Signed System Volume

From The Apple Wiki

Signed System Volume (SSV, sometimes referred to as Sealed System Volume) is a security mitigation introduced in macOS 11 Big Sur, iOS 15 and visionOS 1. It aims to use signature verification to prevent a device from booting if the system volume has been tampered with, protecting against attacks that involve modifying operating system files.

During installation of an OS with SSV enabled, the expected hash of the system volume (named the root hash, with IMG4 tag ISYS) is also placed in the filesystem. When the device is booted, iBoot verifies that the contents of the system volume match this root hash. If it doesn't, the device will enter Recovery Mode, and will need to be restored. Trying to mount the system volume as read-write, or writing to it on a booted system, will result in a kernel panic, triggering the iBoot code path that detects the change and enters Recovery Mode.

SSV does not apply to other APFS volumes. palera1n in rootful mode takes advantage of this by creating a new APFS volume, referred to as the "fakefs". Rootless avoids writing to the system volume by changing how jailbreak packages are installed, instead using a /var/jb prefix on all paths. The path is a symlink to the /private/preboot volume, working around some sandbox limitations imposed on binaries located in /private/var.

To bypass SSV, a BootROM or iBoot exploit is needed, or any other exploit that can achieve code execution before the kernel starts. Without a method of repeating the exploit on every boot (an untether), such a bypass would be tethered, needing to be re-exploited manually by the user on each boot to avoid entering Recovery Mode. There have been userland solutions demonstrated, such as making use of bind mounts to apply files and directories on top of the existing system volume, which remain untouched.

While SSV was introduced to both macOS and iOS at the same time, it was initially only enforced in macOS 11.0. In iOS 14.0, the ISYS IMG4 tag was introduced, but it was not being used. In iOS 14.2, the root volume is sealed, but it was not being enforced with the kernel panic and iBoot checks. In iOS 15.0, these enforcement mechanisms were enabled.

Restore bug

On A11 and below, an SSV-bricked device can be fixed with a restore. However, currently, breaking the SSV seal on A12 and above leaves the device in a bricked state, as it causes restored_external to panic when trying to restore or update. An Apple engineer appears to acknowledge that this could be a bug, rather than intended behavior.[1] However, to date, it remains unfixed.

External Links

References