Apple today shared an updated version of its Platform Security Guide [PDF], providing a comprehensive overview of the latest security advancements across iOS 14, iPadOS 14, macOS Big Sur, tvOS 14, watchOS 7, and more.
For example, the guide provides security details about Safari's optional Password Monitoring feature on iOS 14 and macOS Big Sur, which automatically keeps an eye out for any saved passwords that may have been involved in a data breach. Apple also outlines the security of its new digital car keys feature on the iPhone and Apple Watch.
Apple updated its "commitment to security" preamble, touting the security advantages of Apple-designed chips across the iPhone, iPad, Apple Watch, and Mac:
Apple continues to push the boundaries of what's possible in security and privacy. This year Apple devices with Apple SoC's across the product lineup from Apple Watch to iPhone and iPad, and now Mac, utilize custom silicon to power not only efficient computation, but also security. Apple silicon forms the foundation for secure boot, Touch ID and Face ID, and Data Protection, as well as system integrity features never before featured on the Mac including Kernel Integrity Protection, Pointer Authentication Codes, and Fast Permission Restrictions. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use javascript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.
New sections have been added for Macs with Apple silicon, outlining the security of the boot process, boot modes, startup disk, Rosetta 2 translation process for running Intel-based Mac apps, FileVault, Activation Lock, and more.
As expected, the guide confirms that kernel extensions will not be supported on future Macs with Apple silicon (emphasis ours):
In addition to enabling users to run older versions of macOS, Reduced Security is required for other actions that can put a user's system security at risk, such as introducing third-party kernel extensions (kexts). Kexts have the same privileges as the kernel, and thus any vulnerabilities in third-party kexts can lead to full operating system compromise. This is why developers are being strongly encouraged to adopt system extensions before kext support is removed from macOS for future Mac computers with Apple silicon.
macOS Catalina was the last version of macOS to fully support kernel extensions. Apple says kernel extensions are no longer recommended for macOS, noting that they pose a risk to the integrity and reliability of the operating system.
Starting with macOS Catalina, developers have been able to use system extensions that run in user space rather than at the kernel level. System extensions running in user space are granted only the privileges necessary to perform their specified function, which increases the stability and security of macOS, according to Apple.
Apple includes a document revision history section in the Platform Security Guide with a list of all new and updated information.
Apple also has a new Security Certifications and Compliance Center.
Top Rated Comments
I mean, sure, yes. But also: "Apple continues to reduce the ceiling of what's possible in macOS."
I've already been avoiding kext-based apps where possible for years.
If DriverKit supports enough relevant use cases, I don't see a problem.
There won't be any third party GPU support on Apple Silicon. Why would Apple sabotage the developer and user experience ecosystem they have been painstakingly bulding?
Made irrelevant by the new virtualization framework. Parallels Preview runs on M1 without any kernel extensions.