Please allow AMFITrustedKeys to be used without an IUOU/IUOS

Number:rdar://FB9966966 Date Originated:March 25, 2022, 7:08 PM
Status:Open Resolved:
Product:macOS – Security Product Version:12.3
Classification:Suggestion Reproducible:Yes
AMFITrustedKeys is an nvram variable that can be set to load additional code signing identities that are recognized with the same respect as Apple Root CA. This variable is only respected on IUOUs or IUOSs. This variable is a far more secure way of working with AMFI, especially when compared to the publicly documented solution which is to disable AMFI in its entirety via amfi_get_out_of_my_way.

This variable should only be configurable from 1TR to further ensure that the owner is physically present and carrying out this change. It would make it much easier for enthusiasts to tinker with their computers without fully disabling one of the larger security mechanisms in the OS.


March 26, 2022, 3:02 PM

Another example is I want to be able to create an Apple TV Remote that uses private frameworks. Sure, they’re private, but I’d like to tinker for the sake of fun. I would like to be able to tinker this way without disabling a vital part of my system security.

March 25, 2022, 7:28 PM

I’d also like to note that (per documentation visible on open-source projects) AMFITrustedKeys is documented under the “TrustedExecution” page on Confluence, and the job description for the Trusted Execution team says:

Apple’s Trusted Execution team builds the technology to keep our users safe and care-free while running the software that they want.

I want to run software with private entitlements so I can do things like make my own volume HUD.

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!