XNU is being refactored into a micro-kernel inspired architecture, aiming to reduce its code base, and move security sensitive operations out of it. The memory space isolation is performed with the help of a Secure Page Table Monitor - SPTM. The code signing, entitlement verification, Developer Mode, Restricted Execution Mode, and other security sensitive operations are handled by the Trusted eXecution Monitor - TXM.
> He also believed very strongly in good marketing, and he jumped on privacy marketing very quickly after the Facebook - Google privacy spat that coincided with the failure of iTunes Ping.
I have two thoughts about this.
One, if you tell yourself a story strongly enough, it becomes real. Especially when you can structure the company to force it to become real.
Two, "marketing" is usually used disparagingly to mean something like "advertising that brainwashes customers into wanting something", but it's more like "knowing what people are going to want by the time it's ready to ship". It doesn't necessarily even include advertising. So in this case people do want privacy.
Same function at Apple. There isn't a separate "product" division and there aren't "PMs" with power (though there are some job site postings for them… in the marketing division.) That doesn't make sense at a functionally organized company where the execs and designers decide everything - Jobs and Ive were the "product" people.
IIRC the advertising people are called Marcom or "marketing communications".
I'm not sure it's so much about extracting value exactly but Jobs long believed in making sealed appliances that people couldn't and wouldn't have to tinker with as opposed to more easily modifiable computers sold by competitors.
> Expandability, or the lack thereof, was far and away the most controversial aspect of the original Macintosh hardware design. Apple co-founder Steve Wozniak was a strong believer in hardware expandability, and he endowed the Apple II with luxurious expandability in the form of seven built-in slots for peripheral cards
...
> This flexibility allowed the Apple II to be adapted to a wider range of applications, and quickly spawned a thriving third-party hardware industry.
...
> Apple's other co-founder, Steve Jobs, didn't agree with Jef about many things, but they both felt the same way about hardware expandability: it was a bug instead of a feature. Steve was reportedly against having slots in the Apple II back in the days of yore, and felt even stronger about slots for the Mac. He decreed that the Macintosh would remain perpetually bereft of slots, enclosed in a tightly sealed case, with only the limited expandability of the two serial ports.
> Mac hardware designer Burrell Smith and his assistant Brian Howard understood Steve's rationale, but they felt differently about the proper course of action. Burrell had already watched the Macintosh's hopelessly optimistic schedule start to slip indefinitely, and he was unable to predict when the Mac's pioneering software would be finished, if ever. He was afraid that Moore's Law would make his delayed hardware obsolete before it ever came to market. He thought it was prudent to build in as much flexibility as possible, as long as it didn't cost too much.
> Burrell decided to add a single, simple slot to his Macintosh design, which made the processor's bus accessible to peripherals, that wouldn't cost very much, especially if it wasn't used. He worked out the details and proposed it at the weekly staff meeting, but Steve immediately nixed his proposal, stating that there was no way that the Mac would even have a single slot.
> But Burrell was not that easily thwarted. He realized that the Mac was never going to have something called a slot, but perhaps the same functionality could be called something else. After talking it over with Brian, they decided to start calling it the "diagnostic port" instead of a slot, arguing that it would save money during manufacturing if testing devices could access the processor bus to diagnose manufacturing errors. They didn't mention that the same port would also provide the functionality of a slot.
> This was received positively at first, but after a couple weeks, engineering manager Rod Holt caught on to what was happening, probably aided by occasional giggles when the diagnostic port was mentioned. "That thing's really a slot, right? You're trying to sneak in a slot!", Rod finally accused us at the next engineering meeting. "Well, that's not going to happen!"
> Even though the diagnostic port was scuttled, it wasn't the last attempt at surreptitious hardware expandability. When the Mac digital board was redesigned for the last time in August 1982, the next generation of RAM chips was already on the horizon. The Mac used 16 64Kbit RAM chips, giving it 128K of memory. The next generation chip was 256Kbits, giving us 512K bytes instead, which made a huge difference.
> Burrell was afraid the 128Kbyte Mac would seem inadequate soon after launch, and there were no slots for the user to add RAM. He realized that he could support 256Kbit RAM chips simply by routing a few extra lines on the PC board, allowing adventurous people who knew how to wield a soldering gun to replace their RAM chips with the newer generation. The extra lines would only cost pennies to add.
