
Custom Serial Injection #59

Open
ChefAustin opened this issue May 10, 2022 · 12 comments
Labels
enhancement New feature or request not possible atm Not possible at the moment

Comments

@ChefAustin
Contributor

There are some times when it is beneficial to be able to control the VM's presented serial number.

This is a feature request to allow for custom serial injection on a Tart VM.

@fkorotkov fkorotkov added the enhancement New feature or request label May 10, 2022
@fkorotkov
Contributor

fkorotkov commented May 11, 2022

I did some investigation and it seems the only place we can configure something hardware related is via the binary representation of VZMacMachineIdentifier stored in the ecid field of config.json. There are no public APIs, so we can only try to modify the binary representation at the moment. 😅

The data stored there is in Apple's binary plist format and can be decoded:

pbpaste | base64 --decode > ecid.plist
plutil -convert xml1 ecid.plist

Here are the contents of the file for our monterey-base VM:

<plist version="1.0">
<dict>
	<key>ECID</key>
	<integer>10796302860778061261</integer>
</dict>
</plist>

It seems at the moment it's not quite possible to configure it. Maybe it's possible with some secret key which we don't know yet.

WWDC is just 4 weeks away and hopefully there will be more news about Virtualization.Framework so let's wait until then and do more investigation after WWDC.

@fkorotkov fkorotkov added the not possible atm Not possible at the moment label May 11, 2022
@fkorotkov
Contributor

Seems it will be possible going forward with macOS Ventura. There is this new VZGenericMachineIdentifier which will be available starting with macOS 13.0.

@Don-Swanson

I understand there is currently not the possibility of setting a specific Serial Number, but is there any method to randomly generate a new one? I'm attempting to set up a workflow which creates VM templates, but for obvious reasons, there needs to be a new serial on the VMs deployed from the template.

@edigaryev
Collaborator

> I understand there is currently not the possibility of setting a specific Serial Number, but is there any method to randomly generate a new one? I'm attempting to set up a workflow which creates VM templates, but for obvious reasons, there needs to be a new serial on the VMs deployed from the template.

Unfortunately it's not currently possible to change the Serial Number (aka machine identifier or ECID) once the macOS installation is complete. You can try this yourself by copying the ecid value from another VM's config.json.

I've initially thought that this is due to the "Full Security policy" setting (see the Apple Platform Security document), but booting a generic macOS VM with --recovery and opening Utilities > Startup Security Utility shows that this is not the case:

[Screenshot (2022-07-26): Startup Security Utility in the VM's recovery environment]

The other likely explanation is that the VM's NVRAM contents (nvram.bin) record the initial ECID in the course of the initial installation, and then a mismatch happens when booting the VM with another ECID value, which causes the Virtualization.Framework to hang up.

@kylejericson

Has there been any progress on getting this to work?

@1sth1sth1ng0n

Serial injection would be beneficial. Following closely.

@edigaryev
Collaborator

> another ECID value and this causes the Virtualization.Framework to hang up

Doesn't seem to be the case anymore with macOS Ventura, see @fkorotkov's machine-identifier branch which generates a new ECID on each boot.

You can also generate a specific ECID value by calling plutil -convert binary1 see-below.xml -o - | base64 on the following XML, where 42 is the desired ECID value:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>ECID</key>
	<integer>42</integer>
</dict>
</plist>
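The same encode/decode round trip as the plutil and base64 commands above, as an added example that is not part of the issue or of Tart: it uses Python's standard plistlib to build the binary plist Tart stores in the ecid field of config.json and to read an ECID back out of one. The sample ECID values are constructed; the 20-digit one is the value shown earlier in this thread.

```python
import base64
import plistlib


def encode_ecid(ecid: int) -> str:
    """Return the base64 text of a binary plist {"ECID": ecid}.

    This mirrors `plutil -convert binary1 ... | base64` on the XML above.
    The ECID is a 64-bit unsigned value, so reject anything outside that range
    before it ends up in config.json.
    """
    if not 0 <= ecid < 1 << 64:
        raise ValueError("ECID must be an unsigned 64-bit integer")
    blob = plistlib.dumps({"ECID": ecid}, fmt=plistlib.FMT_BINARY)
    return base64.b64encode(blob).decode("ascii")


def decode_ecid(ecid_b64: str) -> int:
    """Inverse of encode_ecid: mirrors `base64 --decode | plutil -convert xml1`.

    Validates the base64 strictly, lets plistlib detect the plist format, and
    checks the payload has the single integer ECID key and nothing else, which
    is what a config.json produced by the framework looks like.
    """
    blob = base64.b64decode(ecid_b64, validate=True)
    if not blob.startswith(b"bplist00"):
        raise ValueError("ecid field is not a binary plist")
    data = plistlib.loads(blob)
    if set(data) != {"ECID"} or not isinstance(data["ECID"], int):
        raise ValueError("unexpected plist contents: %r" % (data,))
    ecid = data["ECID"]
    if not 0 <= ecid < 1 << 64:
        raise ValueError("ECID out of range: %d" % ecid)
    return ecid


if __name__ == "__main__":
    # Constructed sample: the ECID from the XML above and the one from the
    # monterey-base VM earlier in this thread.
    for sample in (42, 10796302860778061261):
        encoded = encode_ecid(sample)
        print(sample, "->", encoded, "->", decode_ecid(encoded))
```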

@fkorotkov
Contributor

Good news that there are now private APIs to set a serial number (shout out to @khronokernel for finding it out), but unfortunately it requires disabling AMFI at the moment, so we can't ship it with Tart.

Here is a patch I applied to this location:

let result = VZMacPlatformConfiguration()

// Private (underscore-prefixed) Virtualization.Framework API reached through the Dynamic library:
// build a serial-number object and derive a machine identifier from it.
let serialNumber = Dynamic._VZMacSerialNumber(string: "ZAAAAAAAAA")
let identifier: VZMacMachineIdentifier? = Dynamic.VZMacMachineIdentifier._machineIdentifierWithSerialNumber(serialNumber)

// Fall back to a freshly generated identifier if the private call returns nil.
result.machineIdentifier = identifier ?? VZMacMachineIdentifier()

Having the APIs appear in private is a good sign that we are getting the functionality eventually. So 🤞 to get it sooner than later.

@fkorotkov
Contributor

BTW, did anyone submit feedback through the Feedback Assistant that describes your current workflow and how customization of the serial number will help to simplify it or do something new? We might have a lead to escalate this feature request, but we need more data points, preferably ones submitted via the Feedback Assistant.

@nuna-alan

Sorry, where is the Feedback Assistant? (Is it a link inside of Tart? Somewhere in GitHub?)

... the use case for custom serial number is that we are testing MDM workflows and if we use a serial number that is registered with Apple Business Manager then it will automatically kick off MDM processes if we set it to a "known" serial.

@fkorotkov
Contributor

Got a response on my Feedback Assistant about making VZMacMachineIdentifier.machineIdentifierWithSerialNumber available without com.apple.private.virtualization:

> Thank you for your feedback, it is noted. Engineering has determined that there are currently no plans to address this issue.
