examples/rogue_firmware_rejected.py

2.3 KB · 72 lines · python Raw

1	`"""Example: rogue actor signs a firmware, appliance rejects it.`
2
3	`The appliance's KeyRing only trusts the legitimate manufacturer. When an`
4	`attacker distributes a correctly-signed-but-untrusted firmware image, the`
5	`verifier refuses it and the audit log records a reject entry.`
6	`"""`
7
8	`from __future__ import annotations`
9
10	`from quantumshield.identity.agent import AgentIdentity`
11
12	`from pqc_bootloader import (`
13	`BootAttestationLog,`
14	`FirmwareImage,`
15	`FirmwareMetadata,`
16	`FirmwareSigner,`
17	`FirmwareVerifier,`
18	`KeyRing,`
19	`TargetDevice,`
20	`)`
21
22
23	`def main() -> None:`
24	`# Legitimate manufacturer (trusted).`
25	`manufacturer = AgentIdentity.create("acme-appliance-vendor")`
26	`key_ring = KeyRing()`
27	`key_ring.add(`
28	`public_key_hex=manufacturer.signing_keypair.public_key.hex(),`
29	`algorithm=manufacturer.signing_keypair.algorithm.value,`
30	`manufacturer="Acme Appliances Inc.",`
31	`)`
32
33	`# Attacker with their own key (NOT in the key ring).`
34	`attacker = AgentIdentity.create("rogue-attacker")`
35	`rogue_signer = FirmwareSigner(attacker)`
36
37	`image_bytes = b"\x7fELF" + b"malicious payload" * 64`
38	`metadata = FirmwareMetadata(`
39	`name="acme-inference-os",`
40	`version="1.2.4", # attacker claims to be a legitimate update`
41	`target=TargetDevice.AI_INFERENCE_APPLIANCE,`
42	`)`
43	`firmware = FirmwareImage.from_bytes(metadata, image_bytes)`
44	`signed = rogue_signer.sign(firmware)`
45	`print(f"[attacker] signed malicious firmware {firmware.metadata.name} v{firmware.metadata.version}")`
46	`print(f"[attacker] rogue key-id = {signed.manufacturer_key_id[:24]}...")`
47
48	`# Appliance verifier refuses.`
49	`result = FirmwareVerifier.verify(`
50	`signed,`
51	`actual_bytes=image_bytes,`
52	`key_ring=key_ring,`
53	`)`
54	`print(`
55	`f"[appliance] verify: valid={result.valid} trusted={result.key_trusted}"`
56	`)`
57	`print(f"[appliance] error: {result.error}")`
58
59	`log = BootAttestationLog()`
60	`log.log_reject(`
61	`firmware_name=signed.firmware.metadata.name,`
62	`firmware_version=signed.firmware.metadata.version,`
63	`firmware_hash=signed.firmware.image_hash,`
64	`reason=result.error or "untrusted signer",`
65	`device_id="device-0001",`
66	`)`
67	`print(f"[audit] rejects={len(log.entries(decision='reject'))}")`
68
69
70	`if __name__ == "__main__":`
71	`main()`
72