Posted by Brajeshwar 17 hours ago
What made it a security nightmare?
... game over. That's one well-understood fact back then as it is today. Where's the security nightmare?
Apple devices provide a good exemplar because of their significant investments in security, but Apple is not the only company making devices about which you can say physical control is no longer an absolute proxy for logical control.
Take for instance an Apple silicon Mac (or for that matter an iPhone). Generally speaking, you could steal it from someone, but without the credentials it’s more or less a brick.
Apple silicon Macs in particular have firmware that requires certain base actions to be authorized with the password of the “Owner” account, which is (typically) the first user account created on the machine. Without that, it will just stare back at you.
Are there vulnerabilities that could enable a bypass? Probably. Are those in the hands of any given evil maid or thief? Exceedingly unlikely.
What stops me from writing a malicious firmware implant which tampers with the local database every time the computer boots, and inserts itself as "known good"?
I don't see how it's possible to monitor the firmware from the OS, if the OS already implicitly trusts the firmware...
Also: Does anyone know of good resources for learning about firmware security from the ground up? Seems like this article already assumes a certain level of background knowledge.
That's interesting; does "normal" PC UEFI pass a device tree to the OS? I thought hardware was enumerated at runtime.
This device tree is describing fixed (per BOM/schematic) hardware. Things below that hardware are still enumerated.
I really wish this had won out over ACPI. It didn't, though, so Arm ServerReady is all ACPI-ified, complete with the tooling trash-fire that the ecosystem entails.
PowerPC OS X probably expected a device tree provided by Open Firmware so when they switched to EFI they probably added that boot.efi shim so the kernel didn't have to change much.
It doesn't really matter whether the bootloader or the kernel enumerates hardware.