[pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations

From: Fiona Ebner <f.ebner@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH edk2-firmware 5/6] Initialize the Secure Boot dbx in *.ms.fd with the latest revocations
Date: Fri,  7 Nov 2025 09:54:32 +0100	[thread overview]
Message-ID: <20251107085441.5093-6-f.ebner@proxmox.com> (raw)
In-Reply-To: <20251107085441.5093-1-f.ebner@proxmox.com>

Follow Debian commit 45c101a4b5 ("Initialize the Secure Boot dbx in
*.ms.fd with the latest revocations") and pick up the latest
revocation DBX files from Debian's debian/2025.05-1 tag.

Adapt how entries in debian/source/include-binaries are handled,
because it already contains different entries in Proxmox VE's
downstream.

Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
 debian/DBXUpdate-2025-02-24.arm64.bin | Bin 0 -> 4613 bytes
 debian/DBXUpdate-2025-10-16.amd64.bin | Bin 0 -> 24053 bytes
 debian/rules                          |  19 +++++++++++++++++--
 debian/source/include-binaries        |   2 ++
 4 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 debian/DBXUpdate-2025-02-24.arm64.bin
 create mode 100644 debian/DBXUpdate-2025-10-16.amd64.bin

diff --git a/debian/DBXUpdate-2025-02-24.arm64.bin b/debian/DBXUpdate-2025-02-24.arm64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..33520068f2602fbd2c739b7f71e8946f5ba6ccd4
GIT binary patch
literal 4613
zcmd6p2{hDeAIE328|x5lhN4pV&y1Z!6N!+0DZ9ZKjK<grV~wjsH%rolEM;qv<;q@H
zM3F3&glt)&NcQ(X-P^srbKm>E=e*~<=e%?NXJ&rS^L>8L^Z)(7&*%TVVuP~^@(V$}
ze^$7`f3O9fYu#mfL+*1Y5{l%*lq?7Z0F8SP28CjH0VFGjL#!^807t-}ED(T;l|wpK
zH+C5bWrNabobvz;Y^1>_>2Men1{1`A=`h4*?xex6tS8?l!7wuXJ_O1IiX$U1TmT0v
z+#JCw2s1au2m<_!fL)N&($UwQ=<P-&dt>+j9!4XZAe#xn#f$9ig4qr1WVCP!3K<Zc
zDP&)=D;13=Q+&u2M=B8<Ar0(j^uq<k|7AZ~Ut1rI*Fs|f3<lV}4T+Tpl(ATh3J$<3
z+kl}07y`eCKxFLyWQhPE``Z%t{kcR-qPGh<z!z<<t#bmcPY6P52Rgeudb<%A0YHOF
z{8&El0l;ZcUa;U$P8baeh14HB`pBApL&RxhmZy!7oN1nzYBZ0u?=Y<UkUufOm%yQ#
z?G%iU*F?NYLqlwzT~IXmdTzl@`(u5P(Xn?=UxdmVhXtJX2HGg%?aTXIgYOrqu-(?D
z#V<!!P8K-ZR!FZ6Tdkpsa<{xJTPqL`R3&AHM%g7WI~D{R@-%tE^CGG2Yp-{)Bkg{s
z^fv{b3ds<4`of81#hJ~i&)rWNFnF8T70vhL)-TVe2{WCPHKmG`<i{aj6ONObcitTo
z2>7Ix9mOR_E!1^e($i73989U0%#l97e8VCfm~xx~b`fDzvD^Xguw(X)mD`gm)R#}N
z<Khqn<yN9mDw+M!h9=W6I1~cSr9p{cMF;>2tnMyJ1d?IWgRD>ll%`|^1$Hr7c@V+~
zl-%~lss%5b;+x~L)35zHr?yAo`2lT4H$OrHP|s5Zl)u}I>+ftP{B0Hliy#t<RZ&sI
z98>_XN-7vYjFDy!LIe<wKsl}BJLnpD?QR0yrw7c7L!LfJum>y{0x^UUU;yaTPtcFY
zYP(aZKB{tZ0RaKBUf(S(>rD2N^C1z*KE86!6i+$OD4@wf@8Y!>&b4QJ$pDHnSb15n
zTM`QZ4y^3py|S>dL7@mUzyvt;JqBR0$Nu9K1Payn-%mmXxEU)KghICvFaYwS9l_lU
z+7SwoARoHv7oU;k4I`)(%sWgpTm=r~1Y28gcYIjrZY7s{Ou8gxOvq=?PyR^F3){@t
z()iK+-o3TDGxuSmOXH%7o%nVfT`O6AK%20QR$TvjT7;@!9IWQvX3`Ut?J*P+J*hQ)
z$QgY_P23S0b0Nf_hjf*&pJ-+6@#{cEOqDLBARW<HHP(Hh^)yMmT4^$JN@0E0GC?5Z
z4tK4^kjx2}&(qf$K6ut7Mm*BUXs1qY!J{=YUuQbiumbm-Mf_hzeMYL+S4l@M@7+ZU
zeNc8Ww8-jUMgNz)AV=*PQeB<T?j2=-@x_Frz8g(3rLKDU_R^{}d%xQe#3&n*r-&!#
z1CW7}AOoNO#z0O-&aU`x=z}vA3y8e*KjDfRpaMQ35PjG`x$*-V(Pr*MiVOObBZV4-
zHgKen2vi?WM`r@sgiNL~SO^kP5i5@c<S|$k1`8E`3l$jQ{{yc769ro)D-!BUETzh&
znm<geSq2}2*|H&D>5WmP$IE$VyryTut4D2|v7!9ijCe-53Y3LXFFam)7kwx5>Y<6H
z%1gZ*!y^rd!eU_OknU&JQ<*LW#^J3oMi<esottvQ*SBa5vr`?Ni>4k<s$BT$5y_2B
zmX)3s)NTHeJ?E2rD)V+3%#@C0tqM2wHMaLmw#bcT%<WBt&m?_H{LrkohUXXHI#+Q#
z#q-TL;{5ay4l&IKl|DPR5+$g<CCMS@?ys{|V^sI1<gB#Stu>zRpu_L464ag^kiNc7
zvCf$;P5JmmK``PmZ05cF(`)`6ADvSg%YrncgW|$RO$sNkg|HDX3Vo-b5lBIOfbS3Z
z2|*FyTN&~L0skeLME@9of+4tfb3#lZeh?=J9-;+;6x{l}2u7M%fcFm$umErn2mi!8
zZC4Zg@Hs2~`d-8AJ?89csuCWBz!}B}F@!l_3K-Lk=mxR+zXJ(m*I$|U4R}5jvWuVd
zA5a3V3;Gr`E$CGS`~Vs70u&hV`|rso=llcq{(c53)Aohaz+(19$1kBSi@@5X)z_p`
zc5?U8yA~!*Tnp!ND*S?zA-81m{B1r2RaPr`7>Dq=d>MB61aqrfF5D6Lu%<KK%7wev
zvQ;$Ko~8Ho<LAUqU43ljv~4%A)UZ@l6Udf(aP#VGd5h>7T3e}>q)!%UYBQO)?~2&i
z#AUI&(%eb<Tl)|2g)H}l-t6+PW@!zY<xNh>YT6tkpY!Am>1os+lsCSj!aHVX(J#Vs
zWsxoa=skMC2D|8|vldUU$L`6CYtP@XI@d#V6S{OR@>96r7&0+IJuZ5BwDTc;tVAX{
z^@7Jio6uvcCbuG6Wp@7Z&SVI}|26Y)qeJ;Ht|B+Siy+FmeWExtuaOpKsC-8b`3Mz9
z-bj+IRe3Nm-u&);$G+%~mydotkeIBar53rvt$zh?O=w5fZa`9u7X8!;iuSIb($Wli
zCu79vvCrSzWcCU%q>Ohtj^(*_Q;8`mQfv)C+)`3>e5FU+A>Z#l+Y5W<d71mgGf#=2
zk~{OY@Eje7q87F$aoWPhr^z6!Lw$eoO$n5KTVucebl4F~g}dWMe)r2A;1Z^#mx6Zn
zUeyv4iZ%1O`xdFd8(J<;sY!ECn-7}Kxx3RgN4P5P(bSGF6={-W<?ExDRuh8Kn~6M?
