From 53873b8444acaa97d85c50caec625b9dbfdfef93 Mon Sep 17 00:00:00 2001
From: Andrey Smirnov <andrey.smirnov@talos-systems.com>
Date: Wed, 12 Jul 2023 18:41:53 +0400
Subject: [PATCH] refactor: move ukify into Talos code

This is intemediate step to move parts of the `ukify` down to the main
Talos source tree, and call it from `talosctl` binary.

The next step will be to integrate it into the imager and move `.uki`
build out of the Dockerfile.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
---
 Dockerfile                                    |  21 +-
 cmd/talosctl/cmd/mgmt/gen/secureboot.go       |  41 +-
 cmd/ukify/main.go                             |  64 +++
 go.mod                                        |   4 +-
 go.sum                                        |   4 +-
 go.work                                       |   1 -
 hack/ukify/go.mod                             |  31 --
 hack/ukify/go.sum                             | 524 ------------------
 hack/ukify/main.go                            | 398 -------------
 hack/ukify/measure/extend/extend.go           |  41 --
 hack/ukify/measure/measure.go                 | 226 --------
 internal/app/init/main.go                     |   3 +-
 .../v1alpha1/v1alpha1_sequencer_tasks.go      |  41 +-
 internal/pkg/mount/switchroot/switchroot.go   |   3 +-
 .../measure/internal/pcr/bank_data.go         |  90 +++
 .../measure/internal/pcr/bank_data_test.go    |  51 ++
 .../secureboot/measure/internal/pcr/extend.go |  49 ++
 .../measure/internal/pcr/extend_test.go       |  36 ++
 .../secureboot/measure/internal/pcr/pcr.go    |  25 +
 .../measure/internal/pcr/pcr_test.go          |  49 ++
 .../secureboot/measure/internal/pcr/policy.go |  31 ++
 .../measure/internal/pcr/policy_test.go       |  31 ++
 .../secureboot/measure/internal/pcr/sign.go   |  37 ++
 .../measure/internal/pcr/sign_test.go         |  45 ++
 .../measure/internal/pcr/testdata/a           |   1 +
 .../measure/internal/pcr/testdata/b           |   1 +
 .../measure/internal/pcr/testdata/c           |   1 +
 internal/pkg/secureboot/measure/measure.go    |  86 +++
 .../pkg/secureboot}/measure/measure_test.go   |  40 +-
 .../measure/testdata/pcr-signing-key.pem      |   0
 internal/pkg/secureboot/pesign/pesign.go      |  64 +++
 internal/pkg/secureboot/pesign/pesign_test.go |  52 ++
 .../pesign/testdata/systemd-bootx64.efi       | Bin 0 -> 80896 bytes
 .../pkg/secureboot/secureboot.go              |  29 +-
 internal/pkg/secureboot/uki/assemble.go       |  77 +++
 internal/pkg/secureboot/uki/generate.go       | 206 +++++++
 internal/pkg/secureboot/uki/sbat.go           |  38 ++
 internal/pkg/secureboot/uki/sbat_test.go      |  25 +
 internal/pkg/secureboot/uki/uki.go            | 126 +++++
 internal/pkg/tpm2/constants.go                |  22 -
 internal/pkg/tpm2/tpm2.go                     |  22 +-
 pkg/machinery/go.mod                          |   2 +-
 pkg/machinery/go.sum                          |   4 +-
 {hack/ukify/assets => pkg/splash}/sidero.bmp  | Bin
 pkg/splash/splash.go                          |  18 +
 pkg/version/osrelease.go                      |  52 ++
 pkg/version/osrelease_test.go                 |  21 +
 pkg/version/version_test.go                   |  14 -
 website/content/v1.5/reference/cli.md         |   7 +-
 49 files changed, 1363 insertions(+), 1391 deletions(-)
 create mode 100644 cmd/ukify/main.go
 delete mode 100644 hack/ukify/go.mod
 delete mode 100644 hack/ukify/go.sum
 delete mode 100644 hack/ukify/main.go
 delete mode 100644 hack/ukify/measure/extend/extend.go
 delete mode 100644 hack/ukify/measure/measure.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/bank_data.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/extend.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/extend_test.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/pcr.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/pcr_test.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/policy.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/policy_test.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/sign.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/sign_test.go
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/testdata/a
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/testdata/b
 create mode 100644 internal/pkg/secureboot/measure/internal/pcr/testdata/c
 create mode 100644 internal/pkg/secureboot/measure/measure.go
 rename {hack/ukify => internal/pkg/secureboot}/measure/measure_test.go (72%)
 rename {hack/ukify => internal/pkg/secureboot}/measure/testdata/pcr-signing-key.pem (100%)
 create mode 100644 internal/pkg/secureboot/pesign/pesign.go
 create mode 100644 internal/pkg/secureboot/pesign/pesign_test.go
 create mode 100644 internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi
 rename hack/ukify/constants/constants.go => internal/pkg/secureboot/secureboot.go (73%)
 create mode 100644 internal/pkg/secureboot/uki/assemble.go
 create mode 100644 internal/pkg/secureboot/uki/generate.go
 create mode 100644 internal/pkg/secureboot/uki/sbat.go
 create mode 100644 internal/pkg/secureboot/uki/sbat_test.go
 create mode 100644 internal/pkg/secureboot/uki/uki.go
 delete mode 100644 internal/pkg/tpm2/constants.go
 rename {hack/ukify/assets => pkg/splash}/sidero.bmp (100%)
 create mode 100644 pkg/splash/splash.go
 create mode 100644 pkg/version/osrelease.go
 create mode 100644 pkg/version/osrelease_test.go
 delete mode 100644 pkg/version/version_test.go

diff --git a/Dockerfile b/Dockerfile
index 336f6730b..254f2be00 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -712,15 +712,11 @@ COPY --from=rootfs / /
 LABEL org.opencontainers.image.source https://github.com/siderolabs/talos
 ENTRYPOINT ["/sbin/init"]
 
-FROM --platform=${BUILDPLATFORM} tools AS ukify-tools
-# base has the talos source with the non-abrev version of TAG
-COPY --from=base /src/pkg /go/src/github.com/pkg
-COPY ./hack/ukify /go/src/github.com/siderolabs/ukify
-RUN --mount=type=cache,target=/.cache \
-    cd /go/src/github.com/siderolabs/ukify \
-    && go test ./... \
-    && go build -o ukify . \
-    && mv ukify /toolchain/go/bin/
+FROM base AS ukify-tools
+WORKDIR /src/cmd/ukify
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+RUN --mount=type=cache,target=/.cache go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /toolchain/bin/ukify
 
 FROM base AS gen-uki-certs
 ARG TARGETOS
@@ -742,7 +738,7 @@ COPY _out/uki-certs _out/uki-certs
 RUN ukify
 
 FROM scratch AS uki-amd64
-COPY --from=uki-build-amd64 /build/_out/systemd-bootx64.efi.signed /systemd-boot.efi.signed
+COPY --from=uki-build-amd64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed
 COPY --from=uki-build-amd64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed
 COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth
 COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth
@@ -761,7 +757,7 @@ RUN ukify \
     -initrd _out/initramfs-arm64.xz
 
 FROM scratch AS uki-arm64
-COPY --from=uki-build-arm64 /build/_out/systemd-bootaa64.efi.signed /systemd-boot.efi.signed
+COPY --from=uki-build-arm64 /build/_out/systemd-boot.efi.signed /systemd-boot.efi.signed
 COPY --from=uki-build-arm64 /build/_out/vmlinuz.efi.signed /vmlinuz.efi.signed
 COPY --from=uki-build-amd64 /build/_out/uki-certs/PK.auth /PK.auth
 COPY --from=uki-build-amd64 /build/_out/uki-certs/KEK.auth /KEK.auth
@@ -1121,10 +1117,9 @@ COPY ./hack/docgen ./hack/docgen
 COPY ./hack/gotagsrewrite ./hack/gotagsrewrite
 COPY ./hack/module-sig-verify ./hack/module-sig-verify
 COPY ./hack/structprotogen ./hack/structprotogen
-COPY ./hack/ukify ./hack/ukify
 # fail always to get the output back
 RUN --mount=type=cache,target=/.cache <<EOF
-    for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen hack/ukify; do
+    for project in pkg/machinery . hack/cloud-image-uploader hack/docgen hack/gotagsrewrite hack/module-sig-verify hack/structprotogen; do
         echo -e "\n>>>> ${project}:" && \
         (cd "${project}" && go list -u -m -json all | go-mod-outdated -update -direct)
     done
diff --git a/cmd/talosctl/cmd/mgmt/gen/secureboot.go b/cmd/talosctl/cmd/mgmt/gen/secureboot.go
index 4fdf039a3..ef8b5b42a 100644
--- a/cmd/talosctl/cmd/mgmt/gen/secureboot.go
+++ b/cmd/talosctl/cmd/mgmt/gen/secureboot.go
@@ -43,22 +43,18 @@ var genSecurebootUKICmd = &cobra.Command{
 	Long:  ``,
 	Args:  cobra.NoArgs,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096)
+		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "uki", genSecurebootUKICmdFlags.commonName, 4096, true)
 	},
 }
 
-var genSecurebootPCRCmdFlags struct {
-	commonName string
-}
-
 // genSecurebootPCRCmd represents the `gen secureboot pcr` command.
 var genSecurebootPCRCmd = &cobra.Command{
 	Use:   "pcr",
-	Short: "Generates a certificate which is used to sign TPM PCR values",
+	Short: "Generates a key which is used to sign TPM PCR values",
 	Long:  ``,
 	Args:  cobra.NoArgs,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", genSecurebootPCRCmdFlags.commonName, 2048)
+		return generateSigningCerts(genSecurebootCmdFlags.outputDirectory, "pcr", "dummy", 2048, false)
 	},
 }
 
@@ -99,7 +95,7 @@ func checkedWrite(path string, data []byte, perm fs.FileMode) error { //nolint:u
 	return os.WriteFile(path, data, perm)
 }
 
-func generateSigningCerts(path, prefix, commonName string, rsaBits int) error {
+func generateSigningCerts(path, prefix, commonName string, rsaBits int, outputCert bool) error {
 	currentTime := time.Now()
 
 	opts := []x509.Option{
@@ -116,24 +112,32 @@ func generateSigningCerts(path, prefix, commonName string, rsaBits int) error {
 		return err
 	}
 
-	if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
-		return err
+	if outputCert {
+		if err = checkedWrite(filepath.Join(path, prefix+"-signing-cert.pem"), signingKey.CrtPEM, 0o600); err != nil {
+			return err
+		}
 	}
 
 	if err = checkedWrite(filepath.Join(path, prefix+"-signing-key.pem"), signingKey.KeyPEM, 0o600); err != nil {
 		return err
 	}
 
-	pemKey := x509.PEMEncodedKey{
-		Key: signingKey.KeyPEM,
+	if !outputCert {
+		pemKey := x509.PEMEncodedKey{
+			Key: signingKey.KeyPEM,
+		}
+
+		privKey, err := pemKey.GetRSAKey()
+		if err != nil {
+			return err
+		}
+
+		if err = checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600); err != nil {
+			return err
+		}
 	}
 
-	privKey, err := pemKey.GetRSAKey()
-	if err != nil {
-		return err
-	}
-
-	return checkedWrite(filepath.Join(path, prefix+"-signing-public-key.pem"), privKey.PublicKeyPEM, 0o600)
+	return nil
 }
 
 // generateSecureBootDatabase generates a UEFI database to enroll the signing certificate.
@@ -216,7 +220,6 @@ func init() {
 	genSecurebootUKICmd.Flags().StringVar(&genSecurebootUKICmdFlags.commonName, "common-name", "Test UKI Signing Key", "common name for the certificate")
 	genSecurebootCmd.AddCommand(genSecurebootUKICmd)
 
-	genSecurebootPCRCmd.Flags().StringVar(&genSecurebootPCRCmdFlags.commonName, "common-name", "Test PCR Signing Key", "common name for the certificate")
 	genSecurebootCmd.AddCommand(genSecurebootPCRCmd)
 
 	genSecurebootDatabaseCmd.Flags().StringVar(
diff --git a/cmd/ukify/main.go b/cmd/ukify/main.go
new file mode 100644
index 000000000..efeafef81
--- /dev/null
+++ b/cmd/ukify/main.go
@@ -0,0 +1,64 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package main provides the ukfiy implementation.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+
+	"github.com/siderolabs/go-procfs/procfs"
+
+	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
+	kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel"
+)
+
+// NOTE: this is temporary implementation, it will be moved to the imager
+//       in the next round of refactoring.
+
+func run() error {
+	metal, err := platform.NewPlatform("metal")
+	if err != nil {
+		return fmt.Errorf("failed to create platform: %w", err)
+	}
+
+	defaultCmdline := procfs.NewCmdline("")
+	defaultCmdline.Append(constants.KernelParamPlatform, "metal")
+
+	if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil {
+		return err
+	}
+
+	if err := defaultCmdline.AppendAll(metal.KernelArgs().Strings()); err != nil {
+		return err
+	}
+
+	var builder uki.Builder
+
+	flag.StringVar(&builder.SdStubPath, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub")
+	flag.StringVar(&builder.SdBootPath, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot")
+	flag.StringVar(&builder.KernelPath, "kernel", "_out/vmlinuz-amd64", "path to kernel image")
+	flag.StringVar(&builder.InitrdPath, "initrd", "_out/initramfs-amd64.xz", "path to initrd image")
+	flag.StringVar(&builder.Cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline")
+	flag.StringVar(&builder.SigningKeyPath, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key")
+	flag.StringVar(&builder.SigningCertPath, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert")
+	flag.StringVar(&builder.PCRSigningKeyPath, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key")
+	flag.StringVar(&builder.PCRPublicKeyPath, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key")
+
+	flag.StringVar(&builder.OutUKIPath, "output", "_out/vmlinuz.efi.signed", "output path")
+	flag.StringVar(&builder.OutSdBootPath, "sdboot-output", "_out/systemd-boot.efi.signed", "output path")
+	flag.Parse()
+
+	return builder.Build()
+}
+
+func main() {
+	if err := run(); err != nil {
+		log.Fatal(err)
+	}
+}
diff --git a/go.mod b/go.mod
index 20acde17a..2100de0d4 100644
--- a/go.mod
+++ b/go.mod
@@ -76,6 +76,7 @@ require (
 	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/netx v0.0.0-20230430222610-7e21880baee8
 	github.com/nberlee/go-netstat v0.1.2
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc4
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/packethost/packngo v0.30.0
@@ -89,7 +90,7 @@ require (
 	github.com/ryanuber/go-glob v1.0.0
 	github.com/safchain/ethtool v0.3.0
 	github.com/scaleway/scaleway-sdk-go v1.0.0-beta.18
-	github.com/siderolabs/crypto v0.4.0
+	github.com/siderolabs/crypto v0.4.1
 	github.com/siderolabs/discovery-api v0.1.3
 	github.com/siderolabs/discovery-client v0.1.5
 	github.com/siderolabs/gen v0.4.5
@@ -241,7 +242,6 @@ require (
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/nsf/termbox-go v0.0.0-20190121233118-02980233997d // indirect
-	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/runc v1.1.5 // indirect
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
diff --git a/go.sum b/go.sum
index 6aebcbe4d..4f307b5d7 100644
--- a/go.sum
+++ b/go.sum
@@ -1143,8 +1143,8 @@ github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sethgrid/pester v1.2.0 h1:adC9RS29rRUef3rIKWPOuP1Jm3/MmB6ke+OhE5giENI=
 github.com/sethgrid/pester v1.2.0/go.mod h1:hEUINb4RqvDxtoCaU0BNT/HV4ig5kfgOasrf1xcvr0A=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc=
-github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY=
+github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSvpA=
+github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k=
 github.com/siderolabs/discovery-api v0.1.3 h1:37ue+0w2A7Q2FrhyuDbfdhL4VPvDTpCzUYGvibhMwv0=
 github.com/siderolabs/discovery-api v0.1.3/go.mod h1:fC6DOJwYQy2QsMCLLTvoScKmBCMNza+VwK2/RHLsoHU=
 github.com/siderolabs/discovery-client v0.1.5 h1:CyaOOynanZdB29v46lyEOaNfPoBnKjjEBwdYbyCZEh4=
diff --git a/go.work b/go.work
index 0b2fb749f..2acb29f8c 100644
--- a/go.work
+++ b/go.work
@@ -7,6 +7,5 @@ use (
 	./hack/gotagsrewrite
 	./hack/module-sig-verify
 	./hack/structprotogen
-	./hack/ukify
 	./pkg/machinery
 )
diff --git a/hack/ukify/go.mod b/hack/ukify/go.mod
deleted file mode 100644
index 246ea30d5..000000000
--- a/hack/ukify/go.mod
+++ /dev/null
@@ -1,31 +0,0 @@
-module github.com/siderolabs/ukify
-
-go 1.20
-
-replace github.com/siderolabs/talos/pkg/machinery => ../../pkg/machinery
-
-require (
-	github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c
-	github.com/google/go-tpm v0.9.0
-	github.com/saferwall/pe v1.4.4
-	github.com/siderolabs/crypto v0.4.0
-	github.com/siderolabs/go-procfs v0.1.1
-	github.com/siderolabs/talos v1.4.5
-	github.com/siderolabs/talos/pkg/machinery v1.5.0-alpha.0
-)
-
-require (
-	github.com/containerd/go-cni v1.1.9 // indirect
-	github.com/containernetworking/cni v1.1.2 // indirect
-	github.com/edsrzf/mmap-go v1.1.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
-	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/sys v0.9.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect
-	google.golang.org/grpc v1.56.1 // indirect
-	google.golang.org/protobuf v1.30.0 // indirect
-)
diff --git a/hack/ukify/go.sum b/hack/ukify/go.sum
deleted file mode 100644
index f4506e269..000000000
--- a/hack/ukify/go.sum
+++ /dev/null
@@ -1,524 +0,0 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.44.3/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
-cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
-cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
-cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
-cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
-cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
-cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
-cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
-cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
-cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
-cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
-cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
-cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
-github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/containerd/go-cni v1.1.9 h1:ORi7P1dYzCwVM6XPN4n3CbkuOx/NZ2DOqy+SHRdo9rU=
-github.com/containerd/go-cni v1.1.9/go.mod h1:XYrZJ1d5W6E2VOvjffL3IZq0Dz6bsVlERHbekNK90PM=
-github.com/containernetworking/cni v1.1.2 h1:wtRGZVv7olUHMOqouPpn3cXJWpJgM6+EUl31EQbXALQ=
-github.com/containernetworking/cni v1.1.2/go.mod h1:sDpYKmGVENF3s6uvMvGgldDWeG8dMxakj/u+i9ht9vw=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/edsrzf/mmap-go v1.1.0 h1:6EUwBLQ/Mcr1EYLE4Tn1VdW1A4ckqCQWZBw8Hr0kjpQ=
-github.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
-github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c h1:6DovecV+FAekIm7XGpB4J3x+cpk1onzGitYNALBNgpM=
-github.com/foxboron/go-uefi v0.0.0-20230218004016-d1bb9a12f92c/go.mod h1:VdozURTQHi5Rs54l+4Szi3yIJQDMfXXYrRLAjKKowWI=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
-github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
-github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
-github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
-github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
-github.com/google/go-tpm v0.9.0 h1:sQF6YqWMi+SCXpsmS3fd21oPy/vSddwZry4JnmltHVk=
-github.com/google/go-tpm v0.9.0/go.mod h1:FkNVkc6C+IsvDI9Jw1OveJmxGZUUaKxtrpOS47QWKfU=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
-github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
-github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
-github.com/onsi/ginkgo v1.16.4 h1:29JGrr5oVBm5ulCWet69zQkzWipVXIol6ygQUe/EzNc=
-github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
-github.com/onsi/ginkgo/v2 v2.1.3/go.mod h1:vw5CSIxN1JObi/U8gcbwft7ZxR2dgaR70JSE3/PpL4c=
-github.com/onsi/ginkgo/v2 v2.2.0 h1:3ZNA3L1c5FYDFTTxbFeVGGD8jYvjYauHD30YgLxVsNI=
-github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
-github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
-github.com/onsi/gomega v1.20.1 h1:PA/3qinGoukvymdIDV8pii6tiZgC8kbmJO6Z5+b002Q=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/saferwall/pe v1.4.4 h1:Ml++7/2/Z1iKwV4zCsd1nIqTEAdUQKAetwbbcCarhOg=
-github.com/saferwall/pe v1.4.4/go.mod h1:SNzv3cdgk8SBI0UwHfyTcdjawfdnN+nbydnEL7GZ25s=
-github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc=
-github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY=
-github.com/siderolabs/go-procfs v0.1.1 h1:GkKjnDfFkupcuLN0w6A/Oy58/8FPAHcmlgiHIaw6M+g=
-github.com/siderolabs/go-procfs v0.1.1/go.mod h1:byGwc3MfF65wg1mz8t3qQ1zlrYhMngEYh1eDzaFAYq0=
-github.com/siderolabs/talos v1.4.5 h1:zFOZwZ6a2wOnLPyWYWXQggnfkAB8syJQzOia7Tg0FMg=
-github.com/siderolabs/talos v1.4.5/go.mod h1:v3RBzw5NlopKUgeRBeRMGWSowQDiOJck63JEb67U/NY=
-github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk=
-github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
-github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
-go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
-golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.9.0 h1:KS/R3tvhPqvJvwcKfnBHJwwthS11LRhmM5D59eEXa0s=
-golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
-golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
-golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
-golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
-golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
-golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
-google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
-google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
-google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg=
-google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE=
-google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
-google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 h1:DEH99RbiLZhMxrpEJCZ0A+wdTe0EOgou/poSLx9vWf4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
-google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
-google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.31.1/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8=
-google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
-google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ=
-google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
-google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
-google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
-google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
-google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
-google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
-rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/hack/ukify/main.go b/hack/ukify/main.go
deleted file mode 100644
index 703f8a453..000000000
--- a/hack/ukify/main.go
+++ /dev/null
@@ -1,398 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-// ukify is a tool to generate UKI bundles from kernel/initramfs...
-package main
-
-import (
-	"bytes"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"html/template"
-	"log"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-
-	_ "embed"
-
-	"github.com/foxboron/go-uefi/efi"
-	"github.com/saferwall/pe"
-	"github.com/siderolabs/crypto/x509"
-	"github.com/siderolabs/go-procfs/procfs"
-
-	"github.com/siderolabs/ukify/constants"
-	"github.com/siderolabs/ukify/measure"
-
-	talosconstants "github.com/siderolabs/talos/pkg/machinery/constants"
-	kernelpkg "github.com/siderolabs/talos/pkg/machinery/kernel"
-	"github.com/siderolabs/talos/pkg/version"
-)
-
-//go:embed assets/sidero.bmp
-var splashBMP []byte
-
-var (
-	sdStub         string
-	sdBoot         string
-	kernel         string
-	initrd         string
-	cmdline        string
-	signingKey     string
-	signingCert    string
-	pcrSigningKey  string
-	pcrPublicKey   string
-	pcrSigningCert string
-	output         string
-)
-
-func sign(input string) (string, error) {
-	out := input + ".signed"
-
-	if err := os.RemoveAll(out); err != nil {
-		return "", err
-	}
-
-	pem, err := x509.NewCertificateAndKeyFromFiles(signingCert, signingKey)
-	if err != nil {
-		return "", err
-	}
-	cert, err := pem.GetCert()
-	if err != nil {
-		return "", err
-	}
-	key, err := pem.GetRSAKey()
-	if err != nil {
-		return "", err
-	}
-
-	unsigned, err := os.ReadFile(input)
-	if err != nil {
-		return "", err
-	}
-
-	signed, err := efi.SignEFIExecutable(key, cert, unsigned)
-	if err != nil {
-		return "", err
-	}
-
-	err = os.WriteFile(out, signed, 0o600)
-
-	return out, err
-}
-
-type section struct {
-	name    constants.Section
-	file    string
-	measure bool
-	append  bool
-	size    uint64
-	vma     uint64
-}
-
-func buildUKI(source, output string, sections []section) error {
-	peFile, err := pe.New(source, &pe.Options{Fast: true})
-	if err != nil {
-		return err
-	}
-
-	defer peFile.Close() //nolint: errcheck
-
-	if err = peFile.Parse(); err != nil {
-		return err
-	}
-
-	// find the first VMA address
-	lastSection := peFile.Sections[len(peFile.Sections)-1]
-
-	// align the VMA to 512 bytes
-	// https://github.com/saferwall/pe/blob/main/helper.go#L22-L26
-	const alignment = 0x1ff
-
-	header, ok := peFile.NtHeader.OptionalHeader.(pe.ImageOptionalHeader64)
-	if !ok {
-		return fmt.Errorf("failed to get optional header")
-	}
-
-	baseVMA := header.ImageBase + uint64(lastSection.Header.VirtualAddress) + uint64(lastSection.Header.VirtualSize)
-	baseVMA = (baseVMA + alignment) &^ alignment
-
-	// calculate sections size and VMA
-	for i := range sections {
-		if !sections[i].append {
-			continue
-		}
-
-		st, err := os.Stat(sections[i].file)
-		if err != nil {
-			return err
-		}
-
-		sections[i].size = uint64(st.Size())
-		sections[i].vma = baseVMA
-
-		baseVMA += sections[i].size
-		baseVMA = (baseVMA + alignment) &^ alignment
-	}
-
-	// create the output file
-	args := []string{}
-
-	for _, section := range sections {
-		if !section.append {
-			continue
-		}
-
-		args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.name, section.file), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.name, section.vma))
-	}
-
-	args = append(args, source, output)
-
-	cmd := exec.Command("objcopy", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-
-	return cmd.Run()
-}
-
-func Measure(tempDir, signingKey string, sections []section) ([]section, error) {
-	sectionsData := measure.SectionsData{}
-
-	for _, section := range sections {
-		if !section.measure {
-			continue
-		}
-
-		sectionsData[section.name] = section.file
-	}
-
-	pcrpsigFile := filepath.Join(tempDir, "pcrpsig")
-
-	pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey)
-	if err != nil {
-		return nil, err
-	}
-
-	pcrSignatureData, err := json.Marshal(&pcrData)
-	if err != nil {
-		return nil, err
-	}
-
-	if err = os.WriteFile(pcrpsigFile, pcrSignatureData, 0o644); err != nil {
-		return nil, err
-	}
-
-	sections = append(sections, section{
-		name:    constants.PCRSig,
-		file:    pcrpsigFile,
-		measure: false,
-		append:  true,
-	})
-
-	return sections, nil
-}
-
-func run() error {
-	defaultCmdline := procfs.NewCmdline("")
-	defaultCmdline.Append(talosconstants.KernelParamPlatform, "metal")
-
-	if err := defaultCmdline.AppendAll(kernelpkg.DefaultArgs); err != nil {
-		return err
-	}
-
-	defaultCmdline.Append("console", "ttyS0")
-	defaultCmdline.Append("console", "tty0")
-
-	flag.StringVar(&sdStub, "sd-stub", "_out/linuxx64.efi.stub", "path to sd-stub")
-	flag.StringVar(&sdBoot, "sd-boot", "_out/systemd-bootx64.efi", "path to sd-boot")
-	flag.StringVar(&output, "output", "_out/vmlinuz.efi", "output path")
-	flag.StringVar(&kernel, "kernel", "_out/vmlinuz-amd64", "path to kernel image")
-	flag.StringVar(&initrd, "initrd", "_out/initramfs-amd64.xz", "path to initrd image")
-	flag.StringVar(&cmdline, "cmdline", defaultCmdline.String(), "kernel cmdline")
-	flag.StringVar(&signingKey, "signing-key-path", "_out/uki-certs/uki-signing-key.pem", "path to signing key")
-	flag.StringVar(&signingCert, "signing-cert-path", "_out/uki-certs/uki-signing-cert.pem", "path to signing cert")
-	flag.StringVar(&pcrSigningKey, "pcr-signing-key-path", "_out/uki-certs/pcr-signing-key.pem", "path to PCR signing key")
-	flag.StringVar(&pcrPublicKey, "pcr-public-key-path", "_out/uki-certs/pcr-signing-public-key.pem", "path to PCR public key")
-	flag.StringVar(&pcrSigningCert, "prc-signing-cert-path", "_out/uki-certs/pcr-signing-cert.pem", "path to PCR signing cert")
-	flag.Parse()
-
-	_, err := sign(sdBoot)
-	if err != nil {
-		return fmt.Errorf("failed to sign sd-boot: %w", err)
-	}
-
-	signedKernel, err := sign(kernel)
-	if err != nil {
-		return fmt.Errorf("failed to sign kernel: %w", err)
-	}
-
-	tempDir, err := os.MkdirTemp("", "ukify")
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		if err = os.RemoveAll(tempDir); err != nil {
-			log.Printf("failed to remove temp dir: %v", err)
-		}
-	}()
-
-	cmdlineFile := filepath.Join(tempDir, "cmdline")
-
-	if err = os.WriteFile(cmdlineFile, []byte(cmdline), 0o644); err != nil {
-		return err
-	}
-
-	unameFile := filepath.Join(tempDir, "uname")
-
-	if err = os.WriteFile(unameFile, []byte(talosconstants.DefaultKernelVersion), 0o644); err != nil {
-		return err
-	}
-
-	osReleaseFile := filepath.Join(tempDir, "os-release")
-
-	var buf bytes.Buffer
-
-	tmpl, err := template.New("").Parse(talosconstants.OSReleaseTemplate)
-	if err != nil {
-		return err
-	}
-
-	if err = tmpl.Execute(&buf, struct {
-		Name    string
-		ID      string
-		Version string
-	}{
-		Name:    version.Name,
-		ID:      strings.ToLower(version.Name),
-		Version: version.Tag,
-	}); err != nil {
-		return err
-	}
-
-	if err = os.WriteFile(osReleaseFile, buf.Bytes(), 0o644); err != nil {
-		return err
-	}
-
-	splashFile := filepath.Join(tempDir, "splash.bmp")
-
-	if err = os.WriteFile(splashFile, splashBMP, 0o644); err != nil {
-		return err
-	}
-
-	sbat, closeFunc, err := parseSBATFromStub()
-	if err != nil {
-		return err
-	}
-
-	defer closeFunc() //nolint:errcheck
-
-	sbatFile := filepath.Join(tempDir, "sbat")
-
-	if err = os.WriteFile(sbatFile, sbat, 0o644); err != nil {
-		return err
-	}
-
-	sections := []section{
-		{
-			name:    constants.OSRel,
-			file:    osReleaseFile,
-			measure: true,
-			append:  true,
-		},
-		{
-			name:    constants.CMDLine,
-			file:    cmdlineFile,
-			measure: true,
-			append:  true,
-		},
-		{
-			name:    constants.Initrd,
-			file:    initrd,
-			measure: true,
-			append:  true,
-		},
-		{
-			name:    constants.Splash,
-			file:    splashFile,
-			measure: true,
-			append:  true,
-		},
-		{
-			name:    constants.Uname,
-			file:    unameFile,
-			measure: true,
-			append:  true,
-		},
-		{
-			name:    constants.SBAT,
-			file:    sbatFile,
-			measure: true,
-		},
-		{
-			name:    constants.PCRPKey,
-			file:    pcrPublicKey,
-			measure: true,
-			append:  true,
-		},
-	}
-
-	// kernel is added last to account for decompression
-	sections = append(sections,
-		section{
-			name:    constants.Linux,
-			file:    signedKernel,
-			measure: true,
-			append:  true,
-		},
-	)
-
-	// systemd-measure
-	if sections, err = Measure(tempDir, pcrSigningKey, sections); err != nil {
-		return err
-	}
-
-	if err = os.RemoveAll(output); err != nil {
-		return err
-	}
-
-	if err := buildUKI(sdStub, output, sections); err != nil {
-		return err
-	}
-
-	_, err = sign(output)
-
-	return err
-}
-
-func parseSBATFromStub() ([]byte, func() error, error) {
-	pefile, err := pe.New(sdStub, &pe.Options{Fast: true})
-	if err != nil {
-		return nil, pefile.Close, err
-	}
-
-	if err := pefile.Parse(); err != nil {
-		return nil, pefile.Close, err
-	}
-
-	var sbatData []byte
-
-	for _, section := range pefile.Sections {
-		if section.String() == string(constants.SBAT) {
-			sbatData = section.Data(section.Header.VirtualAddress, section.Header.VirtualSize, pefile)
-
-			break
-		}
-	}
-
-	return sbatData, pefile.Close, nil
-}
-
-func main() {
-	if err := run(); err != nil {
-		log.Fatal(err)
-	}
-}
diff --git a/hack/ukify/measure/extend/extend.go b/hack/ukify/measure/extend/extend.go
deleted file mode 100644
index 3658ea815..000000000
--- a/hack/ukify/measure/extend/extend.go
+++ /dev/null
@@ -1,41 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package extend
-
-import (
-	"bytes"
-	"crypto"
-)
-
-type digest struct {
-	alg  crypto.Hash
-	hash []byte
-}
-
-func New(alg crypto.Hash) *digest {
-	return &digest{
-		alg:  alg,
-		hash: bytes.Repeat([]byte{0x00}, alg.Size()),
-	}
-}
-
-func (d *digest) Hash() []byte {
-	return d.hash
-}
-
-func (d *digest) Extend(data []byte) {
-	// create hash of incoming data
-	hash := d.alg.New()
-	hash.Write(data)
-	hashSum := hash.Sum(nil)
-
-	// extend hash with previous data and hashed incoming data
-	newHash := d.alg.New()
-	newHash.Write(d.hash)
-	newHash.Write(hashSum)
-
-	// set sum as new hash
-	d.hash = newHash.Sum(nil)
-}
diff --git a/hack/ukify/measure/measure.go b/hack/ukify/measure/measure.go
deleted file mode 100644
index 4873fca0e..000000000
--- a/hack/ukify/measure/measure.go
+++ /dev/null
@@ -1,226 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package measure
-
-import (
-	"bytes"
-	"crypto"
-	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/binary"
-	"encoding/hex"
-	"encoding/pem"
-	"fmt"
-	"os"
-
-	"github.com/google/go-tpm/tpm2"
-	"github.com/google/go-tpm/tpmutil"
-
-	"github.com/siderolabs/ukify/constants"
-	"github.com/siderolabs/ukify/measure/extend"
-)
-
-type PCRData struct {
-	SHA1   []bankData `json:"sha1,omitempty"`
-	SHA256 []bankData `json:"sha256,omitempty"`
-	SHA384 []bankData `json:"sha384,omitempty"`
-	SHA512 []bankData `json:"sha512,omitempty"`
-}
-
-type bankData struct {
-	// list of PCR banks
-	PCRS []int `json:"pcrs"`
-	// Public key of the TPM
-	PKFP string `json:"pkfp"`
-	// Policy digest
-	POL string `json:"pol"`
-	// Signature of the policy digest in base64
-	SIG string `json:"sig"`
-}
-
-// signatureData returns the hashed signature digest and base64 encoded signature
-type signatureData struct {
-	Digest          string
-	SignatureBase64 string
-}
-
-// SectionData holds a map of Section to file path to the corresponding section
-type SectionsData map[constants.Section]string
-
-func calculatePCRBankData(pcr int, alg tpm2.TPMAlgID, sectionData SectionsData, privateKeyFile string) ([]bankData, error) {
-	rsaKey, err := parseRSAKey(privateKeyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	// get fingerprint of public key
-	pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey))
-
-	hashAlg, err := alg.Hash()
-	if err != nil {
-		return nil, err
-	}
-
-	pcrSelector, err := createPCRSelection([]int{constants.UKIPCR})
-	if err != nil {
-		return nil, fmt.Errorf("failed to create PCR selection: %v", err)
-	}
-
-	pcrSelection := tpm2.TPMLPCRSelection{
-		PCRSelections: []tpm2.TPMSPCRSelection{
-			{
-				Hash:      alg,
-				PCRSelect: pcrSelector,
-			},
-		},
-	}
-
-	hashData := extend.New(hashAlg)
-
-	for _, section := range constants.OrderedSections() {
-		if file, ok := sectionData[section]; ok && file != "" {
-			hashData.Extend(append([]byte(section), 0))
-
-			sectionData, err := os.ReadFile(file)
-			if err != nil {
-				return nil, err
-			}
-
-			hashData.Extend(sectionData)
-		}
-	}
-
-	banks := make([]bankData, 0)
-
-	for _, phaseInfo := range constants.OrderedPhases() {
-		// extend always, but only calculate signature if requested
-		hashData.Extend([]byte(phaseInfo.Phase))
-
-		if !phaseInfo.CalculateSignature {
-			continue
-		}
-
-		hash := hashData.Hash()
-
-		policyPCR := calculatePolicyPCR(hash, pcrSelection)
-
-		sigData, err := calculateSignature(policyPCR, hashAlg, rsaKey)
-		if err != nil {
-			return nil, err
-		}
-
-		banks = append(banks, bankData{
-			PCRS: []int{pcr},
-			PKFP: hex.EncodeToString(pubKeyFingerprint[:]),
-			SIG:  sigData.SignatureBase64,
-			POL:  sigData.Digest,
-		})
-	}
-
-	return banks, nil
-}
-
-func calculatePolicyPCR(pcrValue []byte, pcrSelection tpm2.TPMLPCRSelection) []byte {
-	initial := bytes.Repeat([]byte{0x00}, sha256.Size)
-	pcrHash := sha256.Sum256(pcrValue)
-
-	policyPCRCommandValue := make([]byte, 4)
-	binary.BigEndian.PutUint32(policyPCRCommandValue, uint32(tpm2.TPMCCPolicyPCR))
-
-	pcrSelectionMarshalled := tpm2.Marshal(pcrSelection)
-
-	commandWithPCRSelectionMarshalled := append(policyPCRCommandValue, pcrSelectionMarshalled...)
-
-	toHash := append(initial[:], append(commandWithPCRSelectionMarshalled, pcrHash[:]...)...)
-
-	hashed := sha256.Sum256(toHash)
-
-	return hashed[:]
-}
-
-func parseRSAKey(key string) (*rsa.PrivateKey, error) {
-	keyData, err := os.ReadFile(key)
-	if err != nil {
-		return nil, err
-	}
-
-	// convert private key to rsa.PrivateKey
-	rsaPrivateKeyBlock, _ := pem.Decode(keyData)
-	if rsaPrivateKeyBlock == nil {
-		return nil, err
-	}
-
-	rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes)
-	if err != nil {
-		return nil, fmt.Errorf("parse private key failed: %v", err)
-	}
-
-	return rsaKey, nil
-}
-
-func calculateSignature(digest []byte, hash crypto.Hash, rsaKey *rsa.PrivateKey) (*signatureData, error) {
-	digestToHash := hash.New()
-	digestToHash.Write(digest)
-	digestHashed := digestToHash.Sum(nil)
-
-	// sign policy digest
-	signedData, err := rsaKey.Sign(nil, digestHashed[:], hash)
-	if err != nil {
-		return nil, fmt.Errorf("signing failed: %v", err)
-	}
-
-	return &signatureData{
-		Digest:          hex.EncodeToString(digest),
-		SignatureBase64: base64.StdEncoding.EncodeToString(signedData),
-	}, nil
-}
-
-func GenerateSignedPCR(sectionsData SectionsData, rsaKey string) (*PCRData, error) {
-	sha1BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA1, sectionsData, rsaKey)
-	if err != nil {
-		return nil, err
-	}
-
-	sha256BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA256, sectionsData, rsaKey)
-	if err != nil {
-		return nil, err
-	}
-
-	sha384BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA384, sectionsData, rsaKey)
-	if err != nil {
-		return nil, err
-	}
-
-	sha512BankData, err := calculatePCRBankData(constants.UKIPCR, tpm2.TPMAlgSHA512, sectionsData, rsaKey)
-	if err != nil {
-		return nil, err
-	}
-
-	return &PCRData{
-		SHA1:   sha1BankData,
-		SHA256: sha256BankData,
-		SHA384: sha384BankData,
-		SHA512: sha512BankData,
-	}, nil
-}
-
-func createPCRSelection(s []int) ([]byte, error) {
-	const sizeOfPCRSelect = 3
-
-	PCRs := make(tpmutil.RawBytes, sizeOfPCRSelect)
-
-	for _, n := range s {
-		if n >= 8*sizeOfPCRSelect {
-			return nil, fmt.Errorf("PCR index %d is out of range (exceeds maximum value %d)", n, 8*sizeOfPCRSelect-1)
-		}
-		byteNum := n / 8
-		bytePos := byte(1 << (n % 8))
-		PCRs[byteNum] |= bytePos
-	}
-
-	return PCRs, nil
-}
diff --git a/internal/app/init/main.go b/internal/app/init/main.go
index 9eb77a2ad..fc67e73d8 100644
--- a/internal/app/init/main.go
+++ b/internal/app/init/main.go
@@ -25,6 +25,7 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount"
 	"github.com/siderolabs/talos/internal/pkg/mount/switchroot"
 	"github.com/siderolabs/talos/internal/pkg/rng"
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/extensions"
@@ -60,7 +61,7 @@ func run() (err error) {
 	}
 
