Authorization Plugin finding user entered FileVault password after Restart

I'm developing an authorization plugin to provide 2 Factor Authentication (2FA) for macOS. When FileVault is enabled, macOS Recovery prompts the user for a password to unlock FileVault FDE (Full Disk Encryption) before macOS can start up.

The FDE password entered during Recovery is saved somehow so that after macOS starts up it can be used to log the user in without prompting them to re-enter their password. This feature is configurable with setting 'DisableFDEAutoLogin'.

We would like our authorization plugin to implement the same behavior. The first place I thought to look for the FDE password (from within our authorization mechanism) is in Context value kAuthorizationEnvironmentPassword but it's not there.

Is it possible for an authorization plugin to obtain this password the same as the standard login mechanism and if so how?

Replies

Is it possible for an authorization plugin to obtain this password the same as the standard login mechanism

Yes.

if so how?

I’m not able to provide authorisation plug-in support here on DevForums (this technology is just too obscure and too time consuming). Please open a DTS tech support incident so that I can allocate time to help you one-on-one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

This came up in another TSI and I finally worked out what’s going on. This isn’t a solution to this problem, but rather an explanation of why there’s no supported solution to this problem.

macOS has a mechanism to pass a credential from FileVault to the authorisation subsystem. This mechanism has changed over time. It’s also different between Intel and Apple silicon. These machines use a very different boot sequence, which necessitates a different implementation of the credential-passing mechanism.

This mechanism is not documented for third-party use. Some folks have reverse engineered it [1], with varying degrees of success. DTS doesn’t support such efforts.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] At this point I must reiterate that stuff you find in the Darwin open source is not necessarily API.