Apple Platform Security
Peripheral processor security in Mac computers
All modern computing systems have many built-in peripheral processors dedicated to tasks such as networking, graphics, power management, and more. These peripheral processors are often single-purpose and are much less powerful than the primary CPU. Built-in peripherals that don’t implement sufficient security become an easier target for attackers to exploit, through which they can persistently infect the operating system. Having infected a peripheral processor’s firmware, an attacker could target software on the primary CPU or directly capture sensitive data (for example, an Ethernet device could see the contents of packets that aren’t encrypted).
Whenever possible, Apple works to reduce the number of peripheral processors necessary and to avoid designs that require firmware. But when separate processors with their own firmware are required, efforts are taken to help ensure an attacker can’t persist on that processor. This is done by verifying the processor’s firmware in one of two ways:
- Running the processor so that it downloads verified firmware from the primary CPU on startup
- Having the peripheral processor implement its own secure boot chain, to verify the peripheral processor firmware every time the Mac starts up
Apple works with vendors to audit their implementations and enhance their designs to include desired properties such as:
- Ensuring minimum cryptographic strengths
- Ensuring strong revocation of known bad firmware
- Disabling debug interfaces
- Signing the firmware with cryptographic keys that are stored in Apple-controlled hardware security modules (HSMs)
In recent years, Apple has worked with some external vendors to adopt the same “Image4” data structures, verification code, and signing infrastructure used by Apple silicon.
When neither storage-free operation nor storage plus secure boot is an option, the design mandates that firmware updates be cryptographically signed and verified before the persistent storage can be updated.
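As an added illustration (not Apple’s code and not the Image4 format), the following Go program models the verification step shared by both boot approaches above and by the signed-update requirement in the last paragraph: a loader checks an Ed25519 signature over a version-tagged image, then rejects revoked versions and rollbacks before the payload may be handed to the peripheral or written to its persistent storage. The container layout, the Policy type and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

// Assumed container layout (a teaching stand-in, not Apple's Image4), signature covering everything before it:
//   version (4 bytes BE) | payload length (4 bytes BE) | payload | Ed25519 signature (64 bytes)
// Policy is what the loader pins: the signing public key, revoked versions, and a
// monotonic minimum version so a validly signed but old image cannot be rolled back to.
type Policy struct {
	PubKey     ed25519.PublicKey
	Revoked    map[uint32]bool
	MinVersion uint32
}

// Sign builds a container; in production this runs inside an HSM-backed signing service.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 8, 8+len(payload)+ed25519.SignatureSize)
	binary.BigEndian.PutUint32(body[0:], version)
	binary.BigEndian.PutUint32(body[4:], uint32(len(payload)))
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// Verify returns the version and payload that may be handed to the peripheral or written
// to its persistent storage. Nothing is trusted before the signature check; policy follows.
func Verify(p Policy, img []byte) (uint32, []byte, error) {
	if len(img) < 8+ed25519.SignatureSize {
		return 0, nil, errors.New("firmware: truncated container")
	}
	n := binary.BigEndian.Uint32(img[4:8])
	if uint64(len(img)) != 8+uint64(n)+ed25519.SignatureSize {
		return 0, nil, errors.New("firmware: length field mismatch")
	}
	body, sig := img[:8+n], img[8+n:]
	if !ed25519.Verify(p.PubKey, body, sig) {
		return 0, nil, errors.New("firmware: signature verification failed")
	}
	v := binary.BigEndian.Uint32(body[0:4])
	if p.Revoked[v] {
		return v, nil, errors.New("firmware: version revoked")
	}
	if v < p.MinVersion {
		return v, nil, errors.New("firmware: version older than minimum allowed")
	}
	return v, body[8:], nil
}
```

The order matters: the signature is checked before the version field is used for any decision, so an attacker cannot steer the revocation or rollback logic with an unsigned header.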