> But once again, Steve Jobs objected, because he didn't like the idea of customers mucking with the innards of their computer. He would also rather have them buy a new 512K Mac instead of them buying more RAM from a third-party. But this time Burrell prevailed, because the change was so minimal. He just left it in there and no one bothered to mention it to Steve, much to the eventual benefit of customers, who didn't have to buy a whole new Mac to expand their memory.
> exclaves refer to specific resources that are separated from the main kernel (XNU) and cannot be accessed by it, even if the kernel is compromised
Also interesting:
> It’s not uncommon for mid-cycle releases of macOS to gain new features in preparation for the next major version. Perhaps the most fundamental and significant added to Sonoma 14.4, together with iOS 17.4, iPadOS 17.4 and watchOS 10.4, are exclaves.
> In macOS 15 and later, creation of a VM running macOS 15 or later can configure an identity derived from the host Secure Enclave, enabling access to resources requiring Apple ID including iCloud. This is accomplished using an exclave of the Secure Enclave.
I would particularly like to highlight the work of Dataflow Forensics and their much more advanced work dissecting SPTM without the benefit of source code. I enthusiastically await their promised blog post about exclaves and hope they will answer many of the remaining questions, provide gory disassembly explanations, and correct all my mistakes and assumptions!
Yes, they're saying that there's some stuff they didn't cover, and they hope the Dataflow people will. But the first couple didn't really answer much so I'm not particularly hopeful.
That is underwhelming! (But also.. that's *this* discussion.. and the other discussion is already linked by GP.. so I'm not really sure what you're aiming for here)
P.s. @gnabgib thanks for all your excellent dupe postings! I used to do a lot but life got busier. You are appreciated.
Edit: @thrdbndndn: My bad, yes this submitted article is the one that sucks. Thank you! If you delete your reply it will make things less confusing, but no worries and best wishes.
This was an incredibly well-researched and well-written deep dive. It's rare to see such a thorough breakdown of something as technical as exclaves while still making it engaging to read.
For now, I think existing exclaves such as the one that displays the camera indicator do not really apply to macOS (since MacBooks have dedicated hardware for that), but in the future there might be exclaves that do.
> since SPTM is not used according to Apple documentation:
Try reading that footnote again:
> Note 2: Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) enforce the execution of signed and trusted code on all platforms with the exception of macOS (because macOS is designed to run any code). All of the other security properties, including the protection of page tables, are present across all supported platforms.
It doesn't say macOS doesn't use SPTM. It says macOS doesn't use SPTM to prevent running unsigned code, since macOS is supposed to allow unsigned code (after the user jumps through some hoops).
I'm not familiar with that level of knowledge, but from the look of it you can attack the enclave itself to escalate privilege higher than the kernel enjoys? Is this piece of hardware something like a co-processor?
An exclave isn’t hardware, it’s an isolated piece of software that deals with a certain sensitive operation that you don’t want the kernel to have access to. So if you exploit it, then yes you have access to something that the kernel doesn’t–but that’s the point, because the goal is if you exploit the kernel you shouldn’t get access to that.
If it’s all in software but the kernel has lower privileges, I’m curious how they’ll be able to update it? And if there is an API to update via the kernel, what’s stopping a push via a malicious source pretending to be Apple?
I don't think it is accurate to say that the kernel has lower privileges. It's just something the kernel isn't allowed to do, while the exclave has a list of things it isn't allowed to do. Also exclaves are shipped with normal software updates (verified by the boot chain, not the kernel).
I wonder if it's possible for app devs to use Exclaves. The thing that irks me about Apple is that they invent this new amazing internal stuff but then completely wall it off from devs, leaving everyone else (banking apps, wallets, secure messaging, etc.) to continue running in unsecured user space.
My crusty squinty morning eyes read that as
“ it can lead to a complete system compromise, as all the operating system’s functions are bundled together in the kernel’s single “breakfast of eggs”.” .. now I wish this was the idiom.
If most of the stuff the user cares about is inside the "Insecure World" bubble of the diagram, then this whole business is, like, for shit.
It serves only the platform provider, who can decide which programs may or may not be installed based on whether they are aligned with or against their competitive interests.