zxjWG;X<yq=rI5as&kZO(KaxCsM@5Fi=QHJxEDaUAvC;L}7#g$%+-40hC=`fH|39GP
z-=4XDJhlID1P9NM2pSZE;vcIEj;dvy%CGj(BjCb313n_#4E1~jv0W=KpmrpT@51`t
z$Ko9<@};+BSiPjmhaJvrduEI$&p}Ww5R0hYKGqXM%i*714%fHgNQk$i9wLo+lKd&c
zK9&MGsh=PZ+_Gx#4xg32)@0nB-4|)$vOn^%Y}RJHluaa|c1cH@?aUcZkvnq1!BWV#
z?35x-JaCw_zMbPOg>#%$rC057!ZnSmJ5M>^s4osGs71B@sw`B!D*ManLj1h#jdI%~
zk7AUX%~4!%rFWz#Lqx&6bworVhrX>K%X_=qn@U>}<7~Z-l7}lY-(!D06nUA{P!$ms
zZtD7hI%3;(I56BRtw2h+rSasc6wTrytrf*o{Qh;sw^ud<0Dm54t_E1cu?7zv_AgFc
z4Af_{`@qU_-Yk*saCdW-@0B|G*UhWjI$)&Bllf6q{3goGdX6D`Lt_E<nZRl<f#;Eu
z8xP>INu$@vl$1ad>#Kw;DP}zqS=UBBFheKfwue#P$LkAlgx}LmSCvN5`;Hj#p?LqI
zfAV=P<BGU$b6b=m)-Oq;XFZ7v!d876Gj4KGy5saZvt9%ze_)HnY4&;=T!UZt&D@ww
zo$LuOGro#vy{#_YU4O~1$Ua-MRKly3hq@6ETrXE<=LVN|vun<<BP!6cxo>qd=l6^^
zJD&8?dL-4jN~*!Ls{Z4_%OwiR3UQRK)UUE#ZT!so#6|i0*^sBpLa>~UWOhP3bVltk
zU0tE>l>Jc1OXnqVW_^BzkeH(Ri<~m#@qN}or1yDf9<!ed`iXugb#-H?>;=sFvJp7v
zTG*jif-9>yRoJMJn{n9;e>valj$>j&CpBUBnDtfjfdf%FdM!9{=hS!wR7dI|T$#wk
zpilfsn!@5fOGRdVZCt+lq^PTIRt5W9gmF}3wnxX_XWN3Z=uX|E(XV*^vYvKQOrqus
zdb+=rP(@0kvEB&>qq1Ih(O2<(1>R|ao6F4kJJnX}tb0Qzi<36=gqK@1R+{!2AE_l+
zTlOie9$3=sWYz}^it^?n<G1Y8pxZgecRO(eatm^q+O@}x&&MZlk>r^5t?GAFBuX-t
z9H=^egGx^?zbUa1YtKI}Hz&`3c0gq^npy8udHp_J(`5aAdQrGUu7&^6p4#JGO<S3)
zn4Ld4>Q1pS>v35JpCPns3gm5I9b+uRl<t#HI&(5prss~RK#51XTbcEFiFTOdVL7_)
zoaYs~#>Rp1jS-1}6=&Om-sP2B+eY=6^%}GbOOp|sPWKKgR$i1)Sja^QDQ6T%==_{^
zASClzw+yrX4({#ITwnjC0hCJFVaFFV=mI>T*{gV<$&uIOmVn+RX8qzD8_n*b*RSsK
z)x3Me{?4>C-P0gX#@(M&*t~bGw85BJf8%CWQ{YjZ5~A9!1!HZUqgcc9t?3pX*2(Ud
z79-BjOfl;lOu0&0p1Zzmsj4=IX=Ja4SL4pLpA$%*Xum<}cSpo9>w5^jYVha<4`IIY
zLQh-YdmcES^!;xyj(F8Pe&f9g31imZ#_aYzEAak>UcH%>Vy&C7lB-6l?@u3dsVw3r
JC!a`L{R6gwL0kX;

literal 0
HcmV?d00001

diff --git a/debian/DBXUpdate-2025-10-16.amd64.bin b/debian/DBXUpdate-2025-10-16.amd64.bin
new file mode 100644
index 0000000000000000000000000000000000000000..07a95e2b09cc8c0e3ec40e035ca4c3cc30fadfc4
GIT binary patch
literal 24053
zcmd731yCJ*x8{qxdvFQCVM8FeLvRQd+}+*X-Q5Wm+=9EihaiFA?hZl1&HK$cXTIBe
z&Yh}THC2<MlJwrc{p{7<tDpZ`tDB$j&~Vt8xDfyO=QqmV|3O`%<;>McubZDqMV7Jq
zaDF!V3JOH|1qBJoiVi}BL(~tIgfxMMfr5mE03pL6(uYch-lIaoL*@q}U4R1rz8DC7
zkPi(72?d4y{;wQ6T-$2!+^aeNzrKY1ABF$;2qf}fIKZD38H5N2tqKE&4W+8giVed2
zX9EEnNzK5?+``t(+0K>~1BCX^i}2X+N+!lOcDBZ>q#)vdUO~dfm9sE%v~#jEbtV_J
zbF{Z}G;p@~`w4mw?LY5BV^jPu-zS$5mmwDwCT9b&vVutQQQ0^^9IPCyT<lyRZq2`&
zAO39<6cGA<Bt#I1`G15+^FKpWv#>R`b8{kB75^wjE@R?BF79q*ZeVL>^3Mh+5R&rW
z58vMt038U4{`Y`GB0&X0LPGpvXAFr@@7kMibtn1Eov|WLaZy<8w3>BO!eVhu+g?ZW
zVEJxfPGzHe<DO8WC^lZGwX<ryWyl>3ZSQ=){z5>wX(3aZ8uSE{PBD06{+U-Kgzxdw
z&^odfUqonw()QA%{n2*cZMK~mh7^5MyGU+s4VMZGGOduL+rxP<dh@jzD>{v9t%8d8
za>M{mtG4!3Qjy4e%DZ|(l($&kP*JQ5u2bXCuIzKIW1$|Wjdn{eHK|{CU6|<7XmmTY
zQb~8vhjaJ_<BLzM5zmd+hR0RZ_k<KK*Ys$=ucq#mwyFGtik!K6>tWq!&>@alLv`T(
zH>V=-;N{<)*Z7Y%y(OoCf`){EEDVIS_<KZ5KsbMoE(tXZ>OV=!00#*J8OW&s2_pID
zRWukp7#tbsfQYd^Mk5tclf1WE(r!6x`zRpsf8NG~5diTO@qoDgGtH3yyEMc5*SEmH
zVxzLLadUrQW#9m@bAMn5k^Lh>1w#PB^T#oK7M;u&C>l4zn$ucVt@N5`iqr#r{s$m~
zQ2@z-Wb&o*B|^o`ot^D@SXkWL+?Z|tGo_i0>}*)<tt{;9omh+<ty%si%HJgao4caI
z|75P-KYuZSJ}|MdGyi>?nhgZfheP<guduN2kdQDcASKYJ|J(*ag^K-ezrw`P+3ElL
zOPoO{|3r=r3Hb^G1%mkZbo_fY|4m0o2vIxHFH3SBL^(J)q7Of#aw8G*39-?Q-Ys6C
zT4Us|ni0gvhTpKVUGP7Am_5F;D146{kUmS~fcvt^vlc9Uy)t23sj7{c+PO`Uz#lsx
ziS;OSS9s*cm6X<!4(WlNE}F<fcrrK|4|-?k7QhLgFngHSu{?8At{LrAFt~8Y%O}i5
zbLK?_%52zy{PIHoGya=yIkWkEr=KCId4LkWjycpp@SV0!@(^;TPgtOp4g>A9<XN07
zHNmy|zNy4!YeM4Yj%|V@zjF5M9)j5MKFo6Rt;z|ytA^W`$G}I<x)hteR(QqIc&tBe
zc8i@N69+s=m&abN{EF_a14sJ{E2e)v@Zhfp&ioG#L^42{4gZ(*K?4pJC?Mhgh_CR1
zxc{D_zt+e0KYiujtdU&B+``eA{F8yBvj@4Hfuog)v%R%}kqNnyot^VPUijA$Kd`a0
zf!JBu{=*CZwaM|%=Kl?L{l9a;frG}#?kcr+weR|m_Mg-|#h`THQGZJBI@9mfqMz6t
zpZK+IYZ|e6W8y2IZ6kl>!cB@Dy4?t_%gkcjzim!fK-}Ewfhny75wA;L!+pv${;KFV
z5~2`C9y;}hWi#(Ju;=t}a_UCe(vSyPv~`R6<qz!d`2m~?%q^;j82jcT61kJ=-Rwua
zzQx}0`GWzL-HfxhQP3wbS5Zg((odq8SjfJO5{cHUdoU5lx9?$&F(Bz3c7F$9^Sx3d
zvY5Mmd~H+cTCH-RS1*4;oAcn`$ui-cprg-wcGM_1u1-9^<G}VGf;!pJo5*pUJU2@0
zt?>{F_6YOaRw_Nn@q)LA!~IVeRQT(HG9ZlqGCy2Mn7^ws#J@S<|I(S>{MQF?pkPo)
zksy>ITp$b~L?ML#8tLClA06f&nNSe=fB66`2>P!b{J%U;+*C<)(^nm{dqF;zN)>^Z
zhtjeXr2Wq)$Y4}K${@vjg?zbCng1}PzupDzdH*szdq+EC7o-0&rN62BH*fzY?cZGe
z$NWG{e}6z6|CrzZf9GQ{`ZwGA@4vwraQQ+9{ymuU!Qr<!$plbi^n6eBiNq+2`LmY?
zN~Wb}1&uDA@et)qMXs7h9?h+smWo~&#&?^>S5RhM_oYPcoo!R$>c%JwY9nt7^<WoP
zhGs0LBxTr|k9Foiw>`HlZSL@e41cm#*gprK1dde;Q`=`-9sY?&UrZ(2-A^W~r$>pA
zd8MVp@Va00E}nI5g&pxYMUPL+?)$TD=WC7bHQy`#i(N658+}*z^AZ7U>J5B}$hUmA
z7lb!g4xcCTLaB<v#!Ft*edjIAa1(q3uKcifQKKUH!h(;tr#eM<tC)h5Vl5doy~Q4t
z$^%B2h}$=m)*&z-GWmP;Yd7CF7KYE7yg?$|uk<eJ4Gfd#s$)SN#0j%|iDB;GZrb1L
z-`JU?2|iC2Ij4(?|0v8GKxDS`TU5hj9JS*GB2nSSh4*XO+viWhLLM7T3P_eTuC_|2
zsTN)}==Wi;Gva+!$~XaJPav3b&JPAZr7eiqm&{KWpr);pQNB-GQ+ia@U35SfeAF)+
zfbXLSynMMj@L<#LUaBmn#E}{6U6MKW5me)--&1gDsMUw2RIX0&AX&%~Cc_O?v9Di4
z<v{nYWp`{#)91bLI4-Cs)+xYi2^%~lx@%0Mw&Tj%PI!#;Nbk2mYc3=vhfRAJ!>NW?
z9Jubm!Emu+&nIfk(7)EM9aNM5Fvk|$oy!^sIq>%~>-k$8g96h3FL1~Iw&wo#s{P+e
z@V_-AOduqL_#~I}1XFv)44WC;=E@K$jwJb>|Mz!^w=!anFnql^zgAA$%V#RlQLWnV
zDDEZHu2(r%RPbbt_`c~D`U?qt<l06Dk=m8_t7RV6MIL<2AK`gu;3%1pcYJ5NY*E$q
z5Y|ocXAd!_FX(_LZM1Uc1d6bH^C)?}mGbipjXb{+3oB>arqt38=NvnxRC$`~U$5Wg
zW?jgwQZrx6tnUmBCOXg7$?Ic&^-2;J{iMVnY|svZ;BFEdTz;(L9Zn>s_+l(^vW5=d
zRgu#(%X7QSthN$fjL?P5`-|=?`DX_{_drS3T_L^a!>Pjy!^W46RQdF;)7Vj+Xs?<b
zkh5)`vDokM26|;bB??uR3IG0(Buabo>0e7W1nBQSotckr8qjQVo%*yl`*H3v{te3(
ztlg+kF9{{2Z)O!pij?+j>V=|9_2q=g5>4`ufcz~>P~l_t(?TM;BkkLj9cXd(Ijs=*
zw^qC<K9#maQ=UM6aCzxV=++1mVof={ogcGP7^;BrJ)=CrxtWJ$FgkiCkS9C|ZjrGz
zDaIl%>v9N4RRU3<8ZLb2lg!ArqSItRf&=pXWtksQi;VNt`qgcMrfzSl5t=c$Jx(Lo
zoS808l~GKAy!ulz;dx4dhUm8^J!*{nb-^83^-*1<7ML(P7xRiV2OzJU&|mO`NdZ+-
zPP$56?Y5bxV~042cvk-@gR*;4Bk>5xFTBI`C9!mf>U~=gQ{dfh0?(Mw<7Gwd(>dO$
zf2Vsr3*={vPH69Z+mtVjnYw*m-wzei{|e31$Nq!I%*b{*zH0;I>4uJ#8u)m=L@_R%
z+Lr2jpYuI#w*A30anZio!wHra1M=}t`)C#m?}cIn@KMa!R_f;vH)yD7)|>dH=29F>
zZe)QxhF#^+^vR1nh}ZeXKi@xnYsQ};$u4%-d5Yp1FVs96$m7fNAZv*ZmB6=u7gB&_
zC*_~!HZ+?`erQBvrYifHhyvspGN#{&Fem=`pw}(ak4l4Jox3UHY4<Aj#9|c>X_3JV
z<eBXg%tA}<ofOHw5|CA(lh`+^4Y4toQPr1zZ)H%d@d5IJQ(1ZI0v9<dO0~arcLMsF
zFKnE7oID&<W9_jmrv#jUyu<{80nHX%X6Ocw)j8ul#>1edjn&Er3iEy<#%+4dbs+C>
z6>m33DdnqD_|dT9ZQAn)2DuyhEw=gL_Hy_5i;)YE4_x7$YPdrXoytk;pADPL(h#2H
zKfpj!w`2JEnNv;A49G_=NNQZBG~UM4lqVxw8kkisc!t}?eM~aOccd895N`$YF|h>^
z)B8xo@D)xb<Fsdrr{DRmKG__EKUFQDb^A*a1NrLXYF0%WET_|ya%MA3?o-yX5Hk?Z
zd&=|&PQ<bwnqPqY0AgpQgiF=ZN@6)>V>7{1bn=&vjAVyJc&$2-@5B3^f&37DZ)x2b
zeE>0SV=0kr(Bf#6777h5i2)S+@m^wIsvnRaMSpLK-?INZC`|=>H0=`E>G+-B(ifE0
z?auBYvx=1{AaAUuwT$JS$&6F=`Hr1TsmAI7<+m7wyN1i*g*=n-qBxKjA0DZ8L7Hxt
zeCAa0F~<63ELXjhz&9EBc2q9J!fZVj$OkMv$>uV922z_?$pktzj~CSnTpb>hZ{*YA
zy*>HT77FBB>95jP5n!_1hn*7_REZo=7U`=B7rk~rBJQxcpWDg-`OTc_pdMyBT5R?C
z<5?0ns)pMmG!75=A7cC`gTMJmbAUYeN*`_Pjf`H(d&XwBZA|C`p_LMUBk5AO+tE4*
zI07gj&vu)PQjoKRRnRNG_Z(qtO8YwD?I|+0i}l_ohHd~E%x^K~^~MWRtFLhd4(?8>
z)oTtUENPL*-#t6rQTR+twXp#8M_~2&6!N*;Y(=h&hF}_UQiGu>HxrpY!<E&xH+KKA
z1M*Ard%x~>n4C+BKO7mpVBzo3A>(N0YJW&6BoaAqye$IqS8g>5S*r<=2YH3sz2D^7
z(`8|*(@fYH`D&%q<UV`?^B?oGk8HzT#HJ$x5x<g-&ajekGrPqb`i7Z&hNUtK@<oCA
zIB}bC4w`w>n?+(%=&ybup}7r|?@@bXSY^@abZoxn0{JT5-H09u`Ls2y`tJA2Qj*P9
zEzqv(tLk-s7R?&JXo2PbhGKL0N!w{L=;JV&<sEEX3MC_qfm+KzZ)@N5klx2#p#FeT
zMX<ipy5<!1M2Vc0C*m?3D3Z|RSV?Gm;CQTT0?a>o5-xu4()tx-$oeE9GZN}<${uWv
zfTVX)ss^J6#QDH@qWA>d(s`#{Y}!(Hs!l`VJ=OJUl}Cn0$Cn<uP|SrEU_8;#Qi}*`
zguCSwz1T*QRBZ5UX-no;@#+aCbmxQQ=k`GUY;oiK>QptC-s9{8S%zT^FKI>s>o#)p
z3%rV5HIgHkzqPI3?p*x&ifK<=`b4=iz(ui5N`Z3AM55sQ>(k{7cLz{^DHC(nS~6z-
zsY8WC2LAEE4Am4dSu$={hOGO_US1>|$X|W2;b>H`5Dxo_Dl}$Jr*U(w&A4&Y@?v~n
