6id7Xx5T_;8~-0ue+10`&K1;X}W&A(_KM#qA2>o?4g{u<2Tdo0!d z@?pJ2Sf0}PH2?E$pnGq;?lqeO(V{$XQqT5xAZ@ddwi+v3Sj$?PChiFio5X|D@WA!I z8{Yl{a11ryS5=oz!?UiF$QrIXOwEH|$mb|)sei!rD&5B&wmXiQPiyAty9P9W@>Z}f z=yzIcwO->Y!1aUdb&UOWoSX|T18G}@xV;PiYr&XxKhY1$>oh!68;HT(CvEjvr{P)G zi4hHF{zK>VzXf4+KG;Hgd-DVKh$9&DF@%VoNtp}P&vi#>t zrPhCH4a!cCuW@DLmyTiYsp{aFGa=_x#F^9Z&}~3tHpb(zIZ>WBFj}K^8lH8XMAGnD z*6F66FZLGdG6Aybccbm|Esp1U&e~|z8Tvc=roVOpzm5ZsNAPbnpGW&nnxb=jU3V08 ze@ZUayr?f-QqvKiA$=Y%v7hc|(lJ--e@2TT?01@@e;E7>d5KP2LX_QNu@alIF(dmOdC$ zJ0G*HjrD^+&)X5NB=18YTi(=NR9wT){131?Azq| zBW(W&g8DVl{%R-E=|6yPfcFB8^-l!rQ_$yEfOmr{!EHe29LhV9{h+^Z!RFa5EitcZ zoHe{!Pr!a}22qZ=nZBvqYk>5cwIZ=OjR*VBE6A)0uZrh7)v_jyeRRIC9}r)v7q!7m zdqF?z*ddNzR9?3KC|`kV_@9V@`t+Z-^jbc@3A_V*9H?FD{P+nVo`Q0l?fyEy-PpkM zb!vG=nu!!q!|%Z#)-8yWoZ&T;*-UwX!=Ee-uj^q9KKx9ix8r-1et0?gXMw=6kC#FA z;ASb?t3kGHF`NC=7oJudKF>XEe9(MW435#HG5Lq*p_`u4x<48ti3YE%*S? 
zeTN#eXH#aj`}`Su-D(p}V?586-!%rm*+98E$B=d(%{<1uM$X9;XEsU4k(M6+d8^gr z*R`>zb6j8NIma`Y)61s#7wtpYg|6W`@0qJO(y6XvFIt+^b-|gOb1ecL{C*C&4BQ8F z-j;2f%67lMU~?7l8Z&%J`xJB=QNyp}8rU3N2P=d$X&SD!-!V`}o#~jDZ9R|N?eZbUsQ^zTtZ)luTN$kwA2X7tSSuh#G!9@iI3Xynl}LBNzWq zhKAR+>psT|)pwZgUoN5jub9V+b?UmpzqchF zXLaY0?r+z*!eVT{4xmFueARk^H`g@kTEI(r<+ql?Zg(@Z=QR>!pZ*0_#o zIv3p$(zl(&x}Lmgdb8dt&s5OxG$9QSiU zq9mu`S!;pDmVxKP$s>(y0r!KTdYIn-Va859vQ^z`?mafL$2D^4;H{tafT8$ z)t=^nD?pn2AY0Xw&X2r9+k^R~JX1--(^a;-d#~5r=D&NQ3=ZA{OpSLQ!PWudHA-?C zo^?M6tl_M)_F7jCY25S?5Tu`t+_#r&*_!W&Qq?cYt8u44SHUy0up3nimH(^2KSwvc zcIrir^Uv_SLYz4e|9viD$D^4Xf1dkaX6PQ6%+xS^pK3kjycYZjYy#52%)Fz0-oic` z{O5#?GQQ6&Bg|)POUId85B}hx~$arQxOEkK_1|>Cec|Utx}qF+nih@XMXT8m{WnGugT3F8&+A zHDCygR3EmENflTg#e*P+JKxU2ie4;vdtLMHd z%2^7I1D^+)Gs!%U(RsGk1A2`;;rr!yM94PBbv8ysX8*mos$=zKtxFiM{>J<5 zZt~WF3F|S)4zdTdR!#SOj9316zp33`33Rgj=TpfwCy_jWtD32X)FItseI zjl9c2&?+5wf5uT7OKI-<#t6P?zTgOHK%M`Nh;fUw{$n+B7UBu$yeF)#seb;72G?tx zo3BaNA*&m9D%N*_u=8M_scY18Q-Z~*{oOeH#Vtc^#pk6Xek9w+LC}7l-d}ljpY)3h z$l^bz;h{NCb8lm-dFD5$KEu@Mc-5Y=sq5-tuLJ7*;F1RJy~*`^1ILTYe-}oVKUe)0 z{L7r54pKjg?X_UMq9*OPChqmE(t47P_%R@gUR)6%OAY@u=T)U)&Z}P9!v67%>U!1w{yNtv*I9p0J6)mvoNq}! 
z0bOqlJ5Q{>bTz!sG0lBcu5^!(?iIqn<3N;q4YZDE0|@Mr@;D72oi?AF;k81VV@zvu z(5>F&jiIxR zW32sdAhuBN520)~4j-rCtG+;#wx_wg*QxE*w`AYPoQ6m46Jzz2u-|`!G59i#!|OKw zahw(t>?fU{scq0k-W^g0bp7lijltOlD?EpLYtBLbfeV1HD}FI3g2AAF8F;;&{Kw(WhTq0_&w zWK{d3ed#njR39I$ZlvQznq3oP`N%woqnBO&gY5hW3=D3-YC#<)@gVso=4-}#&@dEvl}`G z(eZHoF5Tq(w$%|oh;5j$o#s*Aq`8q{!Y$>0m%PhbzQ(T37Cb?j~dp~F&MHhlLHN;aRZf^E7ikO*Fm=1 zz2td~Y-F1vYWP%ok59IBU}L|BsnhlTbL1$9V_dZ06b{g@hfa;aM=K zxlf?;th+&&di#L5&NfBVaNXC;vxws#&I$bIMGr8x3OBEiy53NU&ku#k-hrd%dXV?CA>;lb&smvi;$1W^IA!@mWy=n)x^t)IEUpY0^RL6YsO!-4 zR_a|91Lc&h`$lz*RP!^Y+CsK=bUyK4U@-_A&I|cu!_B3M^^ajR(T z9P~Q&^ZN_yghOfg*Sy9}URP&!*PaSY!#OV;;2ykS8kT0=z&KoEsomqCpWoDXH2yKs z4@cV2{ON^_-7&9pMfUTWs$-yW!4E_F_1^UQ@-&zEzD+&fS?3;a3K{d0L1Ij`EgdJ1 z0zUzhG44*cmu-~)?_d!K62`du%9hjcaVdJ?$JF@YOK_I1lOWswX>1uNYG}<)=bVOT z&9QX({or75=omPH?~ezs1{(iq{!?p9IDg2xoQdlCZr1oUVDE+YGSLTrOxmgUG=zSR z$eUGOO@wQz6ZvTR_lDtjHAur>2`1unwBNU8<5N}3p#N?c$|wWU&1XZFH<}M&zPp$5 z&t>j=R@C|Lk?~{KY4}J|#`r&VFWhHBwuSH4w)M}@JssI3r{P)mZ|U%vYR40$p2HsW zX6v2qo&KDdo+qh$nE3=HD~j`;8f~) zE^{4Ywu7iYP=?d+EJ!?fEzbz%Js|L-~5l~rf5xH zwsB_eH|AW5Uze@^d)Quq?J(=lGs_A4S=UBx0_QX4TT-X@V4xc|6J3 z24=$74?vjuy)4^vY`Nn!JZp|4X}Gvn-`9OQ)T_qOH-@a=bes4s`IiBi9ye(p+JvrY z{s^S=2id+?bE|4Ag_2V9k>Xm%pCGZO_Z{_`W}V(?Ugyu#oQvH}A#JD22(#TvnYzw$ z4s&%&k2&%=>LoYFR?2i5o<#>pjhU9hm-=X!I{v8B@X?8mxGp8KhRdtYRa?@}xYm8o zS~nb~j+JL8I1Y>+Y{s{#YnoBk7Ji{@fBzjh8CLWAqj*t$v(nM?0j>XSF{1W)QR=Y5#9!x~kZ@F0J{f{|;#{8z1&!TleB$4=w^LIft6# zpGRd;$C>`x_>4bJ!zUnCV)9|eOw^0pO{iNo08mOZdn$VN{x_t6~e!C=C2@?{743bd~CDUcaUHlH;H{%|^$;sv~elxqQe zw*hDlD;pa@_R)P~y3YOY9DCM+;`(~V{VhXj7xH3@e@??Es0p8=j<}xF^D7Xf4W#$I zhkSZQ!vrP$<7cPgS@UdO!+9oBm$ysW@X3(%t-i0hSs|K@Ht|G(Q^l{!F!v_YB`3l>I$g5jA`> zW&Q%(05nFijqB0ybrW5~8;fLrJT?3-n}_gqw7xaocg8hbe&UBv1^ybsC;5AczwU1W zZB5M&>-c_c$a0>>#wyv#_e6Z+v<8GdUj3G}AImc8XC}733C3$5+5EOEWoLCm$H0uq zygnJG4)NWM!^a`c=V$mGJbw?_R<@JxNZARJB5L^0>pKz)8`}qGHMS?Lqk%GNItPnD zkPu(kH(xcJwV=8#spDWaIxupd|5w9()f25J)$e-eJ7s(@WH~DL1H8+NvBreAp})X+ zu0IUN>1+7;_#0;KUvXYq-?L|$eCM;!3?2shEiC><-dBTpAlI}QDNlZLkHbl9HHR0J 
zhexTK)`{Bbc#fhqymORm6aF)(1D7vv-v16Xs#H1^Bt_Kl z>v^s;*UbxK%~@V*IOAH@9BZ7XdC_!T2HE~+UF%L?YsRbh8tyN`zHmIycrZvA>3#3! zJg-X61kBeY-+-PCb6v<76Xbgp@I%xV=vrpjN*~! z{Y-ou)jnW3<)Fo(%F=w&+nU<9F{aOczAiW`;d0cZ*2?4KX&~(Ng-6NT3cRY$Kd4^{ z9|1w?By(SJy-Idk)&v`0g=4{9F2&%+;V6e~?7nI_0_m@4cYw7&%Cm=|jr}zDQ>K#4fmZKm2^>JPP`QD`=%Tk&50^R50&F*+) z!ZLHYLu$@n_c;F?r1=TD{T}Ztnyqn(`bO%#^I?y#JMcr-LbbL$msD6OOK~_2e=)Us zb_Vy^>H0a>B164@JKaA2m$BTUFxN<&hG*T^?P>V%deE?AW7ZT8&y&2kb&dX?-w%iH zAqz97nQm|Yk1}W0Q*OQ_&6U=+`|C8{6rnGvj$b2=l%(T8^D??_pN>7qR>$S}T4%5? zB=O=j{2w)0-#+M7cWu{sn(nK776fSvo;B|_HC*#(Vb_zs zS#_^^%qFGUNeSCqL1sG&@>%!%oT2f5E$`}_>{Qn>-1hNFa~8UG7$la=eRZ!@E$~Cq z7HC|r`RvU7vi_mxl8sJ>X@oyxy|JB;jU@=6xZJ2d^Mf0@5bSf+6cGB?OWC6H1-O6{+w=`(v^#vTKm1q zRpHj#IStRc&l}fpzfW|;SFrs9NY`nQt?m`+mYpC;`vYCKi#mR|mhr=KTjR`ZV$yvT zK=&Sf8mNwf@Rzx-xI7TNP^>-!owM8lGWX5)^F_lp?2M1aJN8ci>3eUV+E``v~OX}~zlkN=a?@T}{=sD^9o z+BrOr{VwV+toHnl>v&6o-gm?OE8dFE-D-y)1!J|XY`)hx{z}HJ(mAg_$Lq%Hi37~0 z?017G^ZSaGcfiMHW{#PC`<<~x{B{$_hL4f^d_!xF!d#~szt^U&Pj|$%7UCzP_@=q8 zAAr+oXNzW)B)!J&JrkLn@OSJ@Sq-n_ojQK}odaCoh`$v)2}ag;(EoMc@A(>s=-!R6 z$!U1j^v$hdiuXgQ!$%{ug)cUC^k@BE&CE8U`2xyq2MT!FnZ9UEGj zvU`72rY~VWQ>Of%1Ek+!*Ab@soW|g5z>8e*$M{|7dPn@bAiZyp?PKKIZ=~H96%yhf z-IrV2?!QOq9oUYKKh$dw2tGVzqK?oIK9LGDe8;76Q@?LC6 zhcj&l{VZ-Y?rYV(L^g{|BpH3>6%~8Om*!;)RSLV zpNLS#H#oK}jM`7re);}%`p-o_7oVQZ(l51@TfiHcf2nNf7@F1)V!oXGQ%b}Ac;N}o zEBLH=v8Z#8neFaj?5$QAQIpf~towgt4X^7=cx5gAJ(XHNaTCa_)1aU4VO+pGT6n!w z`vIDZi*hW<^!s*fomAVNn8`RXYSVm4e(4u$F&GcUR#MK@Ky{K?ewfeqVxtATq&$70 z@4+iT*s=!5t78B(TNV_#>E$)KyJ=XsH*m}z=*7F{{h;2g6#A$fe^%7dcYZ`|9d#o8h&Zq9A2Y)uu z9zHp%YY0sXuM0J-jjA7B7jp*wY&YPO+N_>~_Ho9vwVqeayL6(RC#sEBF&=L4@4@uv zf8UJ#zZ>#Zed%?L9fQnAj_xPFOT#sNs*!9yVI zv3orJFX!Hh`KIo#h^XP$aSw!hUdk9fLGOVFx`#{8u{o8k#*QY={h!9pLBMMcaZa4+ zu52)tpT+j`Aj(?9%r>jJnLmPmX3Sh&(-AAu{cJ%~9sR3z z^Hp4L)bqy1bWLkNfacwQXrSD`VdH~<^N4{toofcXWmTh}uhevL|47eX>AlA9hk#!2 z05DNUms9>sY>gTBXg_HG0@v`nh~d@X9Pn~*KKLi_VQ>Y|e3OoECdb?(+vhK^UkxIS zzcTA5qK4m%FXBObsWp<_zKYZ 
zs|oE+`*>Mh7tdH3F@GDBkM#a2UTX01|3JD76I=BK=6w8TxgCMOCAHk^KfHc<^!jV) z+QV}ZcXOTAUk`F1dEX7xw{#8PgimQ3f5Kje#@`*hGiR(+$9aT!X5S0JfB_$*!I}s8 zDfoBr3UCZqm%>qO)yCcez6ew&&jaO4`yOSh>!!_|jXhiRyNn&LH^ zI#HY3PnuiJyR}WFh#Ic=(|qJ=%lU8Ye98?>K|~E#9jVSW4x9+_)V?;_$D`QZ9|Vqn ztPIu6CBUh4>M-yK$fi98*+)ERuI6^|-{9>)$2sZM+7#BaJp(XykN+pQ89WEn?}C(- z&AzgGdNmw2WpO=$eZ|cRpkr}1_Ji!B_;h^VlEMzQYCl121ljjfb#47KbX_=T!ly#l z@E|;y-uD6cJF=E}o2FIUf>J;3{t-3Ybe!4PV}2_38nvgO$$*Au%pgm ziGMu4G}lpm*x#j9uLfIz%{XLR$HSdK+NE)(v`gav+vREw{GI-Din5&FX{6s(v%Z>q zI`5X>wtci^U&qioFkVv_^Ec%y@Nu{;UMI5qcep#Q>mZ(g&h;nL$!T~&^+%r99xn^q z2PbMfT1x^nPx?+^dhTMPcAkshbqxG0*KpyPF#S=-@-=D)%{}JspB~w07-#WL3a(QR zU+2-7HJf%?2>WP0=UZTzo<|ro@t%(Ky!g@B(42B1#GLj~b2IPdTEuh^H1rqt$A%k+ z2dnqrz}e~wuD9sn{Cg3|h!n7OdIOB1~s{XqV_J#4d=A8cr zEC*iK>gU7I;_(hlo>4YfgpGd%g~E$szl>x5f~ey_ap&ezveFC932MC1sB@ku_t9t5 zP@RTnRVV53%w%kJE%2?Z5uUE+cjPMhYcV?g_t?Li^0$G>h}}e)>Q7gI3J{q-UHfG% zi`E!_3glw`J_-lY?{89|dGY|Bo=^H!I1ufc0rFETUeJ<*x<8}+l+ z@^CF(>tK!qzXh6C&b1bYDeqzYyb$Q#^r$qvB)@C|-G9>ybgT&Dqpdvh=M&rq$TKa? zjRmpkH2kIYtp4x-cn2sIN4Xk*ryHfy@Vx4K>eFfyzX!)Ob|$7Zgt-2eu3J-EwM)O9 zaQ{4?zXUYDV@rRc+SRyN_s<;M)XKA++ReWUAbb+uZm&O(OQ4h7aE#a35U!2k7QpXS%89o}_sWx^)_!7aF8~e*-v~ z_Aq<0+r)TnsJ4su2)6ZW9-$Jv2iy;I?aZVW2eqZ^NMGdMr_S2$c#(2q0~x2&NZ>)xaZ z{kFM-$}d{CO~sWfa2%GJX^POA|Hj)Hy&W&)%I;L%*tP z+>tl*t)83oO4soGnRdPV!G9)WnX9Ok5KY)o{9;_5LNyiOeUqS)i!ytnFUi%J4ph4lY7Q-nk+T*Lw7zbuxMT zcMQxAv;H#mevawXT{Zo`0n}T8Ki(Lqp-ohPg&aF(a{d+Sy_XTHcG9xe^{~EbmH%9Q zt?R1;$AW(an)mo2(75M5@CcAT3(~GX1D&Ht`@aly9C#UMQ$K6s83U7{T_%ZaY~AIp zF1eg{Z}9Bk;kAhxQ&iGM)L!cO{DQXdc|O;Xi>i1>>Dp6nG3kc0We?9?S@!Tkwo5^IPuU|? 
zJ*5xV^SPOAM^D*9EBSl?IH$UBeUXB_P{c|D8&YB>UD z-Z9`9a12ac2GCs(yc}E$egS?D?gbBn$H9}}X|M@A2R5g+&$89``u!2`7jOr-30w!> z*i-VzG`3ThTo<`xz%k$$u*`ro7JLjO4dcr_WsemxCbt}cGw&F13^)d+E(0kI?=`I7 zIv(^n4WGL0%0=!Na17*z0gaQ_UN;)fHfb1rtID20!=IR<%(}201C9a5fPDtK%brBTpRlCiPov>a+7H5&;23ZW zI0mLD1Kp))cyjTxKbPgjseHO6l9>g^l3EwX*B$4G~6iA@MoNcPr)|jLUs(~GXv`yANMkm&%S2k zn_Ugpe0X7x!+SVS0YxcfL#f-xG2j@;Lk7Alp5;lZA7aeMD6|CMei=i3tsV77c$%Y@@{+1_jH2gU9H>GPH}{CPCI@Q!WNzx2Bt+!nAc>}CJ^XiKk$(}i87TfB~PH!d$UO>q7e1_PZ- zw|Z@hw@#yWXpDV@`;l}ysYcJbg zgzbW$Lb}>T8=+mi9k9N{I3H?r-|8;e&b?!W!AU_>oO5!@FwkAGn`>2!vr4uf2ex;W z>_}R`UD&Jy1;cAMzIK-E=(WH_U;7fq;ml7ILh8a#unZnn!!tcvs2J^Uy@Er({=Naxl^G<+u-z8ekSIkL#S{9oEi z-JQX9kEOQpE9@>&IW9Q{90TDPc(r#2W6oXbtLJx?>>L0|3-}Rb%u_jqkl+GNcJ^A} zp|8Uqhv&bBclm8%*KD}B$^s8+V+m}(sbkr0U6UzEh z4+DA2L8fE!6QJS7dFbn0!hCoEjKfnL9KiNz3p}We-3w|#CiU*KW56*Gf&q=W+DiAJ zTe~j-^e-#;YF%Iv~+xR<6iM_Oc4zYjNLi}n|tS9V0S^C|wd?;^uaE>_! z3XuW&mb7aj_&Knl;m@NFhpL=>PVx^}((nWtp1;SiRP0>K?B`mhl{WC}u9AM%6Xtgt z$mjOyd~*zp#XuM1Lw_7r(*Jt;FLNJO`tYZED&jn2D}Vbiaa+{zfxOl5PUg5e{53iK zAGB2Wd$Iek?bQ9b(~@H~L-)O7z%dYkfz-Kl9ozdr(gN zqv2)wISx<7UB>oy3$csK2SGEiTY=8HV_*t1&_Vy|D2q*_pM3(D)-c%{0Oxc4)XUd- zVf?eE;q4UzMev)KEi4uHMz;OHM%{m@t0d0zV)8ToysQ-Glw%+S1HO)z_8-FbIgqq~ zAGDXm=7JF3+0T-Szt=+CeXVGCdmd_dD&|>izhNP6wV|zGJ+NPat^~)x6lb8FF*2A- zf4dsk(C}xmyE6O2boQ@E+oR9N4Jy>#$p_xp0>p1C9Z^478TVdAE<|RQg{I zVjyV&|JK2CO*_g4>;@CUIx-O3`BJN*Vs_VaCw@$peTFo%`2wm51P|!A>O{$<;;iY(RftzD4>d1|70Ovjp=Xf zDBH6TO|B%KXvrwu(KPN0~{S-?R{`>h{65^8RKp3d`;*$ADuX7YwvxHtzL;4xt1`26Lzvfb0&dmgfCc5WxffHej*f6Mv*5nwAw zTEP1|mop~hc##i@_|UdkuZ1}K+Ly=kVlJhpDgobUctz}Az+MZn?&7#`Vm{6N=R@0a zJ~##@g8_8M0}JTqH(KcHIwsuQRuNy)MmhPA@JHHaN5d;vhm!~M;qsxaB38`yI$-0t z{2S~q1^G~=&IiZ9lxBeO6q<&PSH#{1Y>e5qV|P8s3!dc%*ylBz7*~VmfDH}5ME8DH zHxA}SojNBR15=#=`nhzi6Fg?A&wqUNu}QBj57rT zxT@YgCw!`Fhl@Wy7|?tQ{eBkb##e!)1>D}YJXV$u=ibsD{OC0uBX)Uy_~g%}v{IL? 
z%VUd)@Bd84n6mdHVx21sNCfqQ`IzAt-U zYAlUUYo6r$824ojZ>x-ZT?;p<9&H?>REH0MMvzA>*SX>ta14k6jjgzMdK&%nGr)$1 z--lftBPNybeOkkH9Ijx_YI*E7OLh2_*2?(w*2?^QrtqXTDp$B;AWs;OzJjB{b_*Jy zIhwP+5^7|1^c+A7iT%GeTcGe}y% zSGjgNLpm^7sht>GE17FBA75YRa^}OaKN(5SM_D(Ud6df7=Pbmgws0pX2a^$=E7LLH z7|4QwwGBzG_wl^a%GmpX4Gq5^yLFSP1JYQ^x1!-)m6NC8;uKVXyMT?l`(#JSX3EH) z=O$#)q}?u#fvg#5T`}N+8O#^ff*D%lRfs921#8%DHmwDWe`DZmmC-awbE+y^<8WYF z=lZZ+B>R(*h({WJ65HKujmCz}?cgYtQHV)(0*Y9V)Wki*tcxtnzFCOe7mCj<)d_T= z9}SPKqn+OdUf#SSF|CDl0)>|RI4b*#iQ#&Xw1CT-SHz22R!j~z#PfoN8;-575uIq6 z1f6TC+~YM?Zk3m&aH@D1oi^OV-kPCUJaO(Rv{gt>|Vn$ ziJ!hEo|iHi8ZItDIk*#;tgE!G54NgJ6qts$()U`qKNwC<01u|P`9oV(yphk7(*9hb z`Nx3zZ1eKiG}^?)U?9~_)b^$0=d{!$rl~CzQo?Vw`<38HknYE(wsCBp1tx_OU&E{R z9Sv`)(j1;&U(%^vz*Ie@?L3doLsUj($>h{on1<52g0Xh>W^wZ}@DNDHqwSYCN1k1X z=gDEXaCydNpsjj%Y(kqj7(6Nh zrMY@w`edA=>}wj{Sd;KpmG6{RecDo8-H6sL;5;+WTItyCs9n9m`;Is{2|PRsFWdQU zV=L{vt$^YhJ7V`sSO#bZ9_N?~!4E)k3_QvA8=ETzG*%B=R8I4$ZR4}>1~3H1iY@H- zf5v7t$Z1?EELCT{7Gmmas%9=F$1#aRPzLU>5R>N8F80ePkZU__)q7Z5H6%`s1rLtH z$!+{r3v%8DU4i+*Kr_es_NqNRHzM{r5Ch3^@HoGnwq)f)UUOAptj$u}2JPU{apD>; z=J9^($L2=hwbtae52;Mh3&!&=%x`_ob!a%}X1Pp0hgGrT*zPhN6LtR#*dOFFq|jw) z?9o)aOZB@R{B;68_VW9GG*k@~ag9B6nJ!~tGSFE*@;wrt`bxzDA{r%Y?gasMF})myKHnEG03a;xFZwQ;Xw@ovTQF$?ji zzOLgKJ3rUQ*)XcmLA^Gr%~r<_2Y<hIs>pAgMOm;L}b16C0gW+}^Tmos$mi6;m`Lje@N+G=7X)deS2tJpFKnsK|8Z45*FhoqR?Bnm8E*;4g3TZq z5D&D}#E&oKe2kMWOhm z_T0qrn*Q@@&<~Oka5s4mY*atQWelAs>bU4yUvMk(!4pud$qxsGx>TKc2!1B zT0yETD;nOwx|CdKc%9Z?3~Sh%h{t4GOxFv#7%$dXHy=}~4y)My7^HoUzO9RWfqpnc zebJ?TkAakywX(e*Bn{)I*sB3vW1h7i`Qz(FUF@y+H)J?&@%Xc*`q(^>lSU(sL9c~4 z`Wl!^$%TeD5d(b9B8Kl+h(mSqzGmu!ZBFVWNFly{*T%~5?b~24FxeM3VQ(D>;*#69 z02pX%<~?Pr_DrMSeAIB8d7=Gb`}<7|u?moPjHpe6Rp1#5@jr>pPH9Fi5@j)uY+l2$ z+1JQDKGIj)Nyj_TNGuOpsE;kw#i8OU-%{$>wS?_g@z2J1B1!C5HrK~zgM16$`4fSG zRG;Z!`w&Q4!Vq@93KoF~-kQ&vx_(xSUpD~L@egA2f?UO{V?|?qtk*&ueND}1xaDK8 z<~PI@*a+el;`j|Vmjd$*DS|~EQ-IFbJ`EDUbURGj+l=iafY*>`97LdRN@s0qr0q1v z)i*zGvE8KGPl9qj1#&jGkWJ;PJ*V(KOB{T)pD~=Y2OV`O${dp21S^TMInw#OATUYiJk@UQq#Z 
zNW&?|j)pg(;j|ZAtgo~@?vcjgf3N8nu-n(%iiS7Y(?4;O^8X^!{-^9+*4PxE2436|CgH!jTGoKK z@Q%60*wNq-OYx4@m-oW)_dsO>ZGQFY{9Erk3Dr^XMbduMmX?4ogF!G_-P`!?;l`%e z`lcqdtzq)#Cy84;oCtPX;NZrF#&~fb|rS)T`eE*rkwJ`*!g&zuVF$!lne zEoJ*vFbI-4!XGH78!*o>x#J`G09Jr|f$8|4!lobR#5EFrkH%qr=(XT~UyJ5aEb1RV zi~mOOkOlv-8E?vmF?cG@dbT%Nh;zJl`xD}?$p;R?w{VwpJOyNs=1jJJ(asqw^{bElkA)b=YIl=(td<@J1lg6gXrl0k&eF~V4{mzD_c&W|!8dzV=aj4gV?|rPPDQal4 zGoL@~_rN0j{9#eNz28w*S3R-oJkzDA!2si7 zudx*^Xo)v~8$mKh*hM*Ssc-Ess&Ac~F$3*g$FE}ixWPiqTd=tnSZhcPEvh#(+UJ_xV{6=7(U?$wIu~rV5Z_q+^N*BuV11kJ198u} znvA-i%rfh$lU@UDuf8STMmxAUhwV;%_~iN)&Z{ly#dy5d6SK~F@!><3V*Y11B{n;H zQivM9e+O+%8r~8=A0#aB{@KbGP1l8)UET8M2d{l1T~D3i4UjK^G> znhex)Ue5WS`qnDi;GH0uBiutdE5W1?uX4dLU>7hQ^S78!nPF{CLg!DdjKj_Q-Ph1$ zXB>{N;=2f3X2I_mHa7sTImcsy`u5$5OQ;7o1JiA3EPIbo*0J^N_Qnd6(lK43p%`dx z?f2?h2GtJNf%|jS4jB($$2s8g`nKHbI58^T<={`I<0YJU1!lvEvfrew;K0 zbbemb<+sNZX_JqEWDc;GGA^xai_Zf&jlHI0z^iQ^m`?d$w-Dz}Y#t4)#8lr-Juwcq z;CEkBCmN1@(@9)_HDI#^zkkShbdJi%Wm221ZHv#O+z)~Q3vrFs2e(qrh4n2lt|#R- z-du9)$_mGT#&<1^L+Wd1gH1VVll_!)QA68MQA1nq-mUEG;IOW|neufk8LhuW`R=`S znxkTzW;zY~UXU9877IM9j^3kddi9+1vd=l5O5ylygyi zTWki~F@1ACOl<~g(eWDQL>bq-32X<+9AFb=oK)Z8kJWNk0hH;1HDEI^9q0G!+hem; zhUw&Mcsm+y-sisNcJt%#Iw(-OExvU(SnAjcrImoy9J)_#b%|-$W`Ll?A3R~ROXEq;u)>Y4N=aQ8`|RwY_z9b z@#f0OEdwbXpU?L5bsh0Rkjw$TUDpv?OgT9TR{g%QJvNQNDvb8Z5c&p~%YCG(oztwjRc!wSA$MYIu*#%6um(lFq zL^%x{vyHYPXKd;)K>N|WN)6i^(bZ%Q@Em2FQrFebJcs?~Ug%f>y1-MwbbMFUGe*>S z-(;#oOX@lqhnx4eubR1(T7zR+d_-U4)7V~W!Qbbxd9cc`our{E2OI((0;b!_X!ia@ zIs3t%*VyGW+;$!BtM=8O>$?25yOQ?w#~iiYyC|mxc$Lj&=OISclOJ1Gd?981+CprK zqg-*AOjb3VwS~1DBTS`QVh4-h;5Qcdy%U?IruiK$c9j7tK(59zPf*rzHSGznY2}{L zTyozz2C`8vDhMLGvC1N!zIHieJHc_4&1|S+|*_G2YT0I!=AwLQGq+c`z^< zf;jQV;pXdMcpPq0!-<``?16))Ebw~;?Q*(len(ao{(Cju12foul(L2_#4)lzZKI3} zm?N5IJGPOry8riG25LGJUQJt4{qfacD@a<#9_+ud+lzU%J!Um9vzDsSL&_1(1B1Y1 zTtnDo5Ez^m!8H#bf^((wH# zXOo3^{b*fmA#sCHx@G=kfK z?e@NxGQL7w#p2B+$AAq6bU!{=KwJB24%)Q(%#YEOrEG14Q~0lF8ZqZcpk-O3mA>cP~X*{ zv9&#n!_E8JSG&@jhAU=J1^!~(*Y5bY>zJdiH*~xiSrJWK%dc7K`~NC@-(}qYm)6~% 
zY2W+XYU3m0bN@RAq~o;f18aKX_k*NmJcj*)0dp#Lo^wBJJN|mML%?J_{n$H6_N#f0 zfr%syuR+5N`>B}wRxp=RZAcdtGdL7%2PQd{t&8CR`(`*DSufa^?@i!tVA}VQ_MWAT z(<)c(;e60eJR{?C|2qb%=|6QVr6utVj8`^;q-Fe|W>tKV#zr=h?1D95D=;0)J8M>& z)0-Ocz7h>L?`Pi%=2EJ$A2pR7H0WQ8#>Y2;A;Z4z#NKfrs+*(c7r$^Y3;SO(?DuHx zDn=P^uj(2os&@K4YJIpb?J?kw2fGu~X@i%50n6<@j{UbTE!*zZt}@?uIX-w`Ic3~q zA&zg>?w2S6Mk>RqhVPGtuZphW^08{w&@{NTp@R=$w;mYbGt)@zD&DEA^PH9O)4?_{ zn(mtX?!RhR4HVZJIBsUf;XXSCvSmR12xxqK6&jedj0dp4vSz=ySH)UKlc{!PzgN35 zHWT~TScu^^Y?c5cF8dn3igCDkzK6%*Ml{@S7sdE^lLbG2PJ1g>+cTYNh#gep^Q{*A zesTX;8NZnrYHh?}nipqpUuGbw@vB$8D&7ok2T9BLTJ`?%xxgr?ilK^Q1HOOAg8!SU z_ltL9*ND#=Cs*$m>$Tu#Up3b>O^m}8D`)}_Tk!LaY<}_BtKLYkz z@H?|_Jc|9pt2G8P)GmxPE@xy)GEjNoa66l*gG8m zSO=a2CVd`hOPsu+r1(jWbM84P={j)R$z?#A%6hjV+UC0$Bga9~B5tYLe_%OdCZj>) zyZUe!em`Zw_jhT$Reo@E?NQv-`!fzV&v9S1=EDu}>T|h&{Po6t+%LWb+pA^YWU4-Z zx<4R3AAi4V+~<+?v|s!(j>B_xEOyB;kWUQMFuy_nUsOdu07;7&#P&N@95Cor9bj%8 zgG~=C0k;Cv{(lvl(?R4akY4 zfVYA%2sY0FyMXDs&$M?d$KN{U!o0F|(Rel$zq8{Q$Yh|3@eF;Si|u_NX%Tc*2f;ss26AM265SueqSEiE2 z0iXiAw^;Buvkz>-@8ef6_h|Y&!W0+Ij$@$eK#gZKK8~LYwp;EKpJvP`%{4;&iq36b z75xi)@3r9f!`N&z;j6FV2ino_I*r2*j5a>>IXp04Nv!u;;PGS2hvz+v)Vb!3R44fS z&ukMG{7q}PY`+f;r@cnw*GS;bh+|+J23F7~z%2U3ml$&-E#gURudYIKDps4he^X;5 z{63xSfMLIPVs||lhq>&2TA^|HLGfP0{;8h&R;(E;T5(V`jlqrw_6M7R$@(9{-UZ@t z#lg{hOf!u=`C1451Wfw+B3tR7nMds@C;0`>x1?euZ_!rChQF6r9)Liz54V<4Xy(D`_!t`!|Lun}yt*grO{ zSUs>7`$p)H9Z&}D0;c=)CuBcrlE$J3Ry4fgz-Ss?ad3k37@xy;Tj1{jY*w4#P<0?X zpb7j1n6B%zy#%)3#rS)gG~6Y}Kp`=pu`!s1#(n`LZGmIO<;z#cXX=;{HB}vi1|5`` ziLXDf;O}=TR>!A&Q+y1pc&j#xn>|~2~T5pHSlT= z7>X38uR#Y7%I97SzTSe(#qu*sQhs3GKQx>%ev#@dY*Jn@2mh`IrtAB%IbBKS!lNAn z6hd`TCY1q=KbCX-iGK20&~LH7e4g<$`V(!8 zRx|8t+TXo~{e2L7bs$omC_gZ-;cL+FHE4JQ|5Cn{v9)o`en%AF(xfk^O;$1IgRQrN zA&}NwlUuc&-W6*Grh|0RZtEB*NCsA{;Tq?`0}Cn-9=IAkPg=r5*lpACB5INia2(hP zO!~VGd#gbt7nh?6*yuIvo8s&%XB;m3VUuD5-QY=JlDh=$=M348nq&i%gWmy@K4#jw z10HKtmP?L-LT6z4+Jv|K5cjsLV@Tb_oF`yrqtmiG*I|xMLPMMb<5|@v!05M?F$F!~8!}e+S2IhSt z2kZtfSs+yBo}zfu4BJtzZ_JXU^C3hoB!eram^4%sh1B>WmPBlxC9Q3-d9=jUSY2ZsI2jP-}C&sm@~IxaZ| 
z_9X_?|3EuXe@t3HKQ_+n++?Ll4Twb;|F$-Tqw?CKBF_6y; z(09~_s==L>`q3lH*A29(oG3~8fsQq%k2Al)<^tIdo0J#W(eT63@I%A-rswdLt>gS< z-M~+QY2H3s%9^9)5su9%-pbhCZoxmr`y@CJgsoba&oPkq43w|s-3>WtzW^BvNnUZZ{u*F#^W)}@5iaQSuEKn-}%uy1i}o`ucO^;xoh z(7Vd}iv0VGVc*j2_bKciC?6}=CPVw_GCBqdfr0YFVvLdf{{9~N)LxJ@j7PB73PRJN zykHf04w&?B8}<$bp?#}3oH>ib&~USUDaO7^UDFJym5K>;0UMkhF8g6q%C}Osw*!;) znYMK~buu%Gk6~kT`5Xh2!9Y1W1lquZAZZv0?7aebWrv14uT@@92mS_3`X}E`0ikJE z-m=5daI=0X#=goU(eRMI$uDpu*a1v(_B8fdK_t%5*CVj8-LP+pb1SxwisE1Bz+6Vh zz$7tHc0|G}KVon?T68H$TELf1Z{*n;Ys1Z-mK}jk9x<>Oziu<^+g|KlAp2nx`F#yH z?3e1GuWbE5QCQzner;eIGwj=a*jq09VN%JFw6(+H;_O|9{YtmnpJKN-tbbu*a(NsB z`M`j592^U_qZ>)HNc^_!@Wc`jD%3LiJ(z`WKR4@_ALlz1d)Oq61-%yh>MJ`U9$v$T z>+^N^HDuVgn@bNLSPVi@CazO;`F+EFsm&(9>q{x4BEoSwRA4TXV_=dQNa^Gfwl{;M zVQj))HwYD_-|uyvaAe|JhW%2UA1gazFqB`)q?kaj1;6^rj*1nP9T{9Jmmj;=laArj zJ1zM2W5&{RHJ%QWO34Q*@$1hPe0!k$$V4Lum{uMdKxVZ^a_ z76`?W@>Lu;IF0QWfN9?@D<}4_Nxp$z3x4%g9F2yr53b>*#FO&tBNqJn`qE>Q(@KsC zH!qg*YaQFI7JR$1?5M#RWvqK~$uThH7`QU&`F($V;t00eK+-TiAp0d@HA%X(KJj70 zJ}Jhls!mCIi`FJjaC{$U~c8m`Clv9Z^% zZ-dx7PrkY27?`RI_ehL@~QOvk4yjQe#|;-lCMLzSOLdErbpOpg&Brw-f0)??^^Tt>%0 z9x+gM6!#n+9h*)c`|pyY5=q1O750ij;E0RYaE?Ge^1j}%Pm1y9*q$f*VUpqjy%zlH zTXsaOD9m|_d|GzY;7qpPvEbLcLvwX(+*@{Bya=DJvf$S*@N0fp-@??r%i|cxM+Qoc zMw5C(1#nuv31W$9BlDUpHZIq3nlA$_ILZX}0v{vi!iRaJdS~Vh5_{fa3Y8Sle+Y1$uWr*5Q?jm zUuUt68}{o~>@Ai3FiH7<6%Ah!R>R?V*)fSZ_;mv?S%*4)z7~X`%GX!&mVrBgNxx+4 zO~5NTHuy0wR4^`+V<1l%kj8>lU^7S>#Ix8s0ECJhO_DC12Ko*9r1);fW~uClNs5QO zy}%?_N$mA4<(g)gakydubHT3+b2Ws$SIK^ul=7>F?cWUhwFi5rfG}>kJdS~Vih*Uv z(*KW5G=Yaf(jc~CYaIy1m-2y=!5(1JuRF0<215B&LcXQaaI-!szP@G0q2VFMm5K$- z1OEq1ay5v(b3rJsln*q5$AL+|wqS292<4Z{{C=1LlVw(N&VDZiT8 zJ_AhF;j`FVCHpQp2Bta#%cM!iC2GN6LDC?0EIlr91PDbje#ozvf!zjuQha{^Xn1(P zh^g1GPx7m8DdX^^VKjW0t9jVC#jsz4*gFSAsl#USKW*5rXR)^`tY4vmahV(gdCI`j z;~9q^pJ)S*qfJSJ*ov)nAXMbahn}6nb`LP;*YSxvh_zI4he^YJC3=ner1*|c^eti> zzU27eUW1L_Ch5U>MCOH5%C zw)O|1C{{jj28aPuKFQASK?#WBSFd58l1ooO!%srPPY9vm#Io%8#9Vy(rD4B@@az20 zT%AB2o{*>}|6dLJwFi5rg!L;_#k)+7fjnh^KISbsA@M4Z07+B8?xUbZ_QNFnkYDEl 
z(|+B8PfH^D)oY5U3_E>`H4YD>;lo-v2V2)=*fUX=d$IS%uv|%FK`Hs~FzlCNd$a5> zdRe&VxP)nwE{|g%-xyeQ68F&^zt>xGV&dZ;E zodlgrP8xg?Bn{)g7riVoU1bDK(hM{StsH!}VV@M^HKivcW|T2T43o$&zj`hB)wlGN zp(5#C&?KLhp0sy5+sjS+MLm2%_QNLS1^;f^FYG-9xYH z>%kC68pb8k;YDFIi98F*i$A@FeNv2H_fAWC&4-73mMZye`PH}V~(-p91ZvT#0>I($FN_D z^FPAOSEK_`OrY0-UwunYOBO9YCHV2BY(vsN-@&JgE%^0QY|aB|3Ic7F50ryH0n_d5 z5p1@DKt8#h9Rr2Vz#_(>i%wx(*2#nK1xX9|KWr`np{QC&J}{g7H(K!R?Tbzc=a+(! zUXZ`nxL>CX_7$Vy3qxqQ{1Vsr^*XjghJE`D_Lj(gn4~c>=TtMvf0bds)NY4}`CnDW zqL93WiOJ=03`{ly(y)c643@IJ6(lX-vn8w-n7=XH9IE^SOTit6ecOw@3qa^9kcKZj z6%9AfTVL@h5j1?5vorB4X4tp;u~!K~akltWzb;ju{{qCn>GpOLHkW`<{<%z!fkIh_APjt6eS6}2d@T63rJw|)#^)& z&IvacE3-~KG z>p>(clpjCeVZp!OV{>5?|9s!ja0|Zm%{x6=R2=gBr5MgYF@D`>!M6{ik$(FLTd`_; z=<6bU`;`U%)Rwn^V^oeyj)8rVfdw1sgB$5XXAE8kl9tf7XyZ`P;*H_wQRbbM^cJ5Q zmtK6{f{#C1uwiJwJ+=`uP7@{xggXAN=wpYVz|44w!2LDB+tVDorD zUk$e&Mcgewi@+T0Tw}q<%Zkq&Dk|o97B(p_e)U@Lt&g>sp*39b%-2|V!{BEu`1ULG zaUKXuo1YKAJdU4TY#+1WquTUta1PLzKa#I5vtuBi7?_XlfGYIo_aJErzryZf5Gi!! zrw=Y;dpj`g>-&q(f(zDGhE2YI8_{s{zV#KKjfS5Y*|&=<`1WV&WJU3Y@W*EHJ%1zP zh>eMv_;;lRAJc8+CTy32uvP5xIR^5Ifq9H;XP=pzhBkbFc0FXN?+jx1&C;LwoHIvB z#rO*vvGcAne^sII37k0)ERIL7-B%}7#si|1xZV|7rQkeve&W!4g*_(Nq=`@ z??@2I$N6XOm4Cg4eN&u$3%QmMWgM>9z#+gicX4ccd2ld~_WX5_w1^MQK975cBCI`Atcy-%?1azY0zG z3L?=u|1328tifKxzNv1aYxppCjo5m~uz!28_a+dDJ7u2FHEZ}&9iIo{z*f7wV&2(% z=YYsQI|Gh^$zWjCt9||U=AAwCDzFPAE#X1zwu8uFs&CIb2fxoAdangv@0x%1P&tU? z=e%=2+B#GvJZ0@l2gV-ASngySK zW@216R~mlyV6Soi&Kc^PckYm44^1OJas1mmo9&M*_;(F;JljY;%g^Cs_3QC-z__pf z7_Z!p?RwzNlMT?8>GNEg9^ie5#E6+Id?Xl#HLv0=qTjn9&(32F-Q zLxUO{3Ihl;cfa2{d&Z2zw0rMf=bj_`eBb{&GqKKnLo_5_8x_qpexq3F0B z_MTSo^|O3OlS@IBE5AQS!vEtHP*9*VpKp1knW5CD2DB`@DpPRB8N3R>duWUB%Daaic&@Kk{-QwL7qWe`?{cz$juZwg*TZ)C_d99upO? 
zDZQr?=erere*l|eyJ*3q9zK8`?q1`tlKpV$X~i7Ek=WF5Uaa8b6ZqGqSRb47vp&~< zhx5A%J~yp}zhVDC8P7F`=A8WhUV(fRs2)U44yxaV^~@q*l(7)|-9SDrw)BH;QwU->#wRJ`=gMkX5PZTtb&gr`(Q=)@J@Wjyqaq={JTuS$K}}E6|@`Ad>&AP zznun|3hd5O@VR+CEM~3K(=~^D`1;3s1)3@l)$3qW$@zRx2aF=#Cif4*ep45m{4F-Y zx4{R%HHXn+KNwux`wE4q*a2AuAH(V)CR07gnUA9sd|ZpoLxGc+e`bWwZrZsqw+psk zR`9!NK1q#S0II-eF8DvZ0;N!(ih8dZTo+Ug%Jm~3KLSm2)%D-?*q>fGFqf%xocopV zka_~g0U5`o@3q)F95@LPTC4T&s^d(i%H2G37@XHR*3wiD&W&}YWz&FE4>UpLadJJG z8wO;qaG3+mZGDXW0b8&KSw7V5HAPcS{%@~9dkRzy&IMINa{F_B9T;W&7W;ibdv4`@ zKO6%2o;hsKR^ad^Hg|XBcP0F*hvc#feum|PO{UU84;QXr53oYP&uhz%Gi8-SioafH zo+y$B_}dlSrr>w;`uH>B9T<)2;M%7-7yrLkpgjem+#8bHj`RJ%DB~mSA63n7+g23$ zImecGRURj6uv`seJgC6qH`v?)v@~?yw^d4?ksj_|^RRrNqaJR3?2eC5EBN_aY;Fni z)~>xLRLDBq`o2H*mn-<*yiS%dMsE!+?Q!+@Z{7;X?}S$lt*_xc8`J}%j7!+7t*la5 zdr2hmU9cl~U4h4S-G=1KIy+e3Ht{v9;AhC%HY4*{u}2kp(hJM+@j3-R-@@h|pjbCs ze7@|bR1IA#`7jP_0Ghd-!~WdLp{6tE7X9%zdIel7P&t%-H;h^znj1;p)hg$>)X$4x zXAlIxD89e6q=(oB-vz6I>zW-?fql7#aB(#Fn&=*0!#p6I@pXcNp6jsrW6_}xzmKVL zi0_~WW8A0UfAjoWOD&D97*?ODJl;)?XlUYXelZj%AI2JmwQ$ApxgS;x&Am zd&W^!UF^ec8_q8%a9WDZZZd|eLu`R8a27EAZGNa5bUoHIO)2o2wQrYlaCHXrAtdAj&H!{Z5%HcWsiEfQ% z=vOiZI1bcnQv!RKvEOHzv|nxwJCu zsZ@{JD4GujYm~S&<+*_|&Z{^fS6zOBZvHDv=glWTfeblRHX>KXc_{g`3YZvhCu3{{ z)D@61wjRDA;CvZy&Fv#>eoMx1c}PsKnN{#N4A>8M+QY4{eev}Z1%GcSJHeE@^tZJ* z;k)$k8qQaMoC25Txwo1)pBM}`8927)mcQLA(6$06^0^n*sa#(l0sa9@4ESSaL~d`! 
zY1=nP_m)#1pgZF|sle?e`b%%uJw|G}e1yp=_#0-}4|nOW*aF+*>+1^szKG49z)?1| zZAQi+H~VmY48&0j?=a3!Bu8aze|QD*QJ{?eow4|L&dY#_0q>KmN0;#)aLL;^js}i< zbADTa-+Xke5I!!CGU+8J(!<@yB-#&m*)PNvsKM7o3jThG&2Iyj^0sO#TF*#LjEKhk zy8@qX4V`2zRnS@DHZIb7 zbj&#2PuY_3+|x(=I1sqwOXBdg$d$a^20@1;b+wK>)wpX(I-zKvd5rKWdV*(tFY zWy%?Q5|FsZQ9HGab1Jn{$+<1>{C%5)0+IuxsM}GjM^82%#*~AS=XZmipfoDmo+9Hv z4_w#Xa%}FR#!dRh$?T=L_d8@>)9m5<;PXlazh5JNx5sWNbEzxi%X%QEz^|qJT*Wve z8fv#Ry#1)9S3r7!Tz`%-$AEW$i3!g$&YscOrFwnFuAdIZk5vks7h|&q=)~Cio>lNW z#HP&W?)|ntcgOZ`6#TBm<_{yk9sGVpLF6sJKKQUifnRHN`5t2pY`C5*$Zh|m6e}Qm zl(L^N%KSHYBgVY@J7e`_4G{#qkFg|&yml(%k1`XLcu#AX8+GVu_HcP$idGLliM^{) z?1}5F70!!d8uy-fV}xZ~n^XJ3?hy5Y!TLRr^9BXq zAH`1Kj}&;e#{YH3Is`~=yXEAqB}W07qiz5C56-Uu6BFtfXAbBL zN~?$L-&hUg`g1*St-;-_g=$oJTK}^OzK85@Wz^Pk*6%Iwd#Qr&l4CWF{&v@HJFeS09&tN|UZkY`wP;_iHV5UCY4)0<3p}p?^-6qOs?|Th|9~jR z9e!thKGgkV6%??&Tl)7t;8|c|#G{P06Hp*lfJyOVjOhWM0*rX4I^urw)(E?`<@||yGL3iK?mkb08-VYQf`q`@`81l~V4L7A`RkX7Ii;(JE*J)hS18hpP?!GFo^=~2$fI7v9< z{f4rqF*aJuJg3CDrJ8<^vHk-jK?Uzau?k2WWq)q0IRoTCOEGtO+gprr1h74`SpQu; z-}=)DzwS}cpbncuBF-{bXdaeFdV9F+iH|jt6=EPc{5a?iG$W9oZRz25{csR|y$)Q~ zT5GnhXPl};>5!jl{?W}9kh&RXb_UCUQN#z>9z^bxB`$xg27BV)3I+ZvvAH*BuDtvI zEsv}M2m8JhZ4TD|zWD!%0*Cjoc>r*)dodQpADLIiv9=j!-UOO8_%8Mj0#1L6yBPZZ zxegR)Tnmij{Z8X}om?k}R%7=RasMHm3)3t^=-X=wWPjjmB{1bSs90 z$2j)G-E*+};bLF&u>SYL|34^j$YFDIw11)Tosq@pB5QH^o;6wHjN|nf_wj4Y>8r6_ z35xO7KR1aANFN_>z5-qX#xd4m?@aQhDv`M(^>Ye)z2nXGj(IogI6eC8YaG|`HjY^Z z9`=1H+O==@f+QB#DR7W@+(8c3a86zo+Spa#+bHk}Xv`m1=aty}CP*H4?@{pz$mi>& zm)ZQ;;4pv0)(q;Vb7FJH)=nS%`=dkNjdiyMn}@~5-Ez_C;qtx|?fSR=OCAmZb)Zp4 zSLeU;+U#!XuPql^k-}frI^%gwV7#ey%zrla%0Z#t`R65F0ohZSz~^ly@Y>G=YNvSA zVPh`n4wB2>@;(wD*8&&3o7#AZHF)o69Ug}QG8d0$FU36%`@WPo;%MXXH8{Mfz+(e8 z2LSuMKykz*-!Uxz8hkt#tOrf=snEY)!_FQcUvK>5)1-jR&(Z@Xn4fW8156R9$Id*k zb(A+#5}G@b)8pBPoM}#5F^Z?;7k?XdJX0dY~ zHm9!-Cb1r!6jMwJ=>fKnccpgbpuxr>b*SU{6N5|P8%O*K;p?B{P61m#U5NSoBJw83 za~FVKz@2XzmZXj+nQig&1<+P6F66!q*z6zminwaW#?O5ZpGXg%$XpahJWp%rHIvv+ 
za32#xJYEAkL~+r`DHk@kMg!4$0>3pnk>8J)$i7nHT0G5j-Z)WiIrXE|jRxP-xJFZL*_GGgocpjJz z;xQh#dz3HI89<1 z75J>h=26iYan7;r#jmyd|E0$c_l#BrVTvB zeR~00cWIDD>Q>e#Q_QqBc(uj3z5AZPZudx&IQ6hG%PMfPdns|wNtVlwaCuFEkHqid z=)KaXlLu)yW;E2-6h4bL#XQiCCQovIZ;%FN-bXD3B>vLtrt*EmQ~7Ppsr2zp@ho|= zPt*^mr6^x4uPx!Tv;|Hr@yz$OY1oZ-A4T%Oj+s^96b5Io4j21z9WvJGd^f{X-lMu{ z-sKyQmLC5icDIX_Q?c5~xr>6W0{d-k|?I5@yW?gLG%PMfP zJv`2y(D$=A4T8@`1x~ftJQ5@=L)-R8{FOLQ<+Z2N&121U$#MHE>aj9aHQ6>}e{Zo0 z*nZcIT$$e_UtXYh?;qvTnJKFQJ0}JBKfMW`Li=?~&wC2HTY+Mg&;R){<{7-EdB*4F z+LnCG@3u2|fB2cK!)5-9^RT(MD_SmBiq&P<&6Ffo#pq~tk#)!(;ISy)Hs(+B{|>3+ zQ;Zh=x$P?;b!+hr&VK_hf&-#FNz3b(OZpeoZqYx}E0Amjq#wv$%30<@U=;8?Hn#<((Lu&N zi@g;0+(PE<_}Ag0qUE#~=eHDiNe+}|esYx|c5htv$IGIik9j`zV6_9I(X{IN5 z4j2W@iQca!=sftTdKGO#@;Ma2A=UIDK_J_?*o zou1A2d7sVamd-ZDF>0}Q1Ss8pr1YV)>EZ6V*&Z(3;yz@Zc}~RZ6nNznxP6Mv{{b*7 z0l&EQ^y7I2(yG98>T?Fyo9FP^j&tbW?(rfvdx6p^Bx9dL4|mTkWDhD+GH%je&oN&I zZ!2(rQ~J-jTr;0*J_W`x)?n{2(3Tha_gRiv$J|6K zyACfEKk2P<9d$0hHF+-kDemJ}hs_aD4?nNOG1SizKY~{veF{ijp3i63rkfjqQNVNb zfS#bV+DM<9&R&Xpjv@QSrCW!Ks+QZ{oZnL5CpmEs=mbg|LqED#z$>t+0@B0J}IgLskU+5Vq;i?4|gi?lbm=5><8jvwZ+hu4gUS4xF&T+nZ3Y%Mj(yJ>zWLby1=NV!%Q*w?rmU|M*6$%_B zHfsl#4xd2}FZKG= z#Mc)D(rqQ;#taTj+SEUZ}SRljtWT4%X?BTFlPdzfDf^GFi3{Fw#Q`^c!ubh zlpZee911on@RS^x6@BMO60WO~kyYLcuR!S(kp6uk?-#ky{08KxE($H-xC zd{pa6=xq{h%Qx$or|4$)Qj)+^e7KO$RL(HhD)1Dp8^8b%1Q+=}?wg2LpkxZjdqiea z>lab$7tz1n<1K9N14>45lYzyTi&%%d=Nhudkc@S>kQSaZ%uhJ4Q{XDOvJg~*O(ga= zcm=!yF)1*U`kTq;r)ToJ6*KAKu5l5st6gMj5>@AxbJjW6nXJQQFGcJp;jlb=;m_|C zxJs_P4ZZ=Az}EZV71;a~koA+S!)Kb4K|OHY!#84caLL~f-aN9>b7rv)cg=SeJ$w#5 zywvZ1Z{#aHFNxwi!#USR?Pi(Nqxo6hm+lX*fL9=11*F%^GTqoqc?cK;gNy0mN#T1rx{EKfO<%AIXvFww>~0O(Q{CV174QnUR>0QxA=KZ8O7(pe zb~CI^U3*@fJcn$GAB8qX}gvGhIEb-6w3M5+rx%R!5 z?|{A7%mhXOwb(o|s_iQhR@)cj&&BMexaKWAJZW>5?3Y~%=9tOO`Tk44Ut+&JigmKH z-h1a2_~Ixa`=pne9a%U22^az(tqI{pT`TP2QrlH%Zf@d~(7!1nO(Qg0suqk!A#Wi`N+$8POd{#gay zwudK?x8?k0IKQO8TXJX(I1&Uwn9#Vp%_48jD^MB*=2BmCSu0*)E&)aXpJH<$V+5Q_ z!?C?l#jm-n!(H>A%R2l@v=#12JA|{W$FDFmobztfajy9l+$$2vKWXvs{&)onRp3hM 
z_)4=gcnuf@yh06cpXfTa8e|o?+jV#nd${C_oxcx;_lFAHC70d=dx1i;(?8EE;1y^~ z0lCJ#D#9-~*8!t|nXLE95?#kugRBDgkbQ&F%?t_%UnW$8 z(y8x9_6iiQz}3{%)qDqRXqEt@fDf^G2q@lHO$*{*$X<$j4Z`3WdbsGE#6xso1XYB5pcrDVAvEIwg zS%G@`s;t3(WsU7Q%6gIQNT;s6#MDX_(puafgbK&54#Re zix%SN4eWv4U_MaLLUQdDum?y_Zg@|<0!dRqu4U!>tZ(E!BR87M!N1XTOCAGyABuoX*jG7o$-5-V=dNV?-sCca5HQDn^K}j8e-;s+Q9hhepdK5^gQZa}+{|~zOK$nYE8rD~M*-W*wxsWj z0Dl5GU^<8=cw7$Vl~DQTP2tRDY{9xL+HWI2zY1hxgDsmmyN zTV4ULKt~jix|5!BtJ#fxfSKSQz_f!p?jIS*`t6Ps*6nThd>cKyeV*;<(ENV84j21r zIwXz@_zsoZculrrn!L~Bt^)gzHyPi%(-ds)>lao5spH%D4VL-lo8SiU5p``^!7}du z3P`6Mwr6Eq;no`Gj@%w%GXv74%iZ`Zn#^Z!Z9yAxpKn(4n1!G(r~>KY>Am#|Yz_)Y z|5?Dk<^pqgu+ZEGYJq8nY;YHkTbR-s7QYv=4&RhlbDsJB9|pJ6!_%mXje8e-U(|vw z>&S;C;3wSICF{QSY}`z@-9GzjsD` zuLpJAD_F$eX+DI@o%HZK>EUh>((^KrR%z5nUY{2K?=W8lTSq*kulvI*;1%!+BuN3; z%fE{reiuF5EyCa)dZ4^U=nt=eSHLUa70^-O9(wFO^zeJ=;cgLfjgrBpj^Ey@SHLUa z74QlK(O!^74`0MJjh;(*!PE5z$@St@CxWC@E|?*L3;Ru^l+DWfc^0M zeGk_Onz!l|@CtYZ8Webl9{vzL{2_X{TZF8^Gt3KKYOjD-z$@St&{ALtJ$4B_dfKUt^p%m4rY literal 0 HcmV?d00001 diff --git a/hack/ukify/constants/constants.go b/hack/ukify/constants/constants.go new file mode 100644 index 000000000..3a57361f9 --- /dev/null +++ b/hack/ukify/constants/constants.go 
@@ -0,0 +1,49 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package constants
+
+type Section string
+
+const (
+ Linux Section = ".linux"
+ OSRel Section = ".osrel"
+ CMDLine Section = ".cmdline"
+ Initrd Section = ".initrd"
+ Splash Section = ".splash"
+ DTB Section = ".dtb"
+ Uname Section = ".uname"
+ PCRSig Section = ".pcrsig"
+ PCRPKey Section = ".pcrpkey"
+)
+
+// derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36
+// OrderedSections returns the sections that are measured into PCR
+// .pcrsig section is omitted here since that's what we are calulating here
+func OrderedSections() []Section {
+ // DO NOT REARRANGE
+ return []Section{Linux, OSRel, CMDLine, Initrd, Splash, DTB, Uname, PCRPKey}
+}
+
+type Phase string
+
+const (
+ EnterInitrd Phase = "enter-initrd"
+ LeaveInitrd Phase = "leave-initrd"
+ SysInit Phase = "sysinit"
+ Ready Phase = "ready"
+)
+
+// derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308
+// ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description
+// OrderedPhases returns the phases that are measured
+func OrderedPhases() []Phase {
+ // DO NOT REARRANGE
+ return []Phase{EnterInitrd, LeaveInitrd, SysInit, Ready}
+}
+
+const (
+ // UKI sections except `.pcrsig` are measured into PCR 11 by sd-stub
+ UKIPCR = 11
+)
diff --git a/hack/ukify/gen-certs/main.go b/hack/ukify/gen-certs/main.go
new file mode 100644
index 000000000..bb0e290b9
--- /dev/null
+++ b/hack/ukify/gen-certs/main.go
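Review bot: The `OrderedSections` comment cites `tpm-pcr.h` on systemd's `main` branch with line anchors, while the `OrderedPhases` comment below pins `v253`; this list is the order in which sd-stub measures sections into PCR 11, so the predicted PCR values (and the signatures over them) are only correct while it matches the stub actually shipped, and an unpinned reference lets the two drift without anyone noticing. I'd pin the link to the same tag as the phases comment (replace `blob/main/` with `blob/v253/` and re-check or drop the `#L23-L36` anchors), and extend the "DO NOT REARRANGE" comment to say why: `// DO NOT REARRANGE: this must match the measurement order of the sd-stub bundled with the image, or the signed PCR 11 policy will not match at boot`. Go doc comments should also begin with the symbol name (`// OrderedSections returns ...` first, reference lines after), and `calulating` is a typo for `calculating`.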
@@ -0,0 +1,82 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// gen-certs is a tool to generate UKI signing keys and certificates.
+package main
+
+import (
+ "flag"
+ "log"
+ "os"
+ "path/filepath"
+ "time"
+
+ "github.com/siderolabs/crypto/x509"
+)
+
+func generateSigningCerts(path, prefix, commonName string) error {
+ currentTime := time.Now()
+
+ opts := []x509.Option{
+ x509.RSA(true),
+ x509.CommonName(commonName),
+ x509.NotAfter(currentTime.Add(24 * time.Hour)),
+ x509.NotBefore(currentTime),
+ }
+
+ signingKey, err := x509.NewSelfSignedCertificateAuthority(opts...)
+ if err != nil {
+ return err
+ }
+
+ if err = os.WriteFile(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
+ return err
+ }
+
+ if err = os.WriteFile(filepath.Join(path, prefix+"-signing-key.pem"), signingKey.KeyPEM, 0o600); err != nil {
+ return err
+ }
+
+ pemKey := x509.PEMEncodedKey{
+ Key: signingKey.KeyPEM,
+ }
+
+ privKey, err := pemKey.GetRSAKey()
+ if err != nil {
+ return err
+ }
+
+ if err = os.WriteFile(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func run() error {
+ var outputPath string
+
+ flag.StringVar(&outputPath, "output-path", "_out", "path to output directory")
+ flag.Parse()
+
+ if err := os.MkdirAll(outputPath, 0o755); err != nil {
+ return err
+ }
+
+ if err := generateSigningCerts(outputPath, "uki", "Test UKI Signing Key"); err != nil {
+ return err
+ }
+
+ if err := generateSigningCerts(outputPath, "pcr", "Test PCR Signing Key"); err != nil {
+ return err
+ }
+
+ return nil
+}
+
+func main() {
+ if err := run(); err != nil {
+ log.Fatal(err)
+ }
+}
diff --git a/hack/ukify/go.mod b/hack/ukify/go.mod
new file mode 100644
index 000000000..426a44cb2
--- /dev/null
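Review bot: `generateSigningCerts` hard-codes a 24-hour validity (`x509.NotAfter(currentTime.Add(24 * time.Hour))`) and its only callers pass "Test ..." common names, but neither the function nor the package comment says these are throwaway build-time credentials, and the generated files are named like real UKI/PCR signing material; a reader of `_out/` has no way to tell they were never meant for enrolment. I'd add a doc comment along the lines of `// generateSigningCerts writes a self-signed RSA cert, private key and public key under path with the given file prefix. Keys are valid for 24h and intended for local builds and tests only, not for signing released UKIs.` and consider making the validity a parameter rather than a literal. The errors are also returned bare from three `os.WriteFile` calls; wrapping them, e.g. `return fmt.Errorf("writing %s signing key: %w", prefix, err)` (adding `fmt` to the imports), would tell the user which file failed. Writing the public key with 0o600 is harmless, though 0o644 would better reflect that it is not secret.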
+++ b/hack/ukify/go.mod
@@ -0,0 +1,29 @@
+module github.com/siderolabs/ukify
+
+go 1.20
+
+replace github.com/siderolabs/talos/pkg/machinery => ../../pkg/machinery
+
+require (
+ github.com/google/go-tpm v0.3.3
+ github.com/google/go-tpm-tools v0.3.12
+ github.com/saferwall/pe v1.4.2
+ github.com/siderolabs/crypto v0.4.0
+ github.com/siderolabs/go-procfs v0.1.1
+ github.com/siderolabs/talos v1.4.4
+ github.com/siderolabs/talos/pkg/machinery v1.4.4
+)
+
+require (
+ github.com/containerd/go-cni v1.1.9 // indirect
+ github.com/containernetworking/cni v1.1.2 // indirect
+ github.com/edsrzf/mmap-go v1.1.0 // indirect
+ github.com/golang/protobuf v1.5.3 // indirect
+ go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
+ golang.org/x/net v0.9.0 // indirect
+ golang.org/x/sys v0.8.0 // indirect
+ golang.org/x/text v0.9.0 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 // indirect
+ google.golang.org/grpc v1.55.0 // indirect
+ google.golang.org/protobuf v1.30.0 // indirect
+)
diff --git a/hack/ukify/go.sum b/hack/ukify/go.sum
new file mode 100644
index 000000000..a38c38e22
--- /dev/null
+++ b/hack/ukify/go.sum
@@ -0,0 +1,300 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= +github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= +github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/containerd/go-cni v1.1.9 h1:ORi7P1dYzCwVM6XPN4n3CbkuOx/NZ2DOqy+SHRdo9rU= +github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM= +github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ= +github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.10+incompatible/go.mod 
h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ= +github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-logfmt/logfmt v0.3.0/go.mod 
h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.2/go.mod 
h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-sev-guest v0.6.1 h1:NajHkAaLqN9/aW7bCFSUplUMtDgk2+HcN7jC2btFtk0= +github.com/google/go-tpm v0.1.2-0.20190725015402-ae6dd98980d4/go.mod h1:H9HbmUG2YgV/PHITkO7p6wxEEj/v5nlsVWIwumwH2NI= +github.com/google/go-tpm v0.3.0/go.mod h1:iVLWvrPp/bHeEkxTFi9WG6K9w0iy2yIszHwZGHPbzAw= +github.com/google/go-tpm v0.3.3 h1:P/ZFNBZYXRxc+z7i5uyd8VP7MaDteuLZInzrH2idRGo= +github.com/google/go-tpm v0.3.3/go.mod h1:9Hyn3rgnzWF9XBWVk6ml6A6hNkbWjNFlDQL51BeghL4= +github.com/google/go-tpm-tools v0.0.0-20190906225433-1614c142f845/go.mod h1:AVfHadzbdzHo54inR2x1v640jdi1YSi3NauM2DUsxk0= +github.com/google/go-tpm-tools v0.2.0/go.mod h1:npUd03rQ60lxN7tzeBJreG38RvWwme2N1reF/eeiBk4= +github.com/google/go-tpm-tools v0.3.12 h1:hpWglH4RaZnGVbgOK3IThI5K++jnFvjQ94EIN34xrUU= +github.com/google/go-tpm-tools v0.3.12/go.mod h1:2OtmyPGPuaWWIOjr+IDhNQb6t5njjbSmZtzc350Q6Ro= +github.com/google/logger v1.1.1 h1:+6Z2geNxc9G+4D4oDO9njjjn2d0wN5d7uOo0vOIW1NQ= +github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/uuid 
v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/mitchellh/go-homedir v1.1.0/go.mod 
h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE= +github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk= +github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc= +github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0= +github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c= +github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI= +github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= +github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= +github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= +github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q= +github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= 
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= +github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/saferwall/pe v1.4.2 h1:Vzustn1KS7uHvh6gpWfSlmgZbkWFNxEKHV0DOSuCV50= +github.com/saferwall/pe v1.4.2/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc= +github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY= +github.com/siderolabs/go-procfs v0.1.1 h1:GkKjnDfFkupcuLN0w6A/Oy58/8FPAHcmlgiHIaw6M+g= +github.com/siderolabs/go-procfs v0.1.1/go.mod h1:byGwc3MfF65wg1mz8t3qQ1zlrYhMngEYh1eDzaFAYq0= +github.com/siderolabs/talos v1.4.4 
h1:S09NZ+1lf81O2m3ui5C2e2s5eU1UaBH04tNj9HH4b/M= +github.com/siderolabs/talos v1.4.4/go.mod h1:wHI43aCA5pf596PO/rOvtXS6hDDTgB1ffmuXDQRWfEU= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= +github.com/stretchr/testify v1.8.3 h1:RP3t2pwF7cMEbC1dqtB6poj3niw/9gnV4Cjg5oW5gtY= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0= 
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= +go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod 
h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.9.0 
h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys 
v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210629170331-7dc0b73dc9fb/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU= +golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text 
v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod 
h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19 h1:0nDDozoAU19Qb2HwhXadU8OcsiO/09cnTqhUtq2MEOM= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230525234030-28d5490b6b19/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag= +google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.25.0/go.mod 
h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/hack/ukify/main.go b/hack/ukify/main.go new file mode 100644 index 000000000..657f5b271 --- /dev/null +++ b/hack/ukify/main.go 
@@ -0,0 +1,308 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +// ukify is a tool to generate UKI bundles from kernel/initramfs... +package main + +import ( + "bytes" + "encoding/json" + "flag" + "fmt" + "html/template" + "log" + "os" + "os/exec" + "path/filepath" + "strings" + + _ "embed" + + "github.com/saferwall/pe" + "github.com/siderolabs/go-procfs/procfs" + + "github.com/siderolabs/ukify/constants" + "github.com/siderolabs/ukify/measure" + + talosconstants "github.com/siderolabs/talos/pkg/machinery/constants" + kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel" + "github.com/siderolabs/talos/pkg/version" +) + +var ( + //go:embed assets/sidero.bmp + splashBMP []byte +) + +var ( + sdStub string + sdBoot string + kernel string + initrd string + cmdline string + signingKey string + signingCert string + pcrSigningKey string + pcrPublicKey string + pcrSigningCert string + output string +) + +func sbSign(input string) (string, error) { + out := input + ".signed" + + if err := os.RemoveAll(out); err != nil { + return "", err + } + + cmd := exec.Command("sbsign", "--key", signingKey, "--cert", signingCert, "--output", out, input) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + + err := cmd.Run() + + return out, err +} + +type section struct { + name constants.Section + file string + measure bool + size uint32 + vma uint32 +} + +func buildUKI(source, output string, sections []section) error { + peFile, err := pe.New(source, &pe.Options{Fast: true}) + if err != nil { + return err + } + + defer peFile.Close() //nolint: errcheck + + if err = peFile.Parse(); err != nil { + return err + } + + // find the first VMA address + lastSection := peFile.Sections[len(peFile.Sections)-1] + + const alignment = 0xfff + + baseVMA := lastSection.Header.VirtualAddress + lastSection.Header.VirtualSize + baseVMA = 
(baseVMA + alignment) &^ alignment + + // calculate sections size and VMA + for i := range sections { + st, err := os.Stat(sections[i].file) + if err != nil { + return err + } + + sections[i].size = uint32(st.Size()) + sections[i].vma = baseVMA + + baseVMA += sections[i].size + baseVMA = (baseVMA + alignment) &^ alignment + } + + // create the output file + args := []string{} + + for _, section := range sections { + args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.name, section.file), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.name, section.vma)) + } + + args = append(args, source, output) + + cmd := exec.Command("objcopy", args...) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + + return cmd.Run() +} + +func Measure(tempDir, kernel, signingKey string, sections []section) ([]section, error) { + sectionsData := measure.SectionsData{} + + for _, section := range sections { + if !section.measure { + continue + } + + sectionsData[section.name] = section.file + } + + // manually add the linux section + sectionsData[constants.Linux] = kernel + + pcrpsigFile := filepath.Join(tempDir, "pcrpsig") + + pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey) + if err != nil { + return nil, err + } + + pcrSignatureData, err := json.Marshal(&pcrData) + if err != nil { + return nil, err + } + + if err = os.WriteFile(pcrpsigFile, pcrSignatureData, 0644); err != nil { + return nil, err + } + + sections = append(sections, section{ + name: constants.PCRSig, + file: pcrpsigFile, + measure: false, + }) + + return sections, nil +} + +func run() error { + defaultCmdline := procfs.NewCmdline("") + defaultCmdline.Append(talosconstants.KernelParamPlatform, "metal") + + if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil { + return err + } + + flag.StringVar(&sdStub, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub") + flag.StringVar(&sdBoot, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot") + flag.StringVar(&output, 
"output", "_out/vmlinuz.efi", "output path") + flag.StringVar(&kernel, "kernel", "_out/vmlinuz-amd64", "path to kernel image") + flag.StringVar(&initrd, "initrd", "_out/initramfs-amd64.xz", "path to initrd image") + flag.StringVar(&cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline") + flag.StringVar(&signingKey, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key") + flag.StringVar(&signingCert, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert") + flag.StringVar(&pcrSigningKey, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key") + flag.StringVar(&pcrPublicKey, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key") + flag.StringVar(&pcrSigningCert, "prc-signing-cert-path", "_out/uki-certs/pcr-signing-cert.pem", "path to PCR signing cert") + flag.Parse() + + _, err := sbSign(sdBoot) + if err != nil { + return fmt.Errorf("failed to sign sd-boot: %w", err) + } + + signedKernel, err := sbSign(kernel) + if err != nil { + return fmt.Errorf("failed to sign kernel: %w", err) + } + + tempDir, err := os.MkdirTemp("", "ukify") + if err != nil { + return err + } + + defer func() { + if err = os.RemoveAll(tempDir); err != nil { + log.Printf("failed to remove temp dir: %v", err) + } + }() + + cmdlineFile := filepath.Join(tempDir, "cmdline") + + if err = os.WriteFile(cmdlineFile, []byte(cmdline), 0o644); err != nil { + return err + } + + unameFile := filepath.Join(tempDir, "uname") + + if err = os.WriteFile(unameFile, []byte(talosconstants.DefaultKernelVersion), 0o644); err != nil { + return err + } + + osReleaseFile := filepath.Join(tempDir, "os-release") + + var buf bytes.Buffer + + tmpl, err := template.New("").Parse(talosconstants.OSReleaseTemplate) + if err != nil { + return err + } + + if err = tmpl.Execute(&buf, struct { + Name string + ID string + Version string + }{ + Name: version.Name, + ID: strings.ToLower(version.Name), + 
Version: version.Tag, + }); err != nil { + return err + } + + if err = os.WriteFile(osReleaseFile, buf.Bytes(), 0o644); err != nil { + return err + } + + splashFile := filepath.Join(tempDir, "splash.bmp") + + if err = os.WriteFile(splashFile, splashBMP, 0o644); err != nil { + return err + } + + sections := []section{ + { + name: constants.OSRel, + file: osReleaseFile, + measure: true, + }, + { + name: constants.CMDLine, + file: cmdlineFile, + measure: true, + }, + { + name: constants.Initrd, + file: initrd, + measure: true, + }, + { + name: constants.Splash, + file: splashFile, + measure: true, + }, + { + name: constants.Uname, + file: unameFile, + measure: true, + }, + { + name: constants.PCRPKey, + file: pcrPublicKey, + measure: true, + }, + } + + // systemd-measure + if sections, err = Measure(tempDir, signedKernel, pcrSigningKey, sections); err != nil { + return err + } + + // kernel is added last to account for decompression + sections = append(sections, + section{ + name: constants.Linux, + file: signedKernel, + measure: true, + }, + ) + + if err = os.RemoveAll(output); err != nil { + return err + } + + return buildUKI(sdStub, output, sections) +} + +func main() { + if err := run(); err != nil { + log.Fatal(err) + } +} diff --git a/hack/ukify/measure/measure.go b/hack/ukify/measure/measure.go new file mode 100644 index 000000000..b58c6cd71 --- /dev/null +++ b/hack/ukify/measure/measure.go 
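Review bot: The flag for the PCR signing certificate is registered as `prc-signing-cert-path` (transposed letters) in run(), so the spelling every other flag follows, `-pcr-signing-cert-path`, is rejected by flag.Parse; change it to `flag.StringVar(&pcrSigningCert, "pcr-signing-cert-path", "_out/uki-certs/pcr-signing-cert.pem", "path to PCR signing cert")`, and as far as this hunk shows pcrSigningCert is bound but never read afterwards, so either wire it up or drop the flag. The os-release rendering imports `html/template`, which HTML-escapes the Name/ID/Version values it substitutes (`&`, `<`, `>`, `'`, `"` and `+` become entities); a plain-text file should use `"text/template"` in the import block so a version string containing such characters is written verbatim to /etc/os-release. Minor: Measure writes pcrpsig with `0644` while every other WriteFile in the file uses `0o644`, and the comment `// find the first VMA address` in buildUKI describes the page-aligned VMA past the last existing section, e.g. `// place the new sections after the last existing one, page-aligned`.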
@@ -0,0 +1,259 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package measure
+
+import (
+ "crypto"
+ "crypto/rsa"
+ "crypto/sha1"
+ "crypto/sha256"
+ "crypto/sha512"
+ "crypto/x509"
+ "encoding/base64"
+ "encoding/hex"
+ "encoding/pem"
+ "fmt"
+ "io"
+ "os"
+
+ "github.com/google/go-tpm-tools/simulator"
+ "github.com/google/go-tpm/tpm2"
+ "github.com/google/go-tpm/tpmutil"
+
+ "github.com/siderolabs/ukify/constants"
+)
+
+type PCRData struct {
+ SHA1 []bankData `json:"sha1,omitempty"`
+ SHA256 []bankData `json:"sha256,omitempty"`
+ SHA384 []bankData `json:"sha384,omitempty"`
+ SHA512 []bankData `json:"sha512,omitempty"`
+}
+
+type bankData struct {
+ // list of PCR banks
+ PCRS []int `json:"pcrs"`
+ // Public key of the TPM
+ PKFP string `json:"pkfp"`
+ // Policy digest
+ POL string `json:"pol"`
+ // Signature of the policy digest in base64
+ SIG string `json:"sig"`
+}
+
+// signatureData returns the hashed signature digest and base64 encoded signature
+type signatureData struct {
+ Digest string
+ SignatureBase64 string
+}
+
+// SectionData holds a map of Section to file path to the corresponding section
+type SectionsData map[constants.Section]string
+
+func calculatePCRBankData(pcr int, alg tpm2.Algorithm, sectionData SectionsData, privateKeyFile string) ([]bankData, error) {
+ rsaKey, err := parseRSAKey(privateKeyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ // get fingerprint of public key
+ pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey))
+
+ sim, err := simulator.Get()
+ if err != nil {
+ return nil, fmt.Errorf("creating tpm2 simulator failed: %v", err)
+ }
+
+ defer sim.Close()
+
+ for _, section := range constants.OrderedSections() {
+ if file, ok := sectionData[section]; ok && file != "" {
+ if err := pcrExtent(sim, pcr, alg, append([]byte(section), 0));
err != nil {
+ return nil, err
+ }
+
+ sectionData, err := os.ReadFile(file)
+ if err != nil {
+ return nil, err
+ }
+
+ if err := pcrExtent(sim, pcr, alg, sectionData); err != nil {
+ return nil, err
+ }
+ }
+ }
+
+ banks := make([]bankData, len(constants.OrderedPhases()))
+
+ for i, phase := range constants.OrderedPhases() {
+ if err := pcrExtent(sim, pcr, alg, []byte(phase)); err != nil {
+ return nil, err
+ }
+
+ sigData, err := calculateSignature(sim, rsaKey, pcr, alg)
+ if err != nil {
+ return nil, err
+ }
+
+ banks[i] = bankData{
+ PCRS: []int{pcr},
+ PKFP: hex.EncodeToString(pubKeyFingerprint[:]),
+ SIG: sigData.SignatureBase64,
+ POL: sigData.Digest,
+ }
+ }
+
+ return banks, nil
+}
+
+func parseRSAKey(key string) (*rsa.PrivateKey, error) {
+ keyData, err := os.ReadFile(key)
+ if err != nil {
+ return nil, err
+ }
+
+ // convert private key to rsa.PrivateKey
+ rsaPrivateKeyBlock, _ := pem.Decode(keyData)
+ if rsaPrivateKeyBlock == nil {
+ return nil, err
+ }
+
+ rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes)
+ if err != nil {
+ return nil, fmt.Errorf("parse private key failed: %v", err)
+ }
+
+ return rsaKey, nil
+}
+
+func calculateSignature(rw io.ReadWriter, rsaKey *rsa.PrivateKey, pcr int, alg tpm2.Algorithm) (*signatureData, error) {
+ pcrData, err := tpm2.ReadPCR(rw, pcr, alg)
+ if err != nil {
+ return nil, fmt.Errorf("reading pcr failed: %v", err)
+ }
+
+ pcrHash := sha256.Sum256(pcrData)
+
+ tpm2Session, _, err := tpm2.StartAuthSession(
+ rw,
+ tpm2.HandleNull,
+ tpm2.HandleNull,
+ make([]byte, 16),
+ nil,
+ tpm2.SessionTrial,
+ tpm2.AlgNull,
+ // session hash alorithm is always SHA256
+ tpm2.AlgSHA256,
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ defer tpm2.FlushContext(rw, tpm2Session)
+
+ sel := tpm2.PCRSelection{
+ Hash: alg,
+ PCRs: []int{pcr},
+ }
+
+ if err := tpm2.PolicyPCR(rw, tpm2Session, pcrHash[:], sel); err != nil {
+ return nil, err
+ }
+
+ policyDigest, err := tpm2.PolicyGetDigest(rw, tpm2Session)
+ if err !=
nil {
+ return nil, err
+ }
+
+ policyDigestHashed, err := hashFromAlg(alg, policyDigest)
+ if err != nil {
+ return nil, err
+ }
+
+ sigHash, err := alg.Hash()
+ if err != nil {
+ return nil, err
+ }
+
+ // sign policy digest
+ signedData, err := rsaKey.Sign(nil, policyDigestHashed, sigHash)
+ if err != nil {
+ return nil, fmt.Errorf("signing failed: %v", err)
+ }
+
+ return &signatureData{
+ Digest: hex.EncodeToString(policyDigest[:]),
+ SignatureBase64: base64.StdEncoding.EncodeToString(signedData),
+ }, nil
+}
+
+func hashFromAlg(alg tpm2.Algorithm, data []byte) ([]byte, error) {
+ signHash, err := alg.Hash()
+ if err != nil {
+ return nil, err
+ }
+
+ switch signHash.String() {
+ case crypto.SHA1.String():
+ digest := sha1.Sum(data)
+
+ return digest[:], nil
+ case crypto.SHA256.String():
+ digest := sha256.Sum256(data)
+
+ return digest[:], nil
+ case crypto.SHA384.String():
+ digest := sha512.Sum384(data)
+
+ return digest[:], nil
+ case crypto.SHA512.String():
+ digest := sha512.Sum512(data)
+
+ return digest[:], nil
+ }
+
+ return nil, fmt.Errorf("unsupported hash algorithm: %v", signHash)
+}
+
+// pcrExtent hashes the input and extends the PCR with the hash
+func pcrExtent(rw io.ReadWriter, pcr int, alg tpm2.Algorithm, data []byte) error {
+ // we can't use tpm2.Hash here since it's buffer size is too limited
+ // ref: https://github.com/google/go-tpm/blob/3270509f088425fc9499bc9b7b8ff0811119bedb/tpm2/constants.go#L47
+ digest, err := hashFromAlg(alg, data)
+ if err != nil {
+ return err
+ }
+
+ return tpm2.PCRExtend(rw, tpmutil.Handle(pcr), alg, digest, "")
+}
+
+func GenerateSignedPCR(sectionsData SectionsData, rsaKey string) (*PCRData, error) {
+ sha1BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA1, sectionsData, rsaKey)
+ if err != nil {
+ return nil, err
+ }
+
+ sha256BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA256, sectionsData, rsaKey)
+ if err != nil {
+ return nil, err
+ }
+
+ sha384BankData, err :=
calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA384, sectionsData, rsaKey)
+ if err != nil {
+ return nil, err
+ }
+
+ sha512BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.AlgSHA512, sectionsData, rsaKey)
+ if err != nil {
+ return nil, err
+ }
+
+ return &PCRData{
+ SHA1: sha1BankData,
+ SHA256: sha256BankData,
+ SHA384: sha384BankData,
+ SHA512: sha512BankData,
+ }, nil
+}
diff --git a/hack/ukify/measure/measure_test.go b/hack/ukify/measure/measure_test.go
new file mode 100644
index 000000000..5e3340561
--- /dev/null
+++ b/hack/ukify/measure/measure_test.go
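Review bot: parseRSAKey returns `nil, err` when pem.Decode finds no block, but err is still nil from the successful os.ReadFile, so a malformed or empty key file yields a (nil, nil) result and calculatePCRBankData then dereferences `&rsaKey.PublicKey` on a nil pointer instead of reporting the bad input; return an explicit error there, `return nil, fmt.Errorf("no PEM block found in %q", key)`. The wrapped errors in this file (`"creating tpm2 simulator failed: %v"`, `"parse private key failed: %v"`, `"reading pcr failed: %v"`, `"signing failed: %v"`) use `%v`, which drops the cause from errors.Is/errors.As; `%w` keeps the chain at no cost. The exported PCRData, SectionsData and GenerateSignedPCR have no doc comment starting with their name (the existing `// SectionData holds ...` comment misspells the type and `// list of PCR banks` on bankData.PCRS describes PCR indices, not banks), so a reader cannot tell from the file that PCRData mirrors the systemd-measure JSON layout. In calculatePCRBankData the `sectionData, err := os.ReadFile(file)` local shadows the sectionData parameter inside the loop body; a name like `content` avoids the double meaning.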
@@ -0,0 +1,163 @@ +// This Source Code Form is subject to the terms of the Mozilla Public +// License, v. 2.0. If a copy of the MPL was not distributed with this +// file, You can obtain one at http://mozilla.org/MPL/2.0/. + +package measure_test + +import ( + "bytes" + "crypto/sha512" + "encoding/hex" + "encoding/json" + "fmt" + "os" + "os/exec" + "path/filepath" + "strings" + "testing" + "time" + + _ "embed" + + "github.com/siderolabs/ukify/constants" + "github.com/siderolabs/ukify/measure" +) + +const ( + // ExpectedSignatureHex is generated by running main() + ExpectedSignatureHex = "12e432978d18c9f720b3fb922cab180ca025ecd5f918966d1f878ae93f1eedbc6b20885d5a9f1c4ffdd4bf2dc3c25dc1097b6c5109d9c9a90128eff20056ace7" +) + +var ( + //go:embed testdata/pcr-signing-key.pem + pcrSigningKeyPEM []byte +) + +func TestMeasureMatchesExpectedOutput(t *testing.T) { + tmpDir := t.TempDir() + + sectionsData := measure.SectionsData{} + + // create temporary files with the ordered section name and data as the section name + for _, section := range constants.OrderedSections() { + sectionFile := filepath.Join(tmpDir, string(section)) + + if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { + t.Fatal(err) + } + + sectionsData[section] = sectionFile + } + + signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem") + + if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil { + t.Fatal(err) + } + + pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey) + if err != nil { + t.Fatal(err) + } + + pcrDataJSON, err := json.Marshal(&pcrData) + if err != nil { + t.Fatal(err) + } + + pcrDataJSONHash := sha512.Sum512(pcrDataJSON) + + if hex.EncodeToString(pcrDataJSONHash[:]) != ExpectedSignatureHex { + t.Fatalf("expected: %v, got: %v", ExpectedSignatureHex, hex.EncodeToString(pcrDataJSONHash[:])) + } +} + +func TestGenerateSignatureUsingSDMeasure(t *testing.T) { + if os.Getenv("UKIFY_TEST_USE_SDMEASURE") == "" { + t.Skip("skipping test that 
requires swtpm") + } + + tmpDir, err := os.MkdirTemp("", "measure-testdata-gen") + if err != nil { + panic(err) + } + + defer os.RemoveAll(tmpDir) + + sectionsData := measure.SectionsData{} + sdMeasureArgs := make([]string, len(constants.OrderedSections())) + + // create temporary files with the ordered section name and data as the section name + for i, section := range constants.OrderedSections() { + sectionFile := filepath.Join(tmpDir, string(section)) + + if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil { + panic(err) + } + + sectionsData[section] = sectionFile + sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile) + } + + // start swtpm simulator + tpmStateDir, err := os.MkdirTemp("", "swtpm-state") + if err != nil { + panic(err) + } + + defer os.RemoveAll(tpmStateDir) + + cmd := exec.Command( + "swtpm", + "socket", + "--tpmstate", + fmt.Sprintf("dir=%s", tpmStateDir), + "--ctrl", + "type=tcp,bindaddr=localhost,port=2322", + "--server", + "type=tcp,bindaddr=localhost,port=2321", + "--tpm2", + "--flags", + "not-need-init,startup-clear", + ) + + if err := cmd.Start(); err != nil { + panic(err) + } + + defer cmd.Process.Kill() + + time.Sleep(1 * time.Second) + + signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem") + + if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil { + panic(err) + } + + var signature bytes.Buffer + + sdCmd := exec.Command( + "systemd-measure", + append([]string{ + "sign", + "--tpm2-device=swtpm:", + "--private-key", + signingKey, + "--json=short", + }, + sdMeasureArgs..., + )...) + + sdCmd.Stdout = &signature + + if err := sdCmd.Run(); err != nil { + panic(err) + } + + s := bytes.TrimSpace(signature.Bytes()) + + signatureHash := sha512.Sum512(s) + + fmt.Println(hex.EncodeToString(signatureHash[:])) +} 
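Review bot: TestGenerateSignatureUsingSDMeasure reports every failure with `panic(err)` rather than `t.Fatal(err)`, which aborts the whole test binary instead of failing this test and skips the deferred cleanups; the two `os.MkdirTemp` calls can also become `t.TempDir()` as in the sibling test, which removes the `defer os.RemoveAll(...)` lines. The swtpm child is bound to fixed localhost ports 2321/2322 and assumed ready after `time.Sleep(1 * time.Second)`, so the test is flaky on a busy host; polling the control port until it accepts a connection would be more robust than a fixed sleep. `defer cmd.Process.Kill()` discards its error and deserves either a check or a `//nolint:errcheck` comment stating that a dead child is acceptable here.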
diff --git a/hack/ukify/measure/testdata/pcr-signing-key.pem b/hack/ukify/measure/testdata/pcr-signing-key.pem
new file mode 100644
index 000000000..26f0efd92
--- /dev/null
+++ b/hack/ukify/measure/testdata/pcr-signing-key.pem
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKQIBAAKCAgEA7qhAkdtZxqkIP79DDGin9eaJBeNlJsClJTcbaXbNfk2QJGT3 +lqo9ErXQQftwYWLGo+kVd8puhnHGPkLW9apT1/ZmUJEFwxV5xws0RllGVPhUga+1 +oubHUqhEiy707S4RrUEMk/o9wqmtnl2hY5FxMeQn2o7xrpcNhm8FtHpvQrT0MsbC +1cS1ytZH/hwPy/QIB9bx+ugOha6wtQBnpgix1BhHC/NwDIYPg+ONpQSCu9gkXVtL +GlKfmjscUANQtBuVKa5NflrjkHw7NAdKYdKpMnmzr0yu6Tn/2oNmUiJAwHz0BXpf +b4Yn8n/IoKJQ5Tv1g6d30wxxpBd0lbwSe9MLRchIDJ5aFRybyRxaPGT17U3yEVzb +V78kIFtocaqkc1ise8remZ0wxHzuolbTZD6oswt7C9jMLvfMAQ7JtENXrpDM//Xz +dRLzyTWKOjhG0YmKKRY6cIrPkugM0PHGCE3RMSH1FmPMrWWBNAMwS0Zba0Wm1b7v +dw5fKeE8txH+IpA3IaE9AytYk0ig98ZgmXmBV0sgxmJ/94scEF+sDg65LIkSEJMz +f6q30UghbJJoP7eKOoDX9KBrR+POEsWm/EcU5jTEQTHMU+qKtj5KD6TUn8R8yi4w +CnyZ7uJLUqm8Ou8MzEZWbrsrbMvrewPDAHn0QQvb2tDtBgn6oH192jpkzckCAwEA +AQKCAgEAkiWcrPU7i+lVMNxqLb4lJPOQ83cmKU4Nk7WkZrgm7PKIk5D1AWGs1rla +GB3m2uxHIncI+3uOpWwk71m1E2nDwFuWmj3E3otXMKnO0Em5RS1xap10SJa0dwyu +NOGDgX8Vuhg8oJ28lmmb9X/25edZ/yhts2yX2ceMs8dnIfdcDOiNJk8LXycAAH+q +RJVgoxAEnvBk7LaQthKdCap+znFCnNRlJY9lDXZHKAgAZI5XlLquwjC21B7GuAb8 +to7hK/o8JPMlZ3w3IPLCuoDAbxk3Hb7jZzU5Y39uC50t2pw5NOcP9A7VRJFOAzV3 +Yc8kZMyL85xpR2e2a7slXNB4LTW3D0zy/fSO63R9cLNrlp+I9p7xDgz1mylo8FoW +T1TyNAWo/gIa7r43Ufp/C0lrWSd5gkz2nMVWiFl8M1lpx7zDSZk8U1sKzFZswmFQ +h5On7kxo14gUdzogb1hrJuEI9Ke52kRb4YMm094LFI/BWQ89QF0NXJ6CSkb2MyWc +f0kyfEMRUbmHi/EfpQlKK2uhOsxXdhZN2VP4nl1Yg0xxv0cLSMcP7DdJPso5VSC/ ++wF8ni7+GMEDtntMEGjuXjq/zypyjptaRKpw4iRqxydUqa0C1PovzDoUDn7eKJBv +2p9evDG8zWenZ7g/VYWy4ZtpwVa3SAXeeuLmdllphPp6n6uweFECggEBAPiSb2IY +O33JRmxQeqrc6cmcv1l4AbedSr3F7X4DC+HZCkG27bZlzMBqbAQichC/pPhx544S +CBxB7e1Qsqjw8LLNea0sQsRbVXMSQpwBqjJ2g4mCN4S/hPQHSeESODPz/OaZrQq5 +iVSckrAlbgFs8HepOLxTQQVVp97m+vrnwlh7SZj/CXXi5QcZ4tHPNTFLLtwCgBUA +X0Ausn9hpeHrud8imzQuPXJRgBMaF0BYRUxj0fjp3sty2ZfjiPjhTrdSCWOiJUSb +onDb6kyYwN/hBEt7JNbSbC7viOM72/TwJQqDn4Bw8C7E0kiy3ZpQiCdyOYWnyDZP +SyDhAM4nHLNYss0CggEBAPXJ+DMmLCPkE5OOElxGU+JIPM28+5jhKn+HcswAS5VV +6tp1m8gIrmgwTpXA9aGi9BjPHzo6y3s1sNYHp3lGr5nSdgQaYuLvBR56FE0RXVP7 
+bUHiN//R7a8QTkyYCqdrQNxLAzEARBNZaMIhMPfPXDDevFZWunAxIDXxC9IVRpjS +VjmKwqLuk66uInko4qEn34NiU25x+VpDOjz0fia58VTlL9WrYy0w/QANVlg1JKRq +wjjx4kWnmCQ1qQeagB+xqJtrEc/GK4z6qY/OC0pKZA26t6sXhkmn0zQshmwSAZem +/QtEW3lDmsfAlvEibJUSshXz3ygWz4v21nWocF4gXu0CggEBAPgwXf43686gVSx4 +/sHzaYrgcz5F0JEhACuToJmdORP7vX33xEnGQzYsDEXkjreiYnmeYXE9F9P/EC1P +0dNVHz+oYcFC3DdqaltG9DMIhoN0ScnWttBY2cs+K8oKgwt8phspfdmjfzd4Tg6K +kNfjigYwdHG1Psqwx7iMMDStiyMFlmqo2y1Vqw/4DL0ogxgA1XzfEjvl7zUKazc8 +rIBy+VeOGiFzue6W6aYo+uZIPIkVceVyvf2tYw2BJpY5gHsR8kYE8+kY7Ix7R+nK +62meJsem4RWNbG9AxBD/B5P84z8oRO3d1jMcWko0LYeSuR+JsV1+NS3k5kKh5kfw +TXvVKFECggEACMp4fhvXaFE4AgcK0RIS3f0Hb7Raq1UiV/1YNcOs8GJqS/X45Gar +Fj7kEKceIfHaGSkPTN3deUKqWH1dmBDXJwFIB02KS+OQo05qe3crh11uwvR8XEH9 +5k0G/+ZQOzyyzS5BpvcDeE2yWX8maTaZbYYJ5myjrm+TX1qHubPZGo4rV1OHMpyl +25GO2haERI9Qhzp1EXYyHPBanOOBv5DW+NpZo6LFoVAnPGE9vVnpPZgz6iV8mlEs +N99TdFoqSvfnt+dUc8H6vMgaWHJeJQIUIgmTmCL3QpsmCq+s/yCFvg7S7hw7yVKJ +rqtMusMobwyEIhTe3mgydCcX9I1Zt4Qg4QKCAQAnnNjOMflzEz+TvGNPUyVyzXef +xRs2XBDipX/vPK7L3VvgiXGQuOAq4PYj7NdYHfIiVmFeqz7eY9gMmQyoscMwVPCm +X+FuHepHXfcxUjQwnpFa/lAqpNxspgU09CQXW5hUkIdWblZePtRiGKvlo51CdzU5 +KlOylrIXl6opsApdrgSCduBtuR9uz2Cn3NiaG0Xe2x67VphclNaW+RATU4bUJEMn +9aO8k+wp8CjlJ1xjSrhqIIBHGMmouyK5J0r3S3vRlTCLEjGpGq8+Z9shVkfuDk6N +HOB2KZ1LN68eOYb4eZFKE+l2nGylFsHlOtkagX1IxtVoW+a5vDenGBNd+gC9 +-----END RSA PRIVATE KEY----- diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go index e27ca5813..7ad01be59 100644 --- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go +++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go 
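Review bot: This hunk commits an RSA private key, and nothing in the file or the test says it is a fixture whose only purpose is to pin ExpectedSignatureHex in measure_test.go, so secret scanners will flag it and a reader may mistake it for a real signing key. pem.Decode ignores text before the `-----BEGIN` line, so a one-line header such as `Test-only PCR signing key for measure_test.go; never use it with ukify or gen-certs.` can live in the file itself, and the `//go:embed testdata/pcr-signing-key.pem` directive in the test could carry the same remark. Worth adding a scanner allowlist entry for this path so the fixture does not produce recurring false positives.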
@@ -370,15 +370,6 @@ func WriteIMAPolicy(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) { }, "writeIMAPolicy" } -const osReleaseTemplate = ` -NAME="{{ .Name }}" -ID={{ .ID }} -VERSION_ID={{ .Version }} -PRETTY_NAME="{{ .Name }} ({{ .Version }})" -HOME_URL="https://www.talos.dev/" -BUG_REPORT_URL="https://github.com/siderolabs/talos/issues" -` - // OSRelease renders a valid /etc/os-release file and writes it to disk. The // node's OS Image field is reported by the node from /etc/os-release. func OSRelease() (err error) { @@ -408,7 +399,7 @@ func OSRelease() (err error) { Version: v, } - tmpl, err = template.New("").Parse(osReleaseTemplate) + tmpl, err = template.New("").Parse(constants.OSReleaseTemplate) if err != nil { return err } diff --git a/pkg/machinery/constants/constants.go b/pkg/machinery/constants/constants.go index d6815972b..737c564b5 100644 --- a/pkg/machinery/constants/constants.go +++ b/pkg/machinery/constants/constants.go @@ -865,3 +865,12 @@ var DefaultDroppedCapabilities = map[string]struct{}{ var UdevdDroppedCapabilities = map[string]struct{}{ "cap_sys_boot": {}, } + +// OSReleaseTemplate is the template for /etc/os-release. +const OSReleaseTemplate = `NAME="{{ .Name }}" +ID={{ .ID }} +VERSION_ID={{ .Version }} +PRETTY_NAME="{{ .Name }} ({{ .Version }})" +HOME_URL="https://www.talos.dev/" +BUG_REPORT_URL="https://github.com/siderolabs/talos/issues" +`
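Review bot: OSReleaseTemplate drops the leading newline that the removed osReleaseTemplate constant started with (old: backtick, newline, `NAME="{{ .Name }}"`; new: `const OSReleaseTemplate = \`NAME="{{ .Name }}"`), so the /etc/os-release rendered by OSRelease no longer begins with an empty line. That reads as a deliberate cleanup, but it is a change to a file other tooling parses and is not mentioned in the commit message; a short note there, or a `// Note: the template starts at NAME= on purpose; do not reintroduce a leading blank line.` comment on the constant, would record it. The OSRelease function in the sequencer hunk starts and ends outside the hunk, which only swaps the constant reference.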