
Port the `secureboot` table to macOS

Open alessandrogario opened this issue 3 years ago • 3 comments

alessandrogario avatar Jul 15 '22 20:07 alessandrogario

Looks like this won't work on the newer Macs. Tried this on an M1 Mac running Monterey 12.4 with the following error:

```
E0718 10:48:21.134940 92276096 secureboot.cpp:151] secureboot: Failed to access the following nvram variable: 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy
```

I'm new to the Kolide team, and I was looking at secure boot for Macs last Friday.

Here are a couple of articles I've found some useful info in:

  • https://eclecticlight.co/2021/05/26/big-sur-11-4-brings-localpolicy-and-recovery-access-to-m1-macs/
  • https://support.apple.com/en-ca/guide/security/secc745a0845/web

Micah-Kolide avatar Jul 18 '22 17:07 Micah-Kolide

@alessandrogario, @directionless I updated the PR to disable the secureboot table on Apple Silicon. Also, the table will be empty if the secureboot feature is not supported. It would be great if you could review the changes again.

kumarak avatar Aug 23 '22 19:08 kumarak

  • Mac hardware pre 2016 (No Secure Enclave)
  • Mac hardware 2016-2017 (T1)
  • Mac hardware 2018-2020 (T2)
  • Mac hardware 2020+ (Apple Silicon)

Ok, so now we know:

  • Mac hardware pre 2016 (No Secure Enclave): behavior will be to return no result
  • Mac hardware 2016-2017 (T1): I don't know if any of us have hardware from this era. Does the Kolide team have a test system?
  • Mac hardware 2018-2020 (T2): developed and tested for this :+1:
  • Mac hardware 2020+ (Apple Silicon): behavior will be to not compile or provide the table with Apple Silicon binaries.

mike-myers-tob avatar Aug 29 '22 17:08 mike-myers-tob

Resolved conflicts and updated to latest master.

Smjert avatar Nov 01 '22 16:11 Smjert