apple-data 1.0.602 → 1.0.604

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dd760aa9e09e4a1a3262b1b7ba1a2142d79572876b78c969dd8f40542eee852b
-  data.tar.gz: 2ec56bb95e0d0097fad7234484ed395f196b5256e77cf852773e4e04aa5ac8e9
+  metadata.gz: 505cf3230870a47f259145e62e3f09e63064d46e3f3b6c34532e41394fcff002
+  data.tar.gz: 3c57444d5e7147281f03a6aa8aad3ea8539e010643dde4b4706f6e223aa43033
 SHA512:
-  metadata.gz: f51754e3f65ff1c507e6894dc872a0390601d0f1af783825546da153710c711b39c5685781196094364fcea8c1e0205d1b12b09dcf73ad9c85e1cbf14a578044
-  data.tar.gz: 7e36ea6e0a9bde9de0244fe2d4a6e647ce4e101bbec978b01b2ebb07fe30847415b53973937b31e144e039e1745e3b553e985af43bb74b354eaad9e072ed746d
+  metadata.gz: 8fcbbf092c4ca492488bd9a95b4812c32d4f8f9d51f86c253799dc3a729fc41da8f21f0407f3fa22b3ad9bc1bb36dd1c8914c60cd73bb8d97c1f9ae921cd8dec
+  data.tar.gz: 2d0d389c91f4ec3ad3b9848536ec093bf8dd2877bed17e2d74df1e9579b820ea61261567086fb4e300ec1a6cc2953070b87c80d064cc01db5d01eec03b17771e

data/lib/apple_data/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AppleData
-  VERSION = '1.0.602'
+  VERSION = '1.0.604'
 end

data/share/fdr.yaml

@@ -25,7 +25,7 @@ fdr_properties:
   CmCl:
     description:
   dCfg:
-    description:
+    description: Display LCD
     contexts:
     - base
     - mansta
@@ -48,10 +48,14 @@ fdr_properties:
     contexts:
     - mandev
     - mansta
+    data:
+      comb:
+        fdrd:
+        secb:
   GpC2:
     description:
   HmCA:
-    description:
+    description: Ambient Light Sensor
     contexts:
     - base
     - mansta
@@ -167,7 +171,7 @@ fdr_properties:
   rSCl:
     description:
   scrt:
-    description:
+    description: SEP Certificate
     contexts:
     - base
   SDOM:
@@ -194,5 +198,11 @@ fdr_properties:
     description:
   vcrt:
     description:
+  ADCL:
+    description: Raw Panel / Coverglass
   WMac:
     description: Wireless MAC Address
+to_be_signed_keys:
+  DGST:
+  clid:
+  inst:

data/share/img4.yaml

@@ -2,6 +2,32 @@
 metadata:
   description:
   credits:
+types:
+  digest-object:
+    description: Digest Objects are Firmare or Other Hashable Datastreams.
+      They will exist in NOR, Disk, or be received over USB.  These objects
+      will contain a `DGST` value that is the cryptographic hash of the contents.
+      They can contain additional properties per object, some of which are standard
+      and others that are object specific.
+    common_properties:
+      ESEC:
+      EPRO:
+      EKEY:
+    subtypes:
+      local-boot-object:
+      trust-measurement:
+        description: A trust measurement is requested from the processor to ensure that
+          the boot flow has not changed since a prior time that measurement was taken.
+          To date the trust measurement is commonly found on SEP firmware images.
+      ssv-root-hash:
+        description: Root Hash values are used to validate the Signature of an APFS Signed
+          volume or snapshot.  They will be paired to a coresponding disk image.  Some also
+          are paired with `ssv-merkle-tree` which includes the metadata for the volume.
