System to Protect Root Hardware Passwords
Secure Enclave
Overview
The Secure Enclave is a dedicated secure subsystem integrated into Apple systems on chip (SoCs). The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised. It follows the same design principles as the SoC does: a boot ROM to establish a hardware root of trust, an AES engine for efficient and secure cryptographic operations, and protected memory. Although the Secure Enclave doesn't include storage, it has a mechanism to store information securely on attached storage separate from the NAND flash storage that's used by the Application Processor and operating system.
The Secure Enclave is a hardware feature of most versions of iPhone, iPad, Mac, Apple TV, Apple Watch, and HomePod, namely:
- iPhone 5s or later
- iPad Air or later
- MacBook Pro computers with Touch Bar (2016 and 2017) that contain the Apple T1 Chip
- Intel-based Mac computers that contain the Apple T2 Security Chip
- Mac computers with Apple silicon
- Apple TV HD or later
- Apple Watch Series 1 or later
- HomePod and HomePod mini
Secure Enclave Processor
The Secure Enclave Processor provides the main computing power for the Secure Enclave. To provide the strongest isolation, the Secure Enclave Processor is dedicated solely to Secure Enclave use. This helps prevent side-channel attacks that depend on malicious software sharing the same execution core as the target software under attack.
The Secure Enclave Processor runs an Apple-customized version of the L4 microkernel. It's designed to operate efficiently at a lower clock speed that helps to protect it against clock and power attacks. The Secure Enclave Processor, starting with the A11 and S4, includes a memory-protected engine and encrypted memory with anti-replay capabilities, secure boot, a dedicated random number generator, and its own AES engine.
Memory Protection Engine
The Secure Enclave operates from a dedicated region of the device's DRAM memory. Multiple layers of protection isolate the Secure Enclave protected memory from the Application Processor.
When the device starts up, the Secure Enclave Boot ROM generates a random ephemeral memory protection key for the Memory Protection Engine. Whenever the Secure Enclave writes to its dedicated memory region, the Memory Protection Engine encrypts the block of memory using AES in Mac XEX (xor-encrypt-xor) mode, and calculates a Cipher-based Message Authentication Code (CMAC) authentication tag for the memory. The Memory Protection Engine stores the authentication tag alongside the encrypted memory. When the Secure Enclave reads the memory, the Memory Protection Engine verifies the authentication tag. If the authentication tag matches, the Memory Protection Engine decrypts the block of memory. If the tag doesn't match, the Memory Protection Engine signals an error to the Secure Enclave. After a memory authentication error, the Secure Enclave stops accepting requests until the system is rebooted.
Starting with the Apple A11 and S4 SoCs, the Memory Protection Engine adds replay protection for Secure Enclave memory. To help prevent replay of security-critical data, the Memory Protection Engine stores a nonce for the block of memory alongside the authentication tag. The nonce is used as an additional tweak for the CMAC authentication tag. The nonces for all memory blocks are protected using an integrity tree rooted in dedicated SRAM inside the Secure Enclave. For writes, the Memory Protection Engine updates the nonce and each level of the integrity tree up to the SRAM. For reads, the Memory Protection Engine verifies the nonce and each level of the integrity tree up to the SRAM. Nonce mismatches are handled similarly to authentication tag mismatches.
On Apple A14, M1, and later SoCs, the Memory Protection Engine supports two ephemeral memory protection keys. The first is used for data private to the Secure Enclave, and the second is used for data shared with the Secure Neural Engine.
The Memory Protection Engine operates inline and transparently to the Secure Enclave. The Secure Enclave reads and writes memory as if it were regular unencrypted DRAM, whereas an observer outside the Secure Enclave sees only the encrypted and authenticated version of the memory. The result is strong memory protection without performance or software complexity tradeoffs.
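The write and read paths described above, as an added Python model that is not Apple's code: HMAC-SHA256 stands in for the AES-XEX encryption and the CMAC tag, the block layout and the integrity tree over nonces are simplified assumptions, and the demo shows why the nonce tree is needed, since a stale block copied back into DRAM still carries a tag that verifies.

```python
import hashlib
import hmac
import os

BLOCK = 16   # bytes per protected memory block
NBLOCKS = 4  # constructed: a four-block "DRAM" region (power of two for the tree)


def _prf(key, *parts):
    """HMAC-SHA256 stands in for the engine's AES-XEX encryption and AES-CMAC (assumption)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class MemoryProtectionEngine:
    """Per block, DRAM holds (ciphertext, tag, nonce), all visible outside the enclave;
    only the root of the integrity tree over the nonces lives in SRAM."""
    def __init__(self):
        self.key = os.urandom(32)  # ephemeral key generated by the Boot ROM at startup
        self.counter = 0           # source of fresh per-write nonces
        self.halted = False
        self.dram = [(bytes(BLOCK), b"", 0)] * NBLOCKS
        for addr in range(NBLOCKS):   # give every block a valid tag and nonce
            self.write(addr, bytes(BLOCK))
    def _keystream(self, addr, nonce):
        return _prf(self.key, b"enc", addr.to_bytes(4, "big"), nonce.to_bytes(8, "big"))[:BLOCK]
    def _tag(self, addr, ct, nonce):
        # the nonce is an extra tweak: an old (ct, tag) pair only verifies with its old nonce
        return _prf(self.key, b"tag", addr.to_bytes(4, "big"), ct, nonce.to_bytes(8, "big"))
    def _root(self):
        # integrity tree over all block nonces, recomputed from what is currently in DRAM
        level = [hashlib.sha256(n.to_bytes(8, "big")).digest() for _, _, n in self.dram]
        while len(level) > 1:
            level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
        return level[0]
    def write(self, addr, plaintext):
        assert len(plaintext) == BLOCK and not self.halted
        self.counter = nonce = self.counter + 1
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(addr, nonce)))
        self.dram[addr] = (ct, self._tag(addr, ct, nonce), nonce)
        self.root = self._root()   # update the tree all the way up to its SRAM root
    def read(self, addr):
        if self.halted:            # after an error, no requests are served until reboot
            return None
        ct, tag, nonce = self.dram[addr]
        if not hmac.compare_digest(tag, self._tag(addr, ct, nonce)) or self._root() != self.root:
            self.halted = True
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(addr, nonce)))


def demo():
    """A normal read, then a stale block replayed into DRAM, then one flipped ciphertext bit."""
    mpe = MemoryProtectionEngine()
    mpe.write(2, b"passcode-entropy")
    roundtrip = mpe.read(2)
    stale = mpe.dram[2]   # an observer records the (ct, tag, nonce) triple from DRAM
    mpe.write(2, b"rotated-entropy!")
    mpe.dram[2] = stale   # written back later: the tag verifies, the nonce tree does not
    replay = mpe.read(2) is None and mpe.halted
    tam = MemoryProtectionEngine()
    tam.write(1, b"passcode-entropy")
    ct, tag, nonce = tam.dram[1]
    tam.dram[1] = (bytes([ct[0] ^ 1]) + ct[1:], tag, nonce)   # one flipped ciphertext bit
    return {"roundtrip": roundtrip, "replay": replay, "tamper": tam.read(1) is None and tam.halted}
```

A real engine verifies only the tree path for the block being read rather than recomputing the whole tree; the model recomputes it for brevity.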
Secure Enclave Boot ROM
The Secure Enclave includes a dedicated Secure Enclave Boot ROM. Like the Application Processor Boot ROM, the Secure Enclave Boot ROM is immutable code that establishes the hardware root of trust for the Secure Enclave.
On system startup, iBoot assigns a dedicated region of memory to the Secure Enclave. Before using the memory, the Secure Enclave Boot ROM initializes the Memory Protection Engine to provide cryptographic protection of the Secure Enclave protected memory.
The Application Processor then sends the sepOS image to the Secure Enclave Boot ROM. After copying the sepOS image into the Secure Enclave protected memory, the Secure Enclave Boot ROM checks the cryptographic hash and signature of the image to verify that the sepOS is authorized to run on the device. If the sepOS image is properly signed to run on the device, the Secure Enclave Boot ROM transfers control to sepOS. If the signature isn't valid, the Secure Enclave Boot ROM is designed to prevent any further use of the Secure Enclave until the next chip reset.
On Apple A10 and later SoCs, the Secure Enclave Boot ROM locks a hash of the sepOS into a register dedicated to this purpose. The Public Key Accelerator uses this hash for operating-system-bound (OS-bound) keys.
Secure Enclave Boot Monitor
On Apple A13 and later SoCs, the Secure Enclave includes a Boot Monitor designed to ensure stronger integrity on the hash of the booted sepOS.
At system startup, the Secure Enclave Processor's System Coprocessor Integrity Protection (SCIP) configuration helps prevent the Secure Enclave Processor from executing any code other than the Secure Enclave Boot ROM. The Boot Monitor helps prevent the Secure Enclave from modifying the SCIP configuration directly. To make the loaded sepOS executable, the Secure Enclave Boot ROM sends the Boot Monitor a request with the address and size of the loaded sepOS. On receipt of the request, the Boot Monitor resets the Secure Enclave Processor, hashes the loaded sepOS, updates the SCIP settings to permit execution of the loaded sepOS, and starts execution inside the newly loaded code. As the system continues booting, this same process is used whenever new code is made executable. Each time, the Boot Monitor updates a running hash of the boot process. The Boot Monitor also includes critical security parameters in the running hash.
When boot completes, the Boot Monitor finalizes the running hash and sends it to the Public Key Accelerator to use for OS-bound keys. This process is designed so that operating system key binding can't be bypassed even with a vulnerability in the Secure Enclave Boot ROM.
True Random Number Generator
The True Random Number Generator (TRNG) is used to generate secure random data. The Secure Enclave uses the TRNG whenever it generates a random cryptographic key, random key seed, or other entropy. The TRNG is based on multiple ring oscillators post-processed with CTR_DRBG (an algorithm based on block ciphers in Counter Mode).
Root Cryptographic Keys
The Secure Enclave includes a unique ID (UID) root cryptographic key. The UID is unique to each individual device and isn't related to any other identifier on the device.
A randomly generated UID is fused into the SoC at manufacturing time. Starting with A9 SoCs, the UID is generated by the Secure Enclave TRNG during manufacturing and written to the fuses using a software process that runs entirely in the Secure Enclave. This process protects the UID from being visible outside the device during manufacturing, so it isn't available for access or storage by Apple or any of its suppliers.
sepOS uses the UID to protect device-specific secrets. The UID allows data to be cryptographically tied to a particular device. For example, the key hierarchy protecting the file system includes the UID, so if the internal SSD storage is physically moved from one device to another, the files are inaccessible. Other protected device-specific secrets include Touch ID or Face ID information. On a Mac, only fully internal storage linked to the AES engine receives this level of encryption. For example, neither external storage devices connected over USB nor PCIe-based storage added to the 2019 Mac Pro are encrypted in this fashion.
The Secure Enclave also has a device group ID (GID), which is common to all devices that use a given SoC (for example, all devices using the Apple A14 SoC share the same GID).
The UID and GID aren't available through Joint Test Action Group (JTAG) or other debugging interfaces.
Secure Enclave AES Engine
The Secure Enclave AES Engine is a hardware block used to perform symmetric cryptography based on the AES cipher. The AES Engine is designed to resist leaking information through timing and Static Power Analysis (SPA). Starting with the A9 SoC, the AES Engine also includes Dynamic Power Analysis (DPA) countermeasures.
The AES Engine supports hardware and software keys. Hardware keys are derived from the Secure Enclave UID or GID. These keys stay within the AES Engine and aren't made visible even to sepOS software. Although software can request encryption and decryption operations with hardware keys, it can't extract the keys.
On Apple A10 and newer SoCs, the AES Engine includes lockable seed bits that diversify keys derived from the UID or GID. This allows data access to be conditioned on the device's mode of operation. For example, lockable seed bits are used to deny access to password-protected data when booting from Device Firmware Update (DFU) mode. For more information, see Passcodes and passwords.
AES Engine
Every Apple device with a Secure Enclave also has a dedicated AES256 crypto engine (the "AES Engine") built into the direct memory access (DMA) path between the NAND (nonvolatile) flash storage and main system memory, making file encryption highly efficient. On A9 or later A-series processors, the flash storage subsystem is on an isolated bus that's granted access only to memory containing user data through the DMA crypto engine.
At boot time, sepOS generates an ephemeral wrapping key using the TRNG. The Secure Enclave transmits this key to the AES Engine using dedicated wires, designed to prevent it from being accessed by any software outside the Secure Enclave. sepOS can then use the ephemeral wrapping key to wrap file keys for use by the Application Processor file-system driver. When the file-system driver reads or writes a file, it sends the wrapped key to the AES Engine, which unwraps the key. The AES Engine never exposes the unwrapped key to software.
Note: The AES Engine is a separate component from both the Secure Enclave and the Secure Enclave AES Engine, but its operation is closely tied to the Secure Enclave, as shown below.
Public Key Accelerator
The Public Key Accelerator (PKA) is a hardware block used to perform asymmetric cryptography operations. The PKA supports RSA and ECC (Elliptic Curve Cryptography) signing and encryption algorithms. The PKA is designed to resist leaking information through timing and side-channel attacks such as SPA and DPA.
The PKA supports software and hardware keys. Hardware keys are derived from the Secure Enclave UID or GID. These keys stay within the PKA and aren't made visible even to sepOS software.
Starting with A13 SoCs, the PKA's encryption implementations have been proved to be mathematically correct using formal verification techniques.
On Apple A10 and later SoCs, the PKA supports OS-bound keys, also referred to as Sealed Key Protection (SKP). These keys are generated using a combination of the device's UID and the hash of the sepOS running on the device. The hash is provided by the Secure Enclave Boot ROM, or by the Secure Enclave Boot Monitor on Apple A13 and later SoCs. These keys are also used to verify the sepOS version when making requests to certain Apple services and are also used to improve the security of passcode-protected data by helping to prevent access to keying material if critical changes are made to the system without user authorization.
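An added Python model (not Apple's code) of the Boot Monitor running hash from the Boot Monitor section together with the OS-bound (SKP) keys described here: SHA-256 chaining for the running hash, HMAC-SHA256 as the key derivation, the sealing format and the parameter names are all assumptions. It shows that a one-byte change to the sepOS image, a flipped critical security parameter, or another device's UID each produces a key that cannot open data sealed on the genuine boot.

```python
import hashlib
import hmac
import os

UID = os.urandom(32)                       # constructed stand-in for the fused per-device UID
GENUINE_SEPOS = b"sepOS image (constructed bytes)"
STAGES = [(b"sep-app", b"app image (constructed)")]      # later code loads, also measured
PARAMS = {b"debug-enabled": b"0"}          # critical security parameters (assumed names)


def extend(running, label, data):
    """One Boot Monitor step: fold a newly executable region or a critical security
    parameter into the running hash (SHA-256 chaining is this model's assumption)."""
    return hashlib.sha256(running + label + len(data).to_bytes(4, "big") + data).digest()


def measured_boot(sepos, stages, params):
    """Runs the Boot Monitor sequence and returns the finalized running hash."""
    h = hashlib.sha256(sepos).digest()     # sepOS hashed after the SEP reset, before it runs
    for name, code in stages:
        h = extend(h, b"code:" + name, code)
    for name in sorted(params):
        h = extend(h, b"csp:" + name, params[name])
    return h


def os_bound_key(uid, boot_hash, purpose):
    """SKP key from UID and final boot hash; HMAC-SHA256 as the KDF is an assumption."""
    return hmac.new(uid, b"skp|" + boot_hash + b"|" + purpose, hashlib.sha256).digest()


def wrap(key, secret):
    """Seal up to 32 bytes under an OS-bound key (XOR keystream plus HMAC tag)."""
    ks = hashlib.sha256(key + b"keystream").digest()[:len(secret)]
    ct = bytes(a ^ b for a, b in zip(secret, ks))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unwrap(key, blob):
    """Returns the secret, or None when the key does not match the sealed blob."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    ks = hashlib.sha256(key + b"keystream").digest()[:len(ct)]
    return bytes(a ^ b for a, b in zip(ct, ks))


def demo():
    """Seal a secret on a genuine boot, then try to open it after three kinds of change."""
    secret = b"passcode-class-key"
    genuine = os_bound_key(UID, measured_boot(GENUINE_SEPOS, STAGES, PARAMS), b"data")
    blob = wrap(genuine, secret)
    reboot = os_bound_key(UID, measured_boot(GENUINE_SEPOS, STAGES, PARAMS), b"data")
    patched = os_bound_key(UID, measured_boot(GENUINE_SEPOS[:-1] + b"!", STAGES, PARAMS), b"data")
    debug = os_bound_key(UID, measured_boot(GENUINE_SEPOS, STAGES, {b"debug-enabled": b"1"}), b"data")
    other = os_bound_key(os.urandom(32), measured_boot(GENUINE_SEPOS, STAGES, PARAMS), b"data")
    return {"same_boot": unwrap(reboot, blob), "patched_sepos": unwrap(patched, blob),
            "debug_param": unwrap(debug, blob), "other_device": unwrap(other, blob)}
```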
Secure nonvolatile storage
The Secure Enclave is equipped with a dedicated secure nonvolatile storage device. The secure nonvolatile storage is connected to the Secure Enclave using a dedicated I2C bus, so that it can only be accessed by the Secure Enclave. All user data encryption keys are rooted in entropy stored in the Secure Enclave nonvolatile storage.
In devices with A12, S4, and later SoCs, the Secure Enclave is paired with a Secure Storage Component for entropy storage. The Secure Storage Component is itself designed with immutable ROM code, a hardware random number generator, a per-device unique cryptographic key, cryptography engines, and physical tamper detection. The Secure Enclave and Secure Storage Component communicate using an encrypted and authenticated protocol that provides exclusive access to the entropy.
Devices first released in Fall 2020 or later are equipped with a 2nd-generation Secure Storage Component. The 2nd-generation Secure Storage Component adds counter lockboxes. Each counter lockbox stores a 128-bit salt, a 128-bit passcode verifier, an 8-bit counter, and an 8-bit maximum attempt value. Access to the counter lockboxes is through an encrypted and authenticated protocol.
Counter lockboxes hold the entropy needed to unlock passcode-protected user data. To access the user data, the paired Secure Enclave must derive the correct passcode entropy value from the user's passcode and the Secure Enclave's UID. The user's passcode can't be learned using unlock attempts sent from a source other than the paired Secure Enclave. If the passcode attempt limit is exceeded (for example, 10 attempts on iPhone), the passcode-protected data is erased completely by the Secure Storage Component.
To create a counter lockbox, the Secure Enclave sends the Secure Storage Component the passcode entropy value and the maximum attempt value. The Secure Storage Component generates the salt value using its random number generator. It then derives a passcode verifier value and a lockbox entropy value from the provided passcode entropy, the Secure Storage Component's unique cryptographic key, and the salt value. The Secure Storage Component initializes the counter lockbox with a count of 0, the provided maximum attempt value, the derived passcode verifier value, and the salt value. The Secure Storage Component then returns the generated lockbox entropy value to the Secure Enclave.
To retrieve the lockbox entropy value from a counter lockbox later, the Secure Enclave sends the Secure Storage Component the passcode entropy. The Secure Storage Component first increments the counter for the lockbox. If the incremented counter exceeds the maximum attempt value, the Secure Storage Component completely erases the counter lockbox. If the maximum attempt count hasn't been reached, the Secure Storage Component attempts to derive the passcode verifier value and lockbox entropy value with the same algorithm used to create the counter lockbox. If the derived passcode verifier value matches the stored passcode verifier value, the Secure Storage Component returns the lockbox entropy value to the Secure Enclave and resets the counter to 0.
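The create and retrieve steps above, as an added Python model that is neither Apple's nor the component's code: the fields, the increment-before-verify ordering, the erase-on-exceed rule and the reset on success follow the text, while HMAC-SHA256 as the KDF and the passcode-to-entropy step on the Secure Enclave side are assumptions.

```python
import hashlib
import hmac
import os


def passcode_entropy(passcode, uid):
    """Secure Enclave side: passcode entropy tied to this device's UID
    (HMAC-SHA256 stands in for the real, unpublished derivation)."""
    return hmac.new(uid, passcode.encode(), hashlib.sha256).digest()


class SecureStorageComponent:
    """Model of 2nd-generation counter lockboxes: salt, verifier, counter, max attempts."""
    def __init__(self):
        self.device_key = os.urandom(32)   # per-component key that never leaves the part
        self.lockboxes = {}

    def _derive(self, entropy_in, salt):
        # verifier and lockbox entropy from (passcode entropy, device key, salt);
        # HMAC-SHA256 as the KDF is an assumption
        prk = hmac.new(self.device_key, salt + entropy_in, hashlib.sha256).digest()
        verifier = hmac.new(prk, b"verifier", hashlib.sha256).digest()[:16]   # 128-bit
        lockbox_entropy = hmac.new(prk, b"entropy", hashlib.sha256).digest()[:16]
        return verifier, lockbox_entropy

    def create(self, box_id, entropy_in, max_attempts):
        assert 0 < max_attempts < 256             # 8-bit field
        salt = os.urandom(16)                     # 128-bit salt from the component's RNG
        verifier, lockbox_entropy = self._derive(entropy_in, salt)
        self.lockboxes[box_id] = {"salt": salt, "verifier": verifier,
                                  "count": 0, "max": max_attempts}
        return lockbox_entropy

    def retrieve(self, box_id, entropy_in):
        """Returns the lockbox entropy, or None on a wrong guess or an erased box."""
        box = self.lockboxes.get(box_id)
        if box is None:
            return None
        box["count"] += 1                         # incremented before verification
        if box["count"] > box["max"]:
            del self.lockboxes[box_id]            # limit exceeded: erase the lockbox
            return None
        verifier, lockbox_entropy = self._derive(entropy_in, box["salt"])
        if hmac.compare_digest(verifier, box["verifier"]):
            box["count"] = 0                      # success resets the counter
            return lockbox_entropy
        return None


def demo():
    uid = os.urandom(32)                          # constructed per-device UID
    ssc = SecureStorageComponent()
    good = passcode_entropy("123456", uid)
    created = ssc.create(1, good, max_attempts=3)
    results = {"correct": ssc.retrieve(1, good) == created}
    wrong = passcode_entropy("000000", uid)
    results["wrong_attempts"] = [ssc.retrieve(1, wrong) for _ in range(3)]   # three misses
    results["still_present"] = 1 in ssc.lockboxes
    results["fourth"] = ssc.retrieve(1, good)     # count becomes 4 > 3: erased before any check
    results["erased"] = 1 not in ssc.lockboxes
    # another device's UID gives different passcode entropy even for the same passcode
    results["other_device"] = passcode_entropy("123456", os.urandom(32)) != good
    return results
```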
The keys used to access password-protected data are rooted in the entropy stored in counter lockboxes. For more information, see Data Protection overview.
The secure nonvolatile storage is used for all anti-replay services in the Secure Enclave. Anti-replay services on the Secure Enclave are used for revocation of data over events that mark anti-replay boundaries including, but not limited to, the following:
- Passcode change
- Enabling or disabling Touch ID or Face ID
- Adding or removing a Touch ID fingerprint or Face ID face
- Touch ID or Face ID reset
- Adding or removing an Apple Pay card
- Erase All Content and Settings
On architectures that don't feature a Secure Storage Component, EEPROM (electrically erasable programmable read-only memory) is used to provide secure storage services for the Secure Enclave. Just like the Secure Storage Components, the EEPROM is attached and accessible only from the Secure Enclave, but it doesn't contain dedicated hardware security features, nor does it guarantee exclusive access to entropy (aside from its physical attachment characteristics), nor does it offer counter lockbox functionality.
Secure Neural Engine
On devices with Face ID, the Secure Neural Engine converts 2D images and depth maps into a mathematical representation of a user's face.
On A11 through A13 SoCs, the Secure Neural Engine is integrated into the Secure Enclave. The Secure Neural Engine uses direct memory access (DMA) for high performance. An input-output memory management unit (IOMMU) under the sepOS kernel's control limits this direct access to authorized memory regions.
Starting with A14 and the M1, the Secure Neural Engine is implemented as a secure mode in the Application Processor's Neural Engine. A dedicated hardware security controller switches between Application Processor and Secure Enclave tasks, resetting Neural Engine state on each transition to keep Face ID data secure. A dedicated engine applies memory encryption, authentication, and access control. At the same time, it uses a separate cryptographic key and memory range to limit the Secure Neural Engine to authorized memory regions.
Power and clock monitors
All electronics are designed to operate within a limited voltage and frequency envelope. When operated outside this envelope, the electronics can malfunction and security controls may then be bypassed. To help ensure that the voltage and frequency stay in a safe range, the Secure Enclave is designed with monitoring circuits. These monitoring circuits are designed to have a much larger operating envelope than the rest of the Secure Enclave. If the monitors detect an illegal operating point, the clocks in the Secure Enclave automatically stop and don't restart until the next SoC reset.
Secure Enclave feature summary
Note: A12, A13, S4, and S5 products first released in Fall 2020 have a 2nd-generation Secure Storage Component, while earlier products based on these SoCs have a 1st-generation Secure Storage Component.
SoC | Memory Protection Engine | Secure Storage | AES Engine | PKA |
---|---|---|---|---|
A8 | Encryption and authentication | EEPROM | Yes | No |
A9 | Encryption and authentication | EEPROM | DPA protection | Yes |
A10 | Encryption and authentication | EEPROM | DPA protection and lockable seed bits | OS-bound keys |
A11 | Encryption, authentication, and replay prevention | EEPROM | DPA protection and lockable seed bits | OS-bound keys |
A12 (Apple devices released before Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 1 | DPA protection and lockable seed bits | OS-bound keys |
A12 (Apple devices released after Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys |
A13 (Apple devices released before Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 1 | DPA protection and lockable seed bits | OS-bound keys and Boot Monitor |
A13 (Apple devices released after Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys and Boot Monitor |
A14 | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys and Boot Monitor |
S3 | Encryption and authentication | EEPROM | DPA protection and lockable seed bits | Yes |
S4 | Encryption, authentication, and replay prevention | Secure Storage Component gen 1 | DPA protection and lockable seed bits | OS-bound keys |
S5 (Apple devices released before Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 1 | DPA protection and lockable seed bits | OS-bound keys |
S5 (Apple devices released after Fall 2020) | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys |
S6 | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys |
T2 | Encryption and authentication | EEPROM | DPA protection and lockable seed bits | OS-bound keys |
M1 | Encryption, authentication, and replay prevention | Secure Storage Component gen 2 | DPA protection and lockable seed bits | OS-bound keys and Boot Monitor |