zN#A<gCk^Da-o_^IJB0A_7gzs^$&?xNOmKLo#)bc+H_jAVa5(~Yz57=Bm*I}c&exn6
zMZhe}*O`~9dMFnC;I4H5(W)|7MFaKs&B<_CDUL|Z?qxb^CkJ<->=}uo2lbkC?3td*
zBpYvlyuUn$tdV&;O&NN1tW=~LECU@o0d*#1wt{j2grkZSI*@M_gv-!~iz0tSt?Xrd
zekP+f_Ykyo%Z2gKwehA@Mh9Duj$Wff`ViXWw5<F;-Yy{EODuY{{d6<mlbVru%_1`e
z%b(E`4j8yATh+|h258i+<24lySXqv;bbYP3X_z#o7*$|A?5Kqd>hFnT89o!$fKbZT
z7g~wuXwWvc3Z>NRhNyExfV?*M#qP%bBk#ti_yAt)S%b<NNhyUj!}kqJ19)@Uzq)|@
zFO8bd2x4&C(MC@jA?Tp|Ni4UI^c0C2=(SpX8hcn^>pOa3LFSAiXz`EM&76jb(c~#f
zm{4l@1ObLc5<Rn&VkS_3r6w2FhF^=TDMT40-4Pz>+X3-_(mK4EHrb(0Imv1b<WV*#
zAnv?<AN1r;Kg2<G+b41%@llN>y!gElMNO_nc?0AbDASJ$ta1j5R3i_Wy=r$Jw6A3z
zBwy}6^z@Q-4Wy?5c}|l>iyp1tQ6gR(nDM+6oCif&b|E=Pml~&*q3)I?>_FbV;dHEG
zWEoL_d<);7vAW?Rm#UCkR(irV?BH5Cg%vD+GE}~l<)|LiMN|-t3Ckqh<>S90vlc3~
zvJ<#A{}l?s3e>-BxKrdsRgpH2!LI5{I4>Q{6G16ntrtMngnRTwMc@bHLj^{fZv>O8
zaGsE(q%EX8qfJga=v6n`MbO+BqE{1uygR-z21R&jL!Hxn>Fr7K60NbrXGFgY4o`Jb
zLm5sNL?FKxVu$VLk-;>oP;kSRcEUEd{MF8D&j4rWi@-DQ<n0KM4=Al4bs;<^tN6OI
zrh8~X(sOi1&)Oe_lTeCd_PL}P%-`~gen1J%3yi&rK(zVBh$>U(F!<^^HX_=-`qM1f
zV1TVJ-yM5qZeB)jnRCggo<E;C3QOZ(f0~&p>9gc0>8J3-2F8Q<JF*Nt<V`fH(?ix*
z->?%q4QnavPfu}CZT=-J?FlkK9>)#Tz=HWlO7IY>iJCNRlEIGsyX9>X=#m7gh$R^n
z9>~*86sgD;f);QShJ!7%ak8yoASf%nv?9hAX(472guwb2rs>$20DG$0gH3Tle)EMB
z&~n$ZY)6aVn_s;Xka(4ZKz$ws=dPM+hNPgXK-{_aCDZ({e&2?-un*F@&P7xo&%o*#
z;gCQwn+mN`b}#n=2E9xq7yB{oq_1)kkska(Z3F4BKz;ErE4d|uc`cq~e|TpoPn`x$
z$@;H!!iWe>!Yq+thdMxBJ^qo>fnwMu{xsKU#Fxk9{aOCq#g_s>vH@}Itf3CDdR~V#
zbG%*J2TI0VX&p+#ersyM?vC;dGJEFKZ%KHf3aq}eIhtitTkoG3D*9%R*OuU-cersv
zCj1GM%&gfVap4WN9(CQD^6nnVbuXFQzO^TXwv&Z^@|!d(88kgjo<bZD1IxE*>;lo=
zNoKz2V_$m==&-5rryyAB_TMwjC>~YU2g0<#{auGDZwLx2+ngU#qD9DVs@O~&x%rkl
zywl#FvW9Kpb_d2MRECr(OrksmsCIgHJyznh44yfq{b3x@2o}#}{vr?Lw{4ysawu^6
zwlj~ygL7%cE7<Jp{PyM1l(T$QmdHMU`NNhBtEMWRgCu`cywf+PO(MC?W9AA9!WX7&
z*1TI?gc+dzw_P}P^lmG)(6skS@Of{WtcpzFw{;UpYCq7^PafJ!0eP>{aTTK}bV#yB
z1l^W4x7o_MpaDT?HGRHb>?_9OK@T9GkVcG?)*Y)g6wF;Y5My-Q@>ucWDmQ+>!dvDx
zHZpAq<U3q`W4yAVYd2=(nzqkFD@gBh7O||KbKnsxOKzKP;Q@J*>z;g~V5skgt&Ys;
z_qw_nq}BwsNeW&J%vO7ABM>J*{+)*j`nK@ZG-+wjM`VuA<uz_!QLSPIf=59lM9$Xt
zjX-|C51FSS;3QlX@}!uKGhj(Zldw-A{GFAO{r*WqIW-rMmv|*IsuOB@hB@`X#%A49
z{Hevvf{(6KeS^#2_cX{>2jnB<+_^u*v87KWXdXB-UxOA4OfzmYB%-ev8La9<Ai?G*
zWO(q=QxG|K%qzJL_IuXld-fgsL~)7V1N{dr3mu_Jfcl(8{+x0(hEP);D6EkTE#;hP
ztXKwkNU<Q*D4!$u;SwM(6cxpPTTv^jL@32U4aMqGfn`v)Mgb>hbtN%{L!k`T|EeHB
z{$khZ?H9OV{ib!(vlsRKO`}_D#b(*`<#>OdN*qu>;(GROC#0W!5;g}hWqb0a2iBo3
zI9(;!Q*2dLa%=So$mbClovPvYCpR!(BALS1iIr%5A!}00`7IM$e=#tr-wWj1NoH-7
zArOr0sHmX7mfG>Zrsf5Q<Myb@VD&AA{TUSm@=$vemSg9}kV0g|swZ8`LUqMgpEFMr
zQw%t()g_rPn}NLTpFhZ2kP=Z|$+8&VODhW|ipaymw_x)k;l|b9F1FPIdDK2xmt(^7
z&#jj{t!w&QCtn5>A=tO#+rL@gA*p0h$pZNx^?<8lH70wF#u1}W1gf-&hvJ5In0ljQ
z@Rj$S2Wnvbn!psz__q@=u8Cc$R+@ney;W@u9!}GhbXi?dPr<t{RzQ6e#l?8Lfh0^R
zSDn((KoKj(Ke?7gSB}a@4G@?(Y};Rfyb&3KS_6Uj2gdlJbYvNffhO85{;s!8ht^n;
z+pD!dDuH~mz58!(gVfY$p2O@+9d%RR&~V1Pk<lL!W<{y(o;Q3zzU=Myv4x)^&D>e3
z`6>B!1b1~6#Vt;?Kd$r7D4ZIi!0Npem^?IL&f)mlIai02T{|a#A1t2Lhr9i5Cb<j}
zkX{5(AMRMIYR*=n+T?c;mHOJbH^DArk6ydqu$k*#4pBNi4v<Hry%37Jr`{tmTXNtk
zJ?l_PWule1wB-oH<HbW0ZmI(EBvI<UFD*Z#-cOv7>ZS4AvoE7v<8KS<)T!|?<cF7{
z0C^ge;QE}<OCzjW%krJ$mi31<9|Y7ut#IyFd{Y|vR|z1`N=QGb^{FQd^lc)kHTlaM
zT!FJnmGcOe0g3j`R189}c@bL`TWVm|fX#HJ?yvEjZbs5mZOjK=N{s1jTm9kmd9d^Q
z!IO12D4ey55&ok@xTW>_75-jbTLSWH$f{>pb(U^AFdm+LYw<DrLjn|BjdU^*L#8>!
