Apple quietly upgraded the Secure Enclave for older chips in fall 2020

Posted in iPhone, edited April 12
In fall 2020, Apple revised its A12, A13, and S5 systems-on-chip so that the Secure Enclave in devices shipping from then on uses a second-generation Secure Storage Component.

When Apple introduces new security features to its chips, it normally does so as part of a new chip release alongside a range of other changes. Revising a design that is already in production is unusual, yet it appears that Apple has adjusted some of its earlier SoCs to make them more secure.

In an update to the Apple Platform Security pages spotted by Andrew Pantyukhin on Twitter and first reported by MacRumors, the PDF version of the guide includes a feature-summary table for the Secure Enclave that records changes made in fall 2020. The Secure Enclave is a dedicated coprocessor, isolated from the application processor, that handles and stores highly sensitive security material such as Face ID and Touch ID data, so that this work is never handed to the application processor.

An illustration from Apple of the Secure Enclave's role in iPhone security


In the table, the A12, A13, and S5 SoCs each have two rows instead of one, covering "Apple devices released before Fall 2020" and those released afterward. For all three pre-fall 2020 rows, Apple lists the SoCs as having "Secure Storage Component gen 1," while the later rows list "Secure Storage Component gen 2."

Based on the wording, the change affects only product lines released from fall 2020 onward; existing devices built on the same chips continue to use the earlier variant. The Secure Storage Component is a hardware part, so although Apple could in principle revise existing products using those chips, it is unlikely to do so without announcing it.

As for the hardware affected, the iPad, HomePod mini, and Apple Watch SE appear to be the only devices released on the older chip designs that carry the updated Secure Storage Component.

The SoCs introduced in fall 2020, the A14 and the S6, already have the second-generation Secure Storage Component. A-series chips from the A8 through the A11, the S3, and the T2 are all listed as using "EEPROM" for their secure storage component.

The one exception is the S4, used in the Apple Watch Series 4, which is listed only with "Secure Storage Component gen 1" and no "gen 2" row. That is most likely because Apple has discontinued the Apple Watch Series 4 and no other product used the S4.

As for what is actually different in the second-generation component, Apple describes it as adding "counter lockboxes," each of which stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit attempt counter, and an 8-bit maximum-attempt value. Moving the passcode-attempt count and its limit into dedicated hardware storage is most plausibly a countermeasure against passcode brute-forcing tools such as GrayShift's GrayKey or the services Cellebrite offers to unlock and extract files from iOS devices.
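To make the mechanism concrete, here is an added illustrative model of a counter lockbox built around the four fields the article lists. This is example code written for this page, not Apple's implementation or anything from the Platform Security guide: the field widths follow the article, but the key-derivation function (PBKDF2-HMAC-SHA256 truncated to 128 bits), the 34-byte serialization, the count-before-verify ordering and the reset-on-success policy are all assumptions chosen to show why such a structure resists brute-force tools.

```python
"""Illustrative model of a "counter lockbox": a record holding a 128-bit salt,
a 128-bit passcode verifier, an 8-bit attempt counter and an 8-bit
maximum-attempt value.  Added example, not Apple's code; the KDF, the record
layout and the lockout policy are assumptions for illustration only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


class LockedOut(Exception):
    """Raised once the counter has reached the maximum-attempt value."""


@dataclass
class CounterLockbox:
    salt: bytes          # 16 bytes (128 bits), random per lockbox
    verifier: bytes      # 16 bytes (128 bits), KDF(passcode, salt)
    counter: int         # 8-bit count of consecutive failed attempts
    max_attempts: int    # 8-bit lockout threshold

    @staticmethod
    def derive(passcode: str, salt: bytes) -> bytes:
        # Assumed KDF: PBKDF2-HMAC-SHA256, output truncated to 128 bits.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000, dklen=16)

    @classmethod
    def create(cls, passcode: str, max_attempts: int = 10) -> "CounterLockbox":
        if not 1 <= max_attempts <= 255:
            raise ValueError("max_attempts must be non-zero and fit in 8 bits")
        salt = os.urandom(16)
        return cls(salt, cls.derive(passcode, salt), 0, max_attempts)

    def pack(self) -> bytes:
        # Assumed 34-byte layout: salt || verifier || counter || max_attempts
        return self.salt + self.verifier + bytes([self.counter, self.max_attempts])

    @classmethod
    def unpack(cls, raw: bytes) -> "CounterLockbox":
        if len(raw) != 34:
            raise ValueError("lockbox record must be exactly 34 bytes")
        return cls(raw[0:16], raw[16:32], raw[32], raw[33])

    @property
    def locked(self) -> bool:
        return self.counter >= self.max_attempts

    def try_unlock(self, passcode: str) -> bool:
        """Check one passcode guess, charging the attempt before verifying."""
        if self.locked:
            raise LockedOut("maximum attempts reached; lockbox exhausted")
        # Commit the incremented counter BEFORE comparing.  If the counter were
        # only bumped after a failed compare, an attacker who cuts power during
        # the check (the approach used by early iOS passcode brute-force boxes)
        # would get unlimited free guesses.
        self.counter += 1
        ok = hmac.compare_digest(self.derive(passcode, self.salt), self.verifier)
        if ok:
            self.counter = 0   # assumed policy: success resets the counter
        return ok
```

The attempt counter and its ceiling live inside the same record as the verifier, so there is no separate, weaker store that a brute-force tool can reset or roll back; the ordering of increment and compare is the other detail that matters, since a counter that only advances after a failed comparison can be defeated by interrupting the check.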

In August 2020, security researchers disclosed a vulnerability in the Secure Enclave Processor involving its memory controller, which allowed attackers to alter how the processor's memory was used.


Comments

  • Reply 1 of 6
    lkrupp Posts: 8,991 member
    Yet more confirmation that when Apple controls the silicon they can make changes, improvements, fixes without having to wait for someone like Intel to get their act together. 
  • Reply 2 of 6
    I just hope that they add the ability to update its firmware to be able to fix bugs like what was discovered in August. 
  • Reply 3 of 6
    lkrupp said:
    Yet more confirmation that when Apple controls the silicon they can make changes, improvements, fixes without having to wait for someone like Intel to get their act together. 
    You don’t know the time it took between discovery and resolution, so that’s just an assumption. Plus, as you can see, if they control anything, they can be super quiet about potential security threats and downplay the issue since they control everything. There is no authority who can check or put pressure on them the same way suppliers do this with each other.  
  • Reply 4 of 6
    Beats Posts: 2,065 member
    lkrupp said:
    Yet more confirmation that when Apple controls the silicon they can make changes, improvements, fixes without having to wait for someone like Intel to get their act together. 
    You don’t know the time it took between discovery and resolution, so that’s just an assumption. Plus, as you can see, if they control anything, they can be super quiet about potential security threats and downplay the issue since they control everything. There is no authority who can check or put pressure on them the same way suppliers do this with each other.  
    Evil evil Apple. Always snooping on our data and breaching our security. Time to switch to Windows/Android!
  • Reply 5 of 6
    Beats said:

    Evil evil Apple. Always snooping on our data and breaching our security. Time to switch to Windows/Android!
    Some folks are so blind that they can't see when a company is updating stuff to more completely secure user privacy.

    This from someone who is probably using a device which gives as much data as possible to Google.
  • Reply 6 of 6
    neilm Posts: 874 member
    Beats said:

    Evil evil Apple. Always snooping on our data and breaching our security. Time to switch to Windows/Android!
    Some folks are so blind that they can't see when a company is updating stuff to more completely secure user privacy.

    This from someone who is probably using a device which gives as much data as possible to Google.
    I suspect you forgot to turn on your sarcasm detector this morning.