This is just plainly false. Passkeys, biometrics, app permissions, and a suite of other user-centric privacy features have clear benefit from strong isolation from an "insecure world" kernel.
Delegating key derivation and/or password validation, combined with secure UI state indication, to a more secure execution environment can be a big win for security, for example.
I could imagine a passkey implementation with some extensions that allow securely presenting what the user is consenting to and how ("enter your payments PIN or password now to confirm a payment of $x to merchant y").
It's of course even better to do that in tamper-proof security coprocessors such as Apple's secure enclave, but TEEs have the big advantage of having access to much more memory and faster processing, which allows doing more complicated things there more easily.
They can also always lean on the secure hardware for actual key management, but handle more complex user interface operations in an environment that's still more secure than the main OS.
Android has supported something just like that years ago with "protected confirmation" [1], but unfortunately it's only available on Pixel phones and hasn't really been picked up by app developers as a result; the situation for Apple is of course very different, so I have some hopes that if they launch something comparable it could actually see some adoption.
The most likely attack model I can imagine is that a jailbroken phone still won’t be able to violate certain functionality (eg a recording LED remains lit, various supervisor functionality can’t be disabled, etc)
Oh; so the camera LED and camera data path would run a remote attestation protocol with the exclave, and the exclave would make sure the led is on whenever it’s forwarding on data from the camera?
(Though I’m not convinced that will actually work on modern apple devices, where the led is pixels that run through the compositor — I guess the video driver stack and window managers are also exclaves in this world?)
I'm not sure how complex modern display controllers are, but I could imagine a simple priority hardware overlay functionality that an exclave has access to (similar to the dedicated "cursor overlay" functionality some older GPUs had, as far as I understand).
Once you have that, you can take the idea further: Displaying an indicator that confirms that all your keystrokes are going to an exclave validating your password, for example.
The much-hated touch bar actually enabled just that, for Apple Pay payments, as far as I remember: It could display something like "touch to confirm payment of $x" on its own screen in a way that was impossible to manipulate from macOS – now here's an opportunity to bring that level of security back without requiring a dedicated display or taking away people's beloved function keys.
The article mentions the display controller runs an Apple OS so I could see there being a secure way for an exclave to call into it for the onscreen indicators.
I would expect that to mean they're not included in screenshots so I'm curious now whether that's true for the iPhone 16.
If it's running as their user account then they can see it and remove it. The point of the admin account is to prevent this by obfuscation and permission hijack.
> SK runs on the same high speed application processors as XNU/iOS. To make this possible, additional processor privilege levels are required — likely supported by virtualization extensions
Recent Apple phone and laptop SoCs include hardware support for nested virtualization, including the M4 iPad Pro where an exclave is used for the camera LED. Hopefully the next revision of the Apple Platform Security guide will cover SK exclaves and baseband mitigations for Wi-Fi radar sensing, https://help.apple.com/pdf/security/en_US/apple-platform-sec...
> Apple specific additions to SPTM
SPTM reverse engineering, https://www.df-f.com/blog/sptm3
> or most likely via ARM’s TrustZone technology. The XNU source code contains several references regarding transitions to and from TrustZone’s concept of a secure world
150+ TrustZone CVEs, https://www.cve.org/CVERecord/SearchResults?query=trustzone
> it’s a defensive effort on a larger scale than any other end user device manufacturer is currently attempting
Google implemented pKVM on Pixels with hardware nested virtualization a few years ago, and upstreamed the code to Linux mainline, including cooperative de-privileging of TrustZone relative to pKVM L0. But they have not announced defensive features using pKVM/AVF, outside of Debian "Linux Terminal" VM.
The author published a follow-up post and revised diagram, https://randomaugustine.medium.com/more-speculation-on-excla...
> While I speculated that TrustZone was being used, exclaves may well use the existing SPTM and GXF (Guarded Execution) privilege levels after all. One implication may be that there is no hard reason they couldn't be supported on iPhone 13 and higher, aside from RAM requirements and development effort. Make no mistake these are huge undertakings even for Apple.
I think Steve truly believed at his core, very simply: your laptop is your diary, and they have a responsibility to that.
