What Apple's T2 chip does in your new MacBook Air or MacBook Pro

Posted:
in General Discussion edited June 2020
Apple says the T2 is a security chip, and if all it did were keep your data more secure, it would be worth it. Yet this little processor does so much else, and it has a startling effect on performance.

Apple's T2 Security Chip (Photo: iFixit)
Apple's T2 Security Chip (Photo: iFixit)


If you spent any time looking into which Mac desktop or notebook to buy before you paid out for a shiny new machine, you'll have seen Apple's website extolling the fact that many of them have T2 security chips. That's nice. Only, it's more than nice, it's more than a way to invisibly secure your Mac, it is a process that has a dramatic and visible effect on just about everything you do.

It's visible enough that the lack of a T2 chip is just about the only reason we would hesitate over buying a regular iMac right now. The iMac Pro has always had a T2 chip and now every other currently-shipping Mac has it, but the iMac doesn't.

That's an odd omission and one that will surely be corrected at some point, though. Eventually, all Macs will have this T2 or a descendant, and while we've had to wait for T2 to make its way across the range, it's been mostly worth the wait.

To find out if your Mac has T2, hold the Option key as you click on the Apple menu. Choose System Information and then click on Controller.
To find out if your Mac has T2, hold the Option key as you click on the Apple menu. Choose System Information and then click on Controller.

What's so good with its security

The Apple T2 Security Chip is a separate processor that for some aspects of operation sits between whichever main Intel processor your Mac has, and macOS.

It sits there to ensure, first of all, that nothing can ever get loaded onto your machine without you explicitly wanting it to. The T2 chip provides a secure boot, which means that the only things that can run at start up is trusted, approved macOS software.

This prevents malware getting its hooks into your Mac when it starts up, and the T2 chip also takes care of security once it's running.

For instance, built into it is a dedicated Advanced Encryption Standard (AES) hardware engine. This makes sure the data on your storage drives is encrypted and because it's done in hardware, there's no hit to the speed of your Mac as macOS reads and writes data.

This business of having a secure boot and storage encryption in the hardware extends to one more piece of security that changes how we buy things online. It is because of the T2 chip that MacBook Air and MacBook Pro can have Touch ID just as iPhones and iPads do.

Using Touch ID on a MacBook Pro
Using Touch ID on a MacBook Pro


The T2 chip maintains a secure enclave where your identifying fingerprint data is stored. When an app or online service needs to know you really are you, it asks you to put your finger on the Touch ID sensor and then it asks the T2 chip. Is this new fingerprint, whatever it is and whoever it belongs to, the same as one in your secure enclave?

Apple's T2 processor can then say yes or no. Without giving away any of your data, it has securely confirmed your identity and you can carry on with your payment.

Watching out for you

There's one more security feature the T2 chip brings that doesn't get appreciated because it doesn't tend to get noticed. If you have a MacBook Air or MacBook Pro with a T2 chip and you close the lid, the T2 chip switches off the microphone.

You don't notice it because you just closed the lid, you're not thinking of using the microphone. Yet malicious apps could have turned it back on and be listening to your every word -- except now they can't. The T2 disables the microphone in hardware so that no software can switch it on.

The chip doesn't bother doing the same thing for your camera because let malicious apps turn that on, they won't see anything as you've closed the lid.

What else is so good?

Security like this must be the heart of the T2 chip, as it's even in its full name, but Apple has leveraged it to provide other advantages. While you can't see that a secure boot has kept you safe and you may never even notice that your drive storage has been encrypted automatically, you will see and hear several differences because of this chip.

The T2 chip includes an audio processor that is meant to contribute to an overall superior sound quality, compared to Macs without it. In practice, though, musicians have reported problems.

Mac mini has T2, but it can't use the chip's
Mac mini has T2, but it can't use the chip's "Hey, Siri" or Touch ID features because it lacks a built-in mic and keyboard


Then Macs with the T2 chip -- with one significant exception -- are not just playing audio, they're listening out for it too. Unless you have a 2018 Mac mini, these machines are always listening for you to say "Hey, Siri."

