More details of FactoryTrust

Author: rickmark

_data/terms.yaml

@@ -793,6 +793,10 @@ term_list:
   - title: Time Zone
   tz0:
   - title: TrustZone for SEP
+  SCIP:
+    - title: System Coprocessor Integrity Protection
+  KIP:
+    - title: Kernel Integrity Protection
   tz1:
   - title: TrustZone for AP (Trusted Boot Monitor)
   UART:

wip/Factory_Threat_Model.md

@@ -56,27 +56,64 @@ By fixing hashes to a sequence of zeros, once a APTicket is issued it may be re-
 Zero keys can be observed both the for xART root UUID (00000000-0000-0000-0000-000000000000) as well
 as the initial values for BNCH domain nonces.
 
-## HyperVisor `hypr`, Application Partitions `appv`, Root Domain (`hyp0`) and `0Cfg`
+## HyperVisor `hypr`, Application Partitions `appv`, Root Domain (`hyp0`) and `hyp0`'s SysCfg `0Cfg`
 
 For Apple systems historically the `hypr` role is filled by the SPTM, but with newer Apple Silicon
 this have moved from EL2 to Guarded Execution Roles.
 
+In "self hosted factory trust" the `hyp0` partition is used to act as the restoring station, and
+a `hypX` partition is the restored station.  This manifests in the FDR cached data as unlabeled
+parts (those without any prefix such as `fCfg`, `dCfg`, etc), those of the `hyp0` host station
+(`mansta`) and those of the restored device station `mandev`.  This allows the `fSys` or Firmware
+SysCfg and `0Cfg` or `hyp0` domain 0 SysCfg to be stored at the root NOR part, while EAN can be
+leveraged for the per OS `fCfg`
+
 ### `hyp0` XNU and the TXM
 
-EL2 execution, as well as the initial
+EL2 execution begins for consumer builds with the setup of the PPM (Largely replaced by Trusted
+Execution Monitor and Exclaves).  For classical setup, the hypervisor component is loaded, followed
+by `hyp0` (analogous to XEN `dom0`).
 
 ## Re-entrant iBoot and SEP
 
+To support differing versions of the SEPOS and related services the device root SEPROM will load
+the system level `sepf`,`sepi`
+
 ## iBoot (`ibot`), iBoot Data (`ibdt`), secondary iBoot (`)
 
 ## Usage of Local Policy and Local Trust Keys
 
 ## FDR, Managed Station and Managed Device
 
+FDR or "SysCfg in the Cloud" allows blobs of data to be retrieved by the restoring system through
+a proxy mechanism implemented by the restore station.  This permits the restoring device to
+request and retrieve the 4CC binary objects for placement onto persistent memory.  There are multiple
+trust primitives in the FDR system:
+
+* The `trst` or at rest signing certificate
+* The `rssl` or TLS trusted root certificate for communications with the FDR service
+* The `rvok` or revoked Certificate / Key list
+* The `trpk` or trusted public keys (additional to the one in the `trst` certificate)
+  normal restore process appears to contain the `trst`, `rssl`, an empty `rvok` and no `trtk`.
+  Factory trusted installs seem to contain a `trpk` that is a sequence of public keys that may
+  additionally be used.
+
 ## Communication with `hop0` via RemoteXPC
 
+The HyperVisor Partitions are connected using synthetic USB NCM/CDC devices, usually annotated as
+apniX (Apple Private NCM Interface).  This provides a transport mechanism between the domains over
+the virtualized USB and IPv6 Fabric similar in nature to the system utilized by the T1/T2 chips.
+For this reason the `/usr/libexec/remotectl` command line app can be used to interrogate the remote
+system's `remoted` service.
+
 ## Dual NVMe Endpoints, and Emulated Apple NOR
 
+The Apple NAND Storage 2/3 components are capable of multiple endpoints, where each endpoint
+is a configuration of mappings of LBAs (Logical Block Addresses) to Namespaces, with a given type.
+On systems where a hypervisor is used, typically two such endpoints can be observed, the "true" or
+"root" endpoint, as well as a shadow mapping used for the guest operating system thereby allowing
+a different set of namespaces and their LBAs
+
 ## Custom Sequencing via the PMGR
 
 ## The Trust Object, and Embedded Trust Keys `trpk`