From 134fe3a0b1b36d6859f643db7ae65f96e01a836c Mon Sep 17 00:00:00 2001
From: vbalain
Date: Wed, 25 Feb 2026 09:27:13 +0000
Subject: [PATCH 1/3] Add test case for COS 125 with secure boot and multiple boot attempts.

The test verifies that the event log can be parsed and replayed correctly against a predefined set of expected PCR values.
---
 extract/extract_test.go | 47 ++++++++++++++++--
 testdata/eventlog_data.go | 2 +
 .../tpm/cos-125-intel-tdx-secure-boot.bin | Bin 0 -> 34196 bytes
 3 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin

diff --git a/extract/extract_test.go b/extract/extract_test.go
index 266331b..c28197a 100644
--- a/extract/extract_test.go
+++ b/extract/extract_test.go
@@ -334,8 +334,9 @@ func TestExtractFirmwareLogStateTPM(t *testing.T) {
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			eventGetters := map[string]func(*testing.T) (crypto.Hash, []tcg.Event){
-				"singleBoot":   getTPMELEvents,
-				"multipleBoot": getTPMELEventsWithMultipleBootAttempts,
+				"singleBoot":            getTPMELEvents,
+				"ubuntuMultipleBoot":    getTPMELEventsUbuntuWithMultipleBootAttempts,
+				"cosSecureMultipleBoot": getTPMELEventsCosWithSecureBootAndMultipleBootAttempts,
 			}
 			for name, getEvents := range eventGetters {
 				t.Run(name, func(t *testing.T) {
@@ -603,7 +604,7 @@ func getTPMELEvents(t *testing.T) (crypto.Hash, []tcg.Event) {
 	return cryptoHash, events
 }
 
-func getTPMELEventsWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
+func getTPMELEventsUbuntuWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
 	log := testdata.Ubuntu2404IntelTdxEventLog
 	bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{
 		0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"),
@@ -643,6 +644,46 @@ func getTPMELEventsWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Ev
 	return cryptoHash, events
 }
 
+func getTPMELEventsCosWithSecureBootAndMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
+	log := testdata.Cos125IntelTdxSecureBootEventLog
+	bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{
+		0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"),
+		1: decodeHex("d67b943903a0ac6244e491604f4d4c2090031142847e914add418b058b032aa636a7eb559669b1879b8459963ab63c24"),
+		2: decodeHex("c286e5791d56d735f1e159bc77c5c0fb04e27a4cb697e74974b98c9db246ac7effc466ab20f42bcd974d2c5e3f1ce7c3"),
+		3: decodeHex("518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4"),
+		4: decodeHex("404e1dfa6118533162df83b88e9e183272d139e8cb306f103251030aa444ba005e2b9c8cdb90c275f707dd29e21d0085"),
+		5: decodeHex("c50b529497c7f441ea47305587d6ce83e2e31f7b4fab6c13dc0b0c3c900e1d0caf0768321100927862df142bf0465ee4"),
+		6: decodeHex("518923b0f955d08da077c96aaba522b9decede61c599cea6c41889cfbea4ae4d50529d96fe4d1afdafb65e7f95bf23c4"),
+		7: decodeHex("6e64b25bab4f2382466f419dae07a4dbdbaaa3ce56c16bb740516c8bc05cb6c3dbc161016739be4e542a7265c4bd1d70"),
+		8: decodeHex("08052cde78f6561f52a4c37286edac23fa6915e211881770a5ebbbc5fc22411a4805829b9ca4741e0715edbb58aec4e5"),
+		9: decodeHex("596ecbc8e6077dd980848c6f2ebcc7876321c9228eef86939fc61733d02d988e25a3a06d280f36c8d9c026ba2d6175d7"),
+		10: decodeHex("8dfb3a115f861a7ef67e9670d47fe970f1029be7ca67b90cb851bc3358311ea3fd376b763b40b3a53df7785f75f1a8cb"),
+		11: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+		12: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+		13: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+		14: decodeHex("7dd22d0be1dc4debfbfc5900589ea0940c6276d92edb6fed8625b6ec1f9be341c253d877229c00925c826761760cb355"),
+		15: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+		16: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+		17: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		18: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		19: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		20: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		21: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		22: decodeHex("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
+		23: decodeHex("000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
+	})
+	cryptoHash, err := bank.CryptoHash()
+	if err != nil {
+		t.Fatal(err)
+	}
+	events, err := tcg.ParseAndReplay(log, bank.MRs(), tcg.ParseOpts{})
+	if err != nil {
+		t.Fatal(err)
+
+	}
+	return cryptoHash, events
+}
+
 func decodeHex(hexStr string) []byte {
 	bytes, err := hex.DecodeString(hexStr)
 	if err != nil {
diff --git a/testdata/eventlog_data.go b/testdata/eventlog_data.go
index 6726180..0e37565 100644
--- a/testdata/eventlog_data.go
+++ b/testdata/eventlog_data.go
@@ -47,6 +47,8 @@ var (
 	GdcHost []byte
 	//go:embed eventlogs/tpm/ubuntu-2404-intel-tdx.bin
 	Ubuntu2404IntelTdxEventLog []byte
+	//go:embed eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin
+	Cos125IntelTdxSecureBootEventLog []byte
 )
 
 // Kernel command lines from event logs.
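Review bot: The new helper repeats getTPMELEventsUbuntuWithMultipleBootAttempts line for line except for the embedded log and the PCR map, and neither helper calls t.Helper(), so a t.Fatal inside it is attributed to the helper rather than to the sub-test that called it; both could delegate to one shared helper that takes the log and the PCR map. The 24 hard-coded SHA-384 PCR values carry no provenance: if they were read from the TPM of the instance that produced the log, the replay is an independent check, but if they were obtained by replaying this same log the test is circular, and a one-line comment such as `// Expected PCRs captured from the instance's TPM, not derived from this log.` (or whichever is true) would make that auditable. There is also a stray blank line between `t.Fatal(err)` and the closing brace of the second error check.
```go
// replayTPMELEvents replays log against a SHA-384 PCR bank built from pcrs and
// returns the bank's hash and the parsed events, failing the test on any error.
func replayTPMELEvents(t *testing.T, log []byte, pcrs map[uint32][]byte) (crypto.Hash, []tcg.Event) {
	t.Helper()
	bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, pcrs)
	cryptoHash, err := bank.CryptoHash()
	if err != nil {
		t.Fatal(err)
	}
	events, err := tcg.ParseAndReplay(log, bank.MRs(), tcg.ParseOpts{})
	if err != nil {
		t.Fatal(err)
	}
	return cryptoHash, events
}

func getTPMELEventsCosWithSecureBootAndMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
	return replayTPMELEvents(t, testdata.Cos125IntelTdxSecureBootEventLog, map[uint32][]byte{
		// … unchanged: the 24 expected PCR values …
	})
}
```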
diff --git a/testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin b/testdata/eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin new file mode 100644 index 0000000000000000000000000000000000000000..b00354044a33943032ef82a0d03fcd375757be81 GIT binary patch literal 34196 zcmeIb2V7Ij_6EA?C80?bDFFoOB=o9uM0yvH5|YrQ6T0-?1yls2Dbi6uK|sI)q6kt& zP?{n(ii(0LMcxj`{~VQb)qBso=f2-__>sxpd$QM>Z_j+QX7lUoj z1CU^h0Sp06KxapV|NF?m@ctXffI@&$@ZS-O_3)Mz5%I>ldm$Y#!Va5oBR!nFg;DOV zA`U2w4Hji*14P_?UF~iBCB&F|M*`04jhQSanP{OAr?D z0ZWhzc>HaNf&spO=oh7F{!dfu%IH2_E|1ybee0FBPxfIS?;B8q0JW6u+>d)o4JMhN ziYU8m2y3P2zwnQ2cok34YvlBak{t@%RBHJo*O_#9_r!{sTBfPXoy!kjQr)Om^-H+y z%JWes*@mc$=PqB|aFMm2aiwSPXBbXX6*ZWyyW2r`Z>*-9z591$K?0@$OF`HchWFR| z7jzVrG<9ZEJCC;;sSNB3CWQdqYg(6hE@6X9o0+-HN~@%$C^Z)4a)@(N4iOS97`E`$U5He-+o4Sfn5TW zikzHIyqhsVQ%(UqK20EyL=K+A1zefL1tYLVqCjMEHB%XI2mi1D-q-5dy7R|9AwMg8 z$sw;WFw3pW^suNm1fcp%Ad}yU-M^ep)A|vgrgz_3{`y282Q+sIrE^mTn+XMqW$zon z8FOlaV&#tGb?%BO#lv2B)*LGw?-$=^%TWE{N~9F@q`=V*pO4j6RcFhP0fgVHi@&8M zU;eoq1d_#`Xd5wy|%B(fN2I+!Uy7#i!?IREz32o?umy-5OTvK z2q+2&@bU2RsmX5c-}QF)vBADQq^Dm6>EpvGh{^b44#q4~;Nd}t0C;#N0s50ZxZINkU7ZaWlu)|q#XCbrNn(=$Tsg>&K(5YX;1QB&81>AN7Y zpdeS67A64ZD+&i|CRkPBY>X6}-z4BtaD#OQh1$`6>&TB8*(q^XntJ(HtsC6zA@T+aWZXfze1o!i znak*WgiGe&2N*3p^KpI*lKF6{&kcOm6Ni>L;&-!8zB8BVTWOLQ5Y0F$-2d*Zp4J^? 
z;e7L@_ya}WX7`iP({y9I$IYD!n)<`y>(1_KB&WO~8h>NKnL#Y~<>iX@;Rj+2mn^zF z?w8N|$wnlN$3DfQeCxgv4i{BbbfoiIFzhPgli_a}=k6e2A{aWHn&vTMW4{p)6>K`; z9cGe0m{e}2U4l=52jHDM3U`82f#rae77uTOkO)oyMsPmd2}(jvLRdTpWu~t$`ZBb| z3#$lIigTTO$)Cufe26$WH3&WIZVwm0CFLRn3scyS6MtRm!N-9IP&v|OFi@Z7;0B2C zUVXeKC85oWW?VLT!#MO%kKhe$r+yV*S5JtAiTq2rg4;e)e%0NvH;>KN6)a1B$h|;% z8c7|Q;A3=#pfSVhxLMUmW?ke1$xv*Itv2<(^W>=DVl6ePV?}q0_Z%Qt9j%(Y*3)m7 zcGAH4sSIyh`;DdGtBFDch<2j+>#JwhC8MA2CwN#xfAiw2eHj~)0oN`XGMboC42t$- z*PK60tYGmZ^-k*n^3UAFWZB4*gEzYxrX?hOMJiKI((`Awzi>=l!?p!_oy^)Jh+^Me zEn(2MeC|YR;`CyevDVnh4K`z(U7wF-Dcc;FlJSWeW2fN-; zrWaIUGsYxC)nmKu!B%eKGC&DT_pSQGp2g2`tWqI`KJJ%yW6g`)f%0%| z1TI*8p*$_H4g8+;wy!GfOnO2f>CtbK9*oRjWOp4~mMcxWe*aA1pKIeL>E-TBYYvVe#GPiy}p^1G@LHmz~$e&Nw*W3!f{TxFd{ z4Y*0Er;c|mwgRMU~AKlilw#5ph)6TS~=DVSa+9prN~^AP-; z43BD%_s|!Sk9E^-l4?0e28hfm^or#&p0VicV)^F|QRyQ6CY9;$yc2#fOjxj)^UuiF0b#UkiVcGzIoO)Pi;oxnb7XKd#kH$ zmN(B)pjELL}{s~NiNgx-PKn6OlcoQEf0p&DB4TFPsi_FPH();9d*LK(++F1 zVp$CCY-hPLd^jfhPI(s%JbifYF?qT=Ww>3ais7o~A!(@AEOAKdeIT(qJ#S8hd3bKJ zxPzp!>p29g8pw5;DgEmBEj+URlf^)&$N2a&E+ali$Np3<_b+(J$eNdp+M+|S+${Lf(&BH?$5R%_9-&` zkO>OL;HG7zFoKG4%cnFKgicez`OAaPzg2mh5!UGjQdd{)?qOMlQ)=g$AN5f>VBELu zy+dEf4-MFTXYXxa6W*Enm_h2p-=aPmAnX`6b&#ODU>>O-eU{Wo>^tsD`|oof8=Pf} z`{*~hPgVI}F`l^CSBwW9!o&Xub^a00jWAyorN)*MlV4qGW%atqcPWolhmy^{{d4(b z!9K&pweQc@Lygh<6g-846D&)^d?AjO(M4M|9K?Jk~lp*_hVr zr!18%ds%|@dh>%RVw+UBRio6?Baik&f~YXleyrk-2PG^!9M(#9-?I1=6?2%MSHkai@cHV1Pu%+)5zSWXu>tFEE!zz~R3u-lNUpCmK(&&X>)B1!T6^idO?d3W z-9-y&_ns3JD5P@~um9wK=v>Idl@|7yQ_pQf8d*&}4qGvN9uaHoeruaUMUEZnFgYBL z|DrI)H(LIpaMu|#A4=|&M|~y!hnK5g3j7q$MK0W=V}g8SDYx(I=1t9CRTWD1KO!uj z^*Hjv(4PIf-hIV$KTNy>&(W>Q3%3tp{S0HNEBDz_+?EPouTMB3rLZgzuU=WmnZV}e z$zTmk2@bZ1pPa54J%*E6Q}$UZe99485k z)2tEOBYFtW;{L@N#;YWB`KBcgH~QpgEFXlHW`@aA30n^DiWx3)3*yg(S!oOVg$nx_ z2~vt(%*{(A%}>9gJ*24;Uq(bk{;B0SFnq&mLu5=u|4E@fR>mR*(Mf+i@}Y}DBcsLp z3zE!>%Juw%27v)nen*lE3hu&}?&PztS*KYAx~tK*VjBZXrJI&3(2=>P?o|Y*SXv_JmJR#0c2V?^i%+ngN0P} zndh>iG>B4SRp#EI4~dTU@8fwsg%1VN^t|%&Ji6f-RN;Jb`V*)JFVC$o_dgN0e0d6X 
zFUQqlFR@p`#{;jf-QRV_pNZx~Lk2h|@h#778+op{@d_~Dc+USjraS$G1&{5_bdDg? z>2EO|8Bm^ITb-K9Ahwy(~!5?u~mBWzqfm5eWuyE?e@}wQ?$;Z5E_TkolHJ7(% zE@#p|ig*$JP}0wD_-LE=aN;@-%t-U|BA-rHEW?H?mme>_$fwV@Mj)AWukSDMy?4+# zL21{Zqhm==)HI*m;q7QzTpeqBa7qpMxX&lmVo%l?qM3Wxy%Ucg7%$K!K55}4kkFV* zzLoiMm((5pU5{Mk7)s?F5d0!CwJ%N9Xng}N9~L;RZFzW&Gr42Vnt!gXTG;UFpq~$i zWs##9k35}|cb9pJHeEuTVxLV6<`TsO73a_+E32WW5&Y&7V<&X7H4hbCf7I?^MpNY3 zpb#nH=wqMUcFo7hy`GWnyeJf=0$5WdZgE%mb9ngE&9MxyN6J7*H#C~ z3xD0Yj?XUTkFQl1_J?rREi@ZJ<_Br6lF4G$WL_?#goan?xZS&oA<67jctlj*6PTx!DDiV|yi*J3ETgA_kuezKGZm^_kIYu@u-QiNbHr8O zP&k)I;~4HDtuS31`J`JzKd}wpnjO=2bi6_MGzr6W2wp=`!g0b!?+6F^<9m{Mryj1a zw7VgSSRA7DOOv`2{7+4Xyx2WMjS3KA4Y97M44Fc>V;kT1Tx^?aZ#6)^m;QFdt?>&l z`s>W1BP8=KFF<+;ILIcLR?3K)V){_j{E9cN z*ve_5GKox9!-awJ&W&uvr!?*NZITuOoSL5PTlcf^yq!N;Vue;Cd4>O0(mhbGS8eL$ z{6KvCs?y2Ht2ZvuFs-oAjJ;tbhSn^|y+P4BnC*R>XydH(-~)}w{!Tk|z!mR^mn^4; z*9Be&gm`jx(N|qqpmsmXd&6$mI}<_x{c!e-i^nf;Y-CHb#es}_C#JD7YM>nPEd)(Y+yLEnHRe( z#)7`E)dD>H^`F>^u-pP&6&=x?*|hYO4r^uEC8v}F4{!a#R`noph0*PlrZ7CUC_L$Z zsQ`e)^?z0Bhs0%Z+b_F{6%cQmm-lUqCGgKAW0^-RAJ!c$_w_oz>l_<=KZ*3lZkf9R z)}p|TY3{_EB*M9muOlNV?|&+)PZJS-WAWY*e-F*sHmd43ZSmSObF;U!hvC?i0x6p` zQ4>LWp3>&{5rI6<%Dp7Jh!gker}9aP7(#`*RTm^G4CqoG-%Gh6cjcWB(VL`$w<6db zo%VEQ>srnRQ`}ZuzDa<=WjNpD$!TF?sxcl&%*3N(XkjU~0D9$hwI_ z>ZKw@Mu#`?x?Jp)i{?|$kC;J2*$L)GXYZ5p@T2908@!TXn$5=}nrpZQYIEzWML1S# z&%1YXt&elxe-ec?j)3g~5p>(>|gtTLY=JlNk#A4NK9!*riqqU5;iW#`mFT@2Ik zX@g_7?Fso(Hh`e#(g2~d+DZ;2kKJ)e;>6v>po4D`FLZ>t%-?DBKh*~lsJX2jP~||% zVSB&fdHSWb8ugs%XZ%#L3dhy-`m5Z;&4bc+jWQleLmjAoD_?d@thFpr%KNyN#vpDeH78zlVO7fdWqAD5|l&07`U;)x?3?n>UL#HRJ zxkXa?aNR#qlu;8Rj(AaEq@+BoJhU_CDIo6bzS(qv!}?5chA_Gv6a0_@!fU13mkTUp zLw!mat|;~J)S&HnHl7X>*^=$rve8FYFjKaNi3X+i0A5#Tgyk-B+b|;bZ;0x_o2jiV<`SU^;Kg{kDYS}$~mFDWlsD17n(WI!c zBqK#yOQdl6#;nMAah-?uRT29j2D<}w%oJXRDkY?o(B3*~pmn`3=l_BHiS!%gesz-%`NtFBGu8 zGX=Z?DWHFw0!mpu^JFSf1m9A?U)ckHdj;FJU7&w$yZo39{+G1<5i#U&^!Fl&&5bT{ zab<};Z>(-jjZ`|N`K&DM4ADN~49qE7eUhR_LaNuO?%z4L&N%djcGP70@$xcN=3cjH 
zMD>}z>1V1kt-;m#iZK$#=jafPCarNSZ3CE`_L2`CgtZT&4$^dl0V(===xVt;ySo;e zMS#64?=LsUygM__&|vuNzO1iDyA)*CfPCn21s<>66Q!@_=!^!u-4dLdBwl4Cw=0I2 z@6~(DeeHF!lBvg$yR6sR)2xtO#?J|JLt0pioKp@wprf48@fK1I5rb)~|my)t=S%~%< zF(xy=Y<*c@Pxv$Y{dF36;@OIh-kN4B@15~d&!b4siIm`-9XOQrE=p}g7b|k_<%l}( zy|Hon4-b9xdQC-3S^x9bvq18y(~#|5~d7((E<(_Q};YUI2I-YR?c8{WEUm^BSf za+o}TJWW_8GOB2{Tc}-O_~49R!kA&RX3|Tdz1Qg)Xm&#Z85N}~Oo9XZZgo_Ld<3AA zBS^`1K7kZ7jCWPY!wX7y`G=VR-&$g^=iwLhYC>OUiD&3 z;7P-iqrw*%iJBI7v8{%gcd0Y39mB7JoITPw(tXh;e?x~Q=*banrmib|fn=aWB^7;5 zn5vSo5^f5}A1Z_?54+Z=pSdE3|CE{7s{k6RKRW~gSf_k1a=gz@!xwINIiMI~s(G}K zav6X110RjTL7kq(5-3ohS^ndw* zgEJxF0Af>99>4^Ay{!&T34{S|;505*FrPNyge2TlLG=V% z0ZyhqH@1>_Nc70(z=r9Vh86QfiAJFwx4y~iz84&|SE`|a`P$H!`$LOobXwzS{Pkvq zW=wwW!Cs!R3tVaY(}?c`T7DFWM*9aNm^(Rd#N79e_;nOSe*y&rn9=W0ApCU{h}uI( zA!CnB<5%83Z6I;9(n(Jvh5%RQSm-mOs;J`JG?Edaatn6pP}BDPO_iNY=Z_gvHnBm0 z+bdnx*Yt(RV=wL(Salj~IC;@uQ2%o>Ae5R@nW!h6;QG#;#SpF)a$<3K2%n7e=C7k5 z_7f=JCis1a0@1Idz;Jx3^BULPB&a}sSxY$kOh2io4g?r)N0%BreX_XGh-s_ucmhFI zDL5;bs06H{s=D83hvh>7;~RUXRaBTJ`t8k6XT!CqU2BbeO_xHN`&a082RA*86&`$* zN70w&-ObX_zE~C9@#`pv{{#xSxy9e1K>X_{2%wb_Bv@tL!#1Z#w8E~zig zeP>R;+Eshe7ClRp@*E+7OP@$x*a0rX4gbbzs~7Cf1$oBqq_9i_{ujTFg5*!2fSca= zU0ERgbrd>=G~E~$LN1-ZKs8uHXzsUhprHX|$EU`!1$#W6b`((Cz3<%hi8O2SaJ&(> zwCjCuyt^7l!=S)y%f&UV+spg+9V>4#46L0~bXiI{?@UX7Qz`LbUG~P(teEvl#-zan zt9<8B8bj8#Uq?aeCs2^w2?erWN8t@oDKxA_oR&uHP;5dd%ZNhhC=mo00x)DwuX`Fk zT)tFOk6}-(93(YkEnl4C38&F{J2BJ`1(d>r_1Ap7h4eIQBT@O$mjoV1yk(O=FWELv zXrC4)CES7)$q7g|7S-GP64KsE>G|s@NdE*1QahnQ{_7~12FDt`COcr?e0|#Oy0T9K zc@WJE1Tc8vrMz3_%?FR$jlrVB%mqPjKZToEovG?DxHi_gceDZuh**~{Yh0w2dyhmJ zYHv82mr7H#n#HZ|>;rpJQ9UoYUwsS@|AIN^o6FW@#UvVxhL zl~L*1DPm_RK%65UhEJ1F$xe?TL(AUcv@5pUo2kkWX zj?6rQix>>KO^kiSPH1X)UTgVv9MpaahaGK5>R-pfyY1u=p=gz~Dp)TM^&(T@DTJ@wV<7Ww6>aU?d;)pcct#cGHdy4VsU24-t z(`h_HUkx_LQeIkYRb16cxtr)W2w$Vk=V2Po(jgjO`*j@De+q{ktw@?*$Khq0iclh* zf4Onza2{P2CEk15rWOcbdnJe|V3v9RL)Nf2CTiSX z>j(eqJ~jf_(T?2p>o~Z!N1>6PwZ5T;Lz-ZkGPbj!bC2_xU3n#0Paj!# zwg80jeN&dKbiU(Dk9PlLjcSU9!DpDsnI+ 
zvGRg2rEstH4Ss>kiqUiJV4nV}y*PnuEWq&R_5$%`tU>x;jx`7Y9^i-r48-jFafq#J zaPaDmTuQe&E&=@c^ViYiEc);|`@?7fs|4>vy%x4EVvR`v0w6M5+2B-#wiHZJZAC4I zju#peU8_^?6?XYRW|Jhzp8*B9stQ64kqaW?1uZG+zGQX}E)V$@F)Vy8?9l2ktrB{>tH2>OfiI3ijq{HxQk_LT~>jc3-21YjMfIVk8Kn=L9H$D0zUX2ubLG&X$H_ zvmeFv%4haZU&JsJ5)#t^9OZ)QbiM>?k!}g~i}qXy+}I3m$P*lF{W8LKk7`s6Q9P&A zy3eSIkVoplv*mZD5J17f>+(n4`#vX!`31FY*6Ek7dfnC!opR^DFx8Q3D%J!A{0bh` zA_R2V%u01)EI6LkzD{-s!9`mx zPHqk`+`1|y4-Xe76cX#??gq05r>()1-QBU9E3w>hkZfxC&kY6RF#2bt<7Qm{bJDl+ z{7>Z_m+yZr??nHobZ{i~AIv)r^*=bF{z9hmV1~1DTJL=FvQM+R*;B{s5WqwAEsEfo zUYW~*d(2ccgvSU5$VgN@YSwMlq4_`vZ!r`=tdE)oS1mS>cyQa4tv}-_9#mMFCeCPD z=sFOmsFt#?o@y@I%xBKP4HL~n;l~*+0!lT+V12-4oFFS~vcQk1;cG?z7s=~u4Sz%V zAG8C%q5RvL)ZbA4hVp;U(ED8~f0xSNrSi8i^xLldai{nZ0Nc78WI|9j02ZnF4eVEY{gJZ4r4Gs0ppeHNOeDbIwC*9Z5>hg5g zPV%@cAPNjJ+!73)`Zfl47o6luH3Tcex1IxV`LnCLA12;mHUIzLy`bP21bqAR<$bK1{9ql6YtJ=2u>^hM zB%y(Z`lEXxfR5ObF27?saqvwZr&$lGw5~Qu=ddzgPnrEsbY};JB%lCl;igUD$72J6 z4OM0zS+ZIa+fOFG)!8FbW2|S!Miga+cP44&tuBOUj8D&;qCz1W4T{|KZ>eNxj9aCE zTNS`It~HF~Fx)H!TsQ;3HotOi9RfjLj%}kq?OE*635<@+Abc`^k!70$!@zX7|0ncM zE{u%Ew1XFe<6hgX7twi$F`x*0Zl|14(% z59j935YPpLKrQ~0fIrnBA0judksu%Xu26n$Zp{90=eV=FZar)8iQBILF`!TNi~KDd zwq+Rtdf=b&e=Pso{JY=O7TELbpm}um)T!WyP4z(Emc$Lcuiyt=9B$`dd0VA_EB-eB zn5;gc)hL~fCX3w&9*=O#< zii%qjx8rU3f8<|f`_#V`f0zGYdD7Mz71xHh>#qjKWAc;~w{E)~ZwvV&|Noi%Z|h%# zSH_44lM3kt#-dne2vrZDzxCWVdcS`Ddf@Zl*)90ChCdf8_>c=9%&S(3l&UdE@7iOn zLjMHgD5fD;rlg$BkQ6$vthjZb?Re`5bcPPDJo4ULW#tQgqPI`~a{R4)5exf=yMxs9 z8n2NsE=kaKt0->Way#A@@OQ~Sh;-!8M1!t|bukz;NVtzQ+%!a(6px?2dt|=o1wp|V z@xX!YFJBZe1kAv7SZ3Sm{M#|FH~$Uxj{`JKT0lYP{!Y1sFga#1d<~g&7ylruLgYNq zN3ePCjoz(#xb+FP4V$aLgg}SX=HNe$hyT6OfDhgsl<=i>I~#!hkbdg0`=vbrhB3f}u(LlNO5S)1 zb1Dz=L1si-evE#Z(ee2?1f5ilkeT(kxisPmI%DSJ#?9q}=B%}#RHow*$8cF=;-bVw z{}f<l}tmd zNWz9}`dWUTVxu1D6pV1 zbs`zHHmE8bwday^2otI2+tL#lrBm#$`h`9Ey!^4YWTreiO-5|Oj?rJ`P8gnB%YYkL9cF7O&I7=c|oBL=Z3(=gt`ka)>Si7&PrkfiSulg^6vt)nI(8IK)+6erYd#Nrl%@9Zqvvov2r&9BGv) zPb~e9D}dU4tNnJN-==jP(3kvCP2LR@f0KJtoGJB(>C?(cb}2kFpUnO_6SJ_J 
zukDe?k`dtULWg#L2V1Lp6M8V3^XnK@7Ei@Kw*#WgX9Nn(Nm$8iBH6QW9eF1G=uOjy)cWiF zi{!y;xIjoKy`ypBu-Piuft^klu%$Z+wiUQtUWCCm!XEs-Wu)L*#XlJ-MzQ9#iG1-e zbq24#cO^B?g^{3VekNtj<4U0YMN{SNBWit2_hib{E?%)+)l!ZA3JAQ&9w;zkO?fu? zW#qWQWY}vJwW)Ha_qS4Zg$utFQ9kL2ccCJ@3b4%V3wAF`5blh&e&eJ?3rZEi*gJ{X zfz!lA9K3w&gi-bmpwERrD|3-KYSp0nux&4g}{bRds{ zL9X_`=fq^Y)wV@7B;N9?UrEd9` zsCg`!fTwWRLfProe20yS$-;M|zR9QJ4woL02xp2lvs6O)5GJ(WPS{Z$Wd*Ts)QQZ_ zynpbzvR;--BwKkyJfTHzha0$-)L~YfQp?W6k|tj4O&ctD&zp67YWYBqXVDh3!tbZ` z!S!OKq1l=X`ov~bOoLIT6FDKtr9)|A)0}=c+-6tRMxW`LO+@ZzdA^T5pQ~vy(tV8U zD|8$@upVAc?zsJvV2)^nBuo^BJ68HeIRx$0;i>#kO2ZLiHO}K z?PN*1#|3?VnXG!%B1?z7k1!{_rJPTH{ccq-=;YjDU%r$;G41HJK=}HoG$Y*`In`l_ zd?r=Yum*EXPFLWWi5`0svz6>8@6Oz^MK=FHIq^;9l)q8#_zTDViO`;Adi)fP!9lDX zJC7n10=SP%RNjarX1`Q*{6me5gaI-j{iNT3?TL~PDM5*<)8bH|$1$C>Nzq7$Od z(H2a_St>MW71CB+4RjH>bMWYLv~!hpOs@5NxiM;O|3~H1p^RT4X9+_{z=T||FgVQW z8-;TDj_!kzKKYC`I8>~_VyF!S->sh}Kq;ppmq9gm0H zj*TXf=_`f2G1%?G{#{wuQ!OefG2D;xqn|l7m?%ki)rE5e0t}X9EPB>odpR7r^qdc& zU8RA#A0JbCPv@PnkC>L?Vh-rWA<|VGBbHm8%6{i|HxE25;h;;AYN(Ry&{>D4Qt(ug zhSMG6f!s0YA}STrLYZ%Jey=^ypt?ghna!7FR?0}y{cFoFvr5E7zr zILsS^^1;GR-M}5sY_K3P!`xh*Z2XW|lq1^RK>-c} zcR3SAJ9#7RTrgh zJViq;P_M}LNHA!8uqcZCY;jzV`i0w%-lCvci&h_R{7k`7{+9(u`FFwDtT2Cn!GTMt z!ewM6C4{8K)s=fXe;?)o@)%GL(LK|r^i)@#m0E2I>T?Nl0X|f@b z%T8{u36HoJ7z?&pWYsP3T4n|JYrev>qb+Evc$f?!hMwRPe@+D&l{+zxFUHHs-U-~r z>^JG)i0bbo9ki>!0C&-EGQ`Gu7gbYjuErq~HN=jkCAHt=@ z?d%a!xZMaa;u4~E7#VvpJ8)x6P_P)<-d;k|9$}9H_s;|m#n3XK3j!>My% zR{qot7LHPzLY8tPEuA~^;HH?Uv>uZyXUf%GF0A#?lc~83Vb`v@vK!e)+DlJ8U2X$6 zbnF5~m$jYu5}YsBRDdJWGLB5gFP_L)#;Y43NQGJlJ?HG@oU%-mI1;SH54$ip^OF_v zH;Mm!t^Xgj?SH%?{!9z+$j!`%#Csl#cK%}8( z+V0*Z{p@|xSU&SQ>os@pR{^1=96G_WY?^;%N-4QuK_eC9Pne03^41FTKMZkRM>Jee zjBjg1;fpQ)+o1XdgX-69?Y}bKzhm%B#_;qWJ3RBXw-h49bEF5KJPIv<0E(wxBiYU> zOpkU1m@`N-zXCVx#6zZgUsMWcHDurlY=#1ySNd($#EI_?=~7JIe)Zy&QVTlmk+LJ% zOqVdKG-RW(wCYJkTm#;fv)AQrdZ0KHxWDb-g54vetM_KZ`e#$>n=V4*`nA?&;(Pi2 zom0Ta5T2EKVj<9VBX_QwThX2A=vd|JA;N`R_r#lC3kEXAisLJPAP{;fxdH`Pd&BUi z4jfL_a7ZsRKhA=iEP! 
zM=~y-+`YgvW6AE4W6&d~5F)SZ^Jx6x1Hn)DP~g5+SX-5tB*77*6T8P^tR5sHP5d3b z9HN^&Blbo;J5Xm&pB$wck^;}4$0}J8{L(Y64Xm?>@+hrXqbq3`S9dhNf;>Aws$HJi~v&W zNnG?@_)#*7`mfRu=huD7-#qkJJj4mQ^8T|U z6jj-yK@nFjn(7J5$Uhu97k6dl&}j%TLa1;wD7s1_3x=UCY*Z@A8)3~!C;m0P@i z)N6ft4;0|gg1n&(@Uf*4Kj?=&Fvf2b(bVyR!0y4`?)M*z6_4%Fs#+fT#Ah}5sO1f& z*4OVbD=1aX9~|M`bb@4r@$z*-VZ33QZoc3kGR{TP*J^2)sEv2}4`1t(TTjSQjIYC@zYq7LU#rKml@LygODiFPP55tCCz{ zrHW)ttuFELJb5Q6k`@&^US&F2qwkxvGakYS_Jw`mf?#nzn|4rZ%Vi5V&gAEWb%YuD Jpg>){{~x-j>M;NS literal 0 HcmV?d00001 From cf376a8cc7c48736702771f5698c8089cf18143b Mon Sep 17 00:00:00 2001 From: vbalain Date: Tue, 3 Mar 2026 10:18:09 +0000 Subject: [PATCH 2/3] Relax parsing strictness for scenario where a separator event could occur with any calling efi app event. --- extract/extract.go | 3 --- extract/extract_test.go | 20 -------------------- 2 files changed, 23 deletions(-) diff --git a/extract/extract.go b/extract/extract.go index 45c6aef..87f6a1d 100644 --- a/extract/extract.go +++ b/extract/extract.go @@ -432,9 +432,6 @@ func EfiState(hash crypto.Hash, events []tcg.Event, registerCfg registerConfig, return nil, err } if isSeparator { - if !seenCallingEfiApp { - return nil, fmt.Errorf("found separator event in %s%d before CallingEFIApp event", registerCfg.Name, index) - } if seenSeparator4 { return nil, fmt.Errorf("found duplicate Separator event in %s%d", registerCfg.Name, registerCfg.EFIAppIdx) } diff --git a/extract/extract_test.go b/extract/extract_test.go index c28197a..5753dd3 100644 --- a/extract/extract_test.go +++ b/extract/extract_test.go 
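Review bot: Dropping the `!seenCallingEfiApp` check makes the relaxation unconditional for every caller, so a PCR4/RTMR separator that is preceded by no CallingEFIApp event is now accepted silently, and the deleted negative test (extract_test.go, "failed with valid boot attempt before Separator event in CCEL logs") is the only place that behaviour was pinned; note that that test already set AllowEFIAppBeforeCallingEvent: true and still expected failure, so the existing option did not cover this case. If some firmware legitimately logs the separator without a preceding CallingEFIApp event, a reviewer would want that stated next to the remaining checks and, preferably, gated by a dedicated Opts flag that defaults to strict, e.g. `if !seenCallingEfiApp && !opts.AllowSeparatorBeforeCallingEvent {` around the original return (assuming EfiState receives the Opts the tests pass), with the removed test case kept and flipped to `wantPass: true` under that flag. Any downstream policy that reads the EfiState output as "these and only these EFI applications ran before the OS transition" loses the ordering guarantee this check provided, which is worth calling out in the commit message — whose "with any calling efi app event" also appears to mean "without any". EfiState begins and ends outside this hunk.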
@@ -542,26 +542,6 @@ func TestEfiState(t *testing.T) {
 				AllowEFIAppBeforeCallingEvent: false,
 			},
 		},
-		{
-			name: "failed with valid boot attempt before Separator event in CCEL logs",
-			events: func() (crypto.Hash, []tcg.Event) {
-				hash, evts := crypto.SHA384, getCCELEvents(t)
-				var failedEvts []tcg.Event
-				for _, e := range evts {
-					if bytes.Equal(e.RawData(), []byte(tcg.CallingEFIApplication)) {
-						continue
-					}
-					failedEvts = append(failedEvts, e)
-				}
-				return hash, failedEvts
-			},
-			registserConfig: RTMRRegisterConfig,
-			wantPass: false,
-			wantEfiState: nil,
-			opts: Opts{
-				AllowEFIAppBeforeCallingEvent: true,
-			},
-		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {

From 3b6657efe480b345c2b0994072a8b7d672da235e Mon Sep 17 00:00:00 2001
From: vbalain
Date: Thu, 5 Mar 2026 05:10:04 +0000
Subject: [PATCH 3/3] Address review comments

---
 extract/extract_test.go | 4 ++--
 testdata/eventlog_data.go | 4 ++--
 tpmeventlog/replay_test.go | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/extract/extract_test.go b/extract/extract_test.go
index 5753dd3..a4baa7d 100644
--- a/extract/extract_test.go
+++ b/extract/extract_test.go
@@ -585,7 +585,7 @@ func getTPMELEvents(t *testing.T) (crypto.Hash, []tcg.Event) {
 }
 
 func getTPMELEventsUbuntuWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
-	log := testdata.Ubuntu2404IntelTdxEventLog
+	log := testdata.Ubuntu2404IntelTdxA4HighGpu8GEventLog
 	bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{
 		0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"),
 		1: decodeHex("ba1ac69c213175dc72db1493bd5bdfa4799028fe5d5c2bb41ddccc6affa50ba01f189d4639a77afbedd6dd6aff1af3b4"),
@@ -625,7 +625,7 @@ func getTPMELEventsUbuntuWithMultipleBootAttempts(t *testing.T) (crypto.Hash, []
 }
 
 func getTPMELEventsCosWithSecureBootAndMultipleBootAttempts(t *testing.T) (crypto.Hash, []tcg.Event) {
-	log := testdata.Cos125IntelTdxSecureBootEventLog
+	log := testdata.Cos125IntelTdxSecureBootA4HighGpu8GEventLog
 	bank := testutil.MakePCRBank(pb.HashAlgo_SHA384, map[uint32][]byte{
 		0: decodeHex("592b3f42ec556a9c093f201124cc7313fdaa4ce40ae1602e14d51f18fbfc480d6a1e196d1c52ad919328410272dc7222"),
 		1: decodeHex("d67b943903a0ac6244e491604f4d4c2090031142847e914add418b058b032aa636a7eb559669b1879b8459963ab63c24"),
diff --git a/testdata/eventlog_data.go b/testdata/eventlog_data.go
index 0e37565..fd8ce92 100644
--- a/testdata/eventlog_data.go
+++ b/testdata/eventlog_data.go
@@ -46,9 +46,9 @@ var (
 	//go:embed eventlogs/tpm/gdc-host.bin
 	GdcHost []byte
 	//go:embed eventlogs/tpm/ubuntu-2404-intel-tdx.bin
-	Ubuntu2404IntelTdxEventLog []byte
+	Ubuntu2404IntelTdxA4HighGpu8GEventLog []byte
 	//go:embed eventlogs/tpm/cos-125-intel-tdx-secure-boot.bin
-	Cos125IntelTdxSecureBootEventLog []byte
+	Cos125IntelTdxSecureBootA4HighGpu8GEventLog []byte
 )
 
 // Kernel command lines from event logs.
diff --git a/tpmeventlog/replay_test.go b/tpmeventlog/replay_test.go
index 3fee08d..b241aad 100644
--- a/tpmeventlog/replay_test.go
+++ b/tpmeventlog/replay_test.go
@@ -596,7 +596,7 @@ func TestParseEventLogs(t *testing.T) {
 		{Ubuntu2104NoSecureBootGCE, "Ubuntu2104NoSecureBootGCE", extract.Opts{Loader: extract.GRUB}, []string{sbatErrorStr}},
 		{Ubuntu2404AmdSevSnp, "Ubuntu2404AmdSevSnp", extract.Opts{Loader: extract.GRUB}, nil},
 		// This event log has a SecureBoot variable length of 0.
-		{ArchLinuxWorkstation, "ArchLinuxWorkstation", extract.Opts{Loader: extract.UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true, AllowEmptySBVar: true}, []string{"found separator event in PCR4 before CallingEFIApp event"}},
+		{ArchLinuxWorkstation, "ArchLinuxWorkstation", extract.Opts{Loader: extract.UnsupportedLoader, AllowEFIAppBeforeCallingEvent: true, AllowEmptySBVar: true}, nil},
 		{COS85AmdSev, "COS85AmdSev", extract.Opts{Loader: extract.GRUB}, nil},
 		{COS93AmdSev, "COS93AmdSev", extract.Opts{Loader: extract.GRUB}, nil},
 		{COS101AmdSev, "COS101AmdSev", extract.Opts{Loader: extract.GRUB}, nil},
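Review bot: Flipping the ArchLinuxWorkstation expectation from the separator-ordering error to nil records a verdict change on an existing log, but the only comment on the entry still explains just the empty SecureBoot variable, so a later reader cannot tell from the table why a log with no CallingEFIApp event before its PCR4 separator now parses cleanly. A second comment line above the entry would preserve that reasoning, e.g. `// Its PCR4 separator is not preceded by a CallingEFIApp event; accepted since the separator-ordering check was removed from extract.EfiState.` If that relaxation is later gated behind an option, this entry is the one that needs it set. TestParseEventLogs begins and ends outside this hunk.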