Apple details iMac Pro's T2 chip, which handles secure boot, system management, ISP, more

Posted in Current Mac Hardware, edited December 2017
Though it flew largely under the radar, Apple introduced a new custom T2 chip in iMac Pro that combines a number of system controllers into a single secure package. The company detailed what, exactly, the silicon does in an update to its iMac Pro product webpage on Thursday.




In an addendum to the iMac Pro mini-site, buried near the bottom of the page, Apple sheds light on what purpose the T2 serves in the company's fastest all-in-one desktop.

A second-generation design that builds on the MacBook Pro's T1 chip, the T2 has been redesigned to deliver improved operational latitude, ensuring enhanced security and greater system performance.

According to Apple, the chip integrates "several controllers" found in other Mac systems, including a system management controller, image signal processor, audio controller and SSD controller. As noted in previous reports, T2 incorporates a secure enclave and hardware encryption engine, allowing for strong on-chip encryption and, if desired, hardware verification of system-level software.

"The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD's performance, while keeping the Intel Xeon processor free for your compute tasks," Apple says. "And secure boot ensures that the lowest levels of software aren't tampered with and that only operating system software trusted by Apple loads at startup."

In an early look at iMac Pro, Cabel Sasser, co-founder of Panic, noted the inclusion of new macOS tools that take advantage of the T2 chip's security features.

Specific to the all-in-one is a new "Startup Security Utility" that allows users to turn on a firmware password to prevent their Mac from booting from a different hard drive, CD or DVD without a password. Another function called "Secure Boot" lets users select from a range of security levels, from "Full Security" to "Medium Security" or none.

In addition to providing enhanced user protections, T2 leverages its onboard ISP to handle FaceTime HD tone mapping, exposure control and face detection-based auto exposure and white balance. These functions were tasked to discrete hardware and software prior to Apple's T-series chips.

Apple fails to offer further detail on T2's other integrated controllers, though from past custom silicon iterations, it can be assumed that only select audio and system functions are offloaded to the new chip. For example, M-series motion coprocessors found in iOS devices, and now integrated into the A11 Bionic, assist in the recognition of "Hey Siri" commands. Whether the T2 offers similar functionality, or handles more complex audio tasks, is unknown at this time.

Apple debuted iMac Pro at this year's Worldwide Developers Conference in June, promising the desktop would be available to purchase in December. The company made good on those claims today with the launch of iMac Pro models featuring 8- and 10-core Intel Xeon processors. Configurations boasting top-of-the-line 18-core CPUs will ship in February and carry a hefty price tag starting at over $7,000.

Comments

  • Reply 1 of 37
    What is the image signal controller for? If the computer requires a password to boot from any drives, what happens if a person forgets the password? Will the computer be permanently bricked?
  • Reply 2 of 37
    netrox said:
    What is image signal controller for? If the computer requires a password to boot from any drives, what happens if a person forgets the password? Will the computer be permanently bricked?
    The webcam. 

    Same as what happens to your iPhone if you forget your password. 
  • Reply 3 of 37
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
  • Reply 4 of 37
    sflocal Posts: 4,700 member
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    An issue that 99.99999999999^29% of users will not care about.  The Hackintosh will be a footnote in the Mac history books.
  • Reply 5 of 37
    slurpy Posts: 5,179 member
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    Meh, it's not like hackintoshes are even a blip on Apple's business. They're for extreme enthusiasts only and have near zero impact on Apple's bottom line.
  • Reply 6 of 37
    lkrupp Posts: 7,310 member
    slurpy said:
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    Meh, it's not like hackintoshes are even a blip on Apple's business. They're for extreme enthusiasts only and have near zero impact on Apple's bottom line.
    Like the vociferous jailbreakers the hackintosh crowd likes to puff out their chests saying “look at me” but in reality they are totally irrelevant for Apple and have absolutely no influence in the affairs of Apple or its core customers. They are NOT about choice. It’s all about chest pounding.
  • Reply 7 of 37
    rob53 Posts: 2,086 member
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
  • Reply 8 of 37
    danvm Posts: 791 member
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bringing back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.

  • Reply 9 of 37
    rob53 Posts: 2,086 member
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk. Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.
  • Reply 10 of 37
    danvm Posts: 791 member
    rob53 said:
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk.
    I suppose this applies to all environments, not only MS / Windows shops. 

    Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.

    BitLocker has been part of Windows since v8.  And in Windows 10 BitLocker, encryption works with TPM chips that come with most business/enterprise PCs (for example, Thinkpads had TPM chips for 10+ years).  And it even works with Windows Hello, which has facial recognition, something missing in the iMac Pro. 

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password

    And MS provides tools to manage it, no 3rd party tools needed. 

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/about-mbam-25
  • Reply 11 of 37
    danvm said:
    rob53 said:
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk.

    Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.

    Bitlocker have been part of Windows since v8.  And in Windows 10 BitLocker, encryption works with TPM chips that come with most business/enterprise PC's (for example, Thinkpads had TPM chips for +10 years).  And it even works with Windows Hello, which has facial recognition, something missing in the iMac Pro. 

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password

    And MS provide tools to manage it, not 3rd party tools needed. 

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/about-mbam-25





    And Apple has had FileVault for 10+ years. Your point?
    edited December 2017
  • Reply 12 of 37
    sflocal said:
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    An issue that 99.99999999999^29% of users will not care about.  The Hackintosh will be a footnote in the Mac history books.
    As will the Mac by then.
  • Reply 13 of 37
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.

    "see no issues with Windows security"
    I think it's a stretch to say they "see no issues".  
    Like in nutrition, the question of what is a healthy food is always relative.  The question is:  "Healthier than what?" 
    Likewise, compared to Windows 7 or 8, Windows 10 just might be more secure.  
    ....   But then that may be like saying that a BigMac is healthier than a hot dog.

  • Reply 14 of 37
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    Nor install OS X on an older model of Mac on which it would work perfectly fine but Apple arbitrarily decides to leave it out.
  • Reply 15 of 37
    danvm Posts: 791 member
    matrix077 said:
    danvm said:
    rob53 said:
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk.

    Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.

    Bitlocker have been part of Windows since v8.  And in Windows 10 BitLocker, encryption works with TPM chips that come with most business/enterprise PC's (for example, Thinkpads had TPM chips for +10 years).  And it even works with Windows Hello, which has facial recognition, something missing in the iMac Pro. 

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password

    And MS provide tools to manage it, not 3rd party tools needed. 

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/about-mbam-25





    And Apple has FileVault for 10+ years. Your point?

    I was responding to @Rob53, who mentioned that "Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies."  I already knew that OS X / macOS had FileVault for many years.
  • Reply 16 of 37
    danvm Posts: 791 member
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.

    "see no issues with Windows security"
    I think it's a stretch to say they "see no issues".  
    Like in nutrition, the question of what is a healthy food is always relative.  The question is:  "Healthier than what?" 
    Likewise, compared to Windows 7 or 8, Windows 10 just might be more secure.  
    ....   But then that may be like saying that a BigMac is healthier than a hot dog.


    With the term "see no issues", I meant that they found Windows 10 to be secure enough for their requirements, and not necessarily compared to what they had before.  If Windows 10 had not matched their requirements, they would hold on to what they had or move to another platform, like macOS.  I don't think they took that decision lightly, when 4M devices were to be upgraded.
    edited December 2017
  • Reply 17 of 37
    sflocal said:
    glindon said:
    I foresee in 10 or so years that once all usable macs have these T2, T3... chips that Hackintosh will be completely dead. You won’t be able to install macOS without the T chip being present. 
    An issue that 99.99999999999^29% of users will not care about.  The Hackintosh will be a footnote in the Mac history books.
    As will the Mac by then.
    Oh really. And what will iOS devs and all those people in the shiny new HQ be developing on? It won’t be ipads. 
  • Reply 18 of 37
    danvm said:
    matrix077 said:
    danvm said:
    rob53 said:
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk.

    Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.

    Bitlocker have been part of Windows since v8.  And in Windows 10 BitLocker, encryption works with TPM chips that come with most business/enterprise PC's (for example, Thinkpads had TPM chips for +10 years).  And it even works with Windows Hello, which has facial recognition, something missing in the iMac Pro. 

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password

    And MS provide tools to manage it, not 3rd party tools needed. 

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/about-mbam-25





    And Apple has FileVault for 10+ years. Your point?

    I was responding to @Rob53, who mentioned that "Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies."  I already knew that OS X / macOS had FileVault for many years.
    To be clear, this T2 chip is a whole other level than BitLocker or FileVault. This is much more than that. This can prevent suspicious software from booting itself along with OSX, can prevent suspicious software using your webcam to spy on you.. for example. This is what I call true innovation. Certainly more innovative than slim keyboard or Touch Bar (which just happens to replace physical keys with touch screen). This should be in every MacBook Pro shipped. My guess is we will see it soon.  
    edited December 2017
  • Reply 19 of 37
    tipoo Posts: 1,058 member
    "The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD's performance, while keeping the Intel Xeon processor free for your compute tasks." 

    That's what I was waiting on confirmation on, if it eliminates the APFS encrypted performance hit. Sounds like a yes, I'd still like to see tests.

    https://malcont.net/2017/07/apfs-and-hfsplus-benchmarks-on-2017-macbook-pro-with-macos-high-sierra/


    edited December 2017
  • Reply 20 of 37
    danvm Posts: 791 member
    matrix077 said:
    danvm said:
    matrix077 said:
    danvm said:
    rob53 said:
    danvm said:
    rob53 said:
    I wish I was still working. Writing up a security plan for a department full of these will be a piece of cake. Add MDM software that works with these and the security plan will write itself. Would just have to deal with the troublesome Windows PCs. Now if Apple would just re-release a compatible server and Macs would dominate secure government organizations. 
    Interesting how one government organization, the USA DoD, see no issues with Windows security.  They announced the deployment of Windows 10 in 4 million devices "based on the need to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.".

    https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/

    I don't see how bring back the XServe will make Apple dominant in government organizations, when Windows Server and Linux are far more capable than macOS Server.
    DoD adjusts their cyber security rules to meet their needs. Are their systems secure? It all depends on who you ask and who is responsible for accepting the risk.

    Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies. I worked for DOE and we actually had higher security than DoD.

    Bitlocker have been part of Windows since v8.  And in Windows 10 BitLocker, encryption works with TPM chips that come with most business/enterprise PC's (for example, Thinkpads had TPM chips for +10 years).  And it even works with Windows Hello, which has facial recognition, something missing in the iMac Pro. 

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10

    https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-why-pin-is-better-than-password

    And MS provide tools to manage it, not 3rd party tools needed. 

    https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/about-mbam-25





    And Apple has FileVault for 10+ years. Your point?

    I was responding to @Rob53, who mentioned that "Windows PCs don't come standard with any type of physical encryption like the new iMac Pro, everything is bolted on requiring software updates from third-party companies."  I already knew that OS X / macOS had FileVault for many years.
    To be clear, this T2 chip is a whole another level than BitLocker or FileVault. This is much more than that. This can prevent suspicious softwares from booting itself along with OSX, can prevent suspicious software using your webcam to spy on you.. for example. This is what I call true innovation. Certainly more innovative than slim keyboard or Touch Bar (which just happen to replace physical keys with touch screen). This should be in every MacBook Pro shipped. My guess is we will see it soon.  
    Secure Boot, Trusted Boot, ELAM, and Measured Boot, which have been part of Windows since v8, do the same thing: protect the system boot process.

    https://technet.microsoft.com/en-us/windows/dn168167.aspx

    The only requirement is UEFI and a TPM chip, which are very common in PCs a few years back.  I agree with what you said, this type of security should be part of every Mac as it is with Windows.  Too bad it's only on the iMac Pro.