Duo Labs Explains How Secure Boot Works on Apple’s T2-Enabled Devices

The security experts over at Duo Labs have today released a research report titled ‘Secure Boot in the Era of the T2’, detailing Apple’s new approach to secure boot and how the process works on a T2 security chip-enabled device. 

Apple’s T2 chip on the new Macs performs a wide array of tasks to secure the machine from various hardware- and software-based attacks. However, researchers believe “there is still room for improvement”, especially when it comes to the secure boot process. 

Apple T2 chip

While the researchers found Apple’s design for T2 “using an immutable, signature-validate image for UEFI firmware” extremely effective in securing the Mac platform, they say that physical attacks are still possible “though more challenging than the classic evil-maid attacks that re-flash a single SPI flash chip”.

Duo Labs researchers also praised performing integrity validation of firmware-at-rest as “a no-brainer, security-wise”. However, they say the secure boot operations should be isolated to “a much simpler and more tightly-scoped system-on-a-chip.”

This is compounded with the complexity of the T2. It is coupled with the host OS, exposing a new attack surface. Much of its functionality can be interfaced with from userland without having root permissions. A bug in the Apple XNU common-kernel used in many Apple products could effectively create a shortcut for an attacker.

[…] Apple should be lauded for trying to bring their laptop and desktop lines into the same defensive posture as their mobile offerings.

You can read the lengthy report in its entirety at this link.