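#!/bin/bash
# Boot QEMUv8 and run the C-01 PoC to reproduce the PKCS#11 heap overflow.
#
# Usage: run with no arguments from any directory; paths are resolved relative
# to this script's location.  Requires the build outputs under out/bin/, the
# QEMU binary under qemu/build/, and the expect driver c01_check.exp next to
# this script.  QEMU, QEMU_ARGS and BINDIR are exported for that driver, which
# performs the spawn and the interaction with the guest.  Both serial logs
# (c01_nw.log, c01_sw.log) are left in BINDIR; the exit status is the driver's.
set -euo pipefail

ROOT="$(cd "$(dirname "$0")" && pwd)"
BINDIR="$ROOT/out/bin"
QEMU="$ROOT/qemu/build/qemu-system-aarch64"
readonly ROOT BINDIR QEMU

# Print a diagnostic on stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Verify required artifacts: boot firmware, kernel, rootfs and the PoC binary
# are referenced by relative name from BINDIR (see the cd below).
for f in bl1.bin Image rootfs.cpio.gz c01_poc; do
  [[ -f "$BINDIR/$f" ]] || die "[-] Missing: $BINDIR/$f"
done
# Fail early, with a clear message, on the remaining prerequisites instead of
# letting expect or the shell report them mid-run.
[[ -f "$ROOT/c01_check.exp" ]] || die "[-] Missing: $ROOT/c01_check.exp"
[[ -x "$QEMU" ]] || die "[-] Missing or not executable: $QEMU"
command -v expect >/dev/null 2>&1 || die "[-] 'expect' not found in PATH"
# QEMU_ARGS is handed to the driver as one whitespace-separated string, so a
# BINDIR containing whitespace would presumably be split into several
# arguments there; refuse it up front rather than fail obscurely inside QEMU.
[[ "$BINDIR" != *[[:space:]]* ]] || die "[-] BINDIR must not contain whitespace: $BINDIR"

# Build QEMU args (matching qemu_v8.mk defaults + virtfs share).
# Notes on the pieces that matter for interpreting a run:
#   - the 9p share (fsdev local,path=$BINDIR ... mount_tag=host) exposes BINDIR
#     to the guest; it is writable from the guest unless readonly=on is added
#     to the fsdev, so the logs collected here can be altered by guest code.
#   - '-netdev user' gives the guest user-mode (slirp) outbound networking.
#   - the second -serial sends the Secure World console to c01_sw.log, which
#     is what the summary at the end greps.
# Keep the single-string form: the exported value is consumed as-is by the
# expect driver (see the whitespace check above).
QEMU_ARGS="\
-nographic \
-smp 2 \
-cpu max,sme=on,pauth-impdef=on \
-d unimp \
-semihosting-config enable=on,target=native \
-m 1057 \
-bios bl1.bin \
-initrd rootfs.cpio.gz \
-kernel Image \
-append 'console=ttyAMA0,38400 keep_bootcon root=/dev/vda2' \
-machine virt,acpi=off,secure=on,mte=off,gic-version=3,virtualization=false \
-object rng-random,filename=/dev/urandom,id=rng0 \
-device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000 \
-netdev user,id=vmnic \
-device virtio-net-device,netdev=vmnic \
-fsdev local,id=fsdev0,path=$BINDIR,security_model=none \
-device virtio-9p-pci,fsdev=fsdev0,mount_tag=host \
-serial mon:stdio \
-serial file:$BINDIR/c01_sw.log"

export QEMU
export QEMU_ARGS
export BINDIR

# Relative artifact names in QEMU_ARGS are resolved from BINDIR.
cd "$BINDIR"
# Start from a clean slate so a stale log cannot masquerade as this run's.
rm -f c01_nw.log c01_sw.log

echo "[*] Starting QEMUv8 for C-01 reproduction..."
# Capture the driver's status without tripping set -e: with a plain
# 'expect ...; RC=$?' a non-zero status would abort the script right here and
# the log summary below would never be printed.
RC=0
expect "$ROOT/c01_check.exp" || RC=$?

echo ""
echo "=== Secure World log (c01_sw.log) ==="
# Quick triage of the SW console.  stderr is silenced so a missing or
# unwritten log falls through to the "(no panic keywords found …)" line like
# any other miss; the full log is still named at the end for manual review.
grep -E "Panic|panic|PANIC|assertion|overflow|ERROR|TEE_Panic|TA crashed|killed" \
  "$BINDIR/c01_sw.log" 2>/dev/null || echo "(no panic keywords found — see full log)"
echo "=== End of SW log summary ==="
echo ""
echo "Full logs: $BINDIR/c01_nw.log $BINDIR/c01_sw.log"
exit "$RC"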