Dan Munro - Dev-Sec-Ops Engineer

New T2 Security Chip Details

T2 Chip via iFixit: https://www.ifixit.com/Teardown/iMac+Pro+Teardown/101807

Apple’s new hardware event revealed several new devices. These devices are, with little surprise, thinner, faster, and have fewer ports (if that is possible). To be honest, the author didn’t even watch the event, because that was not the interesting news of the day.

Automatic Microphone Disconnect

The second iteration of Apple’s T2 security chip was also briefly announced. This new version adds a hardware disconnect for the internal device microphone that activates when the device lid closes. By automatically engaging the hardware disconnect, Apple has added a layer of protection against a compromised microphone listening in on conversations while the device is closed.

This is a downright cool feature. But it wasn’t until after the event, when the chip’s white paper was released, that we learned more about its design and function.

T2 Architecture

The T2 chip writes encrypted data to memory, storing the key within its Secure Enclave coprocessor (in addition to other sensitive system information, such as FileVault encryption keys, Touch ID algorithms, secure boot, and other essential system controllers).

A hardware-based random number generator is built in.

By isolating security functions, the T2 chip may continue to operate as intended despite low-level breaches of macOS itself.

Secure Boot

Secure boot is described in more detail in the white paper, including how low-level software components are verified using a chain of trust based in hardware.

Secure boot chain of trust

A T2-enabled computer has a new startup security utility, allowing more fine-grained controls over security requirements.

Startup security utility

Written on Oct 30, 2018.