WIP: Provisioning data exfiltration

chrysn-pull-requests · Feb 27, 2025 · b4170e7 · b4170e7
1 parent 3de94c3
commit b4170e7
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 2 deletions.
diff --git a/laze-project.yml b/laze-project.yml
@@ -121,6 +121,15 @@ contexts:
         cmd:
           - ${CARGO_PRESHELL} ${CARGO_ENV} ${CARGO} ${CARGO_TOOLCHAIN} ${CARGO_ARGS} embed --${PROFILE} ${FEATURES} --chip ${PROBE_RS_CHIP} --config-file ${EMBED_CONFIG}
 
+      provision:
+        build: false
+        workdir: ${appdir}
+        cmd:
+          # FIXME: Output to stdout just clashes badly with
+          - ${relroot}/scripts/provisioning-processor > /tmp/logged 2>&1
+          # just like embed
+          - ${CARGO_PRESHELL} ${CARGO_ENV} ${CARGO} ${CARGO_TOOLCHAIN} ${CARGO_ARGS} embed --${PROFILE} ${FEATURES} --chip ${PROBE_RS_CHIP} --config-file ${EMBED_CONFIG}
+
       clippy:
         build: false
         workdir: ${appdir}

diff --git a/scripts/cargo-embed/Embed-defmt.toml b/scripts/cargo-embed/Embed-defmt.toml
@@ -5,7 +5,7 @@ gdb.enabled = true
 enabled = true
 
 up_channels = [
-  { channel = 0, format = "Defmt" },
+  { channel = 0, format = "Defmt", socket = "[::1]:1338" },
   { channel = 1 },
 ]
 

diff --git a/scripts/cargo-embed/Embed-no-defmt.toml b/scripts/cargo-embed/Embed-no-defmt.toml
@@ -5,7 +5,7 @@ gdb.enabled = true
 enabled = true
 
 up_channels = [
-  { channel = 0},
+  { channel = 0, socket = "[::1]:1338" },
 ]
 
 tabs = [

diff --git a/scripts/provisioning-processor b/scripts/provisioning-processor
@@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+
+"""Helper to take provisioning data from another process.
+
+This binds to [::1]:1338, where it parses text from there for provisioning data
+(semantically a statement that "This is a device with board=... and
+DeviceId=..., and the public key it has generated is ...").
+
+So far, that information is merely logged; on the long run, this should store
+keys in a local Authorization Server, revoking earlier identities of that
+device.
+
+To play race-free with other scripts, it terminates its main process when
+everything is ready to connect, and listens for up to 60 seconds for a
+connection on :1338. Other input methods than TCP sockets might be added if
+they are needed for where there is no `cargo embed` that pipes around stdout.
+At that point, the input method will be guided by arguments.
+"""
+
+import json
+import logging
+import os
+import socket
+import sys
+
+logging.basicConfig(level=logging.INFO)
+
+s = socket.create_server(("::1", 1338), family=socket.AF_INET6, backlog=1)
+s.settimeout(60)
+logging.info("Provisioning processor ready, listening on %s", s)
+if os.fork() != 0:
+    sys.exit(0)
+
+(conn, addr) = s.accept()
+s.close()
+logging.info("Connection received from %s", addr)
+needle = "Device provisioned: "
+for line in socket.SocketIO(conn, "r"):
+    line = line.decode('utf-8')
+    (_, _, found) = line.partition(needle)
+    if not found:
+        logging.debug("Ignoring line without provisioning information: %r", line)
+        continue
+    remaining = found.strip()
+    logging.info("Processing provisioning line: %r", remaining)
+
+    details = {}
+    while remaining:
+        current, _, remaining = remaining.partition('\t')
+        key, _, value = current.partition('=')
+        if value.startswith('['):
+            value = json.loads(value)
+        details[key] = value
+
+    logging.error("No method for provisioning established yet, discarding data %r", details)
+    break
+conn.close()
diff --git a/src/ariel-os-coap/Cargo.toml b/src/ariel-os-coap/Cargo.toml
@@ -28,6 +28,9 @@ lakers-crypto-rustcrypto = "0.8.0"
 lakers = { version = "0.8.0", default-features = false }
 ariel-os-debug.workspace = true
 ariel-os-embassy = { workspace = true, features = ["net"] }
+ariel-os-embassy-common = { workspace = true }
+ariel-os-hal = { workspace = true }
+ariel-os-buildinfo = { workspace = true }
 ariel-os-random = { workspace = true, features = ["csprng"] }
 ariel-os-storage = { workspace = true, optional = true }
 ariel-os-macros = { path = "../ariel-os-macros" }

diff --git a/src/ariel-os-coap/src/stored.rs b/src/ariel-os-coap/src/stored.rs
@@ -92,6 +92,14 @@ impl StoredPolicy {
             }
         };
 
+        use ariel_os_embassy_common::identity::DeviceId;
+        info!(
+            "Device provisioned: board={}\tdevice_id={}\tedhoc_kccs={}",
+            ariel_os_buildinfo::BOARD,
+            ariel_os_hal::identity::DeviceId::get().unwrap().bytes(),
+            credential
+        );
+
         info!("CoAP server identity: {=[u8]:02x}", credential); // :02x could be :cbor
 
         let credential =