"Mitigating the problem requires running your OS at EL1, where the problem register can be disabled, and then having at least some kind of minimal hypervisor at EL2 to deal with those traps (otherwise running an app that uses the register would just crash your machine instead)," explains Martin. "The macOS virtualization framework only supports running as a Type 2 hypervisor. So, to fix this, they'd have to re-design the entire thing to work as a Type 1 hypervisor."
"Basically, Apple decided to break the Arm spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS," he explains in his post. "And then it turned out that removing that feature made it much harder for existing OSes to mitigate this vulnerability."
The Register asked Apple whether a fix is planned prior to its next M1 release, said to be designated M1X and expected to power a future MacBook Pro update.
Martin suggests that exploitation on iOS could be used to defeat privacy protections, noting that a malicious keyboard app might be able to function as a keylogger by sending typed text to another malicious app that could then forward the info to the internet. However, he says Apple's restrictions on generating code at runtime mean the company could find exploit attempts by subjecting App Store submissions to static analysis. The M1 flaw affects macOS Big Sur, Linux v5.13+, and iOS/iPadOS on the A14 chip, which according to Martin shares the same vulnerability. Apple, he says, was informed of the bug 90 days before he released his findings and assigned it CVE-2021-30747 in response.
Martin has published a proof-of-concept script that demonstrates reading from and writing to the overly talkative system register, and a second proof-of-concept script that sets up a covert channel between two processes on an M1 system.
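As an added illustration of the static-analysis idea above (this is example code written for this page, not Martin's proof of concept and not any Apple review tooling): a small decoder for the AArch64 MRS/MSR instruction encoding that walks a code section and flags every access to a watched system register. The register name it watches, s3_5_c15_c10_1, is taken from Martin's M1RACLES write-up rather than from this article, and the sample "text section" is six hand-assembled instruction words constructed for the example.

```python
import re
import struct

# Assumption (from Martin's M1RACLES disclosure, not stated on this page): the
# leaky register is s3_5_c15_c10_1, reachable from EL0 with ordinary MRS/MSR.
WATCHED_SYSREGS = {
    "s3_5_c15_c10_1": "M1RACLES covert-channel register (CVE-2021-30747)",
}

# AArch64 system-register moves (Arm ARM, "System register move"):
#   MRS Xt, <sysreg>:  1101 0101 0011 o0 op1 CRn CRm op2 Rt
#   MSR <sysreg>, Xt:  1101 0101 0001 o0 op1 CRn CRm op2 Rt
# op0 = 2 + o0; the register above is op0=3, op1=5, CRn=15, CRm=10, op2=1.
OPCODE_MASK = 0xFFF00000
MRS_OPCODE = 0xD5300000
MSR_OPCODE = 0xD5100000
SYSREG_NAME = re.compile(r"s([23])_([0-7])_c(\d{1,2})_c(\d{1,2})_([0-7])")


def decode_sysreg_insn(word):
    """Return (mnemonic, sysreg_name, rt) for an MRS/MSR word, else None."""
    opcode = word & OPCODE_MASK
    if opcode == MRS_OPCODE:
        mnemonic = "mrs"
    elif opcode == MSR_OPCODE:
        mnemonic = "msr"
    else:
        return None  # MSR-immediate, hints, SYS/SYSL and everything else
    o0 = (word >> 19) & 1
    op1 = (word >> 16) & 0x7
    crn = (word >> 12) & 0xF
    crm = (word >> 8) & 0xF
    op2 = (word >> 5) & 0x7
    rt = word & 0x1F
    return mnemonic, f"s{2 + o0}_{op1}_c{crn}_c{crm}_{op2}", rt


def encode_sysreg_insn(mnemonic, name, rt):
    """Inverse of decode_sysreg_insn; used here to build signatures/test data."""
    m = SYSREG_NAME.fullmatch(name)
    if m is None or not 0 <= rt <= 31:
        raise ValueError(f"bad system register spec {name!r} / rt={rt}")
    op0, op1, crn, crm, op2 = map(int, m.groups())
    if crn > 15 or crm > 15:
        raise ValueError(f"CRn/CRm out of range in {name!r}")
    base = {"mrs": MRS_OPCODE, "msr": MSR_OPCODE}[mnemonic]
    return (base | ((op0 - 2) << 19) | (op1 << 16) | (crn << 12)
            | (crm << 8) | (op2 << 5) | rt)


def scan_text(blob, watched=WATCHED_SYSREGS):
    """Walk a little-endian AArch64 code blob 4 bytes at a time and report every
    MRS/MSR that names a watched register as (offset, mnemonic, name, rt)."""
    hits = []
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        decoded = decode_sysreg_insn(word)
        if decoded is not None and decoded[1] in watched:
            hits.append((off, *decoded))
    return hits


# Constructed sample "__text" section: six hand-assembled instruction words,
# two of which touch the watched register (read into x0, write from x1).
SAMPLE_TEXT = struct.pack(
    "<6I",
    0xD2800020,  # mov  x0, #1
    encode_sysreg_insn("mrs", "s3_5_c15_c10_1", 0),  # mrs x0, s3_5_c15_c10_1
    0xD503201F,  # nop
    0xD53BE042,  # mrs  x2, cntvct_el0  (s3_3_c14_c0_2: benign, not flagged)
    encode_sysreg_insn("msr", "s3_5_c15_c10_1", 1),  # msr s3_5_c15_c10_1, x1
    0xD65F03C0,  # ret
)

if __name__ == "__main__":
    for off, mnemonic, name, rt in scan_text(SAMPLE_TEXT):
        print(f"0x{off:04x}: {mnemonic} {name} (x{rt}) -> {WATCHED_SYSREGS[name]}")
```

In practice you would feed `scan_text` the bytes of each executable section pulled out of the submitted Mach-O (with whatever Mach-O parser you already use) rather than the whole file, since scanning headers and data with a 4-byte stride produces occasional false positives. Match on the register fields rather than on one fixed instruction word: the Rt field is whatever general-purpose register the compiler picked, so a signature for a single word misses most real uses. The check is only as strong as the premise in the article that third-party iOS apps cannot generate code at runtime; on a platform that allows JIT, the instruction need never appear in the shipped binary.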