<Zavec>
With the caveat that I may be biting off way more than I can chew: if I were interested in trying to add touch ID support, has anybody looked at that before and can tell me if I'm way off track with what it would take?
<Zavec>
I see there's a "secure biometrics" endpoint in the HW-SEP reversing doc, and from Apple's support docs it sounds like most of the fingerprint processing actually happens inside the secure enclave, and the driver for the fingerprint reader more or less just triggers the finger scan and sends that data to the enclave:
<Zavec>
`When the fingerprint sensor detects the touch of a finger, it triggers the advanced imaging array to scan the finger and sends the scan to the Secure Enclave.`
<Zavec>
Would it then be "just" a case of reversing how the driver for the sensor "triggers the imaging array" and forwards the data to the enclave enough to clean-room style implement it in a new driver, and then figuring out how to hook that up to `fprintd`?
<Zavec>
(with "just" doing a _lot_ of work there, admittedly)
<chaos_princess>
so, the touch id driver per se will be pretty simple, you just need some init, and then forward encrypted buffers between the sensor (on the spi bus), and sep
<chaos_princess>
now, the sep itself is a ton of work, since there are a lot of endpoints, and various annoying bits to make it all work
<Zavec>
I see there's a commit message from amarioguy a week ago on the SEP doc saying that they're stepping back a bit but are still open to questions, and thanking WhatAmISupposedToPutHere for having done some stuff in the meantime, maybe I should ask them before I go diving into the SEP tracer
<chaos_princess>
WhatAmISupposedToPutHere is my github username :P
<Zavec>
Oh lol
<Zavec>
Well in that case maybe I'll start by looking at some of the TODOs in the SEP tracer and see if I can solve one of those, just as a way of getting myself familiar with the whole thing
<chaos_princess>
gimme a sec
<nicolas17>
Zavec: iirc the fingerprint sensor and the secure enclave are not physically connected
<Zavec>
Oh yeah no worries, I probably won't do much more tonight anyway because it's past midnight
<nicolas17>
instead, the macOS kernel driver reads some encrypted data from the sensor and passes it untouched to the secure enclave
<Zavec>
So take as many secs as you need
<nicolas17>
the secure enclave replies with another encrypted blob which the driver passes to the sensor
<nicolas17>
that's how they communicate, code in the main CPU has to transport the data between the two while being unable to decrypt it
<nicolas17>
so yeah you absolutely cannot avoid the SEP, it's impossible to e.g. get a fingerprint image from the sensor, the secure enclave does all the matching
<Zavec>
That's more or less what I figured from the Apple "touch id security" doc yeah
<chaos_princess>
quick guide to reversing sep:
<chaos_princess>
1. write an apfs driver, or at least enough of an apfs driver to get the gigalocker file
<chaos_princess>
2. find out how xart read/write works
<chaos_princess>
3. make sure you have backups, if you get the write wrong, you will shred all filevault-ed oses
<nicolas17>
ugh do you need gigalocker to do *anything* with the sep?
<chaos_princess>
4. after you get xart init working, other endpoints will come up, most of them are uninteresting, but sbio is the touchid one
<chaos_princess>
draw the rest of the owl i guess
<chaos_princess>
nicolas17: pmuch
<chaos_princess>
also, if you don't like SKS spam, either ignore it, or boot to single user mode
<Zavec>
Dang, I guess the actual first step for me is to read up on apfs/gigalocker/xart then to see how much of a pain that all will be
<nicolas17>
chaos_princess: I wonder if installing to an external volume would reduce the SKS spam... afaik you don't get SEP-tied data protection then
<chaos_princess>
my trick to not getting sks spam is to not log in :P
<chaos_princess>
even on log in screen you get a very large number of sep endpoints doing stuff
<Zavec>
I think putting some filters on that stuff was one of the things in the sep tracer todo anyway
<Zavec>
That part at least shouldn't be too difficult
<chaos_princess>
I've sent you my mess of a sep tracer, there is a SEPIgn that can be put on endpoints you don't care about
<nicolas17>
how were the timeouts solved? just optimizing the tracer code?
<nicolas17>
ignoring stuff made it able to keep up?
<chaos_princess>
simple, don't put iomon on everything
<nicolas17>
:D
<nicolas17>
I once tried to trace wifi and got quickly overwhelmed
<Zavec>
Oh nice, developer.apple.com has a big long doc about how APFS works
<Zavec>
And there's some stuff about xart/gigalocker in that asahi hw-sep doc too
<nicolas17>
chaos_princess: we should actually write down somewhere the errata for Apple-File-System-Reference.pdf :D
<chaos_princess>
Zavec: warning, that doc contains errors, and some parts of it contradict each other :P
<Zavec>
Of course, we wouldn't want things to be too easy!
<Zavec>
Well that at least gives me something I can get started on reading (and see just what I might be getting myself into) while I wait for my new laptop to come. Won't be doing much of any tracing until that happens regardless.
<nicolas17>
do you have no Mac hardware currently?
<nicolas17>
let me know if you want some small apfs disk images to poke at :p
<Zavec>
I'm on an M1 mbp right now, but it sounds like I need a second device for the tracing stuff with m1n1 unless I've misunderstood something
<nicolas17>
the second device doesn't have to be a Mac (it might need USB-C?)
<Zavec>
re. apfs images: if it's not too much trouble those would probably be helpful!
<chaos_princess>
Just needs usb
<chaos_princess>
I started re with a 2010 (iirc) intel mbp
<Zavec>
we'll see which happens first then, between the new laptop coming (in which case I can do all this from my coffee table) or me finally cleaning off the desk where my desktop has sat unused for a year or so :P
<nicolas17>
lol
<Zavec>
though really that's something I should do anyway
<Zavec>
probably would be better for my back
<nicolas17>
I wrote a hackish purpose-specific apfs parser in Python a while ago
<chaos_princess>
Since you have a mac, you can also generate a bunch of apfs images yourself, just with hdiutil
<nicolas17>
scenario: new Mac model comes out, it comes preinstalled with a special macOS build that is not available for download, researchers / data hoarders want a copy of it so they take a raw disk dump
<nicolas17>
but the disk image takes a lot of space because the data volume is encrypted and can't be compressed
<nicolas17>
and that's useless data since you can't decrypt it anyway
<nicolas17>
so I wrote a script to erase the data volume from the disk image, going through the APFS object map to figure out what blocks belong to that volume
<Zavec>
oh yeah, hdiutil would be way easier good call
<Zavec>
I've never really dug into the apple ecosystem before, so there's probably lots of things like that I'll miss
<Zavec>
Anyway I'm going to get some sleep, thanks both of you for all the help! And apologies in advance if this takes me a long time, still trying to find an ADHD med that actually works for me :P