Startup security setting for macOS

Is there any way to tell the startup security setting of a macOS system without having to shut down the system? Is there any indication anywhere, perhaps in System Settings, that shows the startup security state of the system?


Thanks very much.


Posted on Jun 27, 2024 8:51 AM

Question marked as Top-ranking reply

Posted on Jun 27, 2024 10:34 AM

On your M1 SoC— list of information about LocalPolicy


See what comes up here, I would be curious and report back—

sudo bputil -d



*You can read more:

man bputil | more




About the flag


-d, --display-policy


Display the detailed contents of the LocalPolicy. This will show specific 4-character “tags” in the Apple Image4 data structure which is used to capture the customer-specified security policy.



note: “This utility is not meant for normal users or even sysadmins. It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as the Startup Security Utility in macOS Recovery.”

Jun 27, 2024 9:09 AM in response to Tom Wolsky

Tom Wolsky wrote:

Is there any way to tell the startup security setting of a macOS system without having to shut down the system? Is there any indication anywhere, perhaps in System Settings, that shows the startup security state of the system?

Thanks very much.


Is this a T2 chip Mac...(?)


From the Terminal.app, copy & paste:

nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy


The output will return one of the following:

• %02 - Full Security Mode

• %01 - Medium Security Mode

• %00 - No Security Mode


If the variable is not found, Apple Secure Boot is not supported.

ref: About Startup Security Utility on a Mac with the Apple T2 Security Chip - Apple Support


Jun 27, 2024 11:30 AM in response to leroydouglas

Your note is quite right. It's way, way beyond my ken, in another universe.


This is what I got:


sudo bputil -d

Last login: Thu Jun 27 13:23:49 on console
tom@Toms-MacBook-Pro ~ % sudo bputil -d
Password:
This computer has several macOS installations:
  1: C48CE465-40D9-481A-8734-3666A5984B89
  2: 7F1FF143-1171-4255-8BB9-C23666EB3BA1
  3: AEE454C1-9089-455E-9946-3BD10F4C123B
  4: 4512DCA5-E647-4FEB-A266-E97550E97B53

Pick a macOS installation (1..4): 1

Current local policy:
OS environment:
OS Type                                       : macOS
OS Pairing Status                             : Not Paired
Local Policy Nonce Hash                 (lpnh): 674AE82D5DD2B480317133E2D52614CE781BC08C2F02FD4C4BEECB7719BEC46CB07043D65F7BB7F6DE0B274F062F105E
Remote Policy Nonce Hash                (rpnh): 1A7B4F12F13FAD7EBE8B21CC57DE422BEC5F53F3FD096056C905C84B9F96ADAD3DF678D70B5342195828229C5A6A5856
Recovery OS Policy Nonce Hash           (ronh): 4065B50096023D80CEFBDFECD02EDDDA4607E6D876A8923F3C319B81291DA471C825A0D2ED762A49924BA6F3BC86B3E9

Local policy:
Pairing Integrity                             : Valid
Signature Type                                : BAA
Unique Chip ID                          (ECID): 0x1A713601F8801E
Board ID                                (BORD): 0x8
Chip ID                                 (CHIP): 0x6001
Certificate Epoch                       (CEPO): 0x1
Security Domain                         (SDOM): 0x1
Production Status                       (CPRO): 1
Security Mode                           (CSEC): 1
Local Boot                              (lobo): 1
OS Version                              (love): 22.7.807.0.0,0
Volume Group UUID                       (vuid): C48CE465-40D9-481A-8734-3666A5984B89
KEK Group UUID                          (kuid): 265E5B84-4F6B-43BF-996E-426A878922DE
Local Policy Nonce Hash                 (lpnh): 674AE82D5DD2B480317133E2D52614CE781BC08C2F02FD4C4BEECB7719BEC46CB07043D65F7BB7F6DE0B274F062F105E
Remote Policy Nonce Hash                (rpnh): 1A7B4F12F13FAD7EBE8B21CC57DE422BEC5F53F3FD096056C905C84B9F96ADAD3DF678D70B5342195828229C5A6A5856
Next Stage Image4 Hash                  (nsih): B37F144001F4F69C047BC06322349E4EBD5DCB42F20E5CD7C4558AA58D317118EA475809719B3E41E5EDE98BD94E83BA
Cryptex1 Image4 Hash                    (spih): 00CEB78ECB13E09125DF324364FB47F1CECCC0D58E41E50A9FBB95AACB15D9CF11C93B00138DD1A4074E40B6C82DD361
Cryptex1 Generation                     (stng): 195
User Authorized Kext List Hash          (auxp): absent
Auxiliary Kernel Cache Image4 Hash      (auxi): absent
Kext Receipt Hash                       (auxr): absent
CustomKC or fuOS Image4 Hash            (coih): absent
Security Mode:               Reduced    (smb0): 1
3rd Party Kexts Status:      Disabled   (smb2): absent
User-allowed MDM Control:    Disabled   (smb3): absent
DEP-allowed MDM Control:     Disabled   (smb4): absent
SIP Status:                  Enabled    (sip0): absent
Signed System Volume Status: Enabled    (sip1): absent
Kernel CTRR Status:          Enabled    (sip2): absent
Boot Args Filtering Status:  Enabled    (sip3): absent
tom@Toms-MacBook-Pro ~ % 

Jun 27, 2024 4:23 PM in response to Tom Wolsky

Tom Wolsky wrote:

Your note is quite right. It's way, way beyond my ken, in another universe.


There is quite a bit in there.


For your purposes above, this seems relevant...

< Security Mode:       Reduced  (smb0): 1 >


There has to be a comprehensive table somewhere describing the Security Mode setting— you're reduced.


Similar maybe to the Intel output.



I will note there is more verbiage when using this command:

“This tool is not to be used in production environments. It is possible to render your system unbootable with this tool. It should only be used to understand how the security of Apple Silicon Macs works. Use at your own risk!”
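To tie the two checks in this thread together, here is an added example (not code from the thread or from Apple) that maps the T2 nvram value from the earlier reply and the smb0 line of bputil -d discussed above to the mode names given here. The sample command outputs are constructed, and reading an absent smb0 as Full Security is an assumption based on Full Security being the default policy.

```shell
#!/bin/sh
# Added example (not from the thread): read the startup security state
# from the two commands given above, without rebooting.
#   T2 Macs:        nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy
#   Apple silicon:  sudo bputil -d
# The functions take the captured command output as a string so the logic
# can be exercised offline; on a Mac, pass "$(command ...)" as at the bottom.

# T2: nvram prints "<key><TAB><value>", the value being a percent-escaped byte.
t2_secure_boot_mode() {
    value=$(printf '%s\n' "$1" | awk -F '\t' '/AppleSecureBootPolicy/ { print $2; exit }')
    case "$value" in
        '%02') echo "Full Security" ;;
        '%01') echo "Medium Security" ;;
        '%00') echo "No Security" ;;
        '')    echo "not supported (variable not found)" ;;
        *)     echo "unknown value: $value" ;;
    esac
}

# Apple silicon: return one LocalPolicy tag's value from "bputil -d" output,
# e.g. bputil_tag "$out" smb0 -> "1"; tags bputil prints as "absent" yield "absent".
bputil_tag() {
    printf '%s\n' "$1" | awk -v tag="($2)" 'index($0, tag) { sub(/.*\): */, ""); print; exit }'
}

# smb0 = 1 is Reduced Security, as in the output above. Reading an absent smb0
# as Full Security is an assumption (Full Security is the default policy).
apple_silicon_security_mode() {
    mode=$(bputil_tag "$1" smb0)
    case "$mode" in
        1)      echo "Reduced Security" ;;
        absent) echo "Full Security (assumed from absent smb0)" ;;
        '')     echo "smb0 tag not found in input" ;;
        *)      echo "other security mode (smb0 = $mode)" ;;
    esac
}

# Constructed samples (not real device output) so the script runs anywhere.
SAMPLE_T2=$(printf '94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy\t%%02\n')
SAMPLE_BPUTIL=$(printf 'Security Mode:               Reduced    (smb0): 1\nSIP Status:                  Enabled    (sip0): absent\n')

echo "T2 sample:            $(t2_secure_boot_mode "$SAMPLE_T2")"
echo "Apple silicon sample: $(apple_silicon_security_mode "$SAMPLE_BPUTIL")"
echo "sip0 tag:             $(bputil_tag "$SAMPLE_BPUTIL" sip0)"
# Live use on the Mac itself (bputil needs sudo and asks which installation to inspect):
# t2_secure_boot_mode "$(nvram 94b73556-2197-4702-82a8-3e1337dafbfb:AppleSecureBootPolicy 2>/dev/null)"
# apple_silicon_security_mode "$(sudo bputil -d 2>/dev/null)"
```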
