The Apple T2 Security Chip is a specialized intel chip that integrates security measures into both the hardware and software of Mac computers, including the MacBook. Its primary function is to provide encrypted storage. Some notable features of this chip include:
Encrypted storage: The data stored on the solid-state drive (SSD) is encrypted using a hardware-accelerated AES engine.
Secure boot: The chip ensures that all components used during the boot process, such as kernel extensions, firmware, and macOS kernel, are verified by Apple.
Touch ID data security: The chip processes fingerprint data from the Touch ID sensor and verifies its authenticity.
Improved image and signal processing: The chip enhances both the security and performance of the device through various mechanisms.
FileVault key protection: The T2 chip safeguards the cryptographic keys used for FileVault.
Secure Enclave: The chip includes a Secure Enclave that utilizes encrypted memory and a hardware random number generator.
The Apple T2 Security Chip, Apples second-generation custom Mac silicon, brings
industry-leading security to Mac. It features a Secure Enclave coprocessor,
which provides the foundation for APFS encrypted storage, secure boot, and
Touch ID on Mac. In addition to the security components, the T2 chip integrates
several controllers found in other Mac systems—like the system management
controller, image signal processor, audio controller, and SSD controller.
A dedicated AES hardware engine included in the T2 chip powers line-speed
encrypted storage with FileVault. FileVault provides data-at-rest protection
for Mac.
The T2 chip is the hardware root of trust for secure boot. Secure boot ensures
that the lowest levels of software aren’t tampered with and that only trusted
operating system software loads at startup.
On Mac computers with Touch ID and the T2 chip, the Secure Enclave
also secures Touch ID. In addition, all Mac portables with the T2 chip have
a hardware disconnect that ensures the microphone is disabled when the lid
is closed.
The features of the Apple T2 Security Chip are made possible by the
combination of silicon design, hardware, software, and services available
only from Apple. These capabilities combine to provide unrivaled privacy
and security features never before present on Mac.
Secure Enclave
The Secure Enclave is a coprocessor fabricated within the system on chip
(SoC) of the Apple T2 Security Chip, built solely to provide dedicated security
functions. It protects the necessary cryptographic keys for FileVault and secure
boot, and is also responsible for processing fingerprint data from the Touch ID
sensor (if present) and determining if there’s a match.
The Secure Enclave on the T2 chip uses encrypted memory and includes a
hardware random number generator. It maintains the integrity of its security
functions even if the macOS kernel has been compromised, and its limited
function is a virtue: Security is enhanced by the fact that the hardware is limited
to specific operations.
All Apple FIPS 140-2 Conformance Validation Certificates are on the CMVP
vendor page. For information on the status of FIPS certification of the
Apple T2 Security Chip, go to: https://support.apple.com/HT208675
Storage Encryption
APFS encrypted storage
The Apple T2 Security Chip provides a dedicated AES crypto engine built into
the DMA path between the flash storage and main system memory (see Figure 1),
making internal volume encryption using FileVault with AES-XTS highly efficient.
Figure 1: AES Crypto Engine
The Mac unique ID (UID) and a device group ID (GID) are AES 256-bit keys
fused (UID) or compiled (GID) into the Secure Enclave during manufacturing.
No software or firmware can read the keys directly. The keys can be used
only by the AES engine dedicated to the Secure Enclave. This dedicated
AES engine makes available only the results of encryption or decryption
operations it performs. The UIDs and GIDs aren’t available via JTAG or other
debugging interfaces.
Because the UID is unique to each device and is generated wholly within the
Secure Enclave rather than in a manufacturing system outside of the device,
the UID key isn’t available for access or storage by Apple or any Apple suppliers.
Software running on the Secure Enclave takes advantage of the UID to protect
device-specific secrets such as Touch ID data, FileVault class keys, and the
Keychain.
The UID allows data to be cryptographically tied to a particular device. For
example, the key hierarchy protecting the file system includes the UID, so
if internal storage media are physically moved from one device to another,
the files they contain are inaccessible. The UID isn’t related to any other
identifier on the device. This architecture forms the basis for secure internal
volume encryption.
