On Apple Exclaves

Random Augustine has written a splendidly nerdy but very approachable overview of the evolution of Apple’s XNU kernel over the last decade:

2017 — Page Protection Layer

With the release of the iPhone 8 and iPhone X containing the A11 processor, Apple introduced a security feature known as the Page Protection Layer (PPL). This hardware+software feature isolated a small part of the kernel and gave it privileges to modify memory page tables — critical structures that manage memory access. The rest of the kernel lost the ability to directly modify these page tables. The PPL’s limited attack surface ensured that bypasses were infamously rare. While PPL added a layer of protection, it was only partly effective as the rest of the kernel still held most privileges required to compromise data without modifying page tables.

2021–2023 — Secure Page Table Monitor

Following PPL, the release of the iPhone 13 containing the A15 processor introduced new functionality utilised in iOS 17: the Secure Page Table Monitor (SPTM). This replaced and improved upon the PPL by securing additional memory functions and dividing them into subsystems, further isolating small kernel components. Validation of code signatures, confirming that all code had been signed by Apple, was also isolated.

Around this time, oblique references to exclaves began to surface in XNU source code. These exclaves were speculated to be the subsystems managed by SPTM. Then 2024 happened…

2024 — Exclaves: A major addition to XNU

With the release of XNU source code supporting M4 and A18 based systems (such as the iPhone 16), the curtain was partly pulled back on exclaves. (Exclaves are not active on prior processors.)

It is now clear that exclaves are part of a much larger redesign of XNU’s security model.

I am reminded of Gall’s Law:

A complex system that works is invariably found to have evolved from a simple system that worked. A complex system designed from scratch never works and cannot be patched up to make it work. You have to start over with a working simple system.

(I also suspect that Siri — today’s Siri at least — might be a canonical example of “a complex system designed from scratch”. But that’s a different topic.)

Wednesday, 19 March 2025