zjxSGpt&oGvy?9Qw9AL+j_hA2+J%*z<G49Q<MX*_T2A=Tj-87=2>=!7DBn2l8puPb2
zyNi}Dnm@h>o3$Hz2J`WYQf%vVh^-!sa0>e|(SluHLP$e48qKxIW!uP*C7qBwuOuKf
z^q_qW77>yzy_+^L|M_UvO^veHn{O5DJcK=2w{9Hir|x9etu~`$=b}?#2G$R%?IrL$
zPAE}!x=z-xKAeU}s2Ec#JD($Z1}@%aeosjS#&1%;KS8hz-Osv?skH7ihC0eNmxrI>
z9584H3akIc3U+?ogMx~N-?xX&bt{_j4+|u&<5u`6t~z|Csdh8BiJ=1P$Ni)xz9F*l
z5_{GWCylDM42xY9G;6bxN$C>A>)U^VpaI4cSlK4|gUWjP-X!xGM?>x`o?!uj`LYlR
zIqOp>?KC^s{>CINpjf=oFu`%%UHvGtNgwj4<ll7rcK%EM^XQD^G+6$p1vQ?DB_19m
z45?n;_;aM>REhJU8S-5G@w)0Mb`RMG#*<b$*oL`4cHXXI3HwtXw@rd+U}#dx@tF`>
zXPbhZWe3P-(30<+L<|3{mRYKhybUxz6fLp;u3fy<IVs>Ro1E_m<g=;s#z7={!`!|<
zTr!L{&aFP|kgL5o!Pr{OMB(JQ5Ci#~xz%PCU1vO+tHTYRx)A6>A-=mZm?Dp&71(88
z%1>oLzH<ii-QkiN#`ixiHN?I4^mG>i4R<eh1@+k4P-$gTgFwDZROfz@ww&HOrr|lj
zNkYqQx8geS-pbqcQP3i~nGmf1?f;~8eS%R;Qn`aaY!x+&$enL8doAzMQV6HJO+1tZ
zmT%+i5STT`sLlh$;oofAiiA_~5Dw-Z{Z~tSxg1A6d4T!<MC^%eD+ObBgs0||Z)DfW
zCVU>D%{h{LO2Rm<#N|aWF#ew$`Y$MKjj}=WSFfS*&~pe$7L`{csR$1>Uq!7RKZ4C4
zw$l@CqB;hXT24c!0;f#vdU3S!#$OoV+h$6$Zic(Nf%<1b#imjQh+h>fhjuX5A=>E*
z;y0jh@v3<vsc2(;nZeHQHQBtu;9&}ekl?5{Nx@Rt_?Eqf4_n)M+=7*xlwM3SQ2!>@
zX2~Hog;&2ofw8LuDTQLK+H8edM9YU~icisJ8Ek!*2{kXCH|hBG_jY^C^Q#Dq!uU+}
z6x*{sW~o4e{y`pC|C<9*Ej#ZiJRGztc`ef8+ShBxj(sz?{%JN~jJL5W1g!r;ayddK
zu|F#Me(n6$rcq(ILBLPLlH)yMYrmDkvWufGF#gn?PsyLY`~U1We2t}3jlhZ|Bi>aH
znL~}}^C~EtK?IAZXxY7ap!16g#}9;uRt@I9;;JXCBd;nPOOBI9P_i)#P@l`jLVKM_
z+;xL!Y~pq&*ZrqrO@?Yu%cCnCCohCY@;4xF|3w_>s)}3Hq6+Cx-EuEAoBSct33s1*
zI3)Xg1e0O~kk?j+ePbDN$QdDSk3awW*qpZ2TX;OH<ohbw1g4&nCs_WNmSg9i_Pybf
z%NEh$rrA4{)_Ef|xIZaZ8Gh>q34L`5)L)(8+w4KxsjY(v`|g<kC~@0or&g%Z<wfI9
ziX&gyHUQ)gAh>n9&|uU84j>fW8`^FQ)Glms6DUf&HS{dEsNr6KJaNP7*wqNu^w)-@
zSZs$s45<m|JMa{C%PO>HOxC_mVEqV`+N%RPJ>E{lH|L}tSD3GpWd?Lhr7z}lO*KZ`
zFsxwxvXnA}2by)(l_F|Ian83NzBvpbi;KoE>?ba5g(1YwVDsu&<?~hC2c@aql0!Py
z4v{@PzVGOFQWIYf9F_WuG*Xd)@n<k`WPUBakC-!WmBnn8)U+br6E&<oZ4e`#An@ik
z_5$+IchYppk>OphE6}>gh+jETrcsustfpg)Q7GV9<0`^{JnWJ$t^>P@ft?oGVsK_-
zuLFIH0u+0)`w2bQZ~Gn`uzC!koigI^kVuaFRS?%u(X!SzEsN3me5=BKXubDMUQ97i
zpA0`C^n6|SY7H__ybY~7fIT!6vJI8vl|S92SK0eC3CMq7{!T((w*j3<i^W=IhlDh}
z24xVTyq7Y1&RpBp@A3)A3(ua_x%IHg<Nq>IyAIxETSK`egv=DPf;|7G*g>7+2ILK<
z1`6G}HK2O_RBzj}cc=a6u!Y0j;vrsd+uOc<;seVcbEmmGV!BSHLzS~v4Y%?jGtrE+
z07Ao83dZDs_d_vY^G2KYqd9@-P?U!TKj)|CVsg3dt*CHp>~<2;iB$=SB(V8_W1n51
z_i<u+T6!wcP_=Um4k_&S<LM@yc;R}}QSz=pVEpk$w@-t+o=t1k$>BKq<eQFlu0JZ&
z=120-_0jPEFl_<(1QW}mb17b~xB1QQ*d%wh7SxJIBxAx+nzSID5ZRuTfqYsqA)=U=
zA?kJX(vTu!WqhW~i>T-3&Kw<`zpDXN09bvJRiog#Xmz_#n%3Q^CzAC=4rU`tvi~f`
zH3=y&?v)E{KAHPn5WRx{xrgl`KD%I`f}P;BpGUkHm71ckG0d{?h!Gf1%R=LRh?jT}
z8l<<^_R{C7<FsKqv|3Y5ehD6#W5v~LAm0x86Z(C-QMNC!zfJ9DlF>+IyepP-jQFP*
z<Q<!8DX{gr?_-)qZ?Z4WO_QEu+3mNQC_7t6FY|WP1TO7v5q!%?p#A_8<}k{%ZuIq2
z!pjv&xDZ8EkabDqI%B&>N-y$l_&ksw$}ui(;oc$oVkV;Giw|o_FvUk>H)qQpPe?R8
zvrP#$-(EJ2Y@`W6FbnNvZ`|ozxqqt^z-!?|nb}JJrC5%f=oY9CgUs8{ec1H7a*4Jj
zjy<rr|4!a)_bW~tN$FP@<!{n=Kps;hf5JN+X8lf9LsC-C(zjnx9^X#8r1NYsKPeeG
zX#&X8hPz)fM`c@&-$4%Z>&d5USE64(*Y?Sa;Uq8!w36WhdFG;VOES{B@2dw)Dlc0$
zr*C-+H)HmP<}l;wH57Kuz~*~G3u7B}PVVvk)3Q97vqYLma#3w!TotKXt`qKJDr@^d
zeFZ3-=bgv!w3!j4j|)E=uq58iet3SHcs@h)XT31oGaJZj)Bj=bjPyKi7tN+7d9oBy
zfY{}zl)EGCO%rdrM2p}7@)?U&`3t^E?=fOJUF}(9@chH32Tn|+<g808O4a|g{RHwQ
z2&I0Co%hNNGX9S#N9*fE54Gcskv`nqqnE^3`@|tYzH=VI8Zu9ZD_D7Gncd}krkaUk
z+pCKKBOB4jLQQ2lu=&z>hKvwwe3Nyz>a!__>e$8n<<vW8;~8;ADuWH(%}FpnTsVtq
z4&1h`d6LTugpY>_TT4Q!m>_v$SETy%V#i6t4~*wmJ{HL|o=@GDArr=piah~mrR6nD
zzCe!^h$dbtd=RYu+@W@?sdPlwktX&me}KA3{yEhYcymY-RNpR`k6>5>_I$z~l}+y%
zyez!8Cvg_HNwPC2*lUyezPgzt;R`J`&k-1Z9@Z66gl*z;;E0p1%J_TZy7!)Fi0RR&
z^-8P5^uQRbKD<3h{AD}PxArJ4rHx3DWr*$3Bv&|Fzb(BkqlXFA$qn4!`L~$ylbRoL
zqS<9l(cWG|`L*oBDO9|7LrZ#e)qBEa2J%!m%s3(n-(KaPU1pGtLfvSB3EMuw;>6pZ
zy~SUTY|a4k366wc4NV){S^N<%2|_RmZB=T1*rqy#9r++*%DIz+t*5JzuYTn@gb;<>
z%;((^Ss;z^Z`egqfsffSNn}6bnsR{p85*bZu)C6tc@#+qMXE+eA?=j1gv&N3XsJE>
zWY3cUKwjb-A+fueu?+J8A}^C(7sVEtTd#p9BSHX+TIEIvS{{&p?BL9~PT9MC>)4=B
zjKGqIhFau*p_o2oj?)aQ1%2}o$Zz{yKcl^pclY+_7j=IQ*Cl;XEj^s#)04CildXKM
z0;^|ae{LrtDKcim(nm?R#iyobAwi}!;Xsqh8W%66k0Z7M^|c}{%inV3^AjxBL(lp(
zJQY3M!dqYdZdq7vc}Gdf0X9E`@RLo!Qp2vpLKL7d6=0&;?yb(=X<S29FGzb&^`T%1
zsK25A6Y(?Q2I_R3YmRMfu(|n{!%USr>EaplJX)ctp>-fHd8013Ie21%LcKRcWu(0c
z*%@fyHvln@i;i?grP?qC<ZC?YgpBoxdeVI)Bx*<#q$#6e7bvHGLN^!P+2j1#Hv{s6
zS~~?Lm1@#CA1^ltWh?3Cawfgvg}8DZ)Y{nwG>Bz^{Na+*_|)15_Kl)%#xjbVBl-D~
zG<1o>T#5o6sgnZl^?|(UjK2W&r{(?lz|76Y2V9AXtf##!#Q=Nrlg6Lzo)OPLo>o|S
ze?~fwz*n2Ud(-QkV--v1?3*jE6Zd5N=7e<R6Ci&&H?Hbvi&1fUl5;Sob4r`Jm{h@Q
z@n+U&#N|&fdG-$=A74E<kn!2MRH}EDOU&rHmO-<Gy11YGSz&*<UA=?~Y<@LnQdXa!
