by jmbwell
1399 days ago
I'm trying to think how you could reliably, securely hash one volume while running a potentially untrusted system from another volume. I imagine this can be done, but I'd be guessing as to how. For now, I suspect Apple has thought this through and has determined that booting the system into a known-cryptographically-clean state is the best method at hand for reducing the risk of a compromise/failure in the process of signing the system volume. FWIW, APFS snapshots do at least provide an instant rollback mechanism, whereby a failure to install and sign the updates to the new temporary snapshot does not destroy the previous system. So what you describe seems reasonable and potentially feasible.