
macOS "Secure boot"

Posted: Sun Oct 01, 2017 10:38 am
by jihlau

I'm told that macOS does not implement "secure boot" in the way that, say, Microsoft does with its use of cert validation and TPM storage.

But is macOS equivalently secured in the boot process by other methods, or combination thereof? If the firmware is protected by a secret, SIP is enabled for the OS, then is the security obtained comparable or the same?

Thank you


Re: macOS "Secure boot"

Posted: Sun Oct 01, 2017 9:08 pm
by morpheus

MacOS is anything but secure. EFI is readily accessible and modifiable in the first partition (/dev/disk0s1), which can be mounted as FAT. There's some reference to that in the first edition book, and more will come in the second edition Volume II.

With MacOS 13, Apple introduces eficheck (in /usr/libexec/firmwarecheckers).

With the integration of eOS (BridgeOS, whatever they call it), they might eventually move to the embedded ARMv7k doing some of the work.

Re: macOS "Secure boot"

Posted: Tue Oct 03, 2017 8:42 am
by jihlau

I had thought that disk0s1, the EFI labelled partition, was not used as a boot source. That was given to boot.efi which is in /System/...
At most the partition was a "staging" area for firmware updates.

Anyhow, as there is barely any such thing as "secure" - it's just relatively secure, at some time, with some processes around the thing - is the Microsoft "Secure Boot" technology superior, or is any other one?

My question is a comparative one. For example, MS "Secure Boot" can be turned off, as the fuss by non-MS vendors showed when it was first introduced. Or taking the back off the box and moving the jumpers to reset the BIOS... Or how does a RHEL/Fedora/Ubuntu desktop rate, comparatively?

As a secret-protected firmware in macOS that only boots that OS and defies all others, how does that compare?

Is "Secure Boot" the only way and is it defined by the presence of an immutable certificate in firmware that verifies the OS?



Re: macOS "Secure boot"

Posted: Wed Oct 04, 2017 2:05 am
by morpheus

disk0s1 is not the boot source, but it DOES contain firmware that gets flashed. I.e. you get access to it, and you're basically done and can install an EFI level rootkit. Every two years someone on BlackHat re-discovers this.

If they wanted to implement secure boot, they would have to mimic what iBoot does - verify the kernel cache in an IMG4 container, signed by a certificate with a chain leading up to a hard-coded public key in a chip.