Boot Parameters And EFI
The booting process is a very interesting topic from a security perspective. In an attempt to understand it a bit better, this short post only scratches the surface by mentioning two useful built-in tools and what they can do.
The nvram(8) command provides access to the firmware’s variables from user mode. The most interesting description of this tool in the context of the boot process that I’ve found is in Vault 7: CIA Hacking Tools Revealed. No surprise here :) As an example, let’s print all the exposed variables:
    csr-active-config w%00%00%00
    fmm-computer-name M%e2%80%99s Mac
    SystemAudioVolumeDB %f0
    platform-uuid %00%11"3DUfw%88%99%aa%bb%cc%dd%ee%ff
    SystemAudioVolume 0
    bluetoothActiveControllerInfo %08%00%0f%0e%00%00%00%00`%01%00%00%00%00%00%00
It can also be used to clear all variables or delete only specific ones.
An interesting issue observed by the article above is that although nvram -p claims to print all of the firmware variables, it does not print any of the variables that belong to the Efi GUID.
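The values printed above are percent-encoded bytes, which makes them hard to read or compare by eye. The following decoder is an added example, not code from the original post: the function names are hypothetical, and the tab separator and the little-endian rendering of small binary values are assumptions.

```python
import uuid
from urllib.parse import unquote_to_bytes

# Values copied from the output shown above. The tab between name and
# value is an assumption about the raw `nvram -p` layout.
SAMPLE = (
    "csr-active-config\tw%00%00%00\n"
    "fmm-computer-name\tM%e2%80%99s Mac\n"
    "SystemAudioVolumeDB\t%f0\n"
    'platform-uuid\t%00%11"3DUfw%88%99%aa%bb%cc%dd%ee%ff\n'
    "SystemAudioVolume\t0\n"
)


def parse_nvram(text):
    """Map each variable name to its raw value bytes (hypothetical helper)."""
    variables = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition("\t")
        if not sep:  # pasted output often has the tab collapsed to a space
            name, sep, value = line.partition(" ")
        # Printable bytes appear literally; everything else is %xx.
        variables[name.strip()] = unquote_to_bytes(value)
    return variables


def describe(name, raw):
    """Render raw bytes in a form that is easy to read and diff."""
    if name.endswith("uuid") and len(raw) == 16:
        return str(uuid.UUID(bytes=raw))
    try:
        text = raw.decode("utf-8")
        if text and text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    if len(raw) in (1, 2, 4, 8):
        # Assumption: small binary values are little-endian integers.
        return f"0x{int.from_bytes(raw, 'little'):0{len(raw) * 2}x}"
    return raw.hex()


if __name__ == "__main__":
    for name, raw in parse_nvram(SAMPLE).items():
        print(f"{name:24} {describe(name, raw)}")
```

Keeping the decoded output from a known-good state gives a baseline to diff against when checking whether a firmware variable has been changed.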
The bless(1) command-line tool can be used to control and modify the boot characteristics of the system, specifically where and how the system boots from. This article explains it very well.
Basically, every bootable volume must indicate the location of the system folder. Let’s see an example:
    $ sudo bless -info /
    finderinfo: 91 => Blessed System Folder is /System/Library/CoreServices
    finderinfo: 440178 => Blessed System File is /System/Library/CoreServices/boot.efi
    finderinfo: 0 => Open-folder linked list empty
    finderinfo: 0 => No alternate OS blessed file/folder
    finderinfo: 0 => Unused field unset
    finderinfo: 91 => OS X blessed folder is /System/Library/CoreServices
    64-bit VSDB volume id: 0xA38A81DE2AE452DC
In this case the blessed system folder is at inode 91, and that path is /System/Library/CoreServices. The “Blessed System File” indicates where the secondary boot loader resides. In this case, that is the file at inode 440178 and is located at