I don't think Tim would be CEO if he didn't believe what Steve did. It's so weird, but I really miss Steve.
https://www.youtube.com/watch?v=Ij-jlF98SzA
Tim definitely carries that torch in his own way, but there was something about Steve's presence that made everything feel more… human? Less corporate? Hard to put into words, but yeah, I miss him too. Thanks for sharing that video.
Sorry, I am sure the article about enclaves triggered this thought about Steve for you. I cannot see how one led to the other, can you maybe tell us?
hehe, it's a good question. When you get to scale, you realize you got there because a lot of humans put you there. It's part of why scaling is hard, business is an art and science that juggles the value exchange between us in society. People still here on hackernews are angry at me personally for decisions at digitalocean, in retrospect, I wish I'd handled the wipe disk thing that happened better, for example. It's both very easy and very difficult at the same time to build a business while trying super hard to love (really actually love as humans love!!!) your customer because many many things want to prevent you from loving your customer (I have government stories too, many of us do). At the end of the day, they are doing the real work, like, the real real stuff, they don't have to, I mean, they don't right? But they will, because it's the right thing to do, because Steve said so. apple here, have taken extraordinary engineering effort to say even if you compel us, we physically can’t give you access to their diary. That is to be commended, and that, is Steve Jobs.
Thanks for the Steve Jobs clip and this valiant comment on complex subjects.
[flagged]
Me?!? I don't even drink alcohol. I'm just being expressive, last I checked it was allowed??
Commenters are getting increasingly cynical on here. I wouldn’t worry about it.
If we lose a bastion of being able to speak quite freely in front of other intelligent humans, that will be a shame.
Don’t worry, the more reasonable of us on HN helped to flag that troll comment into oblivion.
Thanks for sharing your story.
[flagged]
I never said I disapprove.
This comes across like a manic episode
It is weird. Jobs was divisive and (not infrequently) abrasive, and why would you miss a tech billionaire anyway? Yet I also feel indebted to him and to the folks at Apple who helped to produce some of my favorite products like the Mac, the iPod, and the iPad.
Jobs also said a lot of things that still resonate with me. Recently Apple introduced a "classic Mac" screensaver that shows how carefully designed the original Mac GUI was. I'm sure nobody misses the days when app bugs could crash the OS, but I wish Apple were as obsessive about detail now as they were back then.
Now that I'm becoming an old man, I've taken the time to go back and listen to him properly, to analyze his thoughts and words a bit more contextually, and I've come to believe that Steve Jobs was quite misunderstood, both by us, and by himself. When I miss him I think: his thoughts were so very refined for his time, it is quite incredible and I wish he was around to hear more of them. I guess I'm a fan? Oh well...worse things to be.
(the article is good but giving you the hn for comments too: https://news.ycombinator.com/item?id=2131299)
He's definitely misunderstood. If you read his biography it's incredible how much the author of it misunderstands, but if you read between the lines you can see through them. In particular you should note how he changes before and after getting married.
The biography is really awful though. It constantly misquotes people - Bill Gates is directly quoted as saying something so technically inaccurate he can't possibly have said it.
I also remember that every time his son is quoted it's because he was telling a dick joke. At one point the book claims this is why Apple Park is a circle. Why the author did this is not clear to me.
(Btw, I have an unreported Jobs story about this myself. Actually two. I'm not going to tell them, so feel free to just imagine.)
I don’t remember many details from the biography at this point, but I remember not liking it either. It seemed like it was written with the assumption the reader already knew about Steve’s more public life and career, and skipped over much of it. It didn’t feel like it would be a good source for future generations to learn about Steve, as it seemed to largely ignore the entire reason a book was being written about him. I also remember it seeming largely negative, trumpeting the views of critics, while downplaying the good to balance it out. Though this could also be my memory fading, feel free to correct me if I’m wrong.
It was my first Isaacson biography, and didn’t leave me excited for another one.
I still think about how he tried to cure cancer with crystals and then when that didn’t work he used his wealth to get residency in a different state to jump in line for a transplant and still died before his yacht got completed. I don’t misunderstand him at all. Especially the parking in handicap spaces part. Very easy to understand what kind of person he was through his actions. Perhaps we will never see eye to eye, and I feel posts like yours do deserve legitimate opposition as applicable.
> Do I contradict myself?
> Very well then I contradict myself,
> (I am large, I contain multitudes.)
