wiki:HLKTesting

Introduction

Microsoft has some documentation about HLK testing and WHQL signing, but it is quite incomplete, and there is lots of room for speculation and anecdotes. Practical testing is often required to understand the requirements fully. Therefore some of the requirements documented in this article are bound to change.

Different Windows versions have different kernel-mode signing options:

  • Windows 7/8/8.1/Server 2012r2
    • Cross-signing
    • WHQL-certified (HCR)
  • Windows 10 desktop
    • Attestation signing
    • WHQL-certified (HLK)
  • Windows Server 2016/2019
    • WHQL-certified (HLK)

In this article we focus on HLK testing, which allows getting a WHQL signature for a kernel-mode driver. This is the only way to make a driver load on Windows Server 2016 and later.

Getting source code for tap-windows6

Sgstair patched tap-windows6 to pass the HLK tests. His work has now been merged to the upstream tap-windows6 project

HLK test environment overview

HLK testing always requires a HLK Controller/Studio node, plus one or more HLK clients. The HLK client Windows version and HLK versions need to be in sync as described in MS documentation. For example, if your goal is to get a signature for Windows Server 2019 you need to use HLK 1809. This requirement is clearly outlined in the HLK 1809 release blog post. Additionally since HLK 1709 release HLK will support testing a single Windows 10 version only.

According to practical testing done by wintun developers it is possible to get a code signature that is valid for all Windows 10 platforms using the following HLK clients:

Wintun was able to pass HLK testing without any physical HLK clients. But because Wintun advertised itself as a virtual device it had a narrower scope and had to pass fewer HLK tests (~50 in total) than tap-windows6 (68 tests with filters applied).

For the HLK controller you can use a virtualized (Virtualbox, VMware) Windows Server 2016 or 2012r2 instance.

For tap-windows6 testing a support machine is also needed. To be on the safe side use the same OS version and build as the HLK client.

There are some additional requirements for tap-windows6 that stem from generic LAN testing prerequisites:

  • HLK client needs at least 4 virtual processor cores (unverified) for Windows Server certification
  • HLK clients need to be physical computers, not virtualized (unverified)

Also try to get a quality fast network switch. Slow switches can cause issues on some of the tests. However, a cheap 10€ switch may end up working just fine.

Installing HLK software

For HLK software installation please refer to the official MS documentation, check out puppet-hlk and puppet-hlk_tap6_openvpn or try out the Windows Virtual Hardware Lab Kit.

The version of HLK you need to install depends on the version of Windows you're attempting certify as described in Microsoft documentation. To check Windows version from Powershell do:

PS> [System.Environment]::OSVersion.Version

Preparing HLK clients

For multimachine tests you need to name some of the devices on the HLK test client (that actually runs the tests) and support machine (second machine that is connected “back to back” through the VPN). The non-VPN interface through which the nodes communicate with the HLK controller should be named "MessageDevice?" and the tap-windows6 adapter on the support machine should be named "SupportDevice0". Details in LAN testing prerequisites.

You also have to enable test signing so that you can load unsigned ("to be tested") drivers on both HLK client and support machine:

PS> bcdedit /set testsigning on
PS> shutdown /r

Then you need to install the HLK client software from the HLKInstall SMB share on the controller.

You also need the automatically generated test certificate ("WDKTest*") from the tap-windows6 build machine to the Windows certificate store on the HLK clients. After all this you can install the test-signed driver without signature errors.

Setting up OpenVPN for HLK tests

The "Run tests" in HLK fail consistently unless the tap-windows6 adapter has an IPv6 gateway address. This can be resolved by a simple bridged peer to peer OpenVPN setup, where interface settings are configured statically outside of OpenVPN.

The first steps are:

  • Install the latest OpenVPN 2.x on the HLK client and support machine
  • Install the same, test-signed (to-be-HLK-tested) tap-windows6 driver on the HLK clients
  • Configure static IP, netmask, gateway, etc. for the TAP interface
  • Disable Windows Firewall for the TAP adapter / Private networks. This is not strictly necessary, but saves time.

