| 3 Oct 2024 |
 emily | I don't think T2 involved UEFI either, since it was basically a proto-M1 | 22:40:10 |
| emily | maybe on the Intel side of the equation, but Apple's EFI implementation is old enough and quirky enough that I wouldn't be surprised if it wasn't | 22:40:33 |
| emily | but yeah I was talking about the Apple Silicon boot security model | 22:40:44 |
 raitobezarius | I am quite certain that T2 has UEFI firmware | 22:41:00 |
| emily | https://support.apple.com/en-gb/guide/security/seced055bcf6/web ok it actually is EDK2 for Intel | 22:41:19 |
| raitobezarius | (and it's even publicly documented as such by Apple itself afaik?) | 22:41:19 |
| emily | I don't think the T2 itself boots via UEFI, but it's used as the root of trust for the Intel CPU's UEFI boot | 22:41:39 |
| emily | is my understanding | 22:41:40 |
| emily | (maybe we're referring to different things by "T2"?) | 22:41:49 |
| emily | (I'm referring to the T2 chip itself but maybe you mean "T2 Macs" as a whole?) | 22:41:59 |
| raitobezarius | Yes | 22:41:59 |
| raitobezarius | The UEFI firmware _is in_ the T2 chip | 22:42:16 |
| emily | right | 22:42:16 |
| raitobezarius | I agree that the BootROM and all that stuff is not UEFI | 22:42:54 |
| emily | In reply to @raitobezarius:matrix.org
The UEFI firmware _is in_ the T2 chip (you mean, it stores the x86 UEFI blob itself rather than just pinning a hash/key for it? I wouldn't know since I don't know much about the Intel boot stuff) | 22:43:11 |
| raitobezarius | In reply to @emilazy:matrix.org
but yeah I was talking about the Apple Silicon boot security model Yeah then I have no idea what's going on over there, so I believe you | 22:43:31 |
| raitobezarius | In reply to @emilazy:matrix.org
(you mean, it stores the x86 UEFI blob itself rather than just pinning a hash/key for it? I wouldn't know since I don't know much about the Intel boot stuff) Yep | 22:43:38 |
| raitobezarius | It makes it available to the Intel CPU via eSPI | 22:43:47 |
| emily | I think for Apple Silicon they just threw out basically everything about the boot chain and replaced it with something modelled on iOS boot but with a great deal of extension to support third-party OSes | 22:43:53 |
| emily | I expect the way the T2 chip itself boots up is more similar to the way an M1 boots up if anything | 22:44:09 |
| emily | fwiw there is a lot of good and interesting documentation on how Apple Silicon boot security works out there (both first-party and from Asahi) | 22:45:33 |
 ElvishJerricco | I read through most of apple's first party security documents like 5 years ago. At least back then they were very approachable and clear about how it all worked. It's good stuff | 22:46:22 |
| ElvishJerricco | oooh there's more of them now: https://support.apple.com/guide/security/welcome/1/web | 22:48:42 |
| raitobezarius | When I read that iBoot supports APFS only, it feels like my jokes about having UFS for ESP taken seriously but shipped in production | 22:48:55 |
| ElvishJerricco | they did that for the intel macs too sorta. They made an EFI driver for APFS | 22:49:40 |
| raitobezarius | The grub of apple but good | 22:50:28 |
| ElvishJerricco | hey man I've booted btrfs with EFI :P https://github.com/pbatard/efifs | 22:50:54 |
| raitobezarius | Funnily their whole recovery mode is exactly what I want to see implemented for NixOS via the UEFI recovery mechanism | 22:51:01 |
| raitobezarius | In reply to @elvishjerricco:matrix.org
hey man I've booted btrfs with EFI :P https://github.com/pbatard/efifs I know but I refuse to acknowledge this repository | 22:51:14 |
| raitobezarius | Do you know that SUSE use that in prod? | 22:51:22 |
