Explore the new system architecture of Apple Silicon Macs (Wednesday, June 24th, 2020)

* Apple Silicon and macOS
* Security features
* Applications and Rosetta
* Boot and Recovery

Intel Macs
* Multi-core CPU
* GPU
* T2 chip
All are separate components.

Apple Silicon
* Combines all three into a System On a Chip (SOC)
* Allows the SOC to have a unified memory architecture, with the CPU and GPU sharing memory efficiently.
* Also allows technologies developed on iOS to be brought to macOS.

Intel CPU cores: All have the same performance
Apple Silicon SOC cores: Asymmetric multiprocessing (AMP)

* Apple SOCs have a mix of performance cores for when your app needs maximum performance and power-efficient cores for when less CPU is needed.
* Cores support the same architectural features and can all run the same software.
* macOS will use all these cores simultaneously.
  - Apps will be moved onto the appropriate cores depending on the performance requirements.

No new APIs are needed to take advantage of AMP. Use the existing APIs and Apple Silicon will provide performance boosts when running tasks that benefit from the new unified memory architecture. For additional API-specific details, please watch the session video.

Using Grand Central Dispatch will help you by allowing GCD to run your tasks optimally across all SOC cores.

Security:
By building their own chips, Apple was able to build some great security features into the iPhone and iPad. By moving Macs to Apple Silicon, those same features can come to macOS.

* Write XOR execute
* Kernel Integrity Protection
* Pointer authentication
* Device isolation

Write XOR execute:
Memory pages cannot be both writable and executable at the same time. Pages which can be writable and executable simultaneously can be a security vulnerability. However, many Just In Time (JIT) compilers rely on memory being writable and executable simultaneously. To account for this, a new API (pthread_jit_write_protect) will allow pages to quickly switch between being writable and being executable.
The permission switch works per-thread, so two different threads can see different permissions for the same memory page. This will enable multi-threaded JIT compilers to be both fast and secure.

Kernel Integrity Protection
Apple Silicon includes hardware support in the memory controller to make the OS kernel code immutable, or impossible to change or alter.

When the kernel is initialized:
* No modification
* No new code loaded

Once the kernel has been loaded into memory, kernel integrity protection prevents memory pages containing kernel code from being modified or additional pages from being made executable. This prevents attacks which would inject new code into the kernel while the kernel is running.

Pointer Authentication
Pointers, or memory addresses, are cryptographically signed to guard against misuse. The pointer authentication code (PAC) is stored in unused parts of the pointer. The PAC is checked when the pointer is used.

Pointer authentication is enabled for the following:
* Kernel
* System applications
* System services

Apple is not yet ready for third party developers to start using pointer authentication, but if developers want to experiment on their Macs, here's how!

1. Disable SIP
2. Run the following NVRAM command:
   sudo nvram boot-args=-arm64e_preview_abi
3. Add arm64e to the "Architectures" build setting in Xcode.

Documentation: https://developer.apple.com/documentation/security/preparing_your_app_to_work_with_pointer_authentication

Device isolation:
Intel Macs use a shared Input–output memory management unit (IOMMU). On Intel-based Macs, all PCIe devices thus have a shared view of system memory.

On Apple Silicon, a separate IOMMU is used for each PCIe device, which means they have separate and not-shared memory mappings. This restricts devices to only accessing the memory which they were intended to access and prevents devices from seeing what other devices are doing.
Older PCIe drivers which try to get physical segments directly from IO memory descriptors will not work and will need to be updated to use the newer API before porting to Apple Silicon. This circumstance would only occur these days in a kernel extension.

While kernel extensions still work on Apple Silicon, they're increasingly inconvenient to use, both for developers and users. Loading kernel extensions on Apple Silicon will require a reboot.

TL;DR: Stop using kernel extensions in your apps. Start building System Extensions using DriverKit.

Rosetta 2
Rosetta runs:
* macOS applications
* Catalyst applications
* Games
* Web browsers
* JIT Compilers
* Metal, directly on the Apple GPU
* Core ML with Neural Engine

Rosetta starts working from the moment your app gets installed, via:
* App Store installation
* Package installation
* First launch of an app (if installed via drag and drop.)

Rosetta will start translating all the executable code in your application. If Rosetta isn't triggered by App Store or package installation, the first launch of an app may take a few bounces in the Dock longer because Rosetta will start the translation process then.

Security is integrated into this translation process. Translations of the application are all code signed, tied to a single machine and get refreshed during OS updates.

When the app is launched, the OS loads Rosetta's stored translation of the executable code. Rosetta then emulates x86 64-bit processes, down to the system call interface. Everything is translated, including system frameworks. If Rosetta encounters code not included in the original translation, it's compiled on the fly.

Hardened runtime protections are also all fully enforced on processes running in Rosetta.

For details on debugging with Rosetta, I recommend watching the session video.

Native applications
iPad and iPhone apps will be available on macOS, when running on Apple Silicon.

Apple Silicon boot process
* Boot overview
* Start-up and macOS Recovery
* Boot security
* Login and data protection
* Recovering your Mac

Boot overview:
Based on iOS and iPadOS Secure Boot
Enhanced to support
- Multiple macOS installs
- Multiple versions of macOS
- macOS Recovery flows

Secure Boot ensures that each startup component is cryptographically signed by Apple and that the boot only happens after the chain of trust is checked and verified.

Support is there to boot from multiple macOS installs on internal or external media.

Support for booting any version of macOS signed by Apple. This will help make sure that future versions of macOS will continue to be able to boot older versions of macOS.

New macOS Recovery flows
Startup experience: Press and hold Touch ID or the Power button to launch Startup Options, which is part of the new macOS Recovery user interface. Existing startup keys' functions have been replaced by Startup Options' user interface interactions.

macOS Recovery:
* Startup UI with integrated Startup Manager
* Startup Disk
* Mac Sharing Mode

Mac Sharing Mode
Replaces Target Disk Mode
Uses SMB file sharing to provide file-level access to user data.
- User authentication is required to enable this service.

Startup Disk
Focuses on selecting the security policy for each of the macOS boot volumes on the Mac.
- Full Security
- Reduced Security

Full Security
* Enables security model like iOS
* Enables external disk boot without lowering security protections

Reduced Security
* Run any version of macOS, including those versions which are no longer signed by Apple.
* Install and use notarized third party kernel extensions

To use Reduced Security, users must authenticate first in macOS Recovery. The csrutil tool in Recovery also provides a number of security options.

Macs running Apple Silicon can maintain a separate security policy for each macOS install.
You can downgrade security for an older version of macOS, while having full security enabled for your daily driver macOS install.

Login on Apple Silicon
* Unified experience with and without FileVault
  - Rich user interface with accelerated graphics
* Smart card support
  - Built-in, CCID and PIV compatible
* VoiceOver support

Data protection
Always-on volume encryption
- When FileVault is enabled, this encryption is tied to user credentials.

Apple Silicon Macs also support secure hibernation. Secure hibernation offers full protection of the memory contents via integrity and anti-replay protection.

Recovering your Mac
macOS not available (Sad Mac)
Use macOS Recovery
* Re-install macOS to recover

What if Recovery isn't available on the Mac?
On Intel Macs, you can use Internet Recovery.
On Apple Silicon Macs, you can use System Recovery:

System Recovery
- Minimal macOS install
- Separate hidden APFS container
- Lets you reinstall macOS _and_ macOS Recovery

Apple Configurator 2
- Erase and install macOS, including System Recovery (if System Recovery is itself not functional.)