[Cryptography] On the deployment of client-side certs

Jerry Leichter leichter at lrw.com
Thu Nov 17 17:21:32 EST 2016

> It remains to be seen whether they will bite the bullet and fully
> divorce the hardware for security from the hardware that actually runs
> their OS.

In the case of iOS devices, it's a part of the same chip; the separation between the Secure Enclave and the OS is enforced by the hardware, but granted such separations have been known to be breakable in the past.

However, in the case of the latest MacBook Pros, it's a completely separate chip, the T1 - a small ARM chip separate from the Intel CPU.

It's unclear exactly what roles this chip plays.  It's known that it controls the fingerprint reader - the fingerprint data never leaves the chip (which leads to a limitation on the number of distinct fingerprints you can register at once:  5).  It apparently also controls the Touch Bar, but that's not currently a security issue.

There are *rumors* that it controls the light that tells you the camera is on, but I've seen no evidence (and I doubt it's true, even if just for the extra wiring needed - the T1 is under the keyboard somewhere, the camera and light are all the way at the top of the display).  In at least some designs (I haven't seen anyone actually keeping track of this on recent Apple devices), the light was kind-of hardware controlled - there was no direct software access to it, but rather it lit as a side-effect of other actions the software undertook to turn on the camera.  Someone did find an attack that managed to break the apparent hard link between the two actions in older MacBooks.  That attack only worked on some now very old hardware, but where current hardware stands ... I don't know.

It is interesting to note that no one, not even Apple, bothers to give you any indication, even software-controlled, that your microphone is live....

> I REALLY doubt that they will give the security hardware its own I/O on
> the first iteration though; they really hate to put visible external
> bits and bobs on their hardware.

The fingerprint sensor and the ARM chip it connects to are bound to each other - as people who've replaced the fingerprint sensor on iPhones have discovered to their regret.  (The ARM chip won't talk to the new sensor.)  One guess is that they share a key so that fingerprint data is encrypted and authenticated between sensor and chip.  Allegedly the sensor is only accessible from the Secure Enclave mode (or maybe its data is encrypted and only the Enclave has access to the key).

Note that if the chip in the MacBook Pro really does control the Touch Bar, it would have complete control over a small but very-high-resolution display with integrated touch input.  You could easily output secure messages for confirmation through a virtual button, all completely outside the OS's (and even the main CPU hardware's) control.  Right now, Apple doesn't do anything of that sort - and indeed they discourage any use of the Bar as an output device, or to do something that can't be done on models that lack it.  Makes sense until devices with a Touch Bar attain critical mass.

But ... "first iteration" indeed.  There's room for all kinds of interesting development of the T1 and Touch Bar as a true security kernel/secure interface once enough of the things are out there.

It'll be interesting to see where Apple goes with this over time.

                                                        -- Jerry
