Protecting data at multiple layers
June 22, 2020
Apple devices have multiple encryption features to safeguard the system and people’s data. Some capabilities are enabled by default, and developers only need to be aware of them in rare cases. Other features, such as Data Protection, can benefit from explicit design decisions to select the best option for protecting people’s data.
macOS Big Sur is adding two new data security features: signed system volume (SSV), and Data Protection for Mac systems with Apple Silicon.
Signed system volume
In macOS Catalina, Apple introduced the read-only system volume, which is a dedicated, isolated volume for system content. Now, macOS Big Sur adds strong cryptographic protections to store system content on a signed system volume (SSV). SSV features a kernel mechanism that verifies the integrity of the system content at runtime, and rejects any data — code and non-code — that doesn’t have a valid cryptographic signature from Apple.
SSV helps prevent tampering with any Apple software that is part of the operating system. Additionally, it makes macOS Software Update more reliable and much safer. SSV utilizes APFS snapshots, so if an update cannot be performed, the old system version can be restored without reinstallation.
Hashes and seals
Since its introduction, APFS has provided filesystem metadata integrity via non-cryptographic checksums on disk. SSV strengthens the integrity mechanism by switching to cryptographic hashes, and extending it to encompass every byte of file data. Data from disk is cryptographically hashed in the read path, and the hash compared to an expected value in the filesystem metadata. In case of mismatch, the system assumes the data has been tampered with, and will not return it to the requesting software.
Each SSV SHA-256 hash is stored in the main filesystem metadata tree, which is itself hashed. Additionally, each node of the tree recursively verifies the integrity of the hashes of its children, similar to a Merkle tree. The root node’s hash value – called a seal – therefore encompasses every byte of data in the SSV, which means the cryptographic signature covers the entire system volume. During macOS installation and update, this seal is verified on device to ensure it matches the Apple signature. The seal is also verified at every boot. Specifically, before the kernel is loaded, the boot loader (part of the secure boot chain on Mac systems with the Apple T2 Security Chip) verifies the seal. If the verification fails, the boot process will stop and prompt the person to reinstall macOS.
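The following is an added, simplified model of the scheme described above, not Apple's code or on-disk format: each file's SHA-256 hash is kept in a metadata table, the table is folded into a Merkle tree whose root stands in for the seal, and the read path refuses content whose hash does not match. The file paths and contents are constructed sample data.

```python
from __future__ import annotations
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_root(leaves: list[bytes]) -> bytes:
    """Combine leaf hashes pairwise until a single root hash remains."""
    level = list(leaves) or [sha256(b"")]
    while len(level) > 1:
        if len(level) % 2:              # duplicate last hash on odd-length levels
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def build_metadata(files: dict[str, bytes]) -> dict[str, bytes]:
    """Per-file hashes keyed by path (stands in for the filesystem metadata tree)."""
    return {path: sha256(content) for path, content in sorted(files.items())}

def compute_seal(metadata: dict[str, bytes]) -> bytes:
    """Root hash over every (path, file hash) pair, in path order: the 'seal'."""
    leaves = [sha256(path.encode() + h) for path, h in sorted(metadata.items())]
    return merkle_root(leaves)

def read_file(files: dict[str, bytes], metadata: dict[str, bytes], path: str) -> bytes:
    """Model of the read path: hash the data and compare to the expected value."""
    content = files[path]
    if sha256(content) != metadata[path]:
        raise ValueError(f"integrity failure reading {path}: data rejected")
    return content

def verify_seal(metadata: dict[str, bytes], signed_seal: bytes) -> bool:
    """Boot-time style check: does the metadata still fold to the trusted seal?"""
    return compute_seal(metadata) == signed_seal

# Constructed sample volume (hypothetical paths and contents).
FILES = {
    "/System/Library/CoreServices/boot.efi": b"boot loader bytes",
    "/System/Library/Kernels/kernel": b"kernel bytes",
    "/usr/bin/csrutil": b"csrutil bytes",
}
METADATA = build_metadata(FILES)
SEAL = compute_seal(METADATA)           # would carry Apple's signature in the real system

def tampered_read_is_rejected() -> bool:
    """Modify file data behind the metadata's back; the read path must refuse it."""
    altered = dict(FILES, **{"/usr/bin/csrutil": b"modified csrutil bytes"})
    try:
        read_file(altered, METADATA, "/usr/bin/csrutil")
    except ValueError:
        return True
    return False

def tampered_metadata_breaks_seal() -> bool:
    """Rewrite the stored hash to match altered data; the seal check must fail."""
    altered_meta = dict(METADATA, **{"/usr/bin/csrutil": sha256(b"modified csrutil bytes")})
    return not verify_seal(altered_meta, SEAL)
```

Changing any byte of any file, or any stored hash, changes the root, which is why a signature over the seal alone covers the whole volume.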
What kernel extension and other developers need to know
Signed system volume is transparent for most developers. Kernel developers who must interact with the root volume can do so via a new System Integrity Protection mode available in the csrutil command line tool. When you enable this mode, it allows the tagging of custom snapshots using apfs_systemsnapshot, which you can then boot into.
Apple will soon release details about the new SSV on-disk format. If your app handles data backup or forensic search, you’ll need to do some additional work to understand and validate it.
In addition, it is even more important that bootable macOS instances be created via ASR volume replication, or with the macOS Installer. Copying content into a new APFS volume manually or using tools like rsync does not preserve the seal and the required cryptographic SSV metadata, and will therefore no longer generate a bootable macOS.
Data Protection on macOS
Data Protection brings per-file encryption keys to all Apple Silicon Macs. This means developers can choose to provide even stronger protection for customer data on macOS by cryptographically locking files when the data is not being used, or when the device itself is locked.
Each file’s metadata now defines a Data Protection class for the file. These classes dictate when a file can be opened, read, or manipulated. For example, the Complete Protection class guarantees that the file is only accessible when the system is unlocked. The Data Protection class can be easily set and changed by using classes like Data in Swift and NSData in Objective-C. iOS and iPadOS developers already familiar with these classes will be able to use similar code on macOS.