When you speak ill of Jobs you are speaking on his moral character. When others (incl. myself) speak positively on Jobs, they are speaking on his design, business, and life philosophies, which are quite profound. [0]
How you want to weigh the two is up to you, but it is not a contradiction to say someone contains both good and bad.
[0]: https://youtu.be/cHuqhQmc4ok
Ok, but more or less everyone is going to have a few things about them that you’re not going to like. When your whole life is up for scrutiny and you have unlimited resources, that’s how it is. If you had a billion dollars there’d be plenty of things people would criticize about you. And anybody else who did too.
He didn’t jump the line, he just got in multiple lines.
Sure. On the one hand, everything adhered to the letter of the law. On the other, he used his money to get served before other people in an otherwise similar position would have been able to do.
I personally view that as more of a failing in the system itself (why are there multiple lines to begin with when organ transport is a solved problem?), but it's not unreasonable to look at somebody exploiting that broken system and question their character.
I know very few people who wouldn't use their wealth to try to save their lives, or that of their loved ones. It's kind of what wealth is for.
You know that's still bad right?
Why do you only pay the minimum amount of tax?
There's plenty to not like about Jobs as a person, but Apple exists because of him (twice).
[dead]
You have delusions of grandeur.
It's not just about the products themselves, but the philosophy behind them. He had this relentless obsession with making technology feel right (it is all from my perspective)
Jobs was more than a tech billionaire. He was someone who had refined personal taste and stood on values and was willing to do what it took to see them through, despite the friction.
And the outcome was a computing company that was waaaay less mediocre than 99% of these other memetic, mediocre gradient-descent chasing privacy-abusing, ad-supported companies.
Apple has raised the bar so high. And the DNA of what is manifesting is Steve’s insistence and vision followed by Tim’s clarity of execution.
Look at the Apple Architecture moves. They got Intel’s hot, slow CPUs out of the device. And replaced them with excellent, quiet, fast, efficient CPUs, with UMA and great features.
It’s hard to nail every detail when you have the surface area of Apple 2025. A huge huge company with billions of users and dozens of device families and services. But the bar is high for most of what they do.
> why would you miss a tech billionaire anyway
Because we miss new instances of the great products they created to earn all that money.
I could easily be wrong about this but I don't believe Jobs or anyone else at Jobs-era Apple became a billionaire because of it. Because of early infighting/getting fired, ownership was too dispersed for that.
He became a billionaire because Disney bought Pixar.
So what?
Steve believed at his core that locking down devices was the best way to extract business value from users. That's why you can't install any apps without telling Apple or get your location without sending it to Apple. He also believed very strongly in good marketing, and he jumped on privacy marketing very quickly after the Facebook - Google privacy spat that coincided with the failure of iTunes Ping.
The company shift to privacy was more about getting pulled in front of Congress over the location data being accessible via USB as part of iTunes backup:
Source: people who were at Apple during that time period.
Example: https://www.nbcnews.com/news/world/government-officials-want...
I think people underestimate how traumatic it was culturally to Apple and how Apple generally experiences comparatively little turnover vs their other major tech peers, so the responses to those traumas linger. Same with the brouhaha over the CSAM tech that they attempted to bundle into the iPhone that ostensibly was trying to preserve your privacy and they instantly got smacked down over it.
> He also believed very strongly in good marketing, and he jumped on privacy marketing very quickly after the Facebook - Google privacy spat that coincided with the failure of iTunes Ping.
I have two thoughts about this.
One, if you tell yourself a story strongly enough, it becomes real. Especially when you can structure the company to force it to become real.
Two, "marketing" is usually used disparagingly to mean something like "advertising that brainwashes customers into wanting something", but it's more like "knowing what people are going to want by the time it's ready to ship". It doesn't necessarily even include advertising. So in this case people do want privacy.
> "knowing what people are going to want by the time it's ready to ship"
Isn't that Product rather than Marketing?
Same function at Apple. There isn't a separate "product" division and there aren't "PMs" with power (though there are some job site postings for them… in the marketing division.) That doesn't make sense at a functionally organized company where the execs and designers decide everything - Jobs and Ive were the "product" people.
IIRC the advertising people are called Marcom or "marketing communications".
