Reputation: 7462
Security.framework exports functions like SecCodeCheckValidityWithErrors() that are used to verify correctness of code signatures against the certificate store.
However, who inspects the inspector? Security.framework is signed as well. How can the kernel verify its signature without loading Security.framework beforehand to get access to those functions? And wouldn't that mean that replacing Security.framework with a custom implementation that blindly accepts any signature is enough to effectively shut down all the code-signing protection?
If the kernel has a static version of Security.framework compiled in, then what's the point of having it as a separate framework? If it does not, does it just blindly trust this particular framework to be untampered?
Background: I had recently replaced a builtin keyboard on my MacBook, and it announces itself with the wrong USB PID, so it's recognized as JIS instead of ANSI. It can be fixed by changing a single line in AppleUSBTCKeyboard.kext's Info.plist, but this invalidates the signature. And making your own CA with all relevant OIDs is not enough, as kext signature checks are hardcoded to only accept Apple-rooted certificates. The only legal way to circumvent this is to pay Apple a $100/yr fee, essentially for using my own computer. That's why I would like to make the anchor apple requirement match not only certificates issued by the Apple CA, but also any trusted CA, including those provided by the user, to make a publicly available patch as non-intrusive as possible, and now I am investigating how to do that.
Upvotes: 3
Views: 256
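To make the two mechanisms in the question concrete, here is an added, self-contained model (not Apple's code and not taken from the original post) of what a kext loader's policy check does: it compares the sealed Info.plist against the hash recorded at signing time, builds the certificate chain from the signer's leaf to a root, and evaluates the loader's own hardcoded requirement (`anchor apple`) against that root. The "Apple Root CA" and "My Kext CA" certificates, the `key_id` values and the Info.plist fragments are all constructed for the example; certificate signatures are not cryptographically verified here (issuers are matched by fingerprint only), and only a tiny subset of the requirement language is parsed. The relaxed policy string `anchor apple or anchor trusted` is the change the question describes: accept Apple-rooted chains as before, plus chains ending at a root the user has put in a trust set.

```python
"""Toy model of a kext code-signing policy check (added example, not Apple's code).

Real logic modelled: the Info.plist seal (a SHA-256 stand-in for the
CodeDirectory's Info.plist slot), chain building, and `anchor` evaluation.
Not modelled: actual certificate signature verification and the OID/leaf
constraints a real requirement carries.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject of the issuing cert; equals subject for a root
    key_id: str   # stand-in for the public key (no real signature is checked)

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(f"{self.subject}|{self.key_id}".encode()).hexdigest()[:16]

    @property
    def is_root(self) -> bool:
        return self.subject == self.issuer


# Constructed stand-ins for Apple's root and for a user-operated root CA.
APPLE_ROOT = Cert("Apple Root CA (constructed)", "Apple Root CA (constructed)", "apple-root-key")
USER_ROOT = Cert("My Kext CA (constructed)", "My Kext CA (constructed)", "user-root-key")

# Constructed Info.plist fragments; the real edit is a single USB product-ID value.
ORIGINAL_PLIST = b"<key>idProduct</key><integer>1</integer>"
PATCHED_PLIST = b"<key>idProduct</key><integer>2</integer>"


@dataclass(frozen=True)
class Signature:
    info_plist_hash: str   # recorded at signing time
    leaf: Cert             # the signer's certificate


def seal(info_plist: bytes) -> str:
    return hashlib.sha256(info_plist).hexdigest()


def sign_kext(info_plist: bytes, leaf: Cert) -> Signature:
    return Signature(seal(info_plist), leaf)


def build_chain(leaf: Cert, pool: dict[str, Cert]) -> list[Cert]:
    """Walk leaf -> ... -> root through the available certs; fail on a missing issuer."""
    chain = [leaf]
    while not chain[-1].is_root:
        issuer = pool.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"issuer not found: {chain[-1].issuer}")
        chain.append(issuer)
    return chain


def anchor_satisfied(req: str, chain: list[Cert], user_trusted: set[str]) -> bool:
    """Evaluate 'anchor apple', 'anchor trusted' or 'anchor = H"<fp>"' clauses
    joined by ' or '. The first satisfied clause wins."""
    root = chain[-1]
    for clause in (c.strip() for c in req.split(" or ")):
        if clause == "anchor apple":
            ok = root.fingerprint == APPLE_ROOT.fingerprint
        elif clause == "anchor trusted":
            ok = root.fingerprint in user_trusted
        elif clause.startswith('anchor = H"') and clause.endswith('"'):
            ok = root.fingerprint == clause[len('anchor = H"'):-1]
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        if ok:
            return True
    return False


def check_validity(info_plist: bytes, sig: Signature, policy: str,
                   pool: dict[str, Cert], user_trusted: set[str]) -> tuple[bool, str]:
    """The loader's decision: seal first (any edit to Info.plist fails here),
    then chain building, then the loader's own requirement, not the signer's."""
    if seal(info_plist) != sig.info_plist_hash:
        return False, "Info.plist seal mismatch (bundle modified after signing)"
    try:
        chain = build_chain(sig.leaf, pool)
    except ValueError as exc:
        return False, str(exc)
    if not anchor_satisfied(policy, chain, user_trusted):
        return False, f"requirement not satisfied: {policy}"
    return True, "valid"


def demo() -> dict[str, tuple[bool, str]]:
    apple_leaf = Cert("Apple kext signer (constructed)", APPLE_ROOT.subject, "apple-leaf-key")
    user_leaf = Cert("My kext signer (constructed)", USER_ROOT.subject, "user-leaf-key")
    pool = {c.subject: c for c in (APPLE_ROOT, USER_ROOT, apple_leaf, user_leaf)}
    apple_sig = sign_kext(ORIGINAL_PLIST, apple_leaf)   # Apple's signature over the stock plist
    user_sig = sign_kext(PATCHED_PLIST, user_leaf)      # re-signed after the one-line edit
    strict, relaxed = "anchor apple", "anchor apple or anchor trusted"
    trusted = {USER_ROOT.fingerprint}
    return {
        "apple_untouched": check_validity(ORIGINAL_PLIST, apple_sig, strict, pool, set()),
        "apple_patched": check_validity(PATCHED_PLIST, apple_sig, strict, pool, set()),
        "user_ca_strict": check_validity(PATCHED_PLIST, user_sig, strict, pool, trusted),
        "user_ca_relaxed": check_validity(PATCHED_PLIST, user_sig, relaxed, pool, trusted),
        "user_ca_relaxed_untrusted": check_validity(PATCHED_PLIST, user_sig, relaxed, pool, set()),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:28s} {'OK ' if ok else 'FAIL'} {why}")
```

The ordering in `check_validity` is the point: editing Info.plist fails at the seal regardless of which CA signed the bundle, so re-signing is unavoidable, and re-signing with a non-Apple CA then fails at the anchor unless the loader's policy (not the signature) is what gets changed.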
Reputation: 23428
Security.framework actually isn't directly responsible for the logic of checking the code signing of kexts. This is done by the kext tools - from memory, kextcache checks the signatures when creating a prelinked kernel or updating the kext cache, and kextd when loading a kext on demand.
The Hackintosh community has come up with a modified toolchain which allows your own kext signing authority. I haven't tested this yet, as the last time I checked they assumed you'd use some Hackintosh website's central CA, which doesn't appeal to me, and I didn't find the patches they used against Apple's tools. I didn't spend much time on this so maybe with a bit more persistence you can make it work: https://www.tonymacx86.com/threads/gatebreak-signed-kexts-for-everyone.112306/
Upvotes: 2
Reputation:
Apple doesn't publicly document how the boot trust chain works.
However, there's some circumstantial evidence that checksums of certain critical files are performed on boot:
While I haven't tried personally, it seems highly likely that the Security framework is checked as well, so it's unlikely that you'll be able to sneak in a change to that. Consider remapping the keyboard at a higher level.
Upvotes: 2