Boot ROM Security on Silicon Macs (M1/M2/M3)
10 hours ago
- #Apple Silicon
- #Boot Process
- #Security
- Booting is the process of starting a computer by loading the operating system into memory; the name comes from the image of a computer pulling itself up by its own bootstraps.
- Apple Silicon (M1/M2/M3) introduced a new macOS boot architecture that resembles the one used on iPhones and iPads: a chain of trust in which each stage cryptographically verifies the next before handing over control.
- The Boot ROM (SecureROM) is the first stage to execute. It is built into the SoC hardware, cannot be altered by software updates, and initializes the processor before verifying the next-stage bootloader.
- The Boot ROM contains Apple’s root of trust to validate the signature of the next component, reverting to recovery mode if verification fails.
- Device Firmware Update (DFU) mode is the fallback on Apple Silicon: the Mac waits for a host computer to connect over USB and restore a valid image.
- The Boot ROM is stored in read-only memory, minimizing attack surface and ensuring only Apple-signed bootloaders are accepted.
- Boot ROM exploits are rare but powerful; Checkm8 (2019) targeted iPhones and T2 chips, but no known exploits exist for M-series chips.
- Apple’s strategy for Boot ROM security includes minimal, formally verified code, hardware revisions to fix flaws, and eliminating legacy BIOS/EFI vulnerabilities.
- The Boot ROM does not support booting from arbitrary external media, reducing potential vulnerabilities in early boot processes.
- After the Boot ROM, the Low-Level Bootloader (LLB) runs, which will be covered in the next article.
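As an added worked example (not from the original post and not Apple's code; Apple's real image format and key handling differ), here is a small Go model of the chain of trust described in the bullets above: a root public key that stands in for the one burned into the Boot ROM, each stage carrying the public key used to verify the stage after it, and a fallback to DFU as soon as any signature fails. The stage names LLB, iBoot and kernel, the use of Ed25519, the digest layout and the placeholder payloads are all assumptions of the model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Stage models one boot-stage image (a constructed illustration, not Apple's real image format).
type Stage struct {
	Name       string
	Payload    []byte
	NextPubKey ed25519.PublicKey // key this stage trusts for the following stage (nil for the last)
	Signature  []byte            // signature over digest(Name, Payload, NextPubKey)
}

// BootResult records how far verification got and where the device ended up.
type BootResult struct {
	Verified []string // stages whose signatures checked out, in order
	FailedAt string   // first stage whose signature did not verify ("" if none)
	Outcome  string   // "booted" or "DFU"
}

// digest binds name, payload and the next-stage key together so none can be swapped independently.
func digest(name string, payload []byte, next ed25519.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator: the name/payload boundary must be unambiguous
	h.Write(payload)
	h.Write(next) // fixed length (32 bytes, or empty for the last stage), so no separator needed
	return h.Sum(nil)
}

func sign(priv ed25519.PrivateKey, s *Stage) {
	s.Signature = ed25519.Sign(priv, digest(s.Name, s.Payload, s.NextPubKey))
}
// BootROM plays the immutable first stage: it holds the root public key and verifies each
// stage with the key established by the stage before it. Any failure falls back to DFU.
func BootROM(rootPub ed25519.PublicKey, chain []Stage) BootResult {
	res := BootResult{}
	trusted := rootPub
	for _, st := range chain {
		if len(trusted) != ed25519.PublicKeySize ||
			!ed25519.Verify(trusted, digest(st.Name, st.Payload, st.NextPubKey), st.Signature) {
			res.FailedAt = st.Name
			res.Outcome = "DFU" // never execute an unverified image; wait for a restore
			return res
		}
		res.Verified = append(res.Verified, st.Name)
		trusted = st.NextPubKey // only a verified stage may nominate the next key
	}
	res.Outcome = "booted"
	return res
}

// BuildSignedChain constructs a three-stage chain (LLB -> iBoot -> kernel) with freshly
// generated keys; the payloads are constructed placeholders, not real images.
func BuildSignedChain() (ed25519.PublicKey, []Stage, error) {
	var pubs [3]ed25519.PublicKey
	var privs [3]ed25519.PrivateKey
	for i := range pubs {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		pubs[i], privs[i] = pub, priv
	}
	chain := []Stage{
		{Name: "LLB", Payload: []byte("constructed LLB image"), NextPubKey: pubs[1]},
		{Name: "iBoot", Payload: []byte("constructed iBoot image"), NextPubKey: pubs[2]},
		{Name: "kernel", Payload: []byte("constructed kernel image")},
	}
	sign(privs[0], &chain[0]) // root key (the one burned into ROM) vouches for LLB
	sign(privs[1], &chain[1]) // key embedded in LLB vouches for iBoot
	sign(privs[2], &chain[2]) // key embedded in iBoot vouches for the kernel
	return pubs[0], chain, nil
}

// Tamper returns a copy of the chain with one payload byte of stage idx flipped (a modified image).
func Tamper(chain []Stage, idx int) []Stage {
	out := make([]Stage, len(chain))
	for i := range chain {
		out[i] = chain[i]
		out[i].Payload = append([]byte(nil), chain[i].Payload...)
	}
	out[idx].Payload[0] ^= 0xFF
	return out
}

func main() {
	root, chain, err := BuildSignedChain()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact chain:   %+v\n", BootROM(root, chain))
	fmt.Printf("tampered iBoot: %+v\n", BootROM(root, Tamper(chain, 1)))
}
```

Run it with `go run`: the intact chain reports `booted` with all three stages verified, while flipping one byte of the iBoot image stops verification at that stage and leaves LLB as the only verified stage. That is the property the bullets describe: the ROM never executes an image it cannot verify, and once a link fails nothing later in the chain can re-establish trust, so the device waits in DFU for a valid image.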