Hacker News new | ask | show | jobs
by DannyBee 900 days ago
This would make sense if it was a one-off.

But apple has hundreds of debug registers. They have >1000 apple-specific MSR registers in the M3, which can be used to bypass/test lots of things, not just this, if you have enough permissions.

They were historically not locked down for the most part, just undocumented.

Apple has MSR lockdown registers that let them lock down access to MSR's (which only makes it harder, you can unlock access again later, but it means you have to be able to write the lock MSR to unlock them), and the latest kernels now lockdown most MSR's.

XNU also even has code to inject AMCC/DCS/ECC errors for testing.

Almost all of these can be seen from the KDK, and it's been that way for years.

This specific thing being a backdoor is totally implausible as a result. It's almost certainly not the only test mechanism that could be exploited due to some bug.

The CPU registers are MMIO accessible, like the GPU ones, but protected through various mechanisms that the GPU ones are not, by design (the GPU has no IOMMU).

It is much more likely they paid an insider for access to the GPU register names/info, or found it through a leak, and then started trying to see what they could do with the info, than it is that the entire thing, top to bottom, was an intentional backdoor.
2 comments
seanhunter 899 days ago
That makes sense. Thanks for taking the time to explain.
link
DannyBee 899 days ago
I'll go a little further on why i think it's not a backdoor.

If you look at the debug info in the Kernel dev kits, you can see the internal SDK (which has existed forever - i had access to it 2 decades ago when i was working on compilers at IBM, for apple) has chip/register info in it:

    DW_AT_decl_file             0x00000014 /AppleInternal/Library/BuildRoots/8a51e4ad-7e8b-11ee-8cd8-2a65a1af8551/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.Internal.sdk/usr/local/include/EmbeddedHeaders/soc/module/dart_v14.h

    DW_AT_decl_file             0x00000017 /AppleInternal/Library/BuildRoots/8a51e4ad-7e8b-11ee-8cd8-2a65a1af8551/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.Internal.sdk/usr/local/include/EmbeddedHeaders/soc/module/p_acc0_v5.h
Just some examples. The first one is a header file containing the register names/structures/flags etc for the DART. The second is for recent p-cores. etc

Depending on what the kernel uses, sometimes they accidentally leak most of the data (more than once).

So for example, the current XNU debug info leaks the register bits/structure of the hid18 register (a p-core register):

https://gist.github.com/dberlin/ec277fc61c33419e658a17f743e1...

(I put this in a GIST because i am too lazy to try to get the formatting right in-comment)

So you can see the bits of HID18 and what they mean, just from the debug info.

Now, current XNU dumps contain info on 2-3 registers like this out of the thousand+.

But, the header files contain all the data, presumably, on CPU, GPU, DART, etc.

They have also leaked much more before.

Regardless, it is much more likely to me that someone got a recent internal SDK (which again, was at least shared with partners at various points in time), went looking through the header files, and then started testing things out, than it is to me that they engineered a backdoor from scratch into the GPU.

link
philistine 900 days ago
If you wanted to backdoor Apple's chipset, you wouldn't build one that could be closed through software without any impact whatsoever.
link