Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
bputil -d showing full startup security
username@computername ~ % sudo bputil -d
Password:
This utility is not meant for normal users or even sysadmins.
It provides unabstracted access to capabilities which are normally handled for the user automatically when changing the security policy through GUIs such as the Startup Security Utility in macOS Recovery.
It is possible to make your system security much weaker and therefore easier to compromise using this tool.
This tool is not to be used in production environments.
It is possible to render your system unbootable with this tool.
It should only be used to understand how the security of Apple Silicon Macs works.
Use at your own risk!
Current OS environment:
OS Type : macOS
Local Policy Nonce Hash (lpnh): 7E1ED4512B6DF2A284C6343E469C1F1459453E4898E770CF37A8F3B1D9C000E0DA0C5C5F0546AB70984BEC3A9870DD9E
Remote Policy Nonce Hash (rpnh): 88EB8429C516B53BBCA49EC7C0D58C3F27F2890D23E176264B2178EE2A865327CFD06ED94834EE6FF7D145FB39245B59
Recovery OS Policy Nonce Hash (ronh): 6CF5EB6318AF551C5A23B8D3B2E4196AAA372B523E4F412C375CF6B39DCFED28F9B4E9881BF348886F9B9A14E918AA69
Current local policy:
Signature Type : BAA
Unique Chip ID (ECID): 0xD793810C0291E
Board ID (BORD): 0x26
Chip ID (CHIP): 0x8103
Certificate Epoch (CEPO): 0x1
Security Domain (SDOM): 0x1
Production Status (CPRO): 1
Security Mode (CSEC): 1
OS Version (love): 21.1.268.5.8,0
Volume Group UUID (vuid): 2D85CA09-A291-47CA-A68A-66CB2D3BDF70
KEK Group UUID (kuid): AC09E9D5-36DC-10C9-4312-E6DAA3753224
Local Policy Nonce Hash (lpnh): 7E1ED4512B6DF2A284C6343E469C1F1459453E4898E770CF37A8F3B1D9C000E0DA0C5C5F0546AB70984BEC3A9870DD9E
Remote Policy Nonce Hash (rpnh): 88EB8429C516B53BBCA49EC7C0D58C3F27F2890D23E176264B2178EE2A865327CFD06ED94834EE6FF7D145FB39245B59
Next Stage Image4 Hash (nsih): 443560FD2BE056BC9527452729EEC1A1BB22BA2DA456B278624DEF822DE9F7A64F0303B64ED811405B4039475F8A623D
User Authorized Kext List Hash (auxp): absent
Auxiliary Kernel Cache Image4 Hash (auxi): absent
Kext Receipt Hash (auxr): absent
CustomKC or fuOS Image4 Hash (coih): absent
Security Mode: Full (smb0): absent
User-allowed MDM Control: Disabled (smb3): absent
DEP-allowed MDM Control: Disabled (smb4): absent
SIP Status: Enabled (sip0): absent
Signed System Volume Status: Enabled (sip1): absent
Kernel CTRR Status: Enabled (sip2): absent
Boot Args Filtering Status: Enabled (sip3): absent
3rd Party Kexts Status: Disabled (smb2): absent
username@computername ~ %
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment