| ▲ | How to check if your Apple Silicon Mac is booting securely (eclecticlight.co) |
| 100 points by shorden 2 days ago | 22 comments |
| |
|
| ▲ | saagarjha 2 days ago | parent | next [-] |
| Note that checking anything in userspace on a compromised machine does not actually prove that the machine is not compromised. It is very easy to boot insecurely and then make everything lie that the boot was secure. |
| |
| ▲ | Citizen8396 2 days ago | parent [-] | | Recovery exists in a separate partition protected by SIP; it's set up this way so that 99.99% of scenarios require a local, physical attack. "recoveryOS" is also bound to the specific APFS volume of the device. There's more to it than that, but you can be reasonably sure that recoveryOS isn't lying to you. Sure, you can make an argument someone gave you a special device with a fake OS... but anyone willing to do that has much more simple ways to fuck with you. |
|
|
| ▲ | bduhan 2 days ago | parent | prev | next [-] |
| I had to do this today for a Universal Audio Apollo audio interface. Glad it’s on a dedicated machine. https://help.uaudio.com/hc/en-us/articles/360057137692-Apple... |
| |
| ▲ | Barbing 2 days ago | parent | next [-] | | Interesting. They need that for lowest-possible latency? And it should be fairly safe? | | |
| ▲ | arcticbull 2 days ago | parent [-] | | Assuming they're USB devices they shouldn't be a reason to do this... Apple moved third-party drivers for USB devices and audio HAL extensions to user space, so there's some minor overhead choosing DriverKit over IOKit. Everything I've dug up says it's low single digit percentages. I wouldn't be developing USB drivers against IOKit anymore personally and I'd be looking to move over pretty aggressively before Apple drops the hammer. | | |
| ▲ | nottorp 2 days ago | parent [-] | | How about file system drivers? If there is such a thing any more... fuse and friends... | | |
|
| |
| ▲ | SebFender 2 days ago | parent | prev [-] | | UAD drivers have always been very creative... lol |
|
|
| ▲ | userbinator 2 days ago | parent | prev | next [-] |
| s/booting securely/running only the code Apple approves of/g |
| |
| ▲ | arcticbull 2 days ago | parent | next [-] | | Not exactly, distribution conversation aside this is specific to kernel extensions. Apple's been moving drivers out of kernel space and into user space for several years [1]. There's a lot of good reasons for doing so, and not a lot of drawbacks. I'd consider this to be a strongly worded API deprecation notice. [1] https://developer.apple.com/documentation/driverkit | |
| ▲ | bapak 2 days ago | parent | prev [-] | | You can run unverified code if you build it yourself. You can distribute unverified code by just paying $99/year to Apple. Not great, but still no need for specific code approval. | | |
| ▲ | cyberax 2 days ago | parent | next [-] | | Not if you want to use some features like bridged networking. For that you need to go and beg Apple for an entitlement. Or you have to disable SIP entirely. | | |
| ▲ | Barbing 2 days ago | parent [-] | | They respond to the begging as incredibly well as they respond to feedback/bug reports, right? | | |
| ▲ | cyberax 2 days ago | parent [-] | | To be fair, they _do_ respond well in this particular case. But you have to write an email to a developer somewhere in Apple, as there is no established process. |
|
| |
| ▲ | Gigachad 2 days ago | parent | prev [-] | | You can run whatever scripts you want without paying anything. Pretty sure the signing thing only applies to .app programs. |
|
|
|
| ▲ | Barbing 2 days ago | parent | prev | next [-] |
| Useful, thank you! Looks like the author just enjoys helping fellow nerds. Nice |
| |
|
| ▲ | daft_pink 2 days ago | parent | prev | next [-] |
| The problem is if you enable FileVault then you can’t ssh into the Mac remotely until someone locally logs in. Means I end up using FileVault on my laptop, but not on my desktop. |
|
| ▲ | ostensible 2 days ago | parent | prev [-] |
| `man csrutil` |