
cryptexctl-create(1) General Commands Manual cryptexctl-create(1)

NAME
cryptexctl create - create a cryptex from a disk image

SYNOPSIS
cryptexctl create [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG

cryptexctl create [--identity IDENTITY-PLIST] [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG

cryptexctl create [--host-identity] [--replace] --identifier IDENTIFIER --version VERSION PATH-TO-DMG

cryptexctl create [--identity IDENTITY-PLIST] [--replace] [--ALGO CRYPTO-ALGORITHM] [--CEPO CERTIFICATE-EPOCH] [--BORD BOARD-ID] [--CHIP CHIP-ID] [--ECID ECID] [--SDOM SDOM] [--CPRO CERTIFICATE-PRODUCTION-STATUS] [--CSEC CERTIFICATE-SECURITY-MODE] [--EPRO EFFECTIVE-PRODUCTION-STATUS] [--ESEC EFFECTIVE-SECURITY-MODE] [--BNCH NONCE-HASH] --identifier IDENTIFIER --version VERSION PATH-TO-DMG

DESCRIPTION
cryptexctl create creates a new cryptex(5) from a disk image. The disk image must encapsulate an HFS+ filesystem with a hierarchy as described in cryptex(5). The result will be a directory with a "cptx" file name extension. This bundle contains four objects:

Together, these objects comprise the cryptex. They are not independently useful.

The cryptex will be personalized for the target device by sending measurements of the disk image content and the identity of a device to Apple's trusted signing service (tss.apple.com).

In most cases cryptexctl create retrieves the device identity either from the host, if the host is running a cryptexd(8) daemon, or from a connected device (see the --udid option on the root cryptexctl(1) command).

If the device cannot be connected directly, the identity can be specified either on the command line or with the --identity-plist argument. See DEVICE IDENTIFIERS.

OPTIONS
A list of options with their descriptions. See DEVICE IDENTIFIERS for the identity arguments.

Required:

--identifier IDENTIFIER
    A reverse-ICANN identifier for the cryptex
--version VERSION
    The CFBundleVersion-style version number for the cryptex
PATH-TO-DMG
    The path to the disk image file from which the cryptex will be created -- the disk image must encapsulate an HFS+ file system containing a cryptex(5) filesystem hierarchy.

Optional:

OUTPUT-DIRECTORY
    The directory to which the cryptex should be written. Upon successful completion, this directory will contain a directory named for the given IDENTIFIER, which will contain the cryptex's constituent personalized objects [default: the current working directory]
--replace
    Replace the cryptex in OUTPUT-DIRECTORY if it already exists. The old directory will be rename(2)ed into a temporary directory rather than being deleted outright.
--identity IDENTITY-PLIST
    Path to a property list whose root node is a dictionary containing a key-value pair for each aspect of device identity. The keys are the same as the argument names (BORD, CHIP, etc.) and the values are all integers; defaults to the value of the environment variable CRYPTEXCTL_CREATE_IDENTITY. For an example of such a property list, see EXAMPLES.
--host-identity
    Use the host's identity for the personalization; if specified, all other identifiers are ignored
    Use AppleConnect credentials. Mostly useful for Apple internal development.
    Personalize with the AMNM entitlement. Only useful for Apple internal development.

DEVICE IDENTIFIERS
These tags can be retrieved from a device with cryptexctl-identity(1) for offline personalization, or retrieved automatically for the host or a connected device.

For convenience the identity can be specified as a property list with --identity-plist. The property list's root node is a dictionary containing a key-value pair for each aspect of the device identity. The keys are the same as the argument names (BORD, CHIP, etc.).

The following components comprise a host identity for cryptex personalization. For more information about these tags and the personalization process, see cryptex-image4(7).

--ALGO CRYPTO-ALGORITHM
    The crypto algorithm employed by the target device. Valid values are: sha1, sha2-384 [default: sha2-384]
--CEPO CERTIFICATE-EPOCH
    The certificate epoch of the target device
--BORD BOARD-ID
    The board identifier of the target device
--CHIP CHIP-ID
    The chip identifier of the target device
--ECID ECID
    The unique chip instance identifier of the target device
--SDOM SDOM
    The security domain of the target device [default: 0x1]
--CPRO CERTIFICATE-PRODUCTION-STATUS
    The certificate production status of the target device [default: 0x1]
--CSEC CERTIFICATE-SECURITY-MODE
    The certificate security mode of the target device [default: 0x1]
--EPRO EFFECTIVE-PRODUCTION-STATUS
    The effective production status of the target device [default: 0x1]
--ESEC EFFECTIVE-SECURITY-MODE
    The effective security mode of the target device [default: 0x1]
--BNCH NONCE-HASH
    The nonce hash to use for the personalization. Can be retrieved with cryptexctl-nonce(1). [default: all zeros]

ENVIRONMENT
CRYPTEXCTL_CREATE_IDENTITY
    Sets the default value for --identity-plist. This is useful when personalizing for an offline or disconnected device.
CRYPTEXCTL_UDID
    Read by the base cryptexctl(1) command to select the device on which to operate when the --udid option is not specified and there is no cryptexd(8) daemon on the host. See cryptexctl(1) for more information about CRYPTEXCTL_UDID.

EXAMPLES
The following is an example of the content of a property list that might be passed to --identity-plist to personalize for an offline device.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ALGO</key>
    <string>sha2-384</string>
    <key>CEPO</key>
    <string>0x0</string>
    <key>BORD</key>
    <string>0x6</string>
    <key>CHIP</key>
    <string>0x8015</string>
    <key>ECID</key>
    <string>0x184d610044a83a</string>
    <key>SDOM</key>
    <string>0x1</string>
    <key>CPRO</key>
    <false/>
    <key>CSEC</key>
    <true/>
    <key>EPRO</key>
    <false/>
    <key>ESEC</key>
    <true/>
</dict>
</plist>
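As an added example (not part of this man page or of cryptexctl), the following Python checks an identity property list of the kind shown above against the tags and defaults listed under DEVICE IDENTIFIERS before it is handed to --identity-plist, accepting the string and boolean encodings the example uses as well as plain integers. The tag table and the sample plist are constructed from this page; the function names are the author's own and stdlib plistlib does the parsing.

```python
import plistlib

# DEVICE IDENTIFIERS tags with their documented defaults; None = no default on the page.
IDENTITY_TAGS = {
    "ALGO": "sha2-384", "CEPO": None, "BORD": None, "CHIP": None, "ECID": None,
    "SDOM": 0x1, "CPRO": 0x1, "CSEC": 0x1, "EPRO": 0x1, "ESEC": 0x1, "BNCH": 0,
}
VALID_ALGOS = ("sha1", "sha2-384")

def normalize(tag, value):
    """Coerce a plist value to int (ALGO stays a string): ints, "0x.." strings, booleans."""
    if tag == "ALGO":
        if value not in VALID_ALGOS:
            raise ValueError(f"ALGO must be one of {VALID_ALGOS}, got {value!r}")
        return value
    if isinstance(value, bool):  # before the int check: bool subclasses int
        return int(value)
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        return int(value, 0)     # base 0 honours the 0x prefix
    raise TypeError(f"{tag}: unsupported value type {type(value).__name__}")

def load_identity(plist_bytes):
    """Parse the XML property list given to --identity-plist: reject unknown
    tags, fill documented defaults, and fail on a missing required tag."""
    root = plistlib.loads(plist_bytes)
    if not isinstance(root, dict):
        raise ValueError("root node must be a dictionary")
    unknown = sorted(set(root) - set(IDENTITY_TAGS))
    if unknown:
        raise ValueError(f"unknown identity tags: {unknown}")
    identity = {}
    for tag, default in IDENTITY_TAGS.items():
        if tag in root:
            identity[tag] = normalize(tag, root[tag])
        elif default is None:
            raise ValueError(f"missing required identity tag {tag}")
        else:
            identity[tag] = default
    return identity

# Constructed sample mirroring the EXAMPLES section (string and boolean values).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
<key>ALGO</key><string>sha2-384</string> <key>CEPO</key><string>0x0</string>
<key>BORD</key><string>0x6</string> <key>CHIP</key><string>0x8015</string>
<key>ECID</key><string>0x184d610044a83a</string> <key>SDOM</key><string>0x1</string>
<key>CPRO</key><false/> <key>CSEC</key><true/> <key>EPRO</key><false/> <key>ESEC</key><true/>
</dict></plist>"""
```

Running load_identity(SAMPLE_PLIST) returns every tag as an integer (BNCH filled with the documented all-zero default), so a typo in a tag name or a bad ALGO value is caught locally rather than by the signing service.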

SEE ALSO
cryptexctl(1), cryptexctl-identity(1), cryptexctl-install(1), cryptexctl-nonce(1), cryptex(5)

HISTORY
Introduced in macOS 11.0

28 September, 2020 Darwin