3 Oct 2024 |
emily | (I'm referring to the T2 chip itself but maybe you mean "T2 Macs" as a whole?) | 22:41:59 |
raitobezarius | Yes | 22:41:59 |
raitobezarius | The UEFI firmware _is in_ the T2 chip | 22:42:16 |
emily | right | 22:42:16 |
raitobezarius | I agree that the BootROM and all that stuff is not UEFI | 22:42:54 |
emily | In reply to @raitobezarius:matrix.org The UEFI firmware _is in_ the T2 chip (you mean, it stores the x86 UEFI blob itself rather than just pinning a hash/key for it? I wouldn't know since I don't know much about the Intel boot stuff) | 22:43:11 |
raitobezarius | In reply to @emilazy:matrix.org but yeah I was talking about the Apple Silicon boot security model Yeah then I have no idea what's going on over there, so I believe you | 22:43:31 |
raitobezarius | In reply to @emilazy:matrix.org (you mean, it stores the x86 UEFI blob itself rather than just pinning a hash/key for it? I wouldn't know since I don't know much about the Intel boot stuff) Yep | 22:43:38 |
raitobezarius | It makes it available to the Intel CPU via eSPI | 22:43:47 |
emily | I think for Apple Silicon they just threw out basically everything about the boot chain and replaced it with something modelled on iOS boot but with a great deal of extension to support third-party OSes | 22:43:53 |
emily | I expect the way the T2 chip itself boots up is more similar to the way an M1 boots up if anything | 22:44:09 |
emily | fwiw there is a lot of good and interesting documentation on how Apple Silicon boot security works out there (both first-party and from Asahi) | 22:45:33 |
ElvishJerricco | I read through most of apple's first party security documents like 5 years ago. At least back then they were very approachable and clear about how it all worked. It's good stuff | 22:46:22 |
ElvishJerricco | oooh there's more of them now: https://support.apple.com/guide/security/welcome/1/web | 22:48:42 |
raitobezarius | When I read that iBoot supports APFS only, it feels like my jokes about having UFS for ESP taken seriously but shipped in production | 22:48:55 |
ElvishJerricco | they did that for the intel macs too sorta. They made an EFI driver for APFS | 22:49:40 |
raitobezarius | The grub of apple but good | 22:50:28 |
ElvishJerricco | hey man I've booted btrfs with EFI :P https://github.com/pbatard/efifs | 22:50:54 |
raitobezarius | Funnily their whole recovery mode is exactly what I want to see implemented for NixOS via the UEFI recovery mechanism | 22:51:01 |
raitobezarius | In reply to @elvishjerricco:matrix.org hey man I've booted btrfs with EFI :P https://github.com/pbatard/efifs I know but I refuse to acknowledge this repository | 22:51:14 |
raitobezarius | Do you know that SUSE use that in prod? | 22:51:22 |
ElvishJerricco | oh no | 22:51:30 |
ElvishJerricco | are you serious? | 22:51:33 |
raitobezarius | Their immutable distro takes btrfs snapshots for new generations | 22:51:40 |
raitobezarius | And grub just shows the snapshots in the boot menu | 22:51:49 |
raitobezarius | Then they do sd stub iirc | 22:51:54 |
ElvishJerricco | wait so they do snapshots of the ESP? | 22:52:24 |
ElvishJerricco | wait not that can't be; the ESP still has to be FAT. | 22:52:50 |
emily | In reply to @raitobezarius:matrix.org When I read that iBoot supports APFS only, it feels like my jokes about having UFS for ESP taken seriously but shipped in production I think it might be more APFS (volume manager) than APFS (file system) for the really low-level firmware stuff | 22:53:01 |
ElvishJerricco | Which part loads the driver and uses it for what? | 22:53:03 |