Signed system volume security in iOS, iPadOS and macOS
In macOS 10.15, Apple introduced the read-only system volume, a dedicated, isolated volume for system content. macOS 11 or later adds strong cryptographic protections to system content with a signed system volume (SSV). SSV features a kernel mechanism that verifies the integrity of the system content at runtime and rejects any data — code and non-code — without a valid cryptographic signature from Apple. Starting in iOS 15 and iPadOS 15, the system volume on an iOS and iPadOS device also gains the cryptographic protection of a signed system volume.
SSV not only helps prevent tampering with any Apple software that’s part of the operating system, it also makes macOS software updates more reliable and much safer. And because SSV uses APFS (Apple File System) snapshots, if an update can’t be performed, the old system version can be restored without reinstallation.
Since its introduction, APFS has provided file-system metadata integrity using non-cryptographic checksums on the internal storage device. SSV strengthens the integrity mechanism by adding cryptographic hashes, thus extending it to encompass every byte of file data. Data from the internal storage device (including file-system metadata) is cryptographically hashed in the read path, and the hash is then compared with an expected value in the file-system metadata. In case of mismatch, the system assumes the data has been tampered with and won’t return it to the requesting software.
Each SSV SHA256 hash is stored in the main file-system metadata tree, which is itself hashed. And because each node of the tree recursively verifies the integrity of the hashes of its children — similar to a binary hash (Merkle) tree — the root node’s hash value, called a seal, therefore encompasses every byte of data in the SSV, which means the cryptographic signature covers the entire system volume.
During macOS installation and update, the seal is recomputed from the file system on device and that measurement is verified against the measurement Apple signed. On a Mac with Apple silicon, the bootloader verifies the seal before transferring control to the kernel. On an Intel-based Mac with an Apple T2 Security Chip, the bootloader forwards the measurement and signature to the kernel, which then verifies the seal directly before mounting the root file system. In either case, if the verification fails, the startup process halts and the user is prompted to reinstall macOS. This procedure is repeated at every boot unless the user has elected to enter a lower security mode and has separately chosen to disable the signed system volume.
During iOS and iPadOS software updates, the system volume is prepared and recomputed in a similar fashion. The iOS and iPadOS bootloaders verify that the seal is intact and that it matches an Apple-signed value before allowing the device to start the kernel. Mismatches at boot prompt the user to update the system software on the device. Users aren’t allowed to disable the protection of a signed system volume on iOS and iPadOS.
SSV and code signing
Code signing is still present and enforced by the kernel. The signed system volume provides protection when any bytes at all are read from the internal storage device. In contrast, code signing provides protection when Mach objects are memory mapped as executable. Both SSV and code signing protect executable code on all read and execute paths.
SSV and FileVault
In macOS 11, equivalent at-rest protection for system content is provided by the SSV, and therefore the system volume no longer needs to be encrypted. Any modifications made to the file system while it’s at rest will be detected by the file system when they’re read. If the user has enabled FileVault, the user’s content on the data volume is still encrypted with a user-provided secret.
If the user chooses to disable the SSV, the system at rest becomes vulnerable to tampering, and this tampering could enable an attacker to extract encrypted user data when the system next starts up. Therefore the system won’t permit the user to disable the SSV if FileVault is enabled. Protection while at rest must be enabled or disabled for both volumes in a consistent manner.
In macOS 10.15 or earlier, FileVault protects operating system software while at rest by encrypting user and system content with a key protected by a user-provided secret. This protects against an attacker with physical access to the device from accessing or effectively modifying the file system containing system software.
SSV and a Mac with an Apple T2 Security Chip
On a Mac with an Apple T2 Security Chip, only macOS itself is protected by the SSV. The software that runs on the T2 chip and verifies macOS is protected by secure boot.