
Apple iMac Pro and Secure Storage - glhaynes
https://duo.com/blog/apple-imac-pro-and-secure-storage
======
userbinator
_The unique pairing here provides some very important security properties that
prevent the memory chips that comprise the SSD itself from being physically
removed from the system and connected to a different system, or from having
their contents extracted from the chips and flashed onto SSD chips in another
system._

Yet more sadness for data recovery companies and those who've lost files and
want their services. Full disk encryption has been around for a long time and,
well-implemented, will let you recover the encrypted data to transfer to new
media (so the DR company can't see your secrets either, but you haven't lost
anything.)

IMHO encryption should be opt-in --- contrary to what those advocating it
think, not every piece of data I have needs to be encrypted, and I certainly
have plenty more personal files that I would rather have become publicly
accessible than lost forever. It's a tradeoff between "if someone hacks in,
they can read my data too" and "if something goes wrong, _no one_ can read my
data, including myself" and I think this tradeoff needs to be a more explicit
choice.

~~~
chejazi
In general, lack of encryption enables passive surveillance. I think a better
solution than opt-in encryption could be on-by-default, with a multi-party
recovery scheme.

~~~
eli
Doesn't Windows have an option to have Microsoft keep a key in escrow? Seems
like a reasonable compromise for most people.

~~~
cbhl
I can't imagine Apple offering this option -- it doesn't really align with
their strengths (privacy first) and weaknesses (data centers). They'd need to
fix so much of iCloud first.

~~~
kalleboo
[https://support.apple.com/en-us/HT204837](https://support.apple.com/en-
us/HT204837)

> _If you 're using OS X Yosemite or later, you can choose to use your iCloud
> account to unlock your disk and reset your password_

> _If you 're using OS X Mavericks, you can choose to store a FileVault
> recovery key with Apple by providing the questions and answers to three
> security questions. Choose answers that you're sure to remember_

> _If you don 't want to use iCloud FileVault recovery, you can create a local
> recovery key. Keep the letters and numbers of the key somewhere safe—other
> than on your encrypted startup disk_

~~~
xmodem
Take a look at this blackhat talk from Apple's head of security Ivan Krstic,
where he explains the mechanism they use to secure credentials stored in the
cloud:
[https://youtu.be/BLGFriOKz6U?t=22m31s](https://youtu.be/BLGFriOKz6U?t=22m31s)

------
spunker540
These use-cases for specialized processors are prime examples of how Apple's
software-hardware bundling can give their products some really cool advantages
over competitors.

I'm not a security specialist though -- so I'm curious how valuable these
extra hardware protections are to the security community at-large.

~~~
klodolph
I know of at least one place where the MacBook Pro fingerprint sensor is
approved for authentication, but the only other approved devices are dedicated
hardware (security tokens).

~~~
gruez
>MacBook Pro fingerprint sensor is approved for authentication

does the fingerprint sensor API return a signed response from the fingerprint
sensor or SE? or is it a simple yes/no?. if it's the latter, the whole thing
is security theater.

~~~
pudquick
Why does that make a difference?

If it's a signed response, at some point there's another piece of code that
checks that the signature is valid and returns a yes/no.

I think the reason Apple's sensor was mentioned in this instance was due to
how Apple handled storage and usage of biometrics as described in here
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

Compare that to, say, other laptop vendors:
[https://support.lenovo.com/us/en/product_security/len-15999](https://support.lenovo.com/us/en/product_security/len-15999)

~~~
Buge
It depends on where you're authenticating to. If you're authenticating to
yourself, then sure a signature is will just be converted to a yes/no and be
no better. But if you're authenticating to a server, the server can do the
signature verification, whereas a server looking at a yes/no that a client
sends would be mostly useless.

------
HillaryBriss
_In order to understand Apple’s decision to switch from the older Serial ATA
(SATA) interface to the higher-performing Non-Volatile Memory Express or NVMe,
we recommend reading Ramtin Amin’s excellent deep-dive into its
implementation. The main advantages of using NVMe to provide SSD storage
access are that by using all the available parallel operations possible with
modern flash-based storage over a four-lane PCIe connection, much better I /O
speeds can be achieved compared to older HDD-specific interfaces._

Kinda surprised that this needed an Apple-specific explanation. I mean, didn't
all board manufacturers move toward NVMe simply because it's faster than ATA?

------
codebook
In these days, a lot of SSD makers have AES engine inside, it encrypts and
decrypts on-the-fly. I don't understand the usage of AES in T2.

~~~
gumby
The NVMe storage doesn't look like an SSD and doesn't have a traditional disk
controller.

------
exabrial
We've had hardware accelerated AES FDE on SSDs forever, I think since the
Samsung 840pro...

------
pimlottc
I'd like to know if this will help enable support for more authentication
methods at boot time for unlocking full disk encryption, such as Yubikey
challenge-response or smartcard PKCS #11. Sort of a drag if you're using
token-based login but you still need to memorize a password for FDE.

------
gruez
feels over engineered to me. a TPM + OS FDE (with AES acceleration) probably
gets the same performance without the need for special parts.

~~~
amluto
I assume the goal is to prevent the OS from needing to know the key.

~~~
gruez
what's the problem with letting the OS know the key? it already has access to
all the files! the only use i can think of is some sort of multi-user system
where you can't trust the kernel, but if you can't trust the kernel, it's
already game over.

~~~
mehrdada
> what's the problem with letting the OS know the key? it already has access
> to all the files!

How about when your device is locked in sleep mode. The main processor should
lose the key to a certain set of files, as does on iOS.

~~~
gruez
that's more of an argument for encrypting filesystem instead of full disk
encryption (which I agree would help in that situation), not an argument for
having a custom security co-processor. you can accomplish the same thing with
TPM: by using PCR sealed keys for the OS files, PCR + password sealed keys for
private/personal files, and wiping the second set of keys every time you lock
the computer.

