Ivan Krstić, Head of Security Engineering and Architecture at Apple, will be speaking at Black Hat on the T2 security processor:
[…]We will discuss three iOS and Mac security topics in unprecedented technical detail, offering the first public discussion of several key technologies new to iOS 13 and the Mac.[…]The T2 Security Chip brought powerful secure boot capabilities to the Mac. Comprehensively securing the boot process required protections against sophisticated direct memory access (DMA) attacks at every point, even in the presence of arbitrary Option ROM firmware. We will walk through the boot sequence of a Mac with the T2 Security Chip and explain key attacks and defenses at each step, including two industry-first firmware security technologies that have not been publicly discussed before.[…]
This is a new product support document from Apple:
This article contains references for key product certifications, cryptographic validations, and security guidance for Secure Enclave Processor (SEP): Secure Key Store. Contact us at firstname.lastname@example.org if you have any questions.[…]
[…]The thing that his team had been able to analyze for the first time was the iPhone’s Secure Enclave Processor (SEP), which handles data encryption for the iPhone. How they were able to do this was a valid question given Apple’s notorious secrecy, and the fact that the SEP is one of the most important and most closely guarded components of the iPhone, the most secure smartphone on the market. […]
A new macOS EFI password tool has appeared on GitHub today
…but I’ve no time today to look at how it works. 😦
CLOSED-SOURCE WARNING: The project includes a few pre-compiled .EFI binaries but no source, so be careful.
Apple has updated their T2 knowledge base article:
Here’s an article that describes how you can check if an Apple system is T2-based or not:
Apple has — at least I think so — updated their Secure Boot knowledge base article in the last few days:
Failure to run Apple’s proprietary diagnostic software after a repair “will result in an inoperative system and an incomplete repair.”
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
[…]There are two ways for spies to alter the guts of computer equipment.
One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden.
The other method involves seeding changes from the very beginning.[…]
The last piece in the puzzle that is the booting of a Mac is understanding how any given volume is made bootable, and how it can be made the next startup volume.[…]
Booting the Mac: bless, and what makes a volume bootable
This article provides a simplified visual summary of the various stages which take place when a modern Intel Mac starts up in macOS 10.12 or 10.13, from pressing the Power button through to running the kernel and its extensions.[…]
Booting the Mac: Visual Summary
NVRAM stores key settings which your Mac cannot obtain from disk during startup. Variables vary according to the model, version of macOS, and EFI firmware in use. Included among these are the following:[…]
What’s stored in NVRAM?
The whole purpose of the BootROM and EFI phases is to get to load and run the macOS kernel and its extensions, which is what boot.efi, the “OS X booter”, finally does. Although boot.efi doesn’t suddenly vanish, from here on it is very little needed.[…]
Booting the Mac: the kernel and extensions
Settings that can be audited/fixed:
enable automatic updates
enable admin password preferences
enable terminal secure entry
disable firewall builtin software
disable firewall downloaded signed
disable mail remote content
disable remote apple events
disable remote login
set airdrop contacts only
set appstore update check daily
check kext loading consent
check EFI integrity
check firmware password set
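As an added example (not code from this page, nor from the tool whose setting list appears above), the POSIX shell script below audits a handful of the listed settings and also performs the T2 check mentioned earlier in this post, using `system_profiler SPiBridgeDataType`. Each check_* function reads the text output of one real macOS command from stdin and prints PASS or FAIL, so the parsing can be exercised with constructed sample output on any POSIX shell; the real commands only run when the script sees it is on Darwin, and `systemsetup` and `firmwarepasswd` need root. The exact wording matched for `socketfilterfw --getallowsigned`, `spctl kext-consent status` and `eficheck --integrity-check` is an assumption from memory and is marked ASSUMED in the comments.

```shell
#!/bin/sh
# Added example, not the page's or the audited tool's own code.
# check_* functions: read one macOS command's output on stdin, print PASS or FAIL.
# Patterns marked ASSUMED are from memory of the command's wording; adjust per release.

# expect_match PATTERN: PASS when some stdin line matches the extended regex PATTERN
expect_match() {
    if grep -Eq -- "$1"; then echo PASS; else echo FAIL; fi
}

# system_profiler SPiBridgeDataType          -> "Model Name: Apple T2 Security Chip" on T2 Macs
check_t2_present()            { expect_match 'Apple T2 Security Chip'; }
# firmwarepasswd -check (root)               -> "Password Enabled: Yes"
check_firmware_password()     { expect_match '^Password Enabled: Yes'; }
# systemsetup -getremotelogin (root)         -> "Remote Login: Off"
check_remote_login_off()      { expect_match '^Remote Login: Off'; }
# systemsetup -getremoteappleevents (root)   -> "Remote Apple Events: Off"
check_remote_events_off()     { expect_match '^Remote Apple Events: Off'; }
# defaults read com.apple.Terminal SecureKeyboardEntry            -> "1"
check_secure_keyboard_entry() { expect_match '^1$'; }
# defaults read com.apple.SoftwareUpdate AutomaticCheckEnabled    -> "1"
check_auto_update()           { expect_match '^1$'; }
# defaults read com.apple.SoftwareUpdate ScheduleFrequency        -> "1" (daily)
check_update_daily()          { expect_match '^1$'; }
# /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
#   -> one line per class of software; wording ASSUMED, so the match is kept loose
check_fw_builtin_off()        { expect_match 'built-in.*DISABLED'; }
check_fw_downloaded_off()     { expect_match 'downloaded.*DISABLED'; }
# spctl kext-consent status                  -> "... User Consent: ENABLED" (wording ASSUMED)
check_kext_consent()          { expect_match 'User Consent: ENABLED'; }
# /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
#   -> "... No changes detected in primary hashes." on clean firmware (wording ASSUMED)
check_efi_integrity()         { expect_match 'No changes detected'; }

# audit NAME CHECK_FUNC COMMAND [ARGS...]: run COMMAND, feed its output to CHECK_FUNC.
# A missing command yields empty input and therefore FAIL, which is the safe default.
audit() {
    name=$1; fn=$2; shift 2
    printf '%-26s %s\n' "$name" "$("$@" 2>/dev/null | "$fn")"
}

# audit_sample NAME CHECK_FUNC TEXT: same report line, evaluated over given text
audit_sample() {
    printf '%-26s %s\n' "$1" "$(printf '%s\n' "$3" | "$2")"
}

if [ "$(uname -s)" = Darwin ]; then
    audit "T2 chip present"         check_t2_present            system_profiler SPiBridgeDataType
    audit "firmware password set"   check_firmware_password     firmwarepasswd -check
    audit "remote login off"        check_remote_login_off      systemsetup -getremotelogin
    audit "remote Apple Events off" check_remote_events_off     systemsetup -getremoteappleevents
    audit "terminal secure entry"   check_secure_keyboard_entry defaults read com.apple.Terminal SecureKeyboardEntry
    audit "auto update check"       check_auto_update           defaults read com.apple.SoftwareUpdate AutomaticCheckEnabled
    audit "update check daily"      check_update_daily          defaults read com.apple.SoftwareUpdate ScheduleFrequency
    audit "fw builtin allow off"    check_fw_builtin_off        /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
    audit "fw downloaded allow off" check_fw_downloaded_off     /usr/libexec/ApplicationFirewall/socketfilterfw --getallowsigned
    audit "kext consent"            check_kext_consent          spctl kext-consent status
    audit "EFI integrity"           check_efi_integrity         /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check
else
    # Not macOS: evaluate CONSTRUCTED sample output (a hypothetical, partly hardened Mac)
    echo "not macOS; evaluating constructed sample output instead:"
    audit_sample "T2 chip present"       check_t2_present        "Model Name: Apple T2 Security Chip"
    audit_sample "firmware password set" check_firmware_password "Password Enabled: No"
    audit_sample "remote login off"      check_remote_login_off  "Remote Login: On"
fi
```

Run it as root on the Mac to get one PASS/FAIL line per setting; anywhere else it only exercises the parsers on constructed text. The firewall rows report PASS only when the automatic allow for that class of software is disabled, which is what the list above asks for, and a FAIL on the EFI integrity row is a prompt to read the full eficheck output rather than a verdict by itself.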