Not only do they listen out for this and if you say these words, then listen for a Siri command, they also do so very quickly. The facility to say the trigger phrase and then the responsiveness of these machines means you're now able to use Siri as freely and easily as you do on iOS.

Visible difference

Exploiting the fact that to do its security work, the T2 needs to be this completely separate processor, Apple gives it other work to do that frees up the main CPU.

It processes audio, for better or worse depending on your use case and external hardware, but you'll also see a marked difference in some video encoding jobs. It's specifically meant to help with FaceTime and it improves on face tones, auto exposure and so on.

What Apple does not mention in its official T2 security documentation is that video encoding is also faster with T2.

Detail from our testing of video encoding with and without the T2
Detail from our testing of video encoding with and without the T2


In trying to document it precisely, we found there were multiple factors and what you saw depended on what video software you were using.

However, the difference could be in the order of many minutes. Using the right settings, a T2-enabled Mac will typically encode video significantly faster than a machine without it.

Not to over-emphasize this, but it's the T2 chip that means you can be better off buying a 2018 Mac mini than a lower-end 2013 Mac Pro for equivalent pricing. Seriously. That doesn't hold true when you're looking at Mac Pros with more cores, but for price/performance, the new low-end Mac beats certain versions of the old high-end one.

Hacked off

For over a decade, enthusiasts have been shoe-horning macOS on off-the-shelf hardware. What results is a PC running macOS, but with little support from software vendors, and obviously none from Apple itself.

It is possible that Apple could require the T2 in the future to run macOS at all. But, given that the latest iMacs don't have a T2, that day is five years away -- and maybe more.

And as far as repair goes, there was a revelation that the T2 could prevent repair by third parties requiring a part registration similar to what's required when something involving Touch ID is replaced on an iPhone. However, at present, at least, this isn't the case for repairs outside of Touch ID.

Into the future

The specifications that Apple has published so far for the 2019 Mac Pro state that it will have "storage encrypted by the Apple T2 Security Chip" and that it will have the same secure boot system.

The 2019 Mac Pro will of course have a T2 chip
The 2019 Mac Pro will of course have a T2 chip


What it definitely won't have is Touch ID and, effectively, "Hey, Siri." Right now the Mac mini doesn't have either of these, because like the forthcoming Mac Pro, it lacks a keyboard and a microphone.

That should be enough to mean that neither machine will ever be able to listen out for "Hey, Siri," but it's complicated. According to Apple's documentation, you should be able to plug a microphone into a Mac mini and the T2 chip will then listen. That's not been the case in our testing, yet what has been the case is that when you have AirPods 2, they can work.

The AirPods 2 have to be paired to your Apple ID, which really just means paired to your iPhone, and then you get an option in the Mac's settings to use them for "Hey, Siri." You still have to then use the Mac's Bluetooth menu and connect to the AirPods 2, but when you've done all that, the Mac mini responds to "Hey, Siri."

Presumably the Mac Pro 2019 will be the same, but it is peculiar that the most expensive Mac needs you to also buy AirPods to make a tentpole Apple feature work.

It's also interesting, though, to speculate on whether this is a clue to whether we'll ever see Touch ID keyboards for the Mac. The T2 chip is literally all about security, and it needs hardware access to the microphone to disable it, yet it's allowing "Hey, Siri" access over the AirPods' Bluetooth.

Perhaps it's the combination of receiving data via Bluetooth but that data matching up with the AirPods already paired to the system. If that's how the T2 chip can get around the security issues of using Bluetooth, maybe we'll see a keyboard some day that uses a similar idea.

That's entirely speculation, so for now, all we can say is that there are T2 benefits that we would love to have across the entire Apple range, but at least we can be grateful that over time, every Mac is getting something.

Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
«1

Comments

  • Reply 1 of 38
    SoliSoli Posts: 10,035member
    I had hoped by now that Face ID would work with an iMac or an external Apple display.
    lostkiwiStrangeDaysrezwitswatto_cobra
  • Reply 2 of 38
    What about offering an external fingerprint reader and/or mic for the mini?
    davgregwatto_cobra
  • Reply 3 of 38
    MplsPMplsP Posts: 3,911member
    So exactly what is the T2 chip’s ‘official’ name, anyway?

    ”we can't have Touch ID on the Mac mini or new Mac Pro is because neither machine includes a built-in keyboard. This may change at some point, and likely will, but we're not sure when.

    It's hard to know how Apple could get around that, since even if it sold a separate keyboard that had its own T2 chip, the two would have to find a way to communicate securely.”
    Seriously? You’re trying to argue that there are no secure protocols to communicate over a USB connection?

    Or maybe they could just put TouchID on the front of an iMac. That might ruin Jony’s precious aesthetics, but not that he’s gone maybe we can have a bit of function allowed.

    edited July 2019
  • Reply 4 of 38
    SoliSoli Posts: 10,035member
    What about offering an external fingerprint reader and/or mic for the mini?
    I don’t think that’s possible without Apple securing the entire chain, like embedding a T2 chip (or some other encrypted control chip) on their new display.
    watto_cobra
  • Reply 5 of 38
    SoliSoli Posts: 10,035member
    MplsP said:
    So exactly what is the T2 chip’s ‘official’ name, anyway?

    ”we can't have Touch ID on the Mac mini or new Mac Pro is because neither machine includes a built-in keyboard. This may change at some point, and likely will, but we're not sure when.

    It's hard to know how Apple could get around that, since even if it sold a separate keyboard that had its own T2 chip, the two would have to find a way to communicate securely.”
    Seriously? You’re trying to argue that there are no secure protocols to communicate over a USB connection?

    Or maybe they could just put TouchID on the front of an iMac. That might ruin Jony’s precious aesthetics, but not that he’s gone maybe we can have a bit of function allowed.
    What protocols are available that would give the same security as Apple's Touch ID or Face ID to T2 chip for authentication?
    StrangeDayswatto_cobra
  • Reply 6 of 38
    mdriftmeyermdriftmeyer Posts: 7,503member
    Don't forget HEVC transcoding and more.
    macpluspluslostkiwichiaJWSCwatto_cobra
  • Reply 7 of 38
    mpantonempantone Posts: 2,033member
    MplsP said:
    So exactly what is the T2 chip’s ‘official’ name, anyway?
    Apple themselves refer to it as the Apple T2 Security Chip on their website.

    Reference: Apple whitepaper at https://www.apple.com/mac/docs/Apple_T2_Security_Chip_Overview.pdf
    edited July 2019 chiawatto_cobra
  • Reply 8 of 38
    davgregdavgreg Posts: 1,036member
    What about offering an external fingerprint reader and/or mic for the mini?
    I would love to see a fingerprint reader integrated into a Bluetooth wireless Mac keyboard. I am quite sure Apple could use its chip technology to prevent spoofing by third party keyboards and gain a secure handshake and encryption between the wireless keyboard and the headless Mac.

    As the owner of a Mac mini with the top spec CPU, I can tell you the T2 does nothing to help video transcoding. The lack of a dedicated GPU makes that task spool up the fans quickly for a not very fast cycle time.
  • Reply 9 of 38
    seanismorrisseanismorris Posts: 1,624member
    Predictions. Predictions...

    I see the T2 as the single largest bit of evidence that Apple is moving away from Intel processors.  The T2 exists because Intel CPUs doesn't have the features Apple wanted.  The T2 is part of the transition.  Eventually the T2 will be integrated into Apple’s A series chips for MacBooks Air’s and possible iMacs.  The Pro models will still be T2 + Intel for a long while.  Businesses will still need the duel boot capability for Windows...

