Big Sur 11.4 brings LocalPolicy and recovery access to M1 Macs

submited by
Style Pass
2021-05-26 08:30:08

Big Sur 11.4 is unusual for bringing two completely new additions to macOS: a Kernel Extension AppleVPBootPolicy.kext and a Private Framework for RecoveryOS. This article explores them, and considers what their appearance brings for the user.

This is a brand new kernel extension in /System/Library/Extensions which is installed on all Macs as part of macOS 11.4 but is only loaded on Apple Silicon Macs. It’s also unusual in being a single-architecture ARM Mach-O executable. It’s small, just under 400 KB, and as its name suggests is concerned with Boot Policy and ARM platform security.

Each bootable System known to an M1 Mac has a file which determines its security settings, known as the LocalPolicy. These determine the security level (such as Full Security) to be used, and detailed settings for features such as SIP and MDM management. Users can only configure those when in recoveryOS, using the Startup Security Utility there, although LocalPolicy often needs to be generated when you’re running macOS as a user, for example when you attach an external bootable disk and want to restart from it.

LocalPolicy files have to be heavily protected, or they could be exploited in an attack. Each is signed by the Secure Enclave Processor (SEP), and a single-use pseudo-random number called a nonce is used to verify each LocalPolicy. This ensures that a type of attack known as a replay, which could be used to apply an older, lower level of security, can’t be used.

Leave a Comment