A Reverse Engineer's Anatomy of the macOS Boot Chain and Security Architecture

This is a really interesting deep dive but why does the article hedge so much? For example, in the first few sections it says things like "... typically reveals the following sequence" or "The Boot ROM sets a specific control bit in the AES configuration register (e.g., AES_CMD_USE_GID)", which makes it sound like the author wasn't actually sure if any of this was accurate and was guessing.

4 hours ago ethin

It's AI assistance. If you search for "e.g." the page lights up like a Christmas tree. There's 90 appearances of "e.g."

I have never seen this frequency before.

2 hours ago hu3

Or maybe fully AI-generated. There's many factual errors in the article too.

2 hours ago nicolas_17

> e.g., AES_CMD_USE_GID

Sometimes people mix up “i.e.” (“id est”; “that is”) and “e.g.” (“exempli gratia”; “for example”).

Of course, only the author knows if this case was a mix-up, or if they really wrote what they meant.

2 hours ago QuantumNomad_

For anyone looking for a more memorable mnemonic, learned them as "I explain" and "example given".

2 hours ago jshier

I smell AI writing assistance. Which is a shame because this is otherwise very good and well-collated information about Apple's security. But AI loves to use bullet point lists just for the hell of it and it makes the information here smell way less reliable than it actually is.

I'm also not sure if it's 100% accurate. My (possibly wrong) understanding of the guarded execution feature is that each GL is paired with a normal ARM EL. i.e. GL2 constrains EL2, GL1 constrains EL1, etc. XNU lives in EL2 so SPTM lives in GL2, and GENTER/GEXIT move you between ELx and GLx through a secure call vector. In contrast, this guide refers to GL0 being the "standard XNU kernel context" even though XNU lives in EL2 on macOS. Furthermore, on device OSes (iOS/iPadOS/etc) they put a second kernel in GL1 and various enforcement policy tools (i.e. code signing policy, camera indicator policy) in GL0[0]. So I'm not sure how macOS putting XNU in GL0 makes sense?

[0] XNU source refers to this concept as an Exclave, which itself can be grouped with other isolated resources as a Conclave.

3 hours ago kmeisthax

I think the article is being stealth edited which is a bit annoying; its explanation of guarded execution is now closer to yours, which I think is accurate.

an hour ago bri3d

There's many factual errors in this AI slop.

For example, it says quite unambiguously that the bootloader is encrypted directly with the GID key (loading the LLB ciphertext into the AES engine), but that's not how it works, the GID key is used to decrypt the LLB's KBAG into an AES key:IV pair and that is used to decrypt the LLB.

More:

> The behavior of the Boot ROM changes fundamentally based on the "Security Domain" fuse.
>
> Production (CPFM 01):

Security Domain (SDOM) is a different thing than CPFM. And production devices have CPFM 03.

> CHIP (Chip ID): Identifies the SoC model (e.g., 0x8101 for M1).

The M1 SoC is 0x8103.

Due to Brandolini's Law I will not continue to list everything else that is wrong here...

an hour ago nicolas_17

All of these errors have now been stealth-corrected.

New strategy discovered: Ask LLM to write article, nerdsnipe HN into correcting it, feed corrections back into LLM until people stop complaining

an hour ago jjtech

They just fixed the KBAG thing.

This quickly went from Brandolini's Law to Cunningham's Law. Learn how Apple's boot process works by explaining it wrong and waiting for people to correct you!

an hour ago nicolas_17

Perhaps using AI assistance is good OPSEC. It could help to shield the author from stylometry or author profiling.

2 hours ago VogonPoetry

And then the author posts it himself to Hacker News. Nah, that's not opsec.

39 minutes ago nicolas_17

Incredible article. int summarizes it well:

Final Thought: macOS is no longer just a Unix system. It is a distributed system running on a single die, governed by a hypervisor that doesn't exist in software. The kernel is dead; long live the Monitor.

3 hours ago JSR_FDED

Holy cow I was reading and reading and then I realized I was only 10% through!

4 hours ago ziofill

It's long because it's AI-assisted and they're all bullet point lists all the time.

4 hours ago astrange

Can't seem to load it. FF on Android. SSL problem?

3 hours ago Brian_K_White

Working ok for me

3 hours ago wpm

This is top 10 for greatest HN deep dives. I learned something new almost every sentence, and could not complete it on my first attempt.

4 hours ago wanderingbit

This is top tier. Well written and insanely detailed.