Then generate a shared secret with "openvpn --genkey" so that you can use it in the OpenVPN config. The OpenVPN configuration file for HLK client and support machines can be identical except for the "remote" settings:

dev tap
mode p2p
cipher AES-256-CBC
secret hlk.key
remote <remote>
verb 3

The above setup is symmetric in the sense that neither node is a client or a server, and either one can initiate the connection. This is similar to what is described in the static key mini-howto.

To verify OpenVPN connectivity launch it from an administrator Powershell session first on both machines:

PS> cd C:\Program Files\OpenVPN\config
PS> ..\bin\openvpn.exe --config hlk.ovpn

If you see that connection was established try to ping the VPN IPs (IPv4 and IPv6) of the other party from both ends. If that succeeds, you can stop OpenVPN and let OpenVPNService manage it from there on:

PS> Set-Service OpenVPNService -StartupType Automatic -Status Running

Some have had more luck with the legacy service (OpenVPNServiceLegacy).

Preparing HLK studio/controller

Select the device to test

When you have created a Project the next step is to select what to test. Go to "Selection" tab and select "TAP-Windows Adapter V9" of the HLK client (not support) machine.

Set product type

In the HLK Studio's Project tab you will see a category called "Product Types" at the right, like in here. When you create a new project the "Product Types" section will be empty, and you need to make it says LAN, or you end up doing all the testing work and only get certified as an "Other Driver".

HLK product types are listed in the product type matrix. The way to add the "LAN" product type is to go to the "Selection" Tab, select "Device Manager" on the left, then right click on the TAP adapter and add the feature for Device.Network.LAN.PM (power management). HLK then notices that all features for the "LAN" product type are met and it adds the "LAN" product type to the project.

Loading compatibility playlists

Make sure to get the HLK Hardware Compatibility Playlists (on the main HLK download page), and apply the one for the correct context, e.g. HLK Version 1809 CompatPlaylist? x64 Server.xml. The playlist narrows down the list of tests to the set required to get an HLK certification, removes some extra stress/failure verification type tests designed to help find driver crashes. There’s a “Load Playlist” option in the tests panel in the HLK studio app that you can use.

Adding machines to pool

It seems required/useful to add HLK clients to the pool first, then the support machine. Otherwise when you select the driver in "Device manager" tab HLK will assume that the HLK support machine has the driver under test. This may create problems down the line.

Configuring and running the mandatory HLK tests

Multi-machine tests

Then when you go to schedule the multimachine test, you can change the “role” dropdown to the support machine, and select the support machine (should be there if you have two ready machines in the pool).

Some of the non-NDIS tests that require “a working network connection” can just be given a valid IPV6 address on the VPN network and they will be happy with that. Whenever you see the “WDTFREMOTESYSTEM” parameter when scheduling a test, set it to an IPv6 address the system can ping over the VPN link. This could be the ipv6 address of the “support” system, or it could be some other arbitrary system on the VPN. This might not be necessary if the device under test has a working IPv6 gateway address that points to, say, support machine's tap adapter interface. But wearing belt and suspenders is not a bad idea when running HLK tests.

NDISTest 6.5 - 2 machine - Linkcheck

This test tests plugging and unplugging the (virtual) ethernet cable.

For this test you have two options:

  • Start and stop the service when running this to make the link start and stop
    • Note that you can't do this from Powershell prompt of the DTMLLUAdminUser which you may end up being in. You can still use the graphical services management, or possibly use an elevated Powershell prompt.
  • Use Tapdiag to change link state on the test system

In either case follow the interactive messagebox prompts. You may need to detach and attach the "cable" twice.

NDISTest 6.0 - 2 Machine - 2c_Priority

Use Tapdiag to enable 802.1Q on both machines before running the NDIS QoS test (2c_Priority).