That seems very unlikely since nothing of that sort was ever attempted by Jobs on their desktops.
I'm not sure it's so much about extracting value exactly but Jobs long believed in making sealed appliances that people couldn't and wouldn't have to tinker with as opposed to more easily modifiable computers sold by competitors.
https://folklore.org/Diagnostic_Port.html
> Expandability, or the lack thereof, was far and away the most controversial aspect of the original Macintosh hardware design. Apple co-founder Steve Wozniak was a strong believer in hardware expandability, and he endowed the Apple II with luxurious expandability in the form of seven built-in slots for peripheral cards ...
> This flexibility allowed the Apple II to be adapted to a wider range of applications, and quickly spawned a thriving third-party hardware industry.
...
> Apple's other co-founder, Steve Jobs, didn't agree with Jef about many things, but they both felt the same way about hardware expandability: it was a bug instead of a feature. Steve was reportedly against having slots in the Apple II back in the days of yore, and felt even stronger about slots for the Mac. He decreed that the Macintosh would remain perpetually bereft of slots, enclosed in a tightly sealed case, with only the limited expandability of the two serial ports.
> Mac hardware designer Burrell Smith and his assistant Brian Howard understood Steve's rationale, but they felt differently about the proper course of action. Burrell had already watched the Macintosh's hopelessly optimistic schedule start to slip indefinitely, and he was unable to predict when the Mac's pioneering software would be finished, if ever. He was afraid that Moore's Law would make his delayed hardware obsolete before it ever came to market. He thought it was prudent to build in as much flexibility as possible, as long as it didn't cost too much.
> Burrell decided to add a single, simple slot to his Macintosh design, which made the processor's bus accessible to peripherals, that wouldn't cost very much, especially if it wasn't used. He worked out the details and proposed it at the weekly staff meeting, but Steve immediately nixed his proposal, stating that there was no way that the Mac would even have a single slot.
> But Burrell was not that easily thwarted. He realized that the Mac was never going to have something called a slot, but perhaps the same functionality could be called something else. After talking it over with Brian, they decided to start calling it the "diagnostic port" instead of a slot, arguing that it would save money during manufacturing if testing devices could access the processor bus to diagnose manufacturing errors. They didn't mention that the same port would also provide the functionality of a slot.
> This was received positively at first, but after a couple weeks, engineering manager Rod Holt caught on to what was happening, probably aided by occasional giggles when the diagnostic port was mentioned. "That thing's really a slot, right? You're trying to sneak in a slot!", Rod finally accused us at the next engineering meeting. "Well, that's not going to happen!"
> Even though the diagnostic port was scuttled, it wasn't the last attempt at surreptitious hardware expandability. When the Mac digital board was redesigned for the last time in August 1982, the next generation of RAM chips was already on the horizon. The Mac used 16 64Kbit RAM chips, giving it 128K of memory. The next generation chip was 256Kbits, giving us 512K bytes instead, which made a huge difference.
> Burrell was afraid the 128Kbyte Mac would seem inadequate soon after launch, and there were no slots for the user to add RAM. He realized that he could support 256Kbit RAM chips simply by routing a few extra lines on the PC board, allowing adventurous people who knew how to wield a soldering gun to replace their RAM chips with the newer generation. The extra lines would only cost pennies to add.
> But once again, Steve Jobs objected, because he didn't like the idea of customers mucking with the innards of their computer. He would also rather have them buy a new 512K Mac instead of them buying more RAM from a third-party. But this time Burrell prevailed, because the change was so minimal. He just left it in there and no one bothered to mention it to Steve, much to the eventual benefit of customers, who didn't have to buy a whole new Mac to expand their memory.
Related thread, "Apple rearranged its XNU kernel with exclaves", https://news.ycombinator.com/item?id=43314171
An overview from that piece:
> exclaves refer to specific resources that are separated from the main kernel (XNU) and cannot be accessed by it, even if the kernel is compromised
Also interesting:
> It’s not uncommon for mid-cycle releases of macOS to gain new features in preparation for the next major version. Perhaps the most fundamental and significant added to Sonoma 14.4, together with iOS 17.4, iPadOS 17.4 and watchOS 10.4, are exclaves.
https://eclecticlight.co/2024/08/20/sonomas-unfinished-busin...
