Wednesday, November 21, 2018

Secure Boot in the Era of the T2

Mikhail Davidov:

Enabled by the T2 chipset, new generations of the Macbook Pro and the iMac Pro aim to mitigate many software and hardware-based attacks against the very first pieces of code executed during the initial boot process. By ditching the flash memory chip containing Unified Extensible Firmware Interface (UEFI) firmware and using chipset functionality typically reserved for server architectures, the T2 is able to dynamically provide and validate UEFI payload contents at runtime.

We have spent considerable time looking at the T2 and have written a paper that outlines the technical details of what actually happens when the power button is pressed. The T2 is a great first step in the right direction, but there is still room for improvement when it comes to the secure boot process on an Apple T2-enabled device.

The full report is here.

Paul Haddad:

If you clone your OS disk from another machine your user won’t have a Secure Token, which means no FileVault. Also, there’s no way to add a Token to a user if no user has one.

Howard Oakley:

On many Macs with T2 chips, entering Recovery mode is much slower. Unless you’re using the built-in keyboard of a laptop model, you’ll almost certainly have to connect your wireless keyboard to your Mac using its charging lead, so that it is available via USB rather than Bluetooth. Then you’ll probably be holding Command-R forever before your Mac finally displays the standard options for Recovery.

The newest option, the T2-specific Startup Security Utility, isn’t shown in those options, but is opened from the menubar.


This may seem strange, but it doesn’t seem possible to get a Mac with a T2 chip to start up from an unencrypted internal drive: that disk will always be encrypted, no matter whether you turn FileVault ‘off’ or on. The difference it makes is that if you opt for FileVault to be ‘off’, the encryption will unlock using only its internal hardware UID (kept in the T2’s Secure Enclave), and won’t use your password in addition.

Previously: MacBook’s T2 Will Prevent Eavesdropping on Your Microphone.

Update (2018-11-27): See also: Hacker News.

Comments RSS · Twitter

Leave a Comment