SUMMARY: 15.4_19E5209h | CoreTrust | AMFI Research | Load Trust Cache | unsuitable CT policy | iPhone 11 | iPhone 12 | AppleMobileFileIntegrity_research
xsscx opened this issue · 0 comments
SUMMARY for PR42 using 15.4_19E5219e
With reference to PRs https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 on 15.4_19E5219e.
For 15.4_19E5219e_Restore.ipsw, AMFI_Research is complaining about the new Entitlements in https://github.com/apple/security-research-device/blob/main/example-cryptex/src/cryptex-run/entitlements.plist installed from macOS 12.2 (21D49) on X86_64 as shown in Console log for Xcode Version 13.3 beta 1 using 15.4_19E5219e:
default 08:52:51.037405-0500 kernel AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run' is adhoc signed.
default 08:52:51.037436-0500 kernel AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
- when using Apple Feedback ASAN & UBSAN Makefile contained in PR https://github.com/apple/security-research-device/pull/42 and Xcode Version 13.3 beta 1 using 15.4_19E5219e.
AMFI_Research, when personalized and the cryptex is installed from macOS 12.3 (21E5206e) using 15.4_19E5219e, does not throw the error:
cryptex-run: unsuitable CT policy 0 for this platform/device, rejecting signature
- when using 15.4_19E5219e and the default Makefile https://github.com/apple/security-research-device/blob/main/example-cryptex/src/hello/Makefile and Xcode Version 13.3 beta 1
For M1 T8101 macOS 12.3 (21E5206e) the Result of this PR42 with Xcode Version 13.3 beta 1 is:
AMFI: constraint violation /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.GfvfKO/usr/bin/libclang_rt.asan_ios_dynamic.dylib has entitlements but is not a main binary
Starting Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1
codesign --display --entitlements - --xml /Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.ubsan_ios_dynamic.dylib 2>&1 > default-asan-codesign.plist
Executable=/Applications/Xcode-beta.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/13.1.6/lib/darwin/libclang_rt.ubsan_ios_dynamic.dylib
Final dstroot Entitlement for libclang_rt.asan_ios_dynamic.dylib for Xcode Version 13.3 beta 1
codesign --display --entitlements - --xml com.example.cryptex.dstroot/usr/bin/libclang_rt.asan_ios_dynamic.dylib
Executable=/Users/xss/example-cryptex/com.example.cryptex.dstroot/usr/bin/libclang_rt.asan_ios_dynamic.dylib
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>platform-application</key>
<true/></dict>
</plist>
Those Entitlements are equal to those of cryptex-run, which throws the "unsuitable CT policy 0 for this platform/device, rejecting signature" error as noted above for the X86_64 macOS 12.2 personalization and installation. Perhaps @TorgoApple can offer insight. In the example Apple Feedback Makefile of this PR42 there is no provision for codesigning, with the comment:
# TODO: Figure out if codesigning is actually necessary
Note
debugserver + SAN Libs work as expected when installed on 15.4_19E5219e from macOS 12.3 (21E5206e) when using Xcode Version 13.3 beta 1.
(lldb) process attach --pid 298
Process 298 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
frame #0: 0x00000001fdd4f500 libsystem_kernel.dylib`mach_msg_trap + 8
libsystem_kernel.dylib`mach_msg_trap:
-> 0x1fdd4f500 <+8>: ret
libsystem_kernel.dylib`mach_msg_overwrite_trap:
0x1fdd4f504 <+0>: mov x16, #-0x20
0x1fdd4f508 <+4>: svc #0x80
0x1fdd4f50c <+8>: ret
Target 0: (OTATaskingAgent) stopped.
Executable module set to "/usr/libexec/OTATaskingAgent".
(lldb) image list
[ 0] /usr/libexec/OTATaskingAgent (0x00000001025e8000)
[ 1] /usr/lib/dyld (0x00000001028c0000)
[ 2] /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (0x00000001d35a6000)
Occasional Results of PR https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 with T8101 on macOS 12.3 (21E5206e) when using Xcode 13.3 Beta 2 - Build version 13E5095k
kernel AMFI: '/usr/bin/debugserver' is adhoc signed.
kernel AMFI: '/usr/bin/debugserver': unsuitable CT policy 0 for this platform/device, rejecting signature.
kernel AMFI: '/usr/bin/hello' is adhoc signed.
kernel AMFI: '/usr/bin/hello': unsuitable CT policy 0 for this platform/device, rejecting signature.
Takeaway
80%+ Installation Success Rate using 15.4_19E5219e for PR https://github.com/apple/security-research-device/pull/42 and https://github.com/apple/security-research-device/pull/49 when using https://github.com/apple/security-research-device/pull/48 with T8101 on macOS 12.3 (21E5206e) when using Xcode 13.3 Beta 2 - Build version 13E5095k. As noted in prior Issues, the AMFI complaint is intermittent.
cryptexctl device list
udid name build BORD CHIP ECID
00008030-001538D03C40012E SRD0009 19E5219e 0x4 0x8030 0x1538d03c40012e
00008101-001418DA3CC0013A SRD0037 19E5219e 0xc 0x8101 0x1418da3cc0013a
Prior Fix
Knowledgebase
- https://github.com/apple/security-research-device/issues/27
- https://github.com/apple/security-research-device/issues/43
- https://github.com/apple/security-research-device/issues/44
- https://github.com/apple/security-research-device/issues/46
- https://github.com/apple/security-research-device/issues/47
- https://github.com/apple/security-research-device/issues/48
- https://github.com/apple/security-research-device/issues/49
- https://github.com/apple/security-research-device/issues/50
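Added example, not part of this issue or of the security-research-device repository: a small triage script that parses the three AMFI kernel message shapes quoted above (ad hoc signed, unsuitable CT policy, constraint violation for a dylib with entitlements) and pre-screens a dstroot entry's `codesign --display --entitlements - --xml` output for the "has entitlements but is not a main binary" condition before the cryptex is personalized. The log lines and the entitlements plist are constructed copies of what the issue shows; the regexes are assumptions derived only from those lines, and treating a `.dylib` suffix as "non-main binary" is a heuristic.

```python
import plistlib
import re

# Constructed sample input: AMFI kernel log lines in the same shape as those
# quoted in the issue (one binary rejected for CT policy, one dylib rejected
# for carrying entitlements, one merely noted as ad hoc signed).
SAMPLE_LOG = """\
default 08:52:51.037405-0500 kernel AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run' is adhoc signed.
default 08:52:51.037436-0500 kernel AMFI: '/private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.AXoRC0/usr/bin/cryptex-run': unsuitable CT policy 0 for this platform/device, rejecting signature.
kernel AMFI: constraint violation /private/var/run/com.apple.security.cryptexd/mnt/com.example.cryptex.GfvfKO/usr/bin/libclang_rt.asan_ios_dynamic.dylib has entitlements but is not a main binary
kernel AMFI: '/usr/bin/hello' is adhoc signed.
"""

# Constructed sample input: the entitlements plist shown in the issue, as
# `codesign --display --entitlements - --xml` prints it.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.private.security.no-container</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>platform-application</key>
<true/></dict>
</plist>
"""

# Patterns for the three AMFI message shapes quoted in the issue. These are
# assumptions about message format, derived only from the lines on the page.
ADHOC_RE = re.compile(r"AMFI: '(?P<path>[^']+)' is adhoc signed\.")
CT_POLICY_RE = re.compile(
    r"AMFI: '(?P<path>[^']+)': unsuitable CT policy (?P<policy>\d+) "
    r"for this platform/device, rejecting signature\.")
CONSTRAINT_RE = re.compile(
    r"AMFI: constraint violation (?P<path>\S+) has entitlements but is not a main binary")

# Findings that mean the binary will not run; "adhoc_signed" alone is informational.
REJECTING = {"ct_policy_rejected", "entitlements_on_non_main_binary"}


def parse_amfi_log(text):
    """Map each binary path to the list of (finding, detail) pairs AMFI reported."""
    findings = {}
    for line in text.splitlines():
        if m := ADHOC_RE.search(line):
            findings.setdefault(m["path"], []).append(("adhoc_signed", None))
        elif m := CT_POLICY_RE.search(line):
            findings.setdefault(m["path"], []).append(
                ("ct_policy_rejected", int(m["policy"])))
        elif m := CONSTRAINT_RE.search(line):
            findings.setdefault(m["path"], []).append(
                ("entitlements_on_non_main_binary", None))
    return findings


def rejected_paths(findings):
    """Sorted paths that have at least one signature-rejecting finding."""
    return sorted(p for p, fs in findings.items()
                  if any(kind in REJECTING for kind, _ in fs))


def entitlement_keys(plist_bytes):
    """Sorted entitlement keys present in a codesign --xml entitlements dump."""
    return sorted(plistlib.loads(plist_bytes).keys())


def audit_dstroot_entry(path, plist_bytes):
    """Pre-installation check for one file of the cryptex dstroot.

    Heuristic (assumption): a '.dylib' suffix marks a non-main binary. The
    AMFI constraint-violation message in the issue says such a file must not
    carry entitlements, so any keys found on a dylib are reported here,
    before personalization rather than in the device console.
    """
    issues = []
    keys = entitlement_keys(plist_bytes)
    if path.endswith(".dylib") and keys:
        issues.append(f"{path}: non-main binary carries entitlements {keys}")
    return issues


if __name__ == "__main__":
    found = parse_amfi_log(SAMPLE_LOG)
    for p in rejected_paths(found):
        print("rejected:", p, found[p])
    dylib = "com.example.cryptex.dstroot/usr/bin/libclang_rt.asan_ios_dynamic.dylib"
    for issue in audit_dstroot_entry(dylib, SAMPLE_ENTITLEMENTS):
        print("pre-install issue:", issue)
```

On a real host the plist bytes would come from `codesign --display --entitlements - --xml <file>` (note that `2>&1 >file` sends stderr to the terminal and only stdout to the file, as in the command quoted above), and the log text from the Console export; nothing in this script runs either tool.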