The process for using tapdiag is:

  1. tapdiag /enable # Sets a registry key that enables the .tapdiag endpoint in the driver
  2. Restart the TAP driver, reboot or disable/enable in device manager. May need to stop the openvpn service to avoid a reboot – Reconnect VPN
  3. tapdiag /link:[on|off] # Use to unplug/plug ethernet cable
  4. tapdiag /setq:[on|off|always] # to set the 802.1Q handling. Driver now disables 802.1Q by default.

Note that the tapdiag configuration is runtime only – if you reboot the test machine, you will lose the 802.1Q state.

NDISTest 6.5 - 2 Machine - AddressChange

This will definitely fail on slower machines. It worked fine on 1 year old i7 systems.

NDISTest 6.5 - 2 Machine - E2EPerf

The E2EPerf test seems to fail if the test adapter and the support adapter have different link speeds. This is visible from the logs of "Run NDISTest Client (no verifier)":

ERROR: Support Adapter must be connected at a link speed greater than or equal to the Test Adapter

This is a problem if the support machine has an old tap-windows6 driver version that claims to be 100Mbps whereas the device under test ("DUT") is advertising itself as 1Gbps device. Resolve by installing the correct (1Gbps) tap-windows6 driver version to the support machine as well.

NDISTest 6.0 - 1 machine - 1c_FaultHandling

This test can if you happen to have even one Network device that does not have a functional driver. The failure will then happen at the "Run NDISTest Client" phase when it tries to stop the (tap-windows6) driver:

Error:        Unable to stop driver
Error Type:   NT_STATUS
Error Code:   0x5473
Error Text:   Error 0x00005473

More details are available in the log file ndistest.htm:

Variation #3 StopDriver
StopDriver
 - GUID: {0CCB2729-3A97-4B26-863E-1FA8162F2F99}
[1062062]NDTSupp: Unable to open NetCfg device registry key. Error = 0xe0000204
Unable to collect setup information for all network devices

Unable to build PNP information translation list

[1062062]NDTSupp: Unable to convert GUID to an instance ID
FAILED: [21619] Unable to stop driver

The only hint here that tap-windows6 itself might not be to blame is the phrase "all network devices". In my case on Windows Server 2019 Datacenter Evaluation the problem was a Wireless LAN adapter whose driver was not functioning properly. The fix was to disable Wireless LAN altogether from BIOS. Installing a working driver would probably have solved the problem as well.

Once you get past these failure, at the end of the test OpenvpnService might not re-establish a link. WHQL seems to get the OpenVPN service into a bad state, just restart the OpenVPN service and the test will pass. The test waits a few minutes for the link to come back up.

NDISTest 6.0 - 1 machine - 1c_NdisRequestCov

This test may fail at "Run NDISTest Client" -> "Restore protocol bindings" phase:

Error:        Unable to restore device settings at the end of the test
Error Type:   NT_STATUS
Error Code:   0x15b38
Error Text:   Error 0x00015b38

While the error message is not the same as with 1c_FaultHandling and with 1c_Registry, the cause seems to be the same, as well as the remedy: ensure that you don't have any disfunctional network device (drivers).

NDISTest 6.0 - 1 machine - 1c_Registry

This test has the same issues as 1c_FaultHandling, above. The same remedies apply.

NDISTest 6.0 - 2 machine - 2c_Mini6Stress

Sometimes this test will hit a breakpoint in the NDIS test code. The breakpoint seems harmless and complained about some packets not getting confirmed. If you don't connect a kernel debugger this will cause a BugCheck and the test will fail. If this happens connect a kernel debugger and rerun the test. When the breakpoint is hit press (l) Always Ignore and the test will pass.

You may also get away with just rerunning the test until it passes.

