AppleSupportPkg: ApfsLDriverLoader, AppleLoadImage, AppleDxeImageVerificationLib

ApfsDriverLoader
Open source apfs.efi loader based on reverse-engineered Apple’s ApfsJumpStart driver
Loads apfs.efi from ApfsContainer located on block device.
Apfs driver verbose logging suppressed.
Version system: connects each apfs.efi to the device from which it was retrieved
Supports AppleLoadImage protocol provides EfiBinary signature check
WARNING: Please load AppleLoadImage.efi right before ApfsDriverLoader, or just put it inside drivers64uefi folder of your Clover bootloader

AppleLoadImage
Implementation of AppleLoadImage protocol discoverd in ApfsJumpStart Apple driver. This protocol installs in CoreDxe Apple’s firmware.
It provides safe EFI binary loading into memory by verifiyng it’s signature.
Also gives ability to use native ApfsJumpStart driver from Apple firmware
WARNING: ApplePartitionDriver needed

AppleDxeImageVerificationLib
This library provides reverse-engineered Apple’s crypto signature algorithms.

https://github.com/acidanthera/AppleSupportPkg

Booting Secure [on Apple systems]

http://michaellynn.github.io/2018/07/27/booting-secure/

PS: A few articles on the new T2 processor as well:

https://www.computerworld.com/article/3290415/apple-mac/the-macbook-pro-s-t2-chip-boosts-enterprise-security.html

https://www.digitaltrends.com/computing/apple-t2-chip-brings-deeper-secuirty-to-macbook-pro/

The MacBook Pro’s T2 chip boosts enterprise security: Secure boot, even for Windows installations on a Mac

Apple: new/updated T2 chip and Secure Boot support articles

Re: https://firmwaresecurity.com/2018/07/12/apple-releases-new-systems-with-t2-chip-and-uefi-secureboot/ and

https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

the latter Apple support article on Secure Boot has been updated recently:

About Secure Boot

https://support.apple.com/en-us/HT208330

Mac computers that have the Apple T2 chip

https://support.apple.com/en-us/HT208862

Apple releases new systems with T2 chip and UEFI SecureBoot

https://www.apple.com/newsroom/2018/07/apple-updates-macbook-pro-with-faster-performance-and-new-features-for-pros/

Apple macOS 10.13.6: UEFI SecureBoot support for iMac Pro

Re: https://firmwaresecurity.com/2017/12/13/apple-secure-boot/ and https://firmwaresecurity.com/2017/12/20/apple-kb-article-on-secure-boot/

there is more info on Apple Secure Boot:

https://support.apple.com/en-us/HT208864
https://support.apple.com/en-us/HT208937

Apple: periodic reminder: set your firmware password

Re: https://firmwaresecurity.com/2018/05/02/apple-set-your-firmware-password/

https://support.apple.com/en-us/ht204455

What does NVRAM lock/unlock actually mean?

What does NVRAM lock/unlock actually mean

Jun 26, 2018

So, recently I’ve realized that meaning of “lock/unlock” in context of nvram on iOS is not understood correctly by many, so I’ve decieded to make a quick blog post on meaning of those words.[…]

https://stek29.rocks/2018/06/26/nvram.html

 

Howard Oakley: Hidden caches in macOS: where your private data gets stored

Some time ago, I proposed that macOS 10.14 should be named Gormenghast, to reflect its many concealed and neglected features. These can trip up its own security and the protection of privacy when an old system within macOS is quietly storing sensitive data in an unprotected location. A good example is the latest vulnerability in QuickLook (or Quick Look, as Apple uses both forms).  Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places. If you’re concerned about protecting the security of your data, these should be places to watch; if you’re a forensic analyst, these are often rewarding places to look.[…]

Hidden caches in macOS: where your private data gets stored

ApfsSupportPkg – Open source apfs.efi loader based on reverse-engineered Apple’s ApsfJumpStart driver

Apple has a new file system, APFS. This causes Hackintosh people lots of grief. There are lots of Apple APFS binaries online, and now there’s this:

https://github.com/acidanthera/ApfsSupportPkg

Implementation of AppleLoadImage protocol discoverd in ApfsJumpStart Apple driver. This protocol installs in CoreDxe Apple’s firmware. Gives ability to use native ApfsJumpStart driver from Apple firmware

Credits:
cugu for awesome research according APFS structure
CupertinoNet and Download-Fritz for Apple EFI reverse-engineering
vit9696 for codereview and support in the development
savvas

exploit_playground: overly-commented exploits (and Ian Beer’s getvolattrlist bug)

Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented 😉 ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.

https://github.com/externalist/exploit_playground