
macos-l4: sysext-owned MITM CA, SE-encrypted, XPC-rotated#378

Open
GlenDC wants to merge 9 commits into main from patch/macos-l4-crt-mngmt

Conversation


@GlenDC GlenDC commented May 5, 2026

Container no longer mints or stores the MITM CA. Sysext owns it: minted
in-process, encrypted via Secure Enclave, persisted to the System
Keychain. Hard-fails without SE. Two-phase rotation over XPC, with the
pending CA served via the hijack endpoint so callers can install trust
before the swap.

Pre-PR installs stored the CA in the host's data-protection keychain.
That entry is honored as run-only passthrough until the first commit;
the sysext always prefers an SE-backed CA when one exists.

Rotate the active CA

  1. just macos-l4-cli generate-ca-crt — sysext mints a fresh CA,
    parks it as pending, hijack endpoint starts serving it. Active TLS
    stays on the previous CA. Stdout: cert_der_b64: <b64>.
    (can also ofc be retrieved via hijack domain as per usual)
  2. Install trust for the new DER (e.g. Go daemon side).
  3. just macos-l4-cli commit-ca-crt — persist + atomic swap.
    Retires legacy entries on success. Stdout:
    previous_cert_der_b64: <b64> (empty if nothing displaced).
    Non-zero exit if commit succeeded but legacy cleanup failed — run
    just macos-l4-cli cleanup-legacy-ca-crt to retry.
  4. Drop trust for the previous DER.

Move an existing install off legacy

  • Next just macos-l4-start forwards legacy via opaque config (run-only); a single
    just macos-l4-cli generate-ca-crt + just macos-l4-cli commit-ca-crt retires it.
  • If the SE-backed CA already exists alongside legacy:
    just macos-l4-cli cleanup-legacy-ca-crt retires legacy without touching the active CA.
  • just macos-l4-cli delete-ca-crt is the full reset (legacy + SE entries).
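The four rotation steps above driven end to end, as an added example that is not part of this PR or the project's own tooling: it parses the `cert_der_b64:` and `previous_cert_der_b64:` stdout fields, installs trust for the pending CA before `commit-ca-crt`, drops trust for the displaced CA only afterwards, and retries `cleanup-legacy-ca-crt` when the commit reports a failed legacy cleanup. Assumed (not from the PR): `JUST_BIN` names the command prefix, `install_trust` / `drop_trust` are hooks the caller defines for its own trust store, and a `previous_cert_der_b64:` line in the commit output means the swap happened.

```shell
# Added example, not code from this PR or the project. Assumptions: JUST_BIN
# is the command prefix (default "just"); install_trust / drop_trust are
# caller-defined hooks for its own trust store (the Go daemon side in the PR).

# Print the value of a "<key>: <value>" stdout line, or nothing if absent.
ca_field() {
  printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# Step 1: mint a pending CA. Active TLS still uses the previous CA.
ca_generate() {
  out=$(${JUST_BIN:-just} macos-l4-cli generate-ca-crt) || return 1
  new=$(ca_field cert_der_b64 "$out")
  [ -n "$new" ] || { echo "generate-ca-crt printed no cert_der_b64" >&2; return 1; }
  printf '%s\n' "$new"
}

# Step 3: persist + atomic swap. Prints the displaced CA (empty if none).
# Assumption: the previous_cert_der_b64 line is printed only once the swap
# happened, so exit != 0 with that line is the "commit ok, legacy cleanup
# failed" case the PR describes (retried once, return 2 if it fails again);
# without the line the swap did not happen and the old CA stays active.
ca_commit() {
  out=$(${JUST_BIN:-just} macos-l4-cli commit-ca-crt)
  rc=$?
  if ! printf '%s\n' "$out" | grep -q '^previous_cert_der_b64:'; then
    echo "commit-ca-crt did not swap; previous CA stays active" >&2
    return 1
  fi
  ca_field previous_cert_der_b64 "$out"
  [ "$rc" -eq 0 ] && return 0
  echo "commit succeeded but legacy cleanup failed; retrying" >&2
  ${JUST_BIN:-just} macos-l4-cli cleanup-legacy-ca-crt || return 2
}

# Steps 1-4: returns 0, 1 if the swap never happened (old trust kept), or 2
# if the new CA is active but cleanup-legacy-ca-crt still needs a retry.
rotate_ca() {
  new=$(ca_generate) || return 1
  install_trust "$new" || return 1            # step 2
  prev=$(ca_commit)
  rc=$?
  [ "$rc" -ne 1 ] || return 1
  if [ -n "$prev" ] && [ "$prev" != "$new" ]; then
    drop_trust "$prev" || return 1            # step 4
  fi
  return "$rc"
}
```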

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 6 Resolved Issues: 0

🚀 New Features

  • Implemented sysext-owned MITM CA encrypted with Secure Enclave persistence
  • Added XPC generate/commit routes to rotate and atomically swap CA

⚡ Enhancements

  • Introduced graceful legacy CA passthrough and commands to retire it

🔧 Refactors

  • Reworked in-memory CA state and swapped to rama::bytes::Bytes usage


GlenDC added 3 commits May 5, 2026 21:33
Sysext now mints and persists the CA via Secure Enclave in the System
Keychain. Container forwards a legacy PEM only as graceful passthrough,
retired on commit. Two XPC routes drive rotation: generate-ca-crt parks
pending, commit-ca-crt persists + swaps. Hard-fails without SE.
clean-secrets removed; delete-ca-crt replaces it.
@GlenDC GlenDC self-assigned this May 5, 2026
@GlenDC GlenDC changed the title feat(macos-l4): sysext-owned MITM CA, SE-encrypted, XPC-rotated macos-l4: sysext-owned MITM CA, SE-encrypted, XPC-rotated May 6, 2026
@GlenDC GlenDC marked this pull request as ready for review May 6, 2026 16:42
