From c16fc04c2d984a595b3f8d27ad588f9a35029fe1 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Wed, 30 Apr 2025 16:09:27 +0530 Subject: [PATCH] docs(esp_tee): Revise TEE secure storage and related documentation --- .../esp_tee/test_apps/tee_cli_app/README.md | 19 +-- docs/_static/esp_tee/tee_sec_stg_metadata.png | Bin 31454 -> 0 bytes docs/_static/esp_tee/tee_sec_stg_part.png | Bin 28223 -> 0 bytes docs/en/api-guides/partition-tables.rst | 1 - .../api-reference/storage/nvs_encryption.rst | 3 + docs/en/security/tee/tee-attestation.rst | 4 +- docs/en/security/tee/tee-sec-storage.rst | 123 +++++++----------- docs/en/security/tee/tee.rst | 2 +- docs/zh_CN/api-guides/partition-tables.rst | 1 - .../api-reference/storage/nvs_encryption.rst | 3 + .../security/tee/tee_attestation/README.md | 35 ++--- .../security/tee/tee_secure_storage/README.md | 32 +++-- 12 files changed, 93 insertions(+), 130 deletions(-) delete mode 100644 docs/_static/esp_tee/tee_sec_stg_metadata.png delete mode 100644 docs/_static/esp_tee/tee_sec_stg_part.png diff --git a/components/esp_tee/test_apps/tee_cli_app/README.md b/components/esp_tee/test_apps/tee_cli_app/README.md index 2d1060e077..3b4ab26325 100644 --- a/components/esp_tee/test_apps/tee_cli_app/README.md +++ b/components/esp_tee/test_apps/tee_cli_app/README.md 
@@ -15,18 +15,21 @@ This example can be executed on any development board with a Espressif SOC chip - Open the project configuration menu (`idf.py menuconfig`). -- Configure the secure storage slot ID for generating/fetching the ECDSA keypair for attestation token signing at `(Top) → Security features → TEE: Secure Storage slot ID for EAT signing`. If this configuration is not set, the slot with ID **0** will be used as default. +- Configure the secure storage key ID for generating/fetching the ECDSA keypair for attestation token signing at `ESP-TEE (Trusted Execution Environment) → Secure Services → Attestation: Secure Storage key ID for EAT signing`. -- Configure the Secure Storage mode for determining which eFuse block stores the encryption key at `(Top) → Security features → Trusted Execution Environment → TEE: Secure Storage Mode`. - - **Development** Mode: The encryption key is statically embedded in the TEE firmware. - - **Release** Mode: The encryption key is stored in eFuse BLK4 - BLK9, depending on the `SECURE_TEE_SEC_STG_KEY_EFUSE_BLK` Kconfig option. - - Set the eFuse block ID to store the encryption key in `Security features → Trusted Execution Environment → TEE: Secure Storage encryption key eFuse block`. +Configure the Secure Storage mode for determining how the NVS XTS encryption keys are derived at `ESP-TEE (Trusted Execution Environment) → Secure Services → Secure Storage: Mode` + + - **Development** Mode: Encryption keys are embedded in the ESP-TEE firmware (identical across all instances). + - **Release** Mode: Encryption keys are derived via the HMAC peripheral using a key stored in eFuse. + - Set the eFuse key ID storing the HMAC key at `ESP-TEE (Trusted Execution Environment) → Secure Services → Secure Storage: eFuse HMAC key ID`. - Snippet for burning the secure storage key in eFuse is given below. 
```shell - # Programming user key (256-bit) in eFuse + # Generate a random 32-byte HMAC key + openssl rand -out hmac_key_file.bin 32 + # Programming the HMAC key (256-bit) in eFuse # Here, BLOCK_KEYx is a free eFuse key-block between BLOCK_KEY0 and BLOCK_KEY5 - espefuse.py -p PORT burn_key BLOCK_KEYx user_key.bin USER + espefuse.py -p PORT burn_key BLOCK_KEYx hmac_key_file.bin HMAC_UP ``` ### Build and Flash 
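Review bot: The rewritten Secure Storage mode item in this hunk lost its `- ` list marker: the removed line reads `- Configure the Secure Storage mode for determining which eFuse block ...`, while the added line starts `Configure the Secure Storage mode for determining how the NVS XTS encryption keys are derived at ...`, so it now renders as a paragraph with the indented `- **Development** Mode` / `- **Release** Mode` items dangling beneath it; restore the marker and the trailing full stop. The hunk also drops the sentence stating the default when the key ID option is unset (`If this configuration is not set, the slot with ID **0** will be used as default.`) without a replacement, while the sample output later in this patch shows `"key_id":"tee_att_key0"`; say whether that is the default key ID or whether the option is now mandatory. Since Release mode derives all storage keys from the HMAC key burned by the snippet, a line noting that `hmac_key_file.bin` is the root secret for the device's secure storage and must be generated and retained under the same controls as other eFuse key material would also help readers of this example.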
@@ -121,7 +124,7 @@ help [] [-v <0|1>] esp32c6> tee_att_info I (8180) tee_attest: Attestation token - Length: 1455 I (8180) tee_attest: Attestation token - Data: -'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":0},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}' 
+'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":0,"device_id":"cd9c173cb3675c7adfae243f0cd9841e4bce003237cb5321927a85a86cb4b32e","instance_id":"9616ef0ecf02cdc89a3749f8fc16b3103d5100bd42d9312fcd04593baa7bac64","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"v0.3.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"94536998e1dcb2a036477cb2feb01ed4fff67ba6208f30482346c62bca64b280","digest_validated":true,"sign_verified":true}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.1.4-241-g7ff01fd46f-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"3d4c038fcec76852b4d07acb9e94afaf5fca69fc2eb212a32032d09ce5b4f2b3","digest_validated":true,"sign_verified":true,"secure_padding":true}},"bootloader":{"type":0,"ver":"","idf_ver":"","secure_ver":-1,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"1bef421beb1a4642c6fcefb3e37fd4afad60cb4074e538f42605b012c482b946","digest_validated":true,"sign_verified":true}}}},"public_key":{"compressed":"02039c4bfab0762af1aff2fe5596b037f629cf839da8c4a9c0018afedfccf519a6"},"sign":{"r":"915e749f5a780bc21a2b21821cfeb54286dc742e9f12f2387e3de9b8b1a70bc9","s":"1e583236f2630b0fe8e291645ffa35d429f14035182e19868508d4dac0e1a441"}}' ``` 
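Review bot: The unchanged context line `I (8180) tee_attest: Attestation token - Length: 1455` no longer matches the token printed below it: the only change in this hunk is `"key_id":0` becoming `"key_id":"tee_att_key0"`, which adds 13 characters to the JSON, so either re-capture the whole log from a current build or correct the length so the sample is self-consistent.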
diff --git a/docs/_static/esp_tee/tee_sec_stg_metadata.png b/docs/_static/esp_tee/tee_sec_stg_metadata.png deleted file mode 100644 index 9b755d04b1f0bcc61ec773b8c5fd451a8eb83d44..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31454
diff --git a/docs/_static/esp_tee/tee_sec_stg_part.png b/docs/_static/esp_tee/tee_sec_stg_part.png deleted file mode 100644 index 6b28f413734dcc8ad045ce741377401a8848516d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 28223
which stores information about the currently selected TEE OTA app slot. This partition should be 0x2000 bytes in size. Refer to the :doc:`TEE OTA documentation <../security/tee/tee-ota>` for more details. - - ``tee_sec_stg`` (0x91) is the TEE secure storage partition which stores encrypted data that can only be accessed by the TEE application.
This partition is used by the :doc:`TEE Secure Storage <../security/tee/tee-sec-storage>` to store sensitive data like cryptographic keys. The size of this partition depends on the application requirements. - There are other predefined data subtypes for data storage supported by ESP-IDF. These include: diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index cbae3878dd..1292eb94fa 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -14,6 +14,7 @@ Data stored in NVS partitions can be encrypted using XTS-AES in the manner simil NVS encryption can be facilitated by enabling :ref:`CONFIG_NVS_ENCRYPTION` and :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` > ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC`` or ``CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC`` depending on the scheme to be used. +.. _nvs_encr_flash_enc_scheme: NVS Encryption: Flash Encryption-Based Scheme --------------------------------------------- @@ -104,6 +105,8 @@ It is possible for an application to use different keys for different NVS partit .. only:: SOC_HMAC_SUPPORTED + .. _nvs_encr_hmac_scheme: + NVS Encryption: HMAC Peripheral-Based Scheme -------------------------------------------- diff --git a/docs/en/security/tee/tee-attestation.rst b/docs/en/security/tee/tee-attestation.rst index 780229f606..7634d852c1 100644 --- a/docs/en/security/tee/tee-attestation.rst +++ b/docs/en/security/tee/tee-attestation.rst @@ -88,7 +88,7 @@ EAT: Header - Currently, only ``ecdsa_secp256r1_sha256`` is supported * - Key ID - Identifies the key to be utilized by the device for encryption and signing - - TEE secure storage slot ID + - TEE secure storage key ID (string) EAT: Claim Table ^^^^^^^^^^^^^^^^ @@ -173,7 +173,7 @@ Sample EAT in JSON format "magic": "44fef7cc", "encr_alg": "", "sign_alg": "ecdsa_secp256r1_sha256", - "key_id": 0 + "key_id": "tee_att_key0" }, "eat": { "nonce": -1582119980, 
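Review bot: in the tee-attestation.rst hunks the "Key ID" row and the sample EAT now carry a string (`"tee_att_key0"`), but nothing in the table says where that string comes from; since the example README hunk in this same patch makes it a menuconfig setting ("Attestation: Secure Storage key ID for EAT signing"), add a clause such as "the value configured for EAT signing" to the Key ID row so that a verifier reading the token knows the identifier is deployment-specific rather than a fixed constant.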
diff --git a/docs/en/security/tee/tee-sec-storage.rst b/docs/en/security/tee/tee-sec-storage.rst index b72f0a8e7c..ad269779c0 100644 --- a/docs/en/security/tee/tee-sec-storage.rst +++ b/docs/en/security/tee/tee-sec-storage.rst 
@@ -3,105 +3,72 @@ Secure Storage Overview -------- +The TEE Secure Storage service provides persistent storage for securely storing sensitive data, such as cryptographic keys, cloud credentials, or other general-purpose information. It uses a dedicated flash partition of type ``data`` and subtype ``nvs``. The TEE ensures both confidentiality and integrity of the stored data. -The TEE Secure Storage service offers a persistent storage for securely holding sensitive data, such as cryptographic keys, cloud credentials or any other general-purpose information. It utilizes a dedicated flash partition of type ``data`` and subtype ``tee_sec_stg``. The confidentiality and integrity of the data is ensured by the TEE. +TEE Secure Storage adopts the :doc:`../../api-reference/storage/nvs_flash` partition format and uses the HMAC peripheral-based XTS-AES encryption scheme, as detailed :ref:`here `. The AES encryption keys are derived from an HMAC key programmed in eFuse with the purpose :cpp:enumerator:`esp_efuse_purpose_t::ESP_EFUSE_KEY_PURPOSE_HMAC_UP`. Please note that the TEE Secure storage does not support the :ref:`NVS Flash Encryption-based scheme `. -For enhanced security, data stored in the secure storage is encrypted using a device-specific encryption key with ``AES-256-GCM`` algorithm. Additionally, the secure storage provides interfaces for performing the following cryptographic services from the TEE using securely stored key material: +.. important:: - #. Message signing and public key retrieval with the ``ecdsa_secp256r1`` algorithm - #. Authenticated encryption and decryption using the ``aes256_gcm`` algorithm + - One eFuse block is required to store the HMAC key used for deriving the NVS encryption keys. This key is exclusive to the TEE and **CANNOT** be used by the REE for any purpose. + - The HMAC key must be programmed into eFuse before firmware execution, as TEE Secure Storage does not support generating it on-device. 
If no valid key with the required purpose is found in the configured eFuse block, an error will be raised at runtime. + +Additionally, the secure storage provides interfaces for performing the following cryptographic services from the TEE using securely stored key material: + + #. Message signing and public key retrieval using the ``ecdsa_secp256r1`` and ``ecdsa_secp192r1`` algorithms + #. Authenticated encryption and decryption using the ``aes256_gcm`` algorithm + +.. note:: + + As per the current implementation, the TEE Secure Storage partition **must** have the label ``secure_storage``. Internals --------- -The secure storage partition is 4 KB in size, of which only the first half is used for storing data. The partition is divided into slots which hold data objects. Each data object within the TEE secure storage is encapsulated in a structured format, comprising the metadata and actual data. - -.. figure:: ../../../_static/esp_tee/tee_sec_stg_part.png - :align: center - :scale: 80% - :alt: TEE Secure storage partition - :figclass: align-center - - ESP-TEE: Secure Storage partition - -Metadata is represented by the :cpp:type:`sec_stg_metadata_t` structure, which contains details related to the data stored in a specific slot of the storage. These details include information such as the owner, slot ID, data length, encryption parameters, etc. - -.. list-table:: - :header-rows: 1 - :widths: 35 65 - :align: center - - * - **Element** - - **Description** - * - Owner ID - - Application ID defining the data ownership - * - Slot ID - - Slot ID for corresponding owner ID - * - Encryption: Initialization Vector (IV) - - IV for the encryption algorithm - * - Encryption: Tag - - Tag for the encryption algorithm - * - Data Type - - Type of data stored in this slot - * - Data Length - - Actual data length - -.. 
figure:: ../../../_static/esp_tee/tee_sec_stg_metadata.png - :align: center - :scale: 80% - :alt: TEE Secure storage metadata - :figclass: align-center - - ESP-TEE: Secure Storage Metadata - -.. warning:: - - Future ESP-TEE framework releases may modify the internal data structure of the TEE secure storage, which could introduce breaking changes in existing applications. - -Each data object in the secure storage is encrypted as specified in the **AES-GCM based AEAD** encryption policy with a platform instance unique key of length **256 bits**, stored in the eFuse. - -The TEE Secure Storage feature supports two modes (:ref:`CONFIG_SECURE_TEE_SEC_STG_MODE`) for determining which eFuse block stores the encryption key: - - - **Development** Mode: The encryption key is embedded (constant for all instances) in the ESP-TEE firmware. - - **Release** Mode: The encryption key is stored in eFuse BLK4 - BLK9, depending on the :ref:`CONFIG_SECURE_TEE_SEC_STG_KEY_EFUSE_BLK` Kconfig option. - -All the assets pertaining to the TEE secure storage are protected by the APM peripheral and thus, are inaccessible to the REE application. Any attempt to directly access them would result in a system fault. +Each data object consisting of the type, associated metadata flags (e.g., ``WRITE_ONCE``), and the actual payload is encapsulated in a structured format and stored as a variable-length NVS blob in the secure storage partition. .. note:: - - Currently, the TEE secure storage supports the storage of two types of cryptographic keys: + As per the current implementation, all data objects in the TEE Secure Storage are to be stored in the ``tee_sec_stg_ns`` namespace. - #. ``ecdsa_secp256r1`` curve key-pairs, including the private and public key components - #. ``aes256_gcm`` keys, including the key and initialization vector (IV) +Currently, TEE secure storage supports storing the following cryptographic keys: - The internal structures for these key types are as follows: + #. 
``ecdsa_secp256r1`` and ``ecdsa_secp192r1`` curve key-pairs, including private and public key components + #. ``aes256`` keys, including the key and initialization vector (IV) - .. code-block:: c +All assets related to TEE secure storage are protected by the APM peripheral and are inaccessible to the REE application. Any direct access attempts will result in a system fault. Future updates are planned to add support for additional key types and general-purpose data storage. - #define ECDSA_SECP256R1_KEY_LEN 32 - #define AES256_GCM_KEY_LEN 32 - #define AES256_GCM_IV_LEN 12 +The TEE Secure Storage feature supports two modes for determining how the NVS encryption keys are derived (see :ref:`CONFIG_SECURE_TEE_SEC_STG_MODE`): - typedef struct { - /* Private key */ - uint8_t priv_key[ECDSA_SECP256R1_KEY_LEN]; - /* Public key - X and Y components */ - uint8_t pub_key[2 * ECDSA_SECP256R1_KEY_LEN]; - } sec_stg_ecdsa_secp256r1_t; + - **Development** Mode: Encryption keys are embedded (constant for all instances) in the ESP-TEE firmware. + - **Release** Mode: Encryption keys are derived via the HMAC peripheral using a key stored in eFuse, specified by :ref:`CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID`. - typedef struct { - /* Key */ - uint8_t key[AES256_GCM_KEY_LEN]; - /* Initialization Vector */ - uint8_t iv[AES256_GCM_IV_LEN]; - } sec_stg_aes256_gcm_t; + .. note:: - - Future updates may include support for additional key types and general-purpose data storage. + - The valid range for :ref:`CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID` is from ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) to ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`). By default, this config is set to ``-1`` and must be configured before building the TEE application. 
+ + - The following commands can be used to generate and program the HMAC key into the required eFuse block: + + :: + + # Generate a random 32-byte HMAC key + openssl rand -out hmac_key_file.bin 32 + + # Program the HMAC key into the eFuse block + idf.py -p PORT efuse-burn-key hmac_key_file.bin HMAC_UP + +Tools +----- + +The :doc:`../../api-reference/storage/nvs_partition_gen` tool can be used to generate binary images compatible with the NVS format for use with TEE Secure Storage. Since TEE Secure Storage stores data objects using a custom structured format, an additional step is required to convert input data into this format prior to image generation and encryption. + +To support this process, the :component_file:`esp_tee_sec_stg_keygen.py` script is provided for generating secure key blobs corresponding to the various supported cryptographic algorithms. These key blobs are then referenced in the input CSV file (format described :ref:`here `) and passed to the NVS Partition Generator utility to produce an encrypted images suitable for TEE Secure Storage. + +Refer the detailed steps given :component_file:`here` on generating key blobs and encrypted NVS partition images for TEE Secure Storage. Application Example ------------------- -The :example:`tee_secure_storage ` example demonstrates how to generate ECDSA key pairs and AES-256-GCM keys in the TEE secure storage and use them for signing messages and encrypting/decrypting data. +The :example:`tee_secure_storage ` example demonstrates how to generate ECDSA key pairs and AES-256 keys in the TEE secure storage and use them for signing messages and encrypting/decrypting data. API Reference ------------- diff --git a/docs/en/security/tee/tee.rst b/docs/en/security/tee/tee.rst index 8f3dd2582a..7886577d9e 100644 --- a/docs/en/security/tee/tee.rst +++ b/docs/en/security/tee/tee.rst 
@@ -96,7 +96,7 @@ Example partition table is given below: :: # ESP-IDF Partition Table # Name, Type, SubType, Offset, Size, Flags tee_0, app, tee_0, 0x10000, 192K, - secure_storage, data, tee_sec_stg, 0x40000, 64K, + secure_storage, data, nvs, 0x40000, 64K, factory, app, factory, 0x50000, 1M, nvs, data, nvs, 0x150000, 24K, phy_init, data, phy, 0x156000, 4K, diff --git a/docs/zh_CN/api-guides/partition-tables.rst b/docs/zh_CN/api-guides/partition-tables.rst index 7b6b620d75..3209f1aab3 100644 --- a/docs/zh_CN/api-guides/partition-tables.rst +++ b/docs/zh_CN/api-guides/partition-tables.rst @@ -185,7 +185,6 @@ SubType 字段长度为 8 bit,内容与具体分区 Type 有关。目前,ESP .. only:: esp32c6 - ``tee-ota`` (0x90) 是 :ref:`TEE OTA 数据分区 `,用于存储所选 TEE OTA 应用分区的信息。此分区大小应为 0x2000 字节。详情请参阅 :doc:`TEE OTA <../security/tee/tee-ota>`。 - - ``tee_sec_stg`` (0x91) 是 TEE 安全存储分区,用于存储仅能被 TEE 应用程序访问的加密数据。:doc:`TEE 安全存储 <../security/tee/tee-sec-storage>` 将使用此分区存储包括加密密钥在内的敏感数据。此分区大小取决于具体的应用需求。 - ESP-IDF 还支持其他用于数据存储的预定义子类型,包括: diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst index 49dd20d283..dfc7ad7ce6 100644 --- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst +++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst @@ -14,6 +14,7 @@ NVS 加密 根据要使用的具体方案,可以选择启用 :ref:`CONFIG_NVS_ENCRYPTION` 和 :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` > ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC`` 或 ``CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC`` 实现 NVS 加密。 +.. _nvs_encr_flash_enc_scheme: NVS 加密:基于 flash 加密的方案 ------------------------------------- @@ -104,6 +105,8 @@ NVS 密钥分区 .. only:: SOC_HMAC_SUPPORTED + .. _nvs_encr_hmac_scheme: + NVS 加密:基于 HMAC 外设的方案 -------------------------------------------- diff --git a/examples/security/tee/tee_attestation/README.md b/examples/security/tee/tee_attestation/README.md index 7972351391..8718725475 100644 --- a/examples/security/tee/tee_attestation/README.md +++ b/examples/security/tee/tee_attestation/README.md 
@@ -12,7 +12,7 @@ - Digest (SHA256) - Public key corresponding to the private key used for signing (in compressed format) - Signature (`r` and `s` components) -- The token is signed using the ECDSA key stored in the designated slot ID of the TEE's Secure Storage. Subsequently, the resulting token is handed back to the REE in the output buffer specified in the secure service call. +- The token is signed using the ECDSA key stored with the configured ID of the TEE's Secure Storage. Subsequently, the resulting token is handed back to the REE in the output buffer specified in the secure service call.
Attestation: Sample Token @@ -23,7 +23,7 @@ "magic": "44fef7cc", "encr_alg": "", "sign_alg": "ecdsa_secp256r1_sha256", - "key_id": 0 + "key_id": "tee_att_key0", }, "eat": { "nonce": -1582119980, @@ -109,7 +109,7 @@ Before the project configuration and build, be sure to set the correct chip targ Open the project configuration menu (`idf.py menuconfig`). -- Configure the secure storage slot ID for generating/fetching the ECDSA keypair for attestation token signing at `(Top) → Security features → TEE: Secure Storage slot ID for EAT signing`. +- Configure the secure storage key ID for generating/fetching the ECDSA keypair for attestation token signing at `ESP-TEE (Trusted Execution Environment) → Secure Services → Attestation: Secure Storage key ID for EAT signing`. ### Build and Flash 
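Review bot: the sample token in the `@@ -23,7 +23,7 @@` hunk now reads `"key_id": "tee_att_key0",` with a trailing comma before the closing `}`, which is not valid JSON; the same sample in tee-attestation.rst has no comma, so drop it here too so the snippet can be pasted into the verification script unchanged.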
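Review bot: in the `@@ -12,7 +12,7 @@` hunk the new wording "stored with the configured ID of the TEE's Secure Storage" reads awkwardly; suggest "stored under the configured key ID in the TEE's Secure Storage", which also matches the "key ID" term used in the configuration section later in this README.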
@@ -123,10 +123,17 @@ idf.py -p PORT flash monitor See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects. -### Usage +### Example Output -- Use console commands to dump the attestation info: `tee_att_info` -- The generated token's signature can be verified using the script given below. +```log +I (438) example_tee_attest: TEE Attestation Service +I (1008) example_tee_attest: Attestation token - Length: 1538 +I (1018) example_tee_attest: Attestation token - Data: +'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":"tee_att_key0"},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":1,"device_id":"4ecc458ef4290329552b4dcdccb99d55e5ea7624f24c87b27b71515e1666f39c","instance_id":"66571b78918f4bb7ae2723f235a9e4fe1c7070ae6261ce5df7049b44b1f8a318","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"1.0.0","idf_ver":"v5.5-dev-2978-gd75a0105dac-dirt","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"5213904fd8ca7538776bdf372c08c13138f20b2fac3503bc878f19c6e36a710d","digest_validated":true,"sign_verified":false,"secure_padding":false}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.5-dev-2978-gd75a0105dac-dirt","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"65c905fc0fc135fdfa8def210d1c186627cb3a17ecb2e7f020b56411b2d2fc76","digest_validated":true,"sign_verified":false,"secure_padding":false}},"bootloader":{"type":0,"ver":"01000000","idf_ver":"v5.5-dev-2978-gd75a0105dac-dirt","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"9efd37d29266f3239f7c6a095df880f1e85e41505f154cfd3bbfad4b8a2b18dd","digest_validated":true,"sign_verified":false}}}},"public_key":{"compressed":"02ce0188c61b0118c86ca20af7e01185dd687c6698b2265a288fee845d083e9066"},"sign":{"r":"362e2053bab26c779559793b2eae89e96c1a058e5fffc49d544d07b934ce3b32","s":"fc5f0e4d329fc6e031cbf42
5ef62d4756b728392b2a77282baa1f15b554d2716"}}' +I (1148) main_task: Returned from app_main() +``` + +**Note:** The generated token's signature can be verified using the script given below.
Attestation: Verifying the generated token @@ -181,19 +188,3 @@ assert vk.verify_digest(signature, digest, sigdecode=sigdecode_der) print('Token signature verified!') ```
- -### Example Output - -```log -I (416) main_task: Calling app_main() -I (416) example_tee_attest: TEE Attestation Service - -Type 'help' to get the list of commands. -Use UP/DOWN arrows to navigate through command history. -Press TAB when typing command name to auto-complete. -I (476) main_task: Returned from app_main() -esp32c6> tee_att_info -I (6206) cmd_tee_attest: Attestation token - Length: 1525 -I (6206) cmd_tee_attest: Attestation token - Data: -'{"header":{"magic":"44fef7cc","encr_alg":"","sign_alg":"ecdsa_secp256r1_sha256","key_id":0},"eat":{"nonce":-1582119980,"client_id":262974944,"device_ver":1,"device_id":"4ecc458ef4290329552b4dcdccb99d55e5ea7624f24c87b27b71515e1666f39c","instance_id":"77eb3dfec7633302fe4bcf04ffe3be5e83c0513057aa070d387f1e8350271329","psa_cert_ref":"0716053550477-10100","device_status":165,"sw_claims":{"tee":{"type":1,"ver":"1.0.0","idf_ver":"v5.5-dev-727-g624f640f61d-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"6e6548a5d64cd3d6e2e6dc166384f32f73558fbd9c0c0985c6095d643f053eb5","digest_validated":true,"sign_verified":false,"secure_padding":false}},"app":{"type":2,"ver":"v0.1.0","idf_ver":"v5.5-dev-727-g624f640f61d-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"7f10992d4bb32c497184fd2da0e3a593b235d82bde24de868c8eb4636d4b7bdc","digest_validated":true,"sign_verified":false,"secure_padding":false}},"bootloader":{"type":0,"ver":"01000000","idf_ver":"v5.5-dev-727-g624f640f61d-dirty","secure_ver":0,"part_chip_rev":{"min":0,"max":99},"part_digest":{"type":0,"calc_digest":"2cdf1bac1792df04ad10d67287ef3ab7024e183dc32899a190668cbb7d21a5a8","digest_validated":true,"sign_verified":false}}}},"public_key":{"compressed":"030df5c5fd9a4096a58ba16dfc4f1d53781bab555fc307d71367f0afc663005174"},"sign":{"r":"c3a0fc8ce3cd1dec2a0e38c4a63c03bd1e044febd5847178fe304b06d48b3eaf","s":"c8e34bc5d854e728cffdfd701ea09deabc9a9a22c4b06f312a61a1448a56b8b1"}}' -``` \ No 
newline at end of file diff --git a/examples/security/tee/tee_secure_storage/README.md b/examples/security/tee/tee_secure_storage/README.md index b83898d454..6ecc359260 100644 --- a/examples/security/tee/tee_secure_storage/README.md +++ b/examples/security/tee/tee_secure_storage/README.md @@ -8,19 +8,15 @@ - This example demonstrates the ESP-TEE framework's Secure Storage with two workflows: - Signing and verification - Create and securely store an ECDSA `secp256r1` keypair in a protected memory space i.e. the secure storage partition - - Sign a message in the TEE (given its digest) using the ECDSA keypair stored in the given slot ID - - Retrieve the ECDSA public key associated with the private key for the given slot ID + - Sign a message in the TEE (given its digest) using the ECDSA keypair stored with the given ID + - Retrieve the ECDSA public key associated with the private key with the given ID - Verify the generated signature in the REE - Encryption and decryption - Generate and securely store an AES-256 key in the secure storage partition - - Encrypt a message in the TEE using the AES key stored in the given slot ID with the `aes-256-gcm` algorithm and generate an authentication tag + - Encrypt a message in the TEE using the AES key stored with the given ID with the `aes-256-gcm` algorithm and generate an authentication tag - Decrypt the ciphertext using the same AES key and validate the authentication tag - Verify that the decrypted message matches the original -### Notes - -- Secure Storage currently supports only the `ecdsa-secp256r1-sha256` algorithm for signing and the `aes-256-gcm` algorithm for encryption. - ## How to use the example ### Hardware Required 
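Review bot: in the `@@ -8,19 +8,15 @@` hunk, "stored with the given ID" and "associated with the private key with the given ID" would read better as "stored under the given key ID" and "for the given key ID", consistent with "Secure Storage Key ID" in the configuration section. Dropping the "Notes" section also removes the only explicit statement that the example uses `ecdsa-secp256r1-sha256` and `aes-256-gcm`; the bullets still name `secp256r1` and `aes-256-gcm`, but since the sec-storage doc in this patch now lists `ecdsa_secp192r1` as well, consider stating that this example exercises the secp256r1 variant only.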
@@ -33,24 +29,26 @@ Before the project configuration and build, be sure to set the correct chip targ Open the project configuration menu (`idf.py menuconfig`). -- Configure the secure storage slot ID for storing the ECDSA keypair at `Example Configuration → TEE: Secure Storage keypair slot ID`. +- Configure the secure storage example key ID at `Example Configuration → TEE: Secure Storage Key ID`. -The TEE Secure Storage feature supports two modes for determining which eFuse block stores the encryption key: +TEE Secure Storage follows the NVS partition format and uses an AES-XTS encryption scheme derived via the HMAC peripheral. It supports two key derivation modes, configurable via `CONFIG_SECURE_TEE_SEC_STG_MODE`: -- **Development** Mode: The encryption key is embedded (constant for all instances) in the ESP-TEE firmware. -- **Release** Mode: The encryption key is stored in eFuse BLK4 - BLK9, depending on the `SECURE_TEE_SEC_STG_KEY_EFUSE_BLK` Kconfig option. + - **Development** Mode: Encryption keys are embedded in the ESP-TEE firmware (identical across all instances). + - **Release** Mode: Encryption keys are derived via the HMAC peripheral using a key stored in eFuse, specified by `CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID`. -#### Configure the eFuse Block ID for Encryption Key Storage +#### Configure the eFuse key ID storing the HMAC key -- Navigate to `Security features → Trusted Execution Environment → TEE: Secure Storage Mode` and enable the Release mode configuration. -- Set the eFuse block ID to store the encryption key in `Security features → Trusted Execution Environment → TEE: Secure Storage encryption key eFuse block`. +- Navigate to `ESP-TEE (Trusted Execution Environment) → Secure Services → Secure Storage: Mode` and enable the `Release` mode configuration. +- Set the eFuse key ID storing the HMAC key at `ESP-TEE (Trusted Execution Environment) → Secure Services → Secure Storage: eFuse HMAC key ID`. 
-**Note:** Before running the example, users must program the encryption key into the configured eFuse block - refer to the snippet below. The TEE checks whether the specified eFuse block is empty or already programmed with a key. If the block is empty, an error will be returned; otherwise, the pre-programmed key will be used. +**Note:** Before running the example, users must program the HMAC key into the configured eFuse block - refer to the snippet below. The TEE checks whether the specified eFuse block is empty or already programmed with a key. If the block is empty, an error will be returned; otherwise, the pre-programmed key will be used. ```shell -# Programming the user key (256-bit) in eFuse +# Generate a random 32-byte HMAC key +openssl rand -out hmac_key_file.bin 32 +# Programming the HMAC key (256-bit) in eFuse # Here, BLOCK_KEYx is a free eFuse key-block between BLOCK_KEY0 and BLOCK_KEY5 -espefuse.py -p PORT burn_key BLOCK_KEYx user_key.bin USER +espefuse.py -p PORT burn_key BLOCK_KEYx hmac_key_file.bin HMAC_UP ``` ### Build and Flash
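Review bot: in the `@@ -33,24 +29,26 @@` hunk the note says the TEE only checks whether the eFuse block is "empty or already programmed with a key", but the tee-sec-storage.rst hunk in this patch states that an error is raised unless a key with the required purpose is found; say here that the key must be burned with purpose `HMAC_UP` and that the `x` in `BLOCK_KEYx` must equal the value set for `CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID`, otherwise a reader can burn the key into one block and configure another. The snippet also differs from the rst (`espefuse.py ... burn_key` here, `idf.py efuse-burn-key` there); use one form in both places. Since `hmac_key_file.bin` is the root secret from which the storage keys are derived, a sentence asking the user to keep it out of the build tree and version control would fit right after the `openssl rand` line.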
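Review bot: in the tee-sec-storage.rst hunk the command `idf.py -p PORT efuse-burn-key hmac_key_file.bin HMAC_UP` omits the eFuse block argument, whereas the example README hunk passes it as `espefuse.py -p PORT burn_key BLOCK_KEYx hmac_key_file.bin HMAC_UP`; `burn_key` takes the block name before the key file, so the rst command as written will not burn the key. Suggest `idf.py -p PORT efuse-burn-key BLOCK_KEYx hmac_key_file.bin HMAC_UP` with the same "BLOCK_KEYx matches the configured HMAC key ID" comment the README uses. The "important" box says the key is exclusive to the TEE and "CANNOT be used by the REE", but the doc does not say whether the key block is expected to be read-protected; in Release mode a readable HMAC key would let REE code recompute the XTS keys, so state the expected read-protection explicitly. Minor wording in the Tools section: "produce an encrypted images" should be "produce encrypted images", and "Refer the detailed steps" should be "Refer to the detailed steps"; "TEE Secure storage" in the second paragraph should use the same capitalisation as elsewhere.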
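Review bot: the partition-tables.rst hunks (English and zh_CN) delete the ``tee_sec_stg`` (0x91) entry without replacing it, so the partition-table guide no longer mentions TEE Secure Storage at all while the ``tee-ota`` (0x90) entry directly above still links to its doc; since the tee-sec-storage.rst hunk says the partition is now type ``data``, subtype ``nvs``, and must be labelled ``secure_storage``, add a one-line note under the ``nvs`` subtype (or next to the ``tee-ota`` entry) pointing to that doc, and consider a comment in the tee.rst example table marking which of the two ``nvs`` partitions belongs to the TEE, because the table alone no longer distinguishes them.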
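Review bot: in the nvs_encryption.rst hunks the new ``.. _nvs_encr_hmac_scheme:`` target is followed by an added blank line, but the ``.. _nvs_encr_flash_enc_scheme:`` target added in the first hunk shows no blank line before the "NVS Encryption: Flash Encryption-Based Scheme" heading; docutils requires explicit markup to end with a blank line, so check that the rendered build does not warn and that the ``:ref:`` links in tee-sec-storage.rst resolve (same check for the zh_CN copy).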