cryptexctl-personalize(1)        General Commands Manual        cryptexctl-personalize(1)

NAME
     cryptexctl personalize — personalize a cryptex from a cryptex bundle

SYNOPSIS
     cryptexctl personalize [--replace] --identity-plist IDENTITY-PLIST --variant VARIANT
          PATH-TO-CRYPTEX-BUNDLE

     cryptexctl personalize [--host-identity] [--replace] --variant VARIANT
          PATH-TO-CRYPTEX-BUNDLE

     cryptexctl personalize [--replace] [--ALGO CRYPTO-ALGORITHM] [--CEPO CERTIFICATE-EPOCH]
          [--BORD BOARD-ID] [--CHIP CHIP-ID] [--ECID ECID] [--SDOM SDOM]
          [--CPRO CERTIFICATE-PRODUCTION-STATUS] [--CSEC CERTIFICATE-SECURITY-MODE]
          [--EPRO EFFECTIVE-PRODUCTION-STATUS] [--ESEC EFFECTIVE-SECURITY-MODE]
          [--BNCH NONCE-HASH] --variant VARIANT PATH-TO-CRYPTEX-BUNDLE
DESCRIPTION
     cryptexctl personalize personalizes a cryptex(5) from a cryptex bundle. The result will be a
     cryptex bundle with the same name as the original bundle but with a "signed" suffix. An im4m
     asset will be added to the signed cryptex bundle at the following path:

           ./Restore/Cryptex/<Cryptex Name>/im4m

     The cryptex will be personalized for the target device by sending measurements of the disk
     image content and the identity of the device to Apple's trusted signing service
     (tss.apple.com).

     In most cases the device identity will be retrieved by cryptexctl personalize from either the
     host, if the host is running a cryptexd(8) daemon, or from a connected device (see the --udid
     option on the root cryptexctl(1) command). If the device cannot be connected directly, the
     identity can be specified either on the command line directly or using the --identity-plist
     argument. See DEVICE IDENTIFIERS.
OPTIONS
     A list of options with their descriptions. See DEVICE IDENTIFIERS for the identity arguments.

     Required:

     -V | --variant VARIANT

     Optional:

     -o | --output-directory OUTPUT-DIRECTORY

     -r | --replace

     -I | --identity-plist IDENTITY-PLIST
           CRYPTEXCTL_CREATE_IDENTITY. For an example of such a property list, see EXAMPLES.

     -H | --host-identity

     -M | --allow-mix-n-match

     -z | --research
DEVICE IDENTIFIERS
     The following components comprise a host identity for cryptex creation. For more information
     about these tags and the personalization process, see cryptex-image4(7).

     These tags can be retrieved from a device with cryptexctl-identity(1) for offline
     personalization, or retrieved automatically for the host or a connected device.

     For convenience the identity can be specified as a property list with --identity-plist. The
     property list's root node is a dictionary containing a set of key-value pairs, one for each
     aspect of the device identity. The keys are the same as the argument names (BORD, CHIP, etc.).

ENVIRONMENT
     CRYPTEXCTL_CREATE_IDENTITY
           --identity-plist. This is useful when personalizing for an offline or disconnected
           device.

     CRYPTEXCTL_UDID
           --udid option is not specified and there is no cryptexd(8) daemon on the host. See
           cryptexctl(1) for more information about CRYPTEXCTL_UDID.

EXAMPLES
     The following is an example of the content of a property list that might be passed to
     --identity-plist to personalize for an offline device.
           <?xml version="1.0" encoding="UTF-8"?>
           <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
           <plist version="1.0">
           <dict>
                   <key>ALGO</key>
                   <string>sha2-384</string>
                   <key>CEPO</key>
                   <string>0x0</string>
                   <key>BORD</key>
                   <string>0x6</string>
                   <key>CHIP</key>
                   <string>0x8015</string>
                   <key>ECID</key>
                   <string>0x184d610044a83a</string>
                   <key>SDOM</key>
                   <string>0x1</string>
                   <key>CPRO</key>
                   <false/>
                   <key>CSEC</key>
                   <true/>
                   <key>EPRO</key>
                   <false/>
                   <key>ESEC</key>
                   <true/>
           </dict>
           </plist>
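     The following Python script is an added example and is not part of cryptexctl or this manual:
     it pre-checks an identity property list such as the one above before the file is handed to
     --identity-plist for offline personalization. The expected key set and value shapes (0x-prefixed
     hex strings for CEPO/BORD/CHIP/ECID/SDOM, booleans for CPRO/CSEC/EPRO/ESEC, BNCH optional) are
     inferred from the example plist and the SYNOPSIS, not taken from cryptexctl's own checks.

```python
"""Pre-flight check of a cryptexctl --identity-plist file (added example, not cryptexctl's code).
Expected keys and value types are inferred from this manual's EXAMPLES plist and SYNOPSIS."""
import plistlib
import re

HEX_KEYS = ("CEPO", "BORD", "CHIP", "ECID", "SDOM")   # 0x... strings in the example
BOOL_KEYS = ("CPRO", "CSEC", "EPRO", "ESEC")          # <true/> or <false/> in the example
OPTIONAL_KEYS = ("BNCH",)                             # nonce hash; appears in the SYNOPSIS only
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")

# Sample identity copied from the EXAMPLES section of this manual.
SAMPLE_IDENTITY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>ALGO</key><string>sha2-384</string> <key>CEPO</key><string>0x0</string>
<key>BORD</key><string>0x6</string> <key>CHIP</key><string>0x8015</string>
<key>ECID</key><string>0x184d610044a83a</string> <key>SDOM</key><string>0x1</string>
<key>CPRO</key><false/> <key>CSEC</key><true/> <key>EPRO</key><false/> <key>ESEC</key><true/>
</dict></plist>"""


def check_identity_plist(data: bytes) -> list:
    """Return a list of problems; an empty list means the identity plist looks usable."""
    try:
        ident = plistlib.loads(data)
    except Exception as exc:                  # not XML, not a plist, or truncated
        return [f"unparseable plist: {exc}"]
    if not isinstance(ident, dict):
        return ["root node must be a dictionary"]
    problems = []
    if not (isinstance(ident.get("ALGO"), str) and ident["ALGO"]):
        problems.append("ALGO: expected a non-empty string such as 'sha2-384'")
    for key in HEX_KEYS:                      # CEPO, BORD, CHIP, ECID, SDOM
        value = ident.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif not (isinstance(value, str) and HEX_RE.match(value)):
            problems.append(f"{key}: expected a 0x-prefixed hex string, got {value!r}")
    for key in BOOL_KEYS:                     # CPRO, CSEC, EPRO, ESEC
        value = ident.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif not isinstance(value, bool):
            problems.append(f"{key}: expected <true/> or <false/>, got {value!r}")
    known = {"ALGO", *HEX_KEYS, *BOOL_KEYS, *OPTIONAL_KEYS}
    problems += [f"{key}: not a recognised identity tag" for key in sorted(set(ident) - known)]
    return problems
```

     Run it over a plist exported with cryptexctl-identity(1) before invoking cryptexctl personalize
     offline; an empty result means every tag the example shows is present with the expected shape.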
SEE ALSO
     cryptexctl(1), cryptexctl-create(1), cryptexctl-identity(1), cryptexctl-install(1),
     cryptexctl-nonce(1), cryptex(5)

HISTORY
     Introduced in macOS 12.0

Darwin                                   2 April, 2021                                   Darwin