[HN Gopher] How Secure Boot Works on M1 Series Macs
___________________________________________________________________
How Secure Boot Works on M1 Series Macs
Author : zdw
Score : 121 points
Date : 2021-12-29 14:33 UTC (8 hours ago)
(HTM) web link (eclecticlight.co)
(TXT) w3m dump (eclecticlight.co)
| willis936 wrote:
| This is an interesting walkthrough.
|
| It would be nice if the code blocks were more distinct from the
| comments; some combination of indentation, vertical space,
| coloring.
| javajosh wrote:
| Type F12 and then paste the following string and hit enter, ya
| hacker:
| document.querySelectorAll('code').forEach(elt => elt.style.backgroundColor = 'lightGrey')
| lovelyviking wrote:
| _" When Apple's servers go down you lose the ability to do low-
| level recovery on these machines anyway, since DFU flashing
| requires phoning home to get a ticket for your machine as well as
| low-level configuration data"_
|
| https://news.ycombinator.com/item?id=29704923
| judge2020 wrote:
| This has been a thing on iOS since I want to say the iOS 7
| days, ie. the introduction of shsh2 blobs, and it ultimately
| hasn't been an issue.
| InvertedRhodium wrote:
| Unless, of course, you need to perform a low level recovery
| when Apple's servers are unavailable, for whatever reason.
| Then, it seems that it would be quite the problem.
| afandian wrote:
| Or they do the equivalent of forgetting to update a root
| CA, orphaning your machine, as happened to a family member
| of mine.
| rubicks wrote:
| Could anyone explain how the firmware (implementing UEFI, I
| assume) interacts with the components described here? My
| knowledge is limited to Tianocore edk2 on amd64 platforms.
| monocasa wrote:
| There isn't UEFI or anything like it. iBoot takes that place.
| danieldk wrote:
| There is no UEFI, only a simple boot ROM and the first stage of
| iBoot is in NOR flash. The rest is all on NVMe. There is a
| detailed description here:
|
| https://github.com/AsahiLinux/docs/wiki/M1-vs.-PC-Boot
| [deleted]
| CraigJPerry wrote:
| How does the boot wallpaper get selected in Big Sur or Monterey?
| If you boot an M1 iMac, it will use a wallpaper that matches the
| colour of your Mac.
|
| I can see all the wallpapers are part of the blessed / sealed
| volume; what I can't figure out is how it's choosing which
| wallpaper to use.
|
| To be clear, I'm talking about the very early boot wallpaper
| before FileVault is unlocked. This is not the (user
| configurable) login screen wallpaper. This is a fixed choice.
|
| My best guess is an NVRAM key, but I didn't spy an obvious one.
| argsnd wrote:
| As I understand it product information and iBoot1 are stored on
| an SPI flash chip in the device (which is hard to mess with
| from an OS unless you're quite determined to, but basically
| unrecoverable if you do), iBoot2 reads this information and
| uses it to select and fill in a device tree that is passed to
| your kernel.
|
| I think you might be able to find this information if you do:
| ioreg -p IODeviceTree -l
|
| My machine has: "housing-color" =
| <01000000000000000000000001000000>
| saagarjha wrote:
| The details seem ok, but the nomenclature isn't: iBoot only
| handles hardware initialization and kernel bootstrapping. Once
| you've got system logging set up the kernel is in control and
| you're into XNU, which is doing all the MACF, BSD setup and
| whatnot. You're not going to get iBoot logs unless you set up a
| serial console.
| zaxbeast wrote:
| completely insecure if you are not the only one with the key
| sys_64738 wrote:
| Which key?
| zaxbeast wrote:
| The secret key that Apple holds?
| xoa wrote:
| For the record, I'm in favor of legal mandate that hardware
| owners have the buy-time option to enable adding their own keys
| to any root trust stores on their devices. However, that'd be
| in addition to Apple's keys and wouldn't be about the security
| of Apple's keys, because Apple is part of the fundamental trust
| foundation if you buy a Mac or iDevice. Period. The devices are
| massively vertically integrated, right down to the core silicon
| which is completely custom. Apple has absolutely unfettered
| ultimate low level access opportunity up and down the stack. If
| you completely don't trust Apple, then you absolutely should
| not use their hardware at all. So some level of "trust Apple" is
| simply a security axiom on this platform.