 	// extend PCR 11 with enter-initrd
-	if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.EnterInitrd)); err != nil {
+	if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.EnterInitrd)); err != nil {
 		return fmt.Errorf("failed to extend PCR %d with enter-initrd: %v", constants.UKIMeasuredPCR, err)
 	}
 
diff --git a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
index d571124e8..e91c0eb49 100644
--- a/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/v1alpha1_sequencer_tasks.go
@@ -19,7 +19,6 @@ import (
 	"path/filepath"
 	"strings"
 	"syscall"
-	"text/template"
 	"time"
 
 	"github.com/containerd/cgroups"
@@ -62,6 +61,7 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/meta"
 	"github.com/siderolabs/talos/internal/pkg/mount"
 	"github.com/siderolabs/talos/internal/pkg/partition"
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm2"
 	"github.com/siderolabs/talos/pkg/conditions"
 	"github.com/siderolabs/talos/pkg/images"
@@ -380,43 +380,12 @@ func OSRelease() (err error) {
 		return err
 	}
 
-	var (
-		v    string
-		tmpl *template.Template
-	)
-
-	switch version.Tag {
-	case "none":
-		v = version.SHA
-	default:
-		v = version.Tag
-	}
-
-	data := struct {
-		Name    string
-		ID      string
-		Version string
-	}{
-		Name:    version.Name,
-		ID:      strings.ToLower(version.Name),
-		Version: v,
-	}
-
-	tmpl, err = template.New("").Parse(constants.OSReleaseTemplate)
+	contents, err := version.OSRelease()
 	if err != nil {
 		return err
 	}
 
-	var buf []byte
-
-	writer := bytes.NewBuffer(buf)
-
-	err = tmpl.Execute(writer, data)
-	if err != nil {
-		return err
-	}
-
-	return os.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), writer.Bytes(), 0o644)
+	return os.WriteFile(filepath.Join(constants.SystemEtcPath, "os-release"), contents, 0o644)
 }
 
 // createBindMount creates a common way to create a writable source file with a
@@ -863,7 +832,7 @@ func WriteUdevRules(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // StartMachined represents the task to start machined.
 func StartMachined(_ runtime.Sequence, _ any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) error {
-		if err := tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.EnterMachined)); err != nil {
+		if err := tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.EnterMachined)); err != nil {
 			return err
 		}
 
@@ -920,7 +889,7 @@ func StartUdevd(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 // ExtendPCRStartAll represents the task to extend the PCR with the StartTheWorld PCR phase.
 func ExtendPCRStartAll(runtime.Sequence, any) (runtime.TaskExecutionFunc, string) {
 	return func(ctx context.Context, logger *log.Logger, r runtime.Runtime) (err error) {
-		return tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.StartTheWorld))
+		return tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.StartTheWorld))
 	}, "extendPCRStartAll"
 }
 
diff --git a/internal/pkg/mount/switchroot/switchroot.go b/internal/pkg/mount/switchroot/switchroot.go
index 4cf3e49da..c4f9bf839 100644
--- a/internal/pkg/mount/switchroot/switchroot.go
+++ b/internal/pkg/mount/switchroot/switchroot.go
@@ -14,6 +14,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	"github.com/siderolabs/talos/internal/pkg/mount"
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
 	"github.com/siderolabs/talos/internal/pkg/tpm2"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 )
@@ -68,7 +69,7 @@ func Switch(prefix string, mountpoints *mount.Points) (err error) {
 	}
 
 	// extend PCR 11 with leave-initrd
-	if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(tpm2.LeaveInitrd)); err != nil {
+	if err = tpm2.PCRExtent(constants.UKIMeasuredPCR, []byte(secureboot.LeaveInitrd)); err != nil {
 		return fmt.Errorf("failed to extend PCR %d with leave-initrd: %v", constants.UKIMeasuredPCR, err)
 	}
 
diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data.go b/internal/pkg/secureboot/measure/internal/pcr/bank_data.go
new file mode 100644
index 000000000..0b9ddcdc5
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/bank_data.go
@@ -0,0 +1,90 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr
+
+import (
+	"crypto/rsa"
+	"crypto/sha256"
+	"crypto/x509"
+	"encoding/hex"
+	"fmt"
+	"os"
+
+	"github.com/google/go-tpm/tpm2"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2"
+)
+
+// CalculateBankData calculates the PCR bank data for a given set of UKI file sections.
+//
+// This mimics the process happening happening in the TPM when the UKI is being loaded.
+func CalculateBankData(pcrNumber int, alg tpm2.TPMAlgID, sectionData map[secureboot.Section]string, rsaKey *rsa.PrivateKey) ([]talostpm2.BankData, error) {
+	// get fingerprint of public key
+	pubKeyFingerprint := sha256.Sum256(x509.MarshalPKCS1PublicKey(&rsaKey.PublicKey))
+
+	hashAlg, err := alg.Hash()
+	if err != nil {
+		return nil, err
+	}
+
+	pcrSelector, err := CreateSelector([]int{secureboot.UKIPCR})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create PCR selection: %v", err)
+	}
+
+	pcrSelection := tpm2.TPMLPCRSelection{
+		PCRSelections: []tpm2.TPMSPCRSelection{
+			{
+				Hash:      alg,
+				PCRSelect: pcrSelector,
+			},
+		},
+	}
+
+	hashData := NewDigest(hashAlg)
+
+	for _, section := range secureboot.OrderedSections() {
+		if file := sectionData[section]; file != "" {
+			hashData.Extend(append([]byte(section), 0))
+
+			sectionData, err := os.ReadFile(file)
+			if err != nil {
+				return nil, err
+			}
+
+			hashData.Extend(sectionData)
+		}
+	}
+
+	banks := make([]talostpm2.BankData, 0)
+
+	for _, phaseInfo := range secureboot.OrderedPhases() {
+		// extend always, but only calculate signature if requested
+		hashData.Extend([]byte(phaseInfo.Phase))
+
+		if !phaseInfo.CalculateSignature {
+			continue
+		}
+
+		hash := hashData.Hash()
+
+		policyPCR := CalculatePolicy(hash, pcrSelection)
+
+		sigData, err := Sign(policyPCR, hashAlg, rsaKey)
+		if err != nil {
+			return nil, err
+		}
+
+		banks = append(banks, talostpm2.BankData{
+			PCRs: []int{pcrNumber},
+			PKFP: hex.EncodeToString(pubKeyFingerprint[:]),
+			Sig:  sigData.SignatureBase64,
+			Pol:  sigData.Digest,
+		})
+	}
+
+	return banks, nil
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go b/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go
new file mode 100644
index 000000000..15cab198b
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/bank_data_test.go
@@ -0,0 +1,51 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr_test
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"os"
+	"testing"
+
+	"github.com/google/go-tpm/tpm2"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2"
+)
+
+func TestCalculateBankData(t *testing.T) {
+	t.Parallel()
+
+	pemKey, err := os.ReadFile("../../testdata/pcr-signing-key.pem")
+	require.NoError(t, err)
+
+	block, _ := pem.Decode(pemKey)
+	require.NotNil(t, block)
+
+	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	require.NoError(t, err)
+
+	bankData, err := pcr.CalculateBankData(15, tpm2.TPMAlgSHA256,
+		map[secureboot.Section]string{
+			secureboot.Initrd: "testdata/a",
+			secureboot.Linux:  "testdata/b",
+			secureboot.DTB:    "testdata/c",
+		},
+		key)
+	require.NoError(t, err)
+
+	require.Equal(t,
+		[]talostpm2.BankData{
+			{
+				PCRs: []int{15},
+				PKFP: "58f58f625bd8a8b6681e4b40688cf99b26419b6b2c5f6e14a2c7c67a3b0b1620",
+				Pol:  "a1c9d366451c82969238eb82a5282f84b6a3d499e540430ecf792083155225dd",
+				Sig:  "bO4F/T6bio7jLJFpi4GsJHjZDj+H5Pq4stjKA5WhkzBNCmE1gQECeOALUfNJ1RW/HKhwSp7KhGFqqnjyg/eXR3c0pVuYUKuAjZz9NMXS4dAQlSLxtNWMmlX3XDst/UKfxB6Z+m2KluJpF3KeAw03tP9lru6nfzaickOs1UL83IO5QgLkCHpUcSloZcya0xS9ETCNBd5gm8K+c9gc7+CmpFLTo1uTxbBK0Mea+3fn7GAZROHPMBLosvTM5D9vplsWIXXAXSaHr/sj5bxOIR+orCQZOdYY+/8ra4oFVXzHc9kkPP3A6mWzoADKryWWIVKPx/DGLi0ExT2fpCNdUoMOacvD+dqDqjVBhcOwoAZkNqve/W/poqaLlKyFTqlmGmv+08WavtShYmCURa4Mn3UFf49BTVkktxoQ+jTMroyit1uK/ppMSjaPwQp2Dd1pRCY4hcFfLwqryy1zRMT/XmZ2e91MYe40Pr9Tom2ZH0YAigDosBPuP6RHt7IypFIgary3louW1dqNLXW8p38Y91nYDKBWI9x0tVn5ufqtk5wkHnExTjUYkTWU98+p5J7urDIhLuX1mSi57Ekq02f+lVLMs85SHfmMfzZl7l7Xi4npYbW+5xHKiAxLnaXVJCHdW0xiAD0VTLer5Oe5nf7FrjSzS39rXoryKfcHFOIxRT1XQOA=", //nolint:lll
+			},
+		}, bankData)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend.go b/internal/pkg/secureboot/measure/internal/pcr/extend.go
new file mode 100644
index 000000000..75ee2c7fa
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/extend.go
@@ -0,0 +1,49 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr
+
+import (
+	"crypto"
+)
+
+// Digest implements the PCR extension algorithm.
+//
+// Each time `Extend` is called, the hash of the previous data is
+// prepended to the hash of new data and hashed together.
+//
+// The initial hash value is all zeroes.
+type Digest struct {
+	alg  crypto.Hash
+	hash []byte
+}
+
+// NewDigest creates a new Digest with the speified hash algorithm.
+func NewDigest(alg crypto.Hash) *Digest {
+	return &Digest{
+		alg:  alg,
+		hash: make([]byte, alg.Size()),
+	}
+}
+
+// Hash returns the current hash value.
+func (d *Digest) Hash() []byte {
+	return d.hash
+}
+
+// Extend extends the current hash with the specified data.
+func (d *Digest) Extend(data []byte) {
+	// create hash of incoming data
+	hash := d.alg.New()
+	hash.Write(data)
+	hashSum := hash.Sum(nil)
+
+	// extend hash with previous data and hashed incoming data
+	hash.Reset()
+	hash.Write(d.hash)
+	hash.Write(hashSum)
+
+	// set sum as new hash
+	d.hash = hash.Sum(nil)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/extend_test.go b/internal/pkg/secureboot/measure/internal/pcr/extend_test.go
new file mode 100644
index 000000000..3c061164d
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/extend_test.go
@@ -0,0 +1,36 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr_test
+
+import (
+	"crypto"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+)
+
+func TestExtend(t *testing.T) {
+	t.Parallel()
+
+	hash := pcr.NewDigest(crypto.SHA256)
+
+	assert.Equal(t, make([]byte, 32), hash.Hash())
+
+	hash.Extend([]byte("foo"))
+
+	assert.Equal(t,
+		[]byte{0x42, 0x48, 0x16, 0xd0, 0x20, 0xcf, 0x3d, 0x79, 0x3a, 0xc0, 0x21, 0xda, 0x47, 0x37, 0x9b, 0xdf, 0x60, 0x80, 0x80, 0xa8, 0x3e, 0xb9, 0x36, 0x4a, 0x7f, 0xbe, 0xb, 0xdf, 0xa8, 0x71, 0x11, 0xd7},
+		hash.Hash(),
+	)
+
+	hash.Extend([]byte("bar"))
+
+	assert.Equal(t,
+		[]byte{0x63, 0x5c, 0x18, 0xb1, 0x5e, 0xf5, 0xc5, 0xd6, 0xc0, 0x20, 0xe7, 0x23, 0x39, 0xdd, 0xef, 0xd8, 0xb0, 0x5c, 0x4c, 0x4a, 0x44, 0xb3, 0x4e, 0xff, 0x8c, 0xef, 0x22, 0x6f, 0x89, 0x2, 0x77, 0x2},
+		hash.Hash(),
+	)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/pcr.go b/internal/pkg/secureboot/measure/internal/pcr/pcr.go
new file mode 100644
index 000000000..998ac5e74
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/pcr.go
@@ -0,0 +1,25 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package pcr contains code that handles PCR operations.
+package pcr
+
+import "fmt"
+
+// CreateSelector converts PCR  numbers into a bitmask.
+func CreateSelector(pcrs []int) ([]byte, error) {
+	const sizeOfPCRSelect = 3
+
+	mask := make([]byte, sizeOfPCRSelect)
+
+	for _, n := range pcrs {
+		if n >= 8*sizeOfPCRSelect {
+			return nil, fmt.Errorf("PCR index %d is out of range (exceeds maximum value %d)", n, 8*sizeOfPCRSelect-1)
+		}
+
+		mask[n>>3] |= 1 << (n & 0x7)
+	}
+
+	return mask, nil
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go b/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go
new file mode 100644
index 000000000..3331294ca
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/pcr_test.go
@@ -0,0 +1,49 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+)
+
+func TestGetSelection(t *testing.T) {
+	t.Parallel()
+
+	for _, tt := range []struct {
+		name     string
+		pcrs     []int
+		expected []byte
+	}{
+		{
+			name:     "empty",
+			expected: []byte{0, 0, 0},
+		},
+		{
+			name:     "1, 3, 5",
+			pcrs:     []int{1, 3, 5},
+			expected: []byte{42, 0, 0},
+		},
+		{
+			name:     "21, 22, 23",
+			pcrs:     []int{21, 22, 23},
+			expected: []byte{0, 0, 0xe0},
+		},
+	} {
+		tt := tt
+
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			actual, err := pcr.CreateSelector(tt.pcrs)
+			require.NoError(t, err)
+
+			require.Equal(t, tt.expected, actual)
+		})
+	}
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/policy.go b/internal/pkg/secureboot/measure/internal/pcr/policy.go
new file mode 100644
index 000000000..65c433805
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/policy.go
@@ -0,0 +1,31 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr
+
+import (
+	"crypto/sha256"
+	"encoding/binary"
+
+	"github.com/google/go-tpm/tpm2"
+)
+
+// CalculatePolicy calculates the policy hash for a given PCR value and PCR selection.
+func CalculatePolicy(pcrValue []byte, pcrSelection tpm2.TPMLPCRSelection) []byte {
+	initial := make([]byte, sha256.Size)
+	pcrHash := sha256.Sum256(pcrValue)
+
+	policyPCRCommandValue := make([]byte, 4)
+	binary.BigEndian.PutUint32(policyPCRCommandValue, uint32(tpm2.TPMCCPolicyPCR))
+
+	pcrSelectionMarshalled := tpm2.Marshal(pcrSelection)
+
+	hasher := sha256.New()
+	hasher.Write(initial)
+	hasher.Write(policyPCRCommandValue)
+	hasher.Write(pcrSelectionMarshalled)
+	hasher.Write(pcrHash[:])
+
+	return hasher.Sum(nil)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/policy_test.go b/internal/pkg/secureboot/measure/internal/pcr/policy_test.go
new file mode 100644
index 000000000..349b7c89a
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/policy_test.go
@@ -0,0 +1,31 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr_test
+
+import (
+	"testing"
+
+	"github.com/google/go-tpm/tpm2"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+)
+
+func TestCalculatePolicy(t *testing.T) {
+	t.Parallel()
+
+	policy := pcr.CalculatePolicy([]byte{1, 3, 5}, tpm2.TPMLPCRSelection{
+		PCRSelections: []tpm2.TPMSPCRSelection{
+			{
+				Hash:      tpm2.TPMAlgSHA256,
+				PCRSelect: []byte{10, 11, 12},
+			},
+		},
+	})
+	require.Equal(t,
+		[]byte{0x84, 0xd6, 0x51, 0x47, 0xb0, 0x53, 0x94, 0xd0, 0xfa, 0xc4, 0x5e, 0x36, 0x0, 0x20, 0x3e, 0x3a, 0x11, 0x1, 0x27, 0xfb, 0xe2, 0x6f, 0xc1, 0xe3, 0x3, 0x3, 0x10, 0x21, 0x33, 0xf9, 0x15, 0xe3},
+		policy,
+	)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign.go b/internal/pkg/secureboot/measure/internal/pcr/sign.go
new file mode 100644
index 000000000..75ad45e0f
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/sign.go
@@ -0,0 +1,37 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package pcr contains code that handles PCR operations.
+package pcr
+
+import (
+	"crypto"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+)
+
+// Signature returns the hashed signature digest and base64 encoded signature.
+type Signature struct {
+	Digest          string
+	SignatureBase64 string
+}
+
+// Sign the digest using specified hash and key.
+func Sign(digest []byte, hash crypto.Hash, key crypto.Signer) (*Signature, error) {
+	digestToHash := hash.New()
+	digestToHash.Write(digest)
+	digestHashed := digestToHash.Sum(nil)
+
+	// sign policy digest
+	signedData, err := key.Sign(nil, digestHashed, hash)
+	if err != nil {
+		return nil, fmt.Errorf("signing failed: %v", err)
+	}
+
+	return &Signature{
+		Digest:          hex.EncodeToString(digest),
+		SignatureBase64: base64.StdEncoding.EncodeToString(signedData),
+	}, nil
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/sign_test.go b/internal/pkg/secureboot/measure/internal/pcr/sign_test.go
new file mode 100644
index 000000000..4e29c5bf1
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/sign_test.go
@@ -0,0 +1,45 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pcr_test
+
+import (
+	"crypto"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+)
+
+func TestSign(t *testing.T) {
+	t.Parallel()
+
+	pemKey, err := os.ReadFile("../../testdata/pcr-signing-key.pem")
+	require.NoError(t, err)
+
+	block, _ := pem.Decode(pemKey)
+	require.NotNil(t, block)
+
+	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	require.NoError(t, err)
+
+	digest, err := hex.DecodeString("e9590019f04a00029bb5ac512c3d3dfff0ec0e66418cfb5035e22313af891d81")
+	require.NoError(t, err)
+
+	signature, err := pcr.Sign(digest, crypto.SHA256, key)
+	require.NoError(t, err)
+
+	require.Equal(t,
+		&pcr.Signature{
+			Digest:          "e9590019f04a00029bb5ac512c3d3dfff0ec0e66418cfb5035e22313af891d81",
+			SignatureBase64: "Ylam12MOrPQs2m0AsHzRYBjZwYB1B5W0N4Qq62bNjiV4KgQVpwGTnIA0Rgmdaa1bTL+9+7oZ84H1xR0Q248Yd+2P1ZU5KaSysdoi3nlvotRYUq93HQeVjSLe1WUnoZ56EovP47tPuvLqIHmjPYq3V/EVLS6fD3+mXKZr/Q7sdlUjmGtYO5H0rV39C6Oq4Pwk9WJ4oRRKWwCp4KbxOujJ2ANqJl2QdJJA4WSle8+OML+SomelSDCjwt+s+T+0ZUhCY11Els1PtKO55ySU9N67m7wMIAy7aMwF6vbqyRajFDZN8ad7huhXDpwBGBMaEX5ajm2FseUj+h0EYbAm030FwduqZ9WlTMwp9KUx6dK2uOjckKgItBQfVXFoOo8dl4Al9PDktcmuytogI7o1OdzmJAcrb8BiPLLppmNsEgKR+5+poAsSA3Z0dcREiLbvKm10m7mXHGwRg84knZGSrsbHkD9I3ngeOM3JiPLGGCp4nYjBNzKP4jiygTEgEuZ2ueV9PikwlnM5qaDdByIH+0u3LAJubzN2XyI6TGugNRzdvKRIxtl5dSwRoIptiXInN81q6pw2i27YmzvR16tCTxXFRIcHjxpq5Q4KpVohbYhh4kHiWexbqJMpUPoLVEaw+m+Kh7gMvZlud67I6ldRIjDoy/LSdnsXcjpQFkNoF0ZKhX8=", //nolint:lll
+		},
+		signature,
+	)
+}
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/a b/internal/pkg/secureboot/measure/internal/pcr/testdata/a
new file mode 100644
index 000000000..5d308e1d0
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/a
@@ -0,0 +1 @@
+aaaa
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/b b/internal/pkg/secureboot/measure/internal/pcr/testdata/b
new file mode 100644
index 000000000..b43365601
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/b
@@ -0,0 +1 @@
+bbbb
diff --git a/internal/pkg/secureboot/measure/internal/pcr/testdata/c b/internal/pkg/secureboot/measure/internal/pcr/testdata/c
new file mode 100644
index 000000000..28924d0f9
--- /dev/null
+++ b/internal/pkg/secureboot/measure/internal/pcr/testdata/c
@@ -0,0 +1 @@
+cccc
diff --git a/internal/pkg/secureboot/measure/measure.go b/internal/pkg/secureboot/measure/measure.go
new file mode 100644
index 000000000..eb9fa5a20
--- /dev/null
+++ b/internal/pkg/secureboot/measure/measure.go
@@ -0,0 +1,86 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package measure contains Go implementation of 'systemd-measure' command.
+//
+// This implements TPM PCR emulation, UKI signature measurement, signing the measured values.
+package measure
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"os"
+
+	"github.com/google/go-tpm/tpm2"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure/internal/pcr"
+	talostpm2 "github.com/siderolabs/talos/internal/pkg/tpm2"
+)
+
+// SectionsData holds a map of Section to file path to the corresponding section.
+type SectionsData map[secureboot.Section]string
+
+func loadRSAKey(path string) (*rsa.PrivateKey, error) {
+	keyData, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	// convert private key to rsa.PrivateKey
+	rsaPrivateKeyBlock, _ := pem.Decode(keyData)
+	if rsaPrivateKeyBlock == nil {
+		return nil, err
+	}
+
+	rsaKey, err := x509.ParsePKCS1PrivateKey(rsaPrivateKeyBlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("parse private key failed: %v", err)
+	}
+
+	return rsaKey, nil
+}
+
+// GenerateSignedPCR generates the PCR signed data for a given set of UKI file sections.
+func GenerateSignedPCR(sectionsData SectionsData, rsaKeyPath string) (*talostpm2.PCRData, error) {
+	rsaKey, err := loadRSAKey(rsaKeyPath)
+	if err != nil {
+		return nil, err
+	}
+
+	data := &talostpm2.PCRData{}
+
+	for _, algo := range []struct {
+		alg            tpm2.TPMAlgID
+		bankDataSetter *[]talostpm2.BankData
+	}{
+		{
+			alg:            tpm2.TPMAlgSHA1,
+			bankDataSetter: &data.SHA1,
+		},
+		{
+			alg:            tpm2.TPMAlgSHA256,
+			bankDataSetter: &data.SHA256,
+		},
+		{
+			alg:            tpm2.TPMAlgSHA384,
+			bankDataSetter: &data.SHA384,
+		},
+		{
+			alg:            tpm2.TPMAlgSHA512,
+			bankDataSetter: &data.SHA512,
+		},
+	} {
+		bankData, err := pcr.CalculateBankData(secureboot.UKIPCR, algo.alg, sectionsData, rsaKey)
+		if err != nil {
+			return nil, err
+		}
+
+		*algo.bankDataSetter = bankData
+	}
+
+	return data, nil
+}
diff --git a/hack/ukify/measure/measure_test.go b/internal/pkg/secureboot/measure/measure_test.go
similarity index 72%
rename from hack/ukify/measure/measure_test.go
rename to internal/pkg/secureboot/measure/measure_test.go
index 331a84577..d52327acb 100644
--- a/hack/ukify/measure/measure_test.go
+++ b/internal/pkg/secureboot/measure/measure_test.go
@@ -16,20 +16,15 @@ import (
 	"strings"
 	"testing"
 
