Unmount disk mac single user mode
9/13/2023

Knowing now that on M1 Macs there are not only admin users but also Owners, this article looks in more detail at how Ownership works, particularly in setting the Mac up initially and when installing second operating systems, such as a copy of macOS on an external disk. Apple provides details in its Platform Security Guide, so here I’ll try to explain them, and their problems.

There are two situations in which an M1 Mac needs to be set in its default state: when it’s brand new, and when it has been fully erased and restored in DFU mode using Apple Configurator 2. As Apple explains: “When macOS is first installed in the factory, or when a tethered erase-install is performed, the Mac runs code from temporary restore RAM disk to initialize the default state. During this process, the restore environment creates a new pair of public and private keys which are held in the Secure Enclave. The private key is referred to as the Owner Identity Key (OIK). If any OIK already exists, it’s destroyed as part of this process.”

So during this creation of the default state, the OIK, the private half of a public-private key pair, is generated and stored in the Secure Enclave. Also created is a new User Identity Key (UIK) for Activation Lock. This is sent to Apple for certification, where it’s checked to see if it’s associated with a lost Mac using the Find My Mac service. If it is, then certification is refused and that attempt to set that Mac up fails. If the UIK is certified successfully, then that User Identity Certificate (ucrt) is used to sign RemotePolicies, which provide constraints for LocalPolicies.

The ucrt and OIK are then used to obtain an Owner Identity Certificate from Apple: “When an Activation Lock/ucrt is successfully retrieved, it’s stored in a database on the server side and also returned to the device. After the device has a ucrt, a certification request for the public key which corresponds to the OIK is sent to the Basic Attestation Authority (BAA) server. BAA verifies the OIK certification request using the public key from the ucrt stored in the BAA accessible database. If the BAA can verify the certification, it certifies the public key, returning the Owner Identity Certificate (OIC) which is signed by the BAA and contains the constraints stored in ucrt. The OIC is sent back to the Secure Enclave. From then on, whenever the Secure Enclave signs a new LocalPolicy, it attaches the OIC to the Image4.”

At the end of these processes, the Mac has an OIC, kept in the Secure Enclave, which is attached to all LocalPolicies for that Mac; a private OIK, also kept in the Secure Enclave; RemotePolicies, which are signed into the ucrt; and a UIK for Activation Lock.

[Diagram] Which is also available as a downloadable PDF: SettingM1Mac1

Creating and maintaining LocalPolicies requires a user to have access to the private OIK in the Secure Enclave, making that user an Owner. Apple states: “Access to the Owner Identity Key (OIK) is referred to as “Ownership.” Ownership is required to allow users to resign the LocalPolicy after making policy or software changes.”

Any user with access to the OIK is therefore an Owner. Although there’s only one OIK for any given M1 Mac, and by default only the primary admin user has access to it: “The OIK is protected with the same key hierarchy as described in Sealed Key Protection (SKP), with the OIK being protected by the same Key encryption key (KEK) as the Volume encryption key (VEK). This means it’s normally protected by both user passwords and measurements of the operating system and policy.”

So any user with access to the Volume Encryption Key for the internal storage also has access to the OIK, and has Ownership. By default, that includes all users added after FileVault encryption is enabled on a Data volume, for example.

M1 Macs always start their boot process from their internal storage, even when they’re then going to boot from a second operating system stored elsewhere. To be able to boot from that second OS, it requires a LocalPolicy with an OIC attached, and Ownership has to be handed off to an Install User created when that OS is installed. Creating and changing that LocalPolicy thus requires Ownership, for which the same password is required as for access to encrypted internal storage. Handing off Ownership to the Install User is more of a problem, as users are only created once the installation is complete. To accommodate that, macOS offers to copy a user from the current boot system as the Install User, and the primary admin user, on the second OS.
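The provisioning flow quoted above (UIK certified into a ucrt, the OIK's public key certified by the BAA into an OIC, and the OIC attached to every LocalPolicy the Secure Enclave signs) can be followed end to end in a small model. This is an added example, not code from the article or from Apple: textbook RSA with a toy prime generator stands in for the Secure Enclave's keys, in-memory dicts stand in for Apple's Activation Lock and BAA servers, and the serial numbers, the "lost" list, the constraint values and the policy contents are constructed. It also exercises the two failure modes the text names: a Mac on the lost list is refused a ucrt so setup fails, and a Secure Enclave holding no OIK cannot sign a LocalPolicy at all.

```python
import hashlib
import json
import random

# ---- toy RSA (no padding, random primes): illustration only, never for real use ----
def _is_probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def keygen(bits=512):
    """(private, public) dicts; n has `bits` bits so a SHA-256 digest is always below it."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        try:
            d = pow(65537, -1, (p - 1) * (q - 1))   # ValueError only if 65537 divides phi
        except ValueError:
            continue
        return {"n": p * q, "d": d}, {"n": p * q, "e": 65537}

def _digest(obj):
    return int.from_bytes(hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).digest(), "big")

def sign(priv, obj):
    return pow(_digest(obj), priv["d"], priv["n"])

def verify(pub, obj, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(obj)

# ---- Apple-side services, simulated with in-memory state (constructed values) ----
BAA_PRIV, BAA_PUB = keygen()
LOST_MACS = {"C02-LOST-0001"}        # constructed Find My "lost" list
UCRT_DB = {}                         # server-side ucrt store the BAA can read

def activation_lock_server(serial, uik_pub):
    """Certify the UIK into a ucrt, unless Find My says the Mac is lost."""
    if serial in LOST_MACS:
        return None                                    # certification refused
    body = {"serial": serial, "uik_pub": uik_pub, "constraints": {"remote_policy": "constructed"}}
    UCRT_DB[serial] = {"body": body, "sig": sign(BAA_PRIV, body)}
    return UCRT_DB[serial]

def baa_certify_oik(serial, request):
    """Verify the request with the UIK public key in the stored ucrt, then issue an OIC
    over the OIK public key that carries the ucrt's constraints."""
    ucrt = UCRT_DB.get(serial)
    if ucrt is None or not verify(ucrt["body"]["uik_pub"], request["body"], request["sig"]):
        return None
    body = {"serial": serial, "oik_pub": request["body"]["oik_pub"],
            "constraints": ucrt["body"]["constraints"]}
    return {"body": body, "sig": sign(BAA_PRIV, body)}

# ---- Mac side: a stand-in for the Secure Enclave ----
class SecureEnclave:
    def __init__(self, serial):
        self.serial, self.oik, self.oic = serial, None, None

    def initialize_default_state(self):
        """Restore-RAM-disk path: destroy any OIK, mint OIK and UIK, obtain ucrt then OIC."""
        self.oik, self.oic = None, None
        oik_priv, oik_pub = keygen()
        uik_priv, uik_pub = keygen()
        if activation_lock_server(self.serial, uik_pub) is None:
            return False                               # lost Mac: setup fails here
        req = {"oik_pub": oik_pub}
        oic = baa_certify_oik(self.serial, {"body": req, "sig": sign(uik_priv, req)})
        if oic is None:
            return False
        self.oik, self.oic = oik_priv, oic
        return True

    def sign_local_policy(self, policy):
        """Image4-style: the policy is signed with the OIK and the OIC is attached."""
        if self.oik is None:
            raise PermissionError("no Ownership: this Secure Enclave holds no OIK")
        return {"policy": policy, "sig": sign(self.oik, policy), "oic": self.oic}

def verify_local_policy(blob, baa_pub=BAA_PUB):
    """Boot-time check: the OIC chains to the BAA and the policy verifies under its OIK."""
    oic = blob["oic"]
    if oic is None or not verify(baa_pub, oic["body"], oic["sig"]):
        return False
    return verify(oic["body"]["oik_pub"], blob["policy"], blob["sig"])

if __name__ == "__main__":
    se = SecureEnclave("C02-OK-0001")
    print("setup:", se.initialize_default_state())
    print("policy verifies:", verify_local_policy(se.sign_local_policy({"boot_volume": "External"})))
    print("lost Mac setup:", SecureEnclave("C02-LOST-0001").initialize_default_state())
```

The point to notice is where each check happens: the Activation Lock server decides on the UIK, the BAA only ever sees the OIK's public half and trusts the request because the ucrt vouches for the UIK, and whatever later verifies a LocalPolicy needs nothing but the BAA's public key, because the OIC attached to the Image4 carries the OIK it must use.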
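The key-hierarchy point made above (the OIK sealed under the same KEK as the VEK, so every user who can unlock the internal storage is an Owner) in a toy model. This is an added example, not Apple's SKP implementation and not code from the article: the hardware UID, the OS/policy measurement, the PBKDF2 password key and the HMAC-based sealing are constructed stand-ins, and the user names and passwords are made up. It shows why enabling an extra user for FileVault also grants that user Ownership, and why unlocking under a different OS measurement yields no keys at all.

```python
import hashlib
import hmac
import os

def _kdf(key, label):
    """32-byte derivation used for KEKs, keystreams and tags (stand-in for SEP KDFs)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _seal(kek, label, secret):
    """Wrap a 32-byte secret: XOR keystream plus an HMAC tag so a wrong KEK is detected."""
    ct = bytes(a ^ b for a, b in zip(_kdf(kek, b"enc|" + label), secret))
    return ct + _kdf(kek, b"mac|" + label + ct)

def _open(kek, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _kdf(kek, b"mac|" + label + ct)):
        return None
    return bytes(a ^ b for a, b in zip(_kdf(kek, b"enc|" + label), ct))

class Mac:
    """One Mac: one VEK, one OIK, and a sealed copy of both per FileVault-enabled user."""
    def __init__(self, os_measurement):
        self.uid = os.urandom(32)              # stand-in for the Secure Enclave hardware UID
        self.os_measurement = os_measurement   # digest of the booted OS and LocalPolicy
        self.vek, self.oik = os.urandom(32), os.urandom(32)
        self.slots = {}                        # user -> (sealed VEK, sealed OIK)

    def _kek(self, password, measurement):
        # As in SKP, the KEK depends on the password, the hardware key and the measurement
        pwk = hashlib.pbkdf2_hmac("sha256", password.encode(), self.uid, 10_000)
        return _kdf(pwk, b"KEK|" + measurement)

    def enable_filevault_user(self, user, password):
        """Granting FileVault access seals the VEK *and* the OIK to that user's KEK."""
        kek = self._kek(password, self.os_measurement)
        self.slots[user] = (_seal(kek, b"VEK", self.vek), _seal(kek, b"OIK", self.oik))

    def unlock(self, user, password, measurement=None):
        """Return (vek, oik), or None if the user, password or OS measurement is wrong."""
        if user not in self.slots:
            return None
        kek = self._kek(password, measurement or self.os_measurement)
        sealed_vek, sealed_oik = self.slots[user]
        vek = _open(kek, b"VEK", sealed_vek)
        return None if vek is None else (vek, _open(kek, b"OIK", sealed_oik))

def owners(mac, credentials):
    """Which of the given user -> password pairs hold Ownership, i.e. can recover the OIK."""
    result = []
    for user, password in credentials.items():
        keys = mac.unlock(user, password)
        if keys is not None and keys[1] == mac.oik:
            result.append(user)
    return sorted(result)

if __name__ == "__main__":
    mac = Mac(b"macOS-constructed|LocalPolicy-A")
    mac.enable_filevault_user("primary", "correct horse")
    mac.enable_filevault_user("second", "battery staple")
    print(owners(mac, {"primary": "correct horse", "second": "battery staple", "guest": "x"}))
```

The practical consequence for a defender is that the list of FileVault-enabled users on an M1 Mac is also the list of Owners; on a real machine `fdesetup list` shows that set, and any account added to it can resign the LocalPolicy.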