Internal volume encryption and FileVault
In Mac OS X 10.3 or later, Mac computers provide FileVault, built-in encryption
capability to secure all data at rest. FileVault uses the AES-XTS data encryption
algorithm to protect full volumes on internal and removable storage devices.
On Mac computers with the Apple T2 Security Chip, internal volume encryption
leverages the hardware security capabilities of the chip. After a user enables
FileVault on a Mac, their credentials are required during the boot process.
Without valid login credentials or a cryptographic recovery key, the internal
APFS volume remains encrypted and is protected from unauthorized access
even if the physical storage device is removed and connected to another
computer. Internal volume encryption on a Mac with the T2 chip is implemented
by constructing and managing a hierarchy of keys (see Figure 2), and builds on
the hardware encryption technologies built into the chip. This hierarchy of keys
is designed to simultaneously achieve four goals:
- Require the user’s password for decryption.
- Protect the system from a brute-force attack directly against storage media
removed from Mac. - Provide a swift and secure method for wiping content via deletion of
necessary cryptographic material. - Enable users to change their password (and in turn the cryptographic keys
used to protect their files) without requiring re-encryption of the entire volume.
On Mac systems with the T2 chip, all FileVault key handling occurs in the
Secure Enclave; encryption keys are never directly exposed to the (Intel)
application processor.
All APFS volumes are created with a volume key by default. Volume and
metadata contents are encrypted with this volume key, which is wrapped
with the class key. The class key is protected by a combination of the user’s
password and the hardware UID when FileVault is enabled. This protection
is the default on Mac computers with the T2 chip.
If FileVault isn’t enabled on a Mac with the T2 chip during the initial Setup
Assistant process, the volume is still encrypted, but the volume key is protected
only by the hardware UID in the Secure Enclave. If FileVault is enabled later—a
process that is immediate since the data was already encrypted—an anti-replay
mechanism prevents the old key (based on hardware UID only) from being used
to decrypt the volume. The volume is then protected by a combination of the
user password with the hardware UID as previously described.
Figure 2: FileVault key hierarchy
When deleting a volume, its volume key is securely deleted by Secure Enclave.
This prevents future access with this key even by the Secure Enclave. In addition,
all volume keys are wrapped with a media key. The media key doesn’t provide
additional confidentiality of data, but instead is designed to enable swift and
secure deletion of data because without it, decryption is impossible.
The media key is located in effaceable storage and designed to be quickly
erased on demand; for example, via remote wipe using Find My Mac or when
enrolled in a mobile device management (MDM) solution. Effaceable storage
accesses the underlying storage technology (for example, NAND) to directly
address and erase a small number of blocks at a very low level. Erasing the
media key in this manner renders the volume cryptographically inaccessible.
To prevent brute-force attacks, when Mac boots, no more than 30 password
attempts are allowed at the Login Window or via Target Disk Mode, and
escalating time delays are imposed after incorrect attempts. The delays are
enforced by the Secure Enclave coprocessor on the T2 chip. If Mac is restarted
during a timed delay, the delay is still enforced, with the timer starting over for
the current period.
To prevent malware from causing permanent data loss by trying to attack the
user’s password, these limits are not enforced after the user has successfully
logged into the Mac, but will be re-imposed after reboot. If the 30 attempts are
exhausted, 10 more attempts are available after booting into macOS Recovery.
And if those are also exhausted, then 30 more attempts are available for each
enabled FileVault recovery mechanism (iCloud recovery, FileVault recovery key,
and institutional key), for a maximum of 90 possible attempts. Once those
attempts are exhausted, the Secure Enclave will no longer process any requests
to decrypt the volume or verify the password
Secure boot
For Mac computers with the Apple T2 Security Chip, each step of the startup
process contains components that are cryptographically signed by Apple to
verify integrity (see Figure 3). The boot process proceeds only after verifying
the integrity of the software at every step, which creates a chain of trust rooted
in hardware. This includes the UEFI firmware, bootloaders, kernel, and kernel
extensions necessary for boot. This secure boot chain helps ensure that the
lowest-level software isn’t tampered with, so the Mac computer will be in a
known trustworthy state when it’s booted.
Figure 3: macOS secure boot chain
When a Mac computer with the T2 chip is turned on, the chip executes code
from read-only memory known as the Boot ROM. This immutable code, referred
to as the hardware root of trust, is laid down during chip fabrication and is
audited for vulnerabilities and implicitly trusted. The Boot ROM code contains
the Apple Root CA public key, which is used to verify that the iBoot bootloader
is signed by Apple’s private key before allowing it to load. This is the first step
in the chain of trust. iBoot verifies the kernel and kernel extension code on the
T2 chip, which subsequently verifies the Intel UEFI firmware. The UEFI firmware
and the associated signature are initially available only to the T2 chip.
After verification, the UEFI firmware image is mapped into a portion of the
T2 chip memory and this memory is made available to the (Intel) application
processor via the enhanced Serial Peripheral Interface (eSPI). When the
application processor first boots, it fetches the UEFI firmware via eSPI from
the integrity-checked, memory-mapped copy of the firmware located on the
T2 chip.
Touch ID
Using Touch ID on Mac is an easy way to use a fingerprint instead of a password
for many common operations. With just the touch of a finger, the sensor quickly
reads a fingerprint and automatically unlocks the device. Touch ID can authorize
purchases from the iTunes Store, App Store, and Apple Books, as well as with
Apple Pay.
Touch ID doesn’t store any fingerprint images, instead it relies only on a
mathematical representation of the fingerprint. This representation is encrypted,
stored on the device, and protected with a key available only to the Secure
Enclave. The fingerprint data is used only by the Secure Enclave to verify a
match with the enrolled information. It can’t be accessed by macOS or by any
apps running on it. It’s never stored on Apple servers, it’s never backed up to
iCloud or anywhere else, and it can’t be used to match against other fingerprint
databases.
Every fingerprint is unique, so it’s rare that even a small section of two separate
fingerprints are alike enough to register as a match for Touch ID. The probability
of this happening is 1 in 50,000 with a single enrolled finger. And Touch ID
allows only five unsuccessful fingerprint match attempts before requiring
a password.
A password is required to start using Touch ID and a password is always required
for viewing or changing password settings. A password is also required if Mac is
in the following states:
- The device has just been turned on or restarted.
- The device hasn’t been unlocked for more than 48 hours.
- The password hasn’t been used to unlock the device in the last 156 hours
(six and a half days) and a biometric hasn’t unlocked the device in the last
4 hours. - The device has received a remote lock command.
- After five unsuccessful attempts to match a fingerprint
Hardware microphone disconnect
All Mac portables with the Apple T2 Security Chip feature a hardware
disconnect that ensures that the microphone is disabled whenever the lid
is closed. This disconnect is implemented in hardware alone, and therefore
prevents any software, even with root or kernel privileges in macOS, and even
the software on the T2 chip, from engaging the microphone when the lid is
closed. (The camera is not disconnected in hardware because its field of view
is completely obstructed with the lid closed.)
Conclusion
A commitment to security
The Apple T2 Security Chip provides a robust foundation for encrypted storage,
secure boot, and Touch ID. These features are based on dedicated security
hardware and the Secure Enclave coprocessor, which is included on the T2 chip.
The resulting system is a Mac that can base the cryptographic protections of
stored data in dedicated hardware and utilize a hardware root of trust to ensure
secure boot. And on Mac systems with Touch ID, users can conveniently unlock
their Mac with their finger. Combining the T2 chip with a hardware disconnect
to ensure the microphone is disabled when the lid is closed results in a level of
privacy and security protections never before seen on Mac.
To learn more about reporting issues to Apple and subscribing to security
notifications, go to: https://www.apple.com/support/security
