Howard Oakley on Booting the Mac

Howard Oakley has yet another new blog post on how Apple EFI works:

Booting the Mac: Will my Mac boot from this disk? A visual guide

There have been multiple recent blog posts on Apple EFI from this author! Eg:

https://firmwaresecurity.com/2018/08/30/booting-the-mac-bless-and-what-makes-a-volume-bootable/

https://firmwaresecurity.com/2018/08/26/booting-the-mac-visual-summary/

https://firmwaresecurity.com/2018/08/26/whats-stored-in-mac-nvram/

https://firmwaresecurity.com/2018/08/24/booting-the-mac-the-kernel-and-extensions/

https://firmwaresecurity.com/2018/08/10/booting-the-mac-loading-boot-efi-and-secure-boot/

Booting the Mac: the kernel and extensions

The whole purpose of the BootROM and EFI phases is to get to load and run the macOS kernel and its extensions, which is what boot.efi, the “OS X booter”, finally does. Although boot.efi doesn’t suddenly vanish, from here on it is very little needed.[…]

Booting the Mac: the kernel and extensions

mOSL: Bash script to audit and fix macOS High Sierra (10.13.x) security settings

Settings that can be audited/ fixed:

enable automatic updates
enable gatekeeper
enable firewall
enable admin password preferences
enable terminal secure entry
disable firewall builin software
disable firewall downloaded signed
disable ipv6
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check SIP
check kext loading consent
check EFI integrity
check filevault
check firmware password set

https://github.com/0xmachos/mOSL

 

AppleSupportPkg: ApfsLDriverLoader, AppleLoadImage, AppleDxeImageVerificationLib

ApfsDriverLoader
Open source apfs.efi loader based on reverse-engineered Apple’s ApfsJumpStart driver
Loads apfs.efi from ApfsContainer located on block device.
Apfs driver verbose logging suppressed.
Version system: connects each apfs.efi to the device from which it was retrieved
Supports AppleLoadImage protocol provides EfiBinary signature check
WARNING: Please load AppleLoadImage.efi right before ApfsDriverLoader, or just put it inside drivers64uefi folder of your Clover bootloader

AppleLoadImage
Implementation of AppleLoadImage protocol discoverd in ApfsJumpStart Apple driver. This protocol installs in CoreDxe Apple’s firmware.
It provides safe EFI binary loading into memory by verifiyng it’s signature.
Also gives ability to use native ApfsJumpStart driver from Apple firmware
WARNING: ApplePartitionDriver needed

AppleDxeImageVerificationLib
This library provides reverse-engineered Apple’s crypto signature algorithms.

https://github.com/acidanthera/AppleSupportPkg

Booting Secure [on Apple systems]

http://michaellynn.github.io/2018/07/27/booting-secure/

PS: A few articles on the new T2 processor as well:

https://www.computerworld.com/article/3290415/apple-mac/the-macbook-pro-s-t2-chip-boosts-enterprise-security.html

https://www.digitaltrends.com/computing/apple-t2-chip-brings-deeper-secuirty-to-macbook-pro/

The MacBook Pro’s T2 chip boosts enterprise security: Secure boot, even for Windows installations on a Mac

Apple: new/updated T2 chip and Secure Boot support articles

Re: https://firmwaresecurity.com/2018/07/12/apple-releases-new-systems-with-t2-chip-and-uefi-secureboot/ and

https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

the latter Apple support article on Secure Boot has been updated recently:

About Secure Boot

https://support.apple.com/en-us/HT208330

Mac computers that have the Apple T2 chip

https://support.apple.com/en-us/HT208862

Apple releases new systems with T2 chip and UEFI SecureBoot

https://www.apple.com/newsroom/2018/07/apple-updates-macbook-pro-with-faster-performance-and-new-features-for-pros/

Apple macOS 10.13.6: UEFI SecureBoot support for iMac Pro

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/ and https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

there is more info on Apple Secure Boot:

https://support.apple.com/en-us/HT208864
https://support.apple.com/en-us/HT208937