by pfg
3773 days ago
I would imagine the firmware signing key is stored on a Hardware Security Module (HSM). Devices like that are tamper resistant (for example, they might be configured to delete the key if someone is messing with the device). HSMs generally support signing operations, so it's likely the key doesn't leave the device at all. They might be using a configuration with shared secrets (smart card + PIN, etc.) where at least n shares need to be present to operate the HSM. Those secrets are probably held by a small number of high-level Apple employees. It's probably similar to the DNSSEC Root Signing Ceremony[1]. Well, hopefully slightly less insane.

[1]: https://www.cloudflare.com/dnssec/root-signing-ceremony/