Big Sur 11.4 brings LocalPolicy and recovery access to M1 Macs

Big Sur 11.4 is unusual for bringing two completely new additions to macOS: a Kernel Extension AppleVPBootPolicy.kext and a Private Framework for RecoveryOS. This article explores them, and considers what their appearance brings for the user.

AppleVPBootPolicy

This is a brand new kernel extension in /System/Library/Extensions which is installed on all Macs as part of macOS 11.4 but is only loaded on Apple Silicon Macs. It’s also unusual in being a single-architecture ARM Mach-O executable. It’s small, just under 400 KB, and as its name suggests is concerned with Boot Policy and ARM platform security.

Each bootable System known to an M1 Mac has a file which determines its security settings, known as the LocalPolicy. These determine the security level (such as Full Security) to be used, and detailed settings for features such as SIP and MDM management. Users can only configure those settings from recoveryOS, using its Startup Security Utility, although a LocalPolicy often has to be generated while you’re running macOS normally, for example when you attach an external bootable disk and want to restart from it.

LocalPolicy files have to be heavily protected, or they could be exploited in an attack. Each is signed by the Secure Enclave Processor (SEP), and a single-use pseudo-random number called a nonce is used in verifying each LocalPolicy. This ensures that a replay attack, in which an older LocalPolicy carrying a lower level of security would be substituted for the current one, can’t succeed.

These are all the concern of this new AppleVPBootPolicy kernel extension, which gives its sub-system as com.apple.private.security.bootpolicy, something you’re not likely to come across much in the log, and has a nickname of boop. It works with NVRAM (specifically relying on the IODTNVRAM service), and gets and sets variables stored there. It handles nonces for different LocalPolicies for recoveryOS, local, remote, software update and customOS. The last of those is interesting, as it suggests that Boot Policy may be moving towards accommodating other operating systems, perhaps including Linux.

This extension can reset and update nonces, interfaces with AppleCredentialManager (ACM), and works with the Image4 files in which LocalPolicy is stored.
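To make the nonce-based replay protection described above concrete, here is an added example (not Apple’s code, and not the Image4 format) that models a signed policy bound to a per-slot NVRAM nonce. The SEP’s signature is stood in for by an HMAC over a constructed key, the slot names are taken from the list above, and the policy fields are constructed for illustration only.

```python
import hashlib
import hmac
import json
import os

# Constructed key standing in for the SEP's signing key (hypothetical model).
SEP_KEY = os.urandom(32)
SLOTS = ("recoveryOS", "local", "remote", "softwareupdate", "customOS")


class NVRAM:
    """One anti-replay nonce per policy slot, as the kext's nonce handling suggests."""

    def __init__(self):
        self.nonces = {slot: os.urandom(16) for slot in SLOTS}

    def rotate(self, slot):
        # Generating a new policy for a slot retires every policy signed under the old nonce.
        self.nonces[slot] = os.urandom(16)
        return self.nonces[slot]


def sep_sign(policy, nonce):
    """Bind the policy fields to the current nonce under the SEP key."""
    body = json.dumps(policy, sort_keys=True).encode()
    mac = hmac.new(SEP_KEY, nonce + body, hashlib.sha256).digest()
    return {"body": body, "nonce": nonce, "mac": mac}


def verify_policy(blob, nvram, slot):
    """Accept only a policy whose signature is valid AND whose nonce is the live one."""
    expected = hmac.new(SEP_KEY, blob["nonce"] + blob["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["mac"]):
        return False, "bad signature"
    if not hmac.compare_digest(blob["nonce"], nvram.nonces[slot]):
        return False, "stale nonce (possible replay)"
    return True, json.loads(blob["body"])


def replay_demo():
    """Sign a weak policy, rotate the nonce for a stronger one, then re-present the old blob."""
    nvram = NVRAM()
    old = sep_sign({"security": "Permissive", "sip": False}, nvram.nonces["local"])
    nvram.rotate("local")
    new = sep_sign({"security": "Full", "sip": True}, nvram.nonces["local"])
    tampered = dict(new, body=new["body"].replace(b"Full", b"Permissive"))
    return (
        verify_policy(new, nvram, "local"),
        verify_policy(old, nvram, "local"),
        verify_policy(tampered, nvram, "local"),
    )
```

The old blob still carries a valid signature; it is rejected purely because its nonce no longer matches the one held in NVRAM for that slot.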

One tantalising glimpse given in its strings is a type of Apple Silicon hardware with an internal code name of Aruba. Your guess is as good as mine as to whether that’s an old system like the DTK, current or future models.

If you’re good at reading ARM assembler, you may find this new extension an interesting browse.

RecoveryOS private framework

recoveryOS is the operating system which delivers the M1 Mac’s wonderful new Recovery environment, or 1 True Recovery (1TR), from a separate APFS container on the internal SSD of the Mac. When you start your M1 Mac up in recoveryOS, it doesn’t load its normal macOS boot system, but iBoot firmware and the Recovery system from that container.

It’s therefore more than a little odd that macOS 11.4 now contains a private framework which presumably gives access for Apple software to some features in recoveryOS. As Apple now gathers the contents of its frameworks into dyld aggregates, it’s no longer easy to discover further details about them: I leave that as an exercise for the interested reader.

It will be interesting to see what becomes of this new private framework.