TDI filters and LSPs are not allowed

This test may fail due to broken network drive mappings. The hints are available in "Infrastructure -> Execution Logs -> WttEa?.log:

2980 4496 2019:5:31 18:48:8:90 Error: 0x8205aaaf, Error 0x8205aaaf   winsockerror code of 11001
  File=sdktools\wtt\jobs\wtttransportproviders\wttcommtcpip\src\wttcommtcpip.cpp Line=656
  PersistManager:EA:JobCancel::token::57M710T->
--- snip --
2980 5488 2019:5:31 18:48:11:210 Error: 0x800704c3, Multiple connections to a server or shared
  resource by the same user, using more than one user name, are not allowed. Disconnect all
  previous connections to the server or shared resource and try again.
  CRunManager::GetLogLocation()::(null)::CAUSE:Error returned from EnableShareAccess to the root
  of "\\controller.hlk.local\HLKLogs\EaFolderAccessCheck\4825BE12-3B91-4414-B8E2-5AD703D69BB3"
  File=sdktools\wtt\jobs\runtime\wttexecutionagent\eamanager\runmanager\src\runmanager.cpp Line=2379    

If this happens you should see a network share that is unavailable:

PS C:\Users\Administrator> net use
New connections will be remembered.

Status       Local     Remote                                     Network
-------------------------------------------------------------------------------------------
Unavailable  R:        \\hlk-controller.openvpn.in\HLKInstall     Microsoft Windows Network

The command completed successfully.

To resolve, unmount the network drive:

PS C:\Users\Administrator> net use R: /DELETE                              
R: was deleted successfully.

Static Tools Logo Test

The Static Tools Logo Test checks for the presence of a Driver Verification Log (DVL) log file as described in the official MS documentation. The verification log does not have to come from the same build as the one you install to the HLK clients, but it almost certainly has to be based on the exact same source code.

Tap-windows6 buildsystem runs code analysis automatically for x64 Release builds, so build that variant as the first step. Test analysis files are under directory tap-windows6\src\x64\Release named as <sourcefile>.nativecodeanalysis.xml. Results of the code analysis are not enough, as you also need to Creating a log file for Static Driver Verifier.

Creating the Static Driver Verifier logs is a simple process once you know it. Launch a x64 Native Tools command prompt that comes with Visual Studio 2019. Then

PS> cd tap-windows6\src
PS> msbuild C:\users\samuli\opt\tap-windows6\src\tap-windows6.vcxproj /p:Configuration=Release /p:Platform=x64 /target:sdv /p:inputs="/check"

Note that you need to "cd" to the "src" directory. You also need to provide the full path to the vcxproj file. The SDV tests will take quite a bit of time so don't wait holding your breath.

Once they pass you need to merge the results of SDV and codeanalysis. You can do this from Visual Studio 2019 from the "Extensions" -> "Driver" menu, or using the command-line:

cd tap-windows6\src
$ msbuild tap-windows6.vcxproj /target:DVL /p:Configuration=Release;Platform=x64

The end result is a file called tap0901.DVL.XML, which you should copy to C:\DVL on one of the HLK clients, after which the Static Tools Logo Test should pass.

Various known issues

Failures to Copy downlevel NDISTest binaries

An issue that occurs in many tests and which looks serious, but is actually not that, is the error at "Copy downlevel NDISTest binaries", where it starts to look for non-existing files from the Controller SMB share:

Cause : Failed to Start the Task

Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis62\ndprot62.sys"
  Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis62\ndprot62.sys"

Failure : Failed to Start the Task "Copy downlevel NDISTest binaries"

Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis62\ndprot62.sys"

Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis61\ndprot61.sys"
  Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis61\ndprot61.sys"

Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis61\ndprot61.sys"

Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis6\ndprot60.sys"
  Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis6\ndprot60.sys"

Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis6\ndprot60.sys"

Cause : Failed to Copy File : "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis51\ndprot51.sys"
  Dest : "C:\hlk\JobsWorkingDir\Tasks\WTTJobRun76257277-2193-E911-82AA-080027895339\ndistest\bin\ntndis51\ndprot51.sys"

Cause : Cannot Find Pattern "\\controller.hlk.local\tests\AMD64\nethlk\ndistest\bin\ntndis51\ndprot51.sys"

If you mount the share manually on the HLK client you'll notice that either the entire directories or individual .sys files are missing indeed:

PS> net use X: \\controller.hlk.local\tests
The command completed successfully.
PS> Get-Childitem x:\amd64\NetHlk\NDISTest\bin\ -filter "ntndis*"

    Directory: x:\amd64\NetHlk\NDISTest\bin


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/30/2019   7:07 AM                ntndis51
d-----        5/30/2019   7:07 AM                ntndis630
d-----        5/30/2019   7:07 AM                ntndis650
d-----        5/30/2019   7:07 AM                ntndis660
d-----        5/30/2019   7:07 AM                ntndis680

While this step fails, it seems that it can fail yet the test as a whole can pass. The failure reason icon (see here) in this case should be "Canceled", i.e. "A user canceled the test, or a task has been canceled because the preceding task failed."

HLK clients can't be activated

If you upgrade HLK software on both controller and client/support you may end up with a situation where you can't put any of the clients into "Ready" state. You may be able to resolve this by removing the machines from the pool, and deleting them from the default pool, and then restarting HLKSvc service on the clients.

Packet transmission too slow

This can result in test errors like "Expected minimum of 237 packets but we received 200 packets". The test allows one second after all the sends have been completed for all the packets to be received.

Disabling verbose log printing in the server makes it more reliable.

Packets reordering

Packets can (rarely) be reordered in flight, which causes an assertion in the test driver. Hints are errors such as

  • "1 total breakpoints were hit in the protocol driver while this test was executing"
  • "Out of order indication"
  • "Dropped indications"

HLK doesn't complain if some packets are lost, instead these errors are raised when out of order packets are received.

The OpenVPN architecture has some inherent race conditions that can cause reordering of packets. This has happened 2 or 3 times over dozens of runs, and does cause a test failure, but a rerun should pass.

Address Change test failures

You may encounter failures in the "Address Change" test. It’s a combination of a few factors:

  • OpenVPN client sets the network link status around a second before the server actually starts forwarding any packets to the client. This is quite possibly an order of operations bug in openvpn.
  • That would be well and good, but the address change test has extremely aggressive timings
  • It starts sending packets almost immediately once the link status comes up, and stops listening for packets less than a second after that.

This failure seems to be related to newer OpenVPN versions. Logs for reference:

(Test system connecting after MAC address changes)

…

Wed Feb 20 22:03:43 2019 us=810407 vpnclient-nopass/192.168.1.36:1194 Data Channel MTU parms [ L:1581 D:1450 EF:49 EB:411 ET:32 EL:3 ]

Wed Feb 20 22:03:43 2019 us=810637 vpnclient-nopass/192.168.1.36:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

Wed Feb 20 22:03:43 2019 us=810765 vpnclient-nopass/192.168.1.36:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

 
(Other system starts to send test packets)

WWWWRWed Feb 20 22:03:48 2019 us=680899 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood

wWRWed Feb 20 22:03:48 2019 us=681534 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood

wWRWed Feb 20 22:03:48 2019 us=681869 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood

…

wWRWed Feb 20 22:03:49 2019 us=158052 vpnclient-nopass/192.168.1.151:1194 MULTI: unknown unicast destination [00:ff:e9:88:37:ca], flood

(Other system is done sending packets)


(Openvpn server starts forwarding packets at around this point.)

wWRRRWed Feb 20 22:03:50 2019 us=472525 vpnclient-nopass/192.168.1.36:1194 MULTI: Learn: 02:02:04:06:08:08 -> vpnclient-nopass/192.168.1.36:1194
…

Another side note – The “unicast destination [00:ff:e9:88:37:ca]” in those messages is incorrect – those packets are actually directed to the “02:02:04:06:08:08” address. The flood message in the patch is showing the source address.

HLK client version mismatches

The HLK client version (e.g. Windows 1809) needs to match the HLK version (HLK 1809). If there is a mismatch there can be some setup issues (some semantics of driver verifier configuration changed, or some of the test components might have failed on the OS version).