> In macOS 15 and later, creation of a VM running macOS 15 or later can configure an identity derived from the host Secure Enclave, enabling access to resources requiring Apple ID including iCloud. This is accomplished using an exclave of the Secure Enclave.
This is not correct
For what it's worth, this article is much better.
For more detail, there's a 3-part series on iOS SPTM and TXM:
Aug 2023, https://www.df-f.com/blog/ios17
Nov 2023, https://www.df-f.com/blog/ios-17round2
Feb 2025, https://www.df-f.com/blog/sptm3
Somewhat less detail, actually.
DF blog series source reference, https://randomaugustine.medium.com/on-apple-exclaves-d683a2c...
They are being polite. The Dataflow blog post barely goes beyond running strings.
> They are being polite.
Are they? The article's closing paragraph advertises a _future_ Dataflow blog post to the reader. Their follow-up March correction is consistent with the Dataflow Feb summary, https://randomaugustine.medium.com/more-speculation-on-excla...
Yes, they're saying that there's some stuff they didn't cover, and they hope the Dataflow people will. But the first couple didn't really answer much so I'm not particularly hopeful.
100% agree.
The discussion has been underwhelming:
I read TFA and wasn't sure what to even make of it.
That is underwhelming! (But also.. that's *this* discussion.. and the other discussion is already linked by GP.. so I'm not really sure what you're aiming for here)
Only attempting to share information. Is there an unstated next step (or next-next step) given Apple's moves?
A gentle suggestion for a more interesting / entertaining article currently on the front page with a glance: https://news.ycombinator.com/item?id=43311696
Hatching a Conspiracy: A BIG Investigation into Egg Prices
https://www.thebignewsletter.com/p/hatching-a-conspiracy-a-b...
P.s. @gnabgib thanks for all your excellent dupe postings! I used to do a lot but life got busier. You are appreciated.
Edit: @thrdbndndn: My bad, yes this submitted article is the one that sucks. Thank you! If you delete your reply it will make things less confusing, but no worries and best wishes.
He's saying you're posting the HN URL of this very discussion to.. this discussion.
Who is this author? It’s a very elaborate, well-written post. Great job. Having followed exclaves myself, this is well done.
This was an incredibly well-researched and well-written deep dive. It's rare to see such a thorough breakdown of something as technical as exclaves while still making it engaging to read.
I wonder how this will affect macOS security, since SPTM is not used according to Apple documentation: https://support.apple.com/guide/security/operating-system-in...
For now, I think existing exclaves such as the one that displays the camera indicator do not really apply to macOS (since MacBooks have dedicated hardware for that), but in the future there might be exclaves that do.
> since SPTM is not used according to Apple documentation:
Try reading that footnote again:
> Note 2: Page Protection Layer (PPL) and Secure Page Table Monitor (SPTM) enforce the execution of signed and trusted code on all platforms with the exception of macOS (because macOS is designed to run any code). All of the other security properties, including the protection of page tables, are present across all supported platforms.
It doesn't say macOS doesn't use SPTM. It says macOS doesn't use SPTM to prevent running unsigned code, since macOS is supposed to allow unsigned code (after the user jumps through some hoops).
That document is wrong and has been wrong for years (FB13803014)
I'm not familiar with that level of knowledge, but from the look of it you can attack the enclave itself to escalate privilege higher than the kernel enjoys? Is this piece of hardware something like a co-processor?
An exclave isn’t hardware, it’s an isolated piece of software that deals with a certain sensitive operation that you don’t want the kernel to have access to. So if you exploit it, then yes you have access to something that the kernel doesn’t–but that’s the point, because the goal is if you exploit the kernel you shouldn’t get access to that.
If it’s all in software but the kernel has lower privileges, I’m curious how they’ll be able to update it? And if there is an API to update via the kernel, what’s stopping a push via a malicious source pretending to be Apple?
I don't think it is accurate to say that the kernel has lower privileges. It's just something the kernel isn't allowed to do, while the exclave has a list of things it isn't allowed to do. Also exclaves are shipped with normal software updates (verified by the boot chain, not the kernel).
Oh thanks for the explanation!
I wonder if it's possible for app devs to use Exclaves. The thing that irks me about Apple is that they invent this new amazing internal stuff but then completely wall it off from devs, leaving everyone else (banking apps, wallets, secure messaging, etc.) to continue running in unsecured user space.
Currently no.
Very interesting
My crusty squinty morning eyes read that as “it can lead to a complete system compromise, as all the operating system’s functions are bundled together in the kernel’s single “breakfast of eggs”.” .. now I wish this was the idiom.
> Apple may use SPTM to manage transitions between the secure and insecure worlds
This, because they don’t have TrustZone
Why doesn't Apple use TrustZone?
You'd have to ask them. My general guess is they design their own stuff first and then try to get it standardized.
What impact does this have on the user?
It makes your device more secure.
If most of the stuff the user cares about is inside the "Insecure World" bubble of the diagram, then this whole business is, like, for shit.
It serves only the platform provider, who can decide which programs may or may not be installed based on whether they are aligned with or against their competitive interests.
This is about process privilege. Apps and services are a layer above.
This is just plainly false. Passkeys, biometrics, app permissions, and a suite of other user-centric privacy features have clear benefit from strong isolation from an "insecure world" kernel.
How so? Isn’t this just the xkcd authorization model?
https://xkcd.com/1200/
I tried to read the article, and know what all the words mean (sel4, enclaves, virtualization primitives, etc.).
It all seems very complicated and error prone, but I couldn’t figure out what the attack model is, or what the security objectives are.
Eg, what sorts of things run in exclaves, and under what circumstances will a persistent kernel level compromise on my laptop protect those things?
Delegating key derivation and/or password validation, combined with secure UI state indication, to a more secure execution environment can be a big win for security, for example.
I could imagine a passkey implementation with some extensions that allow securely presenting what the user is consenting to and how ("enter your payments PIN or password now to confirm a payment of $x to merchant y").
It's of course even better to do that in tamper-proof security coprocessors such as Apple's secure enclave, but TEEs have the big advantage of having access to much more memory and faster processing, which allows doing more complicated things there more easily.
They can also always lean on the secure hardware for actual key management, but handle more complex user interface operations in an environment that's still more secure than the main OS.
Android has supported something just like that years ago with "protected confirmation" [1], but unfortunately it's only available on Pixel phones and hasn't really been picked up by app developers as a result; the situation for Apple is of course very different, so I have some hopes that if they launch something comparable it could actually see some adoption.
[1] https://android-developers.googleblog.com/2018/10/android-pr...
This is apparently already a thing
The most likely attack model I can imagine is that a jailbroken phone still won’t be able to violate certain functionality (eg a recording LED remains lit, various supervisor functionality can’t be disabled, etc)
Oh; so the camera LED and camera data path would run a remote attestation protocol with the exclave, and the exclave would make sure the led is on whenever it’s forwarding on data from the camera?
(Though I’m not convinced that will actually work on modern apple devices, where the led is pixels that run through the compositor — I guess the video driver stack and window managers are also exclaves in this world?)
I'm not sure how complex modern display controllers are, but I could imagine a simple priority hardware overlay functionality that an exclave has access to (similar to the dedicated "cursor overlay" functionality some older GPUs had, as far as I understand).
Once you have that, you can take the idea further: Displaying an indicator that confirms that all your keystrokes are going to an exclave validating your password, for example.
The much-hated touch bar actually enabled just that, for Apple Pay payments, as far as I remember: It could display something like "touch to confirm payment of $x" on its own screen in a way that was impossible to manipulate from macOS – now here's an opportunity to bring that level of security back without requiring a dedicated display or taking away people's beloved function keys.
They should have done half height function keys and kept the Touch Bar. Best of both worlds.
The article mentions the display controller runs an Apple OS so I could see there being a secure way for an exclave to call into it for the onscreen indicators.
I would expect that to mean they're not included in screenshots so I'm curious now whether that's true for the iPhone 16.
What he misses is "tamper evidence."
In order to do those things I have to actually steal his laptop. Which would be obvious to him. It also implicates me.
If I could just remotely install a driver I don't need to worry about any of that and I can steal remotely and anonymously.
Can’t you just remotely install a keylogger (e.g. a modified version of zoom)?
If it's running as their user account then they can see it and remove it. The point of the admin account is to prevent this by obfuscation and permission hijack.