[HN Gopher] How Secure Boot Works on M1 Series Macs
___________________________________________________________________
Author : zdw
Score  : 121 points
Date   : 2021-12-29 14:33 UTC (8 hours ago)
Link   : eclecticlight.co

willis936 wrote:
  This is an interesting walkthrough.

  It would be nice if the code blocks were more distinct from the comments; some combination of indentation, vertical space, coloring.

javajosh wrote:
  Type F12 and then paste the following string and hit enter, ya hacker:

      document.querySelectorAll('code').forEach(elt => elt.style.backgroundColor = 'lightGrey')

lovelyviking wrote:
  _"When Apple's servers go down you lose the ability to do low-level recovery on these machines anyway, since DFU flashing requires phoning home to get a ticket for your machine as well as low-level configuration data"_

  https://news.ycombinator.com/item?id=29704923

judge2020 wrote:
  This has been a thing on iOS since I want to say the iOS 7 days, i.e. the introduction of shsh2 blobs, and it ultimately hasn't been an issue.

InvertedRhodium wrote:
  Unless, of course, you need to perform a low level recovery when Apple's servers are unavailable, for whatever reason. Then, it seems that it would be quite the problem.

afandian wrote:
  Or they do the equivalent of forgetting to update a root CA, orphaning your machine, as happened to a family member of mine.

rubicks wrote:
  Could anyone explain how the firmware (implementing UEFI, I assume) interacts with the components described here? My knowledge is limited to Tianocore edk2 on amd64 platforms.

monocasa wrote:
  There isn't UEFI or anything like it. iBoot takes that place.

danieldk wrote:
  There is no UEFI, only a simple boot ROM, and the first stage of iBoot is in NOR flash. The rest is all on NVMe.
  There is a detailed description here:

  https://github.com/AsahiLinux/docs/wiki/M1-vs.-PC-Boot

[deleted]

CraigJPerry wrote:
  How does the boot wallpaper get selected in Big Sur or Monterey? If you boot an M1 iMac, it will use a wallpaper that matches the colour of your Mac.

  I can see all the wallpapers are part of the blessed / sealed volume; what I can't figure out is how it's choosing which wallpaper to use?

  To be clear, I'm talking about the very early boot wallpaper before FileVault is unlocked. This is not the (user configurable) login screen wallpaper. This is a fixed choice.

  My best guess is an NVRAM key, but I didn't spy an obvious one.

argsnd wrote:
  As I understand it, product information and iBoot1 are stored on an SPI flash chip in the device (which is hard to mess with from an OS unless you're quite determined to, but basically unrecoverable if you do); iBoot2 reads this information and uses it to select and fill in a device tree that is passed to your kernel.

  I think you might be able to find this information if you do:

      ioreg -p IODeviceTree -l

  My machine has: "housing-color" = <01000000000000000000000001000000>

saagarjha wrote:
  The details seem ok, but the nomenclature isn't: iBoot only handles hardware initialization and kernel bootstrapping. Once you've got system logging set up, the kernel is in control and you're into XNU, which is doing all the MACF, BSD setup and whatnot. You're not going to get iBoot logs unless you set up a serial console.

zaxbeast wrote:
  completely insecure if you are not the only one with the key

sys_64738 wrote:
  Which key?

zaxbeast wrote:
  The secret key that Apple holds?

xoa wrote:
  For the record, I'm in favor of a legal mandate that hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices.
  However, that'd be in addition to Apple's keys and wouldn't be about the security of Apple's keys, because Apple is part of the fundamental trust foundation if you buy a Mac or iDevice. Period. The devices are massively vertically integrated, right down to the core silicon, which is completely custom. Apple has absolutely unfettered, ultimate low level access opportunity up and down the stack. If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level of "trust Apple" is simply a security axiom on this platform.

  And they've shown that to be not unreasonable, at least when it comes to something like root private keys. Fact is they've been operating for a long time now and, like the rest of the big players, that hasn't been a leak issue. It's not _that_ big a deal for a big player to physically secure such things to a high enough degree that it's unlikely to be a limiting factor. Dedicated rooms, full offline, hardware backed Shamir's secret sharing for m-of-n key signing ritual requirements, etc etc.

lovelyviking wrote:
  > If you completely don't trust Apple, then you absolutely should not use their hardware at all. So some level "trust Apple" is simply a security axiom on this platform.

  It is not about trusting Apple or any other company for that matter. It is about the tendency and attempt to make it a norm/legalize selling personal computers without respecting the right of the owner to have full control over their own computer. If the owner cannot fully control their own computer, this computer cannot be called 'personal' anymore.

  This practice needs a push back as it is completely unacceptable. It should be made illegal to sell such devices if that is not already the case, because you can be left without a working computer just because the _link_ to the company isn't available for some reason.

  Company goes away and you are left without a working computer.
  Internet isn't available and you have a brick instead of your computer. This is crazy, and even more crazy that there are a bunch of people brainwashed enough to the level that they do not even perceive it as a problem. Probably because they can't think 3 steps forward.

GeekyBear wrote:
  > It is about tendency and attempt to make it a norm/legalize to sell personal computers without respecting right of the owner to have a full control over their own computer. If owner cannot fully control own computer this computer cannot be called 'personal' anymore.

  I have bad news about Intel CPUs.

  > [Intel] processors are running a closed-source variation of the open-source MINIX 3. We don't know exactly what version or how it's been modified since we don't have the source code. We do know that with it there neither Linux nor any other operating system have final control of the x86 platform.

  https://www.zdnet.com/article/minix-intels-hidden-in-chip-op...

lovelyviking wrote:
  Therefore I've said this before:

  _The full control of devices you own is absolutely essential. It requires complete transparency of basic components like CPU micro-code, firmware and hardware; otherwise it can and will be abused._ [0]

  _... unless everything is absolutely transparent, including microcode and hardware, it is not acceptable as a freedom respecting solution._ [1]

  Then I got unexpected opposition from the one who is making Linux for M1 (marcan_42). If even he fails to understand the consequences of accepting such a hostage situation with Apple devices and claims _"Freedom isn't the answer."_ [2]. If even he is ready to downgrade the discussion to personal disrespect toward people like me [3] who are merely trying to point out the danger of the hostage situation, while going 'easy' on Apple and being ready to justify all of their current mistakes, then we have a serious problem.
  I do not wish to use the term "doomed", but probably we observe a limited ability of highly technical minds to resist the primitive brainwashing and manipulation the big companies provide by presenting it as a norm to trade 'freedom' for 'safety'. Some people can't even think a few steps forward and understand that by helping companies to promote such an agenda we'll end up losing both 'safety' and 'freedom'.

  [0] https://news.ycombinator.com/item?id=29658817

  [1] https://news.ycombinator.com/item?id=29675597

  [2] https://news.ycombinator.com/item?id=29676524

  [3] https://news.ycombinator.com/item?id=29691816

smoldesu wrote:
  marcan seems to be part of a new breed of hacker, less interested in the "why" we do it and more interested in the "how" of it. Works pretty well for tackling a challenge like blindly picking at a black-box ISA/SIP, but I don't think his project has the kind of ideological understanding that keeps the libre desktop alive. Getting it to work is one thing; building a community to maintain your work is another.

  Unfortunately, that's going to constitute a lot of the people you encounter these days. Half-measures are better than no-measures, but I really do miss the days of vigilant software development instead of cleaning up Apple's scraps.

kmeisthax wrote:
  You're not giving Hector Marcan enough credit. He was on Team Twiizers and fail0verflow; groups that did a lot of hacking to open up closed systems. It's not like he's unaware of the customer abuse that happens in the proprietary world.

  The "look beyond freedom" quote probably should also be looked at with the context that he's talking about the FSF, which has an odd habit of being extremely absolutist in ways that actually hurt the user.
  Like, they'll point out that Wi-Fi cards with proprietary firmware are bad, but then endorse very similar hardware where the firmware blob is in ROM or some features are lasered off just to conform to the "proprietary ROMs don't count" rule. Marcan is arguing for creating a gradual sliding scale of "proprietary, user-hostile, and/or insecure" to "Free, user-respecting, and/or secure" and then looking at the trade-offs between them, rather than just creating a really high bar based on what made sense in the late 1980s and sticking to it forever.

smoldesu wrote:
  I'm giving the dude all the credit he deserves. fail0verflow is amazing, the stuff they did with Nvidia Tegra/Nintendo Switch was nothing short of miraculous and insane; that doesn't change the cards at the table though, and it doesn't make me any less skeptical of where all this leads. Again, I've got no intention of stopping people who are making progress, even if it's progress I disagree with, but he still has to prove himself here, and I'm not entirely confident that we're going to end up with "Linux, but on the M1" without a number of asterisks trailing the statement. That was the case with the Switch, that was the case with the PS4, and it's unfortunately crawling in that direction for the M1 as well.

cmurf wrote:
  I agree it's "your own device", but Apple's EULA makes it really clear it's only your own device insofar as you can choose to destroy it. They retain a residual right over the hardware, a partial ownership if you will, when it comes to what software is on it. You aren't buying hardware. You're buying an experience. You don't have the right to experience arbitrary software running on it, even if you trust it.

  It's one of the reasons I'm not using Apple products anymore.
jahewson wrote:
  > Company goes away

  We're talking about Apple, one of the most valuable companies in the world, sat on over $100bn in cash, just "going away", in what, the lifetime of a laptop? For me that's 3-5 years, for others maybe 10. That's an absurd premise. The probability of that is so close to zero it doesn't bear consideration.

throwawayay02 wrote:
  What if it's broken by legislators and the pieces are named something differently? Want to bet no apple.com links get broken? And their certificates?

  The point is, if I want to buy a personal computer and stuff it in the closet for 50 years to use later, that's between me and the creator. Not Tim Cook.

duskwuff wrote:
  > hardware owners have the buy-time option to enable adding their own keys to any root trust stores on their devices

  Would you really be more comfortable knowing that your hardware vendor had the capability to produce machines with a low-level, unremovable backdoor? I'm not sure I would. A feature like that can be used against users more easily than it can be used by those users.

zaxbeast wrote:
  https://old.reddit.com/r/degoogle/comments/rosdbu/100_foss_s...

  take a look at the "Why not Apple devices?" section

KerrAvon wrote:
  The private key held by Apple and used to sign code from Apple? Yes, this is how modern crypto works. Some useful background reading: https://www.schneier.com/books/applied-cryptography/ .

lovelyviking wrote:
  The OP statement was about the insecurity that comes with signing code by anyone other than the owner.

  It doesn't matter how secure the communication between Apple and the Apple device is, because even if it's perfect the owner is not secured from Apple itself and those who Apple would love to communicate with. For instance oppressive governments.
  (here is the result of such communication: a blocked app that an oppressive government didn't like https://apps.apple.com/us/app/%D0%BD%D0%B0%D0%B2%D0%B0%D0%BB...)

HunterWare wrote:
  How do you secure something when others know the secret? There has to be some "secret" (aka key) that some definition of "you" only knows, that the system then tests against (hopefully via some kind of asymmetric system or hash).

rovr138 wrote:
  Public/private keys?

  In this case, since others already know it, signing something is sufficient.

HunterWare wrote:
  Yep. The signing is done with public/private (aka asymmetric) keys and some kind of hashing mechanism.

kmeisthax wrote:
  Well, if you want to distrust Apple software you probably shouldn't be trusting their hardware, either.

  That being said, I actually think this is a reasonable way to do secure boot. The default OS the device ships with can be validated, but there's still a proper owner override so you can boot into Linux or whatever. They even use the SEP to validate that the owner override has been tripped _by_ the owner. The first user account you make gets handed a key generated by the SEP that can be used to sign kernels, so _only_ that account can actually use the owner override. This is a good way to stop evil-maid attacks in their tracks while still not locking the user out of their property.

  My only real complaint is that Apple's gone to great lengths to ensure the iOS side of their business is completely unaffected by owner overrides:

  - If you boot into an owner-signed OS volume, macOS disables its iOS support

  - iPad-fused M1s won't generate or respect owner keys

  This is silly. If individual iOS applications are sensitive to owner overrides, then they already have DeviceCheck APIs to get a cryptographic attestation that they haven't been tampered with.
  The SEP could flag those attestations as coming from an owner-signed kernel and picky banking apps[0] could check for that.

  [0] And Pokemon GO, because it's easier to blacklist jailbroken users than to enforce a rate limit on GPS jumps

jeff_vader wrote:
  It really depends on the threat you are planning against. If for some reason I'm a target of the US government, I'm screwed anyway. If my concern is trusting the laptop after I left it in a train station and got it back from some random dude, it's good enough.

lovelyviking wrote:
  How about a much simpler scenario, no threat at all. Just a dumb bug in software that puts your computer in DFU mode that says, please connect it to another Mac. Nice, isn't it? And then you should run and find 'another Mac'. What if there are no other Macs around? What if you travel and have no connection to the internet, or it's limited? This is not a hypothetical situation, this is exactly what has happened in my case. And then you are stuck in the field without any way to recover your machine. Nice, isn't it?

  _"When Apple's servers go down you lose the ability to do low-level recovery on these machines anyway, since DFU flashing requires phoning home to get a ticket for your machine as well as low-level configuration data"_

  https://news.ycombinator.com/item?id=29704923

mlyle wrote:
  > Just dumb bug in software that puts your computer in DFU mode that says, please connect it to another Mac. Nice isn't it? And then you should run and find 'another mac'.

  If your fundamental firmware-stuff is screwed up on any platform, you are going to have a bad time. Being able to plug into an off-the-shelf machine and fix it, or to plug into another PC running special software, is much better than I'm accustomed to.
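The boot model kmeisthax describes above (a vendor-signed default OS, an owner override backed by an SEP-generated signing key, and an attestation that could tell a "picky" app which root booted the kernel), together with the signing-with-asymmetric-keys point in the HunterWare/rovr138 exchange, as an added worked example. This is illustrative code written for this page, not code from the thread, from Apple's iBoot/SEP, or from the Asahi project: the names BootPolicy, EnrolOwner, Verify and Attest, the use of Ed25519 over a SHA-256 digest, and the one-byte trust flag in the attestation payload are all assumptions; the real boot-policy and DeviceCheck formats are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Trust records which root of trust accepted a kernel image.
type Trust uint8

const (
	TrustNone   Trust = iota
	TrustVendor       // signed by the vendor-held key (Apple's, in the thread's terms)
	TrustOwner        // signed by the owner key the SEP hands to the first user account
)

func (t Trust) String() string { return [...]string{"none", "vendor", "owner"}[t] }

// BootPolicy is an assumed, simplified per-volume policy the boot verifier consults.
// OwnerPub stays nil until the owner deliberately enrols an override key.
type BootPolicy struct {
	VendorPub ed25519.PublicKey
	OwnerPub  ed25519.PublicKey
}

// SignedKernel is a kernel image plus a detached signature over its SHA-256.
type SignedKernel struct {
	Image []byte
	Sig   []byte
}

func kernelDigest(image []byte) []byte {
	d := sha256.Sum256(image)
	return d[:]
}

// SignKernel signs the image digest with whichever private key the caller holds.
func SignKernel(priv ed25519.PrivateKey, image []byte) SignedKernel {
	return SignedKernel{Image: image, Sig: ed25519.Sign(priv, kernelDigest(image))}
}

// EnrolOwner models the owner override: a fresh key pair is generated (the SEP does
// this on real hardware), the public half is pinned in the policy and the private
// half goes to the owner's account, which is then the only party able to use it.
func (p *BootPolicy) EnrolOwner() (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	p.OwnerPub = pub
	return priv, nil
}

// Verify is the check a boot stage makes before jumping to the kernel: the vendor
// key is always trusted, the owner key only once enrolled, anything else is refused.
// A tampered image changes the digest, so a signature over the old digest fails too.
func (p BootPolicy) Verify(k SignedKernel) (Trust, error) {
	d := kernelDigest(k.Image)
	switch {
	case ed25519.Verify(p.VendorPub, d, k.Sig):
		return TrustVendor, nil
	case p.OwnerPub != nil && ed25519.Verify(p.OwnerPub, d, k.Sig):
		return TrustOwner, nil
	}
	return TrustNone, errors.New("kernel signature matches neither the vendor key nor an enrolled owner key")
}

// Attestation is what a "picky" app could request: a device-key signature over the
// booted kernel's digest and the root that accepted it, so the app can distinguish
// an owner-signed boot from a vendor-signed one instead of refusing outright.
type Attestation struct {
	KernelDigest []byte
	BootedBy     Trust
	Sig          []byte
}

// attestPayload binds the trust flag to the digest so neither can be swapped alone.
func attestPayload(digest []byte, t Trust) []byte {
	return append([]byte{byte(t)}, digest...)
}

// Attest is signed with a device attestation key (assumed to be SEP-held).
func Attest(devPriv ed25519.PrivateKey, k SignedKernel, t Trust) Attestation {
	d := kernelDigest(k.Image)
	return Attestation{KernelDigest: d, BootedBy: t, Sig: ed25519.Sign(devPriv, attestPayload(d, t))}
}

// CheckAttestation is the app- or server-side verification against the device public key.
func CheckAttestation(devPub ed25519.PublicKey, a Attestation) (Trust, error) {
	if !ed25519.Verify(devPub, attestPayload(a.KernelDigest, a.BootedBy), a.Sig) {
		return TrustNone, errors.New("attestation signature invalid")
	}
	return a.BootedBy, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := BootPolicy{VendorPub: vendorPub}
	kernel := []byte("constructed kernel image, not a real one") // constructed sample input

	t, err := policy.Verify(SignKernel(vendorPriv, kernel)) // stock kernel: vendor root
	fmt.Println("vendor-signed:", t, err)

	ownerPriv, _ := policy.EnrolOwner() // owner override enrolled by the first account
	owned := SignKernel(ownerPriv, kernel)
	t, err = policy.Verify(owned)
	fmt.Println("owner-signed:", t, err)

	got, err := CheckAttestation(devPub, Attest(devPriv, owned, t)) // app asks which root booted
	fmt.Println("attested boot:", got, err)
}
```

The design point worth noting is the last part: the attestation carries the booting root inside the signed payload, so an app that cares can reject or rate-limit owner-signed boots on its own terms, rather than the platform having to disable whole features whenever the override is used.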
lovelyviking wrote:
  > If your fundamental firmware-stuff is screwed up on any platform

  Sure, I just have an impression after some googling that this DFU happens much more frequently than one would expect. Certainly I didn't expect it to happen in the first day after purchase, but it did. So perhaps this pleasing 'much better' ability to fix it by just connecting it with another device that you probably do not possess (in my case) comes with another pleasure of having to do it more frequently. If that is the case then I really prefer the state to which you are accustomed.

argsnd wrote:
  Just use https://github.com/libimobiledevice/idevicerestore on a Linux or Windows machine.

  Yes, if you don't have internet access you have a problem, but I'm personally happy enough with the benefits of this security model that I'm willing to accept the tradeoff.

lovelyviking wrote:
  > I'm happy willing to accept the tradeoff.

  For now ... Thank you for the link, but may I suggest you think about the future and where it leads.

[deleted]

lovelyviking wrote:
  > It really depends on the threat you are planing against.

  What about an oppressive, let's say Russian, government while you travel, let's say, in Ukraine and then occupation occurs. Not a fantastic scenario by the way ...

  It really doesn't depend on the threat at all. It's about the model of the society you wish to have and what values you promote.

  It's about who you wish to be responsible: the 'big company' caring about your safety and taking your freedom on the way, or you caring yourself about your own safety and preserving freedom on the way. I do not really think there is a choice here, because the first option will always be abused at some point.

  Freedom does matter and it comes with responsibility. _THIS_ is the main issue here.
  _THIS_ is what separates a society with responsible citizens from a society with 'irresponsible people' who wish to trade their freedom for 'safety', resulting in losing both (and democracy itself after some time).

hraedon wrote:
  All sentiments like this one and those similar to it elide the facts that 1) we've _tried_ relying on "user responsibility" before, and excusing the comically bad outcomes through victim blaming doesn't change them; and 2) we didn't get together and vote Apple the only manufacturer of computers.

  If you don't like their model, choose someone else. Why should average users who would otherwise be served perfectly well by Apple's solution be required to be "responsible" for some subset of personal security you think denotes a "responsible" citizen from an "irresponsible" one?

smoldesu wrote:
  User responsibility and device safety are not mutually exclusive. You can keep the iPhone exactly as-is and add a developer mode that would pretty much shut up every nerd this side of the Mississippi.

lovelyviking wrote:
  > If you don't like their model, choose someone else.

  Many follow their example and without push back there will be no someone else, because average users may not understand the consequences unless they are educated by people who do understand them. Like with many other areas requiring a certain level of expertise to understand the consequences of certain decisions.

  > we've tried relying on "user responsibility" before,
  > Why should average users who would otherwise be served perfectly well by Apple's solution be required to be "responsible"

  Do you believe in choice? If you do, then average users should have a choice whether to rely on Apple or switch such functionality off. Without having such a choice, people become less and less responsible. You can say they choose by buying such machines, but I do not think this could be qualified as a choice, just like accepting an EULA.
  It's not really a choice.

danieldk wrote:
  Additionally, many of these security measures are put in place to prevent rootkits/malware from compromising the firmware, boot loader, or operating system.

diontron wrote:
  which is literally the case for any security system lol

zaxbeast wrote:
  Yet companies still try to convince you otherwise...

BoorishBears wrote:
  Show me where Apple says they protect against attackers who already have your passcode.

zaxbeast wrote:
  That's not what I was talking about... secure boot and locked boot loaders are "protected" with keys held by manufacturers...

BoorishBears wrote:
  Then your comment doesn't make sense?

  You wrote:

  > completely insecure if you are not the only one with the key

  What key is shared between you and the manufacturer here? There's signing keys and there's passcodes, which ones are you "not the only one with"?

zaxbeast wrote:
  > BoorishBears - What key is shared between you and the manufacturer here? There's signing keys and there's passcodes, which ones are you "not the only one with"?

  because you don't even have the key? not sure where passcodes came from

BoorishBears wrote:
  _sigh_

  > completely insecure if you are not the only one with the key

  This implies you are referring to a key that the user has.

  What key does the user have?

  A passcode? Password?

Jabed30 wrote:
  [deleted]

xfr wrote:
  There are several inaccuracies.

  Everything after "Darwin Kernel Version 21.2.0" is XNU, not iBoot. This is when macOS starts according to the diagram. You don't see logs from iBoot.

  I have no idea what this means:

  > The end of the kernel-only phase, which is entirely iBoot, comes almost 20 seconds after the start.

sys_64738 wrote:
  > I have no idea what this means:

  Userland is instantiated.

grishka wrote:
  > You don't see logs from iBoot.

  IIRC there's a serial console according to Asahi Linux people.
  Not sure if iBoot logs anything to it.
___________________________________________________________________
(page generated 2021-12-29 23:00 UTC)