Apple T2 Explained

Apple T2
Produced: December 14, 2017 to June 5, 2023
Min. feature size: 16 nm[1]
Designed by: Apple Inc.
Manufacturer: TSMC
Instruction set: ARMv8.1-A (A64, A32, T32); ARMv7-A (A32)
Microarchitecture: ARMv8: "Hurricane"/"Zephyr"; ARMv7: Cortex-A7
Product code: APL1027
Cores: 4 (2× Hurricane + 2× Zephyr)
L1 cache: Per core: 126 KB instruction + 126 KB data
L2 cache: 3 MB shared
Application: Security, Controller
Variant: Apple A10
Predecessor: Apple T1
Successor: Apple M1

The Apple T2 (Apple's internal name is T8012)[2] security chip is a system on a chip (SoC) tasked with providing security and controller features to Apple's Intel-based Macintosh computers. It is a 64-bit ARMv8 chip and runs bridgeOS.[3] [4] The T2 has its own RAM and is essentially a computer of its own, running in parallel to the main computer that the user interacts with and responding to its requests.

Design

The main application processor in the T2 is a variant of the Apple A10, which is a 64-bit ARMv8.1-A based CPU. It is manufactured by TSMC on their 16 nm process, just like the A10. Analysis of the die reveals a CPU macro nearly identical to that of the A10, indicating a four-core design for the main application processor, with two large high-performance cores, "Hurricane", and two smaller efficiency cores, "Zephyr". Analysis also reveals the same number of RAM controllers, but a much reduced GPU facility: three blocks, only a quarter the size compared to the A10.

The die measures 9.6 mm × 10.8 mm, a die size of 104 mm², which amounts to about 80% of the size of the A10.

As it serves as a co-processor to its Intel-based host, it also includes several facilities handling a variety of functions not present in the host system's main platform. It is designed to stay active even if the main computer is in a halted low-power mode. The main application processor in the T2 runs an operating system called bridgeOS.

The secondary processor in the T2 is a 32-bit ARMv7-A based CPU called the Secure Enclave Processor (SEP), which has the task of generating and storing encryption keys. It runs an operating system called "sepOS", based on the L4 microkernel.[5] The T2 module is built as a package on a package (PoP) together with its own LP-DDR4 RAM. Mac configurations with 1 TB of SSD storage or greater receive 2 GB LP-DDR4, while lower storage configurations receive 1 GB.[6]

The T2 communicates with the host via a USB-attached Ethernet port.

Security features

There are numerous features regarding security, including:

The T2 is integral in the boot sequence and upgrading of operating systems, not allowing unsigned components to interfere.

Other features

There are other facilities present not directly associated with security.

History

The Apple T2 was first released in the iMac Pro in late 2017.

On July 12, 2018, Apple released an updated MacBook Pro that includes the T2 chip, which among other things enables the "Hey Siri" feature.[11] [12]

On November 7, 2018, Apple released the updated Mac mini and MacBook Air models with the T2 chip.[13] [14] MacBook Air's Touch ID sensor is powered by the chip.

On August 4, 2020, a refresh of the 5K iMac was announced, including the T2 chip.[15]

The functionality of the T2 chip is incorporated in Apple's M-series CPUs, eliminating the need for a separate chip in Apple silicon-powered computers. Since the completion of the Mac transition to Apple silicon in June 2023, no new Mac ships with a T2 chip.

Security vulnerabilities

In October 2019, security researchers began to theorize that the T2 might also be affected by the checkm8 bug, as it was roughly based on the A10 design from 2016 in the original iMac Pro.[16] Rick Mark then ported libimobiledevice to work with the Apple T2, providing a free and open source solution for restoring the T2 outside of Apple Configurator and enabling further work on the T2.[17] On March 6, 2020, a team of engineers dubbed the T2 Development Team exploited the existing checkm8 bug in the T2 and released the hash of a dump of the secure ROM as a proof of entry.[18] The checkra1n team quickly integrated the patches required to support jailbreaking the T2.[19] [20] [21] [22]

The T2 Development Team then used Apple's undocumented vendor-defined messages over USB power delivery to put a T2 device into Device Firmware Upgrade mode without user interaction. This compounded the issue, making it possible for any malicious device, such as a custom charging device, to jailbreak the T2 without any user interaction.[23] [24] [25]

Later in the year, the release of the blackbird SEP vulnerability further compounded the impact of the defect by allowing arbitrary code execution in the T2 Secure Enclave Processor.[26] This potentially affected encrypted credentials such as the FileVault keys, as well as other secure Apple Keychain items.

Developer Rick Mark then determined that macOS could be installed over the same iDevice recovery protocols, which later proved true of the M1 series of Apple Macs as well.[27] On September 10, 2020, a public release of checkra1n was published that allowed users to jailbreak the T2.[28] [29] The T2 Development Team created patches to remove signature validation from files on the T2, such as the MacEFI and the boot sound. Members of the T2 Development Team began answering questions in industry Slack instances.[30] A member of the security community from IronPeak used this data to compile an impact analysis of the defect, which was later corrected to properly attribute the original researchers.[31] The original researchers made multiple corrections to the press that covered the IronPeak blog.[32]

In October 2020, a hardware flaw in the chip's security features was found that might be exploited in a way that cannot be patched, using a method similar to the one used to jailbreak iPhones with the A10 chip, since the T2 chip is based on the A10 chip. Apple was notified of this vulnerability but did not respond before security researchers publicly disclosed it.[33] It was later demonstrated that this vulnerability can allow users to implement custom Mac startup sounds.[34] [35]

Products with the T2 chip

Notes and References

  1. Web site: Boldt . Paul . Apple's Orphan Silicon . July 11, 2021 . SemiWiki . July 18, 2021 . en . September 22, 2022 . https://web.archive.org/web/20220922180857/https://semiwiki.com/semiconductor-manufacturers/tsmc/301118-apples-orphan-silicon/ . live .
  2. Web site: T8012 . 2023-08-14 . The Apple Wiki . en.
  3. Web site: Davidov . Mikhail . Erickson . Jeremy . Inside The Apple T2 . August 8, 2019 . Black Hat USA 2019 . July 11, 2021 . en . June 14, 2021 . https://web.archive.org/web/20210614004340/https://i.blackhat.com/USA-19/Thursday/us-19-Davidov-Inside-The-Apple-T2.pdf . live .
  4. Web site: Parrish . Kevin . Apple's T2 chip may be causing issues in iMac Pro and 2018 MacBook Pros . . January 22, 2019 . https://web.archive.org/web/20180918223447/https://www.digitaltrends.com/computing/apple-t2-chip-may-be-causing-imac-pro-macbook-problems/ . September 18, 2018 . July 24, 2018 . Of all the error messages uploaded to these threads, there is one detail they seem to share: Bridge OS. This is an embedded operating system used by Apple’s stand-alone T2 security chip, which provides the iMac Pro with a secure boot, encrypted storage, live “Hey Siri” commands, and so on..
  5. Web site: Apple Platform Security: Secure Enclave . 2021-07-11 . 2021-08-22 . https://web.archive.org/web/20210822172935/https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web . live .
  6. Web site: "Starting at" is the Biggest Lie in Tech . Linus Tech Tips . 14 August 2023 . 25 July 2023.
  7. Web site: iMac Pro Features Apple's Custom T2 Chip With Secure Boot Capabilities. MacRumors. December 14, 2017. August 18, 2018. https://web.archive.org/web/20180818214500/https://www.macrumors.com/2017/12/14/imac-pro-has-t2-chip-with-secure-boot/. August 18, 2018. live.
  8. Web site: The MacBook Pro's T2 chip boosts enterprise security. Jonny. Evans. 23 July 2018. Computerworld. August 18, 2018. https://web.archive.org/web/20180818214802/https://www.computerworld.com/article/3290415/apple-mac/the-macbook-pro-s-t2-chip-boosts-enterprise-security.html. August 18, 2018. live.
  9. Web site: The T2 chip makes the iMac Pro the start of a Mac revolution. Jason. Snell. January 3, 2018. Macworld. August 20, 2022. August 23, 2022. https://web.archive.org/web/20220823105709/https://www.macworld.com/article/230870/the-t2-chip-makes-the-imac-pro-the-start-of-a-mac-revolution.html. live.
  10. Web site: Apple's T2 chip makes a giant difference in video encoding for most users . 2021-07-11 . 2021-07-11 . https://web.archive.org/web/20210711202124/https://appleinsider.com/articles/19/04/09/apples-t2-chip-makes-a-giant-difference-in-video-encoding-for-most-users . live .
  11. Web site: Rossignol . Joe . Apple Launches 2018 MacBook Pros: 8th Gen Core, Up to 32GB of RAM, Third-Gen Keyboard, Quad-Core on 13-Inch and More . July 12, 2018 . . July 12, 2018 . en . https://web.archive.org/web/20180712183627/https://www.macrumors.com/2018/07/12/apple-launches-2018-macbook-pro-lineup/ . July 12, 2018 . live .
  12. Web site: Apple updates MacBook Pro with faster performance and new features for pros. Apple Inc.. July 12, 2018. https://web.archive.org/web/20180712231549/https://www.apple.com/newsroom/2018/07/apple-updates-macbook-pro-with-faster-performance-and-new-features-for-pros/. July 12, 2018. live.
  13. Web site: Broussard . Mitchel . Apple Announces New MacBook Air With 13-Inch Retina Display and Touch ID . . October 30, 2018 . October 30, 2018 . en . https://web.archive.org/web/20181031173743/https://www.macrumors.com/2018/10/30/apple-new-macbook-air/ . October 31, 2018 . live .
  14. Web site: Hardwick . Tim . Apple Announces New Space Gray Mac mini With 4-Core or 6-Core Intel Processor and Up to 64GB RAM, Starting at $799 . . October 30, 2018 . October 30, 2018 . en . https://web.archive.org/web/20181031133116/https://www.macrumors.com/2018/10/30/apple-announces-new-mac-mini/ . October 31, 2018 . live .
  15. 27-inch iMac gets a major update. August 4, 2020. Apple Inc.. July 11, 2021. July 12, 2021. https://web.archive.org/web/20210712075316/https://www.apple.com/newsroom/2020/08/27-inch-imac-gets-a-major-update/. live.
  16. Web site: 2019-08-06. Original GitHub issue. Github. 2021-07-11. 2021-09-30. https://web.archive.org/web/20210930144436/https://github.com/axi0mX/ipwndfu/issues/141. live.
  17. Web site: Twitter. T2 Support in libimobiledeive. 2021-07-11. 2021-07-08. https://web.archive.org/web/20210708131103/https://twitter.com/su_rickmark/status/1202129990545887233. live.
  18. Web site: 2020-03-06. t8012 SecureROM Hash. Twitter. 2021-07-11. 2021-07-08. https://web.archive.org/web/20210708131216/https://twitter.com/su_rickmark/status/1236108594182905856. live.
  19. Web site: Twitter. checkra1n supports T2. 2021-07-11. 2021-07-03. https://web.archive.org/web/20210703203513/https://twitter.com/su_rickmark/status/1237414287372500993. live.
  20. Web site: Anthony. Bouchard. 2020-03-18. Checkra1n experimental pre-release adds preliminary support for iOS 13.4, Mac T2 chip. 2021-06-26. iDownloadBlog.com. en-us. 2021-06-26. https://web.archive.org/web/20210626141234/https://www.idownloadblog.com/2020/03/18/checkra1n-experimental-pre-release-adds-preliminary-support-for-ios-13-4-mac-t2-chip/. live.
  21. Web site: Hacker omzeilt beveiliging T2-chip in recente Mac-computers. 2021-06-26. Tweakers. NL. 2021-06-26. https://web.archive.org/web/20210626233652/https://tweakers.net/nieuws/164492/hacker-omzeilt-beveiliging-t2-chip-in-recente-mac-computers.html. live.
  22. Web site: 2020-10-07. T2 Dev Team Blog. On bridgeOS / T2 Research. Timeline of Events. Rick. Mark. https://web.archive.org/web/20201008231456/https://blog.t8012.dev/on-bridgeos-t2-research/. 2020-10-08. dead.
  23. Web site: Plug'nPwn - Connect to Jailbreak. The T2 Development Blog. Rick Mark. mrarm. Aun-Ali Zaidi. h0m3us3r. 2020-10-12. https://web.archive.org/web/20211023044211/https://blog.t8012.dev/plug-n-pwn/. 2021-10-23. dead.
  24. Web site: T2 Debug Interface Exposed. Twitter. 2021-07-11. 2021-07-08. https://web.archive.org/web/20210708131220/https://twitter.com/h0m3us3r/status/1280432544731860993. live.
  25. Web site: Intel Debug Exposed over T2 interface. Twitter. 2021-07-11. 2021-07-05. https://web.archive.org/web/20210705104841/https://twitter.com/su_rickmark/status/1280590602690637824. live.
  26. Web site: Blackbird Exploit for Apple SEP. iDownloadBlog. 24 July 2020. 11 July 2021. 29 June 2021. https://web.archive.org/web/20210629132951/https://www.idownloadblog.com/2020/07/24/pangu-hacks-sep/. live.
  27. Web site: macOS restore via USB. Twitter. 2021-07-11. 2021-07-06. https://web.archive.org/web/20210706141835/https://twitter.com/su_rickmark/status/1298512629040910336. live.
  28. Web site: checkra1n. checkra.in. 2021-07-11. 2019-10-10. https://web.archive.org/web/20191010224917/https://checkra.in/. live.
  29. Web site: Hackers jailbreak Apple's T2 security chip powered by bridgeOS. 23 September 2020. https://web.archive.org/web/20210227105751/https://reportcybercrime.com/hackers-jailbreak-apples-t2-security-chip-powered-by-bridgeos/. 27 February 2021.
  30. Web site: Industry: bridgeOS / checkra1n Questions. Dropbox Paper. 2021-07-11. 2021-06-30. https://web.archive.org/web/20210630100732/https://paper.dropbox.com/doc/Industry-bridgeOS-checkra1n-Questions-IuejF6oBFWiUtGhYkAz2z. live.
  31. Web site: ironPeak. ironpeak.be. 2021-07-11. 2021-07-27. https://web.archive.org/web/20210727195617/https://ironpeak.be/blog/crouching-t2-hidden-danger/. live.
  32. Web site: Paper. Dropbox. 2021-07-11. 2021-07-12. https://web.archive.org/web/20210712162125/https://www.dropbox.com/paper?no_redirect=1. live.
  33. Web site: Hackers claim they can now jailbreak Apple's T2 security chip. October 6, 2020. ZDNET. July 11, 2021. May 6, 2021. https://web.archive.org/web/20210506125524/https://www.zdnet.com/article/hackers-claim-they-can-now-jailbreak-apples-t2-security-chip/. live.
  34. Web site: 2020-10-29. Checkra1n tinkerer demonstrates custom boot sound on T2-equipped Mac. live. 2021-01-19. iDownloadBlog.com. en-US. https://web.archive.org/web/20201030005524/https://www.idownloadblog.com/2020/10/29/checkra1n-t2-mac-boot-up-sound/ . 2020-10-30 .
  35. Web site: 2020-11-23. Apple T2 hack means you can have PS5 sounds be your startup chime. 2021-01-19. iMore. 2021-01-27. https://web.archive.org/web/20210127214121/https://www.imore.com/apple-t2-hack-means-you-can-have-ps5-sounds-be-your-startup-chime. live.
  36. Web site: Mac models with the Apple T2 Security Chip . 2021-07-11 . 2021-07-02 . https://web.archive.org/web/20210702063513/https://support.apple.com/en-us/HT208862 . live .