{"id":453,"date":"2022-06-14T15:30:14","date_gmt":"2022-06-14T13:30:14","guid":{"rendered":"https:\/\/threedots.ovh\/blog\/?p=453"},"modified":"2022-06-14T19:24:15","modified_gmt":"2022-06-14T17:24:15","slug":"a-quick-look-at-macos-rapid-security-response","status":"publish","type":"post","link":"https:\/\/threedots.ovh\/blog\/2022\/06\/a-quick-look-at-macos-rapid-security-response\/","title":{"rendered":"Quick look at macOS Rapid Security Response"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>Note: most of this post applies to iOS 16 too.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since macOS Ventura, Rapid Security Response is supported. This allows for lightweight updates that do not involve going through the full upgrading flow. It also allows for smaller operating system installs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">cryptex<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The cryptex (CRYPTographically-sealed EXtension) additional images are stored in DMGs and are an extension of an existing volume. There are two cryptex images present on Apple OSes being released this fall, App and OS. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Currently, support for 3rd-party cryptex images is not planned on macOS. 
Cryptex was first used for the iPhone <em>Security Research Device<\/em>, as a way to add additional binaries with custom entitlements.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As described by Apple, cryptex(es) not being visible to mount(8) is a design decision:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Cryptexes are not visible in the mount lists since they are not mounted.<\/p><p>Cryptexes are extensions of an existing volume and should be treated as such, therefore they do not get listed in the mount list.<\/p><cite>Answer from Apple to FB10135388<\/cite><\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">App cryptex<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The app cryptex contains Safari (and the password pane), which are no longer in the data volume.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OS cryptex<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The OS cryptex contains the dyld shared caches and some additional libraries. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Those libraries are often related to Safari, but also include some others, including <code>libstdc++.dylib<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The list of the (partially or fully) included application frameworks outside of the dyld shared cache, often resources only, for a macOS target:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>OpenGL.framework\nHelloWorldMacHelper.framework\nWebKit.framework\n_AuthenticationServices_SwiftUI.framework\nAuthenticationServices.framework\nPasswordManagerUI.framework\nJavaScriptCore.framework\nSafariServices.framework\nSafariShared.framework\nSafariSharedUI.framework\nSafariFoundation.framework\nWebBookmarks.framework\nWebDriver.framework\nSafari.framework\nWebGPU.framework<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">dyld shared cache<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">As macOS Ventura only supports machines with AVX2, the <code>x86_64<\/code> and <code>arm64e<\/code> dyld shared caches are no longer present on macOS installations for Intel processors, as they are unused there. Apple Silicon installations will also not get an unused <code>x86_64h<\/code> slice anymore.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Notably, the <code>x86_64<\/code> dyld shared cache remains compiled for Apple Silicon machines as Rosetta does not support AVX(2).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As such, this design allows to save hard disk space in addition of allowing components to be updatable without breaking the seal for the system volume.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mount paths<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Currently, cryptex contents are accessible via <code>\/System\/Cryptexes\/{OS,App}<\/code>. 
Platform-specific mount points are <code>\/private\/preboot\/Cryptexes\/{OS,App}<\/code> for iOS\/tvOS\/iPadOS\/realityOS\/&#8230; and <code>\/System\/Volumes\/Preboot\/Cryptexes\/{OS,App}<\/code> for macOS.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On macOS, the current cryptex DMGs are stored under <code>\/System\/Volumes\/Preboot\/[Volume Group UUID]\/cryptex1\/current<\/code> together with the corresponding trust caches and personalisation information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">BootPolicy (Apple Silicon only)<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">A new BootPolicy element, <code>spih<\/code>, representing the Cryptex1 Image4 Hash, was added in macOS Ventura. This makes the cryptex hashes part of the Secure Boot trust chain.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">By moving some of the most frequently updated components outside of the sealed system volume, Apple makes rolling out updates a less heavyweight process.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This is good from the user&#8217;s perspective. It allows Apple to remove most of the downtime associated with an OS update when a full one isn&#8217;t needed.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: most of this post applies to iOS 16 too. Since macOS Ventura, Rapid Security Response is supported. This allows for lightweight updates that do not involve going through the full upgrading flow. It also allows for smaller operating system installs. 
cryptex The cryptex (CRYPTographically-sealed EXtension) additional images are stored in DMGs and are an&hellip;&nbsp;<a href=\"https:\/\/threedots.ovh\/blog\/2022\/06\/a-quick-look-at-macos-rapid-security-response\/\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">Quick look at macOS Rapid Security Response<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-453","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/comments?post=453"}],"version-history":[{"count":14,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/453\/revisions"}],"predecessor-version":[{"id":470,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/453\/revisions\/470"}],"wp:attachment":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/media?parent=453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/categories?post=453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/tags?post=
453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}