As explained by marcan: it's not "hashing", it's an error-correcting code. Much more understandable in that light.
https://social.treehouse.systems/@marcan/111655847458820583
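To make the hash-versus-error-correcting-code distinction above concrete, here is an added example (my own, not marcan's code and not the code the Apple registers actually use, which this thread does not describe): a textbook Hamming(7,4) encoder and decoder. A hash over register contents can only report "mismatch"; an ECC syndrome also says which bit flipped and repairs it, which is what makes it useful for cache test hardware. The function names and the sample data word are constructed for the demo.

```python
# Added example: textbook Hamming(7,4) single-error-correcting code.
# Generic illustration of how an ECC differs from a hash; it is NOT the
# code used by the Apple cache test registers discussed in the thread.
import hashlib


def hamming74_encode(data_bits):
    """Encode 4 data bits [d1, d2, d3, d4] into a 7-bit codeword.

    Codeword layout (positions 1..7): p1 p2 d1 p3 d2 d3 d4, where each
    parity bit covers the positions whose binary index has that bit set.
    """
    d1, d2, d3, d4 = data_bits
    p1 = d1 ^ d2 ^ d4  # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4  # covers positions 2,3,6,7
    p3 = d2 ^ d3 ^ d4  # covers positions 4,5,6,7
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming74_decode(codeword):
    """Return (data_bits, syndrome).

    syndrome == 0 means the word was clean; otherwise it is the 1-based
    position of the single flipped bit, which is corrected before decoding.
    """
    c = list(codeword)
    s1 = c[0] ^ c[2] ^ c[4] ^ c[6]
    s2 = c[1] ^ c[2] ^ c[5] ^ c[6]
    s3 = c[3] ^ c[4] ^ c[5] ^ c[6]
    syndrome = s1 + 2 * s2 + 4 * s3
    if syndrome:
        c[syndrome - 1] ^= 1  # single-bit correction
    return [c[2], c[4], c[5], c[6]], syndrome


def flip_bit(bits, position):
    """Return a copy of bits with the 1-based position flipped (constructed fault)."""
    out = list(bits)
    out[position - 1] ^= 1
    return out


def hash_check(bits, expected_digest):
    """What a plain hash gives you: a yes/no answer with no location or repair."""
    digest = hashlib.sha256(bytes(bits)).hexdigest()
    return digest == expected_digest


def demo():
    """Corrupt one bit and compare what the ECC and a hash can each tell us."""
    data = [1, 0, 1, 1]  # constructed sample word
    word = hamming74_encode(data)
    reference = hashlib.sha256(bytes(word)).hexdigest()
    damaged = flip_bit(word, 5)
    recovered, where = hamming74_decode(damaged)
    return {
        "codeword": word,
        "hash_still_matches": hash_check(damaged, reference),  # False: no detail
        "ecc_located_bit": where,                              # 5: which bit
        "ecc_recovered_data": recovered,                       # original data
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the contrast is in `demo()`: after one bit flip the hash only reports a mismatch, while the syndrome pinpoints position 5 and the original data word comes back intact. Real hardware ECCs use wider codes (and usually add a second parity bit for double-error detection), but the syndrome-based structure is the same idea.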
That the secret registers are in fact cache test registers, as explained at that link, is a very plausible explanation for their existence.
Nevertheless, this does not explain at all the astonishing fact that they were mapped by default in the accessible memory space, unless listed and explicitly denied in the system configuration files.
No amount of incompetence seems enough to explain such a default policy, so the supposition of an intentional backdoor still seems more likely.
> No amount of incompetence seems enough to explain such a default policy, so the supposition of an intentional backdoor still seems more likely.
I think you're overestimating how granular the memory mappings are (or how isolated the debug registers are). They're usually used to control access on a peripheral level, not to individual registers within a peripheral.
Apple's mitigation was in fact to alter boot-configured memory mappings to deny access. (And as to the mappings... if they were in the middle of a range of documented registers, or close to one, sloppiness and poor internal communication are at least plausible...)