A Comment by @Dougee


In December 2017 Apple released hardware with the new T2 chip technology. It is found on the iMac Pro, 2018 Mac Mini, 2018 MacBook Air, and the 2018 MacBook Pro models.

The T2 integrates several other controllers, including the System Management Controller (SMC), the image signal processor that works with FaceTime HD, the audio controller, Touch ID, Touch Bar, and the SSD controller.

From a security perspective the T2 is really quite interesting. The T2 contains a Secure Enclave that provides the platform for Touch ID, Encrypted Storage and Secure Boot.

Secure Boot ensures only legitimate and trusted operating systems can load at startup. By default a Mac computer is shipped with ‘Full Security’ Secure Boot switched on; this prevents the Mac computer from booting from external media. Secure Boot is controlled from the ‘Startup Security Utility’ and an Admin password is needed to turn it off. As you can see in the screenshot the utility offers three levels of security.

[Screenshot: macOS High Sierra Startup Security Utility]
(Source: https://support.apple.com/en-ca/HT208198)

At the time of writing, Microsoft Windows 10 can be installed on and boot a T2 chip-enabled Mac computer with Secure Boot active, as the Windows operating system is signed. Linux currently cannot boot a Mac with the default “Full Security” enabled.

Interestingly the Mac can still boot into Target Disk Mode, but no external media will boot without the ‘External Boot’ option set to allow booting.

Apple Mac computers with T2 chips integrate encryption into both hardware and software. Data on the built-in SSD is encrypted in hardware using AES 256-bit encryption, and the filesystem can be encrypted in software with FileVault 2. FileVault 2 provides a second level of encryption.

The SSD drive can no longer be removed from a T2 Chip Mac computer and attached to another Mac to access the data. The original T2 Chip hardware is required to decrypt the data.

Apple states that if the encryption keys become damaged in the T2 chip, then restoration from backup might be the only way you can get your data back.

T2 chip-enabled portable Mac computers also secure the on-board microphone by physically disabling it when the lid of the Mac is closed. Software is prevented at the hardware level from having access to the microphone in the closed state.
