Thursday, June 16, 2022

Rapid Security Response

Howard Oakley:

One of the more enigmatic features announced for Ventura [and iOS 16] is Rapid Security Response (RSR), described as:

Get important security improvements to your devices even faster. This isn’t a standard software update. These improvements can be applied automatically between normal updates — without a restart.

[…]

The only practical way is to install those patches outside the SSV. macOS already does this for some of its bundled components, such as Safari, which has been installed on the Data volume, together with components which are changed with security data updates, such as XProtect data and MRT.

However, the Data volume isn’t a good place to keep patches to sensitive parts of macOS.

@never_released:

The cryptex (CRYPTographically-sealed EXtension) additional images are stored in DMGs and are an extension of an existing volume. There are two cryptex images present on Apple OSes being released this fall, App and OS.

[…]

As macOS Ventura only supports machines with AVX2, the x86_64 and arm64e dyld shared caches are no longer present on macOS installations for Intel processors, as they are unused there. Apple Silicon installations will also not get an unused x86_64h slice anymore.

[…]

As such, this design allows saving hard disk space in addition to allowing components to be updatable without breaking the seal for the system volume.

[…]

A new BootPolicy element, spih, representing the Cryptex1 Image4 Hash was added in macOS Ventura. This makes the Cryptex hashes part of the Secure Boot trust chain.

Update (2022-09-14): Juli Clover:

By default, Rapid Security Responses are installed automatically, but Apple has implemented a way to remove them.

Update (2022-11-02): Apple:

In a future update to iOS 16, iPadOS 16.1, and macOS 13, Apple will add a mechanism for shipping security fixes to users more frequently. These responses are included in any ensuing minor update (not upgrade) and, on a Mac, update content appears on the Preboot volume (through symbolic links in /System/Cryptexes/).
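As an added example (not code from the post or from Apple), a small POSIX shell check that walks the entries of /System/Cryptexes and flags any that are not symbolic links, that dangle, or that do not resolve onto the Preboot volume; it assumes the Preboot volume's standard mount point /System/Volumes/Preboot and accepts alternative paths as arguments so it can be exercised against a constructed directory tree.

```shell
# Added example: verify that cryptex entries resolve onto the Preboot volume.
# Assumption: Preboot is mounted at /System/Volumes/Preboot (standard macOS path).
# Usage: check_cryptex_links [cryptex-dir] [expected-volume-root]
# Returns the number of flagged entries (0 means every entry checked out).
check_cryptex_links() {
    root="${1:-/System/Cryptexes}"
    expected="${2:-/System/Volumes/Preboot}"
    flagged=0
    for entry in "$root"/*; do
        # An unmatched glob leaves the literal pattern behind; skip it.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ ! -L "$entry" ]; then
            printf 'WARN %s: not a symbolic link\n' "$entry"
            flagged=$((flagged + 1))
            continue
        fi
        target=$(readlink "$entry")
        case "$target" in
            /*) resolved="$target" ;;          # absolute link target
            *)  resolved="$root/$target" ;;    # relative to the link's directory
        esac
        if [ ! -e "$resolved" ]; then
            printf 'WARN %s -> %s: dangling link\n' "$entry" "$resolved"
            flagged=$((flagged + 1))
            continue
        fi
        case "$resolved" in
            "$expected"/*)
                printf 'ok   %s -> %s\n' "$entry" "$resolved" ;;
            *)
                printf 'WARN %s -> %s: outside %s\n' "$entry" "$resolved" "$expected"
                flagged=$((flagged + 1)) ;;
        esac
    done
    return "$flagged"
}

# Run against the real paths when invoked directly; arguments override the defaults.
check_cryptex_links "$@"
```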

Update (2023-07-25): Thomas Clement:

About the rapid security responses, you can’t have them set to just ‘check for updates’. Either it’s enabled and it will auto-install or it’s disabled and you will never hear about it 🤔

Genuine question: Can anyone explain to me the benefits of the signed system volume? I never understood why it's necessary, given that important system files were doubly protected before its introduction, once by unix permissions, and twice by system integrity protection, and I wasn't aware of system files being tampered with as a serious issue in macOS that needed addressing. (Do correct me if I'm wrong.)

I ask because I'm aware of some serious downsides to it:
- System updates became massive
- It prevents or at least significantly complicates legitimate changes to system files, such as Apple's own updates, or changes desired by power users
- The APFS features it requires are not as bug free or transparent as Apple would have us believe
- It adds a lot more complexity overall

In my mind it would need some significant upsides to balance out those downsides, but I'm not aware of any, other than maybe one for Apple: it gives them more control over our computers.

@Bri Agreed. The only potential feature I can see being helped by this is the "Erase Assistant" for wiping just the user partition and restoring to a known-good state. But that's only supported on the newest T2+ hardware. Theoretically the updates could have been made _smaller_ by FS deltas, but it clearly hasn't happened like that. Ultimately, I think they should probably have just stopped at a dedicated system partition, and they should have made it easier for the user to make that read/write (maybe just temporarily) to make needed power-user changes, possibly marking it as "non-authentic" in the process but otherwise under user control. We are already seeing limits to Apple Silicon Macs based on whether SIP is on or not (no DRM if it's off), kernel extensions are going away (breaking useful functionality) and we can't clone boot disks anymore. Let's face it--these machines don't actually belong to us anyway.