zlL@OS<ke#l@qs-PW_!hg6hHXQ(^tsyr8TgA1V4O9x`cGijyZLD6rzf_f>`Uog!9S~
z>!2@Tp=!JC5EzdoTHr^OW{CtP*yww%Lias7NiOH6l?7ka==U`B&y~hNp0s*_QM#jE
z>7(eTqo8Hg1nXDnn>kt?UhHs`0a?m5uz3Q-l~2UgzR#KW{Cis-p0&SsX{z(;&$r-{
z6N(A0e~_I5^{J6I+CounK1PToEP#GQ5$7Y^rHnFeAxP7ygx-^-YXN!gyquD0&9I<U
z&PF}McE+JH!QvXf{VLan8uV}Equ})$FQ|X7jB31j+N6;iN)M}U1Y=Rm|4O@iJk#sN
zNDvMz9>K$hS<=<QXMzk2nBX<pzM*#&-=dt-HN}X$c~H5>RDkh_C#wy_5{aY6QHI1l
zakGrMx7*2;a)#1IRCq+Kc3yzZ_cRIQo#E8B2o^Z-0z)tEksHmJ<yYJtTs{rMh4!%>
zf$gs@Lvu$I-bU-MR~LO#^SvC`8mu?H4*uszT3K9z5UnY|c>I3-fg6w;05KJdyK(Rl
zymVnU5P#c)lke@tJHuev@CWh<!bgPiR+l%6jI>{7X5W_4{`mUc3g_9^SNU9wO8*ti
z|C4U11TyTuu8_)R7OcI6F*2jwAF_tNYTuV3s7Fd_1DpR;lZ-`Hc+32v7%YENNOham
zN$^Qb$JIi+J^^K-@zSUT7*F?D5svs3vPyNyrx|{4?q=^LdQY4{xk1h1uz{X?kwPHf
zPv^_gUv@swqiAng;Wn4~ZjULGYmM6G_1G={Y{V4o{@sX6b!1GV7@?YjV`!%Q&^}4!
zeyPh1JxhC0BMTjS#u`w6g;d)>sUSw6sjlXzO3L}#M0)6{%QYtqsonW>kF6D~|6OT#
zJ0AI6cQ524;ydvH^BjGeGQZR7!J1%(6vs;%3$T7_lW66sQsP5Gw3J)=!YO2&Qrf$c
zx(JyKlNh3uH_B0zz<BmJA*kO`67@4nIIGsNges8NdyAQ6GP~~%+I)GPiV_C$H%mtg
z{nXH~T(fBH+!yDoEUKKzz0$hkzg4y0YfvwL2lBT>JuT0hZTm#7<2-A$%~+;6@=0;u
zz4O!^rFbT&A2)&gi+DoS+-|L@sF5RzgA`rhk9w*v!X<A5KTc8w-1#P219@!Y=2q$Y
zG69ddwBx%eB+z|^uLj)?!Z|9hj>?d{S3Ho%#Ym6gpV%b7dY4*u;03k+xbVUEraJ0H
zWwMdBcpw%mKe_aqhhObvCe=-Xd6`4&Pl{g^Y8^82DCp*gU3mTN*n#>I_r=$NSfOP@
zZg<vy=!1WZC6C+n9v^I`+a{d;i0*n1<dq7?<XWkEj3aww4y-qrIxKn0M_8#$>)^<B
zPHY(qmVvyQ1xsHGs(&W$4q}6t%db;M>S4QIdKbC!i{C-TVei4_3GN?0YOO!+o1a&&
zwv{%zd(|k`d(cCn`ELssKD>Pm1Y3VSp_1F+3#zw`BcD-gm|v7EwOrYAN8ujc^zioK
zQ@e5j;|ZZwgNQ(69c(6aTEECG#?oGdIx@M@5>n~?C;)*kxC-QBl-a(0QuA!COZQ89
z`2tgqh;C`PWk?}ne5=xgC*TiOpT{nhL%+${{~<il4ni!bdsS0<W6Bgo_4M`S6>15o
zlMbk##4-BI9<ty>o{he#V3yQccK#estOwNyr@2k@-S1-`AfNf0T6j;OvO_JnU2Mhl
zcN6?Od<FSl_n|4aqdSSSjshTG^zF~~+c|CJC+&t%(5nA0-~DL9%IKK0G8%4+v~Aug
zAYT@=FQC?Wfiqf=#7c*D;B)PlHbT-dz-OH#xJ90g47R>EkblZSwWv=v5?rii{7~O0
zHLqzIDsX8o`UTSx6U*;2P=6{~Y%}Ds96BZYij7X+UFF=D)po{>-*mA{7fBM11k6tk
z5DGa@EilhN6Vr^fjdjbHENr1SqpM)oQB+bBcJ!hE^$&-Mynhs}BNxRm7R6eBj5Tpo
zyB9Qt^x4rRICHjL1dIO#WXKVVMl#S}0_}fJv_3ybCg#+lkI1=9u`a>Von->lH!;-2
z;ip9V61?(b@`)%nn|IknB>AYIHI%l4MxcYB5y<<)P)#-OxTI2)Fgj*cjFA0(Kq}?l
zSdCJ80aAs*>)kw%ho-&%h1IBZ{<Ul)$O-y=i=Lo-(D$UUXJrDT2FiPFu;;a)*To@d
z_(Ta3Q!jFyq})aV^AVn5?L_+#Tjw~)SUte{9XOrj)*}dRPx@cY5}O-ov2uIe_{!XF
zajmtk=qLQV2Ecd_?=4bUdt++**%OXs_)J=^JgB1e2DdAai)lDlI^TiKXOQ^F9nTdy
zyJ2(*Tn|*+BY*rtK)kb@6{F<-`ggh$9}Cn+GK7b(yyB6!Ughw_$=H-sYJy!pHV74A
zQJYuaqgm(y@^~7t+gT2_%R8=`VigY-aHI9w)D?HE6YeK__Y_3XVCM_Jud&rMX|gYc
zIO5ly@T>$LoS@!_hxYLh2WONMjC>SO|IN)XG}59F$886E<yJ_i3)dCvoLZQRjw3wj
zT3EJ)JCJ{?n-##$EWX)x^RNV(js5y~`0@%X<rsftEHZG8{-_4zS(U$S!>XxpCwzom
zcAd7Z()@&`GSgHsS^hjV+aa-`0OUV3Pd0s)RUcQ0(6V84dWfMz=;*ZIeWB(S?_}LR
z3+Mpy+!d#E91*1FsawtO+lNv}YN`ljtv;bLWzqJlb7)$E)f>{1PK9p@3)eV~*wh@>
zpW9haa8!}xp|UUjv`(5^MJEFFKZRimi)T_iw(+;$@fVkmgbEfel|_&dFfTImI5#PP
z`KQY8a$l(97m%&!so&Z6C_25^6PiTD->Hvug67ZGPgp>G-TGm3(R$^|j+6FaSJyPG
zI0zI1j%fG6wo8uU3~Okxd4fsc>Ub1L_YZP=&Fb)6N=a!q$pyDBVdU_KL&QjWW3c=&
z1C3(tEn^^xppvsRT_=Bzgey-wycPrvAJUgQyk{~8#$%^Esdd9%mnDxghUKkcrUajp
zo;Q)+?&E!p`}xfYJD5K^G(nzme*Ed+=4jKRpe5{`MxoBn6kZkLb!}d(aBuYp)OVYl
z9yL~o^M4icUSqZF<M=gORo35BT%IDf!erc>2UeeZBQCWfJ2v-CToz$(bM(y?=(x0p
z2><TDYZ%zF`f08T)b~r308KZyOcexg9bizf{H{GCp!72q@kG=y50&Dt1-t(eyr}0H
zfxTeU`tj&e60K^jAC8}<<c|76r~%F)vZGQAs2_%JiMwyw38xghOlTlU%*(fCa+ZRr
z0{#1S=zD>U=nRmLZg{B<zqv`Qv<`DHh5BG~Ss6?z6H>v%Ep=PHpM8D|<l~Eil&nO!