+      trust-cache:
+      img4-disk-image:
+        description: Disk images are often signed IMG4 payloads used for USB boot or as the
+          arm64BaseSystem.dmg.  IMG4 is used for smaller disk images that can be entirely
+          validated "single shot" unlike larger disks which use SSV and validate on read.
 img4_tags:
   acfw:
     description:
@@ -22,12 +48,18 @@ img4_tags:
     type: boolean
   anef:
     description: Apple Neural Engine Firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   anrd:
     description:
   aofi:
     description:
   aopf:
     description: Always on processor firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   apmv:
     description:
   ater:
@@ -37,9 +69,14 @@ img4_tags:
   auac:
     description:
   aubt:
-    description:
+    description: Auxiliary
   augs:
-    description: Included in APTicket CA extensions
+    description:
+      Auxiliary User System Image
+      Included in APTicket CA extensions, as well as factory manifests.
+    roots:
+      - ExtraContent
+      - ManifestKey
   aupr:
     description:
   auxi:
@@ -85,13 +122,16 @@ img4_tags:
       opt in to a more restrictive AuxKC inclusion. The auxp field is a prerequisite for setting the auxr
       field in the LocalPolicy. Users change the auxr value implicitly when they build a new AuxKC from
       the Security & Privacy pane in System Preferences.
-    type: binary
+    type: digest-object
     subtype: sha2-384
     access:
       write:
         - macOS
   avef:
     description: AV Encryption (DRM) Firmware
+    type: digest-object
+    roots:
+    - ManifestKey-DataCenter
   bat0:
     description: battery image 0
   bat1:
@@ -100,8 +140,14 @@ img4_tags:
     description: battery full image
   BLDS:
     description:
+  prid:
+    description: Encrypted Private Key / Private Key Info
   bles:
     description:
+  rtmu:
+    description: Restore TMU for AP
+    type: digest-object
+    recovery: true
   BNCH:
     description: Boot Nonce Hash - based on the values of com.apple.System.boot-nonces
   BORD:
@@ -115,24 +161,39 @@ img4_tags:
     alias:
       - board-id
   bstc:
-    description:
+    description: Base Sysetm Static Trust Cache
+    type: digest-object
+    subtype: trust-cache
   bsys:
-    description:
+    description: Base System Seal Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
   CEPO:
     description: |-
       Certificate/Chip Epoch.  This is a unit of roll-forward time (monotonic) that allows for any security issues
       in the prior epoch to be fixed by a anti-rollback scheme.
+    nullable: true
+    type: boolean
     alias:
       - chip-epoch
   cfel:
     description:
   chg0:
     description: Charging Image 0
+    type: digest-object
+    subtype: graphic
+  faic:
+    description:
+    type: integer
+    default: 0
   chg1:
     description: Charging Image 1
+    type: digest-object
+    subtype: graphic
   CHIP:
     description: Unique identifier for a single Apple designed application processor
       sharing the same GID key
+    type: integer
     width: 2
   nsph:
     description: preboot splat manifest hash
@@ -144,14 +205,17 @@ img4_tags:
     description:
   cmsv:
     description:
+  rans:
+    description: Restore Apple NAND Storage Firmware
+    type: digest-object
   coih:
     title: CustomOS Image4 Manifest Hash (coih)
     description: >
       The `coih` is an SHA384 hash of CustomOS Image4 manifest. The payload for that manifest is used
       by iBoot (instead of the XNU kernel) to transfer control. Users change the `coih` value implicitly when
       they use the `kmutil` configure-boot command-line tool in 1TR.
-    type: binary
-    subtype: sha2-384
+    type: digest-object
+    subtype: IM4M
     access:
       write:
         - 1TR
@@ -159,31 +223,71 @@ img4_tags:
     description: Chip promotion fuse value (what is burned in)
     alias:
       - certificate-production-status
+    nullable: true
     type: boolean
   CSEC:
     description: Burned-in chip security mode
+    type: boolean
+    nullable: true
     alias:
       - certificate-security-mode
   csys:
-    description:
+    description: Install / Restore SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
   dali:
     description:
   data:
     description:
+  casy:
+    description: App Cryptex SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
+    roots:
+    - ExtraContent
+  cssy:
+    description: System Cryptex SSV Root Hash
+    type: digest-object
+    subtype: ssv-root-hash
+    roots:
+    - ExtraContent
   DGST:
     description: payload digest
   diag:
     description:
+  trca:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
+  csos:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
+  trcs:
+    description:
+    type: digest-object
+    roots:
+    - ExtraContent
   disk:
     description:
   DPRO:
-    description:
+    description: Demote from Production Request
+      Value is used by TSS sever to issue EPRO values, or effective AP prodctuion state.