-	_ "embed"
-
-	"github.com/siderolabs/ukify/constants"
-	"github.com/siderolabs/ukify/measure"
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
 )
 
 const (
-	// ExpectedSignatureHex is output of `go test go test -v ./...` when systemd-measure binary is available
+	// ExpectedSignatureHex is output of `go test go test -v ./...` when systemd-measure binary is available.
 	ExpectedSignatureHex = "e5fbb57a24951ad4c1621c7b1aa3071d0220d71cb8b498ff7f68ef431d70ee82ab12e6355259253366c839e2ec3dbb92caedb3398f5ceb6aa973666317d4a7f7"
 )
 
-//go:embed testdata/pcr-signing-key.pem
-var pcrSigningKeyPEM []byte
-
 func TestMeasureMatchesExpectedOutput(t *testing.T) {
 	expectedSignatureHex := ExpectedSignatureHex
 
@@ -42,7 +37,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 	sectionsData := measure.SectionsData{}
 
 	// create temporary files with the ordered section name and data as the section name
-	for _, section := range constants.OrderedSections() {
+	for _, section := range secureboot.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
@@ -52,13 +47,7 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 		sectionsData[section] = sectionFile
 	}
 
-	signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem")
-
-	if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil {
-		t.Fatal(err)
-	}
-
-	pcrData, err := measure.GenerateSignedPCR(sectionsData, signingKey)
+	pcrData, err := measure.GenerateSignedPCR(sectionsData, "testdata/pcr-signing-key.pem")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -76,17 +65,12 @@ func TestMeasureMatchesExpectedOutput(t *testing.T) {
 }
 
 func getSignatureUsingSDMeasure(t *testing.T) string {
-	tmpDir, err := os.MkdirTemp("", "measure-testdata-gen")
-	if err != nil {
-		t.Error(err)
-	}
+	tmpDir := t.TempDir()
 
-	defer os.RemoveAll(tmpDir)
-
-	sdMeasureArgs := make([]string, len(constants.OrderedSections()))
+	sdMeasureArgs := make([]string, len(secureboot.OrderedSections()))
 
 	// create temporary files with the ordered section name and data as the section name
-	for i, section := range constants.OrderedSections() {
+	for i, section := range secureboot.OrderedSections() {
 		sectionFile := filepath.Join(tmpDir, string(section))
 
 		if err := os.WriteFile(sectionFile, []byte(section), 0o644); err != nil {
@@ -96,12 +80,6 @@ func getSignatureUsingSDMeasure(t *testing.T) string {
 		sdMeasureArgs[i] = fmt.Sprintf("--%s=%s", strings.TrimPrefix(string(section), "."), sectionFile)
 	}
 
-	signingKey := filepath.Join(tmpDir, "pcr-signing-key.pem")
-
-	if err := os.WriteFile(signingKey, pcrSigningKeyPEM, 0o644); err != nil {
-		t.Error(err)
-	}
-
 	var signature bytes.Buffer
 