Controller misuses support machine

The controller seems to arbitrarily pick which machine is Support and which one is under Test. If it has trouble picking name one of the TAP adapters SupportDevice0. Picking the options in the UI didn't change the behavior. So for the tests you are baby sitting pay attention to which the server and and which one the client is. The server will run a server.htm in NDIS test so it will be obvious.

Driver parameters

Not sure if the below had any effect but was changed when doing this test:

In OemVista.inf.in: *PhysicalMediaType = 0x0 ; NdisPhysicalMediumUnspecified

This was done to be consistent with what was in constants.h, but it also seemed to get some tests passing.

Test-signing issues

You may encounter the follwoing error when building with EWDK from the command-line with buildtap.py with --hlk switch, which has test-signing enabled:

SIGNTASK : SignTool error : No certificates were found that met all the given criteria.

This happens even though a properly named (e.g. "WDKTest samuli") certificate is present under cert:\CurrentUser\My. This problem was probably caused doing a "Hlk" build from inside Visual Studio 2019 Community, which created the WDKTest certificate automatically, but in a way that EWDK was unable to use it.

This problem can be resolved by simply removing the old certificate. For example:

PS> Remove-Item Cert:\CurrentUser\My\91047502F73D5410C106E05CEC8A990219810FBE

Then just run buildtap.py with --hlk to create a new test-signing certificate.

You will also need to export the new certificate from the certificate store. For example:

PS> Get-Childitem Cert:\Currentuser\My\F1E725722C5BB56757B6D261D958425869213089|Export-Certificate -Filepath C:\users\samuli\opt\wdktest-samuli.cer

Then import that certificate to the certificate store on HLK clients. The puppet-hlk_tap6_openvpn module handles that part automatically with Powershell DSC.

HLK logging

HLK controller logs problems mostly to event logs, so when tests are failing in an unusual fashion you can possibly find out why in the event viewer. When you have issue putting an HLK client into "Ready" state, for example, have a look at the event log.

The HLK tests fortunately provide tons of logging visible for HLK Studio. Check sections "Error", "Task log", "Infrastructure" in the context menu for the test in question to see what you can find.

Debugging

It is possible to get HLK into strange states. For example:

  • HLK clients / support machines do not get into "Ready" state
  • Launching two-machine tests fail with duplicate database key errors

Some things you can try to get past these errors:

  • Restart the "hlksvc" Windows service
  • Reboot HLK nodes (controller, clients, support machine)
  • Reinstall HLK client software and reboot HLK client
  • Create a new HLK project
  • Create a new pool and move HLK client machines there
  • Delete HLK clients from the pool

The are known to work sometimes, but so far I have not been able to establish any logic here.

Addendum

Tap-windows6 as virtual network device

Changing the TAP interface type to be a virtual adapter in the INF file does not seem to work. It seems to mess up the NDIS tests which looked for a device that advertised as physical to assign a SupportDevice?. Maybe this is something we can eventually work with Microsoft to fix.

Note on reboots

Reboots seems to happen randomly during test setup. This can be a nuisance if you are monitoring the services window or the network connections window. Helpful to make shortcuts to these so they can easily be opened.

Firewall rules for HLK server and clients

Installing HLK software automatically opens ports in the Windows firewall for HLK traffic. In case HLK controller and HLK clients are not in the same switch some firewall (e.g. EC2 security group rules) might block HLK traffic. Here is a reference for the ports which need to be open for HLK tests to work:

  • OpenVPN peer (udp/1194) <-> OpenVPN peer (udp/1194)
  • HLK clients -> HLK controller tcp/1771 (HLK Server Receiver Port)
  • HLK clients -> HLK controller tcp/1782 (HLKSvc Receiver Port)
  • HLK clients -> HLK controller tcp/445 (HLKInstall Samba share)
  • HLK controller -> HLK clients tcp/1771 (HLK Server Receiver Port)

Outbound traffic is assumed to be unrestricted. If not, adjust egress rules accordingly. Also note that IPv6 traffic needs to flow properly in the OpenVPN virtual network as HLK tests require IPv6.

External links

Last modified 7 days ago Last modified on 07/08/19 17:31:37