5.1.3 Ensure Signed System Volume (SSV) Is Enabled

Information

Signed System Volume is a security feature introduced in macOS 11.0 Big Sur.

During system installation, a SHA-256 cryptographic hash is calculated for all immutable system files and stored in a Merkle tree which itself is hashed as the Seal. Both are stored in the metadata of the snapshot created of the System volume.

The seal is verified by the boot loader at startup. macOS will not boot if system files have been tampered with. If validation fails, the user will be instructed to reinstall the operating system.

During read operations for files located in the Signed System Volume, a hash is calculated and compared to the value stored in the Merkle tree.

Running without Signed System Volume on a production system could run the risk of Apple software that integrates directly with macOS being modified.

Solution

If SSV has been disabled, assume that the operating system has been compromised. Back up any files, and do a clean install to a known good Operating System.

Impact:

Apple Software that integrates with the operating system could become compromised.

See Also

https://workbench.cisecurity.org/benchmarks/18639

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|IA-5(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|13.6, CSCv7|14.8

Plugin: Unix

Control ID: 69ac5541738f4b1e19f7725a49f72b0fec8e8f40dc902bc38293bdda94e3e2a5