How do nonce hashes prevent replay attacks on Apple Silicon?

Çağlar Arlı

Apple Silicon-based Macs have a LocalPolicy file that controls the secure boot process. To prevent replay attacks of the LocalPolicy, hashes of nonces are used. From here:

The lpnh is used for anti-replay of the LocalPolicy. This is an SHA384 hash of the LocalPolicy Nonce (LPN), which is stored in the Secure Storage Component and accessible using the Secure Enclave Boot ROM or Secure Enclave. The raw nonce is never visible to the Application Processor, only to the sepOS. An attacker wanting to convince LLB that a previous LocalPolicy they had captured was valid would need to place a value into the Secure Storage Component, which hashes to the same lpnh value found in the LocalPolicy they want to replay.

The way this is explained, the lpnh and the LPN can't really serve as an anti-replay mechanism. If the lpnh is a hash only of the LPN, then the rest of the LocalPolicy's contents can be changed without failing any sort of validation. The lpnh would need to incorporate the contents of the LocalPolicy file into it to serve as an anti-replay mechanism, in which case Apple can just ditch the nonce and the nonce hash, and store the hash of the LocalPolicy in the Secure Storage Component instead.

How does this system actually work?
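
A minimal model of the check the quoted passage describes, added here as an illustration; it is not Apple's code and not part of the original question. It assumes the LocalPolicy is signed as a whole (modelled with an HMAC under a hypothetical key), that lpnh sits inside the signed body, and that the nonce is replaced whenever a new policy is written; all names and values are constructed.

```python
import hashlib
import hmac
import json
import os


class SecureStorage:
    """Stand-in for the Secure Storage Component: holds only the current raw LPN."""

    def __init__(self):
        self.lpn = os.urandom(48)  # constructed nonce; the size is an assumption

    def rotate(self):
        self.lpn = os.urandom(48)  # assumption: done whenever a new policy is written

    def current_lpnh(self):
        return hashlib.sha384(self.lpn).hexdigest()


def sign_policy(key, settings, lpnh):
    # lpnh is part of the signed body, so it cannot be swapped independently of the settings.
    body = json.dumps({"settings": settings, "lpnh": lpnh}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha384).hexdigest()}


def validate(key, policy, storage):
    # Step 1: integrity of the whole policy (HMAC stands in for the signature check).
    expected = hmac.new(key, policy["body"], hashlib.sha384).hexdigest()
    if not hmac.compare_digest(expected, policy["tag"]):
        return "bad-signature"
    # Step 2: freshness. The lpnh in the policy must match SHA384 of the stored LPN.
    lpnh = json.loads(policy["body"])["lpnh"]
    if not hmac.compare_digest(lpnh, storage.current_lpnh()):
        return "stale-nonce"
    return "ok"


def demo():
    key = os.urandom(32)  # hypothetical signing key
    storage = SecureStorage()
    old = sign_policy(key, {"security": "reduced"}, storage.current_lpnh())
    before = validate(key, old, storage)
    storage.rotate()  # a new policy is written, so the nonce changes
    new = sign_policy(key, {"security": "full"}, storage.current_lpnh())
    tampered = dict(new, body=new["body"].replace(b"full", b"reduced"))
    return {
        "old_before_rotation": before,
        "new": validate(key, new, storage),
        "replayed_old": validate(key, old, storage),  # validly signed, but stale
        "tampered_new": validate(key, tampered, storage),
    }
```

In this model the signature covers the policy contents and the nonce hash covers freshness: the replayed policy still carries a valid tag and is rejected only because its lpnh no longer matches the stored nonce.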