 	sdCmd := exec.Command(
@@ -109,7 +87,7 @@ func getSignatureUsingSDMeasure(t *testing.T) string {
 		append([]string{
 			"sign",
 			"--private-key",
-			signingKey,
+			"testdata/pcr-signing-key.pem",
 			"--phase=enter-initrd:leave-initrd:enter-machined",
 			"--json=short",
 		},
diff --git a/hack/ukify/measure/testdata/pcr-signing-key.pem b/internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem
similarity index 100%
rename from hack/ukify/measure/testdata/pcr-signing-key.pem
rename to internal/pkg/secureboot/measure/testdata/pcr-signing-key.pem
diff --git a/internal/pkg/secureboot/pesign/pesign.go b/internal/pkg/secureboot/pesign/pesign.go
new file mode 100644
index 000000000..dd9e4de18
--- /dev/null
+++ b/internal/pkg/secureboot/pesign/pesign.go
@@ -0,0 +1,64 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package pesign implements the PE (portable executable) signing.
+package pesign
+
+import (
+	"crypto"
+	"crypto/x509"
+	"fmt"
+	"os"
+
+	"github.com/foxboron/go-uefi/efi"
+	siderox509 "github.com/siderolabs/crypto/x509"
+)
+
+// Signer sigs PE (portable executable) files.
+type Signer struct {
+	key  crypto.Signer
+	cert *x509.Certificate
+}
+
+// NewSigner creates a new Signer.
+func NewSigner(certFile, keyFile string) (*Signer, error) {
+	pem, err := siderox509.NewCertificateAndKeyFromFiles(certFile, keyFile)
+	if err != nil {
+		return nil, err
+	}
+
+	cert, err := pem.GetCert()
+	if err != nil {
+		return nil, err
+	}
+
+	key, err := pem.GetKey()
+	if err != nil {
+		return nil, err
+	}
+
+	if signer, ok := key.(crypto.Signer); ok {
+		return &Signer{
+			key:  signer,
+			cert: cert,
+		}, nil
+	}
+
+	return nil, fmt.Errorf("key is not a crypto.Signer")
+}
+
+// Sign signs the input file and writes the output to the output file.
+func (s *Signer) Sign(input, output string) error {
+	unsigned, err := os.ReadFile(input)
+	if err != nil {
+		return err
+	}
+
+	signed, err := efi.SignEFIExecutable(s.key, s.cert, unsigned)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(output, signed, 0o600)
+}
diff --git a/internal/pkg/secureboot/pesign/pesign_test.go b/internal/pkg/secureboot/pesign/pesign_test.go
new file mode 100644
index 000000000..ad8ad1b96
--- /dev/null
+++ b/internal/pkg/secureboot/pesign/pesign_test.go
@@ -0,0 +1,52 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package pesign_test
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/siderolabs/crypto/x509"
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+	"github.com/siderolabs/talos/pkg/machinery/config/generate/secrets"
+)
+
+func TestSign(t *testing.T) {
+	currentTime := time.Now()
+
+	opts := []x509.Option{
+		x509.RSA(true),
+		x509.Bits(2048),
+		x509.CommonName("test-sign"),
+		x509.NotAfter(currentTime.Add(secrets.CAValidityTime)),
+		x509.NotBefore(currentTime),
+		x509.Organization("test-sign"),
+	}
+
+	signingKey, err := x509.NewSelfSignedCertificateAuthority(opts...)
+	require.NoError(t, err)
+
+	tmpDir := t.TempDir()
+
+	require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "test-sign.key"), signingKey.KeyPEM, 0o600))
+	require.NoError(t, os.WriteFile(filepath.Join(tmpDir, "test-sign.crt"), signingKey.CrtPEM, 0o600))
+
+	signer, err := pesign.NewSigner(filepath.Join(tmpDir, "test-sign.crt"), filepath.Join(tmpDir, "test-sign.key"))
+	require.NoError(t, err)
+
+	require.NoError(t, signer.Sign("testdata/systemd-bootx64.efi", filepath.Join(tmpDir, "boot.efi")))
+
+	unsigned, err := os.Stat("testdata/systemd-bootx64.efi")
+	require.NoError(t, err)
+
+	signed, err := os.Stat(filepath.Join(tmpDir, "boot.efi"))
+	require.NoError(t, err)
+
+	require.Greater(t, signed.Size(), unsigned.Size())
+}
diff --git a/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi b/internal/pkg/secureboot/pesign/testdata/systemd-bootx64.efi
new file mode 100644
index 0000000000000000000000000000000000000000..216f5963d31e4f0f70afe60099ccc8d361311bb7
GIT binary patch
literal 80896
zcmeEvd3;nw)^>Lm(m=uu2oeRQ(MA(lOw>4u5bcHpZ$n2To4BJ$#B~_b4RK@%c3Qby
zufvSsHZHghugi!F0$~dY5J1I%3n(h!0@XAK3PJ#(zvrpCodlfs{k^~MukVj9O5b~{
zPMtb+>YP)jPSvejdZXk2`p=7!WhD;BosXnB=GMG@X9CdyN57=@Ne+kgi^H+4NTt?X
zgKH-5bDd6Jcn=u<oy0#U{*!<6a7|IS?Hpt9APY5Lns4l6Lbke91^=ht*-l6G|CIlK
znb$8kt}=+SY_lZjS6uCOBv85?jxqfv{`t<^gSR^zg@i-%uE6zh0zzHA4u`j&f^uXf
zBdyHlNiMFf{=5!HZNG{;@4x-7yT@M0bh3*)z3dNg-hO|sm^kh}hvQF#n_$CT{vY5f
z?zo-p*h#o58?N9#zyaHz$2t@*XWMXB`~hwt(ft3v|93f{N8-UV_3++o-AtW5(CN^P
zqwz9b53kOyuh-41V%x(-TdzX5K6r%<R6!uCivwD$n_jPOtcsUq>XBM)PObJ~t&#dB
zpu<J4vWzyjRw4=)&9xuvfuuk;jxC{-qQ+Z&tg+aWomZPz8?cH!Za%q@lY(mEWnPqb
z19`BAZe`qkw$o8_9t&FeuenG?(L!9r*)I@Ribpp`cwBn#E^UD{m?};(IlMZnUN@Tb
zBfBQJbfY0UB_2oftc=iEz?H3V-Jo#2Ok5kEcQ||_Mh*v^xu9Z&w-tT5k>U}T?3DFC
z&oV2ioA|4m?+o6jTjwl*A=8cTb!&>p<zIID_8-j+Pi*d}FMlJ$vE%9F-jC_VcLC#0
z&}iJ}$rQhQPO>|D2%d$kB~%{fXX)V$PQrj0ojsy+Be6D+3q8^DYf*Dvt=RWZmLB2B
zMuW3JWzZ`!Bp*`iNOO3vJ8yH|`V#(M8!sDAKGuu_*U|PU+73h)sAgZzW^Z{8IpNj0
zH{Ig9nSBHjHpX=W?GTG#Ep-!j<fU$`jkcQ!g9H-eA}iu>+$ej#-gmukly9Wp_yo+;
zjT6Il<1>lIxXcqkkGddcp({~$2Kjz7>>~RxjdT<>;vz<YfYO}ZrIEN6nFT%!TAMP!
z;j0?pIlt7{rA6K$Ys~Zg&b>@?Xw|fsC3*2d+KS5tc&iVGvUD>!;B3;3<f<vD4oC1@
zJzk54*qNwcGAo$-2<nW~hPL?Q4Y75oC-_dObGL78n!^Vi=!Bx-1baY%Y1My*p!nmf
zV>?kra6laSmm<H^nj9BH5-`^TrqnnR9gM4P4)BOvyOMN&d@aykPRe%qs;&gVR|3Yj
zwv8j!K|;1skiiUqO>zR9pg#fhyin#)t9U@Xs^Gj(o3#!HvUC#+EH%bKIC5jjC3!!x
zCj!O}c9!oJ->tse>dE@wd?WnE@4B(YW`3sl+wbvspfDCNqPjNtBR#S{NF4|myAHk@
zFm_YZT;liRq@6t!UY&Up5!R0!K1?^ScIibYr#l>zsCgHjiC(){_1gYa*=yNtz^!@D
zf~m%F-S}<37V4^7o!3;MUtl(LYhsnSi)=BHb#stQH_y;59YQ@66!fVZebX)Vz7bS1
z9ZGgX5io+70vZ9{K+J4Qkj=YX3J=NH+682kq)Fi!ugEC60A!p+GOU0n%eEjvw8rXk
zNq?dp;0aiFdUD0cf0M8QFcQp#E~Vsciw)JoQ#|eqLx-qIC>`)*ml`{ka4Z#{Z$$wJ
z%vN$ITQ3Afp^vEuxi!p({H_{;x~u=;a8L#6!BO$iF~!URy?1JOfV4uDq%FK!H@1Sg
zP_2#e=wr|*vupU+$sm5>!Sf=UgT2GYPK3N(?Zd;?sNZ8(@+SOqlJTeT$&;Z`v7r=>
zOB>Qof}zO7gR3D8_wm>j4G>C)qlQ1RLgWP7#OsW%v3~IlMq?}m4Bc#`MK*`dh5YU~
z2AE9T^x{n#Zi2Xp-pyXJ@`EWbEAhPAXy)HZFf4$XS}QpS*?_(I?I^*zWE_`G9|P#>
zTHQ+h4JdT2q>)8+W0SaHwgc8lhjd8;0)u%GoCMvdLn7!nM;bh1lOEo=T@N3<E|`w=
z8Nkt%gGG3UGhxF^P&I7$70-|u*l?fGxY$wUaFl~tHy2w&KGn@@Axa0zec_|7$rosg
zHi!4*>SH(Sg&TD3>P@;eFplA?E2^t2FYZ5ZOz=V)gu-<b_n^YUwZSt^$!v$rn2;6J
z`;A8CSp%Jc!rF=y-ADtXHoCJ8s4Ln?v(g4BX_TQfJ-#jhfJfxw5xKBp)sLb}pozz!
z4dSUL%Ed!2@wmFl6cKfkC8nqwx2RAz+2S5`;}y578(oZ6H)Y~lbu(H#@fG-DK2#}+
zWXe)-#v$_5J<PL1^y0m-{ibMl+>oGPC)n(bap8bY-^f-tYwPoBp@kUhB8Nk1OUd2X
zMX=p|<51o<z5gw)ikNPe!07DO%@k-suILWIt*#BF>hb#6ca&&3S^&2Ofq|+XjbERM
z-h$_l7!F{Q<X8&tqS!M=H*fZg*A0%;sdpACrO%>Z91eAddUxyu^}bc9w?X&9D#}fA
zI%4PP#upSGnt**B0dt#z8K+>bI1g%g=93tPr(frQ1q`L-?Ta1)6H1MS5@Vwt*%lgr
z!TF{piqZyfWg{3P?gt;xWuIf<)s6k)0hmEFZ4ETxRstgFCYAIa2((6cGJQ*^WPW2S
zO;YA{x)HsHdg6|cr0LAf+ec$DX$65+LJ1rqas<}bKz(aODh#nSJ}BxEM`&`5?S7*{
z?8WU851>(@5`ANBUhTm*btB}JCi-XH7>O>Jni(+e&uu7?j(B;o5gMa6luV!r5Z6eX
zGX)OCMA!%NISbY&6_C)MV{_T))#w}1YP3+J_q?g6jo$35>k_v1a}A9CwGE0}`M<|`
zDSE0c82$Df5(^<Y>^Hv1+vZ#3^cQ{`EQCn-jc-Z|e+nKLVix}d;e@|s7Ju8Mo0TqM
zg3#*PU<Zuq7jW42tt~z`j-hRJ?2{Xdjiy$l`9|bzh6C}NZk$Z`U|0M}NeX;KnsS$J
z(9K)?@PfOB1loP-V|QRQ{9a%DVMB5IoTZOl%M`Z`XA<K`gLr8j35E*PhW@Pl7%Tr@
za392Bu*;|muZvf2#@Ho294r47=6r)3keilQYm~sO$~>A<-3od#W%rA_;iLcrW(2}e
z!;a7k8)13sVjt^E>D=P4ibKNUL#k8Yr=?E7d<&g2jx2=8Bs9o(J$y8}Pf}TC?46JK
zEHq>wpmn3#^E4jObT%qr!71cjws-{s4}sP6<sIzWqG!MzMY#<u2Z<dGtooA23mx;;
z-#xLvzO?5}*F1T{o$yDEfM<+yz>S+dqjj^2Qgyv=B&C^S;OKaxB5w_trbU*~YwUlY
zC%fVaV80L8^A79Q91rbGEBr>#Q^u~z1j478g(20g8;^OY3>=*yb$gNUoM%20Km?3J
z`knw7h?^0fTv@AIR{4=EPlV=Rm+4LK%UNxa11;4ar7M_MyTp+KM|}xr+H5Ask#!nd
zpgSl7_55X+31bBP90g|<%trrD)~#h8_|1+Q7b~#xx1K<6*P$zsc_aHb;3?1-H#_cN
z^muyb<MqYOF1(fhG;9lnU;;%9oe0wTQ-DEE%A)vXH37)HU`8|u-s<r+(Hg0oH+u@g
zKRC6>txQGB3-nDwFRa(XgOI>>^yvn&hJdU*n22JJmlE&wuS}5SU(rkma&@A})fRPz
zYKYMWP@(}kDXyeK7;A~5EC4qi&mVZI&}cD&#Iai!kp*yn^fc{}H+c_SUR3_cLE@=w
zBfgaOPpf`hX0nygkxbuWQ0h?PW94rEaKKomWWl+IwXnOz&$U3JSkPIjk67>vt>JDl
zAJ^C&5TtGhQm}vWHe-?^ZELHU$`NVdGkT;`l=G)Zr=#dGTtr{sml$Dj#7#ER;kZWM
zB8Qu`fiPL(3JI`ZT!O1^DqVsi?!H7S;y1)KW3|+`Qw(Hc_`+<)Z+y-PjdZIycQsSr
zKw&Z#OxGdwt`)t>AS7gpVSmLPy1gwJn1pF(><12cm>qA^svY2409}(Q<uyp-v^`)P
zqc+2QLAga2%n7P%wdyZ{&$j|URe?glY2h`jfXpusU)5KuhUTlsfbp})h52Wpmt-Ps
z9spfNNs#^NHcBRlnZHTS>qbeXn1XxBYu^%>tm)wGZaQ#Aq{=St)~zx)VZ;-u)wSYP
zft(+%3m7|L9X1^g6mAG;gEs^$Z#*w<d<~)dfzucxLQ`<-Z85hVZb+h$gpE2T24i*z
z6WN}PaBB|_p^XG$8p6BsB>!*z8%l>)7qqtjavo_LLd;Cj(9}Xe(-2}@mcHc_%oLy<
zQy{MR(fL!B@FA>r7`C#Z-e_9MQC^Dn;zA!{OTve^n=m;Frl*2Ad=`eb%@*K|gS4Gq
z6n7w!CvIsZ4%R}Q>51{MB=0arFmf5nd7nqmTh9W}G7QzQodN4r&jK=&R+c|-cml8$
z_^G5dtde<;DUC^3M_iTpddxG=&Yy2z6|ToTTkYo^_Ep%|1NL<>u2jETd0pmNhpX82
z2?!zKy)Y-%O;D>x_G#5!@l+n3TGkI@12cNKM9<VBPvK4vuR(Amf7pJ~zhA5$u8LPb
z#5^lM1(h+q!!VT|8OwBXLbnnW{v5EXJ(4)9OKo3p^_zJ%@Z}QtF^{A;vR<q1B@?6>
z0}5CH%)NATj%No**R2U<;yR22lKkUxWLu^fi>hiR#2k-oH0onxLEjxsX!FGVlru6P
zgGwbEJvv~%YV$k5;Ys!hA}0a!Ej2iyZ=g1IFS&Iy(Mti?JaDhNPRe1mU2XpABd84l
z87Qqw{Q9%>6?%{_3-+>VoA)0ggCL`$1Eu6Mf@0;*L0PdvmFX#UTKu(jsVckFm}q*d
zQa7;F%vPncL~-j<L+n!HqhHElM%7iuQo~x6a*GbFOLewOO^D8GRq8lBpzf_oWs9w`
zR_*$3pK4cS^qy9wK4Pg|$b!bhy~iwByxh9fd|9g6Q-z+2=CvyLEDOG^3ZBOS;@;N9
z{$dxK$zsP&kPOwf2Uu*9ET&cOL`DGo&uv}wa=Ykk7F`L5Vf3*fEDMkTDL?&&?pJ_v
zLyu%M#R1;O2xtrf23|3)6nzdif~NL<h(jws|9RGmu@1#B_EwgOt_Kvmo<>D}W3@=L
zpXcLQjT65~8C_;8JH_Y+rdate|HhHu-;AxS3`Ta^3=Fs)S$IDw%#_n<lIc45X22-L
z++cUWD8Ya-(i@OrqWj&taSNvl&@e}NL&=!?9L@8E{(k`#;3E8$pG8NCfFeBO<`~HX
zi}Ks-#hq1FCJu2H8D1v!*%5>?DHRkA(KzS(QuCoLQr%&o$yqA!R$K$tW1dENwbPN$
zXS+6NcSQr9;CMj|Y|S=5kRW1y1#*m%GP>`5>Tz$`_1=qm`7j%Z#I5!NWkXzNKUDFd
zSU$k(5m(rE6GX0kH(p#|-;EL7?Yq&U6Yiqf7)mLDsd&hXi|>WJY*Uxd)#Vd)S*tE9
z)n&1|yo(FPa1E}KH)4nEc{Os;|G!B2|DYId2S>M4M!phEr&?wKY!(K;0VqSEsie1o
zU=;_F>;N410{)=CZ>CXK6X*%a7}&<BIh&64Ck%f3afzLWsaj(23lQdZ1>;dLM=|df
zUtlB$@tD_fI4gh@oVN$8yk$Mmz!QM0>y-u%eWFDsNXyMY8U?9@o-;Hh052Gdb)Tn9
z+^_mpixf&o5GsA3-gqhxKg5BjBW@25;=q$ekZ?T*o}v42i^+KzwT+fHM#FFAn^BcM
zcc@B_d?p73)a^F}1`hnU854QoUPCxFZCM~eKz0B$mH{XL&W)D($Gb878IL%y3@e<8
zI77`W4w6=W2aNmRTp=#epJ1uvY+mZScyD*}bREGHP>R_`!yq{ir|Uh2Y#5C>KjV;?
zIVcxmC&ht{nT|<Jz`T=S`Rjn4vi3eQVKUD`Feg(?*rfz#ym*jhj6s>P`G9@dhJ94Q
zb_Xo%e=}^Ug3XFP$PvTJ-vjrCs7JSe!?$b(KUaafqtYR>@=I;(IW6GXV%JXzO7^44
zpd>rmO<~Wm!H*#wgy(=5uUG`|hCv13I7AlnCDDB)?am<D9b=F;x}65!%0GBOHF||A
zdnt;5B`5+E!R8uw!1blk%~sKxL0+1H758(J7P|mg-nFq*DlENZjYxkT>0+!*)FStz
zMmXBV#-M`e3s5xV&$7#TRXMUz7bkv9H1uv(YYft(mndS(ZSal?9FCo5UnZ%wN}TYb
zP+AI8mLGlH#Oan+B4|?oLjIBoKsI`ab)Wly=m6C8SWD2ZK^R)@^JEP%rnsA;4II&|
z{3N@o*U?EFU>4W|-FWdA*=@sN2{GTqSOP7^B9O5P*sT1|;HF`Cxa}eG>!C6ZHT}?>
zSQ_T%n3zlm7-OMSQ#=#IrAUt62(00U3LILsg=Ro}A*>TrR7;|Vn~#uIzy!lFE%VuN
zEl6%Ko$Z+*I>C8}jUf3LaVm19vj}sSO)H8pKYD5VJtRe1sqe%>Fb)yB$x?UsKv_WY
z#-GqfFZ`-FG(ps2=*)}9P<Fd$*h6rrs)+mmYM+-uvi+hG4@Bt_57>7F!jR)UY$9xG
z_g>Pbb_}ED8LMeDTiH}Qp2gte=O;1k4=cOZhi1kq`USCbP7Dsxe)a$i*Y9eo6^u*4
zO#T@JFTntuw>dmL2mv{v%|R?XJT2(Jf@fjfR2KqB(Kk`;w03f49DR{8VorxcIVlTP
z387#XKot^xO5^mcxDTc>&elmcFV)Sd4&n66U}RzJQn{|y25iK@2uZ0xXk@BX1o6w=
zGI0<R-AHtck9ApS>5;9mer9PfvcB>{b9gYaxzb&@NqdazSK8lh!>>7LLSe}S?XlrZ
zd6A2>H*)y}6D_}SQU;y!_6^r(?5(7ln5iF~uV!20<>S?GHr`S$JFf7r!GgCuoXhem
zCuq24;@SMOTgUukodijQW8k8MPsBq>dHa0k;A~79t39tu{-pNtpc<|pn_gWX>qVTs
zS_X#v=3r=!@)>Xsr>0uE`QpTblDtDCPlgRpGMB5*@aR*&Ln@e^SdRu))efu6lRvPS
zy-w}&o72WG1_4#@<=lE<Lns9)W5k_hY!73E!EP%NdT@xxmLbK;x9ABO+o5Gsr%`7x
z&>UV{?Rg0xNJsD`Z!;pGz7Mdnh1qsV-acf$f;=a#FDoE>T7ibh;2~FR<v58S?|V)}
z+7S`U0{=>?f7Gh?z#i(>2a3_wGRb(6buAL%W|8~w5jf;$>6Y&#>&yg?TwI*WthkKs
zDwuIIhUHCr^un(zAlqy8oX>PwAm>XR6LHtX3>A{d*~;ROQv6^^5p-C^PJ}sVXMoaQ
zxVpma$GQjB42GB~J7gGlbvXzrtk<=HTN%6EqMLJ+XoTzA=!Ksl{P{I}0p$kde9daz
zsxpwn=IVu8D>~`M*LqGJDYR|`+is?t%@_%EJQn~!g4GqKS|gGXiLjj~EUXmPVHLBE
z%by@JTg<K{SC&ax6qj$Ol~^VP5@tUDp`nb5bCJ&GVEA9@0{a4(X-lECCOE~9ECgJ+
zWP)3_x+73m%Y*`(16p_k%5W?ySjmCv8fyUT7tp>TtK;;L>@iYyf>X_0dSM*7M2y;C
z{u*@(e@-JL6yZL2@VP_G^qpu>uzh($%5`qkTNm4%x7lxEaTshsZs8E~GOWAMl$w55
zxtZQk57#B>g-sP5%CU~yw%kY`3~CW=R_HqK<PAi6T?KItB+lB{_qaWqYsjmkIdO96
zW=Jf?MKpT=xLhrJPc{wnZKwF`J9s;CM7H_I5yys-0Pg{S3aRuS7*zlJ3%6ACEFaX6
zGR5r>AAcK<4{)AUTi$D1pKxuj@_|OmLtJy;tUEWC`x;U@(=$jp18!+*Np(D!uJo<@
z5+t~)H*3{@2ZQOdWd#Z`=x7h$hJGyVKh33uN8*mG%=Ims03anLfb@c2P0WDQHY}$4
z2DFkLOvuu6urB+3z=<X5?}QhcUs^aVE0iNH1d-&fSH?-d<5FhEu<gKUrC!I2R=iGh
z1ULwf2En<iWlEj3YH8nq8d8hmHLUF#3p&l({5fD3=)(#-ND|`HMT%f4;jS7*bU=B{
zUfl`)DH3HNE<~B>>%_AtR9g5zR;ag_@eQc7GFE;^G?Lg|q%?It5@gNrIo650?OM?K
z!7MdYl`;~gfLNBA$WoF9mbw(B5=JVr56h#_9-46x+lFNkC};kAyJ7J#%@ZdlqJH!`
zvndWTl8KOte5SgP{%qYE9WRZ*hJ7LXM#&cZPzX+3%({b}s?wxymlvlj6mx>yK-+cz
zg=CZbIkiMr;NK(yIja~L)ph53-MLE4_>k479y~`40PMMDyUxk*cw~ObOeg||POo>U
zH6qOksneYs<Sr!_5vwkf%vKGC%mlQ7P5y908-HOupk0j_?`n4-2b@p8O5e0!PgW))
z23Hr$1B&m)cbFg^SV)3o`{AwT#Z{K2Cy6hS<Exr>lOvdpe3w<}6cx)Ij_?VmZY`76
zUO(%wK4YVIpym*5!37RJi{W_iuZjx-)$g5&)NpM&9zwa1ebPV4#mYm?xyi_|^2h(k
zOHsF7n5E=*bU5OlXw@|+6Mc{c5pa&Yg&WQT&i)!s)?rBSOT<o{<#5BXnjIKCTMr*=
z7i@>$3@y?ZWyJ3&5Ivu0!p9~}9){m5C-=Z_Z>{>@unv>+aNka=PVXWiGNM?L1t|kp
z>EWh7X^$?2f<tJ3#5_SCn=(Upu8Z$L0mQ9uK;h_f%;t)JJ2;}VQF8JF^05sb1AO$#
z$7DRd2~bo_U?(1FdgVhB9x!utM9UJmQjvl+6G!yQM2ZV3`(R{bfwp*{$%^)1_TqFv
z@*fN^h+<M<<HQ>!WCkEFLyBE(dpsgCtgxix;aQ-JewD!687VUp57@y_{g8Uda1hU4
z!oJOv#RE`VuBtIO8odfbUKhMwUwmI{N<Jn0RKjCbhV*BXG|CTED_R9uIoNY3M4}c>
zZ{L#djE%L6&0WQ%N=c*yM_IiPK7sb|3|6qE9ShM26(W+Ph2La_s04oAN3fQ$?y?X7
zGFhvt-iaD9>R-K;n7N}2L&%TOGM2<V`D<WZ)``STla@f*q2R^h<t-e0+t5ry^SFbc
zK>RLkQ_*yk@f(9}aAR;*>}*j1@Vxc@hQV15G!=;FNT6#9L<0)RMdQIY(#dPKM8KO@
zOG;L=c57O8-eK`7E3hG=v9>B*PTpfbl*}qGlU~*|z^j%?Mp%8;fVZF@w5F^xy#-d;
z$?&lx?a?<;KHQX|RW~A=1wb$~T^iAq5DO|O9M@H>a5f&rckdETnK@7@x4=}Z&~sQ|
zL5Oxu)&d`JjwhFrg=+z?W~H3ujTg7wf(-;}5XNqVDz0<Nl{^)G78ip}&11A1C1tSC
zu7swx0{}=+w#05P62dl4kZUA;VLC>h#8~SQ|9V<2H=U31EkRYdvdp1H-iNCs<Ijv{
zW!y%`HvqFC>BTst6TMfWhmCHeG!_iCE`w*sDH)xff`Id9m`}&SSEbE_Ir3?9SHU^a
z{!!<1Zz?f94Psf4Yn5=g;vbba6#GuP9dHq3+NnIIJ2?g(gAe?jwt$>Mxd2?<F&t3H
zyP;N!0|P{PxDcFz?GL4vH#pshcvgF=91aJEXusTiCKm-z8udBBVPYChdq^m{j9YP)
zJ<QQ|OaNWOju$Rjs{&iG;4kd~qcGE$OFpdnK1E+8QnU{@>unp!ohp{gy^@2TLZUB8
zSa(t_D=J(UykD<@DDn?RzcF|#iC~qix(Zi@jUo}0v`I|}pQKMrc!wEwSJZR`JgpjQ
ztddtd;96K$F(`UHyGyk<fuyCytsC17NE1XSNR4hrNTdeijzeGd{durm6ED?^lu^Ey
z1Hxoj{tQ@ih$_r?xXGne*Hdi6O&BKrio57iMl@<5Xz_#ir#l;wcc%8}t4y}KJiQmd
zV^bbRI>(BpX_K*`sHuncNHy}KT&+Shx(Wt*dK^0d9%+Mw=-n&|A~<doqH&W4@F@jP
z)g<X0K5?M9g$>6&2b2NGiRRh`Ic7xBq-YO2fj0XSG;(rB!qWg(;3?{m*~+B<n`19B
zY3qMxyMFkc?V1cU_JA_6yB^-tl_N{ILFT<^w>g@|hRclyxnyKvqgH(lg%I5Q6ZY>V
zlee8@a#xZ(qmHeS&!5QWJq|~zdY(n9@0Qr_#BDRW*9a$P35~(KK}L!!y`Iqh0nLD=
zQW##T%ux@Kz^+wNGzzGUP|=5PVBbNmW|GdZKy)TiOz1i52$d-RBZD-6lol*mA=NQ`
zC35V{n^NL%b8C%^CofY_MpQhz6>+3>r<W`D9VsqxY{$;I$0gR&3XNl-k4l}5!2#ui
zfcd05bg6FHMhSW-Nie<?cL45m)R-<QVuD{Z7dee;tvU;}O0bh|t-3u)XoWRBQG1|p
z4IB$B6xgj&ZEXRKie<3BQMnP+W<(-WG%)8~ltn8726!zhdL+2ik<+z(2{K)>E3lM_
z$zuTHOW~f1&gDKcIFd8Pa-R__#m%Z1w(!;ma_ZqS2b^o7n6AKZd=_xl2S*dpEnrb;
zb9?Q^EJe@2N`5J>;4pC-6N2spIoSW$%u;T&NC$MRkwJpQFmP(82hWuyPr8F$PAj?j
zOP0je;N(Or0*O`xO5`MUx1RGYCIiLyQ&9iGZKhnK#%4mvC-QqL?)~6aM}NGwe2@t-
zDIa7Mmz<34(c_;)m!V1EsBXkC1w|gXz**m#=wRZ4bdSd{#_><2d?n+n5o}?CfXf*J
zmg|mfOy~xOQ@g<UvS=osNXp43uIn@g+SX!cb`k`19}?Jm>@;-C2+-p*M%eU}B8b%9
zA74lFDuoj3XS`xu#X5_lG=e!UHqyz83iQG?6VLa<ot|_KhbzLtKXdrQd)jdfkV^Uu
z5*X639fgGMtwFMGjdZf<g>yW$c+{$ggEGk}kQKQ9B*+Tf4<>&S+ao!KN}=au_DGh7
z2RNoeV~fWmbUc>ohcoQLj>~8oam68jijG)}p%;h+9SgDZ6R-deWSRJ!4|3GzSj*|$
zY+R*>BtDu?>Whu<^VUb#!>?d%m5JJ-uN;ZTrAS7f!5t=WUBGp?DA#|*xo5GdyUj9J
z!1QMMM)<TvtF%QMe5<0FWvljNVqRJf>qkta0sG)@lYZ|Q)PW!r;$(UIWN3l(6M|Qg
zUW|B~0C~J(+yRESB%j4Ipp?c-I!=kEJ=b3)N=PKKr1<Cx{CxK}=Gf|hoYBCIr6((2
zzOT`0dt$ZBYP~(N+A{{gB5fWU$v}Mmzu^&xbH)NAq~&SU;Rt5YGvO_=-$J&WiXXcJ
z&q$|Wa4i5%dQ0ZF$h7e-B)(51aB5u#?(7EOawG<<UXwN=SX&0y8QcUT#p?>}p9!!<
z0MpGfY|Is=%Bo6aEkTx9=58)}FY<-^-;%}^$YWp$!EP}e>2MwUT#O4s34Pn6N)W)}
z;qMV-TopbBzj=>eEB;(I>wMxlIG3G-w`cM{031RVTJaY$H<h{X!#t?m_fO5;eLKlb
z{U$>S4l_Xo0|PR!>@v$zVC7`@#n+eN_5fH~7J!UW+347+VN1LSJR*4$-qINDyMe1P
