Secure boot in the era of the T2

Enabled by the T2 chipset, new generations of the Macbook Pro and the iMac Pro aim to mitigate many software and hardware-based attacks against the very first pieces of code executed during the initial boot process. By ditching the flash memory chip containing Unified Extensible Firmware Interface (UEFI) firmware and using chipset functionality typically reserved for server architectures, the T2 is able to dynamically provide and validate UEFI payload contents at runtime.

We have spent considerable time looking at the T2 and have written a paper that outlines the technical details of what actually happens when the power button is pressed. The T2 is a great first step in the right direction, but there is still room for improvement when it comes to the secure boot process on an Apple T2-enabled device.

Security at the expense of user ownership and repairability. Pick your poison.

12 Comments

  1. emphyrio 2018-11-22 2:14 am EST
    • Alfman 2018-11-22 4:02 am EST
      • Lennie 2018-11-22 10:27 am EST
        • zima 2018-11-25 12:13 am EST
      • andreww591 2018-11-22 11:44 am EST
  2. kwan_e 2018-11-22 4:31 am EST
    • kuiash 2018-11-22 5:21 am EST
    • agentj 2018-11-22 12:47 pm EST
    • zima 2018-11-29 12:11 am EST
  3. grat 2018-11-22 7:23 pm EST
  4. eantoranz 2018-11-23 4:43 am EST
  5. dionicio 2018-11-23 8:24 pm EST