Deep technical analysis of macOS boot chain security on Apple Silicon, covering hardware root of trust from Boot ROM through kernel initialization. Examines cryptographic verification mechanisms, Secure Enclave architecture, firmware loading stages (LLB, iBoot), and the new Tahoe security architecture with Guarded Execution Levels. Details hardware primitives like GID keys, Pointer Authentication, and the Secure Page Table Monitor (SPTM) that enforce isolation between Normal and Secure worlds. Provides reverse engineering techniques for analyzing boot components, AES decryption oracles, and SEP communication protocols.

2h 39m read time. From stack.int.mov
Table of contents

1.0 The Silicon Root of Trust: Pre-Boot & Hardware Primitives
2.0 The Secure Enclave Processor (SEP): The Parallel Computer
3.0 The Chain of Trust: Firmware & Bootloaders
4.0 The Security Monitor Layer (GL1/GL2): The Exclave Architecture
5.0 XNU Kernel Initialization: Entering EL2
6.0 The Mach Subsystem: The Nervous System
7.0 IOKit & Driver Architecture
8.0 Userland Bootstrap: The Birth of PID 1
9.0 The Security Daemon Hierarchy
10.0 User Session, Authentication & Data Protection
11.0 Conclusion: The Attack Surface Landscape