   DSEC:
-    description:
+    description: Demote from Secure Request
+      Value is used by TSS server to issue ESEC values, or effective AP Security Mode should the
+      requester be authorized.  These requests are not available to consumers, only to Apple Internal.
   dtre:
     description: device tree
+    type: digest-object
+    subtype: device-tree
   dtrs:
     description: device tree for recovery
+    type: digest-object
+    subtype: device-tree
+    recovery: true
   ECID:
     description: Exclusive chip identifier.  This is burned into an eFuse at time
       of manufacture and unique across all devices sharing the same CHIP
@@ -204,10 +308,16 @@ img4_tags:
     description:
   EKEY:
     description: Effective chip promoted
+    nullable: false
+    type: boolean
   EPRO:
     description: Effective chip promotion / demotion state (if CPFM 03 this must be 0 to set ESEC)
     alias:
       - effective-production-status-ap
+    nullable: false
+    type: boolean
+  secb:
+    description: Sets a security value such as `trst` or the FDR signing trust object.  "security blob?"
   esca:
     description:
   hrlp:
@@ -224,6 +334,7 @@ img4_tags:
         - macOS
   esdm:
     description: Extended Security Domain fuses
+    type: integer
     alias:
       - esdm-fuses
   styp:
@@ -231,6 +342,37 @@ img4_tags:
     type: u32
     alias:
       - cryptex subtype
+    roots:
+    - ExtraContent
+  acid:
+  WSKU:
+    description: Wireless SKU
+  WMac:
+    description: Wireless MAC Address
+  TMac:
+    description: Thunderbolt MAC Address
+    manifest: true
+  BMac:
+    description: Bluetooth MAC Address
+    manifest: true
+  SrNm:
+    description: Unit Serial Number
+    manifest: true
+  ptrp:
+  snuf:
+    description: Staged next update firmware?
+  Regn:
+    description: Region Code
+    example: LL/A
+    type: string
+    manifest: true
+  Mod#:
+  CLHS:
+  HmCA:
+  FSCl:
+  ADCL:
+  clid:
+  hop0:
   oppd:
     description: Unknown, used by `stg1`/`sepi` - sha384 hash sized
   ESEC:
@@ -240,25 +382,49 @@ img4_tags:
   euou:
     description: engineering use-only unit
   clas:
-    description: product class
+    description: Class for Key / Object - Found in FDR objects
+    examples:
+    roots:
+    - ExtraContent
   psmh:
     description: previous stage manifest hash
+
   fchp:
-    description: Cryptex1,ChipID
+    description: Cryptex1,ChipID - Mask
+    roots:
+    - ExtraContent
   fdrs:
     description:
+  rvok:
+    description: Trust object revocation list
+  trpk:
+    description: Trust public keys
+  rssl:
+    description: The valid CA used for secure communications with the FDR server to obtain the FDR objects.  This
+      differs from the `trst` object as `rssl` is in transit and `trst` is at rest.
   fdrt:
     description:
   file:
     description:
   fpgt:
     description:
+  ftab:
+    description: >
+      Factory Trust - Auto Boot
+      FTAB images (used for devices such as AirPods, etc) are "hacktivated" or pre-APTicket'ed devices as they
+      lack either a restore connection, or persistet memory.  Common early usage of this was the Heywire dongles
+      used for video conversion on the Mac.  It was simplest for the device to lack NAND and simply receive the
+      firmware from a host on powerup.  FTAB files are fully ready to run blobs often including RTKit OS based
+      memory images.
