Apple Platform Security

recoveryOS and diagnostics environments in Mac computers
The recoveryOS is completely separate from the main macOS, and its entire contents are stored in a disk image file named BaseSystem.dmg. An associated BaseSystem.chunklist file is used to verify the integrity of the BaseSystem.dmg. The chunklist is a series of hashes for 10 MB chunks of the BaseSystem.dmg. The UEFI firmware evaluates the signature of the chunklist file, and then evaluates the hash for one chunk at a time from the BaseSystem.dmg, to ensure that it matches the signed content present in the chunklist. If any of these hashes does not match, booting from the local recoveryOS is aborted, and the UEFI firmware attempts to boot from Internet Recovery instead.
If the verification completes successfully, the UEFI firmware mounts the BaseSystem.dmg as a ramdisk and launches the boot.efi contained therein. There is no need for the UEFI firmware to do a specific check of the boot.efi, nor for the boot.efi to do a check of the kernel, because the complete contents of the OS (of which these elements are only a subset) have already been integrity checked.
The procedure for booting the local diagnostic environment is mostly the same as launching the recoveryOS. Separate AppleDiagnostics.dmg and AppleDiagnostics.chunklist are used, but they are verified the same way as the BaseSystem files. Instead of launching boot.efi, the UEFI firmware launches a file inside the dmg named diags.efi, which is in turn responsible for invoking a variety of other UEFI drivers that can interface with and check for errors in the hardware.