z2DJv)<{}n*zq?{&<>(0{Ddqlj8JJg80-Nt8d_tU^&M|M@1sSge&Nm~g&t2f;bHPps
z8Pj~HT7KpL>gQv4ewI&4&sKv`n2jveI>u7RAnaeh+eE%(BsOvCU;y%kpqD*uI8Qxf
zml0GX5WHDG<gv@fbe8;<(8U5W{~$Dwuam0J4aD4%q<PxFivf+ldo%goq|+|IY5yzh
z;62nTSiRKhf%`KLmd3Bx+%H-fo9Qk=Nzsp?Kxy8TTT5vEY8LGLwu`+)&q#Ohs_af2
zrJV=tqkm80W2cRY3cWjNxIQHVtLJ-FynjQfLBW?<$XLa42=3s#S+V4Tq9j?zc!~>6
zc83ARKXtD|QhJzBnfl!>66Z6m6uDo{5A-1rZCenHk2cK=*!<^52j-JO*7K?H+pHuM
zcik$zF>acRDL&m7L6Xc18P0B?{?80i8VBc8WK<tPR1*W&Ye#{(3!ZqzsAE2Ba)$5;
z93X#`?btgNs;e(n@v3IGh&8`1sEETFrhGnqerkWFZXOKeFUP)DLTITiY%v#m<#v%C
z?!q$sD$2OM>ir;!zZUj28OYyDNoXL2<-<Y=<UVAtqi`+#2pki3dLSo09uPhEFaxX4
zpO8DKEswN+^Ot2`83#;=-0Zhmv8@=j&=?}X@8|k!1NBi*+=KkSnjOPv1!Qb)AuX8x
zMx_0D)^fW`%^&OT_S^vE(Znbis&4*10=dmfYD6y12^+pq&+93P*0_qXVlvzC4aj4!
z6a-7Wbn!*L{j+@>ZWO(_^xJzr@zdv?Dzt<#MJh1AA}JQ+Ve}Rr1!Xunnl>8b-Qg9z
zf8q^;VmD;+tf|QK1nN^gFLZ-~r}oNzhwCbFQz0Y$+8D7{&)qRlB_S@oIRNY5-^q5U
znK(ouPt@LLqyNI@i3o&#vQr>e8i$j3x`RLi^M`lVICLYcT*(370%ZDY!l+hg&!%eI
zp{&|Z^CyJATlE9uVIaz#xDBZzR-`l`@k&;fsbeko4wI)egpLYX5jYT#1M+MZX2Y+&
zEjBIR7+~!WA|obn*{7#L$mu<9J5Imr;=Ta+_isN%pl8Ru`u1uoClXyb(p2Q;TcHsL
z*aYOoQcO4M0eN26)OAD8HBdWl=irneAI)2owD-yfs-#}f*6}k~{-Z!%1&-_%HG$5K
zMQrICSM}*rSLnLbiq1iiVnTTt>um?v{T+4l^dXd2<t*1Z{%*#^9Sl877pYA_<+&vL
zC=b3eR3@OlrbKNW3Cr>%_YlqOUbpn0WqragI+i-YPZ-x}s&n6|fV{3*_giEV*t<J|
z_;B;0<Uu4*1+^BOL0&;H=J7jpGie}ipsZbvBVq6?Ig#TTr1N+|-e__9>{mkjJLpFw
zPoEw=khdTz6qa{4qz>p%%&I{i$9sCm#M8cHlqY~TMo;%U84k!>Z(gO_p?oyw&G(_R
zK?)X&opv3{sSEl;*Kd0o7aIrmyoB}3iXrrs%J)dE$$5N!MPpA%@2^Pp*zYRy^Lf9`
zwSm<GPL@wPSGl7jA#7dQhG-9nklj@KEKKa-&1yB5zE09${gLyxY;v2CFT}H{KQdzI
zQk$wId>oG+Y~K{F;+&vWppydQ_jYnDL3P-W^k_*!!IKhOw&7IXC`goMr6M8GYjqF2
z0`h)z3{x?qUize$M~<EM%a&NBZh`GY#43IvgW6t#7hvmG0CVjl(<M)Mij-q^RX09)
zQ=D}!MT(kmGcA+`(q$u9zZ{^GUcHk(P4i+ZIlRI6j3gai?nLF?PNnpRi%Z(koF5oZ
zBuHDY%lq^1Z3;Qhl{kDO;TtG)Dg{2AT`G=LPo@uG`JYIj{Z1srne6Lj`q<Jn{18Gy
zRT5J!A3ee{^~YEH46u48@j?AApJ5L2BSEc>o5r@hTR@#Q`$&LH(J1H}`NIk#FrH+b
z+edZfv}pKet2$5OvXAIHqOW66WW|i3j%8x{H(>R1ZfBXQ^pEyje(imT`w<%jEmU`g
z%av;+OGkF+Or0P2K>aGbHByEGhg5FGx8}V5=e?n4zKZkg53gp+PB*r(`e6C?_py_?
zR|q1fbJpGVt}YUrcAxa{vZq~YLZ#wUNK>V0pnj82%MZRpz2mByDbdg5)*<%-l;XD4
z@(X8fcV(M|@X<hiz#fkfZm&U!n#YjiL!y+&<SYT#Mog^Sh@C4Z+nx;A`a9v2I@=Fd
z^}Lg7zxeZ-36Up`<#?+S*0n8!(|(gk04(382!B6MS<YrdEKyle)$%>?Y48~Y=LeeZ
z#vN)~m&;)T<C(|rfl<=-YILCrGIXEXB!4l*@d#>jimZerecR=-2ljlz)^s@Wg+q$C
zI4q2ha{$_6<`(J;I&M-;`$eFAQD_g?d}e>SvtuYq>r?}Uu9<0!A=ND_%Dj$VVr|B`
z<?<U#To*8&%d{^J`I${Z<&gugKI<bvZl!rE-~MdiRJ0=cB&unF-G6yqG>`RRh~{Gz
zYQWv6ZQnQLQ`zF33x8$2F>vQVh~oz8i=(}c(2OZ-di)r86(AHekS)Wq;!OOV_B||N
z%qfEnZ2l0t=Eg=VS0P;(tZ$v~wUz7ma*8OP_KuLn*hxw{atsNmKkb+6gNQ-(<xBtV
z`2DZS`?@&jq8Sf^dtA6bIX7IfXF#5T0xB>6y^;;dWNuhhc+&62{D`oA8luQh2Xm7(
z<z;mskNxG^>-0$lzp0sXt1!Si?nl_7T#yA$ef{a^i*+Fy7+-OwM4R}CQBR4`FslL?
zY~VE-rkxAD%fYK~<ErM95Czn~QbBP0_|mw%e6+VN9vtGraEv}pr~P5hNs&nWUJ@z{
z$Y)rSsHW&VeMk?@TBWx~vzl;yYwlpB-T9SH`**l7CD`$?QjzleouFyqCK9zCCtioQ
z<UH_D`k}G&nUf#(rso_?-v(c<*G$m+$&U1^j)PO?%T{yn7S0ag-fcPPj<N^>tlt?=
zDVp2Zpx635qcM6#)yHP0d=xD<xBX}>7HXKa9aaX6f7N?rb`^6QrefXJkR~XOqn@hS
z{{pn;#ZDStcvoluR=<VAO`~}ISoejTCBHRe$K*Z4+YEA1b?cObvZh{n7YcSiV#=g1
zg<>)|{c+iF_a0Ss5JuGW1aa7)1Z8-j00Q5&2pA7tB3!J3fgO{h^5KsFyfQz^L_xXU
z=1BD}v5eNhlPh~5zvPa8Z-iL4L$2bEFs{aPgc9qsDNN<TBf=FDNFWm04CE)snd4}b
zPh3XN%7?UbxX(%+Pu1Xz4?)`j8m^P?nZTa^@k+k<q{ms8B}(6h(8VkO0pjXmJXR*f
z%lU}fgu;O*1=OFOE4||F*cVZdwxwCSHox>juzRF5p^Zn+Pjs@i*ZmFTFTTyp4~o0{
zZ!I@F#x}{!g*VO@*p38U_au`<Ugac%{XWh?K&WZ+22RsXAkt&0oM!N&$hgisqY=sP
z>h%e1&TSMxeF{}MGTz^}Onh@`b3V6*xIHfj`Q2t*=GRL@J;tk_!PcXP>u81J!=)Wv
zha!!^?n?(3ZT1*FgFHUlYb3$A8HQP)e!JA0rR$iscwB{4K8dcNCKGsT+lG43x2Z!?
