Apple's T2 Security Chip promised to bring "a new level of integration and security" to new generation Mac systems. The T2 chip provides systems with a secure enclave coprocessor that is leveraged to protect Touch ID data, enable encrypted storage and provide secure boot capabilities. In this presentation we will share a deep dive into the inner workings of the T2 going way beyond the limited technical details Apple have made public up to now. In addition, we will share our methodology along with the tooling we developed and subsequently released in an effort to enable the audience to learn about our process of tackling complex security research tasks as well as being able to build on top of our initial research.
Our goal was to assess the current security posture of the T2 chip as well as build tools to enable future research into the platform. Two specific areas of interest for us were Apple's secure boot process as well as how the T2 chip communicates with macOS. Our research of Secure Boot functionality outlines how the process works, what attacks may be mitigated and what attack surface remains. In addition we will cover how Apple implemented eSPI and what this means from an attacker's perspective. Attendees will obtain an understanding of how the T2 chip has been implemented and what services it exposes to both the OS and application layers.
In exploring the T2's communication, we reverse engineered Apple's proprietary XPC protocol, which previously had near-zero third-party documentation. In addition to decoding the messaging format, we demonstrate the ability to interface directly with the T2 chip from unprivileged userspace code by writing our own client application. Our talk will present methods and tooling to query the T2's exposed services as well as decode and encode valid messages.