Secure software updates
Security is a process; it isn’t enough to reliably boot the operating system version installed at the factory—there must also exist a mechanism to quickly and securely obtain the latest security updates. Apple regularly releases software updates to address emerging security concerns. Users of iOS and iPadOS devices receive update notifications on the device. Mac users find available updates in System Preferences. Updates are delivered wirelessly, for rapid adoption of the latest security fixes.
The update process
The update process uses the same hardware-based root of trust that secure boot uses that is designed to install only Apple-signed code. The update process also uses system software authorization to check that only copies of operating system versions that are actively being signed by Apple can be installed on iOS and iPadOS devices, or on Mac computers with the Full Security setting configured as the secure boot policy in Startup Security Utility. With these secure processes in place, Apple can stop signing older operating system versions with known vulnerabilities and help prevent downgrade attacks.
For greater software update security, when the device to be upgraded is physically connected to a Mac, a full copy of iOS or iPadOS is downloaded and installed. But for over-the-air (OTA) software updates, only the components required to complete an update are downloaded, improving network efficiency by not downloading the entire operating system. What’s more, software updates can be cached on a Mac running macOS 10.13 or later with Content Caching turned on, so that iOS and iPadOS devices don’t need to redownload the necessary update over the internet. (They still need to contact Apple servers to complete the update process.)
Personalized update process
During upgrades and updates, a connection is made to the Apple installation authorization server, which includes a list of cryptographic measurements for each part of the installation bundle to be installed (for example, iBoot, the kernel, and the operating system image), a random anti-replay value (the nonce), and the device’s unique Exclusive Chip Identification (ECID).
The authorization server checks the presented list of measurements against versions whose installation is permitted and, if it finds a match, adds the ECID to the measurement and signs the result. The server passes a complete set of signed data to the device as part of the upgrade process. Adding the ECID “personalizes” the authorization for the requesting device. By authorizing and signing only for known measurements, the server helps ensure that the update takes place exactly as Apple provided.
The boot-time chain-of-trust evaluation verifies that the signature comes from Apple and that the measurement of the item loaded from the storage device, combined with the device’s ECID, matches what was covered by the signature. These steps are designed to ensure that, on devices that support personalization, the authorization is for a specific device and that an older operating system or firmware version from one device can’t be copied to another. The nonce helps prevent an attacker from saving the server’s response and using it to tamper with a device or otherwise alter the system software.
The personalization process is why a network connection to Apple is always required to update any device with Apple-designed silicon, including an Intel-based Mac with the Apple T2 Security Chip.
Finally, the user’s data volume is never mounted during a software update, to help prevent anything being read from or written to that volume during updates.
On devices with the Secure Enclave, that hardware similarly uses system software authorization to check the integrity of its software and is designed to prevent downgrade installations.