If anyone promises that their computer has unbreakable security, don’t believe them: they’re selling snake oil. History has shown that some security measures are particularly difficult, time-consuming and costly to circumvent, but none so far has proved impossible. Good security is therefore built in layers, each making it progressively harder to break through. In recent Macs, one of the toughest of those layers for anyone trying to break in is the Secure Enclave.
Before 2017, Intel Macs had a fairly conventional design, in which the main processor, with its multiple cores, handled all the secrets held in that Mac. If the boot disk was encrypted using FileVault, that processor used the password you entered to derive the key that unlocked the volume, then used that key to decrypt data read from the disk and to encrypt data written to it. Software techniques were used to try to stop malicious software from gaining access to secrets like encryption keys, but they remained vulnerable to sophisticated attacks, because the keys had to pass through the same processor and memory as everything else.
Attacks on CPUs have become more serious over time: Intel processors are vulnerable to new attacks such as Downfall (CVE-2022-40982), which is likely to affect the CPUs in most Intel Macs, and on a Mac without a Secure Enclave would enable an attacker to recover critical information such as FileVault and other encryption keys. Although you’re unlikely to see this widely used in malware, it’s a real threat in attacks developed for state-sponsored agencies.
T2 Macs
Starting with the iPhone 5s and iPad Air in 2013, Apple has incorporated a Secure Enclave in the ARM-based chips it has developed. The first Mac to gain one was the 2016 MacBook Pro with Touch Bar, through its T1 chip, and in 2017 the Secure Enclave was incorporated into its successor, the T2 chip, alongside that Mac’s Intel processor. The T2 chip contains much more than just the Secure Enclave, and functions as a co-processor with its own operating system, bridgeOS, featuring a secure boot scheme similar to that of Apple silicon Macs. Here I’ll focus on the Secure Enclave, and how it handles FileVault encryption keys.
The T2 Secure Enclave is itself a co-processor system within the T2, run by a Secure Enclave Processor (SEP), a 32-bit ARM CPU running its own operating system, sepOS, built on an Apple-customised version of the L4 microkernel and so completely different from the kernels used by macOS and Apple’s other devices. It has its own secure storage (EEPROM), a dedicated AES-256 encryption/decryption engine built into the data transfer path between the internal SSD and main system memory, and a Public Key Accelerator for signing and encryption/decryption using RSA and ECC.
The Secure Enclave is responsible for handling all the keys used by FileVault, and for performing the hardware encryption/decryption direct with the internal SSD. This means that those keys are never exposed to the Intel processor, its memory or storage, but are confined to the Secure Enclave at all times.
FileVault encryption doesn’t use your password to encrypt the volumes it protects, which is why you can enable FileVault on a T2 Mac without waiting for the whole volume to be encrypted, and why changing your password doesn’t require the volume to be decrypted and re-encrypted. The Volume Encryption Key (VEK) used to encrypt and decrypt the protected volume is created from two keys generated by the Secure Enclave. Those remain the same whether or not FileVault is enabled, and independently of your password. Your password is instead used, together with a hardware key specific to your Mac, to encrypt (wrap) the VEK, a step that is far cheaper to redo than re-encrypting the volume itself.
To gain access to the hardware key, the VEK, or anything else in this chain, an attacker must therefore gain access to the Secure Enclave. While an exploit giving them access to the main processor could be a first step in that process, until they can break into the Secure Enclave they can’t gain access to the secrets that it protects.
Apple silicon Macs
While the T2 chip was a huge step forward for Macs, it’s a co-processor, which brings disadvantages. It requires its own ‘firmware’ updates, actually bridgeOS updates, which must be installed with the whole of the Intel side shut down. If you’ve ever experienced the dead Mac effect during a macOS update, you’ll know how stressful these can be, and the time they waste.
When Apple designed the M1 chip to replace pretty well everything in its Intel models, the Secure Enclave became part of that chip, although it still effectively functions as a co-processor within it. The Secure Enclave in Apple silicon chips is not only better integrated but also enhanced, compared with the T2.
Perhaps the most significant of its improvements are measures to prevent replay attacks. Those are best illustrated with FileVault. Let’s say that you didn’t enable FileVault at first, but left your Apple silicon Mac to handle the encryption of its internal Data volume without the added protection of your password. That would mean that the VEK was generated internally by the Secure Enclave and kept there, protected by the hardware key alone. If you then turned FileVault on, the VEK would be re-wrapped using your password and the hardware key. In the T2 chip, it might be possible to present the old, password-free wrapped copy of the VEK and use it to decrypt the volume. In the Secure Enclave of M-series chips, that type of replay attack is prevented: turning FileVault on is one of the events Apple refers to as anti-replay boundaries, and key material recorded before such a boundary is revoked, so the old wrapped copy is no longer accepted.
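To make the key hierarchy of the FileVault section above and this anti-replay behaviour concrete, here is an added model in Python. It is illustrative code written for this article, not Apple’s code or a description of sepOS internals: the Secure Enclave is modelled as a Python class, its AES engine is stood in for by an HMAC-SHA256 keystream so that the example needs only the standard library, secure storage is a dict, and all names (hw_uid, epoch, record) and the sample volume contents are assumptions made for the example. The anti_replay flag switches between the M-series behaviour (stale wrapped keys are revoked at a boundary) and the T2 behaviour the text describes as a possibility (an old wrapped copy is still accepted).

```python
import hashlib
import hmac
import secrets

# Constructed model of the FileVault key hierarchy: an added example, not Apple's
# code. AES-256 is stood in for by HMAC-SHA256 in counter mode, and the Secure
# Enclave's secure storage by plain Python attributes. All names are assumptions.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for the enclave's AES engine."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SecureEnclaveModel:
    def __init__(self, anti_replay: bool):
        self.anti_replay = anti_replay          # True: M-series behaviour; False: T2 as described above
        self.hw_uid = secrets.token_bytes(32)   # per-device hardware key, never leaves the enclave
        self.vek = secrets.token_bytes(32)      # volume key, generated internally, fixed for the volume's life
        self.epoch = 0                          # anti-replay counter kept in secure storage
        # FileVault off: the VEK is wrapped under the hardware key alone (empty password).
        self.record = self._wrap(b"")

    def _kek(self, password: bytes, salt: bytes) -> bytes:
        # Stretch the password, then tangle it with the hardware UID so the key
        # encryption key can only ever be derived on this device.
        stretched = hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)
        return hmac.new(self.hw_uid, stretched, hashlib.sha256).digest()

    def _wrap(self, password: bytes) -> dict:
        salt = secrets.token_bytes(16)
        kek = self._kek(password, salt)
        ct = _xor(self.vek, _keystream(kek, b"wrap" + salt, 32))
        # The tag binds the record to the epoch it was written in.
        tag = hmac.new(kek, salt + self.epoch.to_bytes(4, "big") + ct, hashlib.sha256).digest()
        return {"salt": salt, "epoch": self.epoch, "ct": ct, "tag": tag}

    def _unwrap(self, record: dict, password: bytes) -> bytes:
        kek = self._kek(password, record["salt"])
        expected = hmac.new(kek, record["salt"] + record["epoch"].to_bytes(4, "big") + record["ct"],
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, record["tag"]):
            raise PermissionError("wrong password")
        if self.anti_replay and record["epoch"] != self.epoch:
            raise PermissionError("stale key record: revoked at an anti-replay boundary")
        return _xor(record["ct"], _keystream(kek, b"wrap" + record["salt"], 32))

    def enable_filevault(self, password: bytes) -> None:
        """Re-wrap the existing VEK under password + hardware key; the volume is untouched."""
        self.epoch += 1                         # boundary event: older records are revoked
        self.record = self._wrap(password)

    def change_password(self, old: bytes, new: bytes) -> None:
        """Prove the old password, then re-wrap the same VEK; again no re-encryption."""
        if self._unwrap(self.record, old) != self.vek:
            raise PermissionError("unwrap produced a different key")
        self.epoch += 1
        self.record = self._wrap(new)

    def unlock(self, password: bytes, record: dict = None) -> bytes:
        """Unwrap the current (or a supplied, possibly stale) record. In the real
        design the VEK stays inside the enclave; it is returned here for inspection."""
        return self._unwrap(self.record if record is None else record, password)

    def encrypt_volume(self, nonce: bytes, plaintext: bytes) -> bytes:
        # Data path: encrypted directly with the VEK, independent of any password.
        return _xor(plaintext, _keystream(self.vek, b"data" + nonce, len(plaintext)))


def scenario(anti_replay: bool) -> dict:
    """Walk through the scenario in the text and report what an attacker could do."""
    se = SecureEnclaveModel(anti_replay)
    nonce, data = b"sector-0000", b"constructed sample of Data volume contents"
    ct_off = se.encrypt_volume(nonce, data)
    stale = se.record                            # wrapped copy from when FileVault was off
    se.enable_filevault(b"correct horse")
    ct_on = se.encrypt_volume(nonce, data)       # same VEK, so the ciphertext is unchanged
    se.change_password(b"correct horse", b"battery staple")
    ct_changed = se.encrypt_volume(nonce, data)

    def attempt(password: bytes, record: dict = None) -> bool:
        try:
            return se.unlock(password, record) == se.vek
        except PermissionError:
            return False

    return {
        "volume_ciphertext_unchanged": ct_off == ct_on == ct_changed,
        "new_password_unlocks": attempt(b"battery staple"),
        "old_password_unlocks": attempt(b"correct horse"),
        "replay_of_stale_record": attempt(b"", stale),   # no password needed for the old record
    }


if __name__ == "__main__":
    print("M-series model:", scenario(anti_replay=True))
    print("T2 model:      ", scenario(anti_replay=False))
```

Run as a script, the M-series model reports that the volume ciphertext never changed across enabling FileVault and changing the password, that only the current password unlocks, and that the stale password-free record is refused; the T2 model differs only in accepting that stale record, which is the replay the text describes.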
Other improvements include second-generation secure storage, which replaces the EEPROM and incorporates counter lockboxes to enforce limits on the number of passcode attempts allowed, and a better Public Key Accelerator.
What does it protect?
Currently, the Secure Enclave is known to protect the following:
- encryption keys for Touch ID, FileVault, and the Data Protection keychain (but not legacy file-based keychains)
- that Mac’s Unique ID (UID) and Group ID (GID)
- hardware encryption and decryption for FileVault on the internal SSD, acting as the SSD’s storage controller
- Touch ID control, and (on older devices, not Macs) Face ID using a Secure Neural Engine; in recent devices and M-series chips, that is implemented as a secure mode in the main Apple Neural Engine (ANE)
- Apple Pay handling
- Activation Lock, through the Owner Identity Key and User Identity Key
- signing and verification of LocalPolicy for boot environments (Apple silicon)
Has it been exploited yet?
Older iPhone chips have a ‘Blackbird’ vulnerability in the ROM of their Secure Enclave, but that doesn’t affect newer Secure Enclaves such as those in T2 or M-series Macs. The T2 chip itself has been ‘jailbroken’ by exploiting the checkm8 BootROM bug common to many of Apple’s ARM chips, in an exploit known as checkra1n. Although this gives control of the main cores in the T2 chip, it doesn’t give access to its Secure Enclave.
The Downfall attack, to which a great many Intel processors are vulnerable, gives untrusted software access to data stored by other software, but only on the Intel processor, and hasn’t been shown to carry over to a T2 chip, let alone the Secure Enclave running within it.
Apple silicon Macs are known to be vulnerable to the PACMAN hardware attack that can bypass pointer authentication, but that doesn’t appear to give access to their Secure Enclave or the secrets that it contains.
At present, as far as I can establish, no exploit has been made public that gives access to secrets in the Secure Enclave in T2 or Apple silicon Macs.
Summary
- Intel Macs without T2 chips have no Secure Enclave. A successful attack on the processor can therefore reveal its secrets.
- Intel Macs with T2 chips have a full Secure Enclave that protects secrets.
- Apple silicon Macs have an improved Secure Enclave that protects secrets even better than the T2 chip.
Further reading
Apple’s Platform Security Guide
FileVault in that guide
LocalPolicy in that guide
Wikipedia on the T2 chip
