EL1 vs EL2 and PAC key separation
ARM’s Exception Levels (EL) define privilege domains:
- EL0 is unprivileged user space (apps),
- EL1 is the operating‐system kernel, and
- EL2 is the hypervisor.
On Apple Silicon Macs, XNU itself boots and runs at EL2 (with VHE enabled), and the Hypervisor framework that the Virtualization framework builds on lives inside that kernel; guest kernels run at EL1 and guest user space at EL0. What matters for PAC is that ARMv8.3 provides a single set of key registers (APIAKey_EL1, APIBKey_EL1, APDAKey_EL1, APDBKey_EL1 and APGAKey_EL1), and the PAC* and AUT* instructions use those same registers whichever Exception Level is executing. The hardware does not swap keys on its own when the CPU takes an exception from EL0 to EL1, or when a guest at EL1 traps to the hypervisor at EL2. Key separation between domains is therefore a software contract enforced by the more privileged level: the kernel installs its own keys on entry from user space and the process's keys on return to it (XNU does this with Apple-specific mechanisms; the architectural key registers are only writable at EL1 and above, which is also why EL0 can never read or replace its own keys), and a hypervisor saves the guest's keys and restores its own on every VM exit, then reloads the guest's on VM entry, the same save/restore KVM performs per vCPU. The "tweak" is not per-domain either: it is the modifier each PAC instruction takes as an operand (typically the stack pointer for return addresses, or a type discriminator for data pointers), and it is what stops a pointer signed in one context from being replayed in another context under the same key. The PAC cipher is QARMA in Arm's reference design; Apple has not documented which algorithm its cores use, so "QARMA round keys" should not be assumed.
With the keys managed this way, a pointer signed inside a guest VM carries a PAC computed under the guest's keys. If a hypervisor bug lets such a value reach host code, authenticating it under the host's keys fails and AUT* yields a poisoned, non-canonical pointer that faults on use, because the hypervisor swapped the key registers on VM exit. That raises the bar for an escape built on corrupted hypervisor pointers, but it is a property of the hypervisor's key management rather than an automatic guarantee of the hardware: a hypervisor that left the guest's keys in the registers after exit would have none of it.
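The key-switching contract described above, as an added example (not Apple's, Arm's or XNU's code): a C model in which one global set of key registers serves every Exception Level, a hypervisor swaps them by hand on VM entry and exit, and a pointer signed under the guest's IA key is accepted by the guest's AUTIA but rejected by the host's. The pointer layout (48-bit VA, TBI off, PAC in bits 62:48), the throwaway mix function standing in for the real cipher, and the vcpu/vm_enter/vm_exit names are assumptions made for this demo.

```c
/* Toy model of ARMv8.3 PAC key handling across privilege domains.
 * Added example, not Apple's or Arm's code. The PAC "cipher" below is a
 * throwaway keyed mixer standing in for QARMA / Apple's undocumented
 * cipher; the pointer layout (48-bit VA, TBI off, PAC in bits 62:48) and
 * the vcpu/vm_enter/vm_exit names are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48
#define PAC_BITS  15
#define PAC_FIELD (((1ULL << PAC_BITS) - 1) << PAC_SHIFT)

/* One set of key "registers" for the whole CPU. This mirrors the
 * architecture: APIAKey_EL1 ... APGAKey_EL1 are used whatever EL is
 * executing; nothing in hardware swaps them on an exception. */
struct pac_keys { uint64_t ia, ib, da, db, ga; };
static struct pac_keys cpu_keys;

void pac_load_keys(struct pac_keys k) { cpu_keys = k; }   /* like MSR APxKey_EL1 */

/* Stand-in PAC function: key and modifier both feed the mix, output is
 * truncated to the PAC field. Not cryptographically meaningful. */
static uint64_t pac_compute(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t x = (ptr & ~PAC_FIELD) ^ modifier;
    for (int r = 0; r < 4; r++) {
        x ^= key + 0x9E3779B97F4A7C15ULL * (uint64_t)(r + 1);
        x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 27; x *= 0x94D049BB133111EBULL;
        x ^= x >> 31;
    }
    return (x >> 17) & ((1ULL << PAC_BITS) - 1);
}

/* PACIA: sign a code pointer with the current IA key and a modifier
 * (the "tweak": SP for return addresses, a discriminator for others). */
uint64_t pacia(uint64_t ptr, uint64_t modifier)
{
    return (ptr & ~PAC_FIELD) | (pac_compute(ptr, modifier, cpu_keys.ia) << PAC_SHIFT);
}

/* AUTIA: return the plain pointer if the PAC verifies under the current
 * IA key; otherwise return a poisoned, non-canonical pointer, as the real
 * instruction does, so the first use faults instead of proceeding. */
uint64_t autia(uint64_t signed_ptr, uint64_t modifier)
{
    uint64_t expect = pac_compute(signed_ptr, modifier, cpu_keys.ia) << PAC_SHIFT;
    uint64_t plain  = signed_ptr & ~PAC_FIELD;
    return ((signed_ptr & PAC_FIELD) == expect) ? plain : (plain | (1ULL << 62));
}

int pac_is_canonical(uint64_t ptr) { return (ptr & PAC_FIELD) == 0; }

/* Hypervisor side: the guest's keys are vcpu state owned by the host. */
struct vcpu { struct pac_keys guest_keys, saved_host_keys; };

/* World switch. The EL2<->EL1 transition itself leaves the key registers
 * untouched, so the hypervisor swaps them by hand, as KVM does per vcpu. */
void vm_enter(struct vcpu *v) { v->saved_host_keys = cpu_keys; cpu_keys = v->guest_keys; }
void vm_exit(struct vcpu *v)  { v->guest_keys = cpu_keys; cpu_keys = v->saved_host_keys; }

/* Scenario: a pointer signed inside the guest later reaches host code
 * (through some hypothetical hypervisor bug). Returns 1 when the guest's
 * own AUTIA accepts it but the host's AUTIA, under host keys, rejects it. */
int demo_guest_pac_rejected_by_host(void)
{
    struct pac_keys host  = { .ia = 0xA5A5C3C3F00DBEEFULL, .ib = 1, .da = 2, .db = 3, .ga = 4 };
    struct pac_keys guest = { .ia = 0x0123456789ABCDEFULL, .ib = 5, .da = 6, .db = 7, .ga = 8 };
    struct vcpu v = { .guest_keys = guest };
    uint64_t target = 0x00007F00C0DE1000ULL;   /* constructed address, PAC field clear */
    uint64_t sp     = 0x00007FFFFFFFE000ULL;   /* constructed SP used as modifier */

    pac_load_keys(host);                        /* host keys installed at boot */

    vm_enter(&v);
    uint64_t guest_signed = pacia(target, sp);  /* signed under the guest IA key */
    int ok_in_guest = pac_is_canonical(autia(guest_signed, sp));
    vm_exit(&v);                                /* host keys back in the registers */

    int ok_in_host = pac_is_canonical(autia(guest_signed, sp));
    return ok_in_guest && !ok_in_host;
}

int main(void)
{
    printf("guest-signed pointer rejected by host: %s\n",
           demo_guest_pac_rejected_by_host() ? "yes" : "NO (key swap missing?)");
    return 0;
}
```

Build with `cc -std=c11 -Wall pac_domains.c && ./a.out`. Deleting the restore in vm_exit makes the demo report the failure case: the guest's keys stay in the registers, host AUTIA validates the guest-signed pointer, and the cross-domain isolation the text relies on is gone. That is the bug a hypervisor's world-switch path must not have.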