|
| And they've shown that to be not unreasonable, at least when it
| comes to something like root private keys. Fact is they've been
| operating for a long time now and, like the rest of the big
| players, that hasn't been a leak issue. It's not _that_ big a
| deal for a big player to physically secure such things to a
| high enough degree that it's unlikely to be a limiting factor.
| Dedicated rooms, fully offline, hardware-backed Shamir's secret
| sharing for m-of-n key signing ritual requirements, etc. etc.
| lovelyviking wrote:
| >If you completely don't trust Apple, then you absolutely
| should not use their hardware at all. So some level of "trust
| Apple" is simply a security axiom on this platform.
|
| It is not about trusting Apple or any other company for that
| matter. It is about the tendency and attempt to make it a
| norm/legalize to sell personal computers without respecting the
| right of the owner to have full control over their own
| computer. If the owner cannot fully control their own computer,
| this computer cannot be called 'personal' anymore.
|
| This practice needs pushback as it is completely
| unacceptable. It should be made illegal to sell such devices,
| if that is not already the case, because you can be left
| without a working computer just because the _link_ to the company
| isn't available for some reason.
|
| The company goes away and you are left without a working
| computer. The internet isn't available and you have a brick
| instead of your computer. This is crazy, and even more crazy that
| there are a bunch of people brainwashed enough to the level
| that they do not even perceive it as a problem. Probably
| because they can't think 3 steps forward.
| GeekyBear wrote:
| > It is about the tendency and attempt to make it a
| norm/legalize to sell personal computers without respecting the
| right of the owner to have full control over their own
| computer. If the owner cannot fully control their own computer,
| this computer cannot be called 'personal' anymore.
|
| I have bad news about Intel CPUs.
|
| >[Intel] processors are running a closed-source variation
| of the open-source MINIX 3. We don't know exactly what
| version or how it's been modified since we don't have the
| source code. We do know that with it there, neither Linux
| nor any other operating system has final control of the
| x86 platform.
|
| https://www.zdnet.com/article/minix-intels-hidden-in-chip-
| op...
| lovelyviking wrote:
| Therefore I've said this before:
|
| _The full control of devices you own is absolutely
| essential. It requires complete transparency of basic
| components like CPU microcode, firmware and hardware,
| otherwise it can and will be abused._ [0]
|
| _.. unless everything is absolutely transparent,
| including microcode and hardware, it is not acceptable as a
| freedom-respecting solution._ [1]
|
| Then I got unexpected opposition from the one who is
| making Linux for M1 (marcan_42). If even he fails to
| understand the consequences of accepting such a hostage
| situation with Apple devices and claims _" Freedom isn't
| the answer."_ [2], if even he is ready to downgrade the
| discussion to personal disrespect toward people like
| me [3] who are merely trying to point out the danger of
| the hostage situation, while going 'easy' on Apple and being
| ready to justify all of their current mistakes, then we have a
| serious problem. I do not wish to use the term "doomed",
| but probably we observe a limited ability of highly
| technical minds to resist the primitive brainwashing
| and manipulation the big companies provide by presenting
| it as a norm to trade 'freedom' for 'safety'. Some
| people can't even think a few steps forward and
| understand that by helping companies to promote such an
| agenda we'll end up losing both 'safety' and
| 'freedom'.
|
| [0] https://news.ycombinator.com/item?id=29658817
|
| [1] https://news.ycombinator.com/item?id=29675597
|
| [2] https://news.ycombinator.com/item?id=29676524
|
| [3] https://news.ycombinator.com/item?id=29691816
| smoldesu wrote:
| marcan seems to be part of a new breed of hacker, less
| interested in the "why" we do it and more interested in
| the "how" of it. Works pretty well for tackling a
| challenge like blindly picking at a black-box ISA/SIP,
| but I don't think his project has the kind of ideological
| understanding that keeps the libre desktop alive. Getting
| it to work is one thing; building a community to maintain
| your work is another.
|
| Unfortunately, that's going to constitute a lot of the
| people you encounter these days. Half-measures are better
| than no-measures, but I really do miss the days of
| vigilant software development instead of cleaning up
| Apple's scraps.
| kmeisthax wrote:
| You're not giving Hector Marcan enough credit. He was on
| Team Twiizers and fail0verflow; groups that did a lot of
| hacking to open up closed systems. It's not like he's
| unaware of the customer abuse that happens in the
| proprietary world.
|
| The "look beyond freedom" quote probably should also be
| looked at with the context that he's talking about the
| FSF, which has an odd habit of being extremely absolutist
| in ways that actually hurt the user. Like, they'll point
| out that Wi-Fi cards with proprietary firmware are bad,
| but then endorse very similar hardware where the firmware
| blob is in ROM or some features are lasered off just to
| conform to the "proprietary ROMs don't count" rule.
| Marcan is arguing for creating a gradual sliding scale of
| "proprietary, user-hostile, and/or insecure" to "Free,
| user-respecting, and/or secure" and then looking at the
| trade-offs between them, rather than just creating a
| really high bar based on what made sense in the late
| 1980s and sticking to it forever.
| smoldesu wrote:
| I'm giving the dude all the credit he deserves.
| fail0verflow is amazing, the stuff they did with Nvidia
| Tegra/Nintendo Switch was nothing short of miraculous and
| insane; that doesn't change the cards at the table
| though, and it doesn't make me any less skeptical of
| where all this leads. Again, I've got no intention of
| stopping people who are making progress, even if it's
| progress I disagree with, but he still has to prove
| himself here, and I'm not entirely confident that we're
| going to end up with "Linux, but on the M1" without a
| number of asterisks trailing the statement. That was the
| case with the Switch, that was the case with the PS4, and
| it's unfortunately crawling in that direction for the M1
| as well.
| cmurf wrote:
| I agree it's "your own device", but Apple's EULA makes it
| really clear it's only your own device insofar as you can
| choose to destroy it. They retain a residual right over the
| hardware, a partial ownership if you will, when it comes to
| what software is on it. You aren't buying hardware. You're
| buying an experience. You don't have the right to
| experience arbitrary software running on it, even if you
| trust it.
|
| It's one of the reasons I'm not using Apple products
| anymore.
| jahewson wrote:
| > Company goes away
|
| We're talking about Apple, one of the most valuable
| companies in the world, sat on over $100bn in cash just
| "going away", in what, the lifetime of a laptop? For me
| that's 3-5 years, for others maybe 10. That's an absurd
| premise. The probability of that is so close to zero it
| doesn't bear consideration.
| throwawayay02 wrote:
| What if it's broken by legislators and the pieces are
| named something differently. Want to bet no apple.com
| links get broken? And their certificates?
|
| The point is, if I want to buy a personal computer and
| stuff it in the closet for 50 years to use later, that's
| between me and the creator. Not Tim Cook.
| duskwuff wrote:
| > hardware owners have the buy-time option to enable adding
| their own keys to any root trust stores on their devices
|
| Would you really be more comfortable knowing that your
| hardware vendor had the capability to produce machines with a
| low-level, unremovable backdoor? I'm not sure I would. A
| feature like that can be used against users more easily than
| it can be used by those users.
| zaxbeast wrote:
| https://old.reddit.com/r/degoogle/comments/rosdbu/100_foss_s.
| ..
|
| take a look at the "Why not Apple devices?" section
| KerrAvon wrote:
| The private key held by Apple and used to sign code from Apple?
| Yes, this is how modern crypto works. Some useful background
| reading: https://www.schneier.com/books/applied-cryptography/ .
| lovelyviking wrote:
| The OP statement was about the insecurity that comes with signing
| code with anyone other than the owner.
|
| It doesn't matter how secure the communication between Apple and
| the Apple device is, because even if it's perfect the owner is not
| secured from Apple itself and those who Apple would love
| to communicate with. For instance oppressive governments.
| (Here is the result of such communication: a blocked app that an
| oppressive government didn't like https://apps.apple.com/us/ap
| p/%D0%BD%D0%B0%D0%B2%D0%B0%D0%BB...)
| HunterWare wrote:
| How do you secure something when others know the secret? There
| has to be some "secret" (aka key) that some definition of "you"
| only knows, that the system then tests against (hopefully via
| some kind of asymmetric system or hash).
