Add support for additional Apple Silicon columns in secureboot table #8215

Merged 3 commits on Dec 15, 2023

@zwass zwass commented Dec 13, 2023

Add the additional columns "description", "allow_kernel_extensions", and "allow_mdm_operations". These correspond to the options presented in the Startup Security Utility.

This has been tested across all the possible configurations on an M2 MacBook Pro with Manual MDM enrollment.

Closes #8195

This adds the additional columns "description", "allow_kernel_extensions", and "allow_mdm_operations". These correspond to the options presented in the Startup Security Utility.

Closes osquery#8195
@@ -176,17 +184,120 @@ Status getSecureBootSetting(Row& row) {
return Status::success();
}

Status getAarch64SecureBootSetting(Row& r) {
@autoreleasepool {
// BEWARE: Because of the dynamic nature of the calls in this function, we
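
Review bot: In `getAarch64SecureBootSetting(Row& r)`, the BEWARE comment flags that the calls inside the `@autoreleasepool` block are dynamic, so each dynamically resolved class and selector should be checked before it is called (nil check, `respondsToSelector:`) and a failed lookup should return a failed `Status` rather than fall through to the call. The parameter is also named `r` here while the neighbouring `getSecureBootSetting(Row& row)` uses `row`; using `row` in both keeps the file consistent.
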
Member Author

This pattern for accessing SPSupport.framework is adapted from the connected_displays table. I think if another table is going to use this it should be refactored out into a helper function.

osquery/tables/system/darwin/secureboot.mm (outdated, resolved)
osquery/tables/system/darwin/secureboot.mm (outdated, resolved)
specs/secureboot.table (outdated, resolved)

@sharvilshah sharvilshah left a comment

I haven't been able to test this by enrolling a machine in MDM, but the code seems fine.

@directionless

Looks okay on my MDM enrolled m1:

osquery> select * from secureboot;
+-------------+-------------+---------------+-------------------+----------------+
| secure_boot | secure_mode | description   | kernel_extensions | mdm_operations |
+-------------+-------------+---------------+-------------------+----------------+
| 1           |             | Full Security | 0                 | 1              |
+-------------+-------------+---------------+-------------------+----------------+
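
A fleet-side check over the columns this PR adds, as an added example that is not part of the pull request or of osquery itself. It assumes rows exported as JSON with a hypothetical `host` key, accepts the column names with or without the `allow_` prefix (both spellings appear in this thread), and assumes policy labels other than "Full Security" follow the Startup Security Utility wording.

```python
import json

# Constructed sample rows shaped like `osqueryi --json` output, where every
# value is a string. "host" is a hypothetical key added for this example; the
# first row mirrors the result posted in this thread, the rest are made up.
SAMPLE = json.loads("""[
  {"host": "m1-enrolled", "secure_boot": "1", "secure_mode": "",
   "description": "Full Security", "kernel_extensions": "0", "mdm_operations": "1"},
  {"host": "dev-laptop", "secure_boot": "1", "secure_mode": "",
   "description": "Reduced Security", "allow_kernel_extensions": "1",
   "allow_mdm_operations": "0"},
  {"host": "old-agent", "secure_boot": "1", "secure_mode": "1"}
]""")


def col(row, name):
    """Read a column under either name seen on this page (with or without allow_)."""
    return row.get(name, row.get("allow_" + name, ""))


def findings(row, allow_mdm_operations=True):
    """Return the policy findings for one secureboot row (empty list = compliant)."""
    out = []
    if row.get("secure_boot") != "1":
        out.append("secure boot not enabled")
    desc = row.get("description", "")
    if not desc:
        # Column absent or empty, e.g. an osquery build without these columns.
        out.append("no Apple Silicon description reported")
    elif desc != "Full Security":
        out.append("security policy is " + desc)
    if col(row, "kernel_extensions") == "1":
        out.append("kernel extensions allowed")
    if not allow_mdm_operations and col(row, "mdm_operations") == "1":
        out.append("MDM operations allowed")
    return out


def report(rows, **policy):
    """Map host -> findings, keeping only hosts with at least one finding."""
    result = {}
    for row in rows:
        found = findings(row, **policy)
        if found:
            result[row.get("host", "?")] = found
    return result


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE), indent=2))
```

The empty `secure_mode` in the posted result is why the check keys on `description` for Apple Silicon rows.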

@directionless directionless merged commit f972f69 into osquery:master Dec 15, 2023
16 checks passed
@directionless directionless changed the title from "Add support for Apple Silicon in secureboot table" to "Add support for additional Apple Silicon columns in secureboot table" Dec 15, 2023
@zwass zwass deleted the secureboot-apple-silicon branch December 15, 2023 16:14
Successfully merging this pull request may close these issues.

Update the secureboot table to support macs running Apple silicon