z88^5Iuz3jXFP1xDb9E0SCE<RKI~NuBPj{G@NIFbr4T?Sp?~uTbPhE%Z&F%2PU64K&
zz6rX>{zC3EM0y{+RK#!wvYSJn8!#U3{htwI=@~6!j4kgLUlP!iG)MQ`<y4kfZ6Qn`
zKNkuEd2$2>1IUNPpKIiH3TxlY3>h&W5C^82D0G6v^zn1AegSz>r{AkrtayA`8KXuF
zD4bcz<XLdBKO@9b$gp&OSx)2ud4yRW%{mVqiNYZCZ`)#=;nX-AucIAjSd=vVDsy=+
zBtSk_nFIr=Cz>`$u!^tvdy7#gHr3oE!2^FzeLW8RSgtXUcXDT@3m7<?MajoUow1@{
zSE*|{RK$ALUok+z;NDIm1oGkrrQwbOw@V%kGEg|e)T5tm6o!YK&oph>KJJP8@q-=z
z753?ZTdLI0=f{f5p1zf>ktZ0Z3_|4D=$}@<uUmbZ1nR@ZAFa%R=+wGBu=+xX-+$x_
z(Z;Bvw8U(G8Cl4Q!~yH?9#NBU9hBl}?8Mc7_I-$2qIJ&`p-@nRFJs#sB-qUZ^OG!@
z2m94p10?nx;qUJ(R;TE@bS=Eing`e-Be2tMR>0P;8<MYUtpzxH%J*FDH>(NeLvZ_~
z{we!Epm1wf`=%Yh?mtR)Jw{j9bU7!T?gVjLH4v4}n<VQSI5$6y@uA{xHI)PR*Luw5
z2u_QmwS3efW0gllWpbAQJHcY06AwP^VNZY#tUkoZPVi@vKPip6gCBpiG!x4n6126=
zn(4A4KbtcWL4g74Zy5}SV1D&=_9vs^ep4I5a3jsy0S7S~KFF~YwO^611mtJw-l}^0
z(%_U0`x!4xa+CcsL43xJp4>FSI;XV3ee?tJ)&@j#bnlkj;*hM65H*8xtU82#R8ie(
z<%Q@QI~lwV19=1_Ltoa;Q3&BGP@}%w;nBf}W@i&cW1|lBB=#u*6Ij0!X=}cuS&P1y
z7S!FUI-Q<1n-mANs<!R$1b<9ceyafq)Tb3@$)|-XOv<#+Qw&QN5)XXUCpA0DR$+8c
z6=bd^cm?uj`gR4A<~Gf$vKa&IoJ+pO4++ZW?;56W2-tr*AIlO0d2IcN3Lc-K=r@<#
zs&Q~)t7_kwvyVL%cI9%66RVi^z~(cz#lo6n7}iGRCMiF{4IUN`97Nl)otc?w-)sw$
zn5%%@A77hRTR^;^Z@~W}m%nVg!xa!vIHUmzs#Y6ZhrRtx0Cs<YG~rqBOsJhf-|hae
zknCOGLD*D61F4evnTOV{ASPQDF#cD|=}rwpsl1k8o0_neAo5<^MF-Ln@isG&1C7{l
znI#|}O}b(!_;HqRXgAJ=(f1`Kw#TC!D%riQEwk*Fzx84p$m<HX<oQVuz-=b@zRU=v
z@b$3>eqi=;5D~mbQ*Di00jr;*4?_*)?KvqT4OSFeT-gcI1KfnG4irC6t8^02dSsLU
z^_Sl|eW*mm8taBxUkd!&!VC4RYB**6_%?>W9{=q<F)xrmX^!Z1+I*DPSGdtsE7GDh
zU#hH|GO&p}yNJ=HW}LJG^3uf@d7miHp3XQ>QBNIB<S5GiKD;uJciy0pY#+6W4-Moi
zmurKddLFaGW~Iox&KzYDaU`5q5j82#bmE`{{1?F17tfx~&&gioEmY83H$IZCDu@wb
z%>6kCKW~kcgc{F$!Tg^|qc00KZ&zA@B5Jqp+KsA<u1#X%*M;BO9?Z$0m!Kgqo*f#v
zxHeC*Q4`z&-*g9$z~FqNwD}QppO=~$C;xZ9+JXFJ^C&7$OAx>E+uJ2Y8{x+c<m|5$
ze~blRtAE4#<mE~N`9WzR{cm6G^2M8*(5gFvBHW=}+XOD}_=UZ`G-_?<Cjt5KNBU44
z`FawQk~&B6w)uOIx~R2dV%O(Y+qU|g5<IZ$J;&F<xi4Ty$x3X9t*x}54e1w(+iJX9
zbgyJmINgn|E>J&<j02YOS+CZnLO0G!;v(QD?IPuhM%9*b>vm-0mvjjrzdg9C8_Y=}
z$kI{pmh{4b>;b{`_@1Z&eraz<vph<?2FRZwa${F?^2@g97Gk^LXGW<Oq;v2=*X+V-
z79AYVqV)m!hRtvo>iZBcXQD(Bn3qIXY($#r_#&DCl~()xg4h<Yeql1dp*Si2n=O%v
z<R_8nb}d;iT~Vn6&&fl-Mo}N*<!7M&i0=!mbJ}lciUoR$Z<q-T2j`J6dWVC1o!Zfa
z!VC2&KtA`)FJmPRc0yI1k{%NcanWj0Zi18VK37bCx)Sz@c{G5$(VhF-m$Gz^2;<lH
zEzZIrK4mOCvD+KMrf2=Qd-~{L^&9fQg*#V_a0PT;SatAp3^#~z{FnVe)dr=}@$=r=
z#Vt^OtGdsjRm1WlY10q6DEyF}ogv)mDm`(Sj-Em~QJyrg^JOJUdpy2lyNnrkH7~)m
zO}B_#3c_3WwEOf>lgJg+p#s$3lnq~%e4h=gYHlu7wEd87qZ(^6@EpoRs6Zkl5jF4q
F{{XMjn*RU*

literal 0
HcmV?d00001

diff --git a/debian/rules b/debian/rules
index 316a7b7727..0f217730ea 100755
--- a/debian/rules
+++ b/debian/rules
@@ -167,7 +167,8 @@ endif
 
 # Usage: $(call enroll_vendor,<var-template>,<output-file>,<uefi-arch>)
 enroll_vendor   = virt-fw-vars --input $(1) --output $(2) \
-                    --enroll-cert debian/PkKek-1-vendor.pem
+                    --enroll-cert debian/PkKek-1-vendor.pem \
+                    --set-dbx ./debian/DBXUpdate-*.$(3).bin
 # Usage: $(call enroll_snakeoil,<var-template>,<output-file>)
 enroll_snakeoil = virt-fw-vars --input $(1) --output $(2) \
                     --set-pk OvmfEnrollDefaultKeys \
@@ -262,4 +263,18 @@ get-orig-source:
 		edk2-$(DEB_VERSION_UPSTREAM)
 	rm -rf edk2.tmp edk2-$(DEB_VERSION_UPSTREAM)
 
-.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64
+update-dbx:
+	rm -rf debian/DBXUpdate-*.bin
+	set -ex; \
+	tmpdir="$$(mktemp -d)"; \
+	git clone https://github.com/microsoft/secureboot_objects $$tmpdir; \
+	for arch in amd64 arm64; do \
+	  bin=PostSignedObjects/DBX/$$arch/DBXUpdate.bin; \
+	  date=$$(cd $$tmpdir && git log -1 --pretty=format:"%cs" $$bin); \
+	  cp $$tmpdir/$$bin debian/DBXUpdate-$${date}.$${arch}.bin; \
+	done; \
+	rm -rf "$$tmpdir"
+	sed -i -e '/DBXUpdate-/d' debian/source/include-binaries
+	ls debian/DBXUpdate-*.bin >> debian/source/include-binaries
+
+.PHONY: build-ovmf build-ovmf32 build-ovmf-cvm build-qemu-efi build-qemu-efi-aarch64 build-qemu-efi-riscv64 update-dbx
diff --git a/debian/source/include-binaries b/debian/source/include-binaries
index 2d863865bd..862b8adda0 100644
--- a/debian/source/include-binaries
+++ b/debian/source/include-binaries
@@ -3,3 +3,5 @@ debian/legacy-2M-builds/OVMF_VARS.ms.fd
 debian/legacy-2M-builds/OVMF_VARS.fd
 debian/legacy-2M-builds/OVMF_CODE.secboot.fd
 debian/legacy-2M-builds/OVMF_CODE.fd
+debian/DBXUpdate-2025-02-24.arm64.bin
+debian/DBXUpdate-2025-10-16.amd64.bin
-- 
2.47.3

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

