Comment by adrian_b

2 years ago

That the secret registers are in fact cache test registers, as explained at that link, is a very plausible explanation for their existence.

Nevertheless, this does not explain at all the astonishing fact that they were mapped by default in the accessible memory space, unless listed and explicitly denied in the system configuration files.

No amount of incompetence seems enough to explain such a default policy, so the supposition of an intentional backdoor still seems more likely.

> No amount of incompetence seems enough to explain such a default policy, so the supposition of an intentional backdoor still seems more likely.

I think you're overestimating how granular the memory mappings are (or how isolated the debug registers are). They're usually used to control access on a peripheral level, not to individual registers within a peripheral.

Apple's mitigation was in fact to alter boot-configured memory mappings to deny access. (And as to the mappings... if they were in the middle of a range of documented registers, or close to one, sloppiness and poor internal communication are at least plausible...)

  • I would hope that all memory outside the known ranges is denied by default... Apple should know all the memory mapped hardware in the SoC, so why would they allow IO to something that doesn't exist?

    It's just a few lines of code to parse the memory map and deny all undefined regions. As well as being good for security, it also helps find out-of-bounds write bugs, and ensures you can't accidentally ship an out of date memory map.
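The "parse the memory map and deny all undefined regions" policy described in the comment above, as an added example written for this page; it is not code from any commenter, from Apple, or from any real SoC. The three peripherals, the `0x2000_0000`..`0x2100_0000` MMIO window, and the 4 KiB page size are constructed assumptions. It sorts the documented regions, rejects overlapping or out-of-window entries (the "out of date memory map" failure mode), and emits the complement as deny ranges rounded inward to whole pages, which also makes the granularity point from the earlier reply concrete: any page that shares space with a documented register cannot be denied at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One documented MMIO region. In a real system these come from the boot
 * memory map or device tree; the entries below are constructed examples. */
typedef struct {
    uint64_t base;
    uint64_t size;
    const char *name;
} region_t;

/* A half-open address range [start, end) to be marked inaccessible. */
typedef struct {
    uint64_t start;
    uint64_t end;
} deny_range_t;

/* Constructed sample map: three hypothetical peripherals inside a hypothetical
 * 0x2000_0000 .. 0x2100_0000 MMIO window. Not a real SoC layout. */
static const region_t sample_map[] = {
    { 0x20010000, 0x8000, "dma"   },   /* deliberately listed out of order */
    { 0x20000000, 0x1000, "uart0" },
    { 0x20004000, 0x2000, "gpio"  },
};
static const size_t sample_map_len = sizeof sample_map / sizeof sample_map[0];

/* Same map, but "gpio" starts mid-page: the page 0x20004000..0x20005000 then
 * holds both documented and undocumented addresses and cannot be denied. */
static const region_t sample_map_unaligned[] = {
    { 0x20000000, 0x1000, "uart0" },
    { 0x20004800, 0x0800, "gpio"  },
    { 0x20010000, 0x8000, "dma"   },
};
static const size_t sample_map_unaligned_len =
    sizeof sample_map_unaligned / sizeof sample_map_unaligned[0];

static int cmp_base(const void *a, const void *b)
{
    const region_t *ra = a, *rb = b;
    return (ra->base > rb->base) - (ra->base < rb->base);
}

/* Compute the complement of the documented regions inside [win_start, win_end),
 * rounded inward to page boundaries (page must be a power of two), and store it
 * in out. Returns the number of deny ranges, or -1 if the map is invalid
 * (overlapping regions, a region outside the window, or out has no room). */
int deny_undefined(const region_t *map, size_t n, uint64_t win_start,
                   uint64_t win_end, uint64_t page, deny_range_t *out, size_t max_out)
{
    region_t *sorted = malloc(n * sizeof *sorted);
    if (!sorted) return -1;
    memcpy(sorted, map, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_base);

    uint64_t cursor = win_start;   /* first address not yet covered by a documented region */
    int count = 0, ok = 1;

    for (size_t i = 0; i <= n; i++) {
        /* The window end acts as a sentinel "next region" of size 0. */
        uint64_t next_base = (i < n) ? sorted[i].base : win_end;
        uint64_t next_end  = (i < n) ? sorted[i].base + sorted[i].size : win_end;

        if (next_base < cursor || next_end < next_base || next_end > win_end) {
            ok = 0;   /* overlap with the previous region, size overflow, or outside window */
            break;
        }
        /* Gap [cursor, next_base): deny only the whole pages that lie inside it. */
        uint64_t start = (cursor + page - 1) & ~(page - 1);
        uint64_t end   = next_base & ~(page - 1);
        if (start < end) {
            if ((size_t)count >= max_out) { ok = 0; break; }
            out[count].start = start;
            out[count].end   = end;
            count++;
        }
        cursor = next_end;
    }
    free(sorted);
    return ok ? count : -1;
}

/* Whether addr falls inside any computed deny range. */
int is_denied(const deny_range_t *deny, int count, uint64_t addr)
{
    for (int i = 0; i < count; i++)
        if (addr >= deny[i].start && addr < deny[i].end)
            return 1;
    return 0;
}

int main(void)
{
    deny_range_t deny[16];
    int n = deny_undefined(sample_map, sample_map_len, 0x20000000, 0x21000000,
                           0x1000, deny, 16);
    if (n < 0) { fprintf(stderr, "invalid memory map\n"); return 1; }
    for (int i = 0; i < n; i++)
        printf("deny [%#llx, %#llx)\n",
               (unsigned long long)deny[i].start, (unsigned long long)deny[i].end);
    return 0;
}
```

With the aligned sample map this yields three deny ranges covering everything between and after the documented peripherals. With the unaligned map the page containing `gpio` stays accessible in full, which is the practical limit of a page-table-based deny list: undocumented registers that sit inside a documented peripheral's page can only be blocked by the peripheral itself, not by the memory map.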