Custom Serial Injection
There are some times when it is beneficial to be able to control the VM's presented serial number.
This is a feature request to allow for custom serial injection on a Tart VM.
I did some investigation and it seems the only place we can configure something hardware related is via the binary representation of VZMacMachineIdentifier stored in the ecid field of config.json. There are no public APIs, so we can only try to modify the binary representation at the moment. 😅
Data stored there is stored in Apple's binary plist format and can be decoded:
pbpaste | base64 --decode > ecid.plist
plutil -convert xml1 ecid.plist
Here are the contents of the file for our monterey-base VM:
<plist version="1.0">
<dict>
<key>ECID</key>
<integer>10796302860778061261</integer>
</dict>
</plist>
It seems at the moment it's not quite possible to configure it. Maybe it's possible with some secret key which we don't know yet.
WWDC is just 4 weeks away and hopefully there will be more news about Virtualization.Framework
so let's wait until then and do more investigation after WWDC.
Seems it will be possible going forward with macOS Ventura. There is this new VZGenericMachineIdentifier which will be available starting with macOS 13.0.
I understand there is currently not the possibility of setting a specific Serial Number, but is there any method to randomly generate a new one? I'm attempting to set up a workflow which creates VM Templates, but for obvious reasons, there needs to be a new serial on the VMs deployed from the template.
Unfortunately it's not currently possible to change the Serial Number (aka machine identifier or ECID) once the macOS installation is complete. You can try this yourself by copying the ecid value from another VM's config.json.
I've initially thought that this is due to the "Full Security policy" setting (see Apple Platform Security document), but booting a generic macOS VM with --recovery and opening Utilities → Startup Security Utility shows that this is not the case:
[Screenshot 2022-07-26 at 20 22 16]
The other likely explanation is that the VM's NVRAM contents (nvram.bin) include the initial ECID in the course of the initial installation, and then a mismatch happens when booting a VM with another ECID value and this causes the Virtualization.Framework to hang up.
has there been any progress on getting this to work?
Serial injection would be beneficial. Following closely.
another ECID value and this causes the Virtualization.Framework to hang up
Doesn't seem to be the case anymore with macOS Ventura, see @fkorotkov's machine-identifier branch which generates a new ECID on each boot.
You can also generate a specific ECID value by calling plutil -convert binary1 see-below.xml -o - | base64 on the following XML, where 42 is the desired ECID value:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ECID</key>
<integer>42</integer>
</dict>
</plist>
Good news that there are now private APIs to set a serial number (shout out to @khronokernel for finding it out), but unfortunately it requires disabling AMFI at the moment, so we can't ship it with Tart.
Here is a patch I applied to this location:
let result = VZMacPlatformConfiguration()
// `Dynamic` resolves the private Virtualization.framework selectors at runtime
let serialNumber = Dynamic._VZMacSerialNumber(string: "ZAAAAAAAAA")
let identifier: VZMacMachineIdentifier? = Dynamic.VZMacMachineIdentifier._machineIdentifierWithSerialNumber(serialNumber)
// fall back to a freshly generated identifier if the private call returns nil
result.machineIdentifier = identifier ?? VZMacMachineIdentifier()
Having the APIs appear in private is a good sign that we are getting the functionality eventually. So 🤞 to get it sooner than later.
BTW, did anyone submit feedback through the Feedback Assistant that describes your current workflow and how customization of the serial number would help to simplify it or do something new? We might have a lead to escalate this feature request, but we need more data points, preferably ones submitted via the Feedback Assistant.
Sorry, where is the Feedback Assistant? (is it a link inside of Tart? somewhere in Github?)
... the use case for custom serial number is that we are testing MDM workflows and if we use a serial number that is registered with Apple Business Manager then it will automatically kick off MDM processes if we set it to a "known" serial.
https://developer.apple.com/bug-reporting/
Got a response on my Feedback Assistant report about making VZMacMachineIdentifier.machineIdentifierWithSerialNumber available without com.apple.private.virtualization:
Thank you for your feedback, it is noted. Engineering has determined that there are currently no plans to address this issue.