    We’ll probably see the T2 + A Series + wireless... integrated in one chip a decade from now.  It’s cheaper and more efficient that way...
  • Reply 10 of 38
    Aegis2kAegis2k Posts: 3unconfirmed, member
    Everyone loves their T2 until they need to boot from external media. And you will. You will... I like security, but I like *ME* deciding what level of security I want or need, not Apple. If I like sleeping with my windows open is my choice. I don't want anyone saying to me 'dude close your windows, you might get robbed' or even worse, someone actually nailing my windows shut and saying 'it is not safe to have windows at your house, screw you.'.
    dysamoriacat52TheStemGroup
  • Reply 11 of 38
    StrangeDaysStrangeDays Posts: 12,844member
    Soli said:
    I had hoped by now that Face ID would work with an iMac or an external Apple display.
    Agree; while unlocking w/ the Watch is a nifty time-saver, sometimes the link between the devices goes wonky and it flat-out stops unlocking. When this happens restarting the Watch seems to help.
    GeorgeBMac
  • Reply 12 of 38
    StrangeDaysStrangeDays Posts: 12,844member

    Aegis2k said:
    Everyone loves their T2 until they need to boot from external media. And you will. You will... I like security, but I like *ME* deciding what level of security I want or need, not Apple. If I like sleeping with my windows open is my choice. I don't want anyone saying to me 'dude close your windows, you might get robbed' or even worse, someone actually nailing my windows shut and saying 'it is not safe to have windows at your house, screw you.'.
    Can you explain what on earth you're talking about, specifically?
    macplusplus
  • Reply 13 of 38
    dysamoriadysamoria Posts: 3,430member

    Aegis2k said:
    Everyone loves their T2 until they need to boot from external media. And you will. You will... I like security, but I like *ME* deciding what level of security I want or need, not Apple. If I like sleeping with my windows open is my choice. I don't want anyone saying to me 'dude close your windows, you might get robbed' or even worse, someone actually nailing my windows shut and saying 'it is not safe to have windows at your house, screw you.'.
    Can you explain what on earth you're talking about, specifically?
    https://appleinsider.com/articles/19/01/15/how-to-make-new-t2-secured-macs-boot-from-external-drives
    bobolicious
  • Reply 14 of 38
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    davgreg said:
    What about offering an external fingerprint reader and/or mic for the mini?
    I would love to see a fingerprint reader integrated into a Bluetooth wireless Mac keyboard. I am quite sure Apple could use its chip technology to prevent spoofing by third party keyboards and gain a secure handshake and encryption between the wireless keyboard and the headless Mac.

    As the owner of a Mac mini with the top spec CPU, I can tell you the T2 does nothing to help video transcoding. The lack of a dedicated GPU makes that task spool up the fans quickly for a not very fast cycle time.
    As an owner of the Mac mini with the top spec CPU, I can tell you the T2 does a lot to help video transcoding -- assuming you've got the right settings. And, the proof is here.

    https://appleinsider.com/articles/19/04/09/apples-t2-chip-makes-a-giant-difference-in-video-encoding-for-most-users
    GG1boboliciouschiacgWerks
  • Reply 15 of 38
    mcdavemcdave Posts: 1,927member
    Aegis2k said:
    Everyone loves their T2 until they need to boot from external media. And you will. You will... I like security, but I like *ME* deciding what level of security I want or need, not Apple. If I like sleeping with my windows open is my choice. I don't want anyone saying to me 'dude close your windows, you might get robbed' or even worse, someone actually nailing my windows shut and saying 'it is not safe to have windows at your house, screw you.'.
    Apple products are designed for adults. Kids who fall for self-worship can go elsewhere.
    macplusplus
  • Reply 16 of 38
    mcdavemcdave Posts: 1,927member
    Predictions. Predictions...

