iMac Pro debuts custom Apple T2 chip to handle secure boot, password encryption, more

Posted in Current Mac Hardware, edited December 2017
Apple's iMac Pro desktop will also sport a new custom chip dubbed the T2, serving as a secure enclave for encrypted keys, giving users the ability to lock down their Mac's boot process, and also handling system functions like the camera, audio control, and management of the solid-state drive.


New iMac Pro secure boot options, via Cabel Sasser.


Details on the T2 chip were revealed on Tuesday by Cabel Sasser, cofounder of developer Panic. According to him, the T2 chip combines previously discrete functions, including the system management controller, image signal processor for FaceTime camera, audio control, and SSD control.

In addition, like Apple's A-series chips for iPhone and iPad, as well as the MacBook Pro's T1 before it, the T2 has a secure enclave for storing information like passwords. It also has a hardware encryption engine, according to Sasser.

"This new chip means storage encryption keys pass from the secure enclave to the hardware encryption engine in-chip -- your key never leaves the chip," he wrote on Twitter. "And, they it allows for hardware verification of OS, kernel, boot loader, firmware, etc. (This can be disabled)"

To take advantage of the T2 chip, the iMac Pro's version of macOS High Sierra includes a new "Startup Security Utility" option. Here, users can turn on a firmware password to prevent a computer from starting up from a different hard disk, CD or DVD without the password.

macOS also gains new "Secure Boot" options, ranging from "Full Security" to "Medium Security" or none. When "Full Security" is enabled, the system ensures only the latest and most secure software can be run, requiring a network connection at software installation time.

Users can also allow or disallow booting from external media with the new T2 chip.




Apple's first T1 chip launched in late 2016 in the MacBook Pro. There, it is responsible for Touch ID authentication, as well as the secure enclave for storing Apple Pay credentials.

The details on the iMac Pro T2 chip would seem to dispel earlier rumors that claimed Apple would build a full-fledged A10 chip into the iMac Pro. The A10 powers Apple's iPhone 7 and iPhone 7 Plus, while a beefed up A10X processor is found in the 2017 iPad Pro lineup.

Notably, the iMac Pro lacks Touch ID, or Face ID, meaning there is no way to authenticate Apple Pay purchases with the device. Users must instead rely on an iPhone or Apple Watch nearby, logged into the same iCloud credentials, to authorize Apple Pay purchases on the web.

Other reports suggested that the addition of custom Apple silicon in the iMac Pro could enable always-on "Hey Siri" support. Sasser's notes on Twitter gave no mention of "Hey Siri" support, but given the T2's integration with other key components in the iMac Pro, it's possible that the feature could be coming in a future update to macOS.

Comments

  • Reply 1 of 27
    lkrupp Posts: 10,557 member
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.
  • Reply 2 of 27
    macxpress Posts: 5,801 member
    lkrupp said:
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.
    Awww...that's too bad!
  • Reply 3 of 27
    bigpics Posts: 1,397 member
    lkrupp said:
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.
    My first thought exactly....
  • Reply 4 of 27
    tipoo Posts: 1,141 member
    It's also possible the T2 is based off the A10. The T1 was based off the first Watch SoC. 
  • Reply 5 of 27
    tipoo Posts: 1,141 member
    lkrupp said:
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.

    Eh, it'll take a really long time for it to be in enough macs to start to require it. High Sierra still runs on 2009 hardware for instance. Maybe 8 years out, emulating an A10/T2 won't be that bad. 
  • Reply 6 of 27
    tipoo said:
    It's also possible the T2 is based off the A10. The T1 was based off the first Watch SoC. 
    That would be a huge leap from building off of the S1P to building off of the A10. The A10 has a ton of horsepower. If it turns out the T2 is based off of the A10, I suspect it will do *a lot* more than a secure enclave in the future.
  • Reply 7 of 27
    sflocal Posts: 6,092 member
    lkrupp said:
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.
    And this matters because?
  • Reply 8 of 27
    tipoo Posts: 1,141 member
    nhughes said:
    tipoo said:
    It's also possible the T2 is based off the A10. The T1 was based off the first Watch SoC. 
    That would be a huge leap from building off of the S1P to building off of the A10. The A10 has a ton of horsepower. If it turns out the T2 is based off of the A10, I suspect it will do *a lot* more than a secure enclave in the future.

    Well, Steve Troughton-Smith was playing around with system files targeting the A10 in the iMac Pro. I find it unlikely there's both, a T2 and an A10 side by side, so it seems very possible the T2 is just a very A10-like chip. 

    Certainly overkill for mobile, but a desktop has no such concerns. 
    edited December 2017
  • Reply 9 of 27
    It's Cabel Sasser, not Caleb. Darned autocorrect strikes again!
  • Reply 10 of 27
    tipoo said:
    nhughes said:
    tipoo said:
    It's also possible the T2 is based off the A10. The T1 was based off the first Watch SoC. 
    That would be a huge leap from building off of the S1P to building off of the A10. The A10 has a ton of horsepower. If it turns out the T2 is based off of the A10, I suspect it will do *a lot* more than a secure enclave in the future.

    Well, Steve Troughton-Smith was playing around with a compile target just like the A10. I find it unlikely there's both, a T2 and an A10 side by side, so it seems very possible the T2 is just a very A10-like chip. 

    Certainly overkill for mobile, but a desktop has no such concerns. 
    Wouldn't be overkill for mobile (nor desktop) if it had development/programming applications. If it's based on an A10, it will do more than secure enclave. At some point.
  • Reply 11 of 27

    Notably, the iMac Pro lacks Touch ID, or Face ID, meaning there is no way to authenticate Apple Pay purchases with the device. Users must instead rely on an iPhone or Apple Watch nearby, logged into the same iCloud credentials, to authorize Apple Pay purchases on the web.

    When I use ApplePay on my MacBook Pro (with Touch ID), it makes me confirm it with my iPhone's Touch ID rather than the one built into the MacBook itself. Is that typical? It tends to surprise me when this happens.
  • Reply 12 of 27
    anome Posts: 1,533 member

    Interesting that there's no FaceID. I get not having TouchID, as that does have its problems with a wireless keyboard, or putting it on the front of the computer. The TouchID problems aren't insurmountable, but now we have FaceID, they become unnecessary, since putting the appropriate sensors in the front of the computer is less of a hassle than finding somewhere to put a TouchID sensor, and, if you put it on the keyboard, authenticating it properly for a wireless connection.

    It might be that FaceID wasn't ready for the iMac Pro when they finalised the design, but it could (should?) be in subsequent models. Possibly it will turn up in the consumer iMacs first, depending on the release schedule. Maybe it will be in the new Mac mini when they announce it...

  • Reply 13 of 27
    irnchriz Posts: 1,616 member
    Now I know why you cry...
  • Reply 14 of 27

    All you need is encrypted communication end to end and the government and its agents will have no idea what you do in your bedroom at night.

    They can get into your phone and now they will not be able to get into your Mac. If you can secure all your written communication end to end, the FBI will just have to throw in the towel and do old-fashioned police work versus your electronics ratting you out.

  • Reply 15 of 27
    anome said:

    Interesting that there's no FaceID... ...It might be that FaceID wasn't ready for the iMac Pro when they finalised the design...

    FaceID not only requires a new camera module with the depth sensing technology (aka the notch), but it also requires processing logic commands (and machine learning capabilities) that are built into the A11 Bionic chip.

    Simply upgrading the iMac front facing camera array with the depth sensing camera module found in the iPhone X without also including the A11 Bionic SIC will not enable FaceID or the AI capabilities that it needs to function.
  • Reply 16 of 27
    anome said:

    Interesting that there's no FaceID. 

    There was no chance whatsoever Apple puts its hallmark top-of-the-line iPhone feature in anything else for the next year. Not a technical limitation, but a pretty clear business decision.
  • Reply 17 of 27
    I just tested the T2 security. Login "root" with an empty password works!

    And anyone tempted to write that I should use a /s on this post, just don't. The bar is already low enough, isn't it?
  • Reply 18 of 27
    I wonder if this means it is compatible with a yet to be released Touch ID Mac sensor? Of course given external GPS, I'm not sure if a touch bar wired keyboard could not sport its own T2 chip?
  • Reply 19 of 27

    Notably, the iMac Pro lacks Touch ID, or Face ID, meaning there is no way to authenticate Apple Pay purchases with the device. Users must instead rely on an iPhone or Apple Watch nearby, logged into the same iCloud credentials, to authorize Apple Pay purchases on the web.

    When I use ApplePay on my MacBook Pro (with Touch ID), it makes me confirm it with my iPhone's Touch ID rather than the one built into the MacBook itself. Is that typical? It tends to surprise me when this happens.
    Yes. Two probable reasons — Using two devices absolutely confirms that it's you, unless both of your devices are in the possession of someone else and have your fingerprint, which would be very unlikely. And Macs likely haven't been signed-off by banks for authorizing payments.

    focher said:
    I just tested the T2 security. Login "root" with an empty password works!

    And anyone tempted to write that I should use a /s on this post, just don't. The bar is already low enough, isn't it?

    Yet you conveniently left out the fact that Apple fixed that problem very quickly.
  • Reply 20 of 27
    lkrupp said:
    A10 or T2. Either way it doesn’t look good for the hackintosh crowd going forward.
    So far Apple hasn’t cared about people stealing their software, and if they wanted to kill off hackintosh I don’t think they’d need this to do so. But sure, it could be used for that. 