Apple T2 Security Chip: Security Overview [pdf]

One interesting point in the discussion of UEFI secure boot: it appears there is no way to boot OSes other than Mac OS and Windows without disabling secure boot entirely.<p>&gt; <i>By default, Mac computers supporting secure boot only trust content signed by Apple. However, in order to improve the security of Boot Camp installations, support for secure booting Windows is also provided. The UEFI firmware includes a copy of the Microsoft Windows Production CA 2011 certificate used to authenticate Microsoft bootloaders.</i><p>&gt; <i>NOTE: There is currently no trust provided for the the Microsoft Corporation UEFI CA 2011, which would allow verification of code signed by Microsoft partners. This UEFI CA is commonly used to verify the authenticity of bootloaders for other operating systems such as Linux variants.</i><p>It isn&#x27;t clear whether new root CAs can be added or if there is a customer-accessible setup mode for secure boot at all.<p>Another part of the discussion is about the various levels of secure boot enforcement. In the default &quot;Full Security&quot; mode, the Mac OS setup (or Boot Camp assistant for Windows boot) requests that Apple sign the OS boot loader with a signature derived from the T2 chip&#x27;s unique ID, and then the boot firmware on the T2 checks for this machine-specific signature on boot. As I understand it, Apple claims that by simply changing its online service to deny signing certain boot loaders, it can prevent many OS downgrades to versions with known vulnerabilities.

&quot;All Mac portables with the Apple T2 Security Chip feature a hardware disconnect that ensures that the microphone is disabled whenever the lid is closed.&quot; It&#x27;s interesting, I don&#x27;t know if other brands do that?

What happens if the T2 Chip fails? Is it possible to recover data on the disk? Or do we have to recover data from the last backup?

Is there anything different in the T2 chip introduced today in MacBook Air and the one in the MacBook Pro released earlier this year?

&gt; <i>line-speed encrypted storage</i><p>What does this mean?<p>&gt; <i>The Mac unique ID (UID) and a device group ID (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the Secure Enclave during manufacturing. 
 No software or firmware can read the keys directly</i><p>Does anyone know the details underlying this?

anyone who uses eGPUs (w&#x2F; Nvidia): whenever I setup my MBP shortly after buying (middle of this year), one of the steps required disabling Secure Boot and another security item via terminal. Is that still the case? Pretty sure my T2 chip is disabled due to this. Not a major loss if it must remain that way, but wasn&#x27;t sure if it was just mitigating something that is no longer an issue.

I&#x27;m of two minds about how the T2 safeguards access to storage. On the one hand, safeguards like these are a great step forward for endpoint security to guard against device theft. On the other hand, if you break your machine in some way that your storage is still intact - too bad, you&#x27;re locked out.<p>What Apple is really saying with this kind of design is that you need to treat your machine as if it were disposable. You won&#x27;t worry about losing your data if your laptop only has a cached copy. If your machine breaks, ditch it, get another one, redownload your data from the cloud.<p>But most customers don&#x27;t actually use their Macs this way. They don&#x27;t see their highly-priced luxury machines as disposable. They don&#x27;t pay for cloud storage; if they do, then they don&#x27;t keep all their data backed up to their cloud storage accounts, and they expect that their original data will still be available. They don&#x27;t have 3-2-1 backup strategies and they don&#x27;t plan for being locked out of their cloud backups.<p>So this doesn&#x27;t feel to me like Apple focusing on security. It feels like the security-focused extension of Apple&#x27;s general strategy: rising prices and declining repairability as the basic formula for strategic revenue growth from their Western upper-class customer base. And that&#x27;s something to be resisted.

upvoting because I want people who know more than me about security to see and comment. :)