    I see the T2 as the single largest bit of evidence that Apple is moving away from Intel processors.  The T2 exists because Intel CPUs doesn't have the features Apple wanted.  The T2 is part of the transition.  Eventually the T2 will be integrated into Apple’s A series chips for MacBooks Air’s and possible iMacs.  The Pro models will still be T2 + Intel for a long while.  Businesses will still need the duel boot capability for Windows...

    We’ll probably see the T2 + A Series + wireless... integrated in one chip a decade from now.  It’s cheaper and more efficient that way...
    As I understand it, the T2 already contains an A-Series processor (A10 I think).  If they were going down this path they would have progressed further by now.  We would see more than just a few HEVC profiles accelerated.  Post-Jobs Apple isn’t even ‘brave’ enough to dump AMD for GPU with minimal software investment let alone dump Intel for CPU with huge software investment.  The T2 should be a Metal2 Monster at least but I think Intel’s promises and progress have killed any commitment to make the Mac anything more than a pricey PC.
  • Reply 17 of 38
    mcdavemcdave Posts: 1,927member
    davgreg said:
    What about offering an external fingerprint reader and/or mic for the mini?
    I would love to see a fingerprint reader integrated into a Bluetooth wireless Mac keyboard. I am quite sure Apple could use its chip technology to prevent spoofing by third party keyboards and gain a secure handshake and encryption between the wireless keyboard and the headless Mac.

    As the owner of a Mac mini with the top spec CPU, I can tell you the T2 does nothing to help video transcoding. The lack of a dedicated GPU makes that task spool up the fans quickly for a not very fast cycle time.
    That would help justify the cost too.

    On the T2 performance; what software are you using and what’s the target format?  My understanding is the software must use 1st-party frameworks (rules out anything Adobe) and 8-bit HEVC is optimal.

    The T2 could be stunning if Apple extended its live transcoding beyond encryption to image & more video.
  • Reply 18 of 38
    zimmiezimmie Posts: 651member
    Soli said:
    MplsP said:
    So exactly what is the T2 chip’s ‘official’ name, anyway?

    ”we can't have Touch ID on the Mac mini or new Mac Pro is because neither machine includes a built-in keyboard. This may change at some point, and likely will, but we're not sure when.

    It's hard to know how Apple could get around that, since even if it sold a separate keyboard that had its own T2 chip, the two would have to find a way to communicate securely.”
    Seriously? You’re trying to argue that there are no secure protocols to communicate over a USB connection?

    Or maybe they could just put TouchID on the front of an iMac. That might ruin Jony’s precious aesthetics, but not that he’s gone maybe we can have a bit of function allowed.
    What protocols are available that would give the same security as Apple's Touch ID or Face ID to T2 chip for authentication?
    Public-key authentication is a thing. Ultimately, biometrics only identify a person. A computer has to then authenticate the biometric, not the user. That is, it has to be designed in such a way as to require a real fingerprint on a real finger attached to a real, living person, and to attempt to reject inauthentic fingerprints. Once the sensor has done this, it provides asymmetric attestation to the rest of the system that the biometric provided is authentic. For people who know what Kerberos is, think of the sensor's attestation like the TGT. The other parts of the system are the service-granting-servers, while the authentication subsystem is the authentication server.

    The real challenge would be establishing trust between the keyboard and the system T2. There's a reason so many papers on public-key cryptosystems start with "Assume a reliable system for public key distribution and revocation exists." Establishing bidirectional trust between two systems, one of which doesn't have a display, is challenging (though an external keyboard with Touch Bar would solve the display part). Revoking that trust if one of the devices is compromised is even more challenging.
  • Reply 19 of 38
    macplusplusmacplusplus Posts: 2,112member
    Predictions. Predictions...

    I see the T2 as the single largest bit of evidence that Apple is moving away from Intel processors.  The T2 exists because Intel CPUs doesn't have the features Apple wanted.  The T2 is part of the transition.  Eventually the T2 will be integrated into Apple’s A series chips for MacBooks Air’s and possible iMacs.  The Pro models will still be T2 + Intel for a long while.  Businesses will still need the duel boot capability for Windows...