zyD$v;%uyb0)W3`y^)s*sncMSTMIGEfpFdevhW3s{S#GVD{U~X^4k;*{{fELE6NO(&
z6uux)cxxi1GgAEKC~Q7aJ^XDV<M<evQIN>knaKEFWq1=AKP58Os|+j=D^$@$#sXwO
z81DX<J=6CdToAA*vst_YP|fUr1dzzP&dy_<&3X5zykU0U_pS4;QF%Anc|WwyyF}#;
zxAT5X<kcdqawhZ4!6U*=NkPx#&fsbs*;o(3OAPs2a2x9qZb}a2;ORn`3E2}TkPP*Y
zi?1+S0qe#rPLe)#U8pDa?^+qVzDMLlLmCS8`;3>OD{&Fq@4`LZp1NQ+>FN~Lh43y=
zetRNjhmtZ`Lsw~$(ASeugUmWFkupxzX)i1Q6$|!E<X(+j@g~L?|FXY7aDCgW?%&*z
z(lryr`1{|AY5X+anQbVweGrsSjJx*K!YqXttPkE0FkbcOPEtNcT^B!|*x8HK5SqaW
z%*DC~mwzo~bmFt0b|4Y)EX*WAT^Qq|)YHm&aTVKP-TdY?a5w5fvPmXFgSoNq@3#`!
zNIXmXWFSjSRcV<CSz@9T_B&-p$i;=N9$1^o6wgABusazGT-Y6tmrEq17@!bfYoQXx
zi3tSfs|--7G9E}|v{M<`iHv&^8Nb{@`sS$VmtE?PMCRu*b7ZqN+?vQ(ij06c6>GVD
zZ$ld20z2D}mpy=>6E^U%F^B`Y#1nvv?E>-5dQ*}>QK@iaGObAUB{Dc~4_HN6@VE8w
z)bY6Q+Zp%R2?++|0t(hn*|U5=hNlMYtczrpuCmTXmN}A(cz&~V0>vnS-XZI?s?eXZ
zPt1{($mUE^{B$#UVa+@>>pW&{K$htDu^Ow{<>-_&;aLlxterRqmuMxYHyFM+qKNiP
zxf*vIyQ@TLJ`h{^zih!pzJM4)Bs+DYOIq6FOl`KaWhs7R)cDxM#UP@JYifRj>v;88
zV}r3+CYScaiOUj*f_;GZOJIPgy-4yQzZm%u-hmdcmmwoYd_HhSG3{~q3vV5RY2v;{
z09vU5Xcllb0>eULK&OeDfFo8T=Kjm!z`K|iLA@8RqaVOPm3VXmT?<Bw5WGs%w7?m~
z01kXbdjToN0w!9|Eo1OcTzH)*U>uQ49^sGR9U|z&{T?%pJE|Ox(6B@ZEatP9`_PP7
z5&&c+c6{tTXDm-8*g>-&u~Ha2mrhCy-isYblMpeiPm$7hos85?sJK8kvDsHQzT)!O
z1U=^{oP9<%vSP)}1?h|dDoZasUQrOk7I)mk0bCAaqL4|*ZFKm6>1M7N2HHcp1D**W
z`Xw~o8ACX03ib+b3?D|t$GzIz2Cw_1cb1A2YsE)rJtkK@w33b9nJRInO5r-qEvPA0
zX5)fZ-3R_+R|MEROW_BFpd^6zSX~LIS#xB~5_qP9B5khdZ{OQpqykY}b@MrUB{`Xs
z6iO9WH-bLccI-`3-d4*yAaYAHdzMZZ<Ra97ORM)mY=>*#KWOeoAsA-wNrSB}lM<Ui
zsSshM5iY32(ejqbf9J-9+U9K*PXKc)RrGj5jrzd<DoAF0c^j^90umJfaX%mqUPXuE
zu9g;HRuFj%povB(LRy+&b!od=<<fPG-O^H0LaMN+Y<)`^@IwOUo(2q6dcD4-s{g>K
z)qh7Fp8t*(8?VSiqt)u&t<M7;dW9-1)~-?(1!e+UC+r6YAKu~vL@rl+_A&~9OXHD@
zO&r%_Q(Ev$5x5=dyiLgs#CKoxV;Cn$(<@}mjMbF@ZoRofH-1tZ^?f6*AH^LEE{LRV
zblC)Kuv1CA7$u9TmjlP>hLwdVmTsiJA+raL#_dzM6}OB*t=RQeWY8n1M`c(o#uNhO
ztmW%aW=VI{A26%}+;hXF<;6|Fn5*L=enqeOjkRJNt}w!~j>RwKb-U?~xp>vanp?oI
zj}hS|U`2>RU;Ox0_B%P)WJhPjh<FKQrfQ(a9<!yr)vX8#06;b`R)kgJsR?}1B5pR<
zR5;CrOhXjeE!x4#2F&HGs^(x@-oGu2SsA(C$T3d^!my8Ne!%z@0=Wi~<zLn;=}TMQ
zqrx8Nh#PpYt8_kglr9iGpGK8d$<y3TH|}W&(mRw&yaytM6X3VZLlGB>h$_yH%+zA+
ztOLNRk7%ijO|M%`EsBj*CEB7|Oy<OkqljYaOo?+Qm&>jE*%Dtw?n^dqnJq3=$c{KA
zvYgFC)_M+elf<#S5^Ust{QOC>d>v?+FUfz6IiRjeL?35u%g0N|ns^UM{`~+C7_Tu=
zH=gHyKJfykumNKau`M6XbSr<Hf|5_h^J570Phj(7vyT{c9}pRl1*nZJKn&n~6x0DD
z>2cJ_3iyl)%2;%aB7`Nx6DwH3a?&auRrhSVc!>Ar^HOTK>F?K9N$x_*AK$FdEu_8s
z8g#WSHh^V`%9oIhs?P$koi>r628@mMH&H@YN8js)6mu>M>*hj*b9ol4={kTpQn(;2
zD(86#XGAgqP-?F~He%$h$wYtx_yx_QRrGg^$>JG|zHqYNWp+nq^L>}@op56=&qjH?
zu9XE9;;g(Dx`on%VSf(3sZ1|lgNe)p7%sDUvE-B95ZQqzN0r0T5ZQ}6{2y<K9I)@!
zMzZkiTpKw{UC!pEA<`Wes0I5X8@IUR;v&-iNvaS`ACp3bSjg%iZ&uN*XhzK|NQ8ZO
z8i}B-gKAkJFNQUbiH60lK@;himSQVcwTs9tm21sq$$)VZJ_Cp+sMxy#`KYjZe=;k4
zO`@^#U-*=Auv;ucHfI4)C*~^b`7`a@7i4ZQU9}rE#bdXFu%MkiU1hh!yWMli808f}
zE+|V}aaVFEh7FM~;B-XSGDn8rG1IBg)I2&5=%W2Vo*~(5%3mWQ02=Kno0nf;*O;+F
z3fyp;RGz`$4fT@yGp+n?Hqdi}*f!4JGm%1OZ;}RTc@r>-IZGvN;>G3UXM}0drT77O
zI~&2jkOi^s*UXTG>|(NOtdT(d(?->i)zgV!0xPick0Oy^<$pjx;b6{r%?Q3uAh?nU
zE>;K**$8_50RhE|2zJ7|R*m~If#AdmAo!UB7+ho<!H>&MZvt1>h+tkbf(;1-%ZT7@
zh2R?-!7B=Z4~nXUVqrHR;LA(KTn8u?qk#vRyr-(et;=7CvKXx7svzX4N^H7b67{)_
z^IC~htA6ejVOwwK=BXMrr8}U;5j`J-0q@C=6<f7aARsV~s8c~aX5-k0&PC7JIH-To
z?Y~PL6K#l(6hsDIsg*h!U5R|f(BS}yzK$}ea*7T9oCMdZpCOc)(2slV+-V9~J2}aZ
z&QL{7%mv8k+f`=TVh~yty9-DQ?P6Caa!{ZuR!Rr?k4kgS)lz8?6;;N(2<)Fe$*o8|
z^a-eJ<}+;TT^M(whmNy{q`ip>-djaOma{nvX{<y}J+pa!OQ?e>?Uz!r*g5**4j_fp
zV44){08;Bv0nlawErK)p3W<dp$(HS?Yev++#ifIdbpxQ;4dkf4tF=#8vOpYq6q|h_
zZZyUDpK6`1YJC<#VH+D9m)VrCmM|u4_A+D}CG$_ieFq&MwhbJUWt7PUA{Q}Ob7?9A
zR%m96i{W3{>|$8?&wy2QCh(H`JaK52LUyj*99mRk+)Qw0q6C{dTV$gx!0I4Y&e8H`
zE^Y0;wBTmJfR%q+qTtiSZ7OSY`IYjXNW?|zo@9!1)qN)KJE?nGs(^7=G}NLs=5kf<
z;h7PdNbw#LXGYG$?Gedd<T`@AKprt*M6bjJ4XXl~KY@MlF_<DUNQ$+5CQyr~K1689
z<N-EvtVH-l9KkePC0Uu|A$ClvOtA%#cIM>O)~t2`hw^VQFy+hPUWqKnr@b^QN-_eL
z(x1igx-*vTy5Ww2Aa8+0OHtXWFMeg%d!ZA5{>wyk?gDWY$8y{Fz`mry^u#WQzaUH4
zR9p}G667jS4C)F*<jb`H<;v__PPm1Qtjv_IG(5)fo6+dIF~P{Ity)g|%vQ+ZQ8fn3
zE6@mdj!8{a0y)I;mDwfd+3&BTPq(1U?f2GoqjY}jx6n%$$aj-@j*=VgplZY$<<5Bw
zNSK~E0{!J+tc4$u)yUx*^VDWbu$(O&Vh-3Laxgjrg=~3(6$2sVG|YMHeM@d9HY>FN
z#9+7P4&6#MaU0+}!Mc&+N%YwPm`~i>XhIoc0}{9;b0S4yIUa1M0dJNDcs!5tpQnES
z$IBd-6)@#<z*xw7aUmjXw39o+&c)DKlSWCf@<*-UrRW4M(Yp_0&!XaPD4j7?Ad6zU
z1|MvRV>X;<I9-+{NwV^H*1(7R2|YqJh8!mPn)Qhp+=PU5#Jf}9TZntK%(rARd1ri0
zOJilkP#%2PfD7Xb*zBXczV+faSlp`R-Pp<WRx>)S1S<@Ee8SiL=lgiJQrl63Db<M1
zVB4_V@s!#TiM}NjipL6f3r{&d;5|8%k^W@r*#PG2Q7+K2SJDAI1Xl`V%Wb(NheNs}
zI8ltBD}zOMw|bRtv!ti!S76}V6xS>!c||=)9!~MN3Xk$VJQ!oPoJ$>e0mw@I2*pZ`
zK8YUpW5-ISAI%u=Z@_kHR2LWXq2=M_-C4C({a;W{zN4{_VlU=~xXUP2i#$S|wdP7)
zz>C?k8QaA+2rW85i`<251QpZQ5lRXn7)@ZTbv3K>+JN!Al9T6U?<xmgd~5eE-sDgv
z(WCGSmuHfIF7H7&xFlJQ?LT-mi~4uii&wL%f52TU_Ph^3879SqH-QMR31Yz7rjw}r
z2z+L~zPS3-+~q2_+Rnv>Pep_(`yz5}w!+whEt0LJ2BKh6j!KPbnZAa>1*sqg+ruP3
z5p1j!BNpQ22I);;b5*#>Ir&cs#60H3%3ryJL}7(@Mxk6k!0Q-(b5f=12EKEGH#0;R
za6iF_^moAs$$rIH;a&m(2rq90mmDD+C6>Q=EudE>M(rryWI?zBd-D6gMxcsrpkN(t
zxEUNO&Mj|M6e4GR>>E^w7X-wy1$b5-Iv52`2Kv7(%l2<6D_HPq7R2IzGe)G!wSWx9
z*<Bd?4!(*vIQ;Q7v1NWMg)g~Wy8-6F!kizZUQPM2itYu){=&6dWE5ycL*1Ybkwy43
zG^(w~_h%PV%zt8F@sFeYIn#;Fp5G?I0%F@c#A%Uy-ST16&W;0m&T0luu+bdtJ@^Lf
zr_5F6-(UE7h5s7tZ1;z!xg7FPzbWfMvMWuJJV$m|(RwUxNB@Nr8xTj%9Jn^+e7tWJ
z4<-A}E5$O{G4K_^WmoJ~Y~rQKw0bQ@0a1Xy!jvk4_a$kyPpS3Gijsj<11@!h3a>E-
z90AHpoqqFLHy2he^qbea7^d6>vJGkMMaE#FkgW0>SG&Zaf3w!Lco{EIV;O5)iw<Iq
z;M@PQMyzA}=NkW6a%zna|DnduSEI%evc}MmKz})?R`^t_@@*NB%|HteU>O6gvYX>K
zHPQbx{O8&DKZLcHQ(2{I0b{RjJx>7^KR~$<s>o*77I6};MP5NWtCrK*ao~gtb73a#
zur_8cq)%ikt9X;;WC0wGV??$}ag#IoDCS@&Pru0#^dt~riAc&1hB?-YKzdGV)bzd*
zsLPsBhq__^kld}r^_$MM;lCC*gFoxxzm9i=IQ?a<v2zf^3ojSA#h5&oNuhQPa(dg2
z9cHUFjv@Fx9xtBtwi|SnRPPI2Z<h%TwM76U%!+xi%?SK001|P-nJ5kW*-u-fd;@c#
zY^6QO4C5H07|=FBO0sVuc7DTkHX;t7fOx7BD!ON;G$Nx68K^%vqD3h=KbeX`C}`z(
zU5IL11$W`AJyA`mk#R_yNAO~ZN1Ti03@r6vUE#-Q4ef#XJk#;|Uux)LdmIYFz*bbE
zpcgsv1UccFKofws3?bEF6pId%Jv(STQZPRWKjd|U(&CNL{zyiMkp*EzxH&~dZj8v&
zNW#-Rb(xO~nnt!I-n1P6&8aC(1xZ*)XOpa=2fsv3i?H?*eh7<Vmh^M9neRwF9$txs
zHm&+)`Cvi}!Fn7W@ee+Sm(Ij9#?xv%VPtGr#nFe<{49nH#62QSay0cV;iMIW%myLS
z=t9-;woJe{>Wf29*jz4-ftPMltgJts{&AdaFuSMBwnyFfS+5*f4qVDoDhyQf4|{nx
zV9Ib2B$^G^O`nc8^XKa|%?q~1$OWj%flQovBxi;}9E@iYtD0w~vL&^mEk?%ZzgU-P
za}-OI7!u-TScj9~x;eZOfH(U{&s2nE!PU<1<3aTV_Xf9^c%uZ9tUag5&^+<ggGB$3
z7Y0!L2+_qf{!BiLAO4HlXd?<3_X6UG*n>oyJt7(20312?xY&&JST{nfYXz|r<0+ia
zXP9IyC-cRB@m|W&1-Oh?V}Pq3GVvtE6p>$2Zx!X$qUo>5_dIdN)^hR+jceT&>cn;L
z0r*s%Xe--;*D9CG30+6oB(=6;o1D-Y(0!ULM`&=u92LnoF_+V#iSN)Z=*}(j%*v@x
z+bc26;c;;Blq%=NE^I{?I-zAIei|SM-tli(@$yQtTxyS4g53eQr`RD%+6H}n@J-3}
z(MSRF$M9k*1x$jpm=EQ0cwIPNW%D9tm}FT#-?_Hq4Ag8dVW9xTAf7opq1ZAwoS{G=
zIj>`2fJQ_IK_j8j#3!qtpzv4XlF-~?5Xzb_T(Yh`@A6W#n{$m5QE6C`F+d>l6EG`A
z%LwU{c#x>76snoH$QRt^$^>e06P3zPkp?coqY=*nqg>H7u0&WHBgh6M8i~Xp61h^k
z51b(uD6now2}DCFi0XA_t~t6(%{EfGEsKH&CDskgg*z>BA*$tqkD7IwvOE{iq&qJ6
z+RLc77#{|CRQ_*Tsh~OD#c((VDdjwGeVrYowBQ$vs<>w@q88~<?3;o{zdaubrOuxw
z!atRBerO@p?dmt0i=syfG{oxcM$={z!97*7_F#wD7=1BxgMU@A5rO2_Bs!e5*8?8k
za`a?Pd!;%f7syU2N5CUGUP#=Ttl8KrE@?&O&{kBQjr7>PP|kS(M9qX3sS;S;+bv7v
zWVR~0{WX-ZV;G;Qdv=Lv;JsoFy6!Nd9uTvu27xB}N&fI!toAZ`Xb#05iuJ*ZIQ7nV
zL7pfqGUzF+0c?njA=n)){vxr;PFK78?5Z)cOK~zH6jj(s@(yz#UQm`|Eb?1Xm!qi5
zlE4ec@M6s!O{ky$j7pU;J{xA$3#vva;vdFXLLEtiL?cJ;3F(O@x)qY~ES-FAbLlpO
ziPZvtwZnVhTu}`~a3SUq`X|US@V5hgRizfeX|X__nz5V9kBD|OFCnUd0%Iz>-HsHX
zY>YEr`=mV;0!b_?8l@OrEVd~zx@eK_z<R_{$s>ji+6K(AWw;6AwLgWIGukl);<Go&
zMA-`rM(j2Q=8ALusHxfVN}uFu_#{~U%Rl-Svzmi>M#(%8e@M2YWEVPgGj$b=P{ho}
zQW5zmE=BjsHw9lpg3dTC|EloHacB}el;qF^n<@@x3!etf_S%eD=@nf@pp5FKE`h=w
z!D5h+4qiaWzV^aol$z29fxmK*-4MHe$XW70uWojE?<c%1$B>YCqrW61h@&8eB4;?}
zRJ%d1l^@02Nti$fDD<Q3v)^fZU?uGN`Ev47eEl*7NOrW?$a`f%#cry$wVd)LK9uQ_
z2NZa`f1P?ENtnF@t+vHTwCy2D31Mdld_{W|=JVeqMy~AUZ4(bD{Of>I@Be%wE)_gW
zdOP=L&%&@8`(9kEK$=+X`Rbkno#?9W<%rl`-OHga{*tV~OZdw`vgqO?NhOQ1CSU&p
zwkf2F#Z0lrt>byqx89aGa9W)opiZomM}~6tdHV|3qF2}`?CpUO!T|9TE<Aqbb9iww
zU{yqzR~5{A3T7RINR0Ag<I_M715J6`qR#-J*!*j@@f#+#k8-Q^o*`DsRes|HCVcag
zL*JD24|+TmUlbb${8n+qG0^OeT_J-y19D=j4>Psx0cWgyM*m6ohJMi&RV3-o14QzZ
zIVdGkTlpP&ny;WB<uh4|tKdafk{T@Je~~SN1xw`HTUOD9NEYv32sd-laK5$|ns=jp
zZfD}??ZlBi_E9qTqCn04s)dbIaI0uLE+TjpR@y!@4)}~ix-}f{X4Fl@`OH|@<IBk>
zK<s_xAsoN+iMD8H5?YBJ^BcHW_YICOu1Ko*0^6V0)}#O}H?v#8dY9-U2@T5je$8y0
z-%-r4)P8eBeTra^0;5;3`IvAV63%n=e9cF^ZUR{~h(xo$E>M)_lhO^4bmKFSV*DbB
z9TdQ8As}{J?7n7VAGkNP9~{BEx!~iviXVJcQz0(Bb*m!4m&Rs;Vd%?`$wWR+ynxKD
z(-sZV@ls0Y1HW?(N?_B++2-)>eyh~!8x7KL0`2ll^XR`Iku7|-DaWx71yG)gb`lrf
zIEJd)JlEKg?^H`}reQ?f0~g^yOY|8hQ!>$gk6>?wW5!hz$K6$qQ<=5MA%KUccgA6y
zd*odf9GD&QuDe5vU`pb^8R&&qr)UubRUGE^*cSQ@5fxjn|GuBvopBbbPz)C@fnGY>
z@D{57N$@f%L{baDmmKm8xiMgxU8V-}PCMydo#BTia$btC&YR)Crl*BQh5wpT7AiA`
zxpb?zizB?l85*RogcLdOue0v_tlXS4h!mBFk4>GNjbHENj`-~xbX!9j%fm<8PCg^n
z#Tv5GZ#4No6L^oLYNs<qnVUMZa~n>d!%Y{2YVb0g2fgDnM|Q`dsptWaCoUwp5T4Dd
zAr-KPHq{v|4OwU>{c>CZzZR}ccZOcXj_dF-=cK0&*EvJ~FuhPUG2a=QxoHn-Dm#e|
zF-PES@!nnT*e(ss^+iYuCk}zE$3gZmvg?Ku3bAO;(y*s2n;Xk=dGrkSKF34-5CIGQ
z39nLwG`wyRx~<f}iT>+D*T;qij4e#L(@wcL`V{!ZS2DVxh_02ajrn!s070%qiC{m#
z#V%u6XvJo{k{iLX#yH0pa6OTLn+<+r9n3y3+#G99n0%BcjL}dU*%nOp8~w4}A($M%
z2{`ZzQ?TvtQjCs{7=}+AXt<7)rp9p0^bwRpv_w$>r0@_}LGdOai+x};;!GBtD-&-s
zxr06y(v|wkH)K^xQ@t0bB%D#bIjHgA_hHrRL)R>(9jLE5<_vabCVmcw3Xzd7Um<6K
z&_y`Z_yV2>-&T&V$UMheb<&APIQkAec4+&H_ThTV=d9-{s-xbzzHu=Wgu>KzQXk`3
z`1|eQJw800HR;^)aQxO_*5vf?{=T?%YERb2(r`0Peewf>SuYRlM8{C-A6^1w%m6Bw
zm0#iWK^db9)G%;}+~@(ATL~jA6wU-vFo$pv*Iog5oVF^>#%?kEJlZ>&G%AWwFZLpV
z@nQ5l<cepOoFlh{ok9Q|%^FO2NWfnd^6{q=u!b<*6ilgtslY{SEIfsP%{@;e;PUhT
z7X)xmVd5hJ2Np>V?0)Ao4)h@mEI5h$Siu~{MU;{N`Qq>iF#@&QtYG6y_z20BEq8t!
z>xH+nD^l|I#k%9gZEnUOtH2cJw_uo91!w^8u#f&eg+ouFrkVk&@@rM)gHI>0f-ulc
z64+b8jK)R0RnS7<`|eW+e3g&?YXW1Z6DWtL>mVH;tRkLx5Hb3rl$gsw!aStK`eNv%
zFyJl39Ox5HkvWDVQKn3sew%K5Dn3Q^7~b!MF7q(fugZ%}XL$)U*MrfqNt_MKg?W8f
zJ-jL@_5+fRiZqpkfWX=$Kz9K2`p{3&51jJ##inV&j(Dx@=(JEzsT$F@RQl0rL3!%a
z^LQjOS=#JaZnojq3EGx}16`rhsl3^OAAH#Whb~1QU}>6XS9!RpZzwbNhP*CpMiDN&
z6*xjT<+th9&<ly=SUWyz)epjv!z<4H0D@y<!cF}`U8Cb<T2ntQav$yzCCbgS0Avlv
z7yw=F5Ecl<e}ockC#A;5@zzX68WSete4qNH7?|~2Iga{omAWP=whv~n@GEUD)J-q^
z8I8bp*2hv%kM_5H816tzZV2VU%tPhjD|5BTZAc|AVh32mj_qLq`_XikT}doa$tfAA
zXAcgJ_Zyhff9lWq*q`$oLSO+yuxmFp!2{B@Ya7L(bJ?}p%m}K`A`jrVv~aKX*d#ta
z-T}YS8}WnAYMO@A3Hf{zesIo}{GbUA_OyB}{mS7OIoxkzRnWjk84@oDjZYEo%i-uF
zoo0TUuK7R1N&?PCCJ4VKaV@@9vDYobZf^N1g&_}$Dpf^r5}fA$LPD?rgL4WBa(9ue
z4TWWNRU+hhRd!vcg4<tH;92nNn@@oZ?;Vf0X5m&EA?)M!qmStMjAo1z+rbm=&$<tw
zs(qEJYPg5Rt#}El>deQqs^}{eM^fMSaFrj3IjBW&_?AOoaarhvZ||7=^k8`W00{6j
zE1pu78?aKJ2e53^ipM(t7U}wWuQ!-8IzC&*N!1G_!F0^-0!Hdz02}KA&uo06kf~=9
zXS}RZF|1CPgAC}vPM5miI_P*G!m{3#%~Z5hW#O<W5Ruu856cZzPqP_V;~hgv#^YF|
z?B)~WgY6j?E!wfgCS(h4RG0kEgscbA?-RB#^;KN3l^e^C`7hyiZR*STbzVmj(IaRm
zMl4Vd%G|@iCUh#Ju;JARvE?sh7*ftj?M>Wxhaig`<puts#1Bh=?LDb~;=PIgadMgI
z&GfC{&`UrafEOu19K|BDI4x#YnLISyx43H40T-#MVVOW-Jx=20mzv!2mCn+8Yum-k
zaJ0y3w>>%LYUKdXg?VvZ9x>HNzhbAW_OKw@1h>xVSkedS@!7bOxuph9GyFwjVmGLk
zj!`_2@FWWUSjnjcryxy=MVzOf=kp|tSeP$UKoaC@3R6~lL+9(^<9L7eVj8O%$Jrw7
zkwVrxBgTj5nanU#-SEEYab2w2f~1I0!bIx|nBTup)A23`aibflKk{Pcf6EJ&M<=tV
zJm@vaMzTqM8o>A^K8l~~z$2Adi>v`N>5tN-c(Aw87~YW{OqD0Z9Ind^CWqJM9<Hkm
zCZ*R_eV<ITI|aUS2+7IXBH-5+1w0q%t9H2Y?tZ4;c0;Tjn^T671lG8e;avPx$(I_~
z<)=y`TH<H80f-0>wiYKKX+~Pn8S1GmDrR*fWOb+t@rx8stew8JlU)bJ00v<_zQuyB
zQ4E_PTZ%py?eAT}$$X5G5MDk0v>B}W=Eezq<&($%`dwqyb@vSCp@=KK`>%nszd65P
z2$8{nzV{glL-jBn;U*6xO7jM?3%CYE)x<zk>~TZT2Y(J3wRmqrv|8DW5Y{R?W23|n
zN$a^h+>AtbG5sk<DLQZ%eEwlB{BN9r*2%-X$U!+9@b~WQK_f0ujd0VrpW@ZL1Q({J
z7sUwyMcl&-2BlZi>WIgwgt<V${P=GPGYU!K%Zo{HuP0?2@pY45FllOTq8u#Bu!^%v
zA3H21UY4aKT^e{cW|$ZMu=<$d#3{>;G7ubUt2ZQHf*W}J4asNWMp3Ii@xhPfSbgu<
zjOy7};8~XazG8z`y$Zn7@kKtI7lTcKZn@0a5G;*O1JQC%Ba*f1p?HekE8CH}Qz8N`
zHKv6tQyi7}c1g6H+0qoD_qE6!c+87OeYl{dZ=sOvzeMAj<8a|C9NOb@6@BcDm@RTh
z)VE@l6%*h=&O~GNv6tx2=tpn{;b+h+@oW<m7t<hvmhQ9I!?2L}3_uFL17&pfU^`5T
zcnYo-s?8^@fO){|?kUD}E(K;F4QFn&_02d@fN9O7LDUGIlxSf$4_PCBGQ}Af&ne?B
zU3-VGG~K;kjt7vP^Np?8*rC0%Mn3|x1*fJ{OS^csWMxXMgemIOoCK2!lBQqm)#fzd
zQ(JL((g`+&u7dQ=-bBVVGgKdoqcJ|k?5`OJXJ)O=R?bEAMfu`7C#$_jQpX<chr-R-
zIO9#DfU8d|TB&^%>gG=@4(Ette-4qK9JJ0E+KBQ{GpL-@A2`7()?uX{U=|eW)XyT;
zy$zAZyoh4|_*1+Ty?~2IhDV^I-P9eI-un#dKa;}v&Radc)y1i((S$uPpigqbbu5If
zCAIP+aR;%xq6sE49&(pqv@T~Iom3t7GU#g+{hMLC7yEF8sk&-9hR)im=}sJW%CC5}
z6wF}33{~(FRWQVY<tV5vx*CzWCi`PiataB}fWxDIO4+nEL)jKI0}}yGFOQ>mjf|97
z`N;}n>3dK#L>ZgE@UVq2I30^D+5V;^_c$)%KyTis&If*)U1`KP$5@(pGZ#K8Ur597
z=Fpe6tk)v;AbX?becFI|nTNq)i1I^R_T&jUm|SG=o^L8(Uk{Gwkn_0x;;}QJa=kBu
z0*%Ibbld#alyhAoNeVPSkNB(KNW-WtxRAiepq#wu2AYiHrOF$;zo(>>8)Z<n2K0(K
zz$0D&V1r|NJO%v=+hH5`4qzz-@3b!ip7L=aesIs~B0d2<QngHVC>7l}j@0%Hz5u+c
z8KKxW?+wYmT3mQm?r-b{&fq%}W~73dqF`RZMOYU}7ME<~h2Qw$NC=0!#(ibAdC81n
zu%aXA?l|<C*&mNQ`<fxs5q9GDGa&8Rd7DoeEVOF6CRpyniyGIm4r9CExj)==Q-YjX
zh`QXz@Aly<DFdd5@~a+lI{A^Gj4lA?Djj^TjA?Ue@A{6xx-wV4aVR%3<r3osP?}i(
z0V$zk6if+S8L$SWpupDuYANhfh0kv;yaAcAaI`1!9pS#fvk=IOg^IOBW0UYkPKrOg
zH-*c4AGyhbjFWR@WWQMZ5SqM^%IwDdP^VujIRYB#EoIyVtg$puSp!Kf<7-D)g&hT2
z??i@}hN@@|b6MG22)0qkUd8ps8_1E_GLBdu{f+_!Zo{vmAO96)BinW(RBRF}-%Hz~
z%kWpl0UKQ&Yl9Dq;iWs`&lJ}(l4o^U_Yo>Y=>olX60F9;96W|sqvzxo-x6`}5qLdU
zempLSNG)R6zj5anX6*q+AL@X~XRL-w6p_aF@re68ZPCc2^8Uk<LKjLY-!5Ys&>?us
z`$Yq5$1%}p<uZ9&AN!zKedh9%asI*i5WQ(=1Q_JRJ&e&k2mqfVo+Ak}UBP_&FA38R
zN#bV&rsX8)Gd<@7cz_9eineGVI&MmKig@4{Dd6HPl+AC{iZ7UeaZQuae|{>iL99ZW
z(movGBZu{odHb+sTXQ(@3hf$w)z9g}b?0x*VfG>D!-NSOVUtTz_{nA%qi$rjQW6}0
zXB@?e_S~_f3_a9mwVOr;R^eV3&uykPUd+a2sm3KKj9J9k5f~G1M9R<Z=@@a3uLmx=
zZKru__7nx!)e-n%B88-pt8Xig)#D<TAvg@LHn@Q~tra@(W!GJ<lV1;(3Qfng=Fm4w
zzj!pg0@c|HU2vL0^K_v63SgBgbWtz(Ffb!%>L6^~#hN|0T!0m7zfLKF0IPPSQ%t=|
z8e6>L8b&ekhv{Tv=w6;Z<EG@8y#xHp;(gQvFm0G}7|i|@HsIxFPmkfleIPbohO>JW
zYcX@h2TIuk<{7Bd-YoRr)r`Tkz;;BR=b{GmLOBBJJFM5AGJ78lH}9c!fa2^u;p^#C
zJv!_7k=*B~RsyEf3`UE<po?GUrKkiKj%v*&w<lq)Rxs@q%$4t=ht38cA;@xcJc0BY
zUBT>rP2#zNc)q64L&vk(H!lB*FM59X?sLDq=JT%%xBse3pS$1K!F}u5`clr9@K?pJ
zhUJRi?xwoPp#du!yO6<gGqWtQ&mww{lbqx6s|C#`#@kb?#e~M(53U^SGhUL;x&sMz
zCKpLsK9nbiG5N_rYw(YH5l*XjPM(6rSm_6e=aqqDkKRQ{AjB-Z)Z_rk!KFFmB5`Ap
zgyMkG;y_Eme$cdc8)&kFFl&(G0!cT+3DULYG^Lg_Q7C{XF`I(Grap*rN<QFv=@LRx
z0apoo;%o{s6Y09H=33J|65Ht0tY*vit+<+H^}Ts5z-(W~UeTgFEPNIHIDrIN`8{wC
zdC12lb`d|&!R^0vyzMnrgRp;5um@j}utSj~lFmoxEpP5=11FFqI-8>4lCS3TMTtz2
zF&@Q?I_!4MY*~<}am2UJ@XhMDIEw}u9RN@ID!EDfD|(1BYnGjL5m<E%S|i6~vKZ4O
zhz9U`dB(;m9OjhU_Lr{*mEhee9|2Pz4RwP(MQf1T;tJ~F>DV`XC(PQ9%s?fGiQuE7
z7=M~YnzbrhM}c0^++_58ZmUj4V{q1~Ekj%pHrvA}KsTiX@RP-~kg6}=ho``FY3)z*
z=x>q~+LFOfpN^6PFzf&)dpufSI<>tjR!cj|vqov_WE4<(1IodrSVPgWV4GUL#ORIB
zE`Xndsxh;cQO7ee0zo8l(9MYKh#tr^>T%EnzR#FhfgKN=FQNUC1pC_#IEk9pIld-7
zo3G@v9kEZjD0``lwnzsug%j&f=x4~*H;?o1&1ul&S7Gv<5GsCX8V5LSvAy;2n6Nxs
zk7Be6ww03;7KA8UjGX8?R?^w}eK#C9V~;>MEpm4fQRIhSCfIfixQG-<%K=SBxB=QO
zy4}t^`4x1Awk84;4A_mhFc=V>PXw~VxB~k)p5(g>!6k?B9z*DTIMNt5^Mem790op1
zyl<Bj=-^X4u%3bfy9g%3y3=u_3JwI1YdR{mx*XL(1^u|hdSH8-bb)&kz@8L!Q2-A=
z0lk~WUNJj+<j$t^kpcJGx)X<@Lg~C>L078C_i9+<dlc}}@ZNrw_>CL%xlOGBJEyJu
zyD^7D3scd;=t@aN-vf1|0(2r8hrKaSi(&8;)n{ns3E1)37;Kcdpnf1(@e&>-*Wee|
zwCpJ=K`Pzwn&zVj@CX($jTQ~&PkQ8f%Z!ID0!E_+qntHoo8B^<5gFcb0&buJd6FQl
z-;(s5!zRPCS|ikJpS#5(nr76(7aFwck7fH(Gub{_J*@E#)e?8~9p2CcB;;CB7nj?K
zl(<T%7^N@n0!aM9DQLiELPbnJ5Cb-@=q^bRSD{`G4SzbN{=Z>Tk*K0o%{&{2QzKAb
zjKMJ3E_<8?&!(LlcNJ+Z<?uE>jtz`lL8S5e=q0?uhfEbaQ4p>+B-<rElt|Rb`iEfz
z{y;4ojmVwe+li8wP|p7lxTCjy7TAJlQtIa{fT=9Q1017ZiT)T{*bhPaZ(<8`WQC{4
z7M^?!B7Potik`pZQC^A$;v)V9cIq^qEwP2ap_5TBVhiP7Z3PCY&B60@^U*9PA^#>V
zPn@5QbOsEWSZ-YAi+xou!`WCG*N=QZ0fSmYbTF(EBrzkIRcEWJ7d;}YcChL`sG47>
zPhLdS6`YG^asWKeimd$SUX-Bk;Ub)*5<^4(MLd{f;&pNnLO-%=0!-9e-FTm=QclGr
zX$nn6?E8{fXbm=WIM;K|y_CUmVbQHL-jsoI<4ppMwm+mIO}&gAe2LKMadZhhzl<3x
zXzFRfO!<8fIDS=Aa~w-D(WqbtOyaP_p@YtYZ^k-M%=mnveAcxUQ!nyX#oGmY;Wtz6
z^z2V-lb<9Tx#$Ji$nF4+?g1SEa~#5`heH{7k&*lR{w!ntc&M71?FinEa3*peyaE04
zDOkO>q<3GRJe~2#R|w*bU9TTGiW-rHEkx@W);p>n`MTVvtw_l%hvd6x^5XbTn{fbv
