(Notes on) Apple Silicon Macs

Apple Silicon Macs are general-purpose computers running macOS out of the box, with Apple not providing official support for 3rd-party operating systems.

However, Apple doesn’t block that from happening in any way. It’s just run-of-the-mill undocumented hardware, with firmware preloaded so that we don’t have to deal with it (except for 3rd-party silicon, such as the Broadcom Wi-Fi firmware).

The big CPU cores on the Apple M1 machines are very fast despite being clocked low (3.2 GHz). The little cores are no slouch either, being clocked at 2.0 GHz.

The CPUs on Apple machines implement a superset of the Arm specification.

The added extensions include:

  • An Apple implementation of pointer authentication, hardened against known flaws.
  • WKdm compression/decompression instructions, which are used as part of the virtual memory subsystem for fast memory compression, reducing RAM requirements.
  • AMX2: A set of matrix math extensions that can be used for (but are not limited to) machine learning acceleration.
  • GXF: Guarded execution extensions. This extension adds _GL exception levels in addition to the _EL ones.
  • Fast IPI mechanism through model-specific registers.
  • An ACTLR_EL1 bit to flip the memory model to TSO, to accelerate x86 emulation.

On the software side, macOS nowadays is a flexible UNIX that has three tiers of applications:

  • iOS applications are the most sandboxed ones, and have Apple code signatures. These cannot have JIT permissions, for example.
  • Sandboxed macOS (and Mac Catalyst) applications are a tier above that and can be unsigned, as in not signed by an Apple-blessed certificate (or signed using the “-” signing identity). These can have JIT permissions but cannot have full file system access.
  • Non-sandboxed applications, which by default have restrictions on certain paths such as Downloads; accessing those pops up a permissions dialog on first use. Unrestricted file system access can be enabled for those through Security and Privacy -> Privacy -> Full Disk Access. A Developer Tools category also exists to exempt the processes that an app can spawn from Gatekeeper protection.

Customised sandboxes can be run through sandbox-exec, with the sandboxing rules language being a Scheme dialect.
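As an illustration of that rules language, here is a small profile added to this post as an example (it does not come from Apple or from any existing project). The file name restrict.sb, the SCRATCH parameter and the scratch path are assumptions made for the example.

```scheme
; restrict.sb -- constructed example profile for sandbox-exec.
; Run a shell under it with (SCRATCH is a parameter name chosen for this example):
;   sandbox-exec -D SCRATCH=/private/tmp/scratch -f restrict.sb /bin/sh
; Pass the resolved path: /tmp is a symlink to /private/tmp on macOS, and
; path filters are matched against the real path.
(version 1)

; Start permissive so an ordinary command-line tool still starts, then take
; capabilities away. The allow rules further down come after the deny they
; carve an exception out of.
(allow default)

; No network access of any kind.
(deny network*)

; No file writes anywhere...
(deny file-write*)

; ...except inside the scratch directory given on the command line,
(allow file-write* (subpath (param "SCRATCH")))

; and the null device, which many tools open for writing.
(allow file-write* (literal "/dev/null"))
```

Inside the resulting shell, creating a file in the scratch directory succeeds while writing elsewhere or opening a network connection fails with a permission error. The sandbox-exec man page marks the tool as deprecated.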

System Integrity Protection can be disabled through csrutil, and you can then load kernel modules afterwards. However, without SIP, the DRM subsystem can be nonfunctional, which prevents iOS applications using the FairPlay DRM from loading.

The root filesystem is also read-only. This can be disabled. However, the system always boots from a snapshot. Blessing the modified root file system to create a new snapshot and then rebooting is required to make the changes apply.

With MacPorts (or Homebrew, which has some peculiar technical choices), a wide collection of developer software is easily available on those machines. Hypervisor.framework, which is accessible through an unrestricted entitlement on macOS, allows spawning virtual machines on the platform.

The title was edited on February 3 due to external comments. This post was intended as a short summary on the hardware and the software side, diverging from other parts of the computing world.
