CoreTrust is a kernel extension that was introduced in iOS 12. It was introduced to perform some certificate validation inside the KTRR-protected kernel, to combat jailbreaks that would intercept amfid to defeat code-signing. Its use-case has changed between versions, which is why TrollStore and its bypasses cannot be used on iOS 12 and 13.

A binary goes through CoreTrust validation if it is not in trustcache, and amfid comes after CoreTrust. CoreTrust sets "policy flags" that are returned to AMFI, which offer information about how the binary is signed. It will also verify that the binary has a valid CMS blob, and that it is not malformed in any way.

iOS 12 and 13

CoreTrust was originally introduced to prevent the 'fake-signing' technique used in older jailbreaks. This involves ad-hoc signing binaries and then hooking _MISValidateSignatureAndCopyInfo in amfid to allow execution of any binary.

After failing the trustcache check, the binary would be validated by CoreTrust. The purpose of this validation was to ensure that the binary was signed with a certificate that came from Apple. If it didn't, the binary would be rejected before ever getting to amfid.

It is important to note that CoreTrust did not check if the certificate was valid. This means that you could use an expired developer certificate, and CoreTrust would not complain. Thus, several jailbreaks took advantage of this by simply signing every binary with an expired developer/enterprise certificate, so that the binary would then be validated by amfid. Then, they would intercept amfid validation and code-signing could be completely bypassed.

iOS 14 and later

In iOS 14, the App Store Fast Path was introduced. If CoreTrust set the App Store policy flag, AMFI would allow execution of the binary without any further checks (provided that the signature actually matched the binary). It would also green-light any entitlement that the binary possessed to be used (in iOS 15, however, several entitlements were restricted to trustcache-only binaries).

It was with this that CoreTrust became exploitable for a code-signing bypass. If CoreTrust could be convinced to set the App Store policy flag on a non-App Store binary, an attacker could run any binary with any entitlements. The only two public CoreTrust bypasses of this nature are the CoreTrust Root Certificate Validation Vulnerability and the CoreTrust Multiple Signer Validation Vulnerability.

These changes meant that the only binaries that would be validated through amfid were those signed by enterprise/developer certificates, or other non-Apple certificates.
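The validation order described above (trustcache, then CoreTrust policy flags, then amfid) and the iOS 12/13 versus iOS 14+ difference can be modelled as a small decision pipeline. The following is an added illustration, not Apple's code or anything from the wiki; the `Binary` fields, the `APP_STORE` flag name and the `evaluate` function are constructed for the model.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Outcome(Enum):
    ALLOWED_TRUSTCACHE = auto()   # in trustcache: neither CoreTrust nor amfid consulted
    REJECTED_CORETRUST = auto()   # CoreTrust rejected it; amfid never sees it
    ALLOWED_FAST_PATH = auto()    # iOS 14+: App Store flag set, amfid skipped
    SENT_TO_AMFID = auto()        # passed CoreTrust, still needs amfid validation


@dataclass
class Binary:
    """Constructed model of the properties CoreTrust/AMFI care about."""
    in_trustcache: bool = False
    cms_well_formed: bool = True         # has a valid, non-malformed CMS blob
    cert_chains_to_apple: bool = False   # signing certificate came from Apple
    cert_expired: bool = False           # deliberately NOT checked by CoreTrust
    app_store_signed: bool = False       # would earn the App Store policy flag
    signature_matches: bool = True       # the signature actually covers this code


def coretrust(b: Binary):
    """Model of CoreTrust: returns (accepted, policy_flags)."""
    if not b.cms_well_formed or not b.cert_chains_to_apple:
        return False, set()
    flags = set()
    if b.app_store_signed:
        flags.add("APP_STORE")      # hypothetical flag name for the model
    # Note: b.cert_expired is intentionally ignored, matching the wiki text
    return True, flags


def evaluate(b: Binary, ios_major: int) -> Outcome:
    """Walk a binary through trustcache -> CoreTrust -> AMFI for a given iOS."""
    if b.in_trustcache:
        return Outcome.ALLOWED_TRUSTCACHE
    accepted, flags = coretrust(b)
    if not accepted:
        return Outcome.REJECTED_CORETRUST
    # App Store Fast Path exists only from iOS 14 onwards
    if ios_major >= 14 and "APP_STORE" in flags and b.signature_matches:
        return Outcome.ALLOWED_FAST_PATH
    return Outcome.SENT_TO_AMFID


if __name__ == "__main__":
    expired_dev = Binary(cert_chains_to_apple=True, cert_expired=True)
    print("iOS 12, expired dev cert:", evaluate(expired_dev, 12).name)
    store = Binary(cert_chains_to_apple=True, app_store_signed=True)
    print("iOS 13 vs 14, App Store:", evaluate(store, 13).name, evaluate(store, 14).name)
```

Running it shows why the same expired developer certificate still reaches amfid on iOS 12 (CoreTrust never checks expiry), and why the App Store flag only becomes a complete bypass of amfid from iOS 14.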