Dice Question Streamline Icon: https://streamlinehq.com

Secure Kernel SVC endpoints beyond immediate value 0

Characterize Secure Kernel’s SVC handling for immediate values other than 0 and enumerate the functions exposed to GL0 clients via those SVC endpoints.

Information Square Streamline Icon: https://streamlinehq.com

Background

The authors analyzed SK’s handling of SVC #0 (which indexes a function table via a user-provided pointer) but have not reverse engineered SK’s handling for other SVC immediate values.

Documenting these endpoints is key to understanding the secure-world service surface available to GL0 components.

References

The SVC handling for different IMM values and the further functionality offered by SK to its GL0 clients has not yet been reverse-engineered by us and is left for future work.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section Secure Kernel — SVC Handling