@viosvit viosvit commented Sep 14, 2025

What

Adds an experimental APDU instruction INS=0x10 (EchoHash) that echoes back exactly 32 bytes of data and returns 0x9000. It’s purpose-built as a minimal “proof wire” to verify host ↔ app ↔ speculos connectivity and demonstrate deterministic responses for attestation workflows.

Handler

  • CLA: 0xE0 (SDK filters CLA)
  • INS: 0x10
  • P1/P2: 0x00/0x00
  • LC: 0x20 (32)
  • Data: 32 bytes
  • Response: same 32 bytes + 0x9000
  • Errors:
    • wrong CLA → 0x6E00
    • unknown INS → 0x6D00
    • wrong length (LC≠32) → 0x6E03 (StatusWords::BadLen)

Reproduce (container already running)

Container exposes:

  • host 6001 → container 15001 (speculos HTTP APDU)
  • host 9998 → container 19999 (raw APDU port, not needed here)

Sanity (unknown INS):

curl -s -X POST http://localhost:6001/apdu -H 'Content-Type: application/json' \
  -d '{"data":"E0FF000000"}'
# -> {"data":"6d00"}

Echo 32×0xAA:

DATA="$(printf 'AA%.0s' {1..32})"
APDU="E010000020${DATA}"
curl -s -X POST http://localhost:6001/apdu -H 'Content-Type: application/json' \
  -d "{\"data\":\"$APDU\"}"
# -> {"data":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa9000"}


Echo a real file hash:

VAULT="$HOME/vios_core/naorix_out/naorix_reflection_2025-09-13T03-21-04Z.vault"
H=$(shasum -a 256 "$VAULT" | awk '{print $1}')     # 64 hex
APDU="E010000020${H}"
curl -s -X POST http://localhost:6001/apdu -H 'Content-Type: application/json' \
  -d "{\"data\":\"$APDU\"}"
# -> {"data":"${H}9000"}


Length checks:

# LC=31 (expect 6e03)
curl -s -X POST http://localhost:6001/apdu -H 'Content-Type: application/json' \
  -d '{"data":"E01000001F'$(printf 'AA%.0s' {1..31})'"}'

# LC=33 (expect 6e03)
curl -s -X POST http://localhost:6001/apdu -H 'Content-Type: application/json' \
  -d '{"data":"E010000021'$(printf 'AA%.0s' {1..32})'AA"}'

Proof artifacts (captured locally; .gitignored)

proofs/<timestamp>/echo_response.json

proofs/<timestamp>/wrong_cla.json, unknown_ins.json, len_31.json, len_33.json

proofs/<timestamp>/app_install.apdu

proofs/<timestamp>/app_binary_sha256.txt

proofs/<timestamp>/speculos_log_head.txt

proofs/<timestamp>/git_commit.txt

Notes / follow-ups

This instruction is intentionally minimal and side-effect free.

If maintainers prefer, I can gate it behind a feature flag (e.g. --features proof_echohash) so release builds exclude it.

Happy to submit a follow-up that turns this into a challenge–response/attestation primitive.
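
A host-side conformance check for the EchoHash behaviour described in the pull request above, as an added example that is not part of the pull request or the project's code: it builds the APDU, models the documented status words, and compares a speculos JSON reply against that model. The function names, the check order (CLA, then INS, then length) and the sample reply are assumptions constructed for illustration.

```python
import json

CLA, INS_ECHO_HASH, HASH_LEN = 0xE0, 0x10, 32
SW_OK, SW_BAD_CLA, SW_BAD_INS, SW_BAD_LEN = 0x9000, 0x6E00, 0x6D00, 0x6E03


def build_apdu(data: bytes, cla: int = CLA, ins: int = INS_ECHO_HASH) -> str:
    """Hex string CLA INS P1 P2 LC DATA, the form posted to speculos /apdu."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    return (bytes([cla, ins, 0x00, 0x00, len(data)]) + data).hex().upper()


def expected_response(apdu_hex: str) -> str:
    """Response hex the PR description documents for this APDU.

    Assumption: checks run in the order CLA, INS, length.
    """
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5:
        raise ValueError("APDU header is 5 bytes")
    cla, ins, lc, data = apdu[0], apdu[1], apdu[4], apdu[5:]
    out = b""
    if cla != CLA:
        sw = SW_BAD_CLA
    elif ins != INS_ECHO_HASH:
        sw = SW_BAD_INS
    elif lc != HASH_LEN or len(data) != HASH_LEN:
        sw = SW_BAD_LEN  # LC must be 32 and match the bytes actually sent
    else:
        out, sw = data, SW_OK  # echo the 32 bytes unchanged
    return (out + sw.to_bytes(2, "big")).hex()


def response_matches(apdu_hex: str, response_json: str) -> bool:
    """True if a speculos JSON reply equals the documented response."""
    got = json.loads(response_json).get("data", "")
    return got.lower() == expected_response(apdu_hex)


if __name__ == "__main__":
    apdu = build_apdu(b"\xaa" * 32)
    reply = json.dumps({"data": "aa" * 32 + "9000"})  # constructed sample reply
    print(apdu, response_matches(apdu, reply))
```

Feeding each saved reply under proofs/<timestamp>/ through `response_matches` together with the APDU that produced it turns the manual curl checks into a repeatable regression test.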
