Post date: Jan 10, 2018 7:34:28 PM
With the new (well, fairly new) MacBook Pros, Apple has introduced some new embedded security aspects. As with any new technology, not everybody has caught up with some of the new implications.
For example, the new TouchBar actually runs an embedded OS. It's probably similar to watchOS, which is itself descended from iOS. This OS has all the built-in security features of iOS, including image signing and verification. In the new iMac Pros, Apple has taken it to another level and uses the embedded OS to manage the boot process.
The problems begin when you add software that isn't aware of the intricacies of the embedded OS. For me, this was my macOS firewall software. I am not a big fan of applications I run calling home without my permission, so I installed a firewall that requires applications to ask before making external network connections. Commercial software of this nature includes "Hands Off!" and "Little Snitch".
The Touch Bar has new daemons that listen for connections (even using link-local IPv6 addresses) and new software verification processes. The embedded OS image used by the Touch Bar is actually loaded by the EFI firmware. When the OS is updated, a new embedded OS image may also be required. The embedded OS image update process fetches the image from Apple servers over the Internet. Unfortunately, this is done during the boot process, when standard GUI applications are not able to provide or receive user input.
On my system, when the new processes reach out to the Internet to fetch the new image, the process that would normally ask my permission is blocked, leading the connection to be denied. This can actually prevent macOS from booting and cause big problems. More than once, I have had to boot into Safe Mode (by holding down the "shift" key when turning on the machine), uninstall the firewall kernel module and then reboot again to allow the embedded OS update to proceed.
Ultimately, the answer was to identify the processes used by Touch Bar and create new firewall rules to allow these updates and daemons to make or accept network connections. Unfortunately, as the Touch Bar is still fairly new, the process names are still changing.
Here is a list of firewall rules that work for me using macOS Sierra 10.12.6:
Allow EmbeddedOSInstallService to accept incoming connections
Allow EmbeddedOSInstallService access to gs.apple.com on port 443 (HTTPS)
Note: Access to additional servers may be required
Allow biometrickitd incoming network connections
During troubleshooting, I also added these rules, which may or may not be required:
Allow All Applications access to the following servers on port 443 (HTTPS)
skl.apple.com
ig.apple.com
gs.apple.com
gnf-mr.apple.com
gnf-mdn.apple.com
gg.apple.com
Allow All Applications access to the following server on port 80 (HTTP)
gg.apple.com
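The rules above are easier to keep track of, and to tighten later, if they are written down as a rule file rather than clicked together in a dialog. What follows is an added example (not from the original post, and not a file shipped by Apple or by either firewall vendor) that encodes the same rules in the JSON shape used by Little Snitch 4 rule-group (.lsrules) files, then runs a small review pass over them. The review pass flags the troubleshooting rules that apply to "All Applications" and the one that allows plaintext HTTP, and shows how to bind those broad rules to a single process once the Touch Bar process names settle down. The rule-file format is an assumption about the firewall in use; the process paths under /usr/libexec are also assumed, since the post only gives the process names.

```python
"""Constructed rule set mirroring the firewall rules from the post, plus a
review pass that flags the over-broad troubleshooting rules.

Assumptions (not from the post): the JSON layout follows the Little Snitch 4
.lsrules rule-group format, and the two daemons live under /usr/libexec.
"""
import copy
import json

# Assumed install paths for the two processes named in the post.
EMBEDDED_OS_INSTALL = "/usr/libexec/EmbeddedOSInstallService"
BIOMETRICKITD = "/usr/libexec/biometrickitd"

# Hosts the post lists under "All Applications" on port 443 (HTTPS).
TROUBLESHOOTING_HOSTS_443 = [
    "skl.apple.com", "ig.apple.com", "gs.apple.com",
    "gnf-mr.apple.com", "gnf-mdn.apple.com", "gg.apple.com",
]

# Constructed rule group. A rule without a "process" key applies to every
# application, which is how the troubleshooting rules were written.
RULE_GROUP = {
    "name": "Touch Bar embedded OS update (constructed example)",
    "description": "Rules from the post for the Touch Bar update daemons.",
    "rules": [
        {"action": "allow", "process": EMBEDDED_OS_INSTALL,
         "direction": "incoming", "notes": "accept incoming connections"},
        {"action": "allow", "process": EMBEDDED_OS_INSTALL,
         "direction": "outgoing", "remote-hosts": ["gs.apple.com"],
         "ports": "443", "protocol": "tcp"},
        {"action": "allow", "process": BIOMETRICKITD, "direction": "incoming"},
        # Troubleshooting rules: any application, HTTPS to the listed hosts.
        {"action": "allow", "direction": "outgoing",
         "remote-hosts": TROUBLESHOOTING_HOSTS_443,
         "ports": "443", "protocol": "tcp"},
        # Troubleshooting rule: any application, plaintext HTTP to gg.apple.com.
        {"action": "allow", "direction": "outgoing",
         "remote-hosts": ["gg.apple.com"], "ports": "80", "protocol": "tcp"},
    ],
}


def review_rules(group):
    """Return [(rule_index, [reasons])] for rules worth narrowing later:
    allow rules bound to no process, and outgoing rules on port 80."""
    findings = []
    for index, rule in enumerate(group["rules"]):
        reasons = []
        if rule.get("action") == "allow" and "process" not in rule:
            reasons.append("any-process")
        if rule.get("direction") == "outgoing" and str(rule.get("ports", "")) == "80":
            reasons.append("plaintext-http")
        if reasons:
            findings.append((index, reasons))
    return findings


def narrow_to_process(group, process_path):
    """Return a copy of the group in which every any-process rule is bound
    to process_path, the step to take once the daemon name is known."""
    narrowed = copy.deepcopy(group)
    for rule in narrowed["rules"]:
        rule.setdefault("process", process_path)
    return narrowed


def to_lsrules(group):
    """Serialize the group as an .lsrules-style JSON document."""
    return json.dumps(group, indent=2)


if __name__ == "__main__":
    for index, reasons in review_rules(RULE_GROUP):
        print(f"rule {index}: {', '.join(reasons)}")
    print(to_lsrules(narrow_to_process(RULE_GROUP, EMBEDDED_OS_INSTALL)))
```

Running the file prints the two broad troubleshooting rules with their reasons, then the rule group with those rules bound to EmbeddedOSInstallService; the port 80 rule is still reported after narrowing, since binding it to a process does not make the connection itself any less plaintext.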
More updates to follow, I'm sure...