| rovr138 wrote:
| Public/private keys?
|
| In this case, since others already know it, signing something
| is sufficient.
| HunterWare wrote:
| Yep. The signing is done with public/private (aka
| asymmetric) keys and some kind of hashing mechanism.
| kmeisthax wrote:
| Well, if you want to distrust Apple software you probably
| shouldn't be trusting their hardware, either.
|
| That being said, I actually think this is a reasonable way to
| do secure boot. The default OS the device ships with can be
| validated, but there's still a proper owner override so you can
| boot into Linux or whatever. They even use the SEP to validate
| that the owner override has been tripped _by_ the owner. The
| first user account you make gets handed a key generated by the
| SEP that can be used to sign kernels, so _only_ that account
| can actually use the owner override. This is a good way to stop
| evil-maid attacks in their tracks while still not locking the
| user out of their property.
|
| My only real complaint is that Apple's gone to great lengths to
| ensure the iOS side of their business is completely unaffected
| by owner overrides:
|
| - If you boot into an owner-signed OS volume, macOS disables
| its iOS support
|
| - iPad-fused M1s won't generate or respect owner keys
|
| This is silly. If individual iOS applications are sensitive to
| owner overrides, then they already have devicecheck APIs to get
| a cryptographic attestation that they haven't been tampered
| with. The SEP could flag those attestations as coming from an
| owner-signed kernel and picky banking apps[0] could check for
| that.
|
| [0] And Pokemon GO, because it's easier to blacklist jailbroken
| users than to enforce a rate limit on GPS jumps
| jeff_vader wrote:
| It really depends on the threat you are planning against. If for
| some reason I'm the target of the US government - I'm screwed anyway.
| If my concern is trusting the laptop after I left it in train
| station and got it back from some random dude - it's good
| enough.
| lovelyviking wrote:
| How about a much simpler scenario, no threat at all. Just a dumb
| bug in software that puts your computer in DFU mode that
| says, please connect it to another Mac. Nice, isn't it? And
| then you should run and find 'another Mac'. What if there are
| no other Macs around? What if you travel and have no
| connection to the internet or it's limited? This is not a
| hypothetical situation, this is exactly what happened in
| my case. And then you are stuck in the field without any way
| to recover your machine. Nice, isn't it?
|
| _" When Apple's servers go down you lose the ability to do
| low-level recovery on these machines anyway, since DFU
| flashing requires phoning home to get a ticket for your
| machine as well as low-level configuration data"_
|
| https://news.ycombinator.com/item?id=29704923
| mlyle wrote:
| > Just a dumb bug in software that puts your computer in DFU
| mode that says, please connect it to another Mac. Nice,
| isn't it? And then you should run and find 'another Mac'.
|
| If your fundamental firmware-stuff is screwed up on any
| platform, you are going to have a bad time. Being able to
| plug into an off-the-shelf machine and fix it, or to plug
| into another PC running special software, is much better
| than I'm accustomed to.
| lovelyviking wrote:
| >If your fundamental firmware-stuff is screwed up on any
| platform
|
| Sure, I just have an impression after some googling that
| this DFU happens much more frequently than one would
| expect. Certainly I didn't expect it to happen in the
| first day after purchase, but it did. So perhaps this
| pleasing 'much better' ability to fix it by just
| connecting it with another device that you probably do
| not possess (in my case) comes with another pleasure of
| having to do it more frequently. If that is the case then
| I really prefer the state to which you are accustomed.
| argsnd wrote:
| Just use https://github.com/libimobiledevice/idevicerestore
| on a Linux or Windows machine.
|
| Yes, if you don't have internet access you have a problem,
| but I'm personally happy enough with the benefits of this
| security model that I'm willing to accept the tradeoff.
| lovelyviking wrote:
| >I'm happy willing to accept the tradeoff.
|
| For now ... Thank you for the link but may I suggest you
| to think about the future and where it leads.
| [deleted]
| lovelyviking wrote:
| >It really depends on the threat you are planning against.
|
| What about an oppressive, let's say Russian, government while you
| travel, let's say, in Ukraine and then occupation occurs? Not a
| fantastic scenario, by the way ...
