[xerxe-sans-s]

So would a signature check on the trusted layer against a signature generated with the device id (you'd need to distribute a different binary against every device id) permit the generation of an OS image that could only run on a single device?

[cbsmith]

It would, in theory. If there weren't any catches with this approach though... Apple could have avoided having itself in this position in the first place.