Well, if you want to distrust Apple software you probably shouldn't be trusting their hardware, either.
That being said, I actually think this is a reasonable way to do secure boot. The default OS the device ships with can be validated, but there's still a proper owner override so you can boot into Linux or whatever. They even use the SEP to validate that the owner override has been tripped by the owner. The first user account you make gets handed a key generated by the SEP that can be used to sign kernels, so only that account can actually use the owner override. This is a good way to stop evil-maid attacks in their tracks while still not locking the user out of their property.
My only real complaint is that Apple's gone to great lengths to ensure the iOS side of their business is completely unaffected by owner overrides:
- If you boot into an owner-signed OS volume, macOS disables it's iOS support
- iPad-fused M1s won't generate or respect owner keys
This is silly. If individual iOS applications are sensitive to owner overrides, then they already have devicecheck APIs to get a cryptographic attestation that they haven't been tampered with. The SEP could flag those attestations as coming from an owner-signed kernel and picky banking apps[0] could check for that.
[0] And Pokemon GO, because it's easier to blacklist jailbroken users than to enforce a rate limit on GPS jumps
That being said, I actually think this is a reasonable way to do secure boot. The default OS the device ships with can be validated, but there's still a proper owner override so you can boot into Linux or whatever. They even use the SEP to validate that the owner override has been tripped by the owner. The first user account you make gets handed a key generated by the SEP that can be used to sign kernels, so only that account can actually use the owner override. This is a good way to stop evil-maid attacks in their tracks while still not locking the user out of their property.
My only real complaint is that Apple's gone to great lengths to ensure the iOS side of their business is completely unaffected by owner overrides:
- If you boot into an owner-signed OS volume, macOS disables it's iOS support
- iPad-fused M1s won't generate or respect owner keys
This is silly. If individual iOS applications are sensitive to owner overrides, then they already have devicecheck APIs to get a cryptographic attestation that they haven't been tampered with. The SEP could flag those attestations as coming from an owner-signed kernel and picky banking apps[0] could check for that.
[0] And Pokemon GO, because it's easier to blacklist jailbroken users than to enforce a rate limit on GPS jumps