|
| It really doesn't depend on the threat at all. It's about the
| model of the society you wish to have and what values you
| promote.
|
| It's about who you wish to be responsible: the 'big company'
| caring about your safety and taking your freedom on the way,
| or you caring yourself about your own safety and preserving
| freedom on the way. I do not really think there is a choice
| here because the first option will always be abused at some
| point.
|
| Freedom does matter and it comes with responsibility. _THIS_
| is the main issue here. _THIS_ is what separates a society with
| responsible citizens from a society with 'irresponsible
| people' who wish to trade their freedom for 'safety',
| resulting in losing both (and democracy itself after some
| time).
| hraedon wrote:
| All sentiments like this one and those similar to it elide
| the facts that 1) we've _tried_ relying on "user
| responsibility" before, and excusing the comically bad
| outcomes through victim blaming doesn't change them; and 2)
| we didn't get together and vote Apple the only manufacturer
| of computers.
|
| If you don't like their model, choose someone else. Why
| should average users who would otherwise be served
| perfectly well by Apple's solution be required to be
| "responsible" for some subset of personal security you
| think denotes a "responsible" citizen from an
| "irresponsible" one?
| smoldesu wrote:
| User responsibility and device safety are not mutually
| exclusive. You can keep the iPhone exactly as-is and add
| a developer mode that would pretty much shut up every
| nerd this side of the Mississippi.
| lovelyviking wrote:
| >If you don't like their model, choose someone else.
|
| Many follow their example, and without pushback there
| will be no 'someone else', because average users may not
| understand the consequences unless they are educated by
| people who do understand them. Like with many other areas
| requiring a certain level of expertise to understand the
| consequences of certain decisions.
|
| > we've tried relying on "user responsibility" before,
| >Why should average users who would otherwise be served
| perfectly well by Apple's solution be required to be
| "responsible"
|
| Do you believe in choice? If you do then average users
| should have a choice whether to rely on Apple or switch
| such functionality off. Without having such choice people
| become less and less responsible. You can say they choose
| by buying such machines but I do not think this could be
| qualified as a choice just like accepting EULA. It's not
| really a choice.
| danieldk wrote:
| Additionally, many of these security measures are put in
| place to prevent rootkits/malware from compromising the
| firmware, boot loader, or operating system.
| diontron wrote:
| which is literally the case for any security system lol
| zaxbeast wrote:
| Yet companies still try to convince you otherwise...
| BoorishBears wrote:
| Show me where Apple says they protect against attackers who
| already have your passcode.
| zaxbeast wrote:
| That's not what I was talking about... secure boot and
| locked boot loaders are "protected" with keys held by
| manufacturers...
| BoorishBears wrote:
| Then your comment doesn't make sense?
|
| You wrote:
|
| > completely insecure if you are not the only one with
| the key
|
| What key is shared between you and the manufacturer here?
| There's signing keys and there's passcodes, which ones
| are you "not the only one with"?
| zaxbeast wrote:
| > BoorishBears - What key is shared between you and the
| manufacturer here? There's signing keys and there's
| passcodes, which ones are you "not the only one with"?
|
| because you don't even have the key? not sure where
| passcodes came from
| BoorishBears wrote:
| _sigh_
|
| > completely insecure if you are not the only one with
| the key
|
| This implies you are referring to a key that the user
| has.
|
| What key does the user have?
|
| A passcode? Password?
| Jabed30 wrote:
| [deleted]
| xfr wrote:
| There are several inaccuracies.
|
| Everything after "Darwin Kernel Version 21.2.0" is XNU, not
| iBoot. This is when macOS starts according to the diagram. You
| don't see logs from iBoot.
|
| I have no idea what this means:
|
| > The end of the kernel-only phase, which is entirely iBoot,
| comes almost 20 seconds after the start.
| sys_64738 wrote:
| > I have no idea what this means:
|
| Userland is instantiated.
| grishka wrote:
| > You don't see logs from iBoot.
|
| IIRC there's a serial console according to Asahi Linux people.
| Not sure if iBoot logs anything to it.
___________________________________________________________________
(page generated 2021-12-29 23:00 UTC)