zws?bn1Z%Hr?R*@>Iqf7pl5b+$wGT&jVjFvd>)WwlSX#JSH$&Jl)2FOd8??K0?7mXx
zUVq^szc%QQC;&IBre;dj4yI%CA5P)l0mBySfFFK-q)i}ahaa0(rgn6MG6Tkj6>bUx
zCX>%Wp~|%tCB3m%9qRW)>t3_|3RW*=O1Y6Ts%mN{M^M+zumX8Pb}YVhfxed@_)tc!
z1AT(9ro?hqt!~QR5AWC!uC3Hh#a8M(k+&J2xCUidqRiQ|BG)FUJvCfa;*Wm{T&LGF
z$h>SC<b7c1E4C(hN^3SsOBALo>V=ZfiInNUOX%+Ls=L=cC%b#_^AN(m2qt6D?X?US
z*avu<$*>Qdu-yU5H+q4y)ntU<tz{%1i&)swKiGv(V__pcVV{Go6kqDbrCdpOt`+Zq
zfU1YcWK4i;ChxZmBtJDYl%f^Hmhy<?B0t7Zt0zZnC82u2S#rwE*gy>X{Rg=!uE1_e
zMEExc)6h}rNinFva5uhUg4bu~s=in#%VQIg<neOZ9Y*@7SS?Ax33{zaVaNluD-Owe
zB!}9~1BWhB9C{t|3D_nN7$w?cW_%+V!6Un1Av5*DwZZmP1JV$kMKnEjz)tVT^z`!Z
zfUE6{{W5IXwcgTKYAYJ6j$-9HT<gZ|%&vO8VOAOf7(Ysovn9wP?y<6AaBpB^K|@lx
znZ{-R?S$h8#Hp2C@QEnB@W{kGz3`;=kJ{Mz#RaPniortYIkVE!if5&8GZwbw2*4q0
zN?Y}nCXm@0%NaJ7KLJZDr@Xju72Ze$j$UBv)!4j{G8kC!ZJ5xH0A%*WjB+1OT<7Kk
zi3=+lGz6pz0}|=NYm(U6cZXiM3J0^th8GuX#O$eXOYj<P#bpH`tgzS`wbF-efK|uN
zn(Xq0SGi#nekrlaR+eZh)+JJF-Fzy6>4-OQE7D@%EiPC)rJeR-9galD$!MF6Mns&k
zm!rAvGi2SrOdPKlZj9Xka@U0hv*uCSqLc^OnrX$T#b>O-ntn^&i&m++7p-efX61|Q
z%E|c;fEeg%Cw4&VYtgJ$6eObATVXzH#!-2#{QI7fl5-Llu?Y?Y!rq9UfjcQ{(;W4)
z($B13A9T%3&*Ue1ep!p{c2WXlP<#f_lq)p76q-h&nbjIioAQP<Y_CEmoyiaPw8Mvc
zFjcI>_6nS7kC6a;X_CDXa@7}XfZGzUot25rTL<$tgO|EiQr7~}uD-l*17axnfJC{O
ziOnXV{dt?q<&LttdIWro;|w|lvqdru5=Jk6c;qnGClF_BPd|_mtmwg4*QR8np+LNq
zA*Gg*y~R#iBdZTMGc`#p{SQS!H3sFD!l+QI{uhiFu^h}h3<_}g&);axtO^*~6Ka6%
zf(0T*CD+a>!5M^F^(X*9XezryYQo2zA%4(kRJ4f2;%o3pfM_?|8lTSCy#xH65wFEB
zckUc_YSqjM@8}_4^N+$LO0WYGYzM(Q11w2<<Ph$|J2bff9D9(cnj{P%B}}sRNTY;F
zTatonY$RcRmoS8sFe%z2SV{n%<Rz(u$(ynBBq5Fxjy*wwX5rqZ`ds=E;p3^39>gk$
ze4R&*v&FNDiyS4!D&LHqwE*_bI9i2E=!{i6+W5jdu7chax2-MwbmEp6mX@KDUsd$h
zouBAA9~H&7U`?zO&UVD>i8GG!xGL?@B^Wt5x<MqPZ{uD9P1furbkHbJn%TO{q#t4e
zLD~b-Cf1{i)C6WGtY*#Epagnw=aak?J@9u3@On&Y5Q(HLAx?`$wT+ObPsQ5^d<G1-
z35a6XiEgmUe&;3xL6R|G!*RGV5u}C1rK$PVw*W8hVjE)Y5{zdltZTQbs|itc)OG(q
zKxb|VM)9qfuR>n^IKABX8XMMPh<#^leikK!DzR3T=!g=cH>jKBh3&m57{u?*TBIMv
z2H)K&H@!*RZzVq@Q{F#Giwt58MGT)@fzp+m*n4&Ks!(mLCzTQF`A07b_K5zBO3KY7
zP@+XrQ6kD(%drj`<;0{sTyT*V87X_VmYbW3%}&@ThPM)bB5^ol>+rkI_xTYx<bVk5
zA=9c6E#(RLM{f@GEH|g8$dw#w%6mwE*9p^fOe@A_+Xif^UN7|-u(yQTRBsEF#;#|<
zzM*0~cwv18l$+P4fYMun;N#V8*yJGADXvaIbuQKx9D_aLU9~4xm6sH5@@h{sc-=>X
zuNWKQOFfUI4evUATJfRS-(gR*$S)9>*u~}j@nwcxy!C)#!EUIrzaw~#AG^WO6;bZ1
zA|vP2#@a7%#?shF-{h%aH-$%<zq4WMY95uW&%XeR9O%(KxCj$gjmF+M0*3?CT|3K(
zjb#JcP9BV%u6VscZgZa1(VEzZ9jVx(>_4(|LJs`T!`P)i5$oNnV&8LrZu`8$FoT_R
zBQ4ejKYqjI{m_ZA<gjr7F&4PAYCAiQ{hJLMuy)c3i!^H05T7nUk{W#JOBFl~N-s_(
ziTP77LkFd$pfn2m4LNTDO~%JdhOsj_L+8uuUU*16+CiPFD;1gF>C@R-oYP*0YZc*f
zTn7$+g6ah9LlOCbx$($7_*$%Tz(rd1l_cb_Zq1RYG7ishs7ovaiz#on5v7$8!fd~W
z@6Un6uOQ_h@%g`knO9;}0kgZ;NHtvXY#qC`=_}z0yY{w=tiuvb^~+3(SF2h~RhxI#
zCG7I*?J#d(2HKXnBpq;IdpkA`AtUL15hbJ>(pdyZ<o41c!*Iv5h}o7|X#)zUUpSzL
z_INr{t+E~P2DC>Vgs?ImgJ$x(Cu2MR9pBlCe{Yq|uR3;~_UKNq8|nVBou3Rie~o{?
zw%BtX+-#dd3{0_kNb2Q`#c=8AjQu#X*wa7uUDXs%FYHxV5AGn{?Tmel#!LVa;bRw1
zJ`?+M>RdWLG*N{VoafGr7``M^?Wx2aJ`#c%<edN0-n+m@SzQ0aPb7hW;6{rYt;mCh
z5|o4li3TK^ghY2SNF;z1(Iq4sva-p>y+H6%g8_9}*V>l;)StEuUinpRX}v+9kO&G|
zt%z0de%B|)J66C8dB5K?^XzUywC(TxzwhV$yq_)~^6bu>nK^T2=A1L<oS8?yOFhmS
zBb?QZh!a}HiqONW9oOB2nw>prkOU}vcsH!@h%IyjfHcnRlC{3FV_CYO=G?c3$r)W|
z0RTSkddJF%1jR;36R0ao<@j*La?f@Y%7WliwCfs-ETo*A(nYs0gY8dFF}n8R`~R+E
zQEY739azuMS(qidx*+V)lamdQfdrxXJ2N!Bbw3IASZfCewptNP<&$8FNX}R(>d?fC
zP6odZ58}j=$wu@4^Isy8k{itbePyrR#EAsQLl?tkr!+fOcTTAd9X-VxIuaqGP;wp_
zGG*?%3`X1|c77e+LxyOvp6e^JCS4C(945tN#?t6Xk8Wn!-3$+sPKVC;w{bhFYa&oV
zME$>AwC1R;16V-+W{c6Iy0)U!|8BgUQMl!Ig#$u^fn4RWw8+m%Q*eW>uVibqTJCv8
z#<PgFz`NE4EjejDdWbj5K)1jFo!0#)FBuGjAskNG-82?m2c-s)1UqG5DCXgI`&*Co
zG%b**H?!-vs5ifZvvpER2Bt5TF4HyB8I1EUUDvYd*sx7tR_!CO*t<$4A?@26iJY4K
zf}~&$&SrE^ac)il*D#41?2XxRFwGWLrMDayz4RwMEAc!c{tw{13NE<A8>W)l9)o*9
zx{ha4*gInGl0kKECJUI0Z$RigA~Z)a`=7^{ROBN{XDYVsXkAO6ZmbeLTCK`pV93~^
zIF%yWV8y$kNvy7z)j<xqozaH`PARe#xTnAwy+N0JNQne!)-)91<VP&6O2&XTRL%2s
zAdzxjMmMRkf|=ba!uyoLmjQP@+H$GzA?FY@yL{VCNU^u_*l}o)do#4Nb^=36Ja_{i
zMN82|D-#Z53Rk{vI8=o_s2$0Dt}SmJk2+!(NI>|~V<>RPwRYvv@{_V7FpB%u?$;@E
zhjKgdByI+Z45ZK<=!z8LJd4`DC9DZx6O6_YtJHT`-t9Lkj7BMpGKkT&>BMg0kA-N?
zo+qr~>@1?fiZ+rVOnNz#y{h7919wlq<tXm>B$Z|YN9+3zJSUz}7pb`EFxX3O;->3)
zj0=izqf+I9`?mEXSO-UphToWT2qt@&(&^5N>=rT2K$c=gN5kwhKqij5qzUgh!P%hg
zsaY8^`!owR36WvlFEL!4;9^aYtJPY!RbI3eFD<zVc}Wf5|NDQxVYv|it+O%V+-4FU
z8CI^eE)ir5(mIEvlh&nNmjl_<WpGzLEh<MB7fu`$PG#T}mjK?@@(BzD$(Dj6wWWa0
zEU`G?7WSQ?A8T6!EDQneGD`|~1V0cqfft5%Y(*JX!sAceNJ8~PV+amQ-x;Q0z_F)T
zS`+(@=?smL@oXU87g(h|H!a}!V@C5{^HswKUXOSE^mJ5A>Ifry&qZ5VAFG%|^e3X8
z>_k1-(|yEv7?@*G5f`&m1bb-l^%GeQ9sFNPHO|e~EFJ%4Zpu*=B?wq8iF_*|4ta1A
zX8sR~!HJU@_c}T^-#W*2U~1|<oYSVS1BNoX*)U<oaTf})2{hKA7<k($>=T}}T80>R
zj@({hNa!r~%1L)MZVmgOx7SmzfCe=yYbZNW0cYf?EPM(*(#jnyKD+SQ<&H<*Et^!E
zH8ixtdJy|aDTr6%C>k=<mq@`QmUaw#lEg5INezO-TPhK}V<7^NhG{Q8IvIA`1@PQj
zlA)Ii04LkH{fRtxp^EdH!x!fjLI$Tl6|Ukqp6`_Rx?xSUK*<lgBu2UQF`RV6#zQ>v
zSm>wWq+JLv1{#c)1;ryTT#>=u$753G@1hB?IKvf5LBy_@^I4lSvhxzRb|03^hI+mg
zY$3^OSbHy#g-c1TQuqt$H_lK_L+#jZL6P=KuGd(>ID7~9I13MPhcTW3a|-&4#78jR
zwLsX=h^JUHMg>CydFR^F*)g#A!Eethc5S}3VVdu{tT!7N+mJ29k0OFBq+DHvJvXgq
zQzW<?O;f$-bgmzcZ}J20RbROi->|MQ;1Yo&RtQe0VswO~U)(1;^L{Wz+k^61gY>~@
z1cUTYLctScV$|nQCk4iZ40%B;AV`uFkvJdBEgp+V)SVTPMd-I5M$#4vF6jcp7K<-6
zE~H2o$Gdo_I4PUum_(kqov7%pc#h3Q-~-(vc58TXVg)bUO>}0_-*gOk&|}1|bz8kH
zf=V!y_BrR)kBYJ8?ves(Z51YBG_i@GzYe>isrRt6v#6yaIP8GyFZMW)cCJnKSim*S
zfk)J0?IA&y6u)&gfOB&^NOQxDlk^4Z5<-JU5CfRDFp36wvl%J^Whyxv$P_L$dgz1E
zOLVTL2C7CtFM=s~43|<E<kt}ik8>N=x~<smJQ!GPL`eEOfYod;uKU%1o||YS;%w=*
z#DG=_qFiVbMF&;m9Ix>+Sc$+YV@JQdiU`F6`?cG!eJHCTJhQSDyTW~+Iste?Q@8?~
zh+ctRc!Np7Nq4b65rL3@3AsmSKPF@*WrnizbbvDLS!^d(a0#h|{qIW5!M7wSXN^?!
zjVtmc;w&c;OX8N)g|g_S=|4MCD9HG!f7S(zhp8{KfmB8?o!UvSV{4H&pi`Q*42CYs
zl_UH(@^|Y-Mv-f}Fj6Z)1SGm@UWg}P@oqDF($a}Im?I)!2V&9=<A}ovqIsi^Q><($
zdgV?u9U6*m&yS$n(=q=`A~-<--iYpe4noBW=Cj|TtpK*=iL`rBCdIlApcXHBjt;vG
z31Eu(a`+as$cEAU+#OiG^N<0a?R~Os^iSZo=CpvMNn6Zh@xu~WVlp@1y=i9t>mL?P
zWsji<q>UsDmS~1^%eA>3C%ig#WErO{ga`FUQ0q!Y4S@Uil1E|qRaqWDCF`Lq;981`
z*sveL1duc~Y#CFs=;`ax<BQOPN(-7RJ*!0y62U2JzgKMfFIYpe|9HdUto$npCP8Z`
zJK}*g#Q4fAoWvxaig`n}%1U!?Zdg|GkKB7^;f!?%%W3ny;a{)#>c_Xg2I)F(C}*h2
zjAC317)z7D2(UfOU361KC>mERH2K6xh$q&I*<+LJWE>8NB5n>xJn_D1C3TBgXo`qj
zgcEdxpT)-T3?sY)kJF7%rz(o|4PP1cE1JD9FwpL*HVhW(IXC;3T)kj+XmhFV<@Pq!
z%i+2ozdHQg-3@;Z;AoAgl)Asgys8OZgAijc>_MGI5(#P)+YEb>tpsK)1ulDo2sJ%^
z?9oJyn$j15{F}%cJ{q@n7)1u=bNC4K;zT0^p@1UYgYhfN2!GMNfecG`=;%a;4mnNm
z9bClhgh?7<P6_^)jTnGC*hvm|F;^3D8;R{x2=m33SH+7+hN4P5tcS%-*~{bq8&08C
zIZXgbd{m|EA=?nVH;;N-ia4Dvux=)Hk;l}A6oUN-OWyhlK_tgwVJC;-SVzTCsl%Ha
z88U^?)uLjJJVI9ok-CsGWO&#RKN%iXg6lP7!_tT@c6`9I;Qea_-2-@p26azs#f5)I
z@k~B%6lnu3pD4#xaW4+QS_6QS3W>&B##tB<N9_F1uS0Exs<vBHZO`Fht>=Cd*0$kT
zK`=BQ#rscb2uF;Ybv^rsXb^0U;aq`h73w4L+`aerC9!jk+FqJ^1S-Ulx(I@dOOLAC
zUYgGPcej^C77p27dc-hf?!D^*+})v%6;`0GVmqLc(*n94R703!#EM|mVIXYWPXs>s
zyTDO-o)aV(b|aCdOi<y$bj9QoXW%}Uc*dM&GVXl8ij8}TctLazI78S2d2Aq$ArCJ#
z%OWSCC+HK=mQDmt*n1Zu*1O2b3&A1EvL;sIER>1~t&~}cz)%zYDAxVRwpNgwAo&sW
zOAW@bq;&mMsE8_Drw+mz6<b2<HfL{EPKz(3)NH!7C8#dvMEHODoD`u>PCm^6f>DE9
z2P(*4osr>LR`**%3%H@IviIQ3kYyOf`UMb}85nWoQ-<#QNEg~mfwJ`??FE3e&sp5V
z-(atC-01g!8Y<hI){im}oOm7l&|nOMfE!i}F+d2?ZVVh(A*S+6YOZXd?6-QjvatHb
zf}XO<U8kmIg(q-jDdiwmFn0xI3iXk$e{i!1vJF~=nyxR$3P$ZL0jdpEm|+)2Pz15|
zV()(jQpxNcgEj1DPy_7P^j|e|3KhMGhqYbKbLqoBlL&N_Ot6AR1@tEZ-9evTKZk$p
z)r|81(2Vd}o&l_QM1Veeu=;f2LMyWNL(Ss+0@Wo*lz*Vw)*=oK76wM(?MJuUzg7*O
zg73ht43F-SwqmoJ0N*Hp!3yAD4KPb5`Y<GB7*fwVg3)6KCh>Nw)RV$`c0-H09a!am
z%(FvqbR}usKB&U6)eI;QW=`w>CVZ!I6<5ZYxDAOM)#ju~Iob9(Rt_16vbeWou3T6r
zmoo4UFKn}p#cesM;dI=9lTzU*``GblISxWS-u)Uw4;{{pWEl9gbnQq(4G~yLdF%2k
z*1o@?ThQ~HT$@Je%g~*FN$A2baZsMrJ7YIw-H-BIg*1_YMGD@)_7;5Qn*^U`cI5u7
zzw>uYy}dqZ|05j;d)Qgjq2fsCqKn=jZ+2x=KbV-*^r~I?{aNp_Qi>ALjkJ>XbrCkg
z#`{tU$5pY;7Fd;7aa}K^q7ddYE+s8aZ)wJ>y;oj~q?TsBtNTi3wl-&`IIg{nUs2)T
zP~nDC@CP?w|3x?;mKqL_Vh03dV-IDuAg==5=95at>a6|v26rXjL$j+QTAS6pfq9~)
z-XMh9dtVv&=M+X!Q6dyvgQ)|5D%vZ!cR3$L&*RZ`D>+02XTX4NddUU@a~XH(msH~P
z#!OgjNwpqYbjZG=6Jaict4AW#u${)fV}&?zU}0m7=naCEyc!&K)0<RdOW2r_G1=D0
zPkMS-1O4pL)mf={#7gffx(iRob-W98`KByt3p~#4Sh*bE^1q61%91exouo>j6nRL$
z+_vBzj0KjWNuK9)atp?t>rFJFa!(30vhh_0lkJYjk24i&j+G}d=gj-%WnYe!!&ziS
zRs|kwuU76;VCclp*fe^qvGyI;eab#L{`eS(I1Vkt6fINphAi$0)D}9eht-ZYC<lNH
zFdInrT<nZuH_=B&xupezauVyr`n`mYqWkgaN);XDe(A3a3}0`6S<VG8bG8~5ir2gf
zU`$s@VvL}9xuFxu`ANa8OB&|No-aC_SeG%m^`SpEaGNq|g?IwPGx4@M_84=WbZ||2
zH2^JjleB9s0aNZ`6o8%Lj9}}%K!gf}L&DU6H^Q$x18`k(xvgFN3>G(8oUzdDYUc#w
z_|PnCFifh>=uljm=2*Fx)QFZt--N71P1n551e(ZKXT6B8qAe+mU{Egu3)qF!I`}fb
z!t=1hP!0;rimcaJELxs{46d%!6j;ZQ{63RW)hBpbcO786oZXl!b9vkDCAe-_)-i{!
zm_oA!FtQQ7UCq9YafXFOsHV7@_KHcgtd|CESIeRogJs`24E6f92hCg`K!NVddB=Ln
zGhM4VYw!-!)^7%cE_6ok&uU?Hj4Mf_0*G@W-y9Yiv=NKc=zcTKVZdeZ`ozaWqY--0
zowgC}V2oBLxC-`cI3WuysEeoB6rWlP$<j4X1`mc9x^gS6l+#HZnBqFZ$Mcn<5O8H#
zP9EyS6DkllN|AvqUu@M=GQ|q&;C?0-pbT`%=CzW(m*v|;R`xn)H#>iqXge@3<gru)
z>I(PBWOd+j^x47o)hWoQ{f!Wi0kS!yEihp;!6pE+1Gj!81V*S|i_4#!IGat4@f)Zb
z5LRni&P)woC}%4#Xt`qSVd3*|McoOE?}MxQO04D{o@ay+_tB{*RyrP;I);CK!at+=
zCyReh=AV=JXH+Frq5F9|DKx_FVJHOAx78UrA*=g3HK~*zq!@l4fZ&vMe0Kn4qV*%W
z^n}X6omYVgz-x~F7Q7BLzyv<RgD0k5pvP<^V6G+%7!G0D70ioxSQZ>uE`+gQAHk~T
z5)9D{1pAc&ThFR?Pv<3H9k{Y_@mEmyzNv_1ozXoD1;(%d!c$map(^lm7PyBRXBnKA
z4y$E17eMG^4AdJ?s;&9xa@i{6puXb~E#!(`i9C!R?#SDkT`}pM(22OosjD0TA8FC4
zL%Rn=rw+#*51$~o5|2;20k$pEwn)Jo$4D<h{ysEp-{SY;6+(x>#3imIts(%dK1B9m
z1z_M|y#t}*cy!M2=($s%wjY)`Pt_@OV-dix$Tg}6OIqttL<MZe3f3~=+7GbX1OHjw
zfhaOTiN*6+yhRnCs*2ypV1~<3Jn|2@#Sj($k~xuYtWwm0rE_{+v?{f3`Pa4AB1jJ7
zmtBm@&`++5o;NUd0WKT*+P(Ccy6Du*x}3vP>i(zaAeuy6BYaaG^RR{FEJ@fWvDwW@
zg{v%SXJAu{-DrP7p|%z{Vb;8j2WL(Ea<X3#hD;Mku23*riT<BqKyhs*o4}`qsQ*>e
zIme2ZkPuxwMe_9ZTf8EPfo_|TRo8k|88jG*p}OT)rPf~SSn*qYr}E1n4%r~^Plojq
zlyW>82D8A)CVhS<Hbo4}889K94bEwOEK*LkIUS)hD8bXaPb^+_c?$1>8&m9fWS?`=
zXMqzDI6i18#M0-^v7f;MJZK5*U&9YCTg5P^@J`oe2xfj-x<{5A+<|+lmS28Y?X}@&
zqoueaGo0G}I-_Dzvv?CFxR|~7`8~a#kb)JAB~zDyCN0mBxaR);GLUc|ss{;6@Ev5n
z0*_u~evB~t70d_)GYJptJcu>DhPgOzBiI22_Eob~<wR2V?xY30lrUc_m|Y5{2aoOt
zT@rqW3>mHyptK>9=`0Ktx}~m3D_3c7+HfckGH=}h`f?1WM?RB%?UVubX~(y%%OD8m
zRYdmNou^&=LU<*4(XCwDgj+KuzF#~Y%Rf@x8?p38;0=8Xx*!ZNE3zzLL=6>U!Wp|=
z^aQ#r#e{@?C^jyf8}qX=_ueOOP6TFq@8flcB*>-cS^Ei?hM?_xONAi2u0dzx3*JS5
z5ei_N0+@C+2>Zo{B&=M;%6d*B*og}4HwujJ^#Rw@2cS|2Fj4_rsQ}gx;F0N(C+IC^
zC9ff&UDOloQWeZf!u*m_DDMJAIalPfOQ9Y=r_|z^v}xx-S~5Zva|<_zy(B|NM~CQM
zoeUY6Tg*gyHTa?-!r3=#VN0cpBRYU4j-x0=rQ}OJRT*8PNn-a`SR5LzEIYC}Ky@u$
zAFw+lu;su|VkI1j7qcXa-U1+~uPdbKmzdF01*EpoJZ7Vd+b4lu;R3=abctOdg%_MZ
zra+@-;PW_~0JQPVvBJ-G6?9K!M%R4#2^1GF>Yn?RudI#GDu56?mUf{snr`BSSaBDv
zIgUqf&%%V_3__-Q-4(VaH=qSDkp)zi7C0Bbk}X!Vm$mNPeiHGG4a-`>M}en`kD@Ri
z)F0pAeuk<sTQ8>0BHA4k7n)C^UQA6m)2wT$`Vk|5Iw972aPt|6Bi#*Oq%g;j$vBcK
z&^SO9F-s>ACX7gU0EJNv%mG+AYN<IMeMtI+(-pFVhdVJoa5hm6IVy#5#);4$v9B60
z+<D*>tYSy^h%-a2H+7dm7d4ON+xC+f5i4mKLqNpOQe96UNpDB0@)QsVhr7O_6?gCN
zW$E{bb*vpG5~GASHq?ai#XkAD{G+w9d`2uGB5-p#H3PT>$z%XJY6Us4#@w!=*r?d4
zInlxCZ^H5h6TmCB6%I*x8^#I#B(y9L6kRJRkR|gmUWj092J65!8Lc7>#thctqk&-9
z5G-p9{eU1d=VxU@Wp%7LnOka(hIK5pS&Ulx=20vjEBa%IO!*9c*BglSo8EitgzhW9
zC?zkWRCBIh{@$twK5zNQ6-=ReZ*4pk$ucj<<|;+Jg>l~#D#mVobGo30mz~Yes)S|Z
zBQ)B5I@MZfS#p65Hq!e?vS_8_=B?It8#7K%(CeyH>meq^(ssk6!8bPVa&E9)EEU+r
zH&Ne>wiI&=5SPit?c9)XwA_%@#*~=O!St!XfDrrm#d6_dPP`^A=F>U9O4ggmrnkP6
z8_B}>EnRX1v5Z4num*&+&W9PCrSdVm$=WMd-~b>(gu73*#>43#S7U@mx;7ty>hNiS
zi3nEeZd#1MTq;eZb?+2na8xoBy)djzR%ZcVNF_xD<YrnAAdU7J@Z5S@7vs0JbI90j
z?(addg0+~P93mk_{Ni@z*7Hvj^V$G!<zzyAf|VOxC{Bbv;6+jhi$|07*3*!Zh?NR^
zy3PPg!r?X4{zQPY+M4+e`Yu5C0;n5jffNbDGZL@P0`yaWwtiy6qA{x(;5=Ll0dZwk
z<;bOj(E!}lG=ixP+mx_2O$2>P@xCKmA%z~x1Orx(-V;$ruj0S%r}$MUPAQiLvO{jl
zbYcrU6<v)yN#Tz))&{B;&QaGw;Dr;AWU;grSQ9cI`1+XEZMd05NOgKIQaM%}$F^Io
zfqVhiilO`wEBMD{9FBdU(<yIbFZq>Tc!k_c7UPzLFH8aZ0$?-<L(a-MTTDboxAK&3
z>(?WfnyBd;g2Y{xsPHA2w}DC59jr4}@HO+7e{Hnjel3_fi~a=XfHJ+fc#W#E<%#$J
z_v~Y0c>$AHi;RLv(^*}S3lHlLz?tJ&NyBCnNi$dYE{33)>2sxOc!(9dj}@$r_rtOB
zY3Q6J?OZ3WZ?A-K#wPPl?xkY|zW`X*FDS?RjP$Mv@iZ=al<1HY{i9a4;t;=BljQ$&
zPAh>ew8NF&So{<YP^cjlAkT054D(w_Em^b~B?q4d0<}N@FAoz8WpUYaP1YkBl67ux
zRIs0STBk7$_a3ZdogbONLL?*IYMIhVygL|4S;cDOg3!!VnYY&G`Mo-bb(3wqCTZ~6
zaT%psALS8*-!7ML8b5P0rV2J?@d|)Zz3f5Yd#E?8n{_QBP13D<q%5Vo&0%0pO*b9a
zK1qUL><ZgiUmr5Y3YIn@QB!k>j1cR<$S>enljywU`&7+6T6AS|Whk-}gjR3gWIM%n
zflB9@P*of&f2qr0;Pen;l2fhV06A9PWoP$4#&ql#T;|98@sZJ^0dP8Crz%^K)uM~f
zRce|FvxrwOr5|T$IYlC+Cjl!2ec^R~NOx`lE99r8YpAZjUp%Fv$5_#O0EQE&v{eyP
zA}_?#OwFv4E+Kod#R?u_3%Z{)X%T(sU>NJ|hKb+S^|?&!J>r|k+i4i_CVRx2Qmnfr
z!>+*@Yf81&p}csZHpGQ?w55YB#U)}wb{{Gc*>t56hnmNcF8K;;u$;QrgynQkg!BOq
zfU^5>C>v*fMLKWC;RGBq-3)eQSncYE^(#EP$$0fi_|5B>dpmQ{Z9S)B`e&xqs=pOm
z^W+;fZ3v}47q5_4Pi8*&!vtL-&&uYv*oXryBo~Aphfe}L-+3Jw%ePTEOWMg|GdKIf
zIm*ZsO?ziKwgS|c^iJo_%fJzTPr}6tUTNf`=nFi$VO%WwEnp3?I9)|3aVf*tqM$51
ztR<im09OhiH%_w%C|;Ua!3_$KwRXRNi(RNNKo&u9c&s7<8*#Mg5|o3_uxBSW2xGCu
z|CriGdIhEuHb<h@MTZ?v7#fK#abMgs`UL$8zCirms`{0Ii&GD0hVIiAEN$EHHAo?G
zB9UO99s|`>pKc}8f2*Fq)gV2;08rK)uS%c(M*!KUCIa530M{$PsnVy&^KiMqi6wi9
zqF<muMdS(T%#XP!p~?)Kg+ySV5qTN-_Kcpbe+v2xz>*a%OFA|p8@pL9ad34k6mhib
z$Oc+O*H^#sZuF^N?LrhYt6u;6VaA)c3^?@${>-rM9FDTQLY_9lG{+<GqQZW}X^!Au
zhKFpIUg546xOLI&*XY1(=U?nPtDGC-^&uh#%lx*VDP(XYOCgi0)*D(woCuIhqbqoz
z@&{7~hZLU=M2=5JWEs1Y#u_pSLeuKaXqb?u_1TY93t~dfW_~vEqdGs&+Ntw}9M}=~
zute}KR-KO<N09G$q#|pO<B?fe109cqve54<aVO^;zrz5c=T3d0)zhzVKoJ=uH>)xx
zBl2SWl+}6}*Q4);>C?$;16RnFgLG7O$OqA0`&a=g*tnP&7q!)4F2S-EzrpI~grUQZ
z{ZlaOkYvq$84cs8=pbZSM;?nme;uurWSj$grJSdjCPMVUB2Q)E2p=cVht@~Wp%{2-
z2J}Q3Y<>MQ-h~DT-Z56P#lb4K0?@T-Aim<$;@W(a{#J(guUNrk4Q$=c`pA3pcWo{%
zb%6W`HnF^S5xK2=+0e5UlRgU%DaS5wObKoTMc=Wtzbys*0Sk{6oXCox|L&0jUDq&!
zted<MaRo3iaRv@Kf$(A=z}1J?0)2?0BURC3bx}Ip)NF_q%!4&`Ll!WGEpG4Kyh$c=
zdgKFFbSah%l$7bQ8QIuD$IgZFVU2{WQm%;5Nz)g9m52HnSj!gP0llY1D<+!OpJAGo
zgR^+2sjGE+o~!lXfbbt(;3zN|z}trVDYG(4){jAxF8D63QP{Akh!aEzEq;ZSqP_=F
zA37GDbwXxEq}#d}m3E&8CyWc~FdZ@BKR_=!9k_GRVsC~!w0Vs-ooSWz6z}a|MCjzO
z%h7ezcb%7yqI;)8f_B3iAy?+OqC>|qnuFJHeF3wqFaXv7T@DID>*IOO<vfC5gb^GF
z;`SpNU^d+k>n#PqS~e(G8oo_BFW)9}x|g>_M<^F#VLygacKik-k1)?i0^R%2@AghX
zz2NzJ!TDP}tkocZgu4F2nl7d#$BMm#ij24wh%^3AcJPo#W7!c*E$q{aF6Q^m@0?tF
z*Rkh(?&2n$mY4PoJ<o0VpCji^qS^}e4MszZi&B56M1Tq8oQIOVLd$4QA;XImI7BJV
za7NM&vgZ+u*wLwi1nYxNCW`8oU(C#0ef;Dj>Nzc;b0Fw=?)dvw7Y_gYeDWP94VH2V
zQ157X)l3HZ@hp8=@Tx}AekaX<bsc@TkQzeTb*hA<EF)D~RV*z6QqrzsKIAtpIX}8u
zO2PG*=1)qkQmK8TSH6UaSLO~!9+%tD6oVHI<L(<A9Ka1=l2|euGfajMx1-?_7L4Mz
z&7=T@W%8w4;LPCv6i6A4l^=1KR+7cYs!NNYDe#%Z`#Lw;ubwAKz?*5QWpt(}=-PEj
zGZ%O`<|I{E1buLv3gd<Z$I9Jo1q+sMImcEHc+;Tv_;GAooX<X`_;HxYDqudf&gN^x
zkc$IJ@YS(2mO7(7(I3Q$TX~cr$Ulx(d0<19VLbr{g1}j?;2VzmK{5JsJZ(GEE^uzB
zyzk-#=e%i5m8jG$_dQayC*!r~$!Z?pco|8SWI17XrO(neL~Dp18}Ay7VXyE^AtzDf
z4IrA1Xhtx`)my2R6-eWdg?d8NzaSH0uD$BEIyc+cRH5eyWY}12L=lY1Bs8Wq`Ygm%
zF^pJ|7(=nCV-x|JwhN%d49lSR!r)mJ@HH*pKlr;KK>2Rp#tkd7x?9+dg=}AZdjL_7
zSfGQEL>VS#bFTk02{T)*{}&X@=XhAFpQk2_yV3q(jfF)dvK5|&Bj9F;71e>8S$Bdb
z0LdI62}X!85pZS9gecBLs0+LjcXz>5<PdRY{gvhiS=7|)#No2F3R7GT24SJMvVBFU
z;Y)~avQ7l027Cj?M9^uyO=GFoxjuQwGpu6S^#W39$B&~YWUm)(y}+7!A_7IAE#WBk
zU`IZ#xi@k5{5(4QtT)h0PCmMyzm>^7YzvW~XnWGJ@--yo_uzu*I{;H?{fW>(b%Vvm
z;4P1(jUqJ1YClV(LF)zrA+UGS9!D#7Pe%7$EFan4x_|hRzbyaeTu);-{P6MvjUkUO
z{J`?By^S7M_-?uO3s6s#ME1Zm`)j`O<)+9E_;ycj?KwKMa{V!=3He_{I?7Nt!cZ{J
zyd5Io_kCXB_#;>|ZgO?*gR?*FJ28-Tx+Z-V9NBd)(HZ*^?iyD}4|{{TJl@Y!y-x4r
ztOJ$p`<$oK$dT-$IOj+;y^i8Iqi1)&dgzs0^Jz&UC(%<^hAbOH7E4QEB@}kWBo0U|
z0lGip{8PsKg5RA92v}(Gu!f8B!rcNTi>R{SGO3jTy4X)Y)nnD;#U|QY+duo{y^H$H
zz!WxfI0puf9gj4#xCqTWu#-c?^IV8jlMA%~)6&Huqze@<>bV3^97xRn^x}t8x`gq?
z3Ql1q*q&V`S>g8pS~*)KU80h3I<O#JL!GCRwjk-=SqiF9CEbstp>tHyXe31*$DZhB
zB(BwPe6t~vYLK+0R>6G-CWItfKqr-{qz_e65t44#P`g#qDM;$5Qc&Ae(y>TdTdtD+
zBuS1HJkDKm{kSY0Y^h$W$6e4D(0bcVMY$7MH3FIONciWTBfuyH@Li1n{8uH2HuG7M
zc0bQ0U~hu=k3ESuQ^tnfL2y0be^cQ5@aTS)uS$9$06n>N2i`e4X(l5W5rB+E)^p)p
zjC-L3rY40<I9Zcc(O0ON?qN;I&hIS3Xcc{df;lh)$UXcw9-7zzEgf77$H5RZvs<Da
zz+rGlFM@0Dc?1y-U{*t&QG}?(oVe;7abDY?9lj4K1m@MXha}T?dqOl<V+(96SY%Rq