    We’ll probably see the T2 + A Series + wireless... integrated in one chip a decade from now.  It’s cheaper and more efficient that way...
    On the contrary T2 is all the “ARM Mac” you can get. Apple has already a desktop class A series, they made an iPad Pro of it, not a crippled Mac. If they get an even more powerful A series, they’ll use it for a more powerful iPad Pro. The only candidate for an ARM Mac was the 12” Macbook, but they killed that only fanless model of the series, meaning there will be absolutely no ARM Mac in the foreseeable future. Macs will integrate always higher and higher not lower and lower.
    mdriftmeyer
  • Reply 20 of 38
    mpantonempantone Posts: 2,033member
    davgreg said:
    What about offering an external fingerprint reader and/or mic for the mini?
    As the owner of a Mac mini with the top spec CPU, I can tell you the T2 does nothing to help video transcoding. The lack of a dedicated GPU makes that task spool up the fans quickly for a not very fast cycle time.
    You are either A.) using video encoding software that doesn't support T2 hardware encoding or B.) you don't know the correct settings to enable it.

    I already knew this from previous tests a week ago (between a Mac mini 2018, MacBook Air 2019, and a MacBook 2017). But for giggles, I decided to set up a bunch of tests while I left my house for a few houses.

    I transcoded a 4K video (approximately 30 minutes in runtime) six consecutive times using the same software (latest version of Handbrake 1.2.2) but with different settings and it is clear that hardware encoding is real. Hardware is Mac mini 2018, 3.2 GHz i7 (6 cores, 12 threads) with 16 GB RAM and 1 TB SSD running macOS 10.14.5.

    1. H.265 (HEVC) VideoToolbox: 28 minutes via hardware (despite the fact I set this up for 8000 kbps bitraate, it ended up as 7150, thus resulting in a smaller file. More later.) The fan ran around 1800 rpm, and the CPU load was nearly zero.
    2. H.265 (HEVC) x265 software encoder: 82 minutes. This was clearly CPU intensive; the user load was 12 (six cores, 2 threads per core maxed out). The fan ran at 4500 rpm.
    3. H.265 (HEVC) x265 software, 12-bit encoding: 110 minutes. Even slower. Again, the fan ran around 4500 rpm.
    4. H.264 VideoToolbox: 30 minutes. Hardware encode, the fan was around 1800 rpm and the CPU load was nothing.
    5. H.264 x264 (software): 38 minutes. I wasn't around to use XLD to view the CPU nor fan status, but clearly this took more effort than the VideoToolbox setting.
    6. H265 (HEVC) VideoToolbox with bitrate set at 8850: 29 minutes. In an attempt to get more comparable resulting file than the earlier encode (7150), I upped the bitrate from 8000 to 8850. The resulting file took 1 minute more than the control and I ended up with a 8150 file.

    You don't need to look at your computer display to know whether or not it is using hardware encoding. The Mac mini 2018 fan tells you.

    Of all the comparisons, the most important are between #1 and #2. The latter is all software and takes nearly 3x longer than the encode that leverages hardware. The #2 encode maxes out the CPU and cranks up the fan. The HEVC hardware encode is a walk in the park for the Mac mini 2018.

    Note that I used Handbrake, an application that is known to have access to hardware encoding features for years.

    If your fan kicks in during a transcode on a Mac mini 2018, you are basically doing it wrong.

    But don't take my word for it. Go ahead and do you own tests.

    Find some suitable 4K content to transcode and open it up in Handbrake. Use a preset like "HQ 1080p30 Surround", switch to the Video tab and set the Quality to an average bitrate of 8000 kbps. Then use the pulldown menu selector for Video Encoder and start selecting different encoders. Name the resulting file accordingly and save it to the queue. Then switch the Video Encoder to something else, rename the resulting file and add it to the queue.
    edited July 2019 chiaSolicgWerksmdriftmeyerGG1tht
Sign In or Register to comment.