Medium Security boot policy
Medium Security is somewhat like traditional UEFI Secure Boot: the vendor (here, Apple) generates a digital signature over the code to assert that it came from the vendor, which prevents attackers from inserting unsigned code. We refer to this signature as a “global” signature because it is valid on any Mac, for any length of time, as long as that Mac currently has a Medium Security policy set. Neither iOS, iPadOS, nor the T2 chip support global signatures.
A limitation of global signature schemes is that, by themselves, they do nothing to prevent “rollback attacks.” In a rollback attack, an attacker installs old but legitimate, correctly signed software with known vulnerabilities onto a system and then exploits those vulnerabilities to take control of it. Many global signature systems don’t attempt to prevent rollback attacks at all. Those that do typically use a “security version” or “security epoch”: a number that is covered by the signature and evaluated only after the signature has been verified (an epoch that is not covered by the signature could simply be edited by the attacker). The computer needs secure persistent storage to keep track of the largest epoch value it has ever seen in signed code, and must refuse any code, even if properly signed, whose epoch is less than that value.
To roll the epoch, a vendor signs software with a new epoch greater than that of any previously issued software. Firmware that sees an epoch greater than the latest value in its secure storage updates the stored value, and from then on rejects all previously signed code whose epoch is less than the stored value. If the system doesn’t have secure storage, an attacker can simply roll back the stored epoch value and then roll back and exploit the software. This is why many systems that do implement epochs store the epoch number in a one-time-programmable fuse array: once a fuse is burned, its value can’t be changed. That approach has its own limitation, however: an attacker who can burn fuses can simply burn all of them, so that no issued software carries a high enough epoch to pass the check, rendering all existing signatures invalid and permanently preventing the operating system from booting.
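The following is an added example, not Apple’s code or any vendor’s firmware, that models the epoch mechanism described above: signature first, epoch second, a monotonic fuse array as the secure store, and the two failure modes the text calls out (no secure storage, and an attacker burning every fuse). The HMAC tag, the key, the image layout and the names are all assumptions made for the demo; the HMAC stands in for the vendor’s public-key signature because only the holder of the key can produce a tag, and the tag covers the epoch field.

```python
# Toy model of a "security epoch" anti-rollback check layered on a global
# signature scheme. Added example; not Apple's or any vendor's code.
# Assumption: an HMAC-SHA256 tag stands in for the vendor's public-key
# signature. Only the holder of VENDOR_KEY can produce a valid tag, and the
# tag covers the epoch field, so the epoch cannot be edited without the key.
import hashlib
import hmac
import struct

VENDOR_KEY = b"constructed-vendor-signing-key"  # constructed, demo only
EPOCH_LEN = 4
TAG_LEN = hashlib.sha256().digest_size


class FuseArray:
    """One-time-programmable fuse bank: the stored epoch is the number of
    burned fuses. Fuses can only be burned, never cleared, and are finite."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.burned = 0

    def read_epoch(self) -> int:
        return self.burned

    def advance_to(self, epoch: int) -> None:
        if epoch < self.burned:
            raise ValueError("fuses cannot be un-burned")
        if epoch > self.size:
            raise ValueError("fuse array exhausted")
        self.burned = epoch


class VolatileStore:
    """Epoch kept in ordinary rewritable storage: whoever can write it can
    roll it back, which is the weakness the fuse array exists to close."""

    def __init__(self) -> None:
        self.epoch = 0

    def read_epoch(self) -> int:
        return self.epoch

    def advance_to(self, epoch: int) -> None:
        self.epoch = epoch

    def attacker_reset(self) -> None:
        self.epoch = 0


def sign_image(code: bytes, epoch: int, key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: image = epoch || code || tag, tag computed over epoch+code."""
    body = struct.pack(">I", epoch) + code
    return body + hmac.new(key, body, hashlib.sha256).digest()


def tamper_epoch(image: bytes, new_epoch: int) -> bytes:
    """Attacker side: rewrite the epoch header of an issued image without the key."""
    return struct.pack(">I", new_epoch) + image[EPOCH_LEN:]


def verify_and_boot(image: bytes, store, key: bytes = VENDOR_KEY) -> str:
    """Firmware side. The signature is checked first; the epoch is trusted and
    recorded only after the signature has been verified."""
    if len(image) < EPOCH_LEN + TAG_LEN:
        return "reject: malformed"
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return "reject: bad signature"
    epoch = struct.unpack(">I", body[:EPOCH_LEN])[0]
    stored = store.read_epoch()
    if epoch < stored:
        return f"reject: rollback (image epoch {epoch} < stored {stored})"
    if epoch > stored:
        try:
            store.advance_to(epoch)  # vendor rolled the epoch: record it
        except ValueError as exc:
            return f"reject: {exc}"
    return f"boot: epoch {epoch}"


def demo() -> list:
    """Walk through the scenarios from the text and return each outcome."""
    fuses = FuseArray(size=8)
    v1, v2 = sign_image(b"os-v1", 1), sign_image(b"os-v2", 2)
    out = [
        verify_and_boot(v1, fuses),                   # first boot, epoch 1 recorded
        verify_and_boot(v2, fuses),                   # update, fuses advance to 2
        verify_and_boot(v1, fuses),                   # rollback to v1 is refused
        verify_and_boot(tamper_epoch(v1, 2), fuses),  # forged epoch breaks the signature
    ]
    fuses.advance_to(fuses.size)                      # attacker burns every fuse
    out.append(verify_and_boot(v2, fuses))            # nothing issued so far boots
    vol = VolatileStore()                             # same check, no secure storage
    verify_and_boot(v2, vol)
    vol.attacker_reset()
    out.append(verify_and_boot(v1, vol))              # rollback succeeds
    return out


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of checks in `verify_and_boot` is the point: reading the epoch before verifying the tag would let an attacker feed an unsigned header with an enormous epoch and brick the device through the fuse array, which is the same denial of service the text describes for an attacker who burns the fuses directly.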
The Apple global signature scheme doesn’t include a security epoch, because those systems are inflexible and frequently cause significant usability issues. Protection against rollback attacks is better achieved by Full Security mode, which is the default, and very similar in behavior to iOS and iPadOS. Users who want to take advantage of anti-rollback protection should retain the default Full Security policy. However, the Medium Security mode is made available for those users who may not be able to take advantage of Full Security mode.