zBe4oopgm8K=k<j`9z(FyN4>~|>j;ytVA>T-6|r;xOU_PsMv=-L0Ho|tYswQi!GSNB
ze<E8YN;|`P4fs&Yh6=OQny+~+T-~C%Y++Sgclx9q_%6fNsQ9dH;_L7#@O}fuVX5G2
z<R8FDw@+4xjZ%nB#UnBJHxK~pmFvn-0JokG%x6DCT*|UiA^1~4XgeC)x)ahPX-#J<
zw6La=5IPnJRYZnj?F;)z!iV$Az7O~p)k4e%@krqFDgj&ypC$z`nD{*YG@6aP$&n>C
z>4b<pW*yxdoBt-(!eQ*7UvLn-J4EibEoh;cNS#I^N7E#F8@+DdqFOw-Ku|I@N-7G!
zlK>qG;57xXWI9lq0F+?HejBwiFbi+#fUyMXGSwmIo_LSc(-*?j%S}e)B_&kFtFCqn
zd5NQoJX2aPx|p>Xs<IS7X~guG;baM|#gUib%)>&`P9Ex<Fl}{&PlVS1FB{r5JpvOK
zb#las!XrrS!UalkGMP$r57UNeC@v$KvBxD$wqna3k`~J|$@@s^x#F8`YPGSWOQjTc
z+9JZK6_T;z540<_<<20XE>?tk$Sst75s$>+ehRv_gCBFU{Yn9hs{kb}#OqNX7Oe`=
z*B@F%TnfsKTPvERGxA#Ndnw`R@W+H^;tgFD+!woA-#y5%x+O=~O>Mn$%s~Su#yh4*
z&XO*7<L#eU9A+H{7jZ@8pai+&g#~q`+sn*@6b=LF&piyt;L}3Y@I&q&Vk73!QUt!C
zwU2ZED%62~oa~;B>uT9x9N8$5#5g$K-1y*6oHQ>iK+jvy5_*0sC;%qB5sw6E9wNYU
z1<<Sjjyw;fdFDx*G?5obn1w<Z3GN%uDZ`_>P~S7GMI9pI(Bj9~o&tYx5xn*hujEPY
z<3QOXp>vw6co`{)y-L#I0b2{jn2$K0d*Qg+)?de7#W1$7R(N+{?9s8e@kn%RBLRM`
z0Dh+c3a6oCU+y5aG3H!0STR8NL+czcJsr^sB?Fu=HJr;SewuI`$L7)$$L48=b-tP2
z`Bui@9gfXI9Ghnj7`&tN?aaYDOQgH5O=)NgpB8R4j@^ew5@UG<h{@i@UrCYBx!KzV
z*h>F!Z~umov5l^~=1XtC#3Rw$2MBN<n#VZ*NdZg)H?syNdi(cyZ|6b>SB8x6<<i^q
za6K1rgY*_x5S6Cj&$PqfoJn`0$Iih!@Oy}QOdEitO#M9--=PUJds-U4XY20+kuY-*
z67rxb7c$X)Q<Lj2$#nWu-s~Ko^Hs!F=%nX-5}h#L3oq?=zH2UUIR?4?B}IZiTqHEw
ziARD)KPAA+3LvHce&Pg;-iB0ETtLqV&i9GrTPm3KNKS1?bF8hFLc{U9a>$rZt%)}3
zdPd*8UE!WIqm_u~L71PxsAI3xB&l>SM#{bn?3;Ol@(7}QQj&;oC5)x8-mPGo&IQ)v
zfVC)~yTZe)&|dzK*XoYL4EPdo@@j$eHZ%PVNNjGUA?^`!{i*l|KCptg)J8g`JMbba
zqzt3g6RZ_y?GVt_(S0`5#bK`jt@bY!78fWi4*nEa-19gJ#U|o1o}p(@Gd~Hh20P>6
z{P6L-o{Lw<@v<?zx$(gG@SY9miP8NWFBDTZP`<?%w@D!DNHnpKO$<ztDf|iQ#){5E
zOV(62Ay=<~>sWaY5Nmwn;ic==;Rmd6WP6qi`mXc`oygqEtJg3wGPWXQa^%vqI=YeM
zf-!YrU{^PcCe~rN)65JHK_;4;v_Je&QV^e@78|jRTgyY#iF<&U{fezph3if*mtF&R
z4Po>vwoX(qE-uO7Hm<&S_}N7S8>70tZ?1HE7iMMmZfEpFL~Vr{U6F$b$8$yATW=T{
z#*A3%6wFV)nr_lor~U3b5C8`)=9uU@H%Q?#ol)$7FdpOhZd6kDOJLA`wrb`k)y!@@
zx*9+=SITz0IW_#dipW(oWx}Eb<yY|n**|Rp#w2R8pq4GtlVS;6#;TiD)di~RpW|Vz
z+KOVaoN1sSBH!3$96#eOokyC>(SSbN4I>hl)Z6idY{`!FIsGm3l4{jAl~!0){VDO3
z8UdSBqpHBJA7<Ei{In<+u*56lnA{U7efSL!ZjY!wTy~+1!n1fVI3j+}`7*++QZUmM
z%vL<CJ062NzX|DvtM$8-C3)vZr@T`Uc@ML+dp|UQlAae=cKi&ls4wf@j|JH6?0F{q
z4g&ToB2&6?i*9)5++?~YzZU_vvz#($_;gff@*KY%$m_%?X|DG)FlfJ1A+?^{!B|la
z<ae*V%v!?mkPKMEY6a6%0>ryIG4@-2*?8gLvm59p!u<p<Y+*ar{LiSoz|02q#g!B(
zk7>sJIc$H>;&3T3uUr6mIi_X2y8!t;Rgj>Vg|bHDw`5S&oMgR)cynfCTHoLs8-PWP
z7Y^_wAj+~PUF!lm#Nw4v<>Z7k$;oi+S(Hq0Wu<aDBeT&pQ8~fiZj(lo0RYxEc^TQ)
z=qa%3O=(0*>0oK}o9@m+Xw`q`UJp&+tnIN>GVv}ZhEPE{q~%N#{bmrceYzs(RBqm5
zMHganBt*>;0-Ub^PEr6HN%5snmXe}IXAo?L0{e#Bb{NTuW$lA185c~CJR>2aIsh7x
zc%YAtv{AB2y`Y^kJlzPN1C<QKg}kW+DS@wvEhn5IYq?huQ5M2`xjwKi{{()I-;(8#
z#C*L70~bL5bjyt_o)p2AC#Vv4i<Gp!n*vY9VHGJKSm!d64N&nz0ogrb!|}NFL_%1)
zx-s;k1b(RIMIsP|%46uB?lHny=#F{I70E?iM}y$|)EQe$Evj9qE<K`|)-xaLMy(5^
zc}z2PG<FO~i6O<@*^|6}=I9qra6B<rb5gN4;CRMg8k@Akz8)lR?^NW!l9rBG(dQ7Y
z<l=j6`%f)l9#b%L70ioxSPzI~l@k^;P81Prs{+ecV2|JdF5Y?;xZk%hV_*?yR6-}-
z!avs69|3*5D_zkF3NyS|hj9=vd{C<^AadA&$Xj?X8joiw*4}G9O>{=jv~FZQ929FU
zze$-d<h+;E4O29DYji-O3M{3QMd>rbKSl*=+?^;(EgReBa+wyuhI=`+dN#4It?IQO
zyiEePD03wo4%xc@>ZK5*@%x@XS(hSLEJJ%Z6=#8Y?KXI9^eO}Jp~J1Wx>?cV>D?dE
z0`@$9&7;|fMM`F2`w8wYFaOIqe*ri0WHe;!_=0`2a2K{qarT#)p!XmU5-hFr0vWo6
z1t9A&f1z;w48a3rESYmIHTqpVD?4P7;7TWu4)5gQVdv$X#Gnpt_y)PZDs^Urjua{=
zo`Z=luj0fQ^V7n0BWvbVc8b+lf0S?Bf~ifeu%4@d5r~&3;)@Ra4x)>3f}CB%y(k19
zco)iu%>vVt0|EB+!~Xk?TH}jS&hHB0{D<JGcGichHetE0EWSRJl{#<hx<}rhx^CwC
zrRxU2U;1t}24jxA4Ei1*z+>c*t&u%=nd|%2R8m{t`Ih)?XuCE=8>J(A-mm5a=y@h|
zoT#zPZaIEnlFhn%vviP`D61FxM7fzvj2=5h%HR*Sit0WV3)a5&pc=$)VYb5hiy_In
zU?WHtOB*cI!3C;&Wh|YW<L)O?Z%h3AmU2OX5#V4Mr4#&gw_t>bFvnBE2EnsvHDEyo
zKH;0nl%WDvKT005r`f(3CTN~tg^nmWfpt8)sv?@5|H|}exZXAC_0SmS;_gh>fQBYH
zkf<zt*0KlXAP;Pj<r&?B;0o^kyE2Z-+R>T^PytRk9_~yvmAEkwtu=J%s*IMeug1aX
z=9HfBMcu<&zD^C#!jIJO`Hn{`aZqe$_iOpMq72@CL_|9ye0$>i)^R@v+UT(9jN(3@
z$)eu#?JKA@R!~H<;FLcD0xo<AfiMEVacT%};ozv8Dwk^gy<Pf^9kH;~zOKh*f~$5q
z%Nu@Zjo@7sa_S!|7yNd$Y(6PG?6G&QFFX3XFIL|?Zkn0_>u=3{Z{xG(JF8_bSpQAK
z0tCY;!rOr99!vpI>bF|sfiF7bXt`ow=F-8@Dr~~0W^~VYuFuc;P51RV&mYN^gM~>(
zvHri0F>V@jcIR~dG_9$uR_)*Dn7I)X!ai_ym1@9x4!#)F{#MHsX(N}uf;Zb8gL73x
z1s5iKJz&X`#jEmg3GCG&9I%2BchXaVN6QM|$8AXvP^DBkaF65Ir<}19ASYkU{|bDX
zOl=-2WgSr{-r*rmyeifeo72<%fSf^n%sCd<I&XE2eX;v*GT}6Xy$B8oOgP~YGD*lT
z5Ao_I4l#n@2NHf+z2Zh3$2~1|mBd_EJO%0^r&fsS9B6|%&HZu0N0_`?DmZys&Q1+a
zEnekMDQ@|0K)47D9#K7^tW0(6c70%9_V8(soLHs_zkcg)|FV1kuVfpBJDRX3169*;
zU-IGDJq|(@gS6*S+x;5WOK%J1NF##awGzfF5(Jajh#A-uF(e){8B9^d)>8n?M-Q|L
zR)+c9UczM#g9i+?;2j-!^wN7x!jvkQn1Wf0hxIuu^v)z__IK8dU(*Coa5LH!r!`HX
ziQBcnI_AnD-ioXR>Xdf0r4VwUWF}7-fT+M!>l+n#H~dZxrJ8$=mAe3^W8V>VhQUGA
zdP!yj7YemJ1peRg2cU$>Tu)(BMveFh=lZebKd;+a^YD30sduh_<YNEE-<*DzETbmc
z$kB-CVCmMiT@-tdJI@3<j#fGIw86e640}h|p3#S9>OsxI1LJ+Gh)sD71VXQM%p=?b
z#pI+5_@|zKnmAFKoYA2#_2#QTqo#H|`3GhcVz#G6rxaS>@n8(5|FPXy$9?sc)}9;0
z@AQ24r35b~GEPL2Q<PqMB*MsNz^qMwC)l&%&3UK;^NxZz|H*05;gdzh$4}q}1V#Oa
z$aRu38J2o=2#*zS6X(TzywB4`k?aKXwbn@*bML`7alUX{cOuDMXl2qL4bXJ!2!889
zeO<H2JL0!bD7eq49SGd}`dg;;D!<{N1NVYaeF8)dF-IRp#`0}4n|rCJtwkr#MW>rn
zap@1<OVmN9a42Iv3E{Xy9xI=0J}Lhz1n~csmFob#kfY`Dlpie_ysGp^9abvh^df1m
zqS1@+4d*>EqvB>^Xpf_hL>A*E`!P6ug{`4|B<>1)$ErCQYE!pUJofKzIUI;sS!@~f
zC*NF7%pR#sfdpFenKODqmUGhcVo$iAHJuE^L4bT!)1`P=zlQL0j)nGBpXQ7JJf+(?
z>9yd)2+yRi;#23?53Muq=VX<G0>9z8^IIe&>{H9vChdlXv=kPF<rO6ZU9rX#-f9ck
ztz+}@9s*FSvQjB|n%FTf|A@B_Ks$7BlN&`e$n9BNr;u`*Yb+two6sj<eYnEf!~-UK
zC>fpIP{7G_;B};q=_2qJ1^ha!J0KRzSbv68iXQJw31Az#zXBWpn^+uS2Vhw=Z~{6V
zotMgqnT^U)qw~`7NRQ4NipS9CybL@tqVtC1F+4gi6Ax&78;Vi5f`=P1l+mFrjweeZ
zLt7~_TK8v!KX$ct6jwxEik1{cm*EQiPWZ(-BTsZ%LrOY39i2}ME6e{|N#sEOXVJ^P
z9dMah()r||l+PjuJ3k%J`NR>(%Rh*pB~zS}5NH!_#{wK$h8sUJ%Od~Ce}(TJAC6d+
zj4~|z^fC}S6_}p@8GwtLKEr<aE_A%}$$_0a4$t2a`Mk4pQ2q{Jcw5PUp}#AM>`Osf
z`KV8^%=SH3HtMai`~&5Y-AFu8KI+*NEAn0ElZSOaGc5m^$brtzA^FdgMV>3me{$3T
zz?ESwoj~W|2`OD=k@recwx?kIe^VSfrabaddE~hg*k~eOmqiXnp6#NmJY{HBdCL1K
z2-hr2!E7i?fg7_7KQmH7S;Nax7%ST9%Q6wh#8*K?Q?tq<7>mQu+tf&DDjw;P(scGc
zQaTimj7Vt)9>XK0!|}+Bl)|Kuwuc+HsG2j*Q!^0+`xvG9a@?(uxP=(e(VR`@1?_<5
zWLpTM9;VYK80|1ax@b|piFV2Li{2l6>B>JW+DMnxAm{qP-o`1D|1slkXXIQ&<6b@U
zhzoA0PrD7j@T$rCUTPhA+%s=pgkRjBM$R=O7iKfMBzhqvp3;_IM$PT8fU~g~s<9R}
zb}|~nHGbG>RivD2LKR!z44~Gp&sdtaz7XHW?wl5zH6RbA_7GFv@YA{XE*Ffp&e+dV
z@jfDF=ck9ohQ0t$BLZ*6j?Om^FX^;0M<cGz=<G_zD>+d8^0)BI==^X*N#~nCM$+IN
zk+O|>(W&tDU6I%M=77OK;0tH#6L1)Oc$fp3zk+mn*}4QQH@_n~yw&kkWY$W#iKBIY
zdKkuNi?Jd}-qIxh{5ovHZJ(3}-$B-eWt8o()7Xpi2Etqel+mve1=EO!b@U%G`lYZ<
zeTyXx<{B(PK+KjF08Ssf4}_SI=bE&S_uM$nJqV>42buQXRTgc?E>HQcEYg5-UzW6f
zSG)ufhvj)?G@5@{()!-n&_`R}$GBh`Sy9M|^J1xI5xfi+ezm^YA%X!yFf9+S)*XxY
zo_%xn5|1nL+Vt4O6H30?HXwYwtM$DO*)e|D`p((lcX$DqT<+C<7TzLSG4>N!4vUw7
zmgRYJY?@x&){l$P?B2UK7qgd<?bcCf7>D6vQ^5e=>~N)QgVB~2;!@mq!uvkohg?m|
zlUpQq<1ShvkyR1%<mn1vkLd;*`M`Qg#8$XT@WJ~_BNu0bqh=;sQD)1@O5QR?<sQbd
z<sa<<7SQh>qVf!$2dx`MAf@E5$l8HS&RcLWD#5Ra$VEPnETcuanUBPL!^);HD!N)q
zXzll6>ORZ2u>pm{R($(^`!mA`8ZO*OTWfd`Wl?Q}@bu$%5Qt1SJopwiOi69PFF$^T
z@Vge@>j2q^XDxm&G?w9Sjg(~iBESWbYBL4e2k2bXI|~rKYxAPLYScoAT4NmQV!mp7
zDWHA$X9B`!EXChtfM%N>{0$oQXmu%IS#tto_9wZ{T);X3=@Wcwbs5uGj9Q30d(Jxj
z_!k29P52eU_e2W`oY;~vTK*Y1^3O2l8|B71pyYg`)R=*Pvy#3w8>br+fuEvT|FGv8
zGmY6OYs0GAj5r-~KtVrfT7z1WQ|r;sTKprm43t;+&j2LT5FKP(2ndcZsYJTjFea!~
zjht$XmV&f%&d2X&^gbEW3aKTGbOR+g3;gIgA$<5&ty`Nfc!bcd7vDICO!$io++}$d
zzJt&zu@Oa(V;I>eHx`L?Ql}5Knn(*7<3Yc%c=nzr*?=625?&1#0NhNZ1f*JyE%8$G
zm-RGB9(%9qt;cT<pqkKfS)W$zkvEY}_<+ocpul@T^$@<*${hRGO4gtq4|+x1RJn>I
zI<bx=z?7p|DNrGd{%p)2@Oz}F9&xnF1sjf!Js+8uz*hB+^OWl@fce4|LKqXj*%Ou}
zec2Xg?#%xi<xSMc^}$uaHPVD%fh5`__fcU^I`*a**l7|ars8{};J(OE--AdY?WW^d
zi|6;l_vRzL;p{vYYUg~JZB(HyI5~hh`3LFJfckTiXgR?sz&h<+56g4q^-evf53T<-
zs99*a>5v|sgA{Tfa!j>6lIi0DmTHB%gc=-Cuh2`a*}m(~2VCvdn2Y`@>h{JyndUZ~
z6lb4--g-bO@>H(>WK0s{*%zu9^sL5w=1l*-G8KRz)omW5U=y6gk6iMW`Di^cKJ$Tr
z7b8Sj!kIK*<_PJ;(G0}bP!Kuxnn>_jQmzKPm<nrxKTk)EH7Ls#{h(wBc{W!3HdWSO
z0yD~=1poZkYqIfa0DrB+s!ZUOs9Q;d9AHw9{!q%X{=_d^8rYIUNd;3z$c8_(Hm;fk
zM}-|mB$L@^9h$vHH<_!GzBcwbpbt5HU+zMjJ;);$=*v^M8kFqpyG~5eHG1<T_BeUg
z&et-T(!=gs|Fg=LG0C&kp3k->kXZN0Q1*CpC4>cAa^Vn0q5qba$$TSMvL!)pIJ?zy
z%wfVLTFuQJ9}LutU+DLT#(V0#<HI4ZFSp((t;#v8#OL$ZREIp3e!nlfyv|$Uudek3
z%Bn-v<IJG<a?d#PCrx9`q9U{W9GAOl_SC86RaM3)w|imO>kD}s-3?)%+rPvUsPp-k
zW~%~?D8p}KjhP-cX@>k}oj1_1v^wB1y@;C+)K%Ab%tqt{!%a>8K*&>@Ym^59{(u?u
zgiz}ub4JkBSnCC1UVme7vN^iJ=-UU@oLgf|_1AjLV7))=tCboTddz^Qx~AS!Yt;DB
zR%6H*GR!as^H-gBQO;S7Zlndgo}f9!bd}9@PcNBkOh-(=8S*xG{9)ka5sXKN&0wxE
zWVA16Rt7x5pjq9x%v|hQ#@?`IZ(|t5DX*Gp0`1F~dRf>T$~947$PlB}v&38DF>=nC
zQ=W59RgO^#Y)9u!Y&J&cp5hCR_JwosAD~9%%<@^Ye(FBIWIAq_pI&lqx!YByzsxD0
zS>>8>zM-GYD4p%9DC3tRV?G9Ceg&{-p3izh-jENB8^p{3l12kafRhP1-de*)7z4v@
zR0oh4^3;UF0q9nzPt;h30v?ayZS;l$(9fEL;s(3TY8Ps{g#$7a7)P|Chia)e#6}j8
z96`U&V>VzcWUSa*jI^m}s0r&1cp9pac$S%G1eXOvo`%{SnI01gCYsqmXY4q0HacZi
zHF;{hb$akoNABpn3E^?(98Y5{NG+JDG{ZD|RfK66#C(}-qQ)V}v_C%1=~~m<P`!xw
zVSo%%(gJ2vbpVt@A#?U@SDBq@7c`S8HrWJ@s#-xan2aV$DxBi&#%KHz!Mj)0NqHLM
zzNO6>RUlyU3OL!<9Iu=B1wAzwMw1kjy3K5KY-}$O-Hl+qx1m?_@$T`<tjg(!WcC?Q
z@A%O^FY3QM+>HNb@n}55@uuu`ldV?R*vV!CmQzlhKTzYb(fJ;jdT(v5r}6uNIDd3*
zyavvYCDnocn)yDMUd{9al+=t_>#3^_`$A@-H)_6+RPnq74)M%*o*%0Y{3rwj<C!ds
zPq2CkrXktSvO_Zk!c*%F`2&Y!R)<6W9L=`+W=fttq55V@rTnwd<7tX#281nhgmM;w
zZTM>zdy?B!GfUPc8V&e;zR9M)u1*a^f0+%{jp1tF_vd@-a)Q-$dNTA^fjw9ByvrdY
zNg4rm5w(9$?qYQ9`*Rzrxop0tD5mugGB|QC-DvXABGY71$c^}@T^=5fHNcF-$6FgG
ztxgnfoRlcPDW;YtC1OH=T~ns?N;KnaEIxk{+`Km=W+cT-pG3vl`Xnm;o|LGHlJ_Si
z0(~t3>_m~*jnzK0rke9WP^$5VDgPD;^PzMWj%w3Ggewxgrq5Fs8pkiSSQJ9ba3Fwb
z46YlhmtquMnwE{8=0h@+psA^^Zd}x_oSB*=cuWDq`hq0JxY`N@M7LHc^f)J^RIkzk
zCuM{7I?wGTrnJ;sq-(1-MN_JEQK(b~{2_mh-)92TTAz}EO6a&n=olg}G><oCH&!o%
zv;?01CQqXops=j<1|XOH!WbGL%taM35{y)RRg6qy0?`#DRmN!OG4@ndBMABi4b7E|
zVqraKIj(S-BEB%L!j4QY_;3h9R~P}5YT-kD8&awLwUf-C`j$%0``)rP1M9c2o!MV$
zGPb^jnARU`e|)cR+5TYqtLsoU2Azv+(9qn@0L$!K`JsjSt6EP~VMqq4XOPA9tt%O-
zzgpDVfi7IjNg|UqfEf>7HcKnIn$>wZ8!=lNbPGRFWJaT>3ZjjB0m|S+$>ffKp9P`a
z290u&9cGnMR759ao-BN0zT#5znIa18`F>j`s{?zf%{3LW$%<!?I;CAui^KV+<bo1)
z(A2P_@OYr-<r+=guPhAL)p-Kusb=tUV-!KC{Odv&c`wd6OL(%IJlO!YN`2DbatonK
z@w;GlPBoNX;VWQX)eRnV406VB{mPedrgu@JKL9EV5oJB)oTa*FUU{WCN~e&4Y7%qZ
zb5vyMYi4MZzoB|Dv#4lm_HMJw27~Z|qT=R7q%wC}=p{$ZE#J}iM$c0DZqJ#32h4)C
z#-)JW8qs71YU(uw7I~qd_g}>3fHI}NpZ}@(S4Sll^+UsG^gxLC8_-?NbE<1=xv`RV
z6EyZTW4?qu#7K>a<mU!!!DziTMs7_*Ep{}pBKm^?4^0*L9CY;b>^!OW{~;MYJ@?`N
z4LaS1X#i|hKk%!M@98-RScitc9%cL1`S1Mx-?Y#AUmT^{ZPV>n0I#Qp_w-CYrl;rd
z<9d36$M*ERh2KN<@3bR(dhGxAAkY5(uRQ;NI!He?E!<5qPhjk%v~UMKK8Pewt?ZYV
z5iI^u%SmOx6421(7L@?oF9p(snG<pcL)D?Mq)?8z17SJ`<fE6NJKX5KER6PaeQHH6
z@-%v|+oa9a{^<Or0qkDw?YleVciTM3hO?g<9uuq|<N?&&fVJqaq46T*ZSuuC=MB1p
zwQg>y?3&cGSASWnTHS78&H!Nv_fkxC|I(m4u2LuJIHbIWwIOsqYjroXGG8s7CN`cn
zeT0#?*?wqQlZPjd^(VQ!rmdYN&qLY=;UVj3D3uQvlpE{X4Q>pg`Zy-ZA6;H+6G7>|
zyDs2waEm>lH-56lVPHu5D52`cr0}DJvIHe%+vTPI7#Vwr;~<`9T8ZMr9X!++R8tFE
z(88Kpqul4gY_rF2#==W6hcO4Qm{jYjE<AlgO-?~gZEem(&l!0+)ipKwId!K^Sa{mR
ziM12Ym{f3;T{>t?n3%^8Xsjy?8u=3>iMIK^q~h;jcp<2#P}cbZ2c+CGv2i~TjC_Z>
zEDRW|d%Fo0<YGW8r=l`JDwh+XJur9DSV>P7$1vFl8kS#}J=$JY2U!Z4)flSwjSoUK
zZ(Ni^>t9Y%Iw*&gU*~N$n*6~KpRia2Vcn^BH~QT*)xr2!+UfCu(O<CA1EGFOB+_kk
zIJw0Hi7CZh7uwcJJ_MNTDX7f`Ob@Ikv}@RMsyfg>G17nL(rTD+kc(}kDyU>ivm2W~
zW10Nzjj?Xr4dxR-K6ab^=W{twupWZF+C1e@bPG9QOzmr*JOl*heoT|vCRm!s^D71U
z=-@c@pd^>ym8dd%ba>q8@MxF`p@lRaf*q!SZ2R179{4r+U{1wQC3=yZk0pn3@7=%T
zeD1sK!kRDksvkTN!`{0*bQF&)eRon#-$McJFfqy$1|C>zZ9A>9I@=l!fuQm<hnvhM
zy_bUdd9k;t3FDe;Q0p>kLkl5mM5+79PfY&uc^Vgm>cybg8$X2=D+SL%%U~(Otr|QH
z*kalAlY9{bK&@8~lgbNHy=(8cd@qos^16K^q2Pcym_Ddiu&L<%VqX<VwuNHf)#lCl
zwE-`!0)12^PE8ZT7pP9`A6ctNr-Z%pP}{k#jtd`pGeou8rS{ik9}SpQD?=(3v_AMy
z*^7@Kb#>KFA9&d@v$W|Aipd_>OZUb>iLDEBPn(-WF5w}4sz~_Jdizo5gB{ZAPcL8q
zjL`mwV1W(7tr|LHrh@t9DCP)~Bsn)IYU9q0nou*m2jgUy0S^Z^8)J>U{0XN`EI9p)
z!bv5iQ_ITFNlK^&=l9eZuJheh<+HMbO*v;R1S=h9=I7!6>0=F5AG{Fi3+J}s)+!NI
zG0Z%-8<H>Jo-pD2GENho5;n3M!#>|w0}QaC8jQsl2D4VEIk!>Op4%vu*TSj84T-%=
z$WyG>sNk4-=zcL=jgbCc3}STvOAb4LWRrnW3OKz2S%*=oR%6KTH-prujPtQK<fMeR
zT{x7k^+M`xGBHG<G-kldf@uon-yepNIB3lA`@+~))%XK}a8t<sS%*HMN|=*tz17Ba
z{<V!f(vs{GjglJFK$}e?6&iq}+9n7Wj})yI4q|Z2Yr?rB<zz+yw!|m6n(^NY#T8|^
zrcSTan9n+Ami;wu<FP5F_A*|Ya<s+Hkgcvaw9H)M_4~wOVoaSmRo7LH#erU{-pqtq
zDnM&+_Jm3Fli9yc%NvV*vjB=}We<oCCa^FpP2ivn;E)a8Aj)z;4OgX!X^Kt<LBGa2
zpSLDtIA_Jtt_ll%Fpi5G{Yx9oMZRTC^%x!>M%S#v&X&F)H9+>SDlkm!Jz4oV+=VJ8
zBuH|2;pPgEU1mc+35&aUti8_c=Y~srdKwzl|6BC;=e>zEJ1>ef8}`qDyHCSz!IOFa
z?EmRL?03-4zw*CyaZgWQ_<d-HX{RHPbsUN3DjdqT>zk1D{YIAWQ-@t2)7kf?aIijE
z+Aa$Cm&(%9gpvHlFm4X%{ZVE^w_3h#?O4L%vp=$*s-ymlZ8S_w39h4<OueVM7P~NV
z^B^>VaKl1RApdmWlk~gLt_)A`7I$4ESVc{}<}@l(R)Xkp$<XnA$RYbBTVDY0tZ7=t
z7VUcYyYLV`tM-}TvDAe0rc?FZE~%b&y>_Yw4S1AU!blx3+!*t2{p@e+i)P#(dTRE}
z{HN=$?nyO<8ADK{w@gUH)=Wmk5TnXe+zlfJtMQ%6Goy#>h%Lq}FxF2+!Y~T39x03p
zV+6(`iC+4l7ODWrh>yi6StAh@>bqSpRrY_s*4bz~u_0i5SOEVR_tbw~eYH`ae-V|i
zB)98ivm^+vBfifuqhZhD@&{9ad1iEQ^5}3ebW`Xjbn-(Us}E{POv1iRG<d3mU?ym$
z))TA=c*T=UdDDa+jkTU;TIFWD&YyMK1aZ12K_!{Q!OKK{vHcKcwl~+4n`A$Nm9=&(
z6sSh{n^lY4-Ow6WIdvwyu%eUL6GuNoO%3^O4NbcNFmj_Bx9l>on_Z;g`p!GM8kC>#
zuapNIYg6?eGW)R_LpinHU=3A@WuOyx@v;<X*K@-KU@W9F&h7OZw6Io|%$#M6&MTao
zgUEsSp9yo}4(BiRrSDTvw)+7`qk9nqs?tZ*exW~oJ~=;mKR}GdJMN}RdT574v4>2D
z|J)s-8QFj#SOpNk`VGg6GEc$};SU<q=NVLhq{B*f(v(5LW$=kjy-Gz7D$5n+?S3@r
z-G<sUz%r#9vBwAbO0@^|8O+ibqHn6MK;i6GsIo4Mi??o>8>6B=`Zuwc586?NOss-B
z{~`1UU{3iPa)Qtd`z$t7Wx;8W73Qm62vg{i{3Io}x<;g`IrIE;Mez1ftVPkMn&t^q
z$r7IBUkuODA!c}$iM7C7QOoL~(j*Mj$$GW&JqgANE$SP6+T~V-$<XEN5W|D*by7bB
zc4nUnsME(A&NaR-+gBY}<VnUxdYDwXG%GE@;Q%M8<ReO>FGzA7Ans!FfrStgjbdM?
zlGz8rK0UMvFAll}KVp*njoun)Qt)t!FRUSHl<Wr7gb@|?hieyuW&bFsZYh9&(yuxn
z)QbLVN$e`^eXL9hS&RLSSE7L4nEn&^<ao8@n8;a>J&anXNw;t09OEQatYQOV_9$PK
znM$o8{<YV&odS)PO1xVQ7FI9x%f8|TYZlT)q7t~c_zRl0Y|jGlUgpZir5Y~Oe)4SS
z3H{{3bA#zp?Q_@r{fqkpunYgQvfAH8LzKc*+~aib2TfWZ5_@#aLAt#!tPXINPBxXJ
zj0J1L!4M#;`nb%@2JfPJM5g)cLOBZq-kQbcGVGj89TqTZh%qct1-9LzCm?QS95!6s
z6eNYMRda)5JI0fZW??7-SmRCDmtp;=n2$q{NM1R%14}v=_g(ij32@P}SHeQjW!e&w
zYe8FT0niwbOf%cAFTfJ@SflkZJ7yB+f03e0qKO!7#&{>2MiV(z$Wd{kiL_cox51W!
zzqy#PVdOLN@;sv)|LtdTPNk&tZ*nT<usua&4ki7bpc8B(R2+^P0B0==<D>d6jt3aq
z7;)pqHvW(mfH*GEt{C$n!d&Umj6g6X8kZ*(7+FsZl-ep|_!&d(hbGE+cKgGKFlEG7
zhM&GINqlIHu?$=DPyo(=MuaF=`yjhjESmu%KyO0=LShUAG{VXkC^Ty7!;Op0DMet~
z4EVzgU^=1?1J%n|3_+tF?ofhM2=ie4hfffjP-R)r59Pk(Hi44|bq90B(3Ojg=l7o$
zs=_GtJ`bRJ%<1Z0B1Q&Dkl*oXYk-W<K%jonZqN3Vc(<vA@xi)rH~D4%<(7V^Jmu%Y
zQ0b49Wo7!ePy!w_JE@uU5d{>MTe}dR*tlatgxuVh(Wsl0C0~(_B>}z|f-9lH<HmaB
zA%gfv=M#Mx*nOVrMt7JyxTN$z_0l+aa(Wn@I(;HcsfpZP<(LnJ{Ri{8<>e^H`Ff&V
zRcjLdKhz%k_e1U3`SJD=^&ZlW^jGbFHAxJ2)%4Tc{OdksX)S5s%HnjxHyX7Q-!U!b
zOrKr~4Shxc`WIC3%bN{GHkoG?nc|1b&pE3eW9|v$DuZ+)I^U*guwkLsAH>wcp2P2H
zh~v-3I2UbvlAJQ*gZ0%D3Qh-B{o4ewZbHq#GKghkC|GRel^9*PEQFPt^y!<=T}D#2
zT^{&(VZdO;y+67<x8eQd8pbW-SC#&v?2OBv{ifsLyI*;@>!QczO#1xD&wqN?HD~|w
zg-cGj@0Q;W+LLlo>rtCm=4WlaYUu3H#hU{M|MYsxy#rspE%f<qot@s>-o5tR&7VH;
zn@-2mYldd|$93iWenn{7tN*iZ{>#@NSTgg1vu<g4B7g0UF$30Zzxt<J_8$J`6X*Wo
z-WM*Yd1~OIv15m?9P;Rx!cjlY{kCD;^dAi?teO=Z;@LRl(j~c1KDK=2xWF&hSX=Hm
zukQG@P0{lnyYm9y_T#KyK9@D{))!Y69PwpS+oc)Dbl!Dby6=n=E0#LPJiKY$#0Q6-
zFlpNF_nbfDsoO8w>(8zK<eHx&zU%Jh;mtc%q#w5ZhOc`z-_-4^yldZ`2R47veAyE%
zy~*{TU;icraKv2fXLhlZvh!0?>>qfZs((-HlWv2&KTg3P)X$6@_1o0Xar$|deooU*
zyL|I$3jSyM8PU(%^z&Z*d{jSo=;to|d_zA!)lXxhs?VXHKi1DI{hXkmQ}lD1e$LU)
zYW=)aKbPp|wfcFZe%`8|cj@PY`nf|tU(wI^^z#e-Gzt`cN9gDA`gy8;PSMXw{k%v&
zYxMIn{cO=sn=Uu%-?!@L-TL{?Q>#9>>c76?AszV)oTA#de=jLjzpvEKzyA5S-II&{
ztNhMQFYi2Jk%tH0dVOxtaI5vxeleE)R;*sY_;HVhyZ>K=?>is+*7u*^|7R(1GCn#)
z(FIGx<le_Rcs_&>|7Y9$Pi_C-p@6HbDA_bUM4xynItfF6(h#1FDmp0{fCqd|qN)Es
zpZ{M_Ah@tPG%kN!RcXmA9P^SRQR8%4eJIovoIHN~B7`G_7t%yLK2R@FMBK!VhrxW|
zc<wUCvv6)h?GQarP~EJ0+jm)O!XNGNLDdcf$JqdwL*wk)by}|1Ki;k&7hX_*kk#;M
zR`3*Ezh#p!3t~%;-Fx-I;CL88eZleGU@+`~spmhRAEp5AJzgOY8Es};c3W|qv#qji
zZrg&k`nIOFmbUBLZfd)wt*vcs+q$;(Z5?ep+IF_>X?wHHYWu8hf19x;eND!i%r)kk
z>@|673fB~`ajvOcGk48`HT7$n)-<naS#$lGo7UX2rftpIHS5-_U(>N>$C{mM_N@7A
cjd4f%9eH;Y-m&10`a6CY!T;p`KS_cA3;Bo?NdN!<