   ftap:
-    description:
+    description: >
+      Factory Trust - Application Processor
+    type: hash
   ftot:
-    description:
+    description: Factory Trust - Other
   ftsp:
-    description:
+    description: Factory Trust - SEP
+    type: hash
   fuos:
     description: Fully Unsigned OS
   gfxf:
@@ -266,7 +432,7 @@ img4_tags:
   ging:
     description:
   glyc:
-    description:
+    description: Gyroscope Calibration
   glyp:
     description:
   hash:
@@ -279,14 +445,34 @@ img4_tags:
     description:
   homr:
     description:
-  hrlp:
-    description:
+  cnch:
+    roots:
+    - ExtraContent
+  ndom:
+    roots:
+    - ExtraContent
+  pave:
+    description: XNU version string?
+    type: string
+    roots:
+    - ExtraContent
   hypr:
     description: Hypervisor
   iBEC:
     description: iBoot Epoch Change
-  iBoot:
+  ibot:
     description: iBoot
+  ibdt:
+  ibd1:
+  glyP:
+  ibss:
+  dven:
+  dcp2:
+  ciof:
+  batF:
+  ansf:
+  rfcg:
+    type: boolean
   iBSS:
     description: iBoot Second Stage
   ienv:
@@ -308,19 +494,21 @@ img4_tags:
   ispf:
     description: Image Signal Processor Firmware
   isys:
-    description: iBridge System
+    description: Install System SSV Root Hash
   itst:
     description:
   iuob:
     description:
   iuos:
-    description:
+    description: Internal Use Only Software
   iuou:
-    description:
+    description: Internal Use Only Unit
   kdlv:
     description:
   krnl:
     description: Kernel
+  acdc:
+    description:
   kuid:
     title: Key encryption key (KEK) Group UUID (kuid)
     description: >
@@ -341,7 +529,8 @@ img4_tags:
   LNCH:
     description:
   lobo:
-    description: Local Boot
+    description: Local Boot Object.  Indicates that the object is to be used as the target of a local boot only
+      and not provided by the server for remote / DFU boots.
   logo:
     description: Apple logo image
   love:
@@ -356,16 +545,25 @@ img4_tags:
         - 1TR
         - recoveryOS
         - macOS
+    roots:
+    - ManifestKey-DataCenter
   prtp:
     description: Product ID String
     type: string
     example: iPhone16,2
+    roots:
+    - ManifestKey-DataCenter
   sdkp:
-    description: SEP Product Type
+    description: SDK for Product
     type: string
-    example: iphoneos
+    roots:
+    - ManifestKey-DataCenter
+    values:
+    - iphoneos
+    - macos
   lphp:
     description:
+  mspr:
   lpnh:
     title: LocalPolicy Nonce Hash (lpnh)
     description: >
@@ -394,7 +592,7 @@ img4_tags:
   magg:
     description:
   MANB:
-    description:
+    description: Manifest B
   MANP:
     description: Manifest Payload
   manx:
@@ -414,7 +612,7 @@ img4_tags:
   msec:
     description:
   msys:
-    description:
+    description: Merkle Tree Metadata for System Disk
   mtfw:
     description:
   name:
@@ -426,7 +624,8 @@ img4_tags:
   nsrv:
     description:
   OBJP:
-    description:
+    description: Object Properties - Values that may be assigned per "object" (firmawres) that contain a `DGST`
+    type: sequence
   omer:
     description:
   ooth:
@@ -455,6 +654,8 @@ img4_tags:
     description:
   pmpf:
     description: Power Management Processor Firmware
+    type: digest-object
+    subtype:
   pndp:
     description:
   prot:
@@ -465,8 +666,8 @@ img4_tags:
       over time (because nonces like lpnh are frequently updated). The prot field, which is found only in each
       macOS LocalPolicy, provides a pairing to indicate the recoveryOS LocalPolicy that corresponds to the
       macOS LocalPolicy.
