The iMac Pro 2017 arrives in the office in 2 days, and I have a bunch of questions that I want answered. We need to be able to support the iMac Pro for Winclone and Boot Runner, but more importantly, the new security features and secure boot are expected to be in future models of Macs. I suspect that Apple is introducing these new features to try them out first on a smaller segment of the Mac population before rolling them out to a larger audience. So once I unbox and get the iMac Pro set up, here are the questions I want answered:
- As of 10.11 and the introduction of SIP, the “bless” command could not longer be used select the startup disk programmatically. The systemsetup command could be used to select volumes but only macOS volumes that supported SIP. Windows volumes could not be selected. With secure boot of Windows, does systemsetup recognize Windows startup volumes if they support secure boot?
- How does secure booting of Windows work? On x86 Windows on PC hardware, you can provide your own certificates that are trusted:
When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
- The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted.
- The user has manually approved the bootloader’s digital signature. This allows the user to load non-Microsoft operating systems.
I doubt the Mac supports added in your own certificates, so that may rule out secure booting for Linux. However, you can get a signed bootloader for Linux kernels, so it is unclear if that will boot securely on the iMac Pro.
- Is the EFI partition (/dev/disk0s1) still accessible without booting to the Recovery Partition? Apple has not limited access to the EFI partition in the past and this is important to making Windows (and other EFI systems) bootable.
- Can SIP still be disabled from the recovery partition? Are there changes in SIP functionality?
- Are there any command line utilities for interfacing with iBridge / T2 embedded OS? The T2 seems to be doing a lot more than just being a secure enclave for trusted certificates:
Introducing the Apple T2 chip, our second-generation custom Mac silicon. By redesigning and integrating several controllers found in other Mac systems — like the system management controller, image signal processor, audio controller, and SSD controller — T2 delivers new capabilities to the Mac. For instance, the T2 image signal processor works with the FaceTime HD camera to enable enhanced tone mapping, improved exposure control, and face detection–based auto exposure and auto white balance. T2 also makes iMac Pro even more secure, thanks to a Secure Enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities. The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD’s performance, while keeping the Intel Xeon processor free for your compute tasks. And secure boot ensures that the lowest levels of software aren’t tampered with and that only operating system software trusted by Apple loads at startup.
- Can you still use rEFIt with secure boot? Does it support shim?
- What are the certificates that are trusted to boot the macOS and Windows? Can you modify the trusted certificate store to boot other OS’s?
- macOS has a warning message found in software updates that mentions re-installing Windows with Boot Camp assistant if secure booting of Windows fails. What are the requirements for
- The new Startup Security Utility allows you to turn Secure Boot on and off. What settings are changed? Is this store in NVRAM? Does the selection revert when clearing NVRAM? Is there a way to turn it on (but not off) from the command line?
- Secure Boot requires a network connection to verify that the certificate to verify the bootloader has not been revoked. If you are on an airplane and reboot your computer, does the mac fail to boot if you cannot get online? How is this handled?
- The UEFI spec supports Secure Boot. Apple uses a modified version of UEFI. How much does the secure boot conform to UEFI standard?
Hopefully I’ll get most of these answered once it arrives. I’ll be posting my results!