literal 0
HcmV?d00001

diff --git a/hack/ukify/constants/constants.go b/internal/pkg/secureboot/secureboot.go
similarity index 73%
rename from hack/ukify/constants/constants.go
rename to internal/pkg/secureboot/secureboot.go
index 147b5e3ca..ed6b301b4 100644
--- a/hack/ukify/constants/constants.go
+++ b/internal/pkg/secureboot/secureboot.go
@@ -2,10 +2,13 @@
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-package constants
+// Package secureboot contains base definitions for the Secure Boot process.
+package secureboot
 
+// Section is a name of a PE file section (UEFI binary).
 type Section string
 
+// List of well-known section names.
 const (
 	Linux   Section = ".linux"
 	OSRel   Section = ".osrel"
@@ -19,14 +22,16 @@ const (
 	PCRPKey Section = ".pcrpkey"
 )
 
-// derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36
-// OrderedSections returns the sections that are measured into PCR
-// .pcrsig section is omitted here since that's what we are calulating here
+// OrderedSections returns the sections that are measured into PCR.
+//
+// Derived from https://github.com/systemd/systemd/blob/main/src/fundamental/tpm-pcr.h#L23-L36
+// .pcrsig section is omitted here since that's what we are calulating here.
 func OrderedSections() []Section {
 	// DO NOT REARRANGE
 	return []Section{Linux, OSRel, CMDLine, Initrd, Splash, DTB, Uname, SBAT, PCRPKey}
 }
 
+// Phase is the phase value extended to the PCR.
 type Phase string
 
 const (
@@ -35,22 +40,26 @@ const (
 	// LeaveInitrd is the phase value extended to the PCR just before switching to machined.
 	LeaveInitrd Phase = "leave-initrd"
 	// EnterMachined is the phase value extended to the PCR before starting machined.
-	// The should be only a signed signature for the enter-machined phase.
+	// There should be only a signed signature for the enter-machined phase.
 	EnterMachined Phase = "enter-machined"
 	// StartTheWorld is the phase value extended to the PCR before starting all services.
 	StartTheWorld Phase = "start-the-world"
 )
 
+// PhaseInfo describes which phase extensions are signed/measured.
 type PhaseInfo struct {
 	Phase              Phase
 	CalculateSignature bool
 }
 
-// derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308
+// OrderedPhases returns the phases that are measured, in order.
+//
+// Derived from https://github.com/systemd/systemd/blob/v253/src/boot/measure.c#L295-L308
 // ref: https://www.freedesktop.org/software/systemd/man/systemd-pcrphase.service.html#Description
+//
 // In the case of Talos disk decryption, happens in machined, so we need to only sign EnterMachined
 // so that machined can only decrypt the disk if the system booted with the correct kernel/initrd/cmdline
-// OrderedPhases returns the phases that are measured
+// OrderedPhases returns the phases that are measured.
 func OrderedPhases() []PhaseInfo {
 	// DO NOT REARRANGE
 	return []PhaseInfo{
@@ -69,7 +78,5 @@ func OrderedPhases() []PhaseInfo {
 	}
 }
 
-const (
-	// UKI sections except `.pcrsig` are measured into PCR 11 by sd-stub
-	UKIPCR = 11
-)
+// UKIPCR is the PCR number where sections except `.pcrsig` are measured.
+const UKIPCR = 11
diff --git a/internal/pkg/secureboot/uki/assemble.go b/internal/pkg/secureboot/uki/assemble.go
new file mode 100644
index 000000000..24a346948
--- /dev/null
+++ b/internal/pkg/secureboot/uki/assemble.go
@@ -0,0 +1,77 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package uki
+
+import (
+	"debug/pe"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+)
+
+// assemble the UKI file out of sections.
+func (builder *Builder) assemble() error {
+	peFile, err := pe.Open(builder.SdStubPath)
+	if err != nil {
+		return err
+	}
+
+	defer peFile.Close() //nolint: errcheck
+
+	// find the first VMA address
+	lastSection := peFile.Sections[len(peFile.Sections)-1]
+
+	// align the VMA to 512 bytes
+	// https://github.com/saferwall/pe/blob/main/helper.go#L22-L26
+	const alignment = 0x1ff
+
+	header, ok := peFile.OptionalHeader.(*pe.OptionalHeader64)
+	if !ok {
+		return fmt.Errorf("failed to get optional header")
+	}
+
+	baseVMA := header.ImageBase + uint64(lastSection.VirtualAddress) + uint64(lastSection.VirtualSize)
+	baseVMA = (baseVMA + alignment) &^ alignment
+
+	// calculate sections size and VMA
+	for i := range builder.sections {
+		if !builder.sections[i].Append {
+			continue
+		}
+
+		st, err := os.Stat(builder.sections[i].Path)
+		if err != nil {
+			return err
+		}
+
+		builder.sections[i].Size = uint64(st.Size())
+		builder.sections[i].VMA = baseVMA
+
+		baseVMA += builder.sections[i].Size
+		baseVMA = (baseVMA + alignment) &^ alignment
+	}
+
+	// create the output file
+	args := []string{}
+
+	for _, section := range builder.sections {
+		if !section.Append {
+			continue
+		}
+
+		args = append(args, "--add-section", fmt.Sprintf("%s=%s", section.Name, section.Path), "--change-section-vma", fmt.Sprintf("%s=0x%x", section.Name, section.VMA))
+	}
+
+	builder.unsignedUKIPath = filepath.Join(builder.scratchDir, "unsigned.uki")
+
+	args = append(args, builder.SdStubPath, builder.unsignedUKIPath)
+
+	cmd := exec.Command("objcopy", args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	return cmd.Run()
+}
diff --git a/internal/pkg/secureboot/uki/generate.go b/internal/pkg/secureboot/uki/generate.go
new file mode 100644
index 000000000..5a0caa09b
--- /dev/null
+++ b/internal/pkg/secureboot/uki/generate.go
@@ -0,0 +1,206 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package uki
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+
+	"github.com/siderolabs/gen/slices"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/measure"
+	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/splash"
+	"github.com/siderolabs/talos/pkg/version"
+)
+
+func (builder *Builder) generateOSRel() error {
+	osRelease, err := version.OSRelease()
+	if err != nil {
+		return err
+	}
+
+	path := filepath.Join(builder.scratchDir, "os-release")
+
+	if err = os.WriteFile(path, osRelease, 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.OSRel,
+			Path:    path,
+			Measure: true,
+			Append:  true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateCmdline() error {
+	path := filepath.Join(builder.scratchDir, "cmdline")
+
+	if err := os.WriteFile(path, []byte(builder.Cmdline), 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.CMDLine,
+			Path:    path,
+			Measure: true,
+			Append:  true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateInitrd() error {
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.Initrd,
+			Path:    builder.InitrdPath,
+			Measure: true,
+			Append:  true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateSplash() error {
+	path := filepath.Join(builder.scratchDir, "splash.bmp")
+
+	if err := os.WriteFile(path, splash.GetBootImage(), 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.Splash,
+			Path:    path,
+			Measure: true,
+			Append:  true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateUname() error {
+	path := filepath.Join(builder.scratchDir, "uname")
+
+	if err := os.WriteFile(path, []byte(constants.DefaultKernelVersion), 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.Uname,
+			Path:    path,
+			Measure: true,
+			Append:  true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateSBAT() error {
+	sbat, err := GetSBAT(builder.SdStubPath)
+	if err != nil {
+		return err
+	}
+
+	path := filepath.Join(builder.scratchDir, "sbat")
+
+	if err = os.WriteFile(path, sbat, 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.SBAT,
+			Path:    path,
+			Measure: true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generatePCRPublicKey() error {
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.PCRPKey,
+			Path:    builder.PCRPublicKeyPath,
+			Append:  true,
+			Measure: true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generateKernel() error {
+	path := filepath.Join(builder.scratchDir, "kernel")
+
+	if err := builder.peSigner.Sign(builder.KernelPath, path); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:    secureboot.Linux,
+			Path:    path,
+			Append:  true,
+			Measure: true,
+		},
+	)
+
+	return nil
+}
+
+func (builder *Builder) generatePCRSig() error {
+	sectionsData := slices.ToMap(
+		slices.Filter(builder.sections,
+			func(s section) bool {
+				return s.Measure
+			},
+		),
+		func(s section) (secureboot.Section, string) {
+			return s.Name, s.Path
+		})
+
+	pcrData, err := measure.GenerateSignedPCR(sectionsData, builder.PCRSigningKeyPath)
+	if err != nil {
+		return err
+	}
+
+	pcrSignatureData, err := json.Marshal(pcrData)
+	if err != nil {
+		return err
+	}
+
+	path := filepath.Join(builder.scratchDir, "pcrpsig")
+
+	if err = os.WriteFile(path, pcrSignatureData, 0o600); err != nil {
+		return err
+	}
+
+	builder.sections = append(builder.sections,
+		section{
+			Name:   secureboot.PCRSig,
+			Path:   path,
+			Append: true,
+		},
+	)
+
+	return nil
+}
diff --git a/internal/pkg/secureboot/uki/sbat.go b/internal/pkg/secureboot/uki/sbat.go
new file mode 100644
index 000000000..e526f8b2c
--- /dev/null
+++ b/internal/pkg/secureboot/uki/sbat.go
@@ -0,0 +1,38 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package uki
+
+import (
+	"debug/pe"
+	"fmt"
+	"log"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+)
+
+// GetSBAT returns the SBAT section from the PE file.
+func GetSBAT(path string) ([]byte, error) {
+	pefile, err := pe.Open(path)
+	if err != nil {
+		return nil, err
+	}
+
+	defer pefile.Close() //nolint:errcheck
+
+	for _, section := range pefile.Sections {
+		if section.Name == string(secureboot.SBAT) {
+			log.Printf("section size: %d", section.Size)
+
+			data, err := section.Data()
+			if err != nil {
+				return nil, err
+			}
+
+			return data[:section.VirtualSize], nil
+		}
+	}
+
+	return nil, fmt.Errorf("could not find SBAT section")
+}
diff --git a/internal/pkg/secureboot/uki/sbat_test.go b/internal/pkg/secureboot/uki/sbat_test.go
new file mode 100644
index 000000000..13f7f8023
--- /dev/null
+++ b/internal/pkg/secureboot/uki/sbat_test.go
@@ -0,0 +1,25 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package uki_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot/uki"
+)
+
+func TestGetSBAT(t *testing.T) {
+	t.Parallel()
+
+	data, err := uki.GetSBAT("../pesign/testdata/systemd-bootx64.efi")
+	require.NoError(t, err)
+
+	require.Equal(t,
+		"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\nsystemd,1,The systemd Developers,systemd,254,https://systemd.io/\nsystemd.talos,1,Talos Linux,systemd,254,https://github.com/siderolabs/tools/issues\n\x00", //nolint:lll
+		string(data),
+	)
+}
diff --git a/internal/pkg/secureboot/uki/uki.go b/internal/pkg/secureboot/uki/uki.go
new file mode 100644
index 000000000..27c817cda
--- /dev/null
+++ b/internal/pkg/secureboot/uki/uki.go
@@ -0,0 +1,126 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package uki creates the UKI file out of the sd-stub and other sections.
+package uki
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/siderolabs/talos/internal/pkg/secureboot"
+	"github.com/siderolabs/talos/internal/pkg/secureboot/pesign"
+)
+
+// section is a UKI file section.
+type section struct {
+	// Section name.
+	Name secureboot.Section
+	// Path to the contents of the section.
+	Path string
+	// Should the section be measured to the TPM?
+	Measure bool
+	// Should the section be appended, or is it already in the PE file.
+	Append bool
+	// Size & VMA of the section.
+	Size uint64
+	VMA  uint64
+}
+
+// Builder is a UKI file builder.
+type Builder struct {
+	// Source options.
+	//
+	// Path to the sd-stub.
+	SdStubPath string
+	// Path to the sd-boot.
+	SdBootPath string
+	// Path to the kernel image.
+	KernelPath string
+	// Path to the initrd image.
+	InitrdPath string
+	// Kernel cmdline.
+	Cmdline string
+	// SecureBoot signing key path.
+	SigningKeyPath string
+	// SecureBoot signing cert path.
+	SigningCertPath string
+	// PCR signing key path.
+	PCRSigningKeyPath string
+	// PCR signing public key path.
+	PCRPublicKeyPath string
+
+	// Output options:
+	//
+	// Path to the signed sd-boot.
+	OutSdBootPath string
+	// Path to the output UKI file.
+	OutUKIPath string
+
+	// fields initialized during build
+	sections        []section
+	scratchDir      string
+	peSigner        *pesign.Signer
+	unsignedUKIPath string
+}
+
+// Build the UKI file.
+//
+// Build process is as follows:
+//   - sign the sd-boot EFI binary, and write it to the OutSdBootPath
+//   - build ephemeral sections (uname, os-release), and other proposed sections
+//   - measure sections, generate signature, and append to the list of sections
+//   - assemble the final UKI file starting from sd-stub and appending generated section.
+func (builder *Builder) Build() error {
+	var err error
+
+	builder.scratchDir, err = os.MkdirTemp("", "talos-uki")
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		if err = os.RemoveAll(builder.scratchDir); err != nil {
+			log.Printf("failed to remove scratch dir: %v", err)
+		}
+	}()
+
+	builder.peSigner, err = pesign.NewSigner(builder.SigningCertPath, builder.SigningKeyPath)
+	if err != nil {
+		return fmt.Errorf("error initilazing signer: %w", err)
+	}
+
+	// sign sd-boot
+	if err = builder.peSigner.Sign(builder.SdBootPath, builder.OutSdBootPath); err != nil {
+		return fmt.Errorf("error signing sd-boot: %w", err)
+	}
+
+	// generate and build list of all sections
+	for _, generateSection := range []func() error{
+		builder.generateOSRel,
+		builder.generateCmdline,
+		builder.generateInitrd,
+		builder.generateSplash,
+		builder.generateUname,
+		builder.generateSBAT,
+		builder.generatePCRPublicKey,
+		// append kernel last to account for decompression
+		builder.generateKernel,
+		// measure sections last
+		builder.generatePCRSig,
+	} {
+		if err = generateSection(); err != nil {
+			return fmt.Errorf("error generating sections: %w", err)
+		}
+	}
+
+	// assemble the final UKI file
+	if err = builder.assemble(); err != nil {
+		return fmt.Errorf("error assembling UKI: %w", err)
+	}
+
+	// sign the UKI file
+	return builder.peSigner.Sign(builder.unsignedUKIPath, builder.OutUKIPath)
+}
diff --git a/internal/pkg/tpm2/constants.go b/internal/pkg/tpm2/constants.go
deleted file mode 100644
index af6f958b5..000000000
--- a/internal/pkg/tpm2/constants.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-// Package tpm2 provides TPM2.0 related functionality helpers.
-package tpm2
-
-// Phase is the phase value extended to the PCR.
-// TODO: once ukify is part of installer refer from here.
-type Phase string
-
-const (
-	// EnterInitrd is the phase value extended to the PCR during the initrd.
-	EnterInitrd Phase = "enter-initrd"
-	// LeaveInitrd is the phase value extended to the PCR just before switching to machined.
-	LeaveInitrd Phase = "leave-initrd"
-	// EnterMachined is the phase value extended to the PCR before starting machined.
-	// There should be only a signed signature for the enter-machined phase.
-	EnterMachined Phase = "enter-machined"
-	// StartTheWorld is the phase value extended to the PCR before starting all services.
-	StartTheWorld Phase = "start-the-world"
-)
diff --git a/internal/pkg/tpm2/tpm2.go b/internal/pkg/tpm2/tpm2.go
index 316798e1a..2cf6aff65 100644
--- a/internal/pkg/tpm2/tpm2.go
+++ b/internal/pkg/tpm2/tpm2.go
@@ -28,23 +28,23 @@ import (
 )
 
 // PCRData is the data structure for PCR signature json.
-// TODO: this is copied from measure, once measure/ukify is part of installer, we should refer from here.
 type PCRData struct {
-	SHA1   []bankData `json:"sha1,omitempty"`
-	SHA256 []bankData `json:"sha256,omitempty"`
-	SHA384 []bankData `json:"sha384,omitempty"`
-	SHA512 []bankData `json:"sha512,omitempty"`
+	SHA1   []BankData `json:"sha1,omitempty"`
+	SHA256 []BankData `json:"sha256,omitempty"`
+	SHA384 []BankData `json:"sha384,omitempty"`
+	SHA512 []BankData `json:"sha512,omitempty"`
 }
 
-type bankData struct {
+// BankData constains data for a specific PCR bank.
+type BankData struct {
 	// list of PCR banks
-	PCRS []int `json:"pcrs"`
+	PCRs []int `json:"pcrs"`
 	// Public key of the TPM
 	PKFP string `json:"pkfp"`
 	// Policy digest
-	POL string `json:"pol"`
+	Pol string `json:"pol"`
 	// Signature of the policy digest in base64
-	SIG string `json:"sig"`
+	Sig string `json:"sig"`
 }
 
 // SealedResponse is the response from the TPM2.0 Seal operation.
@@ -306,13 +306,13 @@ func Unseal(sealed SealedResponse) ([]byte, error) {
 	// TODO: maybe we should use the highest supported algorithm of the TPM
 	// fallback to the next one if the signature is not found
 	for _, bank := range sigJSON.SHA256 {
-		digest, decodeErr := hex.DecodeString(bank.POL)
+		digest, decodeErr := hex.DecodeString(bank.Pol)
 		if decodeErr != nil {
 			return nil, decodeErr
 		}
 
 		if bytes.Equal(digest, policyGetDigestResp.PolicyDigest.Buffer) {
-			signature = bank.SIG
+			signature = bank.Sig
 
 			if hex.EncodeToString(pubKeyFingerprint[:]) != bank.PKFP {
 				return nil, fmt.Errorf("certificate fingerprint does not match")
diff --git a/pkg/machinery/go.mod b/pkg/machinery/go.mod
index 184ad9184..7ff78ec28 100644
--- a/pkg/machinery/go.mod
+++ b/pkg/machinery/go.mod
@@ -18,7 +18,7 @@ require (
 	github.com/mdlayher/ethtool v0.1.0
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8
-	github.com/siderolabs/crypto v0.4.0
+	github.com/siderolabs/crypto v0.4.1
 	github.com/siderolabs/gen v0.4.5
 	github.com/siderolabs/go-api-signature v0.2.4
 	github.com/siderolabs/go-blockdevice v0.4.6
diff --git a/pkg/machinery/go.sum b/pkg/machinery/go.sum
index 7f86138a4..186f1d313 100644
--- a/pkg/machinery/go.sum
+++ b/pkg/machinery/go.sum
@@ -107,8 +107,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk=
 github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/siderolabs/crypto v0.4.0 h1:o1KIR1KyevUcY9nbJlSyQAj7+p+rveGGF8LjAAFMtjc=
-github.com/siderolabs/crypto v0.4.0/go.mod h1:itZpBsJ9i0aH8jiHAuSlKCal7hni7X1aDYo6vGVl5LY=
+github.com/siderolabs/crypto v0.4.1 h1:PP84WSDDyCCbjYKePcc0IaMSPXDndz8V3cQ9hMRSvpA=
+github.com/siderolabs/crypto v0.4.1/go.mod h1:nJmvkqWy1Hngbzw3eg2TdtJ/ZYHHofQK1NbmmYywW8k=
 github.com/siderolabs/gen v0.4.5 h1:rwXUVJlL7hYza1LrSVXfT905ZC9Rgei37jMKKs/+eP0=
 github.com/siderolabs/gen v0.4.5/go.mod h1:wS8tFq7sn5vqKAuyS30vJUig3tX5v6q79VG4KfUnILM=
 github.com/siderolabs/go-api-signature v0.2.4 h1:s+K0GtaPHql4LdZzL72QvwPMzffY+KB0mszORDK+5/w=
diff --git a/hack/ukify/assets/sidero.bmp b/pkg/splash/sidero.bmp
similarity index 100%
rename from hack/ukify/assets/sidero.bmp
rename to pkg/splash/sidero.bmp
diff --git a/pkg/splash/splash.go b/pkg/splash/splash.go
new file mode 100644
index 000000000..de0ffcc63
--- /dev/null
+++ b/pkg/splash/splash.go
@@ -0,0 +1,18 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+// Package splash contains boot splash images.
+package splash
+
+import (
+	_ "embed"
+)
+
+//go:embed sidero.bmp
+var sideroBMP []byte
+
+// GetBootImage returns boot splash image.
+func GetBootImage() []byte {
+	return sideroBMP
+}
diff --git a/pkg/version/osrelease.go b/pkg/version/osrelease.go
new file mode 100644
index 000000000..767ec1dcc
--- /dev/null
+++ b/pkg/version/osrelease.go
@@ -0,0 +1,52 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package version
+
+import (
+	"bytes"
+	"strings"
+	"text/template"
+
+	"github.com/siderolabs/talos/pkg/machinery/constants"
+)
+
+// OSRelease returns the contents of /etc/os-release.
+func OSRelease() ([]byte, error) {
+	var (
+		v    string
+		tmpl *template.Template
+	)
+
+	switch Tag {
+	case "none":
+		v = SHA
+	default:
+		v = Tag
+	}
+
+	data := struct {
+		Name    string
+		ID      string
+		Version string
+	}{
+		Name:    Name,
+		ID:      strings.ToLower(Name),
+		Version: v,
+	}
+
+	tmpl, err := template.New("").Parse(constants.OSReleaseTemplate)
+	if err != nil {
+		return nil, err
+	}
+
+	var writer bytes.Buffer
+
+	err = tmpl.Execute(&writer, data)
+	if err != nil {
+		return nil, err
+	}
+
+	return writer.Bytes(), nil
+}
diff --git a/pkg/version/osrelease_test.go b/pkg/version/osrelease_test.go
new file mode 100644
index 000000000..8b943ed05
--- /dev/null
+++ b/pkg/version/osrelease_test.go
@@ -0,0 +1,21 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package version_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/siderolabs/talos/pkg/version"
+)
+
+func TestOSRelease(t *testing.T) {
+	t.Parallel()
+
+	// simply verify generation without errors
+	_, err := version.OSRelease()
+	require.NoError(t, err)
+}
diff --git a/pkg/version/version_test.go b/pkg/version/version_test.go
deleted file mode 100644
index 5a27bec2d..000000000
--- a/pkg/version/version_test.go
+++ /dev/null
@@ -1,14 +0,0 @@
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-package version_test
-
-import "testing"
-
-func TestEmpty(t *testing.T) {
-	// added for accurate coverage estimation
-	//
-	// please remove it once any unit-test is added
-	// for this package
-}
diff --git a/website/content/v1.5/reference/cli.md b/website/content/v1.5/reference/cli.md
index 6856e78d1..f839a0b96 100644
--- a/website/content/v1.5/reference/cli.md
+++ b/website/content/v1.5/reference/cli.md
@@ -1552,7 +1552,7 @@ talosctl gen secureboot database [flags]
 
 ## talosctl gen secureboot pcr
 
-Generates a certificate which is used to sign TPM PCR values
+Generates a key which is used to sign TPM PCR values
 
 ```
 talosctl gen secureboot pcr [flags]
@@ -1561,8 +1561,7 @@ talosctl gen secureboot pcr [flags]
 ### Options
 
 ```
-      --common-name string   common name for the certificate (default "Test PCR Signing Key")
-  -h, --help                 help for pcr
+  -h, --help   help for pcr
 ```
 
 ### Options inherited from parent commands
@@ -1638,7 +1637,7 @@ Generates secrets for the SecureBoot process
 
 * [talosctl gen](#talosctl-gen)	 - Generate CAs, certificates, and private keys
 * [talosctl gen secureboot database](#talosctl-gen-secureboot-database)	 - Generates a UEFI database to enroll the signing certificate
-* [talosctl gen secureboot pcr](#talosctl-gen-secureboot-pcr)	 - Generates a certificate which is used to sign TPM PCR values
+* [talosctl gen secureboot pcr](#talosctl-gen-secureboot-pcr)	 - Generates a key which is used to sign TPM PCR values
 * [talosctl gen secureboot uki](#talosctl-gen-secureboot-uki)	 - Generates a certificate which is used to sign boot assets (UKI)
 
 ## talosctl gen