-    type: binary
-    subtype: sha2-384
+    type: digest-object
+    subtype: trust-measurement
     access:
       write:
         - 1TR
@@ -474,18 +675,25 @@ img4_tags:
         - macOS
   rbmt:
     description:
+  mtpf:
   rddg:
     description:
   rdsk:
-    description: Restore Disk Image
+    description: Restore Disk Image / ramdisk
   rdtr:
     description:
   recm:
     description:
+  rcfg:
+    description: >
+      Appears in certificates issues by factory such as `T6031-SDOM1-TssLive-ManifestKey-RevA-Factory`.
+      Potentially indicates that the policy is for a recovery boot only.
+    type: boolean
   rfta:
     description:
   rfts:
     description:
+  rdcp:
   rkrn:
     description: restore kernel
   rlgo:
@@ -494,6 +702,7 @@ img4_tags:
     description:
   rolp:
     description: recoveryOS local policy
+    type: boolean
   ronh:
     title: recoveryOS Nonce Hash (ronh)
     description: >
@@ -526,6 +735,8 @@ img4_tags:
       change the nsih value implicitly when they perform a software update.
     type: binary
     subtype: sha2-384
+    context:
+      lpol:
     access:
       write:
         - 1TR
@@ -534,9 +745,10 @@ img4_tags:
   spih:
     description: Cryptex1 Image4 Hash
   stng:
-    description: Cryptex1 Generation
+    description: Cryptex1 Generation / Cryptex type?
   auxh:
     description: User Authorized Kext List Hash
+    context:
   rpnh:
     title: Remote Policy Nonce Hash (rpnh)
     description: >
@@ -552,15 +764,19 @@ img4_tags:
         - macOS
   RSCH:
     description: Research mode
+  rcio:
+    description: Restore CIO
   fgpt:
-    description: factory pre-release global trust
+    description: factory glob al pre-release trust
   UDID:
     description: universal device identifier
   rsch:
     description: research mode
   vnum:
-    description: maximum restore version
+    description: Version Number - Update Maximum
     type: string
+    roots:
+    - ExtraContent
   rsep:
     description: Restore SEP Image, paired with oppd/tbms
     type: string
@@ -615,21 +831,21 @@ img4_tags:
   slvn:
     description:
   smb0:
-    description: Secure Multi-Boot 0 - Security Mode - Full Security, Reduced, Disabled
+    description: Secure Multi-Boot 0 - Security Mode - Full Security, Reduced, Disabled - Setting to 1 sets to reduced
   smb1:
-    description: Secure Multi-Boot 1
+    description: Secure Multi-Boot 1 - Setting to 1 allows Permissive
   smb2:
     description: Secure Multi-Boot 2 - 3rd Party Kexts Status
   smb3:
     description: Secure Multi-Boot 3 - User-allowed MDM Control
   smb4:
     description: Secure Multi-Boot 3 - DEP-allowed MDM Control
+  smb5:
+    description: Unknown - but known to exist in Factory signing
   SNON:
     description: SEP Nonce
   snon:
     description: SEP Nonce
-  snuf:
-    description:
   srnm:
     description:
   ster:
@@ -637,12 +853,14 @@ img4_tags:
   svrn:
     description: Server nonce
   tbmr:
-    description: Trusted Boot Measurement (Root?)
+    description: Trusted Boot Measurement (Recovery/Root?)
   tbms:
     description: Trusted Boot Measurement (Signature?)
     notes: Likely encrypted by the SEP and opaque to the AP
   tatp:
-    description: Board Name (such as d84)
+    description: Board Name (such as d84) - Target AP Test
+    roots:
+    - ManifestKey-DataCenter
   tery:
     description:
   test:
@@ -650,11 +868,19 @@ img4_tags:
   tics:
     description:
   trst:
-    description: Trust Cache
+    description: Trust Object
   tsys:
     description:
   type:
     description: Cryptex Type
+    type: integer
+    roots:
+    - ExtraContent
+  caos:
+    description:
+    type: digest-object
+    root:
+    - ExtraContent
   ucer:
     description: User Cert
   ucon:
@@ -664,6 +890,8 @@ img4_tags:
   uidm:
     description:
     type: boolean
+    roots:
+    - ManifestKey-DataCenter
   vice:
     description:
   vkdl:
@@ -682,6 +910,11 @@ img4_tags:
       - macOS
   ware:
     description:
+  sski:
+    description: SHA2 os some kind
+    type: binary
+  inst:
+    descryption: The key or file to install
   wchf:
     description: Wireless Charging Framework
   xbtc:

data/share/pki.yaml

@@ -5,16 +5,25 @@ metadata:
 certificate_names:
   dcrt: device certificate
   dcrt-oid: device owner certificate
-  lcrt: local certificate?
+  lcrt: Lynx / Secure Storage for SEP Certificate
   pcrt: product/production certificate?
   rcrt: remote/recovery certificate?
-  scrt: server certificate?
+  scrt: SEP Certificate
   tcrt: test certificate?
   ucrt: user certificate (mapps to a single iCloud account)
   vcrt: virtual certificate?
+keys:
+  uik:
+    description: User Identity Key
+  sik:
+    description: System Identity Key
+  oik:
+    description: Owner Identity Key (the first password after restore)
 constants:
   private_oid_root: 1.2.840.113635
 oids:
+  - oid: 1.2.840.113635.100.6.17
+    description: Contains the name of the key
   - oid: 1.2.840.113635.100.5.3
     apple_description: ADC Certificate Policy
   - oid: 1.2.840.113635.100.5.4
@@ -31,17 +40,30 @@ oids:
     apple_description: Apple World Wide Developer Relations Certificates for Code Signing for Test Release through the iTMS
   - oid: 1.2.840.113635.100.6.1.4
     apple_description: Apple World Wide Developer Relations Certificates for Code Signing GM from developer to Apple
+  - oid: 1.2.840.113635.100.6.16
+    description:
+      A sequence of FDR programming commands, seperated by ";".  Each command is "PUT" or "GET" prior to a
+      4CC value, followed by a ":" then the value of the key.
+    example:
+      PUT/FSCl:sik-FXFYFXFFYFFEX-QQRRRDEETFEFYCEIESLIREILCILESCLSELRESERSER
   - oid: 1.2.840.113635.100.6.1.15
+    name: TSS Signing Delegation Constraints
     description:
-      Contains the boot policy of the machine during certificate issuance
-      based on boot policy.  includes BORD, ronh, lobo, SDOM, lpnh, rpnh
-      BNCH, CSEC, CHIP, ECID, CPEO, OBJP, EPRO, DPRO, ESEC, DSEC and DGST
+      Constriction on values that can be specified or signed by this certificate.  Conatins two sub-sequesnces, the MANP (Manifest Properties)
+      and the OBJP (Object Properties).  Manifest properties are at the issued IM4M, and object properties are per signed object (firmware).
+      Values of NULL mean tha tthis certificate can sign any value for that property, values that are set are values that must be signed
+      with that value by this certificate.  This is how for example `T6031-SDOM1` is enforced.  The certificate for that set of servers
+      have a null value for ECID (meaning it can be used for any ECID) and have fixed values for CHIP / Security Domain SDOM.
+
+      This is how Live TSS for customers differs from factory signing in what properties it can include.  Factory only manifest properties
+      include `augs`, `uidm`
     found_in:
       - ucrt
       - dcrt-oid
     issuers:
       - Basic Attestation User Sub CA2
       - FDRDC-UCRT-SUBCA
+      - T6031-SDOM1-TssLive-ManifestKey-RevA-Factory
     ous:
       - BAA Certification
       - ucrt Leaf Certificate
@@ -64,7 +86,7 @@ oids:
   - oid: 1.2.840.113635.100.7.1.1
     apple_description: 'Apple FairPlay certificate extended Application Authentication & Authorization: Policy'
   - oid: 1.2.840.113635.100.8.4
-    description: contains 3 integer values in ASN1, the second of which seems to be a 64bit mask of 0xFE000000
+    description: Contains a sequence of integer values.  Some are 0, some are 1, others appear to be int32 bitmasks.
     is_asn_body: true
     is_extension: true
     found_in:
@@ -75,6 +97,7 @@ oids:
     ous:
       - BAA Certification
   - oid: 1.2.840.113635.100.8.5
+    description: Similar in nature to `1.2.840.113635.100.8.4`. Non-integer values observed of `ssca`.
     is_asn_body: true
     is_extension: true
     found_in:
@@ -171,4 +194,31 @@ known_symbols:
     - _oidAppleSecureBootCertSpec
     - _oidAppleSecureBootTicketCertSpec
     - _oidAppleTVOSApplicationSigningProd
-    - _oidAppleTVOSApplicationSigningProdQA
+    - _oidAppleTVOSApplicationSigningProdQA
+roots:
+  FDR-CA1-ROOT-CM:
+  FDR-DC-SSL-ROOT:
+  FDR Sealing Server CA 1:
+    subordinate_cas:
+      FDR-SS-CM-E1:
+  Basic Attestation User Root CA:
+    subordinate_cas:
+      Basic Attestation User Sub CA2:
+        description:
+          Issues `ucrt` subordinate CA's that are used for user level signing.  Under this `BAA Certification`
+          certs are issued.
+  Apple Secure Boot Root CA - G6:
+    subordinate_cas:
+      T6031-SDOM1-RecoveryBoot-RevA-Factory:
+        description:
+      T6031-SDOM1-TssLive-ManifestKey-RevA-Factory:
+  Apple X86 Secure Boot Root CA - G1:
+    subject_key_id: 301680147D73CE0A3B41A1A352D2B1141EF6F5B4DD76E6E8
+    subordinate_cas:
+      T6031-SDOM1-TssLive-ManifestKey-Global-RevA-DataCenter:
+        subject_key_id: 0414D8B9E3E9C4A1C542ECB72FC2CF0C2F861E1B3EEF
+  Apple Extra Content Global Root CA - G1:
+    subject_key_id: 30168014AA63251D082C72A381536C94D2864995881CB0D0
+    subordinate_cas:
+      ZFF10-SDOM1-TssLive-ManifestKey-ExtraContent-Global-RevA-DataCenter:
+        subject_key_id: 041442FEAB470561CE2A7471B55AC0D81AB7536F4B36

data/share/terms.yaml

@@ -195,6 +195,25 @@ terms:
       debugging, but nearly all kernels shipped by Apple can be debugged if the proper
       `boot-args` are passed on startup.
   kernel:
+  baa:
+  - title: Basic Attestation Authority (BAA)
+  oik:
+    - title: Owner Identity Key (OIK)
+  uik:
+    - title: User Identity Key (UIK)
+  ucrt:
+    - title: User identity Certificate (ucrt)
+  oic:
+    - title: Owner Identity Certificate (OIC)
+  LLB:
+  LocalPolicy:
+  RemotePolicy:
+  1TR:
+  sik:
+  oid:
+  pka:
+  siK:
+    - title: System Identity Key
   kernelcache:
   - title: Kernel Cache
     description: A kernel cache is a combined object that contains the kernel itself

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: apple-data
 version: !ruby/object:Gem::Version
-  version: 1.0.602
+  version: 1.0.604
 platform: ruby
 authors:
 - Rick Mark
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 2024-02-18 00:00:00.000000000 Z
 dependencies: []
 description: |2
       This package includes machine readable data about Apple platforms maintained by hack-different.