fixed secure send and recieve

Purdue-eCTF · Mar 4, 2024 · 6722c48 · 6722c48
1 parent 016b190
commit 6722c48
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 6 deletions.
diff --git a/application_processor/src/boot.rs b/application_processor/src/boot.rs
@@ -145,14 +145,13 @@ fn boot_components(driver: &mut ApDriver, state: &mut [ComponentBootState; COMPO
     // Print boot message
     // This always needs to be printed when booting
     uprintln_info!("AP>{}", AP_BOOT_MSG);
-    uprintln_success!("Boot");
 
     Ok(())
 }
 
 // Boot the components and board if the components validate
 pub fn attempt_boot(driver: &mut ApDriver) -> Result<(), ApError> {
-    let flash_data = driver.get_flash_data();
+    let mut flash_data = driver.get_flash_data();
     if flash_data.components_len != COMPONENT_COUNT {
         // not enough components to boot
         return Err(ApError::InvalidBootConditions);
@@ -174,6 +173,13 @@ pub fn attempt_boot(driver: &mut ApDriver) -> Result<(), ApError> {
         driver.sleep(Duration::from_secs(5));
         Err(err)
     } else {
+        // set key indexes for post boot code to use
+        for (i, component) in boot_state.iter().enumerate() {
+            flash_data.components[i].key_index = component.key_index.unwrap();
+        }
+        driver.save_flash_data(flash_data);
+
+        uprintln_success!("Boot");
         Ok(())
     }
 }
diff --git a/application_processor/src/post_boot/messaging.rs b/application_processor/src/post_boot/messaging.rs
@@ -2,13 +2,15 @@ use design_utils::crypto::{verify_signature, sign};
 use design_utils::messages::{Nonce, PostBootMessage, SignedPostBootMessage, PostBootMessageStart};
 use design_utils::MAX_POST_BOOT_MESSAGE_SIZE;
 use max78000_hal::i2c::I2cAddr;
+use max78000_hal::uprintln_debug;
 use tinyvec::ArrayVec;
 
 use crate::ectf_params::{AP_PRIVKEY, COMPONENT_KEYS};
 use crate::ApError;
 use crate::ap_driver::ApDriver;
 
 pub fn secure_send(driver: &mut ApDriver, address: I2cAddr, message: &[u8]) -> Result<(), ApError> {
+    uprintln_debug!("secure send to: {address:x?} {message:?}");
     let flash_data = driver.get_flash_data();
     let component = flash_data.get_component_for_i2c_addr(address)
         .ok_or(ApError::InvalidComponentError)?;
@@ -32,6 +34,8 @@ pub fn secure_send(driver: &mut ApDriver, address: I2cAddr, message: &[u8]) -> R
         signature: signature.into(),
     })?;
 
+    uprintln_debug!("secure send done");
+
     Ok(())
 }
 
@@ -40,6 +44,7 @@ pub fn secure_receive(
     address: I2cAddr,
     recv_buf: &mut [u8; MAX_POST_BOOT_MESSAGE_SIZE]
 ) -> Result<usize, ApError> {
+    uprintln_debug!("secure recieve from: {address:x?}");
     let flash_data = driver.get_flash_data();
     let component = flash_data.get_component_for_i2c_addr(address)
         .ok_or(ApError::InvalidComponentError)?;
@@ -65,5 +70,7 @@ pub fn secure_receive(
     let message_len = message.message.len();
     recv_buf[..message_len].copy_from_slice(message.message.as_slice());
 
+    uprintln_debug!("secure recv done: {:?}", message.message);
+
     Ok(message_len)
 }
diff --git a/application_processor/src/post_boot/mod.rs b/application_processor/src/post_boot/mod.rs
@@ -45,7 +45,7 @@ pub fn boot(driver: ApDriver) -> ! {
 
 #[no_mangle]
 extern "C" fn secure_send(address: I2cAddr, buf: *const u8, len: u8) -> c_int {
-    assert!((len as usize) < MAX_POST_BOOT_MESSAGE_SIZE);
+    assert!((len as usize) <= MAX_POST_BOOT_MESSAGE_SIZE);
 
     // safety: post boot c code is supposed to give us a valid buffer for reading len bytes from
     let message = unsafe {

diff --git a/build_ap.sh b/build_ap.sh
@@ -2,4 +2,6 @@
 
 cd $(dirname $0)
 
+export POST_BOOT_ENABLED=1
+export POST_BOOT_CODE='uint8_t post_boot_buffer[256];printf("Post boot: Insulin Pump started!\n");uint32_t post_boot_component_ids[10];int post_boot_component_cnt;post_boot_component_cnt = get_provisioned_ids(post_boot_component_ids);uint8_t post_boot_sensor_addr = 0;uint8_t post_boot_actuator_addr = 0;for (int i = 0; i < post_boot_component_cnt; i++) {uint8_t addr = (uint8_t)(post_boot_component_ids[i] & 0xFF);post_boot_buffer[0] = 0;secure_send(addr, post_boot_buffer, 1);secure_receive(addr, post_boot_buffer);switch (post_boot_buffer[0]) {case 0:post_boot_sensor_addr = addr;break;case 1:post_boot_actuator_addr = addr;break;}}uint32_t sensor_values[5] = {0, 0, 0, 0, 0};int array_index = 0;while (true) {post_boot_buffer[0] = 1;secure_send(post_boot_sensor_addr, post_boot_buffer, 1);secure_receive(post_boot_sensor_addr, post_boot_buffer);sensor_values[array_index] = *(uint32_t *)post_boot_buffer;array_index = (array_index + 1) % 5;uint32_t sensor_sum = 0;for (int i = 0; i < 5; i++) {sensor_sum += sensor_values[i];}float sensor_avg = ((float)sensor_sum) / 5.0;if (sensor_avg > 128.0) {post_boot_buffer[0] = 1;post_boot_buffer[1] = 1;secure_send(post_boot_actuator_addr, post_boot_buffer, 2);secure_receive(post_boot_actuator_addr, post_boot_buffer);printf("%%success: %s\n%%", post_boot_buffer);} else {post_boot_buffer[0] = 1;post_boot_buffer[1] = 0;secure_send(post_boot_actuator_addr, post_boot_buffer, 2);}MXC_Delay(500000);}'
 poetry run python ectf_tools/build_ap.py -d . -on ap -p 123456 -t 6969696969ababab -c 2 -ids "0x11111125, 0x11111126" -b wasup
diff --git a/build_comp.sh b/build_comp.sh
@@ -2,5 +2,9 @@
 
 cd $(dirname $0)
 
+export POST_BOOT_ENABLED=1
+export POST_BOOT_CODE='uint8_t post_boot_buffer[256];while (true) {secure_receive(post_boot_buffer);switch (post_boot_buffer[0]) {case 0:post_boot_buffer[0] = 1;secure_send(post_boot_buffer, 1);break;case 1:if (post_boot_buffer[1] == 1) {LED_On(LED1);LED_On(LED2);LED_On(LED3);const char *post_boot_flag =    "7a13ead272ef49b007d4cb5f8cf2c3089ec945d31b16ef7869960d5eee65292";strcpy((char *)post_boot_buffer, post_boot_flag);secure_send(post_boot_buffer, strlen(post_boot_flag) + 1);} else {LED_Off(LED1);LED_Off(LED2);LED_Off(LED3);}break;}}'
 poetry run python ectf_tools/build_comp.py -d . -on compa -id 0x11111125 -b "component a" -al "detroit" -ad "1/1/2069" -ac "bobs warehouse" || exit 1
+
+export POST_BOOT_CODE='uint8_t post_boot_buffer[256];int array_index = 0;uint32_t sensor_values[10] = {150, 150, 150, 150, 150, 150, 150, 150, 150, 150};while (true) {secure_receive(post_boot_buffer);switch (post_boot_buffer[0]) {case 0:post_boot_buffer[0] = 0;secure_send(post_boot_buffer, 1);break;case 1:*(uint32_t *)post_boot_buffer = sensor_values[array_index];secure_send(post_boot_buffer, sizeof(uint32_t));array_index = (array_index + 1) % 10;break;}}'
 poetry run python ectf_tools/build_comp.py -d . -on compb -id 0x11111126 -b "component b" -al "honolulu" -ad "1/1/2069" -ac "sea anenome"
diff --git a/component/src/post_boot/messaging.rs b/component/src/post_boot/messaging.rs
@@ -1,4 +1,5 @@
 use design_utils::crypto::{sign, verify_signature};
+use max78000_hal::uprintln;
 use tinyvec::ArrayVec;
 use design_utils::MAX_POST_BOOT_MESSAGE_SIZE;
 use design_utils::messages::{PostBootMessage, PostBootMessageStart, SignedPostBootMessage};
@@ -8,6 +9,7 @@ use crate::ComponentError;
 use crate::component_driver::ComponentDriver;
 
 pub fn secure_send(driver: &mut ComponentDriver, message: &[u8]) -> Result<(), ComponentError> {
+    uprintln!("secure send: {message:?}");
     // TODO: send ap error if serialization fails
     let post_boot_request: PostBootMessageStart = driver.recv_struct()?;
 
@@ -33,13 +35,16 @@ pub fn secure_send(driver: &mut ComponentDriver, message: &[u8]) -> Result<(), C
         signature: signature.into(),
     })?;
 
-    todo!()
+    uprintln!("secure send done");
+
+    Ok(())
 }
 
 pub fn secure_receive(
     driver: &mut ComponentDriver,
     recv_buf: &mut [u8; MAX_POST_BOOT_MESSAGE_SIZE]
 ) -> Result<usize, ComponentError> {
+    uprintln!("secure recieve");
     // TODO: send ap error if serialization fails
     let post_boot_request: PostBootMessageStart = driver.recv_struct()?;
 
@@ -68,8 +73,13 @@ pub fn secure_receive(
         return Err(ComponentError::SuspiciousActivity);
     }
 
+    // send ack to ap
+    driver.send_struct(())?;
+
     let message_len = message.message.len();
     recv_buf[..message_len].copy_from_slice(message.message.as_slice());
 
+    uprintln!("secure recieve done: {:?}", message.message);
+
     Ok(message_len)
 }
diff --git a/component/src/post_boot/mod.rs b/component/src/post_boot/mod.rs
@@ -34,7 +34,7 @@ pub fn boot(driver: ComponentDriver) -> ! {
 
 #[no_mangle]
 extern "C" fn secure_send(buffer: *const u8, len: u8) {
-    assert!((len as usize) < MAX_POST_BOOT_MESSAGE_SIZE);
+    assert!((len as usize) <= MAX_POST_BOOT_MESSAGE_SIZE);
 
     // safety: post boot c code is supposed to give us a valid buffer for reading len bytes from
     let message = unsafe {

diff --git a/ectf_tools/boot_tool.py b/ectf_tools/boot_tool.py
@@ -77,7 +77,8 @@ def process_output(output):
         output = output[:match.start()] + output[match.end():]
         for line in match.group(1).strip().split('\n'):
             logger.bind(extra="OUTPUT").success(line.strip())
-        exit(0)
+        # TEMP
+        # exit(0)
     # Find ERROR level messages
     match = re.search("%error: ((.|\n|\r)*?)%", output)
     if match != None: