Before the iMac Pro finally shipped in late December, 2017, there was a lot of speculation that the powerful desktop machine would contain an Apple A10 chip, possibly for providing always-on “Hey, Siri” support or other unspecified functions. Shortly before the iMac Pro shipped, one developer who was given early access to the device found that the new computer features a unique custom Apple chip — the T2.
Like the T1 used in the 2016 and 2017 MacBook Pro, the T2 is a custom ARMv7 system-on-chip that performs specific security-related functions for the iMac Pro. On the MacBook Pro, the T1 acts as a secure enclave for processing and encrypting fingerprints for Touch ID as well as keeping tabs on the microphone and FaceTime HD camera to keep them safe from hacking. Oddly enough, the T1 runs a special version of watchOS separate from macOS on the computer itself.
On the iMac Pro, the T2 performs a very similar function, providing a secure enclave for encrypted keys. It also handles system functions including the camera and audio control — probably in a manner identical to that on the MacBook Pro — and manages the solid-state drive of the computer. Although we haven’t yet performed tests and have not seen that others have tested the FaceTime HD camera on the iMac Pro, the T2 also allegedly delivers “enhanced image processing” for that camera. An integrated image signal processor allows tone mapping, exposure control, and face detection-based auto exposure and white balance for the FaceTime HD camera. Those functions were provided on older Macs by other hardware and software before being built into the T-series chips.
On December 14, 2017, Apple announced that the T2 integrates several controllers found in other Mac systems, including a system management controller, image signal processor, audio controller, and SSD controller. The secure enclave is teamed with a hardware encryption engine that allows for strong on-chip encryption and hardware verification of system-level software.
Apple says that “The data on your SSD is encrypted using dedicated AES hardware with no effect on the SSD’s performance, while keeping the Intel Xeon processor free for your compute tasks. And secure boot ensures that the lowest levels of software aren’t tampered with and that only operating system software trusted by Apple loads at startup.”
The developer mentioned in the first paragraph of this post, Cabel Sasser of Panic, found during his early access work with the iMac Pro that there are several new macOS utilities that take advantage of the security features of the T2 chip. One of these is the Startup Security Utility, which allows users to enable a firmware password to prevent the Mac from booting from a different hard drive, CD or DVD without that password. Another function is called “Secure Boot” and lets users select a range of security levels from none to “medium” or “full” security (see screenshot below).
Sasser noted in a tweet sent out in mid-December that “This new chip means storage encryption keys pass from the Secure Enclave to the hardware encryption engine in-chip — your key never leaves the chip. And, it allows for hardware verification of OS, kernel, boot loader, firmware, etc… (this can be disabled).”
With Apple’s custom T1 and T2 silicon now providing enhanced security on the MacBook Pro and iMac Pro respectively, there’s a good chance that we may see these or other chips in other future Macs as well.