Apple Silicon machines are designed first and foremost to provide a secure environment for typical end-users running macOS as signed by Apple; they prioritize user security against third-party attackers, but also attempt to limit Apple’s own control over the machines in order to reduce their responsibility when faced with government requests, to some extent. In addition, the design preserves security even when a third-party OS is installed.
… these machines may possibly qualify as the most secure general purpose computers available to the public which support third-party OSes, in terms of resistance to attack by non-owners.
If you run a third-party OS on a Chromebook, doesn’t that severely compromise the security of the Chrome OS system? If I remember correctly, many Chromebooks required you to take out a screw to install another operating system and the process prevented secure boot from functioning on the primary Chrome OS installation.
What’s nice about Apple Silicon Macs (from my understanding) is that their secure boot settings are per-OS, not systemwide. You can still perform all of the signature checks on a macOS installation without doing so on a Linux system on the same disk.
Without some kind of physical intervention by users, doesn’t that leave Macs vulnerable to a persistent attack? Like an evil maid or trojan that installs something like a keylogging hypervisor that boots regular macOS. That would be indistinguishable from the perspective of the user and probably macOS yet could easily be malicious.
reboot again because you forgot which buttons you needed to press on the keyboard :D
press correct buttons during boot
Enter the recovery OS
Enter the administrator password
Change the security setting
That said, I had to work on a Chromebook for a while and that didn’t require a screw or anything to get into the unsafe mode; it was also a key chord.
There are a few critical differences though:
Changing to the insecure mode on a Chromebook erases all local content
From the article it sounds like, beyond allowing you to launch an untrusted OS, the security features are available to multiple OSes (this is purely my reading of the article, I could very well be wrong). Whether Linux or what have you support/use it, I don’t know.
You’ve now shifted the goalpost from your original question (original goalpost was “vulnerable to a persistent attack” due to not requiring something similar to Chromebooks’ screw removal, new goalpost is alleging flaws in the SEP). I’ll no longer be responding to you.
Up to the Apple A10 by the checkra1n jailbreak (to bypass the measurement by the SEP used to lock data access on access to DFU for more recent iOS releases).
On the Apple A13 onwards, the measurement of the current SEP firmware version (by the monitor) is a component of the encryption key, making such attacks no longer able to have user data access.
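A minimal model of the property described in the comment above, where the firmware measurement is an input to the key derivation, so a device that boots modified firmware derives a different key and cannot unwrap user data. This is an added example, not part of the original thread and not Apple's actual construction; the HKDF layout, the toy XOR wrap, and every name and sample value are assumptions.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def measure(firmware: bytes) -> bytes:
    """Measurement = digest of the firmware image that actually booted."""
    return hashlib.sha256(firmware).digest()

def derive_kek(device_secret: bytes, passcode: bytes, measurement: bytes) -> bytes:
    """64-byte key-encryption key bound to device, passcode and firmware measurement.
    device_secret is fixed-length, so the concatenation is unambiguous."""
    return hkdf_sha256(device_secret + passcode, salt=measurement, info=b"kek-v1", length=64)

def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Toy wrap (assumption): XOR with first half of the KEK, MAC with the second half."""
    ct = bytes(a ^ b for a, b in zip(data_key, kek[:32]))
    return ct + hmac.new(kek[32:], ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes):
    """Return the data key, or None when the KEK does not match the one used to wrap."""
    ct, tag = blob[:32], blob[32:]
    expected = hmac.new(kek[32:], ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, kek[:32]))

# Constructed sample values, for illustration only.
DEVICE_SECRET = bytes(range(32))
PASSCODE = b"123456"
SIGNED_FW = b"sep-firmware signed build (constructed)"
PATCHED_FW = b"sep-firmware patched build (constructed)"
DATA_KEY = hashlib.sha256(b"constructed data key").digest()

def demo():
    """Wrap under the signed firmware's measurement, then try both firmwares."""
    blob = wrap(derive_kek(DEVICE_SECRET, PASSCODE, measure(SIGNED_FW)), DATA_KEY)
    good = unwrap(derive_kek(DEVICE_SECRET, PASSCODE, measure(SIGNED_FW)), blob)
    bad = unwrap(derive_kek(DEVICE_SECRET, PASSCODE, measure(PATCHED_FW)), blob)
    return good == DATA_KEY, bad is None
```

Even with the correct passcode and device secret, the patched firmware's measurement yields a different key, so the unwrap is rejected rather than returning data.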
Apple’s approach to third-party OSes is essentially “have fun”. We do not have any expectations of direct support, documentation, or additional development effort from them, nor do we expect them to attempt to hinder third-party OSes in any deliberate way. They have explicitly developed the ability to securely run third-party OSes and bootloaders on these machines, and left the rest to us.
That’s… honestly way better than I expected from Apple, and I hope they keep it up. Kudos.
One consequence of the boot picker being implemented as a macOS application behind the scenes is that it has full accessibility support (including VoiceOver), which is rather unique.
That’s awesome! I don’t know of any other boot menu that’s so accessible. Does the firmware in an Apple Silicon Mac have any other interactive UI? I don’t suppose there’s any equivalent of PC BIOS setup in firmware.
This, and the bit quoted in another comment about being the most secure general-purpose computer that allows a third-party OS, makes me feel good about my recent purchase of an M1 Mac mini, even though I only plan to run macOS directly on that hardware, at least for now (I’ll probably play with Linux VMs).
The firmware intentionally tries to do as little as possible, so there’s no UI or even input outside of the power button. Any UI is just the boot splash drawn by firmware or you’re already in some form of OS.
I’ll note the closest comparison is probably OpenPower stuff where Petitboot is in play - theoretically, you can do something like macOS with a11y in preboot, because preboot is just Linux kexecing another kernel. In the Mac case, macOS is just UI for NVRAM stuff for iBoot to do next boot.
Interesting:
I’m surprised to not see ChromeOS mentioned here, reading this analysis it seems it would stand up fairly well?
It does require physical actions. You have to
The article answered this.
It relies on their SEP being trustworthy which doesn’t have a great track record…
Wait, when was the SEP compromised?