T2 chip in iMac Pro & 2018 MacBook Pro controls boot, security functions previously manage...

Posted in Current Mac Hardware, edited July 2018
Apple's new T2 chip in the iMac Pro and 2018 MacBook Pro is far more than a refinement of the family of sub-processors that launched in the 2016 MacBook Pro, with expanded responsibility encompassing FaceTime camera image quality, drive security, and total control over the boot process.

Editor's note: AppleInsider first published this in January following the iMac Pro debut. Given the volume of questions surrounding the chip following the release of the 2018 MacBook Pro, we have revised the article slightly and republished it to reflect the new hardware.

The inclusion of the processor in Apple hardware has been known for some time, with reports in December discussing some features of the T2 in the iMac Pro. At the time, we knew that the T2 handled secure boot and had some level of control over boot security, but there wasn't much knowledge of how deeply the chip was integrated, nor how far the security it implements reaches.

Jason Snell from MacWorld delved deeper into the T2 chip in a report in January, beyond just describing what it does. He elaborates upon the T2's role as mass storage controller, and notes that the T2 has "complete control" over the array of flash storage banks inside the iMac Pro.

The T2 encrypts "every bit" of data sent to the flash storage array in the iMac Pro, wrote Snell, and is responsible for decrypting it for the user. As a result, should the flash array be pulled from the iMac Pro, the data is irretrievable outside of the unit.

The T2 also governs the boot process. It validates the boot chain from start to finish as it runs, including verifying that the bootloader is legitimate and properly cryptographically signed, before the rest of the process is handed off to the rest of the iMac Pro's hardware for completion.

This is all managed by the previously described Startup Security Utility, which the user invokes by holding Command-R during startup.

Snell reports that by default, security is set to Full -- which requires a network connection to verify the operating system's legitimacy during install -- including the latest version of Windows 10 through Boot Camp. Medium removes the need for a network connection, and the feature can also be disabled completely.
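The two mechanisms described above, a signed boot chain that is verified stage by stage before handoff and a Full/Medium/Off install policy that only demands a network check at the Full level, are modelled in the following Python. This is an added example for illustration, not code from the article, from Apple, or from the T2 firmware. All names (SecurityLevel, Stage, verify_boot_chain, install_allowed, the root key and the image bytes) are constructed for the example, and an HMAC under a constructed root key stands in for the asymmetric signature a real root of trust verifies; the shape of the check (verify before handoff, stop at the first failure) is the same.

```python
"""Toy verified-boot chain and install policy (constructed example, not Apple code)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class SecurityLevel(Enum):
    FULL = "full"      # authenticator check plus online legitimacy check at install time
    MEDIUM = "medium"  # authenticator check only; no network needed
    OFF = "off"        # no verification at all


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    tag: bytes  # authenticator over (name, image); stands in for a vendor signature


# Constructed root-of-trust key. A real chip holds a public key and checks an
# asymmetric signature; HMAC keeps this example dependency-free.
ROOT_KEY = b"constructed-root-of-trust-key"


def _authenticate(name: str, image: bytes, key: bytes) -> bytes:
    return hmac.new(key, name.encode() + b"\x00" + image, hashlib.sha256).digest()


def sign_stage(name: str, image: bytes, key: bytes = ROOT_KEY) -> Stage:
    """Vendor side: produce a stage the root of trust will accept."""
    return Stage(name, image, _authenticate(name, image, key))


def stage_is_valid(stage: Stage, key: bytes = ROOT_KEY) -> bool:
    expected = _authenticate(stage.name, stage.image, key)
    return hmac.compare_digest(expected, stage.tag)


def verify_boot_chain(chain, key: bytes = ROOT_KEY):
    """Verify stages in order and stop at the first failure, as a root of trust does
    before handing control to the next stage. Returns (ok, names_verified_so_far)."""
    verified = []
    for stage in chain:
        if not stage_is_valid(stage, key):
            return False, verified
        verified.append(stage.name)
    return True, verified


# Constructed stand-in for the online list of known-good OS image digests.
KNOWN_GOOD_OS_DIGESTS = set()


def register_known_good(image: bytes) -> str:
    digest = hashlib.sha256(image).hexdigest()
    KNOWN_GOOD_OS_DIGESTS.add(digest)
    return digest


def install_allowed(level: SecurityLevel, os_stage: Stage, online: bool, key: bytes = ROOT_KEY):
    """Decide whether an OS install may proceed under the policy. Returns (allowed, reason)."""
    if level is SecurityLevel.OFF:
        return True, "verification disabled"
    if not stage_is_valid(os_stage, key):
        return False, "OS image authenticator does not verify"
    if level is SecurityLevel.MEDIUM:
        return True, "authenticator verified; no network check required"
    # FULL: legitimacy must additionally be confirmed online at install time
    if not online:
        return False, "Full security needs a network connection at install time"
    if hashlib.sha256(os_stage.image).hexdigest() not in KNOWN_GOOD_OS_DIGESTS:
        return False, "OS image not on the known-good list"
    return True, "authenticator verified and image confirmed online"


def tamper(stage: Stage) -> Stage:
    """Flip one byte of the image but keep the old tag: what a modified stage looks like."""
    img = bytearray(stage.image)
    img[0] ^= 0x01
    return Stage(stage.name, bytes(img), stage.tag)


def demo():
    bootloader = sign_stage("bootloader", b"constructed bootloader bytes")
    kernel = sign_stage("kernel", b"constructed kernel bytes")
    os_image = sign_stage("os-installer", b"constructed OS installer bytes")
    register_known_good(os_image.image)
    return {
        "clean_chain": verify_boot_chain([bootloader, kernel, os_image]),
        "tampered_kernel": verify_boot_chain([bootloader, tamper(kernel), os_image]),
        "full_offline": install_allowed(SecurityLevel.FULL, os_image, online=False),
        "full_online": install_allowed(SecurityLevel.FULL, os_image, online=True),
        "medium_offline": install_allowed(SecurityLevel.MEDIUM, os_image, online=False),
        "medium_tampered": install_allowed(SecurityLevel.MEDIUM, tamper(os_image), online=False),
        "off_tampered": install_allowed(SecurityLevel.OFF, tamper(os_image), online=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The tampered-kernel case shows why the chain stops at the first failure: the third stage is never examined, because nothing after a bad stage can be trusted to have been measured honestly. The Medium cases show that losing connectivity does not by itself block a verified image; only the Full level adds the online check, and only at install time.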

The T2 also has hooks in the FaceTime camera on both computers. Integrated into the T2 is a new image signal processor that alters all parameters of the FaceTime camera, very similar to the image adjustments that the iPhone makes automatically.

Apple's T2 governs more. It also controls and secures the computer's microphones, governs fan speeds, and controls the speakers in the iMac Pro as well.

Comments

  • Reply 1 of 38
    tipoo (1,141 posts, member)
    I'd love to see a die scan for this. Curious if it's A10-like as Steve Smith thought he found in the iMac. And if there's anything interesting about the SSD controller with two physically separate dumb NAND sticks. 
  • Reply 2 of 38
    macxpress (5,801 posts, member)
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    edited January 2018
  • Reply 3 of 38
    blastdoor (3,256 posts, member)
    So... sometimes you have an Internet connection and then, for reasons beyond your control, you don't. 

    Does Full security mean no internet connection, no boot, and nothing that you can do about it? 

    In other words, if your ISP craps out, is your iMac Pro a brick?
  • Reply 4 of 38
    Soli (10,035 posts, member)
    blastdoor said:
    So... sometimes you have an Internet connection and then, for reasons beyond your control, you don't. 

    Does Full security mean no internet connection, no boot, and nothing that you can do about it? 

    In other words, if your ISP craps out, is your iMac Pro a brick?
    "…at software installation time," not "…at boot time."

    For most of us, we're not trying to install from an external drive or an air gapped LAN; we're getting our OS installations from Apple's servers, even when booting into Recovery Mode, so we're already connecting to the Internet.
    edited January 2018
  • Reply 5 of 38
    VRing (108 posts, member)
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    edited January 2018
  • Reply 6 of 38
    blastdoor said:
    So... sometimes you have an Internet connection and then, for reasons beyond your control, you don't. 

    Does Full security mean no internet connection, no boot, and nothing that you can do about it? 

    In other words, if your ISP craps out, is your iMac Pro a brick?
    I figure that in such a case you then simply change the security from ‘full’ to ‘medium’ and authenticate using a password.
  • Reply 7 of 38
    williamh (1,032 posts, member)
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    I've used enterprise hardware with TPM chips for years.  Correct me if I am wrong, but I don't think the TPM does what the T2 chip does.  For me, it just seems to be like a trusted enclave that to my knowledge I am only using for BitLocker encryption.  I don't know or care enough to find out about VRing's "magical and revolutionary custom build" but essentially, isn't Macexpress correct if referring to the T2 chip?
  • Reply 8 of 38
    VRing (108 posts, member)
    williamh said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    I've used enterprise hardware with TPM chips for years.  Correct me if I am wrong, but I don't think the TPM does what the T2 chip does.  For me, it just seems to be like a trusted enclave that to my knowledge I am only using for BitLocker encryption.  I don't know or care enough to find out about VRing's "magical and revolutionary custom build" but essentially, isn't Macexpress correct if referring to the T2 chip?
    TPM doesn't do everything the T2 offers, but it offers security for disk encryption keys among a few other features. Features such as a self-healing BIOS are separate from TPM. The approach of the hardware is different, but both offer secure features for the user's data.
  • Reply 9 of 38
    rob53 (3,241 posts, member)
    VRing said:
    williamh said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    I've used enterprise hardware with TPM chips for years.  Correct me if I am wrong, but I don't think the TPM does what the T2 chip does.  For me, it just seems to be like a trusted enclave that to my knowledge I am only using for BitLocker encryption.  I don't know or care enough to find out about VRing's "magical and revolutionary custom build" but essentially, isn't Macexpress correct if referring to the T2 chip?
    TPM doesn't do everything the T2 offers, but it offers security for disk encryption keys among a few other features. Features such as a self-healing BIOS are separate from TPM. The approach of the hardware is different, but both offer secure features for the user's data.
    I thought Intel was going to full EFI, so no more antiquated BIOS. Doesn't matter to me since I don't really care about Windows systems.

    That said, I think I could have written a security plan for classified computing on an iMac Pro with internal SSDs that wouldn’t have to be locked in a vault or repository. Can’t steal the SSDs and get any data and can’t boot from external drives (disabling ports already a requirement and T2 handles this by default). Just make sure booting works to off-Internet validation server (MDM system) and it should be easy. Of course I don’t have to write these anymore but OTS OS and HW handling all this with no third-party additions makes it a slam dunk for government systems even for Windows-biased IT managers and security officers. 
  • Reply 10 of 38
    macxpress (5,801 posts, member)
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Too bad that's not the same thing as the T2 chip... try again!
  • Reply 11 of 38
    StrangeDays (12,834 posts, member)
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Does that means they do what the T2 does, such as:

    The T2 encrypts "every bit" of data sent to the flash storage array in the iMac Pro, and is responsible for decrypting it for the user. As a result, should the flash array be pulled from the iMac Pro, the data is irretrievable outside of the unit.

    The T2 encrypts everything, and because it's not the CPU there is no performance hit as there usually is with encryption/decryption. That's pretty nifty.
    edited January 2018
  • Reply 12 of 38
    chia (713 posts, member)
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Apple has been using EFI/UEFI right from its first Intel-based Mac in 2005, it may have even been the first to ship consumer x86 Intel systems that used EFI/UEFI.  No production Mac has ever used BIOS; can’t vouch for what was used on the computers in Apple’s labs for their Star Trek project, the one where they ran System 7 on PC-compatible hardware.

    It amuses me that VRing conflates UEFI with BIOS.  UEFI is far more advanced in what it does compared to outdated BIOS.
    I knew the moment that Windows PC manufacturers started making their systems using UEFI that people would continue to lazily and confusingly use the term BIOS in systems where it’s absent.
  • Reply 13 of 38
    wizard69 (13,377 posts, member)
    These are some interesting developments, but if some or all of this is true, Macs with this chip should suffer less of a performance loss vs. a machine without. The payoff could be greater on lesser machines like the laptops and Minis. Effectively you get the performance of a couple of cores, but you and Apple don't have to pay for those cores at Intel prices.

    It will be interesting this year to see how the new machines roll out. That is, will T2 be universal or not? Also, how much more can T2-like chips take on? In laptops that could be very interesting.
  • Reply 14 of 38
    VRing (108 posts, member)
    macxpress said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Too bad that's not the same thing as the T2 chip... try again!
    It's not meant to be the same, but it has provided a secure hardware solution for systems for over a decade now.
  • Reply 15 of 38
    VRing (108 posts, member)
    chia said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Apple has been using EFI/UEFI right from its first Intel-based Mac in 2005, it may have even been the first to ship consumer x86 Intel systems that used EFI/UEFI.  No production Mac has ever used BIOS; can’t vouch for what was used on the computers in Apple’s labs for their Star Trek project, the one where they ran System 7 on PC-compatible hardware.

    It amuses me that VRing conflates UEFI with BIOS.  UEFI is far more advanced in what it does compared to outdated BIOS.
    I knew the moment that Windows PC manufacturers started making their systems using UEFI that people would continue to lazily and confusingly use the term BIOS in systems where it’s absent.
    It's not anyone being lazy. BIOS can still be exposed in Class 2 UEFI. Class 3 or 3+ devices (Surface Book, etc.) expose only UEFI at runtime. My mention of self-healing was with respect to older systems for enterprise and a history of these secure features.
  • Reply 16 of 38
    Rayz2016 (6,957 posts, member)
    wizard69 said:
    These are some interesting developments, but if some or all of this is true, Macs with this chip should suffer less of a performance loss vs. a machine without. The payoff could be greater on lesser machines like the laptops and Minis. Effectively you get the performance of a couple of cores, but you and Apple don't have to pay for those cores at Intel prices.

    It will be interesting this year to see how the new machines roll out. That is, will T2 be universal or not? Also, how much more can T2-like chips take on? In laptops that could be very interesting.
    I see what you’re saying.  

    By taking on more of the housekeeping, they can bleed more performance out of Intel’s stagnating chip line. 
  • Reply 17 of 38
    colinng (116 posts, member)
    wizard69 said:
    Effectively you get the performance of a couple of cores, but you and Apple don't have to pay for those cores at Intel prices.

    It will be interesting this year to see how the new machines roll out. That is, will T2 be universal or not? Also, how much more can T2-like chips take on? In laptops that could be very interesting.
    I think it’s more about system security and Apple’s wish to reduce dependency on vendors.

    They probably were really pissed off when they found that Intel firmware on the Thunderbolt controller meant that a specially crafted TB dongle could pwn a Mac. They were also not happy to be beholden to Intel’s chipset plans (which have been behind the times - to one point where Apple once used nVidia chipsets in Mac portables). Remember Intel Centrino? That was Intel’s ploy to get PC makers to buy their crappy chipset and crappy wireless cards. You needed all three to be Intel to get that flashy sticker. 

    But switching to nVidia chipsets (most power efficient, includes GPU) and Atheros wireless (best radios) got them screwed when nVidia penny-pinched on the chip’s packaging, causing thermal issues (cracked solder joints) that resulted in massive recalls. 

    None of the big vendors seem to have their head on straight, so Apple regretfully has to make everything. It’s not like they want to throw R&D behind Desktop CPUs when all the money is in Mobile. Oh well! 

    They ship like 37 million iPhones a quarter, which are effectively a hardware legacy-free system (what’s a headphone jack?), so they probably can make a full desktop at some point. They’d probably rather not, though. Lots of R&D to get x64 code running perfectly on an ARM. I mean, even subtle details like Meltdown and Spectre have to be looked into. 

    edited January 2018
  • Reply 18 of 38
    chia (713 posts, member)
    VRing said:
    chia said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Apple has been using EFI/UEFI right from its first Intel-based Mac in 2005, it may have even been the first to ship consumer x86 Intel systems that used EFI/UEFI.  No production Mac has ever used BIOS; can’t vouch for what was used on the computers in Apple’s labs for their Star Trek project, the one where they ran System 7 on PC-compatible hardware.

    It amuses me that VRing conflates UEFI with BIOS.  UEFI is far more advanced in what it does compared to outdated BIOS.
    I knew the moment that Windows PC manufacturers started making their systems using UEFI that people would continue to lazily and confusingly use the term BIOS in systems where it’s absent.
    It's not anyone being lazy. BIOS can still be exposed in Class 2 UEFI. Class 3 or 3+ devices (Surface Book, etc.) expose only UEFI at runtime. My mention of self-healing was with respect to older systems for enterprise and a history of these secure features.
    Sorry but you are one of those that is confused, VRing.  The Surface Book uses only UEFI.  UEFI devices can have a mode where they emulate a BIOS boot for legacy operating systems, but UEFI isn't BIOS.
  • Reply 19 of 38
    GG1 (483 posts, member)
    wizard69 said:
    These are some interesting developments, but if some or all of this is true, Macs with this chip should suffer less of a performance loss vs. a machine without. The payoff could be greater on lesser machines like the laptops and Minis. Effectively you get the performance of a couple of cores, but you and Apple don't have to pay for those cores at Intel prices.

    It will be interesting this year to see how the new machines roll out. That is, will T2 be universal or not? Also, how much more can T2-like chips take on? In laptops that could be very interesting.
    Do you think the encryption/decryption function is realized purely in hardware (fixed in silicon) as opposed to being calculated on-the-fly in a microcontroller (with a software routine)? Sure, you can get painted in a corner with a fixed routine, but it would be super fast/efficient.
  • Reply 20 of 38
    VRing (108 posts, member)
    chia said:
    VRing said:
    chia said:
    VRing said:
    macxpress said:
    Hey @VRing, does that supposed magical and revolutionary custom build of yours that is SO much better than an iMac Pro do this? Didn't think so and never will! 
    I know you're just flaming, but TPM chips have been in the vast majority of Windows computers and motherboards for enterprise use for years. As well, a number of these types of computers have a self-healing BIOS to restore a corrupt or potentially attacked BIOS.
    Apple has been using EFI/UEFI right from its first Intel-based Mac in 2005, it may have even been the first to ship consumer x86 Intel systems that used EFI/UEFI.  No production Mac has ever used BIOS; can’t vouch for what was used on the computers in Apple’s labs for their Star Trek project, the one where they ran System 7 on PC-compatible hardware.

    It amuses me that VRing conflates UEFI with BIOS.  UEFI is far more advanced in what it does compared to outdated BIOS.
    I knew the moment that Windows PC manufacturers started making their systems using UEFI that people would continue to lazily and confusingly use the term BIOS in systems where it’s absent.
    It's not anyone being lazy. BIOS can still be exposed in Class 2 UEFI. Class 3 or 3+ devices (Surface Book, etc.) expose only UEFI at runtime. My mention of self-healing was with respect to older systems for enterprise and a history of these secure features.
    Sorry but you are one of those that is confused, VRing.  The Surface Book uses only UEFI.  UEFI devices can have a mode where they emulate a BIOS boot for legacy operating systems, but UEFI isn't BIOS.
    I'm not saying UEFI is BIOS. I'm saying that Class 2 (or lower) will still expose a BIOS interface. Due to this, the terminology has remained. 

    I said:  "Class 3 or 3+ devices (Surface Book, etc.) expose only UEFI at runtime."
    You said: "The Surface Book uses only UEFI."

    You should read that again. We're saying the same thing with regards to